Because you are an employee, the Elior Group collects and processes a significant amount of data concerning you. As such, the Elior Group has a duty to treat your data transparently and fairly and to ensure its security.
The HR notice reflects this commitment: it gives you complete information on this subject and explains how to exercise your rights.
1. Consider - from the outset of new projects - privacy and compliance
It is important to refer to the Group's policy and additional rules where applicable, and to follow the process for launching new projects.
2. Know how to identify personal data
Personal data is any information relating to an identified or identifiable natural person, directly or indirectly. The combination of indirect information can make it possible to identify a person. It does not matter whether the data is public or confidential, related to the professional or private sphere, or held on paper or on a computer.
3. Ensure that personal data in processing is minimised, especially during the collection phase
4. Identify, with the dgmp ambassador, the legal basis on which the processing is based:
Legal obligation: necessary to comply with a legal obligation to which the processing is subject (national law or European Union law); for example the communication to social security and the tax administration of the data relating to the remuneration of employees.
Contractual necessity: necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject's request.
This basis must cover only the services essential to the performance of the contract and, in particular, must exclude any commercial solicitation; for example, collecting a guest's contact information to issue and send invoices, or processing employee data for payroll.
Legitimate interests: necessary for the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail; for example, analyzing Internet traffic to prevent access to malicious systems.
Vital interests: necessary to safeguard the vital interests of the data subject or another natural person; for example, the collection of a personal telephone number for sending SMS alerts in the event of serious events in the workplace.
Public interest: necessary where the controller exercises public authority or carries out a public interest mission for which the processing is required.
Consent: the data subject has consented to the processing of his or her personal data for one or more specific purposes. Consent must be free (real choice, without negative consequences), informed (appropriate and sufficient information is present at the time consent is expressed) and unambiguous ("opt-in" logic: no ambiguity, and no consent by default or inferred from inaction).
5. Ensure the legal framework for possible data exchanges and transfers
6. Ensure data security
IT security rules facilitate data protection. To engage employees in this process, a wide range of awareness-raising tools is available on the «Ressources» page.
For more information, see https://hackingdiner.eliorgroup.net/.
7. Fill in the retention periods and apply the data life cycle
The information held must be accurate; this can be checked by setting up appropriate mechanisms (verification at the time of collection, possibility for individuals to update it directly, periodic review of a sample, etc.).
Personal data must be kept for a period of time that is defined before the data is collected and is adapted to the purpose for which it is collected. Once this purpose has been achieved, the data must be archived, deleted or anonymized, as the case may be.
8. Monitor free comment areas
Special precautions are required. These free text fields are useful for tracking a file or customizing a relationship. While it is not prohibited to use them, awareness-raising actions and management rules must govern their use to prevent the comments entered from infringing the rights of the persons concerned.
9. Be vigilant about any requests to exercise people's rights
10. Report incidents
Despite the application of high standards to ensure data security, the Elior Group cannot fully protect itself against the risk of data violations that can be defined by:
The source of these violations may be external (e.g. an attack on a resource of the Elior Group or of a provider exposed to the Internet) as well as internal. It may also be intentional or accidental (e.g. a screen without a privacy filter left visible on public transport).
The sooner an incident is reported, the sooner the competent services can contain it.
When it concerns violations of personal data, the group has 72 hours to notify the CNIL, the French regulatory authority. In some cases, it will even be mandatory to inform the affected data subjects.
11. Contact your ambassador as soon as possible, to be advised, kept informed and supported