GDPR Information Notice (Article 13) – Employees

1. Data collected

Identity and contact details; administrative and banking information; tax and social security data; working time and work organization; career-related information; IT logs; data received from third parties (social security bodies, insurance companies, authorities).

Health data may be processed exclusively by the occupational health service (fitness for work, preventive actions).

No biometric data are collected.

2. Purposes and legal bases

Processing is carried out for the following purposes:

  • personnel and payroll management;

  • administration of employee benefits;

  • training;

  • information systems security;

  • reporting and management control;

  • defence of the company’s interests in legal proceedings;

  • prevention and monitoring of occupational health.

The applicable legal bases are:

  • performance of the employment contract (Article 6(1)(b));

  • compliance with legal obligations (Article 6(1)(c));

  • the employer’s legitimate interest (Article 6(1)(f)), following an assessment of the situation;

  • consent, where required (e.g. optional schemes).

Health data are processed in accordance with Article 9(2)(h) of the GDPR, within the framework of occupational medicine.

3. Recipients / access

Internally, the data are accessible to authorized departments (human resources, management, Works Council, on a need-to-know basis).

Externally, the data may be disclosed to service providers (HRIS, payroll, IT), the occupational health service, social security and tax authorities, insurance companies, banks, and public authorities where required by law.

4. Transfers outside the European Union

The data are not transferred outside the European Union.

5. Data retention periods

Data are retained for periods proportionate to the purposes pursued, in accordance with the legal obligations applicable to employment records.
They may be retained for up to six years in the context of pre-litigation and litigation management.

6. Mandatory nature of data and consequences

Certain data are necessary for the performance of the employment contract and/or required by law (payroll, social security and tax declarations).
Failure to provide such data may prevent the performance of the employment contract and the employer’s compliance with its legal obligations.

7. Automated decision-making

No automated decision-making producing legal or similarly significant effects is implemented, except for standard HR tools that do not rely on high-impact profiling.

8. Your GDPR rights and how to exercise them

You have the following rights:

  • right of access to your data (Article 15);

  • right to rectification (Article 16);

  • right to erasure (Article 17);

  • right to restriction of processing (Article 18);

  • right to object (Article 21), including to direct marketing;

  • right to data portability (Article 20, where applicable);

  • right to withdraw your consent at any time (without retroactive effect).

To exercise your rights, you may contact the Data Protection Officer (DPO) or the data controller.
The response time is one month and may be extended by two months in the event of a complex request.