HR Data Processing Charter 

Keyrus Group 


Hereafter referred to as the “Charter” 
PREAMBLE

As a player in the context of digital transformation, the Keyrus Group is involved in the construction of an innovative, virtuous, responsible and transparent work environment. 

We position ourselves in order to set up good practices when processing your personal data within the Keyrus Group, both with regard to our Employees and our Candidates. We intend to adopt ethical practices, taking account of the regulations in force applicable to your personal Data processing, specifically the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as well as Law No 78-17 of 6 January 1978 (Law I&L) on Information Technology, files and freedoms (hereafter referred to as the “Regulations”). 

The aim of this Charter is to inform every Employee and Candidate of the processing performed on their personal Data as part of Human Resources management within the Keyrus Group. 

DEFINITIONS

Below are some definitions to help you understand this Charter.

‘Candidate’ means the person who has sent their application and/or who has been contacted by an entity in the Keyrus Group or by an intermediary from a recruitment company as part of an offer of employment. 

‘Company Social Network’ means any communication platform internal to the Keyrus Group. The Company Social Network aims to facilitate collaborative working and to make exchanges between Employees in the same company or in the same group more fluid. Within the Keyrus Group, we use Workplace by Facebook. 

‘Data Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing; where the purposes and means of such Processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law. 

‘Employee’ means the person who has been recruited by an entity in the Keyrus Group, irrespective of their status. 

‘HR or Human Resources’ means any team or team member involved in personnel management, recruitment, payroll or relationships with bodies representing personnel within the entities in the Keyrus Group. 

‘IT Resources’ means the equipment, files, programmes, software and software packages, all the networks (local and external), servers, IT systems, electronic mail, instant messaging services, storage space, and collaborative tools belonging to the Keyrus Group. 

 ‘Keyrus Group’ means the following companies: Keyrus SA, Kadris Consultants, Keyrus Management, Keyrus Management Régions, Up Génération, Keyrus Capital Markets, Keyrus Biopharma Innovation, and Younicorns who are joint Processing Controllers, as detailed hereafter. 

‘Personal Data’ means any information relating to an identified or identifiable natural person (hereinafter the ‘Data subject’); an ‘identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of said natural person. 

‘Processing’ means any operation performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

‘Recipient’ means the natural or legal person, public authority, service or any other organisation which receives the communication of your personal Data, whether they are a third party or not.

PRINCIPLES RELATING TO DATA PROCESSING  

As stated in the preamble herein, the Keyrus Group makes every effort to permanently comply with the essential principles of the GDPR and to assure all its Employees and Candidates that the personal Data collected are processed in a legal, fair and transparent manner. 

The personal Data are collected for specific, express and legitimate purposes and the Keyrus Group undertakes not to process them for purposes which are incompatible with these objectives.

The entities in the Keyrus Group respect the principle of data minimisation, in accordance with Article 5(c) of the GDPR, specifically that only personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes are processed, as defined hereafter. 

PURPOSES AND LEGAL BASIS FOR DATA PROCESSING   


Your personal Data may also be collected indirectly by external sources:


As part of recruitment procedures, some personal Data may be obtained by a source other than the Data subject, specifically employment sites such as Monster or APEC, and also from social networks such as LinkedIn. 

If some of your personal Data have been processed by such companies, please refer to their data management policies. The Keyrus Group cannot be held responsible for any breach of the Regulations in force by one of these companies.  

TYPES OF PERSONAL DATA

In order to enable you to understand this Charter better, please find below a table listing the main categories of personal Data: 


PERSONAL DATA COLLECTED 

With regard to the legal purposes and foundations defined above, the Keyrus Group holds and processes the following personal Data:

  • For recruitment management purposes:
    • Identification data (surname, first name(s), address (postal and email), telephone number, date of birth, photo, LinkedIn profile address); 
    • Professional life (CV, training, degree and copy of degree certificates, experience, letter of motivation, information provided by the Candidate, summary of interviews, dates of interviews, work permit (yes/no), messages which may have been sent by the Candidate, amongst other things, through the Keyrus Group’s website); 
    • Personal life (hobbies stated on the Candidate’s CV); 
    • Economic and financial information (current remuneration and desired remuneration); 
  • As part of performing the employment contract:
    • Identification data (surname, married name, first name(s), gender, date and place of birth, address, numbers allocated by social security, pensions and provident organisations, photo (optional), email address, nationality, passport number (only for personnel who are seconded abroad);
    • Copy of ID card;
    • Photos taken during events organised by the WC;
    • Type, order number and copy of the certificate granting authorisation to work for foreign employees in application of Article R. 620-3 of the Employment Code;
    • Type of driving licence held by the employee and a copy of the Employee’s vehicle registration certificate for the company to pay mileage claims; 

    • Professional life (CV, place of work, internal identification number, date joined the company, length of service, position held and career grade, type of employment contract, dates of appraisal meetings, identity of appraiser, Employee’s professional skills, assigned objectives, results obtained, assessment of professional skills based on objective criteria, presenting a direct and necessary link with the position held, observations and desires formulated by the Employees, appreciation of professional aptitudes and career development plans, disciplinary sanctions, professional achievements, work calendars (dates, places and times of work meetings, subject, people present, attached documents), tasks performed (identification of personnel involved, division of tasks), messages through electronic messaging service, Employee’s deliverables);

    • Data relating to telephony management (outgoing and incoming telephone numbers, service used, operator called, nature of the call (in the form of: local, regional, national, international), duration, date and time of start and end of call, invoicing elements (number of taxes, volume and nature of data exchanged, excluding the content thereof and the costs of the service used), SIM card number, IMEI number, PUK code); 

    • Log file data (“logs”); 

    • Connection data (username and password);  

    • Data used to monitor Employees’ use of the internet; 

    • Data used to monitor use of the messaging service (tools to measure the frequency and size of the emails, tools to analyse the attached documents, etc.); 

    • Content of the Employee’s email; 

    • Proof of experience acquired (date of the evidence request, degree, certificate for the qualification concerned, professional experience subject to proof, evidence (yes/no), date of decision); 

    • Personal life (family and marital situation, dependent children, emergency contact’s details, elements providing a right to special leave, leisure); 

    • Health data provided by the Employee; 

    • Declarations regarding accidents at work or occupational disease (contact details for the occupational health doctor, date of the accident or the first medical certificate of occupational disease, date of last working day, date of return, grounds for the decision (accident at work or occupational disease), work not resumed to date); 

    • Administrative monitoring of Employees’ medical visits (dates of visits, workstation aptitude (apt or inapt, proposals to adapt the workstation or assignment to another workstation drawn up by the occupational health doctor); 

    • Rate of incapacity, COTOREP category (A, B, C), other categories of beneficiaries under Law No 87-517 of 10 July 1987 (disabled pensioner, war-disabled, assimilated war-disabled); 

    • Remuneration elements (remuneration scheme and calculation basis, type, rate and basis of social contributions, leave and absence giving rise to deductible or compensable amounts, as well as any deductions made by the employer legally, professional expenses, payment method, banking or postal identity); 

    • Training (diplomas, certificates and attestations, foreign languages spoken, monitoring requests for professional training and periods of training completed, organisation of training sessions, assessment of knowledge and training); 

    • Professional elections (establishing the electoral list (identity of electorate, age, length of service, college), managing nominations (identity, nature of the mandate sought, elements enabling compliance with the eligibility conditions to be checked, union mandate (at the candidate’s initiative), where appropriate the union membership declared by the candidates in the first round) and publication of the results (identity of the candidates, mandates concerned, number and percentage of votes obtained, identity of personnel elected and, where appropriate, the elected persons’ union membership);

    • Meetings of personnel representation bodies (invitations, preparatory documents, minutes); 

    • Specific obligations entitling employees to special leave or to time-off rights (such as exercising an elected mandate or a union representative, participating in the operational reserve or in volunteer firefighting missions); 

    • Supplies of individual services, equipment, vehicles and payment cards (managing requests, supply type, supply, maintenance and withdrawal dates, budget allocations); 

    • Managing the catering services (Employee choice - restaurant ticket or RIE);

    • Report issued by the tax administration in return for each social nominative declaration or "income from other sources deduction" declaration subscribed by the collector which includes a particular identifier, information specific to each beneficiary of income paid by the debtor of the withholding tax, the registration number in the national directory for the Identification of natural persons or an ID number attributed by the national pension fund for employees, or provisional identification numbers allocated by the employer in the case where the first two numbers are not known, the applicable withholding tax rate, except where applicable (automatically or at the beneficiary option) the proportional rate, the anomalies detected by the tax authority;   

PERIOD FOR STORING DATA

The storage period applicable to your personal Data is based on the storage times provided for by law and the regulations for each data type. 

Unless the legal provisions or provisions in the tables below state otherwise, the personal Data concerning Employees are stored on an active basis for the period of time that the Data subject is employed. Upon the Employee’s departure, the data are archived in the intermediary archive in accordance with the legal and regulatory periods. At the end of these periods, the personal Data are destroyed. 

An indicative and non-exhaustive list of the storage periods for the principle documents relating to the Keyrus Group’s human resources management and corporate life is as follows: 


Personal data related to exercising union mandates and the mandates of personnel representatives are stored on an active basis for the duration of the Employee’s mandate, and then archived in the intermediary archive for 6 months after the end of the mandate (Article L2411-5 of the Employment Code) before being deleted. 

PROCESSING DATA COLLECTED BY ELECTRONIC MEANS 

Working within the Keyrus Group, you will use its IT resources (platforms, Company Social Networks, applications, software, etc.) on a daily basis. These systems will require your individual authentication and are therefore likely to process your personal Data. Each of these IT resources has its own data protection policy. Failing that, this Charter shall apply to govern the processing of your personal Data. It is the Employee’s responsibility to read these documents and to implement the obligations incumbent upon them as a result therefrom. 

For specific Processing, particularly in relation to security (video surveillance, badges, etc.), the use of an IT resource made available to the Employee or individual supply of services and equipment (hardware, software, badges, cars, etc.), Employees shall receive specific information informing them about the way in which their personal Data will be processed. 

For further information on using the Keyrus Group’s IT resources, we would encourage you to read the Keyrus IT Policy. Users may also file a complaint with the French Data Protection Agency, the CNIL, as supervisory authority. 

DATA RECIPIENTS

The Keyrus Group is the Data Controller with regard to processing the personal data of its Employees and the Candidates it handles. It undertakes to only send the data to authorised Recipients, either: 

  • As part of personnel management:
    • Authorised persons responsible for personnel management and managing individual supplies and IT resources; 
    • The line managers of the Employees concerned, excluding data relating to social action directly implemented by the employer; 
    • Personnel representation bodies: after receiving express agreement from the persons concerned, employees’ professional contact details and data strictly required for their representation; 
    • The Works Council (or WC), except if opposed by the Employee;
    • Union delegates: employees’ professional contact details after formal agreement with the employer and receipt of express agreement from the persons concerned, and data strictly required to defend the employees’ interests; 
    • Training providers and organisations; 
    • Internal Employees responsible for training; 
    • Suppliers providing catering services;  
    • The telecoms operator for telephony management. 
  • As part of Payroll management: 
    • Teams responsible for personnel administration and payroll;
    • Teams responsible for financial control in the company;
    • Authorised persons responsible for personnel management; 

    • Organisations managing different social insurance systems, unemployment insurance, pensions and provident schemes, paid holiday funds, public organisations and administrations legally authorised to receive them;
    • Accounts auditors; 

    • Financial organisations involved in managing the company’s and Employee’s accounts.   
  • As part of recruitment:
    • Teams responsible for recruitment; 

    • Authorised persons responsible for personnel management; 
    • Employees involved in recruitment; 
    • Recruitment agencies. 

 

Authorised suppliers may also have access to your personal Data as part of the services which they may provide, amongst other things, in connection with software solutions or IT resources used to process your personal Data (maintenance, support, hosting, security and monitoring IT resources, etc.). 

In the case of a dispute, your personal Data are liable to be sent:

  • To the legal team and, where necessary, to people working to resolve the conflict; 
  • To the judicial authorities in the case of an offence;
  • To administrative or judicial courts, joint or consular, arbitration, in order to establish, exercise or defend the rights of an entity in the Keyrus Group; 
  • To administrative or judicial courts, joint or consular, to execute an enforceable court decision against an entity in the Keyrus Group; 
  • To any natural or legal person to execute an enforceable court decision against an entity in the Keyrus Group; 

Employees in the Keyrus Group may have access to your identification data (surname, first name, professional email address and telephone number, position) specifically in order to communicate with you. 

For service reasons, the companies and members of their personnel who have a business relationship with the Keyrus Group may also be sent your identification data (surname, first name, professional email address and telephone number, position)

Furthermore, as part of transferring employees, VIE or a placement abroad, your personal Data may be sent to an entity in the Keyrus Group located in a third country outside of the European Union which does not guarantee an adequate level of personal data protection, according to the European Commission. This type of data transfer would only be carried out on the basis of appropriate guarantees, such as the signing of standard contractual clauses. 

In the event of an audit or inspection, your personal Data may be sent to the auditor, either internal or external. 

Our Data Protection Officer (DPO), our RSSI, authorised persons in the Processing and Organisation team and Keyrus Group Management are also Recipients. 

SECURITY AND CONFIDENTIALITY 

We implement all the technical and organisational measures deemed appropriate by the Keyrus Group, in accordance with Article 32 of the GDPR in order to ensure the security and confidentiality of your personal Data. 

We ensure that each Recipient abides by the appropriate security and confidentiality safeguards. 

It is the Employee’s responsibility to meet their obligations in terms of security and, specifically, to implement the provisions in the Keyrus IT Policy. 

For further information regarding data security, please contact your DPO. 

TRANSFER TO THIRD COUNTRIES 

In specific cases, such as transferring employees, expatriation, a VIE or a placement abroad, your personal data may be sent to an entity in the Keyrus Group located in a third country outside of the European Union which does not guarantee an adequate level of personal data protection, according to the European Commission. In this case, the Keyrus Group undertakes to implement all appropriate guarantees pursuant to the GDPR, such as the signing of standard contractual clauses. 

As part of telephony management, our telecoms operator BOUYGUES TELECOM stores (or outsources the storage to a trusted provider) the personal Data which we send to it within the European Union. Some data may also be accessible form the United States by partners who have signed up to the Privacy Shield agreement.

As part of using the MYKLX (Coursefit) training platform, your personal data are sent to our provider KBIN Applications Ltd, which is located in Israel. This transfer is based on a European Commission adequacy decision. 

In the case of your personal data being transferred to a Recipient located in a non-EC Member State, appropriate guarantees will be put in place, in accordance with the GDPR provisions, and the Keyrus Group will inform you thereof by all means possible. 

For further information, please contact your DPO. 

RIGHTS OF DATA SUBJECTS 

In accordance with the Regulations in force applicable to Personal Data Processing, you have the right to access, oppose, rectify, erase and, where necessary, limit the processing of your data, as well as the right to the portability of your data. 

To gain a full understanding of these rights and the means of exercising them, you can send your questions and/or requests to our Data Protection Officer (DPO) by:

> Post to Keyrus SA, 155 rue Anatole, 92300 LEVALLOIS-PERRET, France, with the subject ‘Personal Data’ 

> Email to Keyrus.DataProtection@Keyrus.com

The DPO shall reply to you as soon as possible. 

The operator Bouygues Telecom is the Data Controller responsible for processing your personal Data in relation to the electronic communications services. However, questions and/or requests should be sent our DPO. 

You also have the right to make a complaint to the French Data Protection Agency (CNIL), who are currently located at the following address: 3 place de Fontenoy, 75007 Paris. 

SEVERABILITY 

If one or more provisions of this Charter are held to be invalid or declared as such by virtue of statute or other legislative instrument or following a final decision by a competent court, such provision(s) will be deemed severed from the policy and all other provisions will remain valid and enforceable. 

AMENDMENTS TO THE POLICY 

The Policy may be amended by Keyrus Management in order to take into account recommendations from CNIL, changes in the law, case-law, Information Technology and, more generally, on the basis of any developments in IT and communications technology.