ARTELIA-Third-party-policy-EN-v2.1-html.html

Policy regarding the personal data

of third parties

Artelia Group reserves the right to modify the present privacy policy at any time, in particular :

- To add a new data processing operation involving a new purpose

- To provide additional information that may be required by regulatory authorities.

DATE : NOVEMBER 2023 VER. : 2.1

V. 2.1 / NOVEMBER 2023

FOREWORD

(EU) Regulation no. 2016/679 of the European Parliament and Council dated 27 April 2016  on the
protection  of  natural  persons  with  regard  to  the  processing  of  personal  data  and  on  the  free
movement  of  such  data,  referred  to  as  the  General  Data  Protection  Regulation  (hereafter  the
GDPR), lays down the legal framework applicable to the processing of personal data.
The GDPR strengthens the rights and obligations of controllers, subcontractors, data subjects (the
individuals concerned) and recipients of such data.
In the framework of its business, the Artelia Group is required to process personal data.
To facilitate the understanding of this policy, it shall be made clear that:

“Controller” refers to the natural person or legal entity that determines the purpose and the
means of processing personal data. In the framework of this policy, the controller is Artelia
Holding (hereafter referred to

as “Artelia”), whose registered office is situated at Le First

Part Dieu

– 2 avenue Lacassagne 69003 Lyon – France.

Artelia Group subsidiaries apply this personal data protection policy when they act as
controller.

“Subcontractor” refers to any natural person or legal entity that processes personal data on
behalf of the controller.

“Data subject” or “third party” refers to any person that can be identified either directly or
indirectly, and whose personal data are collected the controller. In the framework of this
policy, the “data subjects” or “third parties” are:

the various natural persons who are Artelia’s correspondents in its dealing with its
clients, contacts and partners understood as being legal entities,

persons applying for a job at Artelia;

visitors to Artelia’s websites.

“Recipient” refers to any natural person or legal entity to whom personal data are disclosed
by Artelia. Data recipients can hence be either internal recipients or external recipients.

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise,
transparent, intelligible and easily accessible form.

V. 2.1 / NOVEMBER 2023

PURPOSE

The purpose of this policy is to comply with Artelia’s duty to inform by virtue of the GDPR and to
formalise the rights and obligations of the data subjects with respect to the processing of their
personal data.

SCOPE

This personal data protection policy is to be applied when implementing the processing of personal
data relating to all third parties of Artelia, which hence includes the natural persons who are its
corresponds in its dealings with each of its clients, partners and contacts, persons applying for a
job at Artelia, and visitors to its websites.
This policy only concerns processing activities for which Artelia acts as controller and hence is not
applicable to processing activities that are not set up or exploited by Artelia (so-

called “shadow IT”

activities).
Personal data processing activities can be managed either directly by Artelia or by a subcontractor
specifically appointed by Artelia.
This policy exists independently of any other document that may apply between Artelia and its
clients, partners, contacts or job applicants.

GENERAL PRINCIPLES

All  processing  activities  performed  at  Artelia  concerning  the  data  of  persons  concerned  by  this
policy relate to personal data collected by or for Artelia’s departments or processed in relation to its
services and comply with the general principles of the GDPR.
A list of the personal data processing activities implemented is appended to this policy.
Any new instances of processing and any modification or deletion of an existing processing activity
will be brought to the attention of the data subjects through a change in this policy.

TYPES OF DATA COLLECTED

The types of data collected are specified in the appendix of this document.

DATA SOURCES

Data relating to data subjects are generally collected directly either from them (i.e. in the framework
of a job application) or from clients, partners and contacts (direct collection).

V. 2.1 / NOVEMBER 2023

In some specific cases, data may also be collected indirectly via other partners and/or suppliers of
Artelia, in which case Artelia takes the utmost care to ensure that the data disclosed to it with
regard to the processing activity concerned are pertinent and adequate (principle of minimisation).

PURPOSES AND LEGAL BASES

Depending on the case, Artelia processes data chiefly for the following purposes:

managing relations with clients and partners (particularly contract monitoring, accounting,
provision of services, invoicing, etc.);

managing relations with contacts;

updating

Artelia’s bank of CVs with those of job applicants who give their consent for this;

updating Artelia’s CRM (“Customer Relationship Management”) database with the contact
details of its correspondents in its dealings with clients, contacts and partners

managing newsletters

sending New Year greetings

responding to public and private tender invitations

managing job applications submitted to Artelia

controlling access to Artelia premises (safety of people and property, identifying
perpetrators of theft, vandalism or assault)

These purposes have the following legal bases:

performance of a contract signed between Artelia and its client or partner,

completion of pre-contractual formalities on behalf of an Artelia job applicant;

Artelia

’s legitimate interest in holding data concerning its users and its contacts and in

responding to requests submitted by visitors to its website via the contact form provided
there.

For purposes outside the aforementioned bases and whenever necessary, Artelia will obtain the
consent of the data subjects.

RECIPIENTS OF THE DATA – AUTHORISATION
AND ACCESSIBILITY

Artelia ensures that the data can only be accessed by authorised internal or external recipients.

Internal recipients

External recipients

V. 2.1 / NOVEMBER 2023

Internal recipients

External recipients

- Authorised personnel from departments in charge
of handling relations with clients and partners and
of prospecting for business, such as the marketing,
communication

and

sales

departments,

departments involved in managing recruitment,
administrative

departments,

logistics

and

departments and their supervisors;
- Authorised staff members in departments
responsible for oversight (internal auditing, etc.);

- Subsidiaries from the Artelia group;
- Official bodies, court officials and State officials, in
the framework of their assignments;
- Account auditors;
- Subcontractors.

Recipients of data subjects’ personal data at Artelia are bound by a duty of confidentiality.
Artelia decides which recipient will have access to which data in accordance with an authorisation
policy.
Artelia  is  not  liable  under  any  circumstances  for  any  harm  of  any  nature  resulting  from  unlawful
access to personal data held by external recipients.

Storage Period

The period for which the data are stored is defined by Artelia in light of the legal restrictions by
which it is bound or, failing this, in accordance with its requirements.
On expiry of the storage periods defined by Artelia, the data are either deleted or kept after having
been made anonymous, chiefly for statistical purposes. They may also be kept for the requirements
of pre-litigation or litigation.
Data subjects are reminded that deletion and anonymisation are irreversible operations and that
Artelia will be unable to restore the data concerned thereafter.

RIGHT OF CONFIRMATION AND RIGHT OF
ACCESS

Data  subjects  have  the  right to  ask  Artelia  for  confirmation  as  to whether  data  pertaining  to  them
are being processed.
Data  subjects  also  have  the  right  to  access  their  data,  the  said  right  being  contingent  on
compliance with the following rules:

the request is made by the subject himself/herself and is accompanied by a copy of an up-
to-date identity document;

the request is submitted in writing to the following email address: gdpr@arteliagroup.com.

Data  subjects  have  the  right to  request  a  copy  of  their  personal  data  being  processed  by  Artelia.
However,  should  they  request  additional  copies,  Artelia  may  require  them  to  cover  the  cost  of
providing these copies.
If  data  subjects  submit  their  request  for  a  copy  of  their  data  electronically,  the  information
requested  will  be  supplied  to  them  electronically  in  a  commonly  used  form,  unless  otherwise
requested.

V. 2.1 / NOVEMBER 2023

Lastly, data subjects are hereby informed that this right of access cannot apply to information or
data that are confidential or that cannot be disclosed by law.
The right of access must not be exercised in an abusive way, meaning in a regular manner with the
sole purpose of disrupting the department concerned.

UPDATING AND RECTIFICATION

Artelia complies with requests from data subjects to update their personal data:

automatically in the case of modification requests submitted online on entry fields which
can be updated technically or legally;

at the written request of the individual himself/herself, who must provide proof of identity.

RIGHT TO ERASURE

The data subjects’ right to erasure will not apply in cases where data is processed to comply with a
legal obligation.
Outside this situation, data subjects are entitled to request the erasure of their data in the following
limiting situations:

the personal data are no longer necessary with regard to the purposes for which they were
collected or processed in some other way;

when the data subject withdraws the consent upon which the processing activity is based
and there is no other legal basis for this activity;

the data subject opposes a processing activity that is necessary with regard to the
legitimate interests of Artelia but for which no compelling legitimate purpose exists;

the data subject opposes the processing of their personal data for prospecting purposes;

the personal data have been unlawfully processed.

In accordance with personal data protection legislation, data subjects are hereby informed that this
is an individual right that can only be exercised by the individual concerned with respect to their
own information; for security reasons, the department concerned will therefore verify their identity in
order to avoid disclosing any of their confidential information to someone other than them.

RIGHT TO LIMITATION

Data subjects are hereby informed that this right is not intended to apply to the extent that Artelia is
processing data in a lawful manner and that all personal data collected are required for the
performance of its services.

V. 2.1 / NOVEMBER 2023

RIGHT TO PORTABILITY

Artelia grants the right to data portability in the specific case where data are disclosed by the data
subjects themselves and for purposes based solely on the individual’s express consent. In this
case the data will be disclosed in a commonly used, machine-readable structured format.

AUTOMATED INDIVIDUAL DECISION

Artelia does not make automated individual decisions concerning data subjects.

POST MORTEM RIGHT

The data subjects are hereby informed that they have the right to give guidelines regarding the
post-mortem storage, erasure and disclosure of their data. These specific guidelines are submitted
and this right is exercised by sending an e-mail to the following address: gdpr@arteliagroup.com.
The request shall be accompanied by a copy of a signed proof of identity.

MANDATORY OR VOLUNTARY NATURE OF
RESPONSES

On  each  form  used  to  collect  personal  data,  data  subjects  are  informed  of  responses  that  are
mandatory by means of an asterisk. The other responses are voluntary.
In cases  where  responses  are  mandatory,  Artelia  explains  the  consequences  of failing  to provide
one.

USAGE RIGHT

The data subjects grant Artelia a right to use and process their personal data for the purposes
listed in the appendix.
However, all enhanced data resulting from processing and analysis by Artelia remain the exclusive
property of Artelia (usage analysis, statistics, etc.).

SUBCONTRACTING

V. 2.1 / NOVEMBER 2023

Artelia hereby  informs the  data subjects that it may appoint any subcontractor of its choice  in  the
context of processing their personal data.
In  such  a  case,  Artelia  will  ensure  that  the  subcontractor  fulfils  its  obligations  with  respect  to  the
GDPR.
Artelia  undertakes  to  sign  a  written  contract  with  all  of  its  subcontractors  and  imposes  the  same
personal  data  protection  obligations  on  its  subcontractors  that  it  imposes  on  itself.  Furthermore,
Artelia  reserves  the  right  to  carry  out  an  audit  of  its  subcontractors  to  ensure  that  they  are
complying with the provisions of the GDPR.

SECURITY

It is Artelia’s responsibility to define and implement the physical or logical technical security
measures that it deems appropriate to prevent the destruction, loss, alteration or unauthorised
disclosure of data in an accidental or unlawful manner.
These measures mainly include:

-  data access authorisation management;
-  internal safeguarding measures;
-  identification processes;
-  implementation of safety audits;
-  adoption of an information system security policy;
-  adoption of business continuity/disaster recovery plans, if appropriate;
-  implementation of a security protocol or security solutions.

DATA BREACH

In  the  event  of  a  personal  data  breach,  Artelia  undertakes  to  notify  the  competent  supervisory
authority under the conditions outlined by the GDPR.
If the said breach exposes data subjects to serious risk, Artelia:

will notify the data subjects;

will provide the data subjects with appropriate information and recommendations.

GDPR LEAD

Artelia has appointed a GDPR lead, who is the single contact person for matters pertaining to
personal data protection.
This person can be contacted at the following email address: gdpr@arteliagroup.com.
Artelia will notify the GDPR lead beforehand if personal data in its possession undergo further
processing.
If data subjects wish to obtain specific information or ask a specific question they can contact the
GDPR lead, who will respond to their requests within a reasonable period of time.

V. 2.1 / NOVEMBER 2023

RECORD OF PROCESSING ACTIVITIES

In  its  capacity  as  controller,  Artelia  undertakes  to  maintain  an  up-to-date  record  of  all  the
processing activities it performs.
This record is a document or application listing all of the processing activities carried out by Artelia
in its capacity as controller.
Artelia  undertakes  to  provide  the  supervisory  authority,  on  first  request,  with  the  information
enabling  the  said  authority  to  verify  that  its  data  processing  activities  comply  with  the  applicable
data protection legislation.

RIGHT TO LODGE A COMPLAINT WITH THE
COMPETENT SUPERVISORY AUTHORITY

Individuals whose personal data are processed are hereby informed of their right to lodge a
complaint with a supervisory authority if they believe that this processing activity is taking place in a
manner that does not comply with the GDPR.
The contact details of the supervisory authority are given in the appendix to this policy.

POLICY AMENDMENTS

This policy may be modified or adjusted at any time in the event of changes in legislation or case
law, decisions or recommendations issued by the supervisory authority, or changes in custom.
Data subjects will be notified of any new version of this policy by any means defined by Artelia,
particularly via its website.

FURTHER INFORMATION

Anyone requiring additional information may contact the GDPR lead at the following email address:
gdpr@arteliagroup.com
Anyone requiring more general information on the topic of personal data protection can consult the
website of the supervisory authority named in the appendix.

oOo

V. 2.1 / NOVEMBER 2023

APPENDIX 1

List of processing activities

Processing activities

Details

Contact details of Artelia’s correspondents
in its dealings with clients and partners

Processing of the personal data of Artelia’s correspondent(s)
in its dealings with its various clients and partners via its CRM
database in order to maintain business relations with these
parties (sign contracts, organise meetings, etc.).

Job application

Analysis  of  information  supporting  a  job  application  sent  by
the  applicant  (CV  and/or  other  document  including  personal
data) by email or via the recruitment area on Artelia’s website
(application for a specific position or spontaneous application)
and  selection  of  the  applicant  whose  profile  most  closely
matches  the  position  considered.  Addition  of  the  applicant’s
CV  to  the  CV  base  set  up  Artelia,  provided  that  his/her  prior
consent has been obtained.

Visitors to Artelia’s websites

Processing of the personal data of visitors to Artelia’s
websites: gathering of their connection data and processing of
their personal data if they fill in the contact form.

Video surveillance

Recording of video surveillance images at entrances to
Artelia’s premises.

V. 2.1 / NOVEMBER 2023

APPENDIX 2

Types of data collected

Types of data

Details

Non-technical data

• Identity and identification (surname, first name, date of birth);
• Contact details (e-mail address, postal address, telephone

number);

• Private and/or professional life when necessary (private life in

the case of job applicants);

• Images (video surveillance)

Technical data

• Identification data (IP address)
• Connection data (particularly logins)

V. 2.1 / NOVEMBER 2023

APPENDIX 3

Contact details of the

supervisory authority

CNIL (French Data Protection Authority)

– Service des plaintes (Complaints Department)

3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tel.: +33(0)1 53 73 22 22

oOo