Agua Toulouse Groupe Ga Smart Building 1

Privacy and cookies policy

PERSONAL DATA PROTECTION POLICY

Date of last amendment: 22 September 2023

Introduction

GA SAS (hereinafter “GA”) and all its subsidiaries (hereinafter the “GA group”) undertake to ensure that the processing of personal data carried out in the context of its activity complies with European Regulation No. 2016/679, known as General Data Protection Regulation (GDPR) on personal data and with the Data Protection Act.

The notion of personal data (the “Personal Data”) refers to any information relating to an identified or identifiable natural person. A person is “identifiable” insofar as he/she may be identified, directly or indirectly, in particular by reference to an identification number or to one or more details which are specific to him/her.

The Personal Data collected may include, in particular and without limitation, surnames and first names, postal address, email address, telephone numbers, career data, copy of the employment contract, pay slips, IP address and any other Personal Data that may be relevant for the purposes set out below. However, the Personal Data collected is limited to the data strictly necessary for the purposes of the processing concerned.

Who collects the personal data?

This personal data protection policy applies to the processing of personal data carried out by GA SAS, and/or any of its affiliated companies and related entities acting as data controller(s). The data controller(s) may be contacted at the following address: GA SAS, 8 chemin de la Terrasse, Toulouse 31500.

Who does this policy apply to?

The purpose of this Personal Data Protection Policy is to inform all data subjects about how GA and or its subsidiaries collect and use your Personal Data and the means you have to control this use. This policy does not apply to third party websites that may be mentioned on the GA Group website.

The data subjects affected by the data processing we perform are:

  • any visitor to our website
  • our customers, their employees, and/or customers and/or suppliers, and/or partners, and/or service providers
  • our prospects
  • applicants for our job offers.

What are the methods of collection, the purposes and the foundations of the processing of your personal data?

3.1.  Website visitors

When you browse our website, we may collect personal data about you. These data are collected and processed on the basis of our legitimate interest and your consent in order to:

  • respond to any request or claim received;
  • invite you to events for which you have expressed an interest;
  • send you information or newsletters;
  • adapt the content of our website so that your experience is more personalised, and improve your experience on our website, carry out and measure the effectiveness of our marketing activities.

Furthermore, login and browsing data (date and time of visit to the website, IP address, device, browser, operating system, system configuration data) are automatically collected by the website via cookies.

These data are necessary for the proper technical functioning of the website and its services, as well as for audience measurement.

3.2.  Customers and prospects

In the context of our business relationships, we collect and process personal data concerning certain employees of our customers and prospects. These data are collected on the basis of the performance of the Contract or pre-contractual measures, compliance with legal obligations and the consent of the data subjects in order to allow:

  • the management of the contract, invoices, accounting, monitoring of the contractual relationship;
  • dispute management (transmissions to insurance companies, lawyers, counsel, etc.);
  • management of operations enabling communication with the Customer;
  • invitations to GA events;
  • sending commercial proposals/partnership proposals.

3.3.  Applicants

When you submit an application in the “Careers” area, the data are collected on the basis of the performance of the contract, in respect of the pre-contractual measures taken at the request of the applicant. Unless you object to being contacted again for offers other than the one for which you initially applied, they may be kept for two years, on the basis of the legitimate interest of the company to establish a CV library to meet its recruitment needs.

We may also collect personal data through Partners (temp. agency, recruitment firm, etc.) to whom you have previously given your consent to be contacted by us. In this context, only data for which you have provided explicit consent to their use by a partner will be used.

3.4.  Persons whose personal data may be collected indirectly

In the context of the services we provide to our customers, we may indirectly obtain personal data about you because our customers or other people provide them to us (for example your counsel or employer, or service providers we use for the purposes of our business) or because these data are in the public domain. These data are processed in compliance with this policy and the applicable regulations.

When we obtain personal data about you from our customers, it is their responsibility (i) to ensure that all personal data for which they are responsible for communicating to the GA group have been collected in a lawful, fair and transparent manner and (ii) to inform you of the processing that we carry out with your data.

To whom are your data transmitted?

The data collected on the GA group website and by any other means may be communicated to GA employees and those of its subsidiaries, partners or service providers, in the context of the performance of all or part of the services. GA would like to reiterate that, in this context, it asks its service providers, by contract, to implement strict measures for the confidentiality and protection of these data. Furthermore, GA may be required to provide personal information to authorised French or foreign public authorities.

No information is processed outside the European Union.

What are the technical and operational measures to protect your personal data?

We use a package of technical and organisational measures to protect your personal data, process them lawfully, fairly and transparently, and guarantee a level of security adapted to the risk.

These measures include:

  • awareness raising and training of staff to ensure they are aware of our obligations regarding the protection of personal data and the best practices to adopt to protect them;
  • administrative (HR, IS) and technical controls so as to limit access to personal data to only those personnel who need to be aware of them for any of the aforementioned purposes;
  • the implementation of internal procedures and policies, in particular for the management of requests for the exercise of rights and the adaptation of procedures for handling confidentiality incidents;
  • IT security measures to ensure protection against attacks and failures, in accordance with ISO 27001; including firewalls, encryption, antivirus software, antimalware and tools to prevent cyber attacks and personal data breaches;
  • physical security measures to protect our premises, including access badges.

Although the GA Group takes all appropriate security measures at the time of collection of your personal data and in the context of any processing of personal data, the transmission of data over the Internet (including by email) is never completely secure.

The website may offer you hyperlinks to other websites that can provide you with more qualified information. GA cannot be held responsible for content that it does not publish, the User recognising that this site and the services of third parties or partners are completely independent. The proposed redirection to a third-party site is not a recommendation and GA is in no way responsible for the editorial content proposed or the processing of Personal Data by these other websites.

How long are your personal data retained?

We will keep your personal data in our systems for the longest of the following periods:

  • the duration necessary for the accomplishment of the purposes for which they are processed, plus the statutory limitation period;
  • the retention, archiving and limitation periods set out by law or regulations;
  • the end of the limitation period applicable following a dispute or investigation in connection with one of our offers or proposals, or one of our services.

What are your rights?

Pursuant to Articles 14 to 22 of the GDPR, any natural person using the service has the right to exercise the following rights:

  • right of access: you can request a copy of the data that concerns you personally;
  • right of rectification: you can modify data that may be inaccurate about you;
  • right to object: you can object to us processing your data, within the limits of the conditions of Article 21 of the GDPR;
  • right to erasure: you can request the erasure of data concerning you, within the limits of the conditions of Article 17 of the GDPR;
  • right to object to profiling;
  • right to restriction of processing.

You may issue directives relating to the storage, erasure and communication of your personal data after death, in accordance with Article 85 of the Data Protection Act 78-17 of 6 January 1978.

These advance directives may be general or specific and issued to the following address: donneespersonnelles@ga.fr.

In the context of our activities, we do not perform profiling.

Furthermore, when you give your consent to the processing of your personal data, you have the option to withdraw it at any time.

Finally, when a personal data breach that may result in a high risk to your rights and freedoms is detected, you will be notified of this breach as soon as possible.

How can you exercise your rights?

If you have any other questions regarding the use we make of your personal data, the exercise of your rights or to lodge a complaint, you can contact our Data Protection Officer (“DPO”) at: donneespersonnelles@ga.fr.

If any question or request raised with our services has remained unfulfilled, you are entitled to lodge a complaint with the French National Data Protection Commission (“CNIL”), via its website or by mail: 3, place de Fontenoy – TSA 80715 – 75334 Paris CEDEX 07. This right may be exercised at any time free of charge, apart from postage costs, if applicable, and any costs of assistance or representation if you choose to be assisted in this procedure by a third party.

Revision of the personal data protection policy

We may change our personal data protection policy periodically, in particular due to legislative and/or regulatory changes and internal policies regarding the protection of your personal data.

If we make changes to this personal data protection policy, we will change the revision date at the top of the page. The amended version of this personal data protection policy will be applicable from this date. Thus, we encourage you to regularly review this policy in order to keep you informed of how we protect your personal data.