
The Group processes personal data relating to its employees, customers, partners, service providers, subcontractors and suppliers as part of its daily activities (employee management, management of customer and prospect solutions, etc.).
On the strength of its ethical values relating to personal data and privacy, ENGIE is committed to protecting them through the definition and implementation of a Group Personal Data Protection Policy.
At European level, the 1995 Directive has been replaced by the General Data Protection Regulation (GDPR), which is directly applicable since 25 May 2018. The latter reinforces the rights of individuals and the obligations of data controllers.
Internationally, a similar trend is observed in an ever-increasing number of countries.
ENGIE is committed to respecting the regulations relating to the protection of personal data.
ENGIE's Personal Data Protection Policy defines the objectives, means and governance that enable the entities concerned to comply with the regulations in this area.
The principles it sets out are to be put into practice by all entities carrying out processing of personal data. The ENGIE Business Units have appointed Data Privacy Managers in charge of coordinating personal data protection activities. Their missions are, in particular, the implementation of the Group Policy at the level of the BU or Entity, the advice and information of the data controllers, ensuring compliance with the regulations on the protection of personal data within their scope, raising employee awareness...
At Group level, the Data Privacy Committee brings together the Data Privacy Managers on a quarterly basis and aims to ensure the management of cross-functional activities relating to the protection of personal data.
The data privacy risk is assessed each year within the BUs and consolidated at Group level as part of the Group's annual risk analysis process (ERM).
The protection of personal data within ENGIE has its own control framework which is supported by the annual internal control exercise (INCOME).
The Group's personal data protection activities are reported annually to the Committee for Ethics, the Environment and Sustainable Development (CEEDD) of the ENGIE Board of Directors.
The Personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a way incompatible with those purposes.
Personal data must be adequate, relevant and not excessive in relation to the objectives pursued. The data subjects involved must be informed in a transparent manner of the use and sharing of their data. They must be able to exercise their right of access, rectification, opposition,...
The data controller must implement appropriate technical and organisational measures to ensure a level of security adapted to the risks.
ENGIE is required to process numerous personal data concerning its employees, particularly in the context of human resources management.
ENGIE has appointed Data Protection Officers (DPOs) for several of its companies in several countries. They can be reached via the GDPR portal.