HR PERSONAL DATA PROTECTION CHARTER ESI GROUP

 

1. OBJECTIVES OF THE HR PERSONAL DATA PROTECTION CHARTER

The ESI Group, including each of its component companies (hereinafter the "ESI Group" or "ESI" or the "Group") attaches great importance to the protection of privacy and data relating to its Employees and Candidates.

ESI undertakes to preserve your confidence in the confidentiality of your personal data and therefore ensures that it adopts and complies with all French and European regulations and legislation relating to the protection of personal data.

The purpose of this Charter is to inform each Employee and Candidate (hereinafter referred to as "You") about the HR processing of their personal data.

2. DEFINITIONS

  • « Candidate » refers to the person having sent an application and/or having been contacted by an entity of the Group or through a recruitment agency in connection with a job offer.
  • « Employee » refers to a person who has been recruited by an entity of the Group, regardless of his or her status.
  • « Recipient » refers to the natural or legal person, public authority, service or any other body that receives communication of your Personal Data, whether or not it is a third party.
  • « Personal Data » refers to any information relating to an identified or identifiable natural person ("Data Subject"); an "identifiable natural person" is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier, or to one or more specific elements specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
  • « Group » refers to the companies of the Group.
  • « IT resources » refers to the hardware, files, programs, software and software packages, all networks (local and external), servers, information systems, e-mail, instant messaging, storage spaces, collaborative tools belonging to the entities of the Group.
  • « Corporate Social Network » refers to any Group internal communication platform such as Salesforce Chatter, MS Teams. The Corporate Social Network aims to facilitate collaborative work and streamline exchanges between employees of the same company or group.
  • « HR or Human Resources » refers to any department or member of a department involved in personnel management (management of payroll, mutual insurance and provident funds), integration (recruitment), employee development (training, mobility, career development), or relations with employee representative bodies within ESI Group entities.
  • « Controller » refers to the natural or legal person, public authority, service or other body which alone or jointly with others determines the purposes and means of the Processing; where the purposes and means of such Processing are determined by Union law or by the law of a Member State, the controller may be designated or the specific criteria applicable to its designation may be provided for by Union law or by the law of a Member State.
  • « Processing » refers to any operation applied in an automated or non-automated manner to Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or combination, limitation, erasure or destruction.

3. PRINCIPLES RELATING TO THE PROTECTION OF PERSONAL DATA

The data protection principles that apply to the Group are as follows:

  • Legality, loyalty and transparency. The Group always strives to comply with the essential principles of the GDPR and assures all of its Employees and Candidates that the Personal Data collected is processed in a lawful, fair and transparent manner. When collecting and processing your personal data, the Group will inform Employees and Candidates of the purpose of the processing, the recipients of the data, any transfers, the length of time their data will be kept and their rights.
  • Legitimacy. Personal data is only collected and processed for the purposes described in this Charter. No further processing incompatible with the stated purposes will be carried out.
  • Minimization, relevance and accuracy. Only personal data necessary for processing is collected. The Group will take all reasonable steps to keep personal data up to date and to ensure that inaccurate personal data is erased or corrected.

4. FIELDS OF APPLICATION 

This Charter applies to all Employees working for an entity of ESI :

  • An Employee of ESI, of a subsidiary or of another entity controlled by ESI Group ;

  • Or any other person hired (directly or indirectly) to carry out an assignment for ESI, including temporary workers, trainees or members of staff of a service provider insofar as the data is processed by ESI.

This Charter also applies to Candidates for a position within a Group entity.

5. PURPOSE OF PROCESSING OF PERSONAL DATA OF EMPLOYEES AND CANDIDATES

The personal data of Employees and Candidates are intended to be used in particular for :

  • Recruitment: contacting the Candidate, scheduling the interview, following up with Candidates, sending information about ESI or the recruitment process.
  • Administrative management of personnel: management of the professional file kept in accordance with legal and regulatory provisions, as well as statutory, conventional or contractual provisions, management of internal directories and organization charts, management of individual allocations for the supply of equipment, vehicles and payment cards, control of access to the premises, management of meetings of staff representative bodies, membership of provident and supplementary health insurance schemes.
  • Mobility management;
  • Payroll and benefits management: compensation, employee savings, bonuses, withholding tax;
  • Management of the Employee’s career: professional assessment, skills management, management of professional mobility.
  • Training: follow-up of training requests and training periods carried out, evaluation of knowledge and training;
  • Management, administration and control of the use of IT resources : monitoring and maintenance of the computer equipment, management of computer directories to define access authorizations to applications and networks, management of electronic messaging, intranet.

6. WHAT IS THE LEGAL BASIS FOR THE DIFFERENT PROCESSING OPERATIONS?

For each type of processing, the purposes are listed below, each followed by its possible legal basis (subject to different choices justified by the specific context).

Recruitment

  • Application processing (CV and cover letter) and interview management - Pre-contractual measures
  • Constitution of a CV-thèque - Legitimate interest

Administrative management of personnel

  • Management of the professional file of employees, kept in accordance with the legislative and regulatory provisions, as well as the statutory provisions, contractual or conventional agreements that govern the interested parties - Execution of the contract
  • Realization of statistical reports or lists of employees to meet administrative management needs - Legitimate interest
  • Management of internal directories and organization charts - Legitimate interest
  • Management of individual endowments of supplies, equipment, vehicles and payment cards - Legitimate interest
  • Management of professional elections - Legal obligation
  • Organization of meetings of the employee representative bodies - Legal obligation

Compensation management and fulfilment of administrative formalities

  • Establishment of remunerations, provision of pay slips - Execution of the contract
  • Nominative social declaration - Legal obligation

Provision of computer tools to staff

  • Follow-up and maintenance of the computer equipment - Legitimate interest
  • Management of computer directories to define access authorizations to applications and networks - Legitimate interest
  • Implementation of devices designed to ensure the security and proper functioning of applications and networks - Legitimate interest
  • Professional e-mail management - Legitimate interest
  • Virtual private networks internal to the organization allowing the diffusion or the collection of data for administrative management of personnel (intranet) - Legitimate interest

Organization of work

  • Management of professional agendas and projects - Legitimate interest

Career and mobility monitoring

  • Professional evaluation of personnel, in compliance with the legislative and regulatory provisions or conventional rules that govern it - Legitimate interest
  • Management of internal professional skills - Legitimate interest
  • Forecasting of employment and skills - Legitimate interest
  • Management of professional mobility - Execution of the contract

Training

  • Management of training requests and of the training periods completed - Execution of the contract
  • Organization of training sessions and evaluation of knowledge and training - Legitimate interest

Management of social assistance

  • Management of social and cultural action directly implemented by the employer, to the exclusion of occupational medicine, social service or psychological support activities - Legitimate interest

 

7. WHAT PERSONAL DATA IS COLLECTED ?  

For the purposes defined above, ESI holds and processes the following personal data:

a) For recruitment management purposes :

  • Identification data (surname, first names, address trigram (postal and email), telephone number, date of birth, LinkedIn profile address) ;
  • Data relating to professional life (CV, training, diploma, copies of diplomas, experience, covering letter, information provided by the Candidate, work certificates, interview reports, interview dates, work authorization (yes/no), message that may be sent by the Candidate on the ESI Group website);
  • Economic and financial data (current and desired remuneration).


b) As part of the performance of the employment contract:

  • Identification data (surname, marital name, first names, sex, date and place of birth, age, address, numbers assigned by the social security, pension and provident institutions, photo (optional), email address, nationality, passport references (only for personnel who have to travel abroad), marital status, internal identifiers, etc.);
  • Copy of the ID card;
  • Type, serial number and copy of the document valid as a work permit for foreign employees;
  • Data concerning the vehicle used; copy of the driver's license held by the Employee and copy of the registration of the Employee's vehicle, for the payment by the company of the mileage allowances;
  • Data concerning the professional life  (CV, place of work, internal identification number, date of joining the company, seniority, job held and hierarchical coefficient, nature of the employment contract, dates of evaluation interviews, identity of the evaluator, professional skills of the Employee, objectives assigned, results obtained, assessment of professional skills based on objective criteria and presenting a direct and necessary link with the job held, observations and wishes formulated by the Employee, career development forecasts, disciplinary sanctions, professional achievements, professional diaries (dates, places and times of professional meetings, subject, persons present, attached documents), assigned tasks (identification of the staff concerned, task distribution), e-mail messages, Employee deliverables);
  • Data relating to the management of telephony (service used, nature of the call (in the form: local, departmental, national, international), duration, date and time of start and end of the call, billing elements (number of taxes, volume and nature of data exchanged excluding the content thereof and cost of the service used), SIM card number, IMEI number, PUK code, RIO number);
  • Data used to control the use of Outlook (tools for measuring the frequency and size of email, tools for analyzing attachments, etc.);
  • Contents of the Employee's Outlook electronic mailbox;
  • Validation of acquired experience (date of the request for validation, diploma, title or certificate of qualification concerned, professional experience subject to validation, validation (yes/no), date of the decision);
  • Personal life (family and marital status, dependent children, emergency contact information, special leave entitlements, leisure, vacation bonuses);
  • Health data transmitted by the Employee;
  • Declaration of work accident and occupational disease  (contact details of the occupational physician, date of the accident or of the first medical report of the occupational disease, date of the last day of work, date of resumption, reason for the stoppage (work accident or occupational disease), work not resumed to date);
  • Administrative follow-up of medical examinations of Employees (dates of the examinations, suitability for the workstation (fit or unfit), proposals for adaptation of the workstation or assignment to another workstation made by the occupational physician);
  • Disability rate ;
  • Remuneration elements (basic and variable remuneration if applicable, nature, rate and basis of social security contributions, vacations and absences giving rise to deductible or compensable deductions as well as any deductions legally made by the employer, professional expenses, method of payment, bank or postal account identity);
  • Training (diplomas, certificates and attestations, foreign languages spoken, follow-up of professional training requests and training periods completed, organization of training sessions, evaluation of knowledge and training);
  • Professional election (establishment of the electoral list (identity of voters, age, seniority, college), management of candidacies (identity, nature of the mandate requested, elements to verify compliance with the conditions of eligibility, trade union mandate (at the initiative of the candidate), if necessary declared trade union membership (by candidates in the first round)) and publication of results (identity of candidates, mandates concerned, number and percentage of votes obtained, identity of elected personnel and, if necessary, trade union membership of elected officials));
  • Meetings of employee representative bodies (convocations, preparatory documents, minutes);
  • Individual allocations of supplies, equipment, vehicles and payment cards (management of requests, nature of allocation, dates of allocation, maintenance and withdrawal, budget allocations) ;
  • Catering management.

Your data are likely to be transmitted:

  • To public bodies within the framework of our legal obligations;
  • To provident, complementary health and collective savings organizations for affiliation purposes;
  • To the Social and Economic Committee, unless you object;
  • To our technical and IT subcontractors and to our subcontractors for training or career management.

Your personal data will not under any circumstances be transferred to a third party for commercial purposes.

They are kept by us for the duration necessary for the execution of our legal and contractual obligations.

8. HOW IS YOUR PERSONAL DATA COLLECTED?

Your Personal Data may be collected by various means, including:

a) Recruitment management :

  • ESI 's recruitment websites;
  • All other means of recruitment, including external recruitment firms;
  • and by electronic messages exchanged between the Candidate and the Employees involved in the recruitment process (HR Business Partner, manager).

b) Hiring and execution of the employment contract:

  • Interviews with Human Resources departments and management involved in the recruitment process;
  • Evaluations;
  • Modification of identification data;
  • The supporting documents related to the transport tickets;
  • Information related to employee benefits, health, welfare and pension plans, etc.

 

9. SECURITY AND CONFIDENTIALITY

ESI implements all the technical and organisational measures that ESI deems appropriate in accordance with Article 32 of the GDPR in order to guarantee the security and confidentiality of your Personal Data.

For further information concerning data security, please contact ESI Group's data protection team at the following e-mail address: dataprotection [at] esi-group.com  and the IT team at the following e-mail address: support.it [at] esi-group.com .

10. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES

In specific cases, such as a transfer of permanent or one-off Employees, an expatriation, a VIE or an internship abroad, your Personal Data may be transferred to an entity of the Group in a third country that does not ensure a sufficient level of personal data protection according to the European Commission.

The Group continues to improve the supervision of such transfers by means of appropriate guarantees.

11. RIGHTS OF THE PERSONS CONCERNED  

According to the Regulation, you have the right to request from the Controller access to your personal data, the rectification of inaccurate or incomplete data, or the deletion of such data for legitimate reasons, or a limitation of the processing, as well as the portability of your data, i.e. the right to retrieve your data and transmit it to another data controller as well as the right to request the transmission directly to another data controller.

You also have the right to object to the processing of your personal data on legitimate grounds.

You may exercise all of these rights by contacting the Human Resources Department of ESI Group and the legal entity to which you belong.

You can also contact the ESI Group data protection team at the following e-mail address: dataprotection [at] esi-group.com . They will reply as soon as possible.

You also have the right to lodge a complaint with the data protection office to which you belong if you consider that the processing of personal data concerning you constitutes a violation of the said law.

12. UPDATE

This Charter is subject to change or modification.

Consequently, we invite you to regularly look at this Charter as published on ESI Group's Corporate website.