Notes on data privacy
The protection and confidentiality of data is our highest priority and we comply with the provisions of the European Regulation "on the protection of natural persons with regard to the processing of personal data and on the free movement of such data" (EU GDPR), as well as with the applicable national provisions on the protection of personal data. Please read this data protection information carefully before submitting a report.
Purpose of this whistleblowing system and legal basis
The Group Ethics & Compliance whistleblowing system operated with the platform BKMS® System is designed to collect, process and manage, securely and confidentially, the reports relating to breaches of EDF SA's Ethics and Compliance Code or those of its subsidiaries (excluding regulated infrastructures subsidiaries), to reports based on the fields referred to in law no 2016-1691 of 9 December 2016 on transparency, anti-corruption and economic modernisation (called Loi Sapin II) and in law no 2017-399 of 27 March 2017 on the duty of vigilance of parent companies and principal companies. The processing of personal data in the platform BKMS® System is based on the EDF Group's legitimate interest to detect and prevent any breach and to thus protect the Group, its employees, customers and suppliers.
Responsibility for the whistleblowing system
The EDF Group's Ethics and Compliance department is responsible for the Group's ethics and compliance reporting system (hereinafter the "whistleblowing system"). It is also the point of contact for persons affected by the whistleblowing system, at the following address:
EDF SA – Direction Ethique & Conformité Groupe
Strictement Confidentiel
Tour EDF – bureau 36P14
20, Place de la Défense
92050 Paris la Défense
The platform BKMS® System is managed by a specialist company, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin in Germany on behalf of EDF.
Personal data and information entered into the platform BKMS® System is stored in a database operated by EQS Group GmbH, in a certified, high-security data centre. Only EDF has access to this data. Neither EQS Group GmbH nor another third party has access to the data.
All the data is encrypted and protected with the help of multiple levels of password protection so that access is restricted to a very limited number of people who have been explicitly authorised by EDF.
Questions concerning the protection of data in the whistleblowing system and enquiries relating to exercising your personal data rights can be sent to the EDF SA Group's Ethics and Compliance department via the whistleblowing system by clicking on the "Submit a report or ask for advice/ exercise your rights" button.
Type of personal data collected
The use of the whistleblowing system is voluntary. When you submit a report via the platform BKMS® System, we collect the following personal data and information:
- your name, if you choose to reveal your identity;
- whether you are an EDF SA employee or an employee of the subsidiary concerned, an external collaborator, occasional collaborator connected to EDF SA or the subsidiary concerned;
- your relationship with a third party if you disclose it;
- the names of persons and other personal data of the persons that you mention in your report.
Confidential handling of reports
The reports are received by a small selection of expressly authorised and specially trained employees of the EDF Group's Ethics and Compliance department. The reports are always handled with the strictest confidentiality. The employees of the EDF Group's Ethics and Compliance department perform an analysis of the admissibility of the reports, exchange with the whistleblower, and appoint a responsible examiner within the Group with the agreement of the whistleblower. The responsible examiner for processing the report will conduct the actions and the enquiries required by the specific case until it is closed.
During the processing of a report or an investigation, it may be necessary to give access to all or some of the data in the platform BKMS® System to other EDF Group employees specifically authorised by the GECD, if necessary outside of the European Union or the European Economic Area subject to different personal data protection rules. Compliance with the data protection provisions applicable at the time this data is transmitted is always guaranteed.
All persons who receive access to the data are obligated to maintain strict confidentiality.
Information concerning the person(s) affected by the report
The person mentioned in a report will be informed of the personal data concerning him/her and contained in the platform BKMS® System. However, he/she will not be informed of the identity of the whistleblower or of any information that would enable them to be identified. Where protective measures are necessary, in particular to prevent the destruction of evidence or for the purposes of the investigation, this person may be notified after these measures have been adopted in accordance with the applicable legal provisions.
Rights of the data subjects
Under the applicable data protection regulations, the whistleblower and the person(s) concerned by the report have the right to information, access, rectification, erasure and objection to the processing of personal data concerning them. If the right of erasure is invoked, EDF will examine as soon as possible to what extent the data stored is still necessary for processing a report. Data which is no longer necessary is deleted. If the right of objection is invoked, EDF will promptly examine to what extent there are no longer legitimate and compelling reasons for the processing which override the interests and the rights and freedoms of the data subject, or for establishing, exercising or defending legal rights. Furthermore, the whistleblower and the person(s) mentioned in the report have the right to issue a complaint with a supervisory authority.
Retention period for personal data
Personal data is stored for as long as it takes to verify and investigate the report or as stipulated by the applicable law. Once the report has been processed, this personal data will be anonymised or deleted within two months of the report being closed unless any follow-up action is required for the report (disciplinary procedure, litigation, amendment of the rules or of the internal organisation) or if the data controller is legally obliged to retain it (for example, to comply with accounting, social or tax obligations). In any case, this retention period must be strictly limited to the intended purpose, determined in advance and made known to the data subjects.
Use of the whistleblowing system
Communication between your computer and the whistleblowing system operated with the platform BKMS® System is achieved via an encrypted connection (SSL). The whistleblowing system does not enable IP addresses to be traced. To maintain the connection between your computer and the platform BKMS® System, a cookie is stored on your computer which only contains the session ID (a so-called "session cookie"). This cookie is only valid until the end of your session and expires when you close your browser or turn off your computer.
You can create a postbox within the whistleblowing system which is protected by a user name/pseudonym and a password of your choice. You can either submit reports by name or anonymously. Exchanges between the persons in charge of analysing the permissibility and the processing and the whistleblower are only recorded within the platform BKMS® System, which makes them especially secure. It is not a traditional communication via e-mail.
Note on sending attachments
When submitting a report or an addition to an existing report, you can also send attachments. If you wish to submit a report anonymously, please take into account the following security advice: files may contain personal data other than your identity that could compromise your anonymity. Remove this data from the files before sending them. If you are unable to remove this data, or if you are unsure how to do so, send an anonymised copy of the document to the address in the footer at the bottom of the page, citing the reference number which you received at the end of the reporting process.