Personal Data Protection Policy – Candidates for Recruitment


This personal data protection policy is designed to provide you with completely transparent information about how we process your personal data collected on our recruitment site “careers.societegenerale.com” and, more generally, as part of the assessment of your application for positions offered by the Societe Generale group.
We ensure that the information you provide to us or that we collect through various channels (our recruitment site, our correspondence, conversations and interviews with our employees and particularly our recruitment consultants) are only used for the purposes indicated in this policy.
This policy complies with European personal data protection regulations and particularly the General Data Protection Regulation (GDPR) of 27 April 2016, which came into force in the European Union on 25 May 2018.

Who is concerned by this personal data protection policy ?


This policy is intended for candidates who apply for one or more jobs offered by the Societe Generale group, either directly via our recruitment site careers.societegenerale.com or at trade fairs and forums, by letter, email, via recruitment firms, through employees (as part of co-optation), job sites or social networks (such as LinkedIn) or any other useful means of finding candidates.
In the event that we need to ask for a reference, this will be carried out within the applicable regulatory framework (with the candidate’s prior agreement). This policy therefore also applies to candidate's referees, whose personal data may be collected during verification.
Unless otherwise stated, we refer collectively to the groups of people referred to above as “you”.

What do we mean by... ?


« Collect » refers to the collection of personal data.
« Recipient » is the natural person, legal entity or organisation that receives the personal data, whether or not a third party as defined in the paragraph “Who is likely to receive the data?”.
« Personal data » refers to any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
« Societe Generale entity » means any entity over which the group has control.
« Group or Societe Generale » refers to all companies in the group and/or any company which the group controls.
« Data subject » : is the natural person whose data is processed, i.e. within the framework of this policy: visitors to our recruitment sites, candidates (whether or not they have created an account on our recruitment sites) and referees.
« Controller » is the natural person, legal entity or organisation which, alone or jointly, determines the objectives and methods for processing personal data.
« Processing » :means any operation, or collection of operations applied to personal data, regardless of the process used (e.g. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limitation, deletion or destruction, etc.).
« Processor » :is the natural person, legal entity or organisation that processes personal data on behalf of a Controller.

What personal data do we collect ?


Via our recruitment site
When browsing our recruitment site careers.societegenerale.com and creating your candidate profile, we may collect personal data about you, in our capacity as controller.
This data has been collected directly from you or has been sent to us – if you have provided your consent – by third parties such as recruitment agencies, job boards for Societe Generale employees or professional social networks (LinkedIn, etc.). In this case, it is specified that we are not responsible for the processing of your personal data by those third parties (with whom you have an independent relationship), Societe Generale acting solely as recipient in this respect.

During consideration of your application
We may need to process various types of personal data, including :

  • • identification data (e.g. first name, last name and contact details, etc.);
  • personal data (e.g. personal information included in your CV)
  • data relating to working life and specifically the information contained in your CV (e.g. education, diplomas, career, skills and qualifications, etc.);
  • declarative data (e.g. information provided during recruitment interviews by you or third party sources if they are relevant to the processing of your application);
  • information from your responses to the different tools used during the recruitment process (e.g. personality tests or inventories);
  • data collected using innovative solutions (video interviews to short-list candidates); technical data (e.g. login data used by you to access our website);
  • data relating to your profile (e.g. your username and password);
  • data from video surveillance devices and devices used to record electronic communications, in accordance with applicable rules (e.g. security surveillance cameras on our premises);
  • data made public at your initiative (e.g. profiles from professional social networks).

These data may be provided directly by you or collected from third parties.

Limits of data collection
During this collection, we undertake to only ask you for personal data strictly necessary for the purpose of the processing in question (minimisation principle).

Accuracy of your personal data
It is your responsibility to ensure the accuracy, completeness and updating of the data you send us. The transmission of any inaccurate, false or incomplete data may disqualify you from the position or result in the termination of any employment contract between you and a Societe Generale entity. We invite you to inform us in the event of any changes to your personal data during our collaboration.

Sensitive data
We do not collect sensitive personal data (e.g. about race or ethnicity, religious beliefs, physical or mental health or sexual orientation) as part of our recruitment process or recruitment activities.

However, we may collect sensitive data about you if you voluntarily provide us with such data or if we are required to collect such data because of the legal, regulatory or contractual requirements incumbent upon us and specifically under an agreement or commitment made to regulators or agreed in the context of any kind of litigation.

For what purposes do we collect or use your personal data ?


Via our recruitment site
The collected data is for use within the framework of our recruitment process and its optimisation, enabling us in particular to extract the information directly from your CVs or to propose positions within the group that may be appropriate for you.
It is also used to keep you informed of job advertisements, events, actions or publications likely to be of interest to you.

During consideration of your application
The personal data collected can be used for the purposes of management of your candidate account and the processing of your application, including:

  • identification data (e.g. first name, last name and contact details, etc.);
  • personal data (e.g. personal information included in your CV)
  • data relating to working life and specifically the information contained in your CV (e.g. education, diplomas, career, skills and qualifications, etc.);
  • declarative data (e.g. information provided during recruitment interviews by you or third party sources if they are relevant to the processing of your application);
  • information from your responses to the different tools used during the recruitment process (e.g. personality tests or inventories);
  • data collected using innovative solutions (video interviews to short-list candidates); technical data (e.g. login data used by you to access our website);
  • data relating to your profile (e.g. your username and password);
  • data from video surveillance devices and devices used to record electronic communications, in accordance with applicable rules (e.g. security surveillance cameras on our premises);
  • data made public at your initiative (e.g. profiles from professional social networks).

On what basis do we process your personal data?


For our recruitment site The data collected are processed with your consent, unless otherwise required by legal or regulatory requirements.
The data strictly necessary for examining your application are identified by an asterisk or other equivalent symbol. For data not identified by an asterisk, failure to respond will not impact the handling of your application.

During consideration of your application
Your personal data is processed with your consent. By submitting your application, you consent to the processing of your personal data in accordance with the purposes of this policy. In very exceptional cases, some processing relating to the recruitment process may be required in order to comply with our legal, regulatory or sectoral obligations or be justified by our legitimate interest and therefore not require your prior consent.
Refusal or withdrawal of your consent to the processing of all or part of your personal data may have consequences on the processing of your application by preventing it from being considered fairly compared with other applications. Such withdrawal may therefore constitute abandonment of your application.

Who is likely to receive your data?


We ensure that only authorised persons have access to personal data.
Recipients may include:

Group departments or entities
All personal data you send us in the context of an application is communicated to the Societe Generale entity that published the job offer.
Where necessary, we may communicate some of your personal data to the various departments concerned (recruitment consultants, HR managers and assistants, etc.) and to managers within Group entities for organisational, operational or management reasons or to meet our legal, regulatory or contractual obligations.

Third parties
In the course of our business, third parties (e.g. our subcontractors, service providers, external recruitment consultants, etc.) may be recipients or have access to some of your personal data.
In that case, we ensure that the transfers or exchanges are necessary and are carried out within the limit of these purposes, while providing all the appropriate data protection safeguards.
Exceptionally and in compliance with applicable regulations, some of your personal data may also be sent to third parties in France or abroad for the purpose of establishing, safeguarding or defending a right in court, in the context of administrative or criminal investigations by one or more regulators, compliance with commitments made to them or in the context of legal disputes of any kind.
Some of your personal data may particularly be sent not only to regulators or judicial authorities but also to Societe Generale's advisors and those of the other parties to the proceedings, as well as to those parties themselves. In that case, Societe Generale ensures that data transferred or exchanged are relevant and necessary for the purposes referred to above.

Is your personal data communicated or accessible from a country outside the European Union ?


Is your personal data communicated or accessible from a country outside the European Union? In view of the international structure and activities of our group, personal data may, in accordance with the specified purposes of the processing, be transferred to group entities, service providers, subcontractors or partners located in a European Union country or a country outside the European Union.

To fulfil the purposes mentioned above, we may be required to disclose the information collected to people in charge of recruitment and related services, to the group’s legal entities, to its partners and to its subcontractors and providers established inside or outside the European Union (EU). These parties may therefore need to contact you directly, using the contact details that you have provided to us, in order to offer you positions within our group corresponding to your profile.

Personal information or data may potentially be transferred to non-EU countries and be subject to different laws or regulations from those applicable in the European Union.

Rules ensuring the protection and security of this information have been put in place in the event of any future transfer to a country outside the EU. In particular, we have put in place legal protections to secure this type of transfer (standard contractual clauses with our service providers and partners and binding corporate rules (BCRs) between group entities).

How long are your data kept ?


Your personal data will be kept for the period necessary to complete the recruitment process.

Unless you request otherwise, your personal data will be kept in order to study the possibility of offering you other positions that may correspond to your profile for a maximum of two (2) years from your last contact with Societe Generale (your last log-in to your Candidate Space on the website careers.societegenerale.com).

The results of any tests you are asked to take during the recruitment process are processed separately and will be kept for 12 months after completion.

How do we ensure the security and confidentiality of your personal data ?


We take all appropriate security measures to ensure the security and confidentiality of your personal data, in particular with a view to protecting them from any loss, accidental destruction, alteration or unauthorised access. Security is essential to our activities. When we use subcontractors or service providers, we select them based on the quality and safety criteria they are able to offer. We therefore impose confidentiality rules on our subcontractors and our service providers that are at least equivalent to our own. Measures are implemented to control access to processing and secure the communication of personal data. We favour the use of techniques that render your data anonymous as soon as possible or necessary.

What are the main principles of the GDPR?


In accordance with the main principles set out in the GDPR, we take all necessary measures to ensure that your personal data are:

  • processed lawfully, fairly and transparently;
  • collected for specified, explicit and legitimate purposes;
  • adequate and relevant to the purpose of the processing;
  • kept in accordance with the defined retention periods;
  • processed in a way that ensures appropriate security.

We implement the necessary measures to respect the protection of personal data, both from the design stage, for example of a service or an application, and during their usage period. When necessary, we also carry out impact assessments on protection of the personal data in question.

How can you exercise your rights ?


As part of the processing of personal data, you enjoy a number of rights provided by the GDPR. Within the limits and conditions permitted by that regulation, where applicable you can therefore:

  • request access to your personal data (right of access);
  • correct, update and erase your personal data (right of rectification and erasure), it being specified that erasure can only occur when the personal data are no longer necessary for the purposes for which they were collected or processed and of the processing was based on consent;
  • oppose the processing of your personal data on legitimate grounds;
  • request a limitation on the processing of your personal data (right to limitation);
  • file a complaint with a supervisory authority;
  • receive or request the transfer of your personal data that you have provided to the group (right to portability).

Exclusively in France, you have the option of appointing a person to whom Societe Generale can send instructions relating to the retention, deletion and communication of your personal data after your death.

Exercise of these rights is subject to a number of conditions specified in the applicable regulations and must be exercised in accordance with them.

Regarding access to your data and their correction, you may, at any time within 12 months after your last log-in, access your Candidate Space on our website careers.societegenerale.com to consult and update them as applicable.

For any other request relating to the processing of your personal data, you can use the contact form available on our recruitment site, selecting the message subject “GDPR”.

You may also send your questions directly to our “Data Privacy” correspondents by writing to the following address:

Cookies and other trackers


For statistical purposes, indirectly nominative data may also be used to manage your connection and browsing. This enables us to better understand your behaviour on the site and thereby optimise your browsing experience (for more information about the cookies used see: Our cookie policy

Possibility of appeal


The supervisory authority in France is CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07 - www.cnil.fr. For other countries (Societe Generale group entities using the careers.societegenerale.com website for the processing of applications), you will find a list of supervisory authorities in the appendix.

Finally... for further information


The contact details of Societe Generale’s Data Protection Officer (DPO) are sg-protection.donnees@socgen.com.

This policy may be updated or amended. Therefore, we invite you to regularly visit our recruitment sites (and more specifically the site careers.societegenerale.com).

Depending on your country of residence, specific local requirements may be applied by Group entities, particularly to adapt to regulatory requirements. These will be specified to you on a case-by-case basis by the recruitment advisers in the entities concerned.

Appendix – Supervisory authorities


Australia

https://www.oaic.gov.au/

Belgium

https://www.autoriteprotectiondonnees.be/

Canada

https://www.priv.gc.ca/index_f.asp

China

http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021

Czech Republic

http://www.uoou.cz

France

https://www.cnil.fr

Germany

https://www.bfdi.bund.de/

Hong-Kong

http://www.pcpd.org.hk/

India

http://mit.gov.in/

Italy

http://www.garanteprivacy.it/

Japan

http://www.ppc.go.jp/en/

Luxembourg

http://www.cnpd.lu/

Marocco

http://www.cndp.ma/

Monaco

http://www.ccin.mc

Poland

https://uodo.gov.pl/

Portugal

https://www.cnpd.pt/

Roumania

http://www.dataprotection.ro

Serbia

https://www.poverenik.rs/en

South Korea

http://www.pipc.go.kr/cmt/main/english.do

Spain

http://www.agpd.es

Switzerland

http://www.leprepose.ch

United-Kingdom

https://ico.org.uk/

United-States

https://www.privacyshield.gov/