Privacy Policy
We attach the utmost importance to the protection and confidentiality of your personal data. This privacy policy enables you to understand our commitments and your rights in relation to the processing of your personal data in the context of the management of the Lactalis Group whistleblowing system (hereinafter the “Whistleblowing Platform”).
1. Definitions
What is personal data?
Personal data is information that identifies you. This can be information that directly identifies you, such as your first and last name, or that indirectly identifies you, such as your date of birth or address.
What is personal data processing?
Processing personal data is any operation or series of operations carried out on personal data, such as the collection, recording, storage, modification, disclosure or erasure of your personal data.
What is the Lactalis Group whistleblowing platform?
The Lactalis Group has implemented a Whistleblowing Platform to receive, process and manage reports of anomalies or incidents that violate the law, the group’s internal rules and procedures, or the Lactalis Group’s Anti-Corruption Lact@Policy and could be considered as corruption or influence peddling in a secure, discreet and confidential manner. A list of the categories is available on the Whistleblowing Platform as well as the Terms of Use of the Whistleblowing System, and FAQs, which can be accessed here: https://lactalisgroup.sharepoint.com/sites/ConformiteGroupe/SitePages/Ligne d'alerte - Acceuil.aspx
In order to protect whistleblowers, the Lactalis Group has selected a secure external platform, BKMS® System, which guarantees the protection and confidentiality of whistleblowers’ personal data.
For more information on the Whistleblowing Platform, we recommend that you take a look at the Frequently Asked Questions or the User Guide available on the homepage.
2. Who is the data controller?
The Lactalis Group, located at 10 rue Adolphe Beck 53000 Laval (France), is responsible for the Whistleblowing Platform and the processing of personal data carried out through it (hereinafter “Lactalis”).
The Whistleblowing Platform is hosted by BKMS® System and managed by a specialist company, EQS Group GmbH, Karlstraße 47, 80333 Munich, Germany, on behalf of Lactalis.
Data entered into BKMS® System, including personal data, are stored in a database managed by EQS Group GmbH in a certified, high-security data centre. Only members of the Group Compliance Committee have access to these data. Neither EQS Group GmbH nor any other third party has access to the data.
All data are encrypted and saved using several levels of password protection so that access is restricted to a very limited number of persons with the express authorisation of the Group Compliance Department.
3. Purposes of the processing of personal data
Use of the Whistleblowing Platform is voluntary. When you submit a report via the Whistleblowing Platform, we collect the following personal data:
- Your name, if you disclose your identity.
- Your status as an employee (permanent or casual) of Lactalis or one of its affiliated companies in the Lactalis Group.
- The names of persons and other personal data of the persons you mention in your report, where applicable.
We may collect and process personal data for the following purposes:
- Receiving and processing reports submitted via the Whistleblowing System.
- Responding to enquiries or questions from whistleblowers or person(s) mentioned in the report concerning the management of the Whistleblowing System or the processing of their personal data within this system.
- Managing requests from whistleblowers or from person(s) mentioned in the report concerning exercising their rights with regard to their personal data: right to object, right to erasure, right to rectification, right to restrict processing, right to portability.
4. Confidential handling of reports
Reports received on the Whistleblowing Platform are examined by a very limited number of persons (members of the Group Compliance Committee, and designated internal or external experts upon authorization of the Committee), all of whom have been given specific authorisations and are subject to a high degree of confidentiality. The reports are always handled with the strictest confidentiality. The members of the Group Compliance Committee assess the admissibility of the report and, if necessary, carry out a more detailed investigation.
During the processing of a report, it may be necessary to share the information received with other employees of the Lactalis Group with the express authorisation of the Group Compliance Committee. These employees may be based outside the European Union or the European Economic Area and subject to different regulations on the protection of personal data. Compliance with the data protection provisions applicable at the time these data are transmitted is always guaranteed.
5. Information concerning persons mentioned in the report
In accordance with the applicable regulations on personal data protection, the individual concerned by an admissible report is informed by the Compliance Committee that personal data concerning them is being processed within one month of the recording of their data. This information does not contain information on the identity of the author of the report.
This information may be withheld where it would compromise the integrity or the requirements of the investigation, for example where there is a risk of destruction of evidence. Information will then be provided when the risk is eliminated.
6. Retention period for personal data and legal basis for processing
The personal data collected via the Whistleblowing Platform is kept for the period of time strictly necessary for the purposes specified below:
Purpose of processing | Retention period | Legal basis |
---|
Receiving and processing reports submitted via the Whistleblowing System | Personal data relating to a report which is deemed by the controller not to fall within the scope of the Whistleblowing Platform shall be destroyed immediately or made anonymous. If no action is taken on a report that falls within the scope of the Whistleblowing Platform, the personal data relating to this report shall be destroyed or made anonymous within two months of the Group Compliance Committee’s closing report. If a disciplinary or litigation procedure is initiated against a named person or the author of an abusive report, the personal data relating to the report shall be kept until the end of the procedure or the time limit for appeals against the decision. We may be required to retain personal data relating to a report, in temporary archives, in compliance with a legal obligation to which the Lactalis Group is subject (for example, to comply with accounting, social or fiscal obligations). | Legal obligation |
Handling your enquiries | Personal data are stored for the length of time necessary to respond to the request in question. | Legitimate interest |
Handling your requests to exercise your rights regarding your personal data | 3 years from the processing of your request. | Legitimate interest |
7. Your rights and recourse
In accordance with the applicable regulations on personal data protection, you have the right to access, rectification and erasure of your personal data. You also have a right to restrict the processing, a right to portability and a right to object.
In order to exercise your rights, by proving your identity by any means, you can contact us at the following email address: DPO@fr.lactalis.com or by post to the following address: Data Protection Officer – LGPO – Direction Affaires Juridiques Groupe 10 à 20 rue Adolphe Beck 53000 Laval (France).
If the right to erasure is invoked, we will examine as soon as possible to what extent the stored data are still required for the processing of a report. Data that is no longer required is deleted.
If the right to object is invoked, we will examine as soon as possible to what extent there are legitimate and compelling reasons for the processing which prevail over the interests and the rights and freedoms of the data subject, or for establishing, exercising or defending legal rights.
The person concerned may not, on the basis of their right of access, obtain the identity of the whistleblower, data relating to third parties or information obtained during the investigation of the report.
We will do our best to respond to your requests in a satisfactory manner. If, for any reason, you consider that our response is not satisfactory, we would like to inform you that you can lodge a complaint with a supervisory authority.
8. Use of the Whistleblowing Platform
Communication between your computer and the BKMS® System platform takes place via an encrypted connection (SSL). The whistleblowing platform does not enable IP addresses to be traced. To maintain the connection between your computer and the BKMS® System platform, a cookie is stored on your computer which merely contains the session ID (a so-called “null cookie”). This cookie is valid only until the end of your session and expires when you close your browser.
You can set up a postbox within the Whistleblowing Platform which is protected with a personally chosen user name/pseudonym and password. You can either submit reports using your name or anonymously. In the Whistleblowing Platform, the data are stored only within the BKMS® System platform, which makes it particularly secure. This is not a traditional form of e-mail communication.
9. Note on sending attachments
When submitting a report or an addition to an existing report, you can also send attachments. If you wish to submit a report anonymously, please take into account the following security advice: files may contain personal data that may reveal your identity. Remove these data from the files before sending them. If you are unable to remove this data, or if you are unsure how to do so, please copy the text of your attachment into the text of your report message or send a printed copy of the document anonymously to the address given in the footnote, specifying the reference number assigned to you at the end of the reporting process.
10. Contact us
If you have any questions or requests regarding this privacy policy, you can contact the Data Protection Officer by email at DPO@fr.lactalis.com