1. DEFINITIONS
2. WHAT ARE THE DATA PROTECTION PRINCIPLES APPLIED BY THE GROUP?
3. IN WHAT CIRCUMSTANCES ARE CANDIDATES REQUIRED TO PROVIDE PERSONAL DATA? WHAT IS THE LEGAL BASIS FOR THE PROCESSING OF CANDIDATES’ PERSONAL DATA?
4. IN WHAT CIRCUMSTANCES ARE CANDIDATES REQUIRED TO PROVIDE PERSONAL DATA?
5. WHO RECEIVES CANDIDATES’ PERSONAL DATA?
6. HOW IS CANDIDATES’ PERSONAL DATA SECURED?
7. HOW LONG IS CANDIDATES’ PERSONAL DATA STORED?
8. WHAT RIGHTS DO CANDIDATES HAVE REGARDING THE PROCESSING OF THEIR PERSONAL DATA?
9. CONTACTS
10. CHARTER APPLICABILITY AND AMENDMENTS
The Crédit Agricole Group (the "Group") complies with personal data protection regulations, including those relating to the personal data of candidates¹ for a position in the Group.
In preparation for the changes to the regulations governing personal data protection that will occur when the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018², the Group has decided to formalise this "Charter for the Protection of Personal Data of Crédit Agricole Group Candidates" (the "Charter").
The Charter sets out all processing of candidates’ personal data performed within the Group, the basic data protection principles applicable to these operations and the way in which the Group upholds regulatory compliance.
1. DEFINITIONS
The following definitions apply in the Charter:
- Personal Data: Any information relating to an identified or identifiable candidate. For example, personal data can be a candidate’s contact details, resume or cover letter;
- Processing: Any operation (or set of operations) performed on personal data, including, for example, its collection, organisation, storage, modification, use, transmission, distribution or erasure;
- Purpose: The reason for processing personal data. The purposes of personal data processing in the context of this Charter are stated in §3 below;
- Recipient: Any natural or legal person, public authority, service or other organisation to which personal data is disclosed;
- Controller: The entity that defines the purpose of the personal data processing and the resources used to perform said processing. The controller of processing that uses candidates’ personal data is the Group entity that is looking to recruit.
- Processor: Any entity other than the controller that processes personal data on behalf of and at the request of the controller. A Group entity may therefore be a processor for another Group entity. For example, companies that provide IT or consulting services to the controller, or which are entrusted with HR management services, are considered to be processors.
2. WHAT ARE THE DATA PROTECTION PRINCIPLES APPLIED BY THE GROUP?
Candidates’ personal data is processed in accordance with the following personal data protection principles:
- Legal, fair and transparent processing: Candidates’ personal data must always be collected and processed for a specific purpose (the “legal basis”). No processing that breaches the principles defined in this Charter and the GDPR may be performed. Furthermore, clear, comprehensive and transparent information must be provided to all candidates regarding the processing of their personal data;
- Restricted purposes: Candidates’ personal data must always be collected and processed for specific purposes determined from the outset;
- Lean data: Only personal data that is strictly necessary in order to achieve the stated purposes may be collected from candidates. No personal data superfluous to the processing performed may be collected or used;
- Accuracy: Candidates’ personal data must always be accurate and regularly updated. All reasonable measures must be taken to ensure that any inaccurate data is either corrected or erased;
- Limited retention: Candidates’ personal data must not be stored for longer than needed to achieve the purposes for which it was collected;
- Security: Candidates’ personal data must be stored and processed securely and confidentially.
3. IN WHAT CIRCUMSTANCES ARE CANDIDATES REQUIRED TO PROVIDE PERSONAL DATA? WHAT IS THE LEGAL BASIS FOR THE PROCESSING OF CANDIDATES’ PERSONAL DATA?
The controller processes candidates’ personal data in order to:
- Manage candidatures, set up the job interview and selection processes, manage recommendations and references, manage the candidate pool and pre-recruitment, and establish promise-to-hire letters and contracts.
These processing operations are based on the candidate’s consent. A candidate’s consent must always be freely given, informed and explicit (generally in writing). Candidates may decide to withdraw their consent at any time. However, doing so does not affect the validity of any processing already performed with the candidate’s consent.
- Manage access to premises and potential video surveillance of the premises.
These processing operations are justified by a legitimate interest, which consists of ensuring the security of goods and individuals (in real time and afterwards). In this case, candidates may oppose certain processing involving their personal data for reasons relating to their specific circumstances (unless the data controller proves that there are legitimate and essential reasons for the processing that prevail over the data subject’s interests, rights and basic liberties, or that the processing is for the purpose of exercising or defending their legal rights).
The processing of personal data communicated by candidates is not based on profiling.
4. IN WHAT CIRCUMSTANCES ARE CANDIDATES REQUIRED TO PROVIDE PERSONAL DATA?
Some personal data may be necessary for the Group to review candidatures. Candidates will be informed of this during the data collection process, by an asterisk or in an equivalent way.
If this data is not communicated, the data controller will not be able to process the candidature.
5. WHO RECEIVES CANDIDATES’ PERSONAL DATA?
For the purposes of the processing described above, candidates’ personal data may in certain cases be disclosed to a variety of recipients, including:
- Group entities;
- IT and data processing firms, test editors, or data processors in charge of access to premises, and potential video surveillance providers;
- Recruitment agencies.
Group entities acting as controllers must choose processors that provide adequate guarantees that the processing will comply with the principles of the GDPR and that the personal data will remain confidential and secure.
If a recipient of personal data is located in a country outside the European Union, the recipient must comply with local legal requirements that provide a suitable level of protection, or, in the case of companies in the United States, comply with the Privacy Shield (a self-certification mechanism recognised by the European Commission), or else provide guarantees ensuring an equivalent level of protection.
These guarantees may be in the form of the standard contractual clauses on personal data protection adopted by the European Commission (namely, a transfer agreement between the controller and a processor, stating the respective obligations upon each if personal data is transferred outside the European Union).
6. HOW IS CANDIDATES’ PERSONAL DATA SECURED?
Solutions used to store and process candidates’ personal data must satisfy the security prerequisites specified by the Group’s Information Systems department and are subject to stringent approval and audit procedures.
The Group has implemented technical and organisational measures to ensure that candidates’ personal data remains secure and confidential. These include:
- Access control and user permissions for IT equipment used to process candidates’ personal data;
- Ensuring the security of technical infrastructures (including workstations, networks and servers) and data (for example, backups and business continuity plan);
- Restricting who is authorised to process personal data, depending on the purpose of the processing and the resources allocated;
- Strict non-disclosure obligations binding the Group’s processors;
- Rapid response procedures in the event of a security incident involving candidates’ personal data.
7. HOW LONG IS CANDIDATES’ PERSONAL DATA STORED?
Candidates’ personal data processed for the management of candidatures, mentioned in item 1 of §3, is stored for eighteen (18) months after the candidate’s last contact with the Group.
Personal data collected for managing access to the premises is stored for three (3) months. Personal data collected for the management of potential video surveillance systems is stored for thirty (30) days.
Throughout the storage period, only “need-to-know” individuals with the appropriate permissions may have access to candidates’ personal data, based on the purposes of the intended processing.
At the end of the storage period, candidates’ personal data must be either permanently erased or irreversibly anonymised.
8. WHAT RIGHTS DO CANDIDATES HAVE REGARDING THE PROCESSING OF THEIR PERSONAL DATA?
All candidates may exercise the following rights³ at any time:
- i. Right to access: Candidates may obtain information regarding the nature, source and use of their personal data. Whenever personal data is disclosed to third parties, candidates may also obtain information concerning the identities or categories of the recipients;
- ii. Right to rectification: Candidates may request that inaccurate or incomplete personal data be corrected or supplemented;
- iii. Right to erasure: Candidates may request that their personal data be erased, particularly if it is no longer necessary for the performed processing. The controller must erase personal data promptly, except in the cases provided for in the Regulation;
- iv. Right to restrict processing: Candidates may request that their personal data be made temporarily unavailable to prevent its subsequent processing, for example by moving their data to a different processing system, in the circumstances defined by the GDPR⁴;
- v. Right of opposition: Candidates may oppose certain processing involving their personal data for reasons relating to their specific circumstances, except where legitimate and essential reasons for the processing prevail over the data subject’s interests, rights and basic liberties or for the purpose of exercising or defending their legal rights;
- vi. Right to portability: Whenever personal data is processed after obtaining the candidate’s consent or required for the performance of a contract, the candidates concerned may ask to receive the personal data they provided to the controller, in a widely-used and structured electronic format. This right to portability can be exercised only if the data processing is carried out on the basis of the candidate’s consent.
The controller undertakes to examine requests submitted by candidates within the time limits specified in the GDPR.
9. CONTACTS
To obtain the contact details of the data protection officer (DPO), to get a copy of the appropriate guarantees mentioned in §5 and to exercise the rights mentioned in §8, candidates may contact: firstname.lastname@example.org
Candidates may also submit a complaint to the relevant data protection authority if they consider that any personal data processing does not comply with the GDPR: Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy - 75007 Paris.
10. CHARTER APPLICABILITY AND AMENDMENTS
The Charter shall be applicable with effect from 25 May 2018.
The Charter is available to download from each Group entity’s intranet, at the following address: https://www.groupecreditagricole.jobs/en/Candidate-Charter. It is liable to change, in response to regulatory or processing changes.
1: The term “candidate” refers to any individual external to the Group who contacts a Group entity, or is contacted by a Group entity, for the purpose of presenting their candidature for any position within a Group entity, an employment contract or any other related type of contract, including an apprenticeship, a vocational training contract, or an internship.
2: EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
3: Furthermore, candidates whose personal data is processed by a data processor located in France may issue instructions regarding the processing of their personal data in the event of their death.
4: That is:
- if the candidate disputes the accuracy of the processed personal data (for example in case of error related to the candidate's civil status), for a period allowing the controller to verify the accuracy of these data;
- if the processing is illegal and the candidate objects to the erasure of their data and demands that its use be restricted;
- if there are no longer any grounds for storing the candidate’s personal data but the candidate wishes it to be retained by the controller, for the purpose of exercising or defending their legal rights;
- if the candidate has opposed processing, for the time required in order to check whether the legitimate reasons of the controller should prevail over those of the candidate.