Privacy Policy Keolis S.A.

The company Keolis S.A. (“Keolis S.A.”, “We”, “our”, “us”) makes every effort to protect your personal data, in compliance with applicable European and French legislation. This privacy policy (the “Privacy Policy”) aims to inform you as to the purposes and conditions in which we process personal data that we may collect through our various channels, and in particular: the Keolis S.A. website [https://www.keolis.com], our social media accounts, the Successfactor career platform (“Career Platform”) [https://careers.keolis.com/]  or any event that we may organise. Our Cookie Policy, which can be consulted at https://www.keolis.com/en/cookies-management, comes in addition to this Privacy Policy and provides information on the purposes and conditions of use of cookies or web browsing data that Keolis S.A. may deploy. We invite you to take a moment to read this Privacy Policy so as to have all the information you need to understand how your personal data is used and so as to allow you to freely and fully exercise the rights granted to you by law and by this Privacy Policy.

Controller

The entity responsible for processing your personal data is the company Keolis S.A. 

Terms & Conditions of Use

The Privacy Policy is an integral part of the Terms and Conditions of Use of our Keolis website and should be read in conjunction with them (these can be consulted by following these links: https://www.keolis.com/en/legal-notices.

Applicable law and competent administrative authority

The Privacy Policy is governed by the General Data Protection Regulation n°2016/679 (“GDPR”) and by the French Data Protection Act no.78-17 of 6 January 1978 subsequently amended, under the regulatory supervision of the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés – www.cnil.fr).

Links to third-party site

Our website may contain or use links to websites, mobile apps, products or services operated by third parties (in particular sites of advertisers, partners of Keolis S.A. or social media sites). We remind you that the Privacy Policy does not apply to these third parties over which Keolis S.A. has no control and for which we cannot be held liable. We recommend that you consult the privacy policies, procedures and practices of these third parties.

The Privacy Policy applies to the personal data that we may collect from you or about you (see below) from the following sources:

• Your browsing history on the Keolis S.A. website (in particular when using a functionality, completing a registration form or survey, consulting resources available on the website);

• The exchange of e-mails, text messages or any other electronic messages between Keolis S.A. and you;

• Receipt and management of your application on the Career Platform, accessible via the “Join us” tab, as well as by email and creation of a CV database;

• Receipt of your information/contact requests sent to support on the Career Platform, as well as by email;

• Receipt of your information/contact requests sent via the “Contact” section of the Keolis S.A. website (application, press, sponsorship and partnership, suppliers and transport services), as well as by email;

• Receipt of supplier/prospect information in the context of the management of pre-contractual and contractual relations;

• Receipt and answers to your requests for rights in accordance with the GDPR.

• Data contained in alerts received under the Keolis Group’s ethical alert system

We collect and use your personal data for the main purposes described below. We keep your personal data only for as long as necessary to fulfil the different purposes, except where the law permits or requires us to keep it longer.

These maximum durations apply unless you request the deletion or cessation of use of your data before the expiry of the latter for a reason compatible with any legal obligation which may be imposed on Keolis S.A. 

In accordance with the applicable regulations, we process your data when we have a legal basis for doing so. This may be for the performance of a contract (a), legitimate interest (b), a legal obligation (c) or your consent (d).

a. Purposes of processing based on contractual (or pre-contractual) performance

• Management of your recruitment;

• Management of pre-contractual and contractual relations with our suppliers.

• Management of your user account on the Career Platform;

b. Purposes of processing based on legitimate interest

• Management of your requests sent on the Keolis S.A. website or by email;

• Building up of our CV database in order to contact you if we have opportunities;

• Transmission of your application to the subsidiary concerned;

• Management of Keolis S.A. Communication;

• Management of commercial prospecting aimed at professionals, however it is possible to oppose this by contacting us at the address indicated in article 9 of this Privacy Policy;

• Management of pre-litigation and litigation, the gathering of evidence.

c. Purposes of processing based on legal obligation

• Management of your requests to exercise your rights (access, rectification, opposition, etc.) pursuant to the GDPR.

• The management of whistleblowing reports in order to comply with the obligations of the Keolis Group under (i) Articles 6 et seq. of French Law No. 2016-1691 of 9 December 2016, known as “Sapin II,” (ii) Article 17 of the same law, and (iii) the provisions of Law No. 2017-399 of 27 March 2017 on the duty of vigilance of parent companies and ordering companies.

d. Purposes of processing based on your consent

• Cookies management, with the exception of strictly necessary cookies: to find out more about your data collected in this context, we invite you to consult our cookie policy.

• The transmission of your requests/questions to the subsidiary concerned.

Keolis S.A may disclose your personal data:

In-House

To the departments authorised by Keolis and needing to know in the context of the aforementioned purposes, including the departments of Communication and Marketing, Purchasing, General Resources, Human Resources, Accounting, Legal, etc.

Within the Keolis Group

We may share your personal data with certain entities with the Keolis Group, or partners; in order to maintain continuity of our services or of our relations with our customers, sales prospects or website users.

• If you have formally given your consent, your contact/information request will be forwarded to the Keolis subsidiary/Partner concerned by your question.

• In order to enable your applications to be processed within the Group and when you respond to a job offer from a Keolis subsidiary, your application data is sent to this Keolis subsidiary as a separate data controller for review and processing of your application. Your data is then processed in accordance with the privacy policy of the Keolis subsidiary concerned, which you can consult by contacting it directly.

With third-party providers

We may share your personal data with trusted third parties, service providers of Keolis S.A., located within the European Union (hereinafter the “EU”), in particular to ensure the proper functioning of our website or our services in connection with the purposes mentioned above.

Your personal data processed in the context of managing your application may also be disclosed to service providers (career platform operators), as well as to external organizations where these are engaged by Keolis S.A. as part of recruitment processes (recruitment agencies).

As part of the processing of whistleblowing reports, data may be transferred to service providers (lawyers, investigators, etc.) who may be required to intervene during the investigation. In this context, only the data strictly necessary for the performance of their respective tasks will be transmitted to them.

With business partners

We may share pseudonymous data which do not contain any items of direct identification, for the purposes described in Article 3. “Use of your personal data and storage periods” above, in particular concerning the cookies collected by Business partners who collects and processes the cookies (listed in the Cookies Policy). Business partners are separately controllers or joint controllers for processing.

With third parties on legal gorunds

If we were to be compelled to observe laws and regulations and legal requirements and instructions, or if permitted by law (i.e. to protect and uphold rights, a situation posing a threat to life, health or safety, etc.).

***
In any event, we always require such recipients to provide sufficient confidentiality and security safeguards and to take the necessary physical, organizational, and technical measures to protect and secure your personal data, in accordance with the applicable legislation.

Hosting and transfer of data outside the European Union

All of your data is processed and hosted within the EU. However, data transfers outside the EU may occur. Any transfer of your data outside the EU is carried out with appropriate safeguards in compliance with the applicable regulations, either because the recipient countries benefit from an adequacy decision, or because such transfers are governed by the implementation of Standard Contractual Clauses approved by the European Commission, or by adequacy decisions (such as the Data Privacy Framework for transfers to the United States). For more information on the safeguards governing such transfers, you may contact us at the addresses indicated in Article 9.

Keolis S.A. safeguards your personal data by implementing the adequate physical, organisational and technical measures to prevent any unauthorised access, use, disclosure, modification or destruction, in accordance with current legislation.

These measures specifically include:  

• Storing data on secure servers in the European Union;

• Limiting access to your data on a “need to know” basis;

• Implementation of organisational measures internally to protect your data.

While Keolis S.A. takes every possible measure to protect your personal data, we cannot guarantee the security of the information transmitted to our website when your terminal or browser is affected by a security breach.

As part of the continuous improvement of our services, we may use artificial intelligence (AI) technologies, including machine learning algorithms, to analyze collected data, automate certain processes, or personalize content and recommendations.

These automated processes are carried out in compliance with the principles of the GDPR and the AI Act, in particular:

🧠 Purpose: AI is used to enhance the user experience (e.g., recommendations, automated assistance).

🔍 Transparency: You are informed of any automated processing involving your personal data.

⚖️ Legal basis: Processing is based on legitimate interest or your consent, depending on the circumstances.

👤 Guaranteed rights: No processing produces legal effects without human involvement; you retain your rights (access, objection, rectification, etc.).

🔐 Security and ethics: Systems are regularly audited to prevent bias and ensure compliance.

No decision producing significant legal effects will be made solely on the basis of automated processing, except in cases provided for by law and with your explicit consent.

Pursuant to the GDPR and the French Data Protection Act, you are entitled to several rights, including:

Access, modification, updating and deletion of your personal data

You may ask to be granted access to your personal data which are held and processed by Keolis S.A.; you may consult them, obtain a printed or electronic copy of them and ask for them to be corrected, updated or deleted.

Objection

You may at any time ask that some of your data be no longer processed.

Portability

You may request to have your processed data sent to you in an open and machine-readable format, whether it be for your personal use or to transfer them to another controller.

Restriction of processing

In certain cases, you may request that the processing of your personal data be restricted.

Claims to a Supervisory Authority

Without prejudice to any other legal remedy, you are entitled to lodge a complaint with the supervisory authority of the European Union country in which you reside, work or in which you deem that your rights might have been infringed upon.

***

You may exercise all of these rights by sending a written request together with a copy of proof of identity to the contacts set out in Article 9. How to contact us. We will try to deal with your request at our earliest opportunity and in accordance with the conditions provided for by the applicable legislation. Notwithstanding, it may occur that due to our binding legal or contractual obligations, we are unable to grant your request.

Keolis S.A. reserves the right to make changes to the Privacy Policy.
We invite you to regularly consult this page to learn of any changes and stay up to date on the measures we take to protect your personal data.

To exercise your rights or for any queries relating to the Privacy Policy, please contact our Data Protection officer by clicking here or by post at:

Keolis SA

Data Protection Officer

34 Avenue Léonard De Vinci,

92400 Courbevoie, France.

This Privacy Policy was last updated on 09/03/2025