Our approach to personal data protection
Context and stakes
The Group processes personal data relating to its employees, customers, partners, service providers, subcontractors and suppliers as part of its daily activities (employee management, management of customer and prospect solutions, etc.).
On the strength of its ethical values relating to personal data and privacy, ENGIE is committed to protecting them through the definition and implementation of a Group Personal Data Protection Policy.
- Personal data: any information relating to an identified or identifiable natural person ("data subject"), directly or indirectly, by reference to an identification number or to one or more elements specific to him/her (e.g. surname, first name, social security number, e-mail, IP address).
- Processing: any operation or set of operations involving personal data, whatever the process used and in particular the collection, recording, organisation, storage, etc.
- Data controller: entity that determines the purposes and means of the Processing operation(s) it sets up or has set up. The Data Controller is required to take all necessary precautions to protect Personal Data.
The evolution of regulations over time
At European level, the 1995 Directive has been replaced by the General Data Protection Regulation (GDPR), which has been directly applicable since 25 May 2018. The GDPR reinforces the rights of individuals and the obligations of data controllers.
Internationally, a similar trend is observed in an ever-increasing number of countries.
ENGIE's commitment to the protection of personal data
ENGIE is committed to respecting the regulations relating to the protection of personal data.
ENGIE's Personal Data Protection Policy defines the objectives, means and governance that enable the entities concerned to comply with the regulations in this area.
The principles it sets out are to be put into practice by all entities that process personal data. The ENGIE Business Units have appointed Data Privacy Managers in charge of coordinating personal data protection activities. Their missions include, in particular, implementing the Group Policy at the level of the BU or Entity, advising and informing the data controllers, ensuring compliance with the regulations on the protection of personal data within their scope, and raising employee awareness.
At Group level, the Data Privacy Committee brings together the Data Privacy Managers on a quarterly basis and aims to ensure the management of cross-functional activities relating to the protection of personal data.
The data privacy risk is assessed each year within the BUs and consolidated at Group level as part of the Group's annual risk analysis process (ERM).
The protection of personal data within ENGIE has its own control framework which is supported by the annual internal control exercise (INCOME).
The Group's personal data protection activities are reported annually to the Committee for Ethics, the Environment and Sustainable Development (CEEDD) of the ENGIE Board of Directors.
Some examples of data protection principles applied
Personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a way incompatible with those purposes.
- Each data processing operation must have a specific objective.
- The data processed must be consistent with the purpose of the collection.
- The data must not be reused for purposes other than those declared.
Personal data must be adequate, relevant and not excessive in relation to the objectives pursued. The data subjects involved must be informed in a transparent manner of the use and sharing of their data. They must be able to exercise their rights of access, rectification, opposition, etc.
The data controller must implement appropriate technical and organisational measures to ensure a level of security adapted to the risks.
ENGIE is required to process numerous personal data concerning its employees, particularly in the context of human resources management.
ENGIE has appointed Data Protection Officers (DPOs) for several of its companies in several countries. They can be reached via the GDPR portal.