1. INTRODUCTION
The companies of the Veolia Group in Spain, whose parent company is VEOLIA SPAIN, S.L. (hereinafter, "VEOLIA"), are firmly committed to the protection of personal data.
This Data Protection Policy aims to inform individuals (employees, candidates, customers, suppliers or partners and their employees) about the measures implemented by VEOLIA in the collection of personal data in the course of their activities.
This Policy may evolve over time to adapt, where appropriate, to the legal context in Spain and the European Union or to incorporate the recommendations or decisions taken by the various data protection supervisory authorities in Spain and the European Data Protection Board.
2. PERSONAL DATA COLLECTED, PURPOSES OF PROCESSING AND DATA PROTECTION OFFICER
VEOLIA has created an organisation responsible for the correct application and compliance with this Policy under the supervision of the Chief Compliance Officer (CCO). The VEOLIA Data Protection Officer (DPO) is placed under the authority of the CCO in order to guarantee their independence and place the protection of personal data at the centre of the company's organisational structure.
In addition, VEOLIA carries out actions to make its employees aware of the need to protect personal data, so that no collection or processing is carried out unless it is relevant to the intended purposes and those purposes are defined so as to be lawful, specific, explicit and legitimate.
All processing carried out by VEOLIA that may contain personal data is subject to a complete descriptive sheet registered in the Record of Processing Activities.
VEOLIA guarantees that the collection and processing of personal data comply with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR), and
- Organic Law 3/2018, of 5 December, on the protection of personal data and the guarantee of digital rights (LOPDGDD).
3. GOLDEN RULES
VEOLIA's data protection policy is based on 6 GOLDEN RULES that must be followed by anyone involved in the collection or processing of personal data:
- to adhere to the GDPR and guarantee that personal data is collected, used and shared respecting the rights of data subjects and the concept of "privacy by design";
- to be transparent and clear with data subjects about the purposes of the processing, about the objective and the means and about the people with whom their data will be shared; to seek the consent of natural persons when necessary and proceed without their consent only when permitted by the GDPR or the LOPDGDD;
- to seek advice should there be any doubts about the processing of personal data, compare opinions with other professionals, obtain legal advice or advice from the competent supervisory authority, if necessary, and document the final decision;
- to ensure the decision to collect, use or share personal data is based on the interest of the natural persons and to process only the data that is necessary, relevant, adequate, proportionate, accurate, timely and secure for a period of time consistent with the purposes of the processing;
- to guarantee that all shared information is strictly necessary to achieve the purposes of the processing and to allow providers to provide the intended services;
- to ensure that the security measures adopted to preserve the availability, confidentiality, and integrity of the processing are proportionate to the existing risks.
4. INFORMATION FOR THE DATA SUBJECT
As established in the GDPR, VEOLIA undertakes to inform the data subject of:
- the identity of the data controller;
- the purpose of processing;
- if applicable, whether the answers are mandatory or optional and what the possible consequences of not responding are;
- the recipients of the data;
- their right to access, rectify or erase data concerning them, the right to object to processing on legitimate grounds, or to object to the processing of their data for marketing activities, the right to restriction of processing and data portability, as well as the right to give general or specific instructions for the processing of data concerning them after their death;
- the data retention period.
5. ACCESS TO DATA BY VEOLIA EMPLOYEES AND COLLABORATORS
VEOLIA informs the data subject that the personal data subjected to automated processing are registered in a Record of Processing Activities and may be consulted by persons from the internal audit departments of VEOLIA, by the compliance department or the DPO, by auditors, by those responsible for issuing alerts about behaviour that may violate the company's ethical standards and by its advisors or a competent authority and, in some cases, by parties interested in a merger or acquisition.
6. RECIPIENTS
VEOLIA may share some of the personal data collected with service providers and suppliers, strictly within the limits necessary for the performance of their tasks. VEOLIA ensures that it complies with the laws and regulations applicable to the protection of personal data and that it pays special attention to confidentiality.
7. STORAGE
The personal data collected by VEOLIA or on its behalf are stored by VEOLIA or its service providers, in particular in cloud storage services.
For reasons that are mostly technical or related to conditions specific to VEOLIA, some data may be stored or accessed outside the European Union or the territories of the European Economic Area (EEA). In this case, VEOLIA guarantees that effective measures, compatible with the requirements of the GDPR, are adopted to provide an adequate level of protection of personal data, in particular strict and appropriate physical, technical, organisational and procedural measures to ensure the availability, security and integrity of personal data, modulated according to their nature or sensitivity.
VEOLIA seeks to limit the duration of the storage of personal data to the period of time necessary to complete the operations for which they have been collected and processed, as permitted by applicable regulations. After this period, personal data is irreversibly destroyed or anonymised.
8. SECURITY AND ALERTS
VEOLIA has adopted measures to ensure the security of the personal data collected, in a manner appropriate to its sensitivity and the associated risks. Thus, the information and communications technology (ICT) team and its suppliers or subcontractors implement measures to, among other things:
- identify cyber risks,
- apply network protections adapted through filtering devices,
- securely maintain the infrastructure's various components, in particular through software updates, and 1) harden components to prevent their use for purposes other than those intended; 2) harden infrastructure components such as servers, workstations, and communication and network systems,
- periodically test the infrastructure and applications for vulnerabilities through monitoring and the use of technical or application vulnerability scanners,
- encrypt data at rest when necessary and data in transit, and apply good security practices when developing new applications, particularly web applications, by following OWASP guidelines,
- assign user rights in compliance with the principle of least privilege and the right to be informed,
- protect access through the application of reinforced identification mechanisms and periodic review of accounts,
- monitor the security of personal data and of its processing through centralisation and the use of access logs,
- preserve evidence of the application of the above measures.
When a breach affects personal data held by VEOLIA, it will act promptly upon becoming aware of such a breach to inform the relevant data protection supervisory authority where appropriate and, if necessary, to identify the failures and implement the security measures adopted in response.
9. RIGHTS OF NATURAL PERSONS
Natural persons whose data is collected have, within the limits of the law, the right of access, rectification and erasure of personal data concerning them, the right to object in certain cases, the right to portability where applicable, and the right to restriction of processing. They also have the right to send instructions to the data controller regarding the fate of their personal data after their death.
Each individual affected by processing can exercise their rights by writing to VEOLIA at the following address: dpo.es@veolia.com. If they consider the response unsatisfactory, data subjects may contact the data protection supervisory authority.