PERSONAL DATA PROTECTION POLICY FOR REPORTING MANAGEMENT - KEOLIS GROUP
Purpose and Data controller
Within the framework of the reporting system, data processing is carried out by Groupe Keolis SAS and Keolis SA, joint data controllers, in order to process the reports received in accordance with the present procedure and to carry out the necessary investigations, as well as to deal with any disciplinary and/or legal proceedings that may arise from them.
Legal basis
The processing operations are carried out in order to fulfil the obligations of Keolis Group [1] under (i) Articles 6 et seq. of Law No. 2016-1691 of 9 December 2016, known as “Sapin II”, (ii) Article 17 of the same law, and (iii) the provisions of Law No. 2017-399 of 27 March 2017 on the due diligence of parent companies and instructing parties.
Data subject to the processing
As part of the reporting system, the following data may be collected and processed:
- identity, functions and contact details of the whistleblower;
- identity, functions and contact details of the persons subject of the report;
- identity, functions and contact details of the persons involved in the verification of the facts reported and the associated investigation;
- facts reported;
- elements collected in the context of the verification of the reported facts;
- reports of the verification operations;
- follow-up to the report.
Access and recipients of data
- Internal transmission within the Keolis Group
The personal data processed within the framework of the reporting system are accessible and processed by the members of the Ethic Line Committee. The necessary data may be transmitted to other persons within Keolis Group who need to know about it and who may be called upon to intervene in the verification of the reported facts and the associated investigation. In this context, only the data necessary for the accomplishment of their respective missions of verification or processing of the report will be transmitted to them.
- Transmission to external service providers
Data may be transmitted to service providers (lawyers, etc.) who may be called upon to intervene during the investigation. In this context, only the data strictly necessary for the accomplishment of their respective missions will be transmitted to them.
In order to ensure the hosting and proper functioning of the reporting platform, the data may be processed by the Keolis Group's service provider in charge of hosting and maintaining the Ethics Lines reporting platform, EQS Group GmbH, exclusively within the framework of its subcontracting missions.
- Transmission to third parties
Certain data may be transmitted to third parties in the event that Keolis Group is required to comply with laws and regulations and legal requests and orders.
Elements that could identify the Whistleblower may only be disclosed, except to the judicial authority, with the prior consent of the Whistleblower.
Data retention periods
Data relating to a report deemed inadmissible will either be destroyed or archived after anonymisation, within a maximum period of one (1) month. The archived anonymised data may be kept for a maximum of 10 years before final destruction.
If it turns out that the whistleblower made a report in bad faith or under abusive conditions and contrary to the law, the data relating to the report may be kept under the conditions and time limits set out below when a disciplinary procedure or legal proceedings are initiated.
Data relating to a report deemed admissible:
- Where the report is not followed by disciplinary or judicial proceedings, the data will be destroyed or archived after anonymisation, within two months of the closure of all verification operations.
- Where disciplinary proceedings or legal proceedings are initiated against the person concerned or the author of an abusive report, the data relating to that report shall be kept until the end of the proceedings or the time limit for appeals against the decision.
Data subject to archiving measures are kept in a separate information system with restricted access for a period not exceeding the time limits for litigation.
Security measures and transfers of personal data outside the European Union
Keolis secures the personal data processed in the context of reports by putting in place adequate physical, organisational and technical measures to prevent unauthorised access, use, disclosure, modification or destruction, in accordance with the GDPR.
These measures include in particular:
- Storage and processing of report data on secure servers within the European Union;
- Restricted access to authorised persons only;
- Internal organisational measures to protect the data.
Reports made from outside the European Union may be processed in accordance with this procedure.
Rights of data subjects and exercise of these rights
In accordance with the GDPR, any person identified in the reporting system has the following rights:
- A right of access to the data concerning them which has been processed in the context of the reporting system. However, the person subject to a report may not under any circumstances obtain, on the basis of their right of access, information concerning the identity of the Whistleblower.
- A right to rectification and erasure of the data concerning them. However, this right can only be exercised to rectify factual data, the material accuracy of which can be verified by Keolis with evidence, and without deleting or replacing the data, even if erroneous, initially collected. Indeed, this right must not allow the retroactive modification of the elements contained in the report or collected during its investigation. The exercise of this right must not make it impossible to reconstruct the chronology of any changes to important elements of the investigation.
The right to object to processing may not be exercised by the persons concerned within the framework of the reporting system, as the processing is implemented by Keolis on the basis of (i) Articles 6 et seq. of Law No. 2016-1691 of 9 December 2016, known as “Sapin II”, (ii) Article 17 of the same law, and (iii) the provisions of Law No. 2017-399 of 27 March 2017 on the due diligence of parent companies and principals.
All the rights listed above may be exercised by the persons concerned at the following address: ethicline@keolis.com.
[1] Keolis Group is understood to mean the group formed by the companies GROUPE KEOLIS S.A.S, Keolis SA and all their subsidiaries (i.e. all the companies controlled by the Group within the meaning of the consolidation rules).