General Personal Data Protection Policy

This policy reflects the commitments made in the framework of everyday operations for responsible use of personal data.

Respect for fundamental rights and freedoms, notably privacy and protection of personal data, are particularly important values for the Groupama Group, of which Groupama Immobilier is a member.

Data Protection Officer (DPO)

In 2007, the Groupama Group appointed a Data Protection Delegate (Correspondant Informatique et Libertés - CIL) to preserve privacy and protect personal data. Now referred to as a Data Protection Officer (DPO), this individual is fully independent in the performance of his or her duties for all of the Group’s French companies.

The DPO provides a guarantee of confidence. As the personal data protection specialist, the DPO is responsible for ensuring that data protection guidelines are applied correctly. He or she is the dedicated contact for the French data protection authority (Commission Nationale de l’Informatique et des Libertés – CNIL) and all persons concerned by the collection or processing of personal data.

Principles Governing Protection of Personal Data

Companies of the Groupama Group process personal data in compliance with current laws and regulations, and specifically the General Data Protection Regulation (GDPR), the French Data Protection Act of January 6, 1978 (revised), and the guidelines issued by the CNIL.

Personal data governance policies have been implemented in the Group’s companies, and compliance with their provisions is monitored.
1. Specified, explicit and legitimate purpose for processing data

Personal data are collected for specific purposes that are disclosed to the concerned data subjects. These data shall not be used at a later date in any manner that is incompatible with these purposes.
These data are collected fairly. No data is collected without the data subject being aware and informed beforehand.

2. Proportion and relevance of collected data

The personal data collected are strictly necessary for the stated purpose. Companies of the Groupama Group undertake to minimize the amount of data collected and to maintain accurate, updated records by facilitating the exercise of the concerned data subjects’ rights.

3. Limited personal data retention period

Personal data are retained for a limited period that shall not exceed the amount of time needed to fulfill the stated purpose. Data subjects are informed of the personal data retention periods, which can vary depending on the data, processing purpose and legal or regulatory requirements.

4. Data Confidentiality/Security

Information System Security Policies (ISSPs) tailored to the type of data processed and the company’s activities have been put in place.
Appropriate physical, logical and organizational security measures have been implemented to ensure data confidentiality and, in particular, prevent any unauthorized access.

Companies of the Groupama Group also require that all contractors offer appropriate safeguards to ensure that personal data are kept secure and confidential.

Personal data may be transferred to countries within or outside the European Union. In the event of such transfers, the concerned data subjects shall be informed in detail and specific measures shall be taken to ensure the transfers are performed correctly.

5. Data subject rights

All necessary means are taken to guarantee the effectiveness of data subjects’ rights concerning their personal data. These include:

- Clear, comprehensive information on the types of data processing used. This information is easily accessible and understandable.
- Facilitated access to data. All data subjects have rights concerning their personal data that may be exercised at any time, free of charge.

Data subjects may access all their personal data and, in certain cases, request that the data be rectified (inaccurate or incomplete data) or deleted, or that their use be temporarily restricted. Data subjects also have a right to portability for data they supplied personally, provided that said data were supplied based on their explicit consent or for the performance of a contract.

These rights may be exercised online or by any other means in accordance with the procedures provided to data subjects. Data subject requests may also be directed to the DPO.

· Monitoring of the Personal Data Protection Policy

This policy, which is accessible on all websites of Groupama Group companies, is regularly updated to reflect changes in legislation and regulations, as well as any changes in the Groupama Group’s organization or its offerings, products and services.

This General Personal Data Protection Policy is supplemented by:

- Detailed information on the purposes of the data processing performed, as well as on the data recipients, retention periods and practical procedures for exercising data subjects’ rights. More
- Information on cookies. More
- When appropriate, general recommendations on data security rules for users/clients, notably as concerns usernames and passwords.

General Personal Data Protection Policy approved on March 23, 2017 by the shared DPO (updated in May 2018).

To contact the DPO for France, write to Groupama Assurances Mutuelles – Data Protection Officer – 8-10 rue d’Astorg, 75383 Paris or email contactdpo@groupama.com