Employees' personal data
Data protection for human resources
The KLÉPIERRE Group, including every company within it (hereinafter the “KLÉPIERRE Group” or “KLÉPIERRE”) attaches great importance to the protection of privacy and of its employees’ personal data.
KLÉPIERRE is therefore adopting a strict confidentiality policy in accordance with current regulations, and will ensure that it is enforced.
In the context of this Charter, “we” and “our” refer to any company of KLÉPIERRE Group, to the entity by which you are employed on the date of receipt of this document, or to the entity offering the position to which you are applying.
KLÉPIERRE is subject to the applicable rules governing data protection, and particularly General Data Protection Regulation no. 2016/679 of 27 April 2016 (known as “GDPR”) and, on a subsidiary basis, all the national legal rules enacted pursuant to that regulation.
For this reason, we have drafted and introduced this Data Protection Charter for Human Resources (hereinafter the “Charter”), which clearly, simply and fully describes the way in which Klépierre, in its capacity as controller, collects and uses your Personal Data in accordance with Klépierre’s Data Protection Principles (which are core principles of Klépierre), the tools at your disposal to monitor such use and exercise your rights in that regard.
Regarding the Personal Data collected for hiring, throught the Career pages on Klépierre website, the controller is KLÉPIERRE MANAGEMENT, SNC with its head office 26 boulevard des Capucines in Paris (75009) in France, and registred RCS PARIS 562 100 214
Regarding the Personal Data collected for Human Resources MANAGEMENT, the controller is the Klepierre Group’s Company, who signed your employment contract.
1. ACCEPTANCE OF THIS DATA PROTECTION CHARTER FOR HUMAN RESOURCES
You must read this Charter carefully to ensure that you are properly informed as to the nature of the Personal Data that Klépierre holds on its employees and on applicants for positions within the Klépierre Group, and regarding the way in which such information is used.
“Personal Data” (hereinafter “Data”) means any information collected and recorded in a format allowing you to be identified personally and as an individual, whether directly (e.g. your name), or indirectly (e.g. your telephone number). By agreeing to apply to Klépierre, or by agreeing to the provisions of your employment contract with Klépierre, you expressly agree to this Charter.
You acknowledge and accept that this Charter does not grant you any rights in addition to those provided for by local laws.
2. KLÉPIERRE’S DATA PROTECTION PRINCIPLES
Klépierre’s Data Protection Principles, which apply to the whole of the Klépierre Group, are set out below.
- Legality, Fairness and Transparency: When your Data is collected and processed, Klépierre will inform you of the purpose of the processing, of the addressees of the data, of any data transfers, of the period of retention of your data and of your rights.
- Legitimacy: Data are only collected and processed for the purposes described in this Charter. No subsequent processing will take place which is incompatible with the purposes expressly described.
- Minimization, relevance and accuracy: Only Data required to be processed are collected. Klépierre will take all reasonable steps to keep Data up-to-date and to ensure that inaccurate Data are deleted or corrected.
- Retention: We will keep your Data for the time necessary for the purposes of data processing, in accordance with the provisions of this Charter and the requirements of local laws.
- Access and correction: You have the possibility of accessing, amending, correcting or deleting your Data. Details of the department to contact for this purpose are provided below.
- Confidentiality and security: We will put reasonable technical and organizational measures in place to protect your Data against tampering, accidental or unlawful loss or unauthorized disclosure or access.
- International sharing and transfers: We may share your Data within the Klépierre Group or with third parties (such as commercial partners and service providers) for the purposes set out in this Charter. We will take appropriate steps to guarantee the security of such sharing and transfers. If you have any questions regarding Klépierre’s Data Protection Principles, please contact the department whose details are set out below.
This Charter applies to: All employees working for an entity of the Klépierre Group, namely:
- Employees of the KLÉPIERRE Group, or of a subsidiary or other entity controlled by Klépierre; or
- Any person engaged (directly or indirectly) in a mission for Klépierre, including temporary staff, trainees or members of the staff of a service provider, and employees of entities (co-ownership, property associations (AFUL), etc.) insofar as their data are processed by Klépierre; and to applicants for a position with a Group entity; hereinafter referred to as “you”.
4. WHAT DATA ARE COLLECTED?
Insofar as allowed by local laws, we collect, process and keep Data concerning you and concerning your family and relations, such as:
In the context of the recruitment process:
CV, family name, spouse’s name, forename, sex, date of birth, contact details (personal address, e-mail address, personal telephone number), diplomas and training certificates, foreign languages spoken, curriculum vitae (detailing your professional experience and, if applicable, continuing education), application letter, disability situation, and psychological profiling results.
In the context of management of human resources:
Identifying information: family name, spouse’s name, forename, sex, date and place of birth, nationality, contact details (address, personal telephone number, e-mail address and the name and telephone number of the person to be contacted in an emergency), copy of an identity document, copy of a social security certificate, passport number (for employees traveling internationally), driving license number (if this information is relevant to the position), photos, bank details; Social security data: work permit number, social security number, and, if applicable, level of disability;
Family situation: civil status, name, forename and date of birth of your spouse or partner, name, forename and date of birth of any children, information relating to insurance, pension and the beneficiary of pension or welfare payments;
Transport/Business travel: any information relating to the means of transport used by an employee, for the purposes of reimbursement of travelling expenses or the organization of business travel (preferences, location, etc.), e.g. travel card, expenses incurred in the use of a vehicle, etc.;
Copy of the driving license and annual solemn declaration of driving license validity (for employees benefiting from a company car).
Training: period of training and number of connections to online training tools;
Training and career: diplomas and training certificates, foreign languages spoken, curriculum vitae (detailing your professional experience and, if applicable, continuing education), situation in term of mobility and career plan management, monitoring of the annual performance assessment and psychological profiling results;
Professional life: temporary contract, permanent contract, part-time or full-time employment, recruitment date, contract termination date, directorate, department and service, immediate superiors, employee identification number, job title, information about the position, telephone number and e-mail address, job description, working hours, absences (in particular, sick leave, special leave or absences, maternity leave, parental leave), paid leave (if applicable) and leave to reduce working hours (RTT), evidence for authorized absences (death certificate, marriage, house-moving invoice, medical certificate for sick children, record of work stoppage), school certificates, staff representative mandate (as a member of the social and economic committee or of a union), etc.
Economic and financial situation: tax deductions and withholding taxes, level of salary, record of salary and other items of compensation, stock options plan, purchase option plan, relevant payments, contributions to the pension fund, bank account details, notifications to third-party holders;
Any Data that Klépierre must collect in order to comply with its obligations as employer pursuant to local laws (e.g. membership of a union, level of disability, etc.);
Your use of Klépierre’s IT system: the manner in which your Data are collected and processed in the context of your use of Klépierre’s IT system is set out in the Klépierre Group’s Use of IT Resources Charter provided to you upon joining KLEPIERRE, and in certain countries is included in your employment contract or in your company’s internal regulations;
Video surveillance and access badge monitoring data: Klépierre has set up video surveillance and access control systems at its premises which enable it to collect and process Data about you such as video recordings, access information and information on the time of collection;
Whistle-blowing mechanism: in accordance with its legal obligations, Klépierre has set up a whistle-blowing mechanism that enables employees to report conduct that is unethical or inappropriate. If applicable, the nature of the Data collected and the manner in which they are processed are set out in a specific information note provided to you upon joining the KLEPIERRE Group, or are included in your employment contract or, in certain countries, in your company’s internal regulations;
Personal preferences (food taboos, hobbies…) mainly treated as a part of organization of team building events.
Any other additional Data that we need to manage the employment relationship or that you provided to us when you applied for a position at Klépierre (e.g. curriculum vitae or application letter, assessment report by external recruitment consultants or by former managers).
5. WHAT SENSITIVE DATA ARE COLLECTED?
We may have occasion to collect and process particular categories of Data about you. We may process such Data if and strictly insofar as such processing is necessary for the employment contract to be performed, or in the context of legal claims, or when we are obliged to do so to comply with our legal or regulatory obligations.
Criminal records: if necessary in the context of the position held by the employee at Klépierre;
The whistle-blowing mechanism in place within the Group may also reveal breaches or offenses that you might have committed;
Data concerning your health, when its processing is necessary in order for us to perform our employment law or social security obligations, insofar as such processing is permitted by the applicable laws or when it is necessary for the purposes of preventative medicine, occupational health or assessment of an employee’s suitability for his or her position;
If applicable, Data revealing your sexual orientation (the processing of Data relating to the composition of your family could incidentally reveal your sexual orientation (for example, if you inform us of the name and sex of your partner);
If applicable, Data revealing your religious beliefs (the processing of Data relating to your eating habits could incidentally reveal your religious beliefs).
6. HOW ARE YOUR DATA COLLECTED?
Your Data may be collected by various means, including, in particular:
- Klépierre’s online recruitment websites;
- any other means of recruitment, including external recruitment consultants, job interviews, contacts with former employers.
Employment and employment relations: any information collected through:
- interviews with the Human Resources Department and on paper or electronic forms;
- to identification Data;
- evidence relating to travelling expenses;
- information relating to welfare benefits, health, pension and retirement plans, etc.
Internal and international mobility at Klépierre:
- Klépierre’s local Human Resources networks.
- Video recordings from video surveillance systems (if any) installed at Klépierre’s premises or in the vicinity of centers’ management offices, at shopping centers managed by KLEPIERRE;
- Information on the time of collection provided by access badge monitoring systems (if applicable);
- Other security measures.
Provision of information by third-party service providers:
- Recruitment service providers;
- Companies managing Klépierre’s employee savings, stock options and bonus performance share plans, etc.
Use of Klépierre’s IT systems: for more information, please refer to the Group’s Use of IT Resources Charter.
We may gather your Data:
- Directly from you, for example through the application and recruitment procedure (online or in person);
- In the course of your activities in the context of your employment, for example your assessment or your interactions with other employees, contractors, customers or other persons; and
- From third parties, to the extent authorized by applicable laws. These third parties may include former employers or other employees (for example to source talent internally).
7. WHAT OBJECTIVES ARE WE SEEKING TO ACHIEVE?
Your Data are collected, processed and kept by Klépierre for the following purposes, in particular:
In the context of the recruitment process:
- The purpose of processing is to study applications received, to conduct the selection process, to create a CV database, and to share information relating to talent identified within the Klépierre Group;
- Applicants’ Data are collected either directly or indirectly in order to enable us to assess their suitability to carry out their mission (e.g. to check their references and qualifications).
In the context of managing human resources:
In order to comply with applicable local laws: for example, for the management of:
- obligations in terms of maternity leave;
- the organization of professional elections;
- obligations in terms of diversity;
- working hours;
- sick leave;
- pay: salaries and benefits due pursuant to your employment contract, annual increases and any other salary adjustments, payment of annual bonuses and management of pensions; deductions for income tax and social security contributions.
For the purposes of foreign mobility:
- To manage employees’ mobility within the Klépierre Group.
To provide services to employees:
- Employee benefits (e.g. luncheon vouchers, etc.)
- Administrative management of stock option plans (if applicable); allocations of bonus shares, etc.
Management of performance and talent:
- To facilitate the management of performance and employees’ career development, particularly in the context of annual performance assessments, annual salary reviews and, if applicable, disciplinary sanctions in accordance with local laws.
Security and control: for the management of:
- Access to premises (monitoring of badges);
- Access to Klépierre’s IT system;
- Security: video surveillance recordings (if applicable).
- Planning and budget;
- Management of directories;
- Management of employee files;
- Financial report;
- Restructurings, reorganizations, acquisitions and de-mergers.
Management of resources:
- For the distribution and maintenance of resources. E.g. management of employees’ rights of access to premises, the IT system and the database.
- For the organization of employee training sessions (e.g. via Klépierre University).
Creation of documentation:
- For annual reports, which may include the Data of certain categories of employees, or for internal and external communication media (which may contain photographs or videos of employees).
Disclosure to the authorities:
- When judicial authorities and/or police forces request such Data in the context of a judicial investigation;
- Subject to local legal provisions, when Klépierre can use your Data to protect its rights or to substantiate any claim, defense or statement in a case or before the courts, administrative authorities, arbitration tribunals and/or mediators, in the context of disciplinary actions/enquiries, audits or internal or external investigations.
We are authorized to use your Data in accordance with the above provisions, provided that:
- This is necessary to perform our obligations and to exercise our rights in connection with the employment contract between us;
- Such Data are necessary for the performance of our obligations in the context of occupational health and in order to take decisions concerning your suitability for work;
- We have legal and regulatory obligations with which we must comply;
- They may be necessary for us to establish, exercise or defend our rights or in the context of legal proceedings; or
- Your Data such as that described may be processed and used on the basis of our legitimate interest (or the legitimate interests of one or more companies of the Klépierre Group), such as:
- To enable us to administer and manage our operational activities in an effective and efficient way;
- To ensure a consistent approach to the management of our employees and the employees of our affiliated companies worldwide;
- To maintain the compliance of internal policies and procedures; or
- To enable us to contact you or to contact your family in emergencies.
8. SHARING YOUR DATA
Klépierre may share your Data with external or internal addressees, in the following way:
The Klépierre Group: We may share your Data, only if to do so is appropriate, with authorized members of Klépierre’s staff requiring access to them in the context of their tasks at Klépierre, for the purposes described above:
– your managers and superiors, Human Resources Managers, the staff of the IT and Legal Departments, the statutory auditors and accounting managers, the relevant managers of other entities of the Klépierre Group as regards categories of specific data stored on the Group’s databases, or in the context of pre-litigation proceedings or litigation;
External service providers: We may share your Data, if necessary, with third-party service providers, such as:
– payroll managers, service providers and managers dealing with benefits, suppliers of IT systems, financial institutions, pension management bodies, insurance companies (including health and welfare), and professional consultants and advisers;
– employment agencies or recruitment consultants, temporary employment agencies and placement services;
– other distributors and providers of goods or services such as travel agencies and company car leasing companies;
– any other service providers involved in the provision of services to employees.
Local authorities – internal investigations: we may share information with local authorities in accordance with the applicable regulations or in the context of internal investigations within the Klépierre Group:
- Tax authorities, social security departments, judicial authorities, employment departments or other authorities;
- Independent accountants, authorized representatives of internal audit functions such as auditors or lawyers, company security officers and law firms;
- Your Data may be shared in the context of internal or external audits and investigations following a request from police services, administrative or judicial authorities or when this is required by applicable laws, a court decision or a regulation.
- Klépierre reserves the right to disclose your Data to the public authorities in the context of official requests, for national security purposes or when the law so requires.
– Your Data may be disclosed in the context of a restructuring, sale or asset transfer, merger or other changes of control of Klépierre or of its situation (or that of its subsidiaries), to potential investors and to their statutory auditors and legal advisers.
Service providers in the context of commercial proposals: Klépierre will share your Data only if this is necessary for the afore-mentioned purposes. Klépierre will ask the addressees to preserve the confidentiality of your Data and to use it only in the context of the task that they are performing for Klépierre.
9. INTERNATIONAL TRANSFERS
For the purposes set out in Article 7 of this Charter, we may transfer your Data to addressees internal to the Group or third parties to the Group, who may be located in countries offering different levels of Data protection.
Consequently, in addition to introducing this Charter, Klépierre is taking appropriate steps, including by means of contractual clauses, to secure the transfer of your Data to external Klépierre entities or addressees located in countries offering a level of protection that differs from that offered in the country in which the Data are collected.
10. DATA SECURITY
Klépierre takes appropriate technical and organizational measures, in accordance with the applicable legal provisions, to protect your Data against accidental or unlawful destruction, loss or accidental alteration, and against unauthorized disclosure or access. For this purpose, technical measures (such as firewalls) and organizational measures (such as a system of user names and passwords, physical methods of protection, etc.) have been put in place.
11. RETENTION OF DATA
We will only store your Data for the period necessary for the purposes set out in this Charter, or as provided by applicable laws.
12. ACCESS AND AMENDMENT
You have the right to access your Data collected by Klépierre and to amend them, subject to the applicable legal provisions.
These rights include:
- the right to obtain information concerning the processing of your Data and to access Data concerning you that we retain;
- the right to withdraw your consent to the processing of your Data at any time, provided the processing concerned is based on consent. However, please note that we might still be authorized to process your Data if such processing takes place on a legal basis other than consent, and in particular if such processing is necessary for the performance of the employment contract, if it is necessary to comply with a legal or regulatory provision, or if it takes place on the basis of our legitimate interests;
- In certain circumstances, the right to receive Data in a commonly-used structured format readable by machine, and/or to request that we transfer such data to a third party, provided that is technically possible. Please note that this right only applies to Data that you have provided to us;
- The right to ask us to correct your Data if they are inaccurate or incomplete;
- The right to ask for your Data to be deleted in certain circumstances. Please note that there are circumstances in which you may ask us to delete your Data but in which we have the right to retain them;
- The right to object to, to ask for restrictions on, the processing of your Data in certain circumstances. Again, there might be circumstances in which you object to, or ask for restrictions on, the processing of your Data but in which we are legally authorized to continue to process your Data and/or to refuse your request;
- The right to file a complaint with the national authority (details of which are provided above) if you think that one or more of your rights have been infringed by our company; and
- The right to give instructions as to the treatment of your Data after your death.
You can exercise your rights by contacting us at the addresses appearing in the section headed “Contact us” below.
If you have any questions or complaints regarding the processing of your Data, we suggest that you contact the Data Protection Officer by e-mail at email@example.com or by letter to [ADDRESS].
You also have the right to make a complaint to the competent supervisory body, which in the case of France is:
Commission nationale de l’informatique et des libertés
3 Place de Fontenoy – TSA 80715 – 75334 Paris CEDEX 07
Tel : 01 53 73 22 22
This Charter is liable to be changed or amended. Consequently, we suggest that you review this Charter regularly as published on the corporate website, or for employees, on the intranet or as displayed on the staff notice board of your establishment.
14. PRIMACY OF LOCAL CHARTER
In case of local Charter includes requirements which are more stringent than those of this Charter, these local prescriptions will supersede them.