Elior's commitments to protect personal data


Data protection: everyone's business within the Elior group


My rights

As you are an employee, the Elior Group collects and processes a significant amount of data concerning you. The Elior Group therefore has a duty to treat your data transparently and fairly and to ensure its security.

The HR notice reflects this commitment: it gives you complete information on this subject and explains how to exercise your rights:

  • Notice relating to the protection of employees' personal data (FR/EN/ES/DEU/IT/PT)
  • Notice on the protection of employees' personal data (short version) (FR/EN/ES/DEU/IT/PT)

Going deeper into the constraints related to the GDPR

1. Consider privacy and compliance from the outset of new projects

It is important to refer to the Group's policy and additional rules where applicable, and to follow the process for launching new projects.

2. Know how to identify personal data

Personal data is any information relating to an identified or identifiable natural person, directly or indirectly. The combination of indirect information can make it possible to identify a person. It does not matter whether the data is public or confidential, relates to the professional or private sphere, or is on paper or computerized.


3. Ensure that the personal data processed is minimised, especially during the collection phase

4. Identify, with the dgmp ambassador, the legal basis on which the processing relies:

Legal obligation: necessary to comply with a legal obligation to which the processing is subject (national law or European Union law); for example, communicating employees' remuneration data to social security and the tax administration.

Contractual necessity: necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject's request.
This basis must only cover the services essential to the performance of the contract and in particular excludes any commercial solicitation; for example, collecting a guest's contact information in order to draw up and send invoices, or processing employee data for payroll.


Legitimate interests: necessary for the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail; for example, analyzing Internet traffic to prevent access to malicious systems.

Vital interests: necessary to safeguard the vital interests of the data subject or another natural person; for example, the collection of a personal telephone number for sending SMS alerts in the event of serious events in the workplace.

Public interest: applies where the controller exercises public authority or carries out a public interest mission for which the processing is necessary.

Consent: the data subject has consented to the processing of his or her personal data for one or more specific purposes. The consent must be free (real choice, without negative consequences), informed (appropriate and sufficient information available at the time consent is given) and unambiguous («opt-in» logic: no ambiguity, and no consent by default or inferred from inaction).

5. Ensure there is a legal framework for any data exchanges and transfers


6. Ensure data security

IT security rules facilitate data protection. To engage employees in this process, a wide range of awareness-raising tools exists and is available on the «Ressources» page.
For more information, see https://hackingdiner.eliorgroup.net/.

7. Fill in the retention periods and apply the data life cycle

The information held must be accurate; this can be ensured by setting up appropriate mechanisms (verification at the time of collection, possibility for individuals to update it directly, periodic review of a sample, etc.).

Personal data must be kept for a period that is defined before the data is collected and is appropriate to the purpose for which it is collected. Once this purpose has been achieved, the data must be archived, deleted or anonymized, as the case may be.


8. Monitor free comment areas

Special precautions are required. These free text fields are useful for tracking a file or customizing a relationship. While it is not prohibited to use them, awareness-raising actions and management rules must govern their use to prevent the comments entered from infringing the rights of the persons concerned.


9. Be vigilant about any requests to exercise people's rights


10. Report incidents

Despite the application of high standards to ensure data security, the Elior Group cannot fully protect itself against the risk of data breaches, which can be defined as:

  • A breach of confidentiality, that is to say a data leak (example: loss of a USB key containing client files);
  • A breach of integrity, i.e. an unplanned change (e.g. unwanted modification of the database that automatically tells the authorities who has been assigned a company car);
  • A breach of availability, that is to say destruction of data (example: malicious software encrypting a database).

The source of these breaches may be external (e.g. an attack on a resource of the Elior group or of a provider exposed to the Internet) as well as internal. It may also be intentional or accidental (e.g. a screen without a privacy filter exposed on public transport).

The sooner an incident is reported, the sooner the competent services can contain it.

For personal data breaches, the group has 72 hours to notify the CNIL, the French regulatory authority. In some cases, it will even be mandatory to inform the affected data subjects.

11. Contact your ambassador as soon as possible, to be advised, kept informed and accompanied

>>> 2 emails to know = gdpr-contact@eliorgroup.com + it.security@eliorgroup.com

>>> To find out more, visit the page «GDPR : Kesako ?»

Related documents

Informações relativas à RGPD-short
pdf - 263.6 Ko - 07/06/2019 13:42
Informações relativas à RGPD
pdf - 458.6 Ko - 07/06/2019 13:42
Information on the GDPR-short
pdf - 254.3 Ko - 07/06/2019 13:42
Information on the GDPR
pdf - 353.3 Ko - 07/06/2019 13:42
Information relative à la RGPD-short
pdf - 275 Ko - 07/06/2019 13:42
Information relative à la RGPD
pdf - 309.5 Ko - 07/06/2019 13:43
Information über den DSGVO-short
pdf - 262.5 Ko - 07/06/2019 13:43
Information über den DSGVO
pdf - 303.5 Ko - 07/06/2019 13:43
Nota informativa relativa a la RGPD-short
pdf - 266.7 Ko - 07/06/2019 13:43
Nota informativa relativa a la RGPD
pdf - 314.9 Ko - 07/06/2019 13:43
Nota informativa relativa alla RGPD-short
pdf - 260.3 Ko - 07/06/2019 13:43
Nota informativa relativa alla RGPD
pdf - 310.2 Ko - 07/06/2019 13:43