Privacy Policy of the Global Energy Management Business Unit and its Related Companies 

The protection of your personal data is important to the ENGIE Group and its business unit “Global Energy Management.” This Privacy Policy explains how we process your personal data (“Personal Data”) in the context of our business activities, including the provision of energy services, products, and solutions, and through interactions such as visiting our websites. 

For the purpose of applicable data protection legislation (including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”)), the data controller (“we,” “us,” “our”) may be the ENGIE Group company with whom you are in contact or the publisher of the website you use. This Privacy Policy outlines what Personal Data we use, why we use it, how long we retain it, and how you can exercise your rights. 

1. Which Personal Data Do We Use? 

Visitors of Our Websites: 

  • Data to improve user experience and manage our services (e.g., IP address, login details, contact information). 
  • Information provided via online contact forms or extranet platforms. 
  • Cookies to enhance browsing experience. For more details, refer to our Cookie Policy. 

Counterparties, Clients, and Suppliers: 

  • Identification details of directors and authorized representatives (e.g., name, passport or ID number). 
  • Business relationship data (e.g., phone numbers, email addresses). 
  • Data for internal investigations, including checks related to anti-money laundering and crime prevention. 
  • Records of correspondence and communications (e.g., emails, calls) as permitted by law. 
  • Transactional data for legal compliance. 
  • Event or conference registration details. 
  • Video surveillance images for security purposes. 

2. How Do We Collect Personal Data? 

Personal Data may be: 

  • Provided directly by you or through clients, counterparties, or suppliers. 
  • Obtained from public sources, such as:  
  • Search engines (e.g., World Check Risk Intelligence, LexisNexis). 
  • Official publications or authority databases. 
  • Publicly available third-party databases. 

3. Why and On What Basis Do We Use Personal Data? 

We process Personal Data only when necessary: 

  • For legal compliance: e.g., detecting and preventing financial crimes. 
  • To execute contracts: e.g., fulfilling obligations to clients, counterparties, or suppliers. 
  • For legitimate interests: e.g., ensuring operational security and fulfilling ethical obligations. 
  • With consent: for specific purposes when required. 

Specific purposes include: 

  • Compliance with legal obligations and financial crime prevention. 
  • Maintaining records of interactions with counterparties. 
  • Ensuring the security of operations and premises. 
  • Delivering products and services, managing invoices, and personalizing business relationships. 
  • Defending rights in investigations by regulators or competent authorities. 

We do not make decisions solely based on automated processing that produce legal effects or similarly significant impacts. 

Failure to provide required Personal Data may result in an inability to fulfill contractual obligations or compliance with legal requirements. 

4. Who Do We Share Personal Data With? 

Personal Data may be shared with: 

  • ENGIE Group entities and internal/external service providers for relevant purposes. 
  • Government authorities, courts, and law enforcement as required by law. 
  • Third parties during corporate reorganizations (e.g., mergers or acquisitions) in compliance with data protection laws. 

5. Transfers of Personal Data Outside the European Economic Area (EEA) 

When transferring Personal Data outside the EEA, we ensure appropriate safeguards are in place, such as: 

  • Adequacy decisions by the European Commission. 
  • Standard data protection contractual clauses. 
  • EU-US Privacy Shield compliance for transfers to the United States. 

For details, consult: EDPS International Transfers

6. How Long Do We Retain Personal Data? 

Retention periods depend on: 

  • The purpose of processing and applicable regulations. 
  • Legal requirements for proof and response to authorities (e.g., five years for correspondence records). 
  • Statutory limitation periods for claims or disputes, plus a reasonable additional period if needed. 

7. What Are Your Rights and How Can You Exercise Them? 

You have the following rights under applicable regulations: 

  • Access: Obtain information about and a copy of your Personal Data. 
  • Rectification: Request corrections to inaccurate or incomplete data. 
  • Erasure: Request deletion of data under certain circumstances. 
  • Restriction: Limit processing of your data. 
  • Objection: Oppose processing unless required for contractual or legal obligations. 
  • Withdrawal of Consent: Revoke consent at any time for specific processing. 
  • Data Portability: Receive or transfer your data in a machine-readable format where applicable. 

To exercise your rights, contact: gem-privacy@engie.com. We may require proof of identity to prevent unauthorized access. 

For complaints, contact the relevant supervisory authority: EU Data Protection Authorities

8. Security 

We implement technical and organizational measures to ensure a level of security appropriate to risks. Security incidents leading to accidental or unlawful destruction, loss, or unauthorized access are promptly reported. 

9. Updates to This Privacy Policy 

This Privacy Policy may be updated to reflect technological or regulatory changes. Material updates will be communicated via usual channels. 

In case of inconsistencies, this Privacy Policy prevails over other related documents. 

For questions or concerns about this Privacy Policy, please contact our Data Privacy Manager or team at gem-privacy@engie.com