Group Data Protection Statement
Your privacy is very important to Pluxee Group. We (i.e. Pluxee International) have developed this Data Protection Statement in order for you to understand how and why we collect, use, store, share, transmit, transfer, delete or otherwise process (collectively “process”) your personal data.
Under the European data protection law, personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (hereinafter referred to as “Personal Data”).
This Statement further describes the measures we take to ensure the protection of your Personal Data. We also tell you how you can reach us to answer any questions or requests you may have about data protection.
What is the scope of this Data Protection Statement?
Territorial scope
The Statement applies to the global activities carried out in all geographic areas where we operate under the brand name “Pluxee” (hereafter altogether referred to as “Pluxee”) as far as European data protection laws, among which the General Data Protection Regulation (or “GDPR”), apply.
Material scope
This Statement applies to the processing of Personal Data carried out by Pluxee International, acting as Data Controller at group level. Personal Data is directly or indirectly collected through its Pluxee entities , from all individuals, including, but not limited to, Pluxee’s current, past, or prospective job applicants, employees, clients, consumers, merchants, affiliates, suppliers, contractors, shareholders, or any third parties, with “Personal Data” being defined as any data that relates to an identified or identifiable individual or a person who may be identified by means reasonably likely to be used.
This document is general in scope and may be supplemented by more specific privacy policies or notices, depending for instance on the type of processing activities, the location of the processing activities or the Pluxee entity controlling your Personal Data.
How will your Personal Data be collected and processed?
Compliance with the European data protection laws and any additional local laws regarding data protection
We are committed to complying with any applicable legislation relating to Personal Data and we shall ensure that Personal Data is collected and processed in accordance with the provisions of the European data protection laws and other applicable specific and/ or local laws, if any.
On which legal basis is your Personal Data being processed?
We do not collect or process Personal Data without having a lawful reason to do so. We may have to collect and process your Personal Data where necessary for the performance of a contract to which you are party, when it is necessary for compliance with a legal obligation to which we are subject, or where required, with your prior consent. We may also collect and process your Personal Data for Pluxee’s legitimate interests except where such interests are overridden by your interests or fundamental rights and freedoms.
When collecting and processing your Personal Data, we will provide you with a fair and full information notice or privacy statement about who is responsible for the processing of your Personal Data, for what purposes your Personal Data is being processed, who the recipients are, what your rights are and how to exercise them, etc., unless it is impossible, or it requires disproportionate efforts to do so.
When required by applicable law, we will seek your prior consent (e.g., before collecting any Sensitive Personal Data).
What is the purpose of the processing of your Personal Data?
Your Personal Data is always collected for specified, explicit and legitimate purposes, and is not further processed in a manner that is incompatible with those purposes.
When an entity of the Pluxee Group acts for its own purposes, your Personal Data is processed mainly for, but not limited to, the following purposes:
-
recruitment and human resources management,
-
accounting,
-
financial and non-financial management, controlling, auditing reporting and communication,
- treasury and tax management,
-
risk management,
-
management of employees’ health and safety environment,
-
provision of digital identities and tech and IT services,
-
information security management,
-
ensuring security of assets and premises,
-
client relationship management including billing and payment, customer service,
-
consumer relationship management, including management of accounts on websites and digital apps and sending of marketing communications,
-
supply management,
-
bids, sales and marketing management,
-
internal and external communication and events management,
-
data analytics operations,
-
compliance with anti-money laundering obligations or any other legal requirements, legal corporate management,
-
managing of public affairs and CSR (“Corporate Social Responsibility"),
-
implementation of ethics and compliance processes and programs.
How long do we keep your Personal Data ?
Pluxee will keep Personal Data that is processed accurate and, where necessary, up to date. Also, we will only retain Personal Data for as long as necessary for the purposes it has been collected for. The storage period may be extended where your Personal Data is still needed in order to satisfying any legal, accounting, or reporting requirements, and, where required for Pluxee to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. If you want to learn more about our specific retention periods for your Personal Data, you may contact our Group Data Protection Officer at dpo@pluxeegroup.com
Upon expiry of the applicable retention period, we will securely destroy your Personal Data in accordance with applicable laws and regulations.
Who may have access to your Personal Data?
We share your Personal Data, in the following circumstances:
-
with the Pluxee International’s teams for the purposes described in the applicable policies;
-
with entities working with Pluxee International under the same brand “Pluxee" (generally referred to as the “Pluxee Group entities” or the “Pluxee entities”);
-
with third parties including certain service providers we have retained in connection with the purposes described in this policy and the services we provide;
-
with companies providing services for money laundering and terrorist financing checks and other fraud and crime prevention purposes and companies providing similar services, including financial institutions and regulatory bodies with whom such Personal Data is shared;
-
with judicial authorities, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;
-
with service providers who we engage within or outside of Pluxee, domestically or abroad, e.g. shared service centres, to process Personal Data for any of the purposes listed above on our behalf and in accordance with our instructions only;
-
if we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.
Will your Personal Data be transferred outside the EU/ EEA?
European data protection law does not allow the transfer of Personal Data to third countries outside the European Economic Area (‘EEA’) that do not ensure an adequate level of data protection. Some of the third countries in which Pluxee operates outside EEA do not provide the same level of data protection as the country in which you reside and are not recognized by the European Commission as providing an adequate level of protection for individuals’ data privacy rights.
For transfers of your Personal Data to such countries, either to entities within or outside Pluxee Group, Pluxee International and the Pluxee entities have put in place an adequate safeguard to protect your Personal Data. You will be provided with more information about any transfer of your Personal Data outside of Europe at the time of the collection of your Personal Data through appropriate privacy policies or notices.
For further information, including obtaining a copy of the documents used to protect your information, please contact our Group Data Protection Officer at dpo@pluxeegroup.com.
What are your rights in connection with your Personal Data and how can you exercise those rights?
Pluxee International and the Pluxee entities are committed to ensure the protection of your rights under the applicable data protection laws. You will find below a table summarizing your different rights:
Rights | Description of your rights |
Right of access and rectification | You can obtain all the information listed under Art. 15 GDPR and/ or request a copy of the Personal Data we hold about you. You may also request rectification of inaccurate Personal Data, or to have incomplete Personal Data completed. |
Right to erasure |
Your right to be forgotten entitles you to request the erasure of your Personal Data in cases where:
|
Right to restriction of processing |
You may request that processing of your Personal Data be restricted in the cases where:
|
Right to data portability |
You can request, where applicable, the portability of your Personal Data that you have provided to us, in a structured, commonly used, and machine-readable format and you have the right to transmit this data to another Controller without hindrance from us where:
You can also request that your Personal Data be transmitted to a third party of your choice (where technically feasible). |
Right to object to processing | You may object (i.e., exercise your right to “opt-out”) to the processing of your Personal Data particularly in relation to profiling or to marketing communications. When we process your Personal Data on the basis of your consent, you can withdraw your consent at any time. |
Right not to be subject to automated decisions | You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal affect upon you or significantly affects you. |
Right to lodge a complaint | You can choose to lodge a complaint with the Data Protection Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. You have also the right to lodge your complaint before the courts where the Pluxee entity has an establishment or where you have your habitual residence. |
Right to withdraw consent | In the circumstances where you may have provided your specific consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. When you provide your consent, you will ordinarily be provided with the method to withdraw it. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. |
Right to define post-mortem directives |
In accordance with the French Data Protection Act, you have the possibility to define directives relating to the conservation, deletion, and communication of your Personal data after your death. These directives can be registered with a trusted digital third party, certified by the CNIL and responsible for enforcing your wishes in accordance with the requirements of the applicable regulations on the protection of Personal Data. |
To exercise these rights, you can:
-
Use the online Request webform: This electronic system allows you to log in and see the progress of your request, see and send messages and review your documents securely. This system is provided by One Trust and after making the request you will be sent details about how to log on.
-
You can also raise queries or complaints with the Group Data Protection Officer, by email to dpo@pluxeegroup.com or by post to 16, rue du Passeur de Boulogne, 92130 Issy-les-Moulineaux, France.
No fee usually required
You will not have to pay a fee to access your Personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
Additional privacy rights under applicable local data protection laws
You may have additional privacy rights under the applicable data protection laws in the country where the Pluxee entity providing you the services operates. For further information these additional privacy rights, if any, and on how to enforce them, please refer to your local Data Protection Statement and/or local privacy policies or notices.
For more details, please consult the Global Data Protection Rights management Policy[PGDPO2].
Will we have to modify this statement?
We may update this Statement from time to time as our business changes or legal requirements change. If we make any significant changes to this Statement, we will post a notice on our website when the changes go into effect, and where appropriate, send a direct communication to you about the change.
How to contact us?
If you have questions, comments, and requests regarding this Statement you can send them to the Group Data Protection Officer at dpo@pluxeegroup.com