PERSONAL DATA PROTECTION POLICY
– CANDIDATES FOR RECRUITMENT

This personal data protection policy is designed to provide you with completely transparent information about how Societe Generale process your personal data collected on our recruitment site “careers.societegenerale.com” and, more generally, as part of the assessment of your application for positions offered by Societe Generale or Societe Generale entity.
We ensure that the information you provide to us or that we collect through various channels (our recruitment site, our correspondence, conversations and interviews with our employees and particularly our recruitment consultants) are only used for the purposes indicated in this policy.
This policy complies with European personal data protection regulations and particularly the General Data Protection Regulation (GDPR) of 27 April 2016, which came into force in the European Union on 25 May 2018.

WHO IS CONCERNED BY THIS
PERSONAL DATA PROTECTION
POLICY?

This policy is intended for candidates who apply for one or more jobs offered by the Societe Generale group, either directly via our recruitment site careers.societegenerale.com or at trade fairs and forums, by letter, email, via recruitment firms, through employees (as part of co-optation), job sites or social networks (such as LinkedIn) or any other useful means of finding candidates.
In the event that we need to ask for a reference, this will be carried out within the applicable regulatory framework (with the candidate’s prior agreement). This policy therefore also applies to candidate's referees, whose personal data may be collected during verification.
Unless otherwise stated, we refer collectively to the groups of people referred to above as “you”.

WHAT DO WE MEAN BY...?

« Collect » refers to the collection of personal data.
« Recipient » is the natural person, legal entity or organisation that receives the personal data, whether or not a third party as defined in the paragraph “Who is likely to receive the data?”.
« Personal data » refers to any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
« Societe Generale » means the legal entity registered with the Paris Trade and Companies Register under the unique identification number 552 120 222
« Societe Generale entity » means any entity over which the group has control.
« Data subject » : is the natural person whose data is processed, i.e. within the framework of this policy: visitors to our recruitment sites, candidates (whether or not they have created an account on our recruitment sites) and referees.
« Controller » is the natural person, legal entity or organisation which, alone or jointly, determines the objectives and methods for processing personal data.
« Processing » :means any operation, or collection of operations applied to personal data, regardless of the process used (e.g. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limitation, deletion or destruction, etc.).
« Processor » :is the natural person, legal entity or organisation that processes personal data on behalf of a Controller.

WHAT PERSONAL DATA DO WE
COLLECT?

Via our recruitment site
When browsing our recruitment site careers.societegenerale.com and creating your candidate profile, we may collect personal data about you, in our capacity as controller.
This data has been collected directly from you or has been sent to us – if you have provided your consent – by third parties such as recruitment agencies, job boards for Societe Generale employees or professional social networks (LinkedIn, etc.). In this case, it is specified that we are not responsible for the processing of your personal data by those third parties (with whom you have an independent relationship), Societe Generale acting solely as recipient in this respect.

During consideration of your application
We may need to process various types of personal data, including :

  • identification data (e.g. first name, last name and contact details, etc.) ;
  • personal data (e.g. personal information included in your CV) ;
  • data relating to working life and specifically the information contained in your CV (e.g. education, diplomas, career, skills and qualifications, etc.) ;
  • declarative data (e.g. information provided during recruitment interviews by you or third party sources if they are relevant to the processing of your application) ;
  • information from your responses to the different tools used during the recruitment process (e.g. personality tests or inventories) ;
  • data collected using innovative solutions (for example video interviews to short-list candidates); technical data (e.g. login data used by you to access our website) ;
  • data relating to your profile (e.g. your username and password) ;
  • data from video surveillance devices and devices used to record electronic communications, in accordance with applicable rules (e.g. security surveillance cameras on our premises);
  • data made public at your initiative (e.g. profiles from professional social networks).

These data may be provided directly by you or collected from third parties.

During consideration of the hiring process if your application is successful
When your application is accepted, we collect information in order to prepare the establishment of your employment contract and your hiring:

  • the data needed to finalize your employment contract (for example, a copy of your national identity card, a copy of your diplomas, a copy of your social security card, etc.);
  • the data necessary for the declaration of your employment dedicated to public and social administrations;
  • data necessary to comply with legal, regulatory or compliance obligations to which we may be subject to.

  • Limits of data collection
    During this collection, we undertake to only ask you for personal data strictly necessary for the purpose of the processing in question (minimisation principle).

    Accuracy of your personal data
    It is your responsibility to ensure the accuracy, completeness and updating of the data you send us. The transmission of any inaccurate, false or incomplete data may disqualify you from the position or result in the termination of any employment contract between you and a Societe Generale entity. We invite you to inform us in the event of any changes to your personal data during our collaboration.

    Sensitive data
    Based on the jurisdiction where you are applying for a role, we may be required to collect such data because of the legal, regulatory, or contractual requirements incumbent upon us and specifically under an agreement or commitment made to regulators or agreed in the context of any kind of litigation.

    However, we may collect sensitive data about you if you voluntarily provide us with this data or if we are required to collect this data due to legal, regulatory or contractual requirements and more particularly pursuant to an agreement or commitment made with regulators, or as part of litigation of any kind.

    HOW DOES THE SOLUTION FOR THE
    ANALYSIS OF YOUR CV BY OUR
    PARTNER CV CATCHER WORK?

    CV Catcher, a solution published by Jobijoba (a public limited company with share capital of €112,903, entered in the Bordeaux Trade and Companies Register under number 499 570 604 and whose head office is located at 198 avenue Haut Levêque, 33600 Pessac), facilitates your search for jobs and the submission of your application on our recruitment site. The data contained in your Curriculum Vitae are collected to assess your profile, skills and experience in order to provide you with current vacancies adapted to your profile.

    General operating principles
    After uploading your CV, your profile is then analysed using a matching algorithm and the online jobs that match your profile are then suggested to you. CV Catcher’s technical solution is based on a combination of semantic analysis algorithms and machine learning to detect the key elements of an applicant’s profile, regardless of the CV’s layout, the vocabulary and language used. The information collected is then compared with Societe Generale’s recruitment open roles in order to automate the matching with available jobs.

    Data storage
    CV Catcher, in its capacity as data controller, keeps the personal data only for the time of analysis and transfer to the recruiter’s information system.

    The applicant’s acceptance for the use of the CV Catcher solution:
    In order to use the CV Catcher solution, the applicant must acknowledge having read and accepted the general terms and conditions of use. You accept by ticking the checkbox provided for this purpose before uploading the CV. This checkbox contains a link to the aforementioned legal notices. Please note that the CV Catcher solution can be used only after having read the documents and having accepted them. Failing this, the applicant will always be able to continue his search for current vacancies.

    FOR WHAT PURPOSES DO WE
    COLLECT OR USE YOUR PERSONAL
    DATA?

    From our recruitment site
    The data collected is intended to be used as part of our recruitment operations and their optimization, in particular by allowing information to be extracted directly from your CVs or to offer you positions likely to suit you within the Group.
    They also allow us to keep you informed of job offers, events, actions or publications likely to arouse your interest.

    As part of the review process for your application
    The personal data collected may be used for purposes related to the management of your candidate account and the processing of your application, including:
    • contacting you by phone or e-mail in addition to reviewing your CV;
    • the organization of tests and possible interviews if your application holds our interest;
    • sending job alerts, the provision of innovative solutions;
    • contacting us in the event of future employment opportunities other than the specific position for which you contacted us;
    • the management of your requests for information;
    • the monitoring of diversity and non-discrimination;
    • the management and organization of compliance with the Group's legal, regulatory, contractual or compliance obligations;
    • the management of any appeals or complaints.
    During consideration of hiring process
    The personal datas collected are necessary for:
  • the establishment of your employment contract;
  • the preparation of your arrival at our premises;
  • The respect of our legal, regulatory and compliance obligations or commitments subscribed by the Group.
  • ON WHAT BASIS DO WE PROCESS
    YOUR PERSONAL DATA?

    For our recruitment site 
    The data collected are processed on the basis, following different aspects, of:

  • the implementation of pre-contractual treatment (such as the processing of applications and the management of recruitment interviews);
  • our legitimate interest;
  • and in specific cases on your consent.

  • The data strictly necessary for examining your application are identified by an asterisk or other equivalent symbol. For data not identified by an asterisk, failure to respond will not impact the handling of your application.

    During consideration of your application and your hiring process
    The treatment of your personal data is based on the execution of pre-contractual or contractual measures.
    Some processing relating to the recruitment process may be justified by our legitimate interest or by our duties to comply with our legal, regulatory or sectoral obligations. In very exceptional cases, some treatments may require your prior consent.

    WHO IS LIKELY TO RECEIVE YOUR
    DATA?

    We ensure that only authorised persons have access to personal data.
    Recipients may include:

    Group departments or entities
    All personal data you send us in the context of an application is communicated to the Societe Generale entity that published the job offer.
    Where necessary, we may communicate some of your personal data to the various departments concerned (recruitment consultants, HR managers and assistants, etc.) and to managers within Group entities for organisational, operational or management reasons or to meet our legal, regulatory or contractual obligations.

    Third parties
    In the course of our business, third parties (e.g. our subcontractors, service providers, external recruitment consultants, etc.) may be recipients or have access to some of your personal data.
    In that case, we ensure that the transfers or exchanges are necessary and are carried out within the limit of these purposes, while providing all the appropriate data protection safeguards.
    Exceptionally and in compliance with applicable regulations, some of your personal data may also be sent to third parties in France or abroad for the purpose of establishing, safeguarding or defending a right in court, in the context of administrative or criminal investigations by one or more regulators, compliance with commitments made to them or in the context of legal disputes of any kind.
    Some of your personal data may particularly be sent not only to regulators or judicial authorities but also to Societe Generale's advisors and those of the other parties to the proceedings, as well as to those parties themselves. In that case, Societe Generale ensures that data transferred or exchanged are relevant and necessary for the purposes referred to above.

    IS YOUR PERSONAL DATA
    COMMUNICATED OR ACCESSIBLE
    FROM A COUNTRY OUTSIDE THE
    EUROPEAN UNION?

    Is your personal data communicated or accessible from a country outside the European Union? In view of the international structure and activities of our group, personal data may, in accordance with the specified purposes of the processing, be transferred to group entities, service providers, subcontractors or partners located in a European Union country or a country outside the European Union.

    To fulfil the purposes mentioned above, we may be required to disclose the information collected to people in charge of recruitment and related services, to the group’s legal entities, to its partners and to its subcontractors and providers established inside or outside the European Union (EU). These parties may therefore need to contact you directly, using the contact details that you have provided to us, in order to offer you positions within our group corresponding to your profile.

    Personal information or data may potentially be transferred to non-EU countries and be subject to different laws or regulations from those applicable in the European Union.

    Rules ensuring the protection and security of this information have been put in place in the event of any future transfer to a country outside the EU. In particular, we have put in place legal protections to secure this type of transfer (standard contractual clauses with our service providers and partners binding corporate rules (BCRs) between group entities).

    HOW LONG ARE YOUR DATA KEPT?

    Your personal data will be kept for the period necessary to complete the recruitment process.

    Unless you request otherwise, your personal data will be kept in order to study the possibility of offering you other positions that may correspond to your profile for a maximum of two (2) years from your last contact with Societe Generale (your last log-in to your Candidate Space on the website careers.societegenerale.com).

    The results of any tests you are asked to take during the recruitment process are processed separately and will be kept for 12 months after completion.

    HOW DO WE ENSURE THE SECURITY
    AND CONFIDENTIALITY OF YOUR
    PERSONAL DATA?

    We take all appropriate security measures to ensure the security and confidentiality of your personal data, in particular with a view to protecting them from any loss, accidental destruction, alteration or unauthorised access. Security is essential to our activities. When we use subcontractors or service providers, we select them based on the quality and safety criteria they are able to offer. We therefore impose confidentiality rules on our subcontractors and our service providers that are at least equivalent to our own. Measures are implemented to control access to processing and secure the communication of personal data. We favour the use of techniques that render your data anonymous as soon as possible or necessary.

    WHAT ARE THE MAIN PRINCIPLES OF
    THE GDPR?

    In accordance with the main principles set out in the GDPR, we take all necessary measures to ensure that your personal data are:
     

    • processed lawfully, fairly and transparently;
    • collected for specified, explicit and legitimate purposes;
    • adequate and relevant to the purpose of the processing;
    • kept in accordance with the defined retention periods;
    • processed in a way that ensures appropriate security.

    We implement the necessary measures to respect the protection of personal data, both from the design stage, for example of a service or an application, and during their usage period. When necessary, we also carry out impact assessments on protection of the personal data in question.

    HOW CAN YOU EXERCISE YOUR
    RIGHTS?

    As part of the processing of personal data, you enjoy a number of rights provided by the GDPR. Within the limits and conditions permitted by that regulation, where applicable you can therefore:

    • request access to your personal data (right of access);
    • correct, update and erase your personal data (right of rectification and erasure), it being specified that erasure can only occur when the personal data are no longer necessary for the purposes for which they were collected or processed and of the processing was based on consent;
    • oppose the processing of your personal data on legitimate grounds;
    • request a limitation on the processing of your personal data (right to limitation);
    • file a complaint with a supervisory authority;
    • receive or request the transfer of your personal data that you have provided to the group (right to portability).

    Exclusively in France, you have the option of appointing a person to whom Societe Generale can send instructions relating to the retention, deletion and communication of your personal data after your death.

    Exercise of these rights is subject to a number of conditions specified in the applicable regulations and must be exercised in accordance with them.

    Regarding access to your data and their correction, you may, at any time within 12 months after your last log-in, access your Candidate Space on our website careers.societegenerale.com to consult and update them as applicable.

    For any other request relating to the processing of your personal data, you can use the contact form available on our recruitment site, selecting the message subject “GDPR”.

    You may also send your questions directly to our “Data Privacy” correspondents by writing to the following address:

    COOKIES AND OTHER TRACKERS

    For statistical purposes, indirectly nominative data may also be used to manage your connection and browsing. This enables us to better understand your behaviour on the site and thereby optimise your browsing experience (for more information about the cookies used see: Our cookie policy

    POSSIBILITY OF APPEAL

    The supervisory authority in France is CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07 - www.cnil.fr. For other countries (Societe Generale group entities using the careers.societegenerale.com website for the processing of applications), you will find a list of supervisory authorities in the appendix.

    FINALLY... FOR FURTHER
    INFORMATION

    The contact details of Societe Generale’s Data Protection Officer (DPO) are sg-protection.donnees@socgen.com.

    This policy may be updated or amended. Therefore, we invite you to regularly visit our recruitment sites (and more specifically the site careers.societegenerale.com).

    Depending on your country of residence, specific local requirements may be applied by Group entities, particularly to adapt to regulatory requirements. These will be specified to you on a case-by-case basis by the recruitment advisers in the entities concerned.