Personal Data Protection (PDP)

Dalkia is fully aware that in a connected world, the protection of personal data is essential for providing secured connected services. As a result, it is committed to protecting the personal data of its employees and customers, at every stage of designing its services, from data collection to deletion. In addition, Dalkia has set up systems to detect, manage and respond effectively in order to minimise the negative consequences for data subjects in the event of security incidents.

IT Policy and Charter

Dalkia has put in place Personal Data Protection Policies to inform its current and future customers, service providers and employees about how their data is processed. You are welcome to view our general data protection policy: see details below. This document explains how Dalkia processes the categories of data concerned, the legal basis of processing, the people who have access to your information, how we store and keep data secure, and how you can exercise your rights. The procedures for updating this document are also explained. If you have any questions regarding this Policy, please contact our Data Protection Officer (DPO).

Dedicated governance

Dalkia has appointed a Data Protection Officer, whom you can contact at dpo@dalkia.fr. The main mission of our DPO are to:

  • advise and inform Dalkia, its customers and subcontractors and their employees about their personal data protection obligations,
  • monitor compliance with EU and Member States’ personal data protection law and Dalkia’s and its customers’ rules on personal data protection, including with regard to the allocation of responsibilities, employee awareness and training, and related audits,
  • advise, on request, on the data protection impact assessment and verify its implementation,
  • cooperate with the supervisory authority,
  • act as a point of contact for the supervisory authority on matters relating to the processing of personal data, and conduct consultations, where appropriate, on any other subject.

General Data Protection Policy Details

1. Glossary

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any other subsequent French legislation, including its implementing regulations.

LIL: French Data Protection Act of 6 January 1978, as amended.

Personal data: any data relating to an identified or identifiable natural person; an "identifiable natural person" means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: within the meaning of the GDPR, "processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes of processing and means of the processing of personal data.

Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

DPO: the Data Protection Officer advises and supports the body that appoints them with compliance issues.

2. Who is responsible for processing your personal data?

Your personal data is processed by Dalkia SA, headquartered at Tour Europe – 33, Place des Corolles – TSA 12345 – 92099 Paris La Défense Cedex – in its capacity as the controller.

3. What personal data are processed?

The personal data categories we process are listed in the appendix for each of the types of processing carried out.

4. What are the purposes of the processing that we carry out on your personal data?

The processing we carry out on your personal data is for the following purposes:

  • managing our relationship,
  • monitoring and delivering the services you contracted with us,
  • managing your account in the Customer Area,
  • responding to your requests for information,
  • keeping you informed,
  • managing any complaints,
  • managing the recording of your calls,
  • contributing to help us improve our services,
  • presenting the features of our services recognised by our customers,
  • managing your participation in our events,
  • managing a whistleblowing incident,
  • responding to your requests regarding your personal data.

5. What is the legal basis for the processing of your personal data?

Dalkia processes your personal data on grounds of:

  • statutory obligations. This concerns all processing required by French and European legislation.
  • pre-contractual and contractual actions. This concerns the processing carried out to prepare for the signing of contracts with current and future Dalkia customers, and their performance.
  • its legitimate interest. This concerns all processing carried out that is necessary for running the company.
  • your consent. This concerns the processing carried out to keep you informed, invite you to events or present the features of our services recognised by our customers.

6. Who has access to your personal data?

Your data is processed by authorised persons at Dalkia.

We may be required to share your personal data in response to legal obligations or administrative or judicial decisions. We may therefore be required to communicate them to persons authorised by state agencies and services.

We may also share them with partners or service providers, in order to process all or part of your personal data, to the extent necessary for the performance of the tasks entrusted to them (for example, the operation of our website, the provision of services related to the operation or maintenance of the information system, the provision of services concerning the recording of your calls, or for carrying out investigations). Your personal data will be shared only with authorised persons.

To the extent possible, your data are not transferred outside the European Union. However, since some of our service providers are located in countries outside the European Economic Area, your personal data are processed in these countries. In such cases, we ensure that the transfer is carried out in a manner that complies with the applicable personal data protection regulations.

7. How do we secure your personal data ?

Dalkia has an Information System Security Policy (ISSP) in place. In particular, the Group Information System Security Officer is responsible for its deployment within the group.

Dalkia implements a set of systems deemed appropriate by IT security experts to ensure a good level of protection for Information Systems, in particular:

  • protection against viruses and malware,
  • network supervision,
  • protection from hacking,
  • software updates,
  • securing the premises,
  • protection of workstations and servers.

Dalkia regularly updates and strengthens these systems in line with technological capabilities and any new vulnerabilities identified. The behaviour and vigilance of each user is also a key factor in the security of IT resources. Accordingly, everyone using the information system must comply with Dalkia’s IT charter. This is updated whenever safety or personal data protection regulations change significantly.

Dalkia has implemented security control measures.

All such security measures are intended to ensure that the processed data are appropriately protected against unauthorised access, modification, disclosure or destruction.

The main measures are as follows:

  • Employees, subcontractors, service providers and contact persons at Dalkia who need access to your personal data to perform their roles, functions and responsibilities:
    • are authorised and have access which is strictly reserved for them;
    • are given information and/or trained, depending on their roles, functions and responsibilities;
    • have signed, according to their functions and responsibilities, a confidentiality undertaking and have been informed of the risks and penalties that apply in the event of breach of this obligation.
  • We encrypt data when necessary.
  • We conduct both internal audits and audits of our suppliers processing personal data on our behalf.

Dalkia ensures that third parties, service providers and processors within the meaning of the GDPR comply with and apply appropriate security measures.

8. How long do we store your personal data ?

In accordance with the regulations, we store your personal data only for no longer than is necessary for the fulfilment of the purposes indicated. These storage periods are based on:

  • our statutory or regulatory obligations,
  • the duration of your contract, if you have entered into a contract with Dalkia,
  • the time required to process your request or complaint,
  • the period during which your user account in the Customer Area remains open,
  • your interest in our services,
  • the need to maintain a history of your interactions with us, for the proper management of our business relationship.

9. How can you exercise your rights in relation to your personal data ?

Under the conditions set out in the applicable regulations, you have a right of access, rectification and objection, the right to portability, erasure and limitation of processing, and the right to give instructions on the storage, erasure and communication of your personal data after your death.

These rights may be exercised by contacting Dalkia SA:

By post: DPO Service – Tour Europe – 33, Place des Corolles – TSA 12345 - 92099 Paris La Défense Cedex, 

By email: dpo@dalkia.fr.

If you are not satisfied despite Dalkia’s response to your request, you are entitled to file a complaint with the French supervisory authority, CNIL.

10. Review and updating of our data protection policy

We undertake to process personal data in accordance with the statutory provisions in force. This policy will be reviewed based on improvements on personal data protection regulation.

11. Appendix on Processing and the Personal Data Processed

See attached document