1. General provisions
Controller
The entity responsible for processing your personal data is the company Keolis S.A.
Terms & Conditions of Use
The Privacy Policy is an integral part of the Terms and Conditions of Use of our website and should be read in conjunction with them (these can be consulted by following this link: https://www.keolis.com/en/legal-notices.
Applicable law and competent administrative authority
The Privacy Policy is governed by the General Data Protection Regulation n°2016/679 (“GDPR”) and by the French Data Protection Act no.78-17 of 6 January 1978 subsequently amended, under the regulatory supervision of the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés – www.cnil.fr).
Links to third-party site
Our website may contain or use links to websites, mobile apps, products or services operated by third parties (in particular sites of advertisers, partners of Keolis S.A. or social media sites). We remind you that the Privacy Policy does not apply to these third parties over which Keolis S.A. has no control and for which we cannot be held liable.
We recommend that you consult the privacy policies, procedures and practices of these third parties.
2. The personal data that we collect
The Privacy Policy applies to the personal data that we may collect from you or about you (see below) from the following sources:
- Your browsing history on the Keolis S.A. website (in particular when using a functionality, completing a registration form or survey, consulting resources available on the website);
- The exchange of e-mails, text messages or any other electronic messages between Keolis S.A. and you.
3. Use of your personal data
We collect and use your personal data for the main purposes described below:
- To understand your needs and expectations, in particular to improve the way you use our website and its functionalities;
- To answer your questions and deal with your requests;
- To comply with the law, regulations and legal requirements and instructions.
4. Data transmission
Keolis S.A may disclose your personal data:
Within the Keolis Group
If you have given your consent, we may share your personal data with certain entities with the Keolis Group, or partners; in order to maintain continuity of our services or of our relations with our customers, sales prospects or website users;
With third-party providers
We may transfer your personal data to trusted third parties located within the European Union, notably in order to keep our website working correctly;
With business partners
We may share certain pseudonymous data which do not contain any items of direct identification, for the purposes described in Article 3 “Use of your personal data” above;
With third parties on legal grounds
If we were to be compelled to observe laws and regulations and legal requirements and instructions, or if permitted by law (i.e. to protect and uphold rights, a situation posing a threat to life, health or safety, etc.).
***
In all events, we always require that these recipients provide sufficient privacy and security guarantees and that they take the necessary physical, organisational and technical measures to protect and safeguard your personal data in accordance with current legislation.
5. Data security
Keolis S.A. safeguards your personal data by implementing the adequate physical, organisational and technical measures to prevent any unauthorised access, use, disclosure, modification or destruction, in accordance with current legislation.
These measures specifically include:
- Storing data on secure servers in the European Union;
- Safeguarding your data in particular through pseudonymisation processes, the encryption of data transmitted and the implementation of means to guarantee the confidentiality, integrity and availability of your data;
- Limiting access to your data on a “need to know” basis.
While Keolis S.A. takes every possible measure to protect your personal data, we cannot guarantee the security of the information transmitted to our website when your terminal or browser is affected by a security breach.
6. Your rights with regard to your personal data
Pursuant to the GDPR and the French Data Protection Act, you are entitled to several rights, including:
Access, modification, updating and deletion of your personal data
You may ask to be granted access to your personal data which are held and processed by Keolis S.A.; you may consult them, obtain a printed or electronic copy of them and ask for them to be corrected, updated or deleted.
Objection
You may at any time ask that some of your data be no longer processed.
Portability
You may request to have your processed data sent to you in an open and machine-readable format, whether it be for your personal use or to transfer them to another controller.
Restriction of processing
In certain cases, you may request that the processing of your personal data be restricted.
Claims to a Supervisory Authority
Without prejudice to any other legal remedy, you are entitled to lodge a complaint with the supervisory authority of the European Union country in which you reside, work or in which you deem that your rights might have been infringed upon.
***
You may exercise all of these rights by sending a written request together with a copy of proof of identity to the contacts set out in Article 9 “How to contact us”. We will try to deal with your request at our earliest opportunity and in accordance with the conditions provided for by the applicable legislation. Notwithstanding, it may occur that due to our binding legal or contractual obligations, we are unable to grant your request.
7. Storage period for collected data
We keep your personal data for only as long as is needed to fulfil the different purposes set out in Article 3 “Use of your personal data”, except when we are allowed or required by law to keep them for longer.
The table below gives a summary of the maximum storage periods applicable to or required of Keolis S.A. depending on the purposes for which your personal data may be processed. These maximum durations apply unless you ask for your data to be erased or no longer used before their expiry on grounds consistent with any legal obligation which Keolis S.A. may be required to observe.
PURPOSES |
STORAGE PERIODS |
Response to your requests |
Time required to deal with your request |
Measurement of audience, personalisation of website and cookie management |
13 months following the deposit of the cookie |
Sign-in identifiers |
1 year following each new session |
Management of data access and rectification requests |
1 year following receipt of request |
Management of objections to data processing |
3 years following the date at which the right to object is acted upon |
8. Changes to the Privacy Policy
Keolis S.A. reserves the right to make changes to the Privacy Policy.
We invite you to regularly consult this page to learn of any changes and stay up to date on the measures we take to protect your personal data.
9. How to contact us
To exercise your rights or for any queries relating to the Privacy Policy, please contact our Data Protection officer at dpo@keolis.com or by post at:
Keolis SA
Data Protection Officer
20 rue le Peletier,
75009 Paris, France.
This Privacy Policy was last updated on 23/08/2018