The Crédit Agricole Group (the “Group”) is committed to compliance with regulations relating to the protection of personal data, in particular with regard to candidates[1] for a position within the Group.

In the context of changes in personal data protection regulations with the entry into force of the General Data Protection Regulation on 25 May 2018[2] (the “GDPR”), the Group wished to formalise this Crédit Agricole Group Personal Data Protection Charter applied to recruitment (the “Charter”).

The purpose of the Charter is to inform applicants of the processing of their personal data within the Group, the main protection principles applicable to such processing and the manner in which the Group complies with regulatory requirements.

[1] The term “candidate” refers to any person outside the Group who contacts a Group entity or is contacted by a Group entity with a view to applying for any position within a Group entity, for an employment contract or any other type of similar contract, including an apprenticeship or professional training contract, as well as for an internship.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC

The following definitions are used in the Charter:

1. Personal data: any information relating to an identified or identifiable candidate. For example, personal data can be candidates’ contact details resume or cover letter;

2. Processing: any operation (or set of operations) carried out on personal data, including, for example, its collection, organisation, storage, alteration, use, transmission, dissemination or erasure;

3. Purpose: the reason for processing personal data. The purposes of personal data processing in the context of this Charter are stated in paragraph 3 below;

4. Recipient: any natural or legal person, public authority, service or other organisation to which personal data is disclosed;

5. Controller: the entity that determines the purposes and means of the processing of personal data. With regard to the processing of candidates’ personal data, the controller is the entity of the Group that seeks to recruit;

6. Processor: any entity other than the controller that processes personal data on behalf of and on the instructions of the controller. A Group entity may therefore be the processor of another Group entity. Thus, companies providing IT or consultancy services to the controller, e.g., in the area of recruitment, or that are entrusted with services relating to human resources management on behalf of the controller, are considered controllers.

Candidates’ personal data is processed in accordance with the following personal data protection principles:

1. Lawfulness, fairness and transparency of processing: candidates’ personal data shall always be collected and processed on the basis of a specific justification (the “legal basis”). No processing contrary to the principles of this Charter and the GDPR may be done. Moreover, clear, transparent and complete information shall be provided to candidates on the processing operations carried out on their personal data;

2. Limitation of purpose: candidates’ personal data shall always be collected and processed for specific purposes determined from the outset;

3. Data minimisation: the personal data of candidates that is collected shall be limited to what is necessary in relation to the purposes for which it is processed. No personal data superfluous to the processing carried out may be collected or used;

4. Accuracy: the personal data of candidates shall be accurate and updated regularly. All reasonable steps shall be taken to ensure that any inaccurate personal data is rectified or erased;

5. Storage limitation: candidates’ personal data shall not be stored longer than is necessary for the purposes for which it was collected;

6. Security: candidates’ personal data shall be stored and processed in a way that ensures its security and confidentiality.

The controller processes candidates’ personal data in order to:

1. Manage candidatures, set up the job interview and selection processes, in particular in compliance with obligations in terms of the fight against financial crime (screening of pre-selected candidates against the International Sanctions lists), manage recommendations and references, manage the candidate pool and pre-recruitment, and to draw up the promises of employment and contracts.

These processing operations are based on the execution of pre-contractual measures or the legitimate interest of the controller.

A candidate’s consent to the use of his or her personal data must always be free, specific, informed and unambiguous (which generally takes the form of consent provided in writing). Candidates may decide to withdraw their consent for these purposes at any time. However, such withdrawal has no consequences on the validity of processing operations already carried out with the candidates’ consent.

2. To manage access to the premises and any video-surveillance devices on the premises.

These processing operations are justified by the legitimate interest of ensuring the security of goods and individuals (in real time and afterwards). In this case, candidates may object to the processing of their personal data for reasons relating to their specific circumstances (unless the data controller can show that there are legitimate and compelling reasons for the processing that override the interests and rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims).

The processing of personal data communicated by candidates is not based on profiling.

Ces traitements sont justifiés par l’intérêt légitime qui consiste à assurer la sécurité des biens et des personnes (en temps réel et a posteriori). Dans ce cas, le candidat a la possibilité de s’opposer au traitement de ses données pour des raisons tenant à sa situation particulière (sauf à ce que le responsable du traitement ne prouve qu’il existe des motifs légitimes et impérieux pour le traitement qui prévalent sur les intérêts et les droits et libertés de la personne concernée, ou pour la constatation, l’exercice ou la défense de droits en justice).

Les traitements des données personnelles communiquées par les candidats ne sont pas basés sur du profilage.

Certain personal data may be necessary for the review of applications by the Group. Candidates will be informed of this at the time of collection by an asterisk or equivalent means.

If this data is not provided, the Data Controller will not be able to process the application.

For the purposes of the processing described above, candidates’ personal data may in certain cases be disclosed to the following recipients:

• Group entities;
• IT subcontractors, editors of recruitment tests or subcontractors in charge of managing access to the premises and any video surveillance systems;
• Recruitment agencies;
• Teams in charge of the fight against financial crime.

The Group’s entities use subcontractors that provide sufficient guarantees that the processing complies with the principles of the GDPR and that the confidentiality and security of personal data is ensured.

If a recipient of personal data is located in a country outside the European Union, the recipient must be subject to compliance with local legislation ensuring an adequate level of protection or with guarantees enabling this level of protection to be ensured.

These guarantees may be standard contractual clauses for the protection of personal data adopted by the European Commission which are effective in the importing country (i.e. a transfer contract between the controller and a recipient specifying the obligations of the controller and the recipient in the event of a transfer of personal data outside the European Union).

The solutions used to store and process candidates’ personal data meet the security requirements issued by the Group’s Information Systems division and are subject to rigorous validation and audit procedures.

To ensure the security and confidentiality of the personal data of candidates, the Group has implemented technical and organisational measures, notably:

• Controlling access to and authorisation of the IT equipment used to process the personal data of candidates;
• Measures to secure the technical infrastructure (workstation, network, server) and data (back-up, business continuity plan);
• Limitation of the persons authorised to process the personal data according to the purposes and the means provided for each processing operation;
• Strict confidentiality requirements imposed on subcontractors;
• Procedures have been put in place in order to react promptly in the event of a security incident involving the personal data of candidates.

The candidate’s personal data relating to processing operations for the management of applications referred to under 1. of paragraph 3 is stored under the following conditions:

When the candidate is not hired:

• Stored in the active database for eighteen (18) months from the last use of the internal recruitment tool by the candidate;
• At the end of the eighteen (18) months, the data is destroyed.The candidate may delete their account at any time during the application. The “Delete my account” button enables the automatic and definitive deletion of the candidate’s account and all applications

Personal data collected for the management of access to the premises is stored for a period of three (3) months. Personal data collected for the management of any video surveillance systems is stored for a period of thirty (30) days.
For the entire duration of the retention of this personal data, access to the personal data of candidates is limited to only those persons who need to access it and who have the relevant authorisation, according to the purposes of the intended processing.

At the end of this period, the candidates’ personal data will be definitively deleted or irreversibly anonymised.

All candidates may exercise the following rights at any time:

1. Right of access: candidates may obtain information on the nature, origin and use of personal data concerning them. If their personal data is transmitted to third parties, candidates may also obtain information concerning the identity or categories of recipients;

2. Right of rectification: candidates may request that inaccurate or incomplete personal data be rectified or completed;

3. Right to erasure: candidates may request the erasure of their personal data, in particular if the personal data is no longer necessary for the processing operations carried out. The controller shall proceed to delete Personal Data as soon as possible, except in cases provided for by the regulations;

4. Right to restriction of processing: candidates may request that their personal data be temporarily made inaccessible in order to limit their future processing in the situations provided for by the GDPR;

5. Right to object: candidates may object to certain processing of their personal data for reasons relating to their particular situation, unless there are legitimate and compelling reasons for the processing which prevail over the interests, rights and freedoms of the candidate or for the establishment, exercise or defence of legal claims;

6. Right to portability: candidates may request to receive the personal data they have provided to the Data Controller, in a structured, commonly used and machine-readable format This right to portability can only be exercised when the processing of personal data is carried out with the candidate’s consent.

The controller undertakes to ensure that the review of an application to exercise a right submitted by a candidate is carried out within the time limits laid down in the GDPR.

To obtain the contact details of the Data Protection Officer (“DPO”), to obtain a copy of the appropriate guarantees mentioned in paragraph 5, and to exercise the rights mentioned in paragraph 8, candidates may contact the Human Resources Department at the following address: [email protected], or the Human Resources Department of the Regional Bank at the address shown on its career website.

Candidates may also address a complaint to the relevant French regulatory authority, Commission Nationale de l’Informatique et des Libertés (CNIL), the head office of which is located at 3 Place de Fontenoy – 75007 Paris, France, in the event that they consider that any personal data processing does not comply with the personal data protection regulation.

The Charter is applicable as from 25 May 2018.

The Charter is published on the Group’s career website at the following address: https://www.groupecreditagricole.jobs/Charte-Candidats. It may be updated, in particular in the event of regulatory or processing changes.

The Charter was revised on 19 October 2023.