1. Foreword – Who we are

The regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter the "GDPR") sets out the legal framework applicable to the processing of personal data.

The GDPR reinforces the rights and obligations of controllers, processors, data subjects and data recipients. In particular, it requires that data subjects be informed of their rights in a concise, transparent, comprehensible and easily accessible manner.

As part of its business activities, BRIDOR SAS, whose head office is located at ZA Olivet, 35530 Servon sur Vilaine, France, and which is registered with the Rennes Trade and Companies Register under number 491 668 893 (hereinafter the "Company"), and which is the data controller, processes personal data according to the terms described below.

For a clear understanding of this policy, it is specified that:
  • "Candidates": natural persons applying for employment with the Company, the Le Duff Group entities concerned, or companies that operate establishments under the Le Duff Group brand (franchisees);
  • "data controller" means the natural or legal person who determines the purposes and means of the processing of personal data as defined in this policy. Under the terms of this policy, the data controller is the Company;
  • "Subcontractor" means a natural or legal person who processes personal data on behalf of the data controller. In practice, these are the service providers with whom the Company works and who handle the personal data it processes;
  • "data subjects" means persons who can be identified, whether directly or indirectly. They are referred to herein as "Candidates";
  • "Recipients" means the natural or legal persons who receive the transmission of personal data. Recipients of the data may therefore be both internal recipients and external bodies.

2. Subject

In order to run its business, the Company implements and runs personal data processing operations relating to candidates applying for positions within the Company, the Le Duff Group entities concerned, or companies that operate establishments under the Le Duff Group brand (franchisees).

The purpose of this policy is to satisfy the Company's obligation to provide information and thus to formally establish the rights and obligations of candidates with regard to the processing of their personal data.

The processing of personal data may be managed directly by the Company or through a subcontractor specifically designated by the Company.

This policy is independent of any other document that may apply within the framework of the contractual relationship between the Company and its candidates (cookies, commercial or partnership contracts, etc.).

3. General principles and commitments

The Company will only process candidate data insofar as it concerns personal data collected by or for our departments, or for the branches and franchisees of the Le Duff Group companies, or is processed in connection with job offers within these entities.

Candidates will be informed of any new processing, modification or deletion of an existing processing operation.

4. Data collected

DATA COLLECTED AND PROCESSED:
  • Identification: Your surname / first name / title / position
  • Contact details: Telephone / email address / mailing address 
  • Career: Education / Professional experience / Degrees / Awards / Record of interview / Names of the companies you have worked for / information on your professional background and information provided by the candidate as part of their CV and cover letter sent to the Company
  • Photo, if you have granted us this right
More broadly, any information and personal data that you spontaneously provide in the context of your application.

5. Origin of the data

The Company collects the data of its candidates from the data provided by the candidate via the files or electronic forms completed by the candidate.

BRIDOR SAS informs you that it may also add to your profile other information it has about you, i.e.: information gathered (i) during its conversations with you, whether in writing, by telephone or in physical interviews, and (ii) from professional social networks or from any public information source, when this information is useful for the handling of your application. 

6. Purposes of the treatment

This information is subject to computer processing for the handling of your application. Your data may also be included in a CV database, which will allow BRIDOR SAS to offer you other positions, as the case may be. 

To facilitate external and internal recruitment, BRIDOR SAS uses the DigitalRecruiters software programme, published by the company BANKESS, which allows it to distribute job offers, gather applications and manage them. 

BRIDOR SAS is the data controller responsible for processing the personal data that is provided, and BANKESS acts as a subcontractor. 

In view of the purpose of this data processing, which is to process the personal data of candidates who respond to job offers and to include data about candidates in the BRIDOR SAS CV database, the processing of your personal data is necessary for the pursuit of BRIDOR SAS' legitimate interests, namely the management of its recruitment processes, as well as for the execution of pre-contractual measures that may exist between BRIDOR SAS and candidates who respond to its job offers.

7. Legal basis

In view of the purpose of this data processing, which is to process the personal data of candidates who respond to job offers and to include data about candidates in the BRIDOR SAS CV database, the processing of your personal data is necessary for the pursuit of BRIDOR SAS' legitimate interests, namely the management of its recruitment processes, as well as for the execution of pre-contractual measures that may exist between BRIDOR SAS and candidates who respond to its job offers.

The data processing described in this policy is necessary for the execution of pre-contractual measures taken at the candidate’s request.

8. Data recipients

This data is hosted in France and will be transmitted to the people in charge of recruitment within BRIDOR SAS to allow them to study your application.
The answers to fields marked with an asterisk are required. Failure to complete these fields may compromise the follow-up of your application. In other cases, the fields are optional and have no impact on the examination of your file. 

The Company ensures that the data is only accessible to the following internal or external authorised recipients:
  • depending on the situation: officers and employees of the Company, the Le Duff Group entities concerned, or companies that operate establishments under the Le Duff Group brand (franchisees),
  • if necessary, employees of the Company's technical service providers that participate in the operation of the "recrutement.groupeleduff.com" website (e.g. translation services, IT service providers, printing, etc.)
  • services in charge of control,
  • public bodies, exclusively to meet the Company's legal obligations, court officers, judicial officers,
  • the Company's communications department,
  • the Company’s IT department.
With the exception of communication to the persons specified above, your personal data will not be communicated, transferred, rented or exchanged for the benefit of any third party.

In its capacity as a subcontractor of BRIDOR SAS, the company BANKESS is authorised to access your personal data when necessary, in particular within the framework of its missions of administering and maintaining the Company's careers website and application management tool. However, it may not transmit this data to its own subcontractors without having obtained the Company's prior consent. BANKESS may be required to transmit your personal data to a judicial authority, upon request of said authority. 

9. Transfer of personal data

In the event that a candidate wishes to complete an application for a position in a country outside the European Union, the Company may—if required in the context of the examination of their application—transfer the personal data collected to recipients (within the meaning of Article 9) located in that country.

When the country concerned does not benefit from a consistency mechanism (which means that they provide your personal data a degree of protection equivalent to that in force within the European Union), the Company ensures to the extent possible that the transfer is covered by one of the following appropriate safeguards:
  • standard contractual clauses approved by the CNIL,
  • our adherence to an approved code of conduct in effect,
  • compliance with a certification scheme certified by an approved body,
  • binding company rules approved by the CNIL.
IN THE EVENT THAT THESE MEASURES CANNOT BE IMPLEMENTED, THE CANDIDATE IS INFORMED THAT THE TRANSFER INVOLVES A HIGH POTENTIAL RISK OF VIOLATION OF HIS/HER PERSONAL DATA RIGHTS (LOSS OF AVAILABILITY, INTEGRITY OR CONFIDENTIALITY OF PERSONAL DATA, WHETHER ACCIDENTALLY OR UNLAWFULLY): YOU THEREFORE SPECIFICALLY CONSENT TO THIS TRANSFER.

10. Duration of storage

The duration of storage of your personal data is determined by the Company with regard to its legal and contractual constraints.

The data will be stored for a maximum of one (1) year after collection.

However, data that constitute proof of a right or a contract, which must be kept in order to comply with a legal obligation, will be stored for the period provided for by the legislation in force.

At the end of the duration of storage defined for each of the categories of personal data processed, and subject to the provisions that allow archiving of data that is strictly necessary for the exercise of a right and for proof of this right for the duration of the applicable limitation periods, or by virtue of the legal obligations to which the Company is subject, the Company:
  • shall destroy the personal data, or
  • shall store this personal data in an irreversibly anonymised form, so that it no longer constitutes personal data within the meaning of the applicable regulations.
Candidates are reminded that deletion or anonymisation are irreversible, and that the Company is no longer in a position to restore this data afterwards.

11. Right of access

Candidates traditionally have the right to request confirmation from the Company as to whether or not the data concerning them is being processed.

Candidates also have a right of access, which is subject to compliance with the following rules:
  • the request shall be made by the data subject himself, and shall be sent with a copy of an up-to-date form of identification;
  • the request must be made in writing, sent to the following address: Référent Données Personnelles - LE DUFF GROUP - 52 avenue du Canada 35200 RENNES, France or to the following email address: vosdonneespersonnelles@bridordefrance.com
Candidates have the right to request a copy of their personal data being processed from the Company. However, in the event of a request for an additional copy, the Company may require the candidate to bear this cost.

If a candidate submits his request for a copy of the data electronically, the information requested will be provided in a commonly used electronic format, unless otherwise requested.

Candidates are informed that this right of access may not relate to information or data that is confidential, or for which the law does not authorise communication.

12. Updating and rectification

You may exercise this right by contacting your usual contact person, or, failing that, the management in charge of the Company's communications.

In order to allow for regular updating of the personal data collected by the Company, the Company may request updates from candidates who may potentially satisfy its requests.

The Company shall not be held responsible for a lack of updating if the candidate does not update his or her data.

13. Right to erasure

The candidate’s right to erasure shall not be applicable in cases where the processing is carried out in order to comply with a legal obligation.

Apart from this situation, candidates may request the deletion of their data in the following limited cases:
  • when the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • when the data subject objects to processing that is necessary for the legitimate interests pursued by the Company and there are no overriding legitimate reasons for the processing;
  • when the data subject objects to the processing of his personal data for the purposes of direct marketing, including profiling;
  • when personal data have been unlawfully processed.

14. Right of limitation

Candidates are informed that this right is not intended to apply insofar as the processing carried out by the Company is lawful and that all personal data collected is necessary for the performance of the commercial contract.

15. Right to portability

The Company agrees to the portability of data in the specific case of data provided by the candidates themselves, through the online services offered by the Company, and for purposes based on the sole consent of the data subjects. In this case, the data will be provided in a structured, commonly used, machine-readable format.

16. Automated individual decision-making

The Company does not use automated individual decision-making.

17. Post-mortem rights

Candidates are informed that they have the right to issue guidelines on the storage, erasure and disclosure of their data after their death. The communication of specific post-mortem directives and the exercise of their rights are carried out:
  • by email sent to: vosdonneespersonnelles@groupeleduff.com
  • or by post to the following address: Référent Données Personnelles - LE DUFF GROUP - 52 avenue du Canada 35200 RENNES, France, along with a signed copy and a copy of a form of identification.

18. Justification - Excessive exercise of rights

With regard to all the candidate’s rights mentioned here, and in accordance with the legislation on the protection of personal data, you are informed that these are rights of an individual nature which can only be exercised by the data subject with regard to his or her own personal data. To meet this obligation, we will verify the identity of the data subject.

We remind candidates that if a data subject's requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the Company may:
  • require the payment of reasonable charges to cover the administrative costs incurred in providing the data, sending messages or taking the action requested; or
  • refuse to comply with these requests.

19. Optional or required responses

For each personal data collection form, an asterisk is used to inform candidates of which responses are optional and which are required.

If a response is required, the Company will explain to candidates the consequences of not answering.

20. Right of use

Candidates grant the Company a right to use and process their personal data for the purposes defined above.

21. Subcontracting

The Company informs candidates that it may use any subcontractor of its choice in the processing of their personal data.

In this case, the Company ensures that the subcontractor complies with its obligations under the GDPR.

The Company shall sign a written contract with all its subcontractors and impose the same data protection obligations on subcontractors as it does on itself. Furthermore, the Company reserves the right to audit its subcontractors to ensure compliance with the provisions of the GDPR.

22. Security

It is the Company's responsibility to define and implement the technical security measures, physical or digital, that it considers appropriate to combat the destruction, loss, alteration or unauthorised disclosure of data in an accidental or illicit manner.

These measures include:
  • the use of security measures for access to the premises (closing of offices, badges, etc.);
  • secure access to our computers and smartphones (access code modified regularly);
  • logins and passwords required for all our business applications;
  • the management of data access authorisations (specificity for our financial and accounting services and communications);
  • VPNs for remote connections;
  • complex passwords that are changed regularly for our Wi-Fi network.
To this end, the Company may be assisted by any third party of its choice to carry out vulnerability audits or intrusion tests at the frequency it deems necessary.

In any event, if there is a change in the means that ensure the security and confidentiality of personal data, the Company undertakes to replace them with means of superior performance. No change shall lead to a decrease in the level of security.

In the event that all or part of the processing of personal data is subcontracted, the Company shall impose contractual security guarantees on its subcontractors by means of technical measures to protect such data and appropriate human resources.

23. Data breach

In the event of a breach of personal data, the Company undertakes to notify the CNIL under the conditions prescribed by the GDPR.

If the breach poses a high risk to the applicants and the data was not protected, the Company:
  • will notify the candidates concerned;
  • will provide the candidates concerned with the necessary information and recommendations.

24. Records of processing activities

The Company has a record of its data processing activities.

25. Right to lodge a complaint with the CNIL (French Data Protection Authority)

Candidates concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of personal data concerning them does not comply with European data protection regulations. This may be done at the following address:

CNIL - Service des plaintes:
3, place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07, FRANCE 
Phone: +33 (0)1 53 73 22 22

26. Changes

The present policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions and recommendations of the CNIL or changes in usage.

Any new version of this policy will be made known to candidates by any means chosen by the Company, including electronic means (e.g., distribution by email or online).

27. For more information

For further information, you may contact our data protection officer at the following email address: vosdonneespersonnelles@groupeleduff.com

For more general information on the protection of personal data, you may visit the CNIL website: www.cnil.fr