The GDPR at a Glance

ici votre image

What is it?

The GDPR (General Data Protection Regulations) is a European legislation of 27 April 2016, applicable from 25 May 2018. Its rules have been incorporated into French law and led to the revision of the Data Protection Act on 20 June 2018.


Who protects?

It protects every EU resident.


To whom is it applicable and where ?

All organisations (companies, associations, administrations, local authorities, etc.) installed in the EU must apply the GDPR. But be careful, any non-EU organisation sending services and products-even free-to EU residents must comply with them as well.


What's the point ?

The text aims to harmonize the rights of all EU Member States on the protection of personal data. It thus aims to better protect people by strengthening their rights over their data and makes everyone responsible for processing the data.


Why this text?

Data protection is not new, but the expansion of digital and new technologies, as well as the massive exploitation of data for commercial purposes have led the legislator to want to:

  • inform the citizen about the use of his data (principles of transparency and loyalty);
  • strengthen the protection of privacy (principles of legal justification to deal with personal data, and proportionality between treatment of the given and the objective pursued);
  • and, in the face of digital risks (cyber-attacks, faults...), increase data security.


How does it protect us?

The GDPR now places the burden on organizations to manage the risks associated with the use of personal data (accountability). Organizations are therefore responsible and must demonstrate their compliance with the new rules. In the same vein, they must also notify the CNIL of any violation of personal data. 

The text also facilitates the exercise of individuals' rights and European regulatory authorities have organised themselves to facilitate remedies in the event of non-compliance with rights (single window or one-stop shop). 


What is the risk of non-compliance ?

European legislation has considerably increased sanctions. The most striking sanction of the Panel is financial. It can reach according to the nature of the infringements 10 or 20 million euro, and in case of very large turnover, 2 to 4% of global turnover.

The GDPR applied to the Elior group

ici votre image

As a restaurant and service provider, offering its customers, guests a healthy diet, prepared, and distributed in the state of the art and in compliance with the regulations in force, is a constant concern and an essential guarantee of trust.

Similarly, managing the processing of personal data in accordance with data protection regulations has become a fundamental issue.

To this end, the Group has defined a personal data protection policy applicable to the entire Elior Group. It sets the rules to ensure a consistent approach for all Group entities.

>>> Additional rules: the Group subsidiary in which you work may establish additional rules to specify their application in the country or sector of activity in which you operate. 



ici votre image

Personal data & treatments: to list and map

The Elior group must know and master the processing of personal data carried out in the context of its activities, which concern employees, customers or even suppliers.

To do this,the Group must keep and maintain over time a register detailing all relevant information on processing operations:​​​​​​​

ici votre image

We often talk about "collecting" data to talk about processing. But this is only one treatment process among many others.

These include recording, copying and pasting, deleting, modifying, communicating, or interconnecting.

If you take any action on personal data, there is a good chance that it is being processed.​​​​​​​

Privacy by design : privacy first

It is easier to take privacy and security considerations into account as early as possible in projects. 

Therefore, as soon as you start a new project, you are responsible for:

  • To take into account the issue of the protection of personal data,
  • And to ensure that the privacy of the persons concerned is respected.

The main principles related to the processing, to be respected

ici votre image

The processing of personal data must fulfill a substantial number of conditions in order to comply with:

  • Legality. Process data only if the processing is based on a legal basis (legal obligation, contract, consent of the person, public interest mission …).
  • Loyalty and transparency. People need to know what we are doing with their personal data. This principle refers to the right to information of persons.
  • Proportionality. Process data only as relevant and strictly necessary for the purpose for which they are intended, and to reduce the number to the strictest necessary. The data must be accurate, updated and kept for the specified period of time.
  • Security. Data must be digitally and/or physically secure, whether in electronic or paper format. In addition to an essential minimum-security foundation, data must be secured according to the risks involved, and according to the results of privacy impact assessments.
    Examples of measures:
    - protection of application access by authentication systems (username and password);
    - management of authorizations (only authorized persons have access to such data);
    - encryption of the data in the case of, for example, storage or transfer.
    >>> Any security issues? Visit or revisit the page https://hackingdiner.eliorgroup.net/.

Human rights: giving people the opportunity to exercise them

Whenever an organization processes personal data, individuals must be able to exercise their rights, in particular:

  • to access their personal data;
  • to request its correction / update;
  • to request its deletion;
  • to request the limitation of the processing of personal data;
  • to oppose the processing of personal data

These requests must be answered within one month.

However, the exercise of these rights is not an absolute right, the request must be legitimate and must be considered on a case-by-case basis. For example, it is possible to refuse a person's request to object to or delete billing data, the storage of which is essential for billing purposes and is a legal obligation.

Privacy risks to be analyzed and monitored

The Group must conduct privacy impact assessments. They make it possible to answer several questions such as:

  • Can the proposed or existing treatment have negative impacts on those affected?
  • Are IT security measures adequate and sufficient to protect the same data from cyberspace risks, vulnerabilities, data theft or cyber-attacks?
  • Are contracts signed with service providers, suppliers, customers sufficiently protective?

Non-EU data transfers: to be supervised

Prior to their implementation, data transfers to countries outside the European Economic Area (EEA) must be legally possible and secure as not all countries have such protective legislation.

The transfer of personal data  must be interpreted in a broad sense; it can for example be:

  • Data transfers between legal entities within the Elior Group itself;
  • An outsourced administration or maintenance of an IT resource;
  • Hosting a service in the cloud.

Related documents

Política de proteção-RGPD
PDF - 661.1 Ko - 07/06/2019 13:44
Politica sulla protezione-RGPD
PDF - 658.7 Ko - 07/06/2019 13:44
Politique de protection-RGPD
PDF - 683 Ko - 07/06/2019 13:44
Protection Policy-GDPR
PDF - 640.9 Ko - 07/06/2019 13:44
Schutzpolitik-DSGVO
PDF - 686.2 Ko - 07/06/2019 13:44
Política de protección de datos de carácter personal
PDF - 658.4 Ko - 07/06/2019 16:58