Privacy Policy

1. PREAMBLE

This Personal data privacy policy is intended to inform physical persons (employees, applicants, customers, suppliers or partners and their employees) about the measures implemented by VNS Europe, VNS France, and VNT France when collecting personal data in the course of their activities.

This Policy may evolve from time to time, either due to the legal context in France and in the European Union or to recommendations or decisions made by the CNIL (French supervisory authority for the protection of personal data).

2. DATA COLLECTED, PURPOSES OF PROCESSING AND ROLE OF THE DPO/DPC

Furthermore, VNS Europe, VNS France, and VNT France take actions to raise their employees' awareness of the necessity of protecting personal data, so that no collection or processing takes place unless it is relevant for the intended purposes and unless such purposes are defined to guarantee they are lawful, specified, explicit and legitimate.

Any processing implemented by VNS Europe, VNS France, and VNT France that may contain personal data is the subject of a full descriptive form, entered in the “Record of processing” held by VNS Europe, VNS France, and VNT France’s Data Protection Officer (DPO) or by the DPC (Data Protection Correspondent).

VNS Europe, VNS France and VNT France’s DPO or DPC thus ensures that the collection of personal data and their processing comply with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
  • Law n°78-17 of 6 January 1978 on the protection of personal data (French Data Protection Act)

     

The DPO or DPC is functionally placed under the authority of the general management of VNS France in order to guarantee its independence and to place the protection of personal data at the centre of the company's organisational chart.

3. GOLDEN RULES

VNS Europe, VNS France, and VNT France rely on 6 golden rules so that any person collecting or processing personal data on their behalf:

  • abides by the GDPR and ensures that personal data is collected, used and shared while respecting the rights of the concerned persons and the concept of “privacy by design”;
  • is transparent and clear with the concerned persons about the purposes of the processing, about the purpose and means of its implementation and about the persons with whom their data will be shared; seeks the natural persons’ consent whenever possible and proceeds without their consent only where GDPR or the law allows it or where their prior consultation is impossible or may present a specific risk;
  • seeks advice in case they have any doubt on how to process any personal data, confronts opinions with other practitioners, gets legal advice or advice from the competent supervisory authority if need be and documents their decision;
  • bases the decision to collect, use or share personal data on the physical person’s interest in order to process only necessary, relevant, adequate, proportionate, accurate, timely and secure data for a period of time in conformance with the purposes of the processing;
  • ensures that any information shared is strictly necessary to reach the purposes of the processing and to allow providers to render the services expected;
  • makes sure that the security measures are proportionate to the risks involved and taken to preserve the availability, the confidentiality and the integrity of the processing.

 

4. CONCERNED PHYSICAL PERSON’S INFORMATION

In accordance with GDPR, VNS Europe, VNS France, and VNT France are committed to informing the concerned physical persons of the rights they are guaranteed by informing them about:

  • the identity of the data controller;
  • the purpose of the processing;
  • where relevant, whether answers are obligatory or optional and what the potential consequences of their failure to answer are;
  • the recipients of the data;
  • their right to access, to rectification or to erasure on the data that concern them, the right to object to the processing for legitimate reasons, or to object to the processing of their data for marketing activities as well as the right to provide general or specific instructions for the processing of the data that concern them after their death;
  • the period of time for which the data are stored.

 

5. GROUP PROCESSING

VNS Europe, VNS France, and VNT France inform all concerned physical persons that some of the personal data relating to them are subject to Group processing under the responsibility of Veolia Environnement SA and are recorded in the latter’s register. Veolia Environnement SA is then responsible for informing them under the conditions of the legislation relating to the protection of personal data.

6. RECIPIENTS

VNS Europe, VNS France and VNT France inform the individuals concerned that all processing of personal data for which they are responsible may be made accessible to the internal audit department of VNS Europe, VNS France and VNT France or of the Group, to the compliance department of VNS Europe, VNS France and VNT France or of the Group, to the statutory auditors of VNS Europe, VNS France and VNT France or of the Group, to the persons in charge of handling reports of behaviour that violates the Group's ethics rules, as well as to the lawyers of VNS Europe, VNS France and VNT France and, if applicable, of the Group, to the competent authorities and, in certain cases, to the parties involved in a proposed merger or acquisition.

VNS Europe, VNS France, and VNT France may share some of the personal data collected with Group employees or with service providers and suppliers, strictly within the necessary limits required for the fulfilment of their tasks.

In this case, VNS Europe, VNS France, and VNT France ensure that they comply with the laws and regulations applicable for the protection of personal data and that they pay special attention to their confidentiality.

7. DATA STORAGE

Personal data collected by VNS Europe, VNS France and VNT France or on their behalf are stored by VNS Europe, VNS France and VNT France or their service providers, particularly on cloud storage services. For reasons that are mostly technical or linked to VNS Europe, VNS France and VNT France’s international dimension, some data may be stored or accessed outside the European Union or the European Economic Area (EEA) territories. If so, VNS Europe, VNS France and VNT France ensure that effective measures, compatible with the GDPR’s requirements, are taken to offer an adequate level of protection for personal data, in particular strict and appropriate physical, technical, organizational and procedural measures to ensure the availability, the security and the integrity of the personal data, modulated depending on their nature or sensitivity.

VNS Europe, VNS France and VNT France seek to limit the storage duration of personal data to the period of time necessary to complete the operations for which they have been collected and processed as permitted by the applicable regulation. Personal data is then irreversibly destroyed or anonymised.

8. SECURITY AND ALERTS

VNS Europe, VNS France and VNT France have adopted measures to ensure the security of the personal data collected in a manner that is appropriate to their sensitivity and to the attached risks. Thus, the IT teams and their providers or their subcontractors implement the requirements set out in Veolia’s Cybersecurity policy, in particular those relating to:

  • the identification of cyber risks,
  • the implementation of adapted network protections through filter devices,
  • the maintenance in security conditions of the various infrastructure components, in particular, application of software updates and upgrading of the components to avoid their use for other purposes than maintenance,
  • the enhancement of the infrastructure components such as servers or workstations,
  • regular checks of infrastructure or application vulnerabilities by monitoring and using a scanner of technical or application vulnerabilities,
  • the encryption of the data at rest when necessary and of data in transit,
  • the use of security good practices when developing new applications, in particular web applications, and the use of OWASP guidelines,
  • the allocation of user rights complying with the “lesser duty” rule and the right to be informed,
  • an access protection by implementing strengthened identification mechanisms and by a regular review of the accounts,
  • the security supervision of the personal data and application through the centralisation and use of logs,
  • the preservation of factors proving the implementation of the above measures.

When a breach affects personal data held by VNS Europe, VNS France, and VNT France, they will act promptly after gaining knowledge of such breach in order to inform the CNIL where appropriate and, if need be, to identify the flaws and implement adapted security measures.

9. PHYSICAL PERSONS’ RIGHTS

In accordance with the Personal Data Protection Act of 6 January 1978, as modified, physical persons whose data are collected have, within the limits of the law, a right to access, to rectification, if applicable to portability, and to erasure of the personal data that concern them, and a right to limitation. They also have a right to give the data controller instructions concerning the fate of their personal data after their death. Each physical person concerned by a processing may exercise their rights by writing to the person in charge of that specific processing at VNS Europe, VNS France, and VNT France, whose identity was indicated at the moment the collection occurred, then by sending an email to VNS Europe, VNS France, and VNT France’s DPO/DPC using the following address: [email protected]. If they believe the response is not satisfactory, the concerned persons may refer to the CNIL.

10. CONTACT

For any further information relating to this policy, please send a mail or email to VNS Europe, VNS France, and VNT France’s DPO/DPC ([email protected]).

for VNS France and VNT France [email protected] and 
for VNS Europe (UK) [email protected]

In general terms, any concerned person always has the possibility to contact the French supervisory authority (https://www.cnil.fr or at the following address: 3, Place de Fontenoy, 75007 Paris - France), and the ICO (www.ico.org.uk) for the UK.