Personal Data Protection Policy
Last updated: July 2024
1 Introduction
The Soitec group (“Soitec”) is attentive that the collection and Processing of your Personal Data complies with applicable regulations. The objective of this Personal Data protection policy (the “Policy”) is to provide you with clear and transparent information on the Processing of Personal Data carried out by Soitec depending on the relationship between you and the latter. This Policy only concerns Processing for which Soitec is responsible and therefore does not cover Processing which is not carried out by Soitec itself.
1.1 Applicable regulation
The applicable regulations include:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”) ;
Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms, known as the Data Protection Act, amended by the Order No. 2018-1125 of December 12, 2018 taken pursuant to Article 32 of Law No. 2018-493 of June 20, 2018;
the recommendations of the French National Commission for Information Technology and Liberties (“CNIL”) ;
other laws and regulations applicable in the countries in which Soitec operates.
1.2 Definitions
For a better understanding of this Policy, certain terms are defined as follows:
Personal Data | Any information relating to an identified or identifiable natural person. A person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific elements specific to their physical, physiological, psychological, economic, cultural or social identity is deemed identifiable. |
Data Controller | Natural or legal person who determines the purposes and means of Processing Personal Data. |
Subcontractor | Any natural or legal person who processes Personal Data on behalf of the Data Controller. |
Data subjects | Persons whose Personal Data are collected by the Data Controller, and in particular any commercial partner interacting with Soitec with a view to establishing a commercial relationship, visitors to the website www.soitec.com, Soitec shareholders and investors, or even candidates for employment within Soitec. |
Recipients | Natural or legal persons who receive communication of Personal Data. The Recipients of the data may be Soitec employees, subsidiaries and/or trusted partners, suppliers, co-contractors, Subcontractors, or any other third parties or administrations to the extent necessary for Soitec's activity. |
Processing | Any operation or set of operations carried out or not using automated processes and applied to Personal Data, such as collection, recording, organization, conservation, adaptation or modification, extraction , consultation, use, communication by transmission, distribution or any other form of making available, reconciliation or interconnection, as well as blocking, erasure or destruction. As Data Controller, Soitec maintains a record of all Processing activities carried out. Soitec undertakes to provide the supervisory authority, upon first request, with information enabling said authority to verify compliance of the Processing with the regulations in force. |
1.3 Scope
This Policy applies to all our online and third-party services. It aims to inform:
Users of the Website www.soitec.com;
Soitec prospects;
Soitec’s customers and commercial partners;
Candidates for employment at Soitec.
This Policy does not apply to Soitec employees, who can refer to the internal Personal Data protection policy.
2 How does Soitec process your Personal Data?
2.1 Who collects your Personal Data?
The Data Controller, within the meaning of the GDPR, is the company Soitec, limited company whose head office is located at Chemin des Franques, Parc Technologique des Fontaines, 38190 Bernin, France, registered in the Grenoble Trade and Companies Register under number 384 711 909.
2.2 How do we collect your Personal Data?
Website user data : Your Personal Data is collected via our online form that we have made available to you on our website as well as, where applicable, via the use of cookies.
Customer and business partner data : Your Personal Data is collected directly from you via an information sheet.
Job candidate data : Your Personal Data is collected directly from you via the employment section of our website.
2.3 What are the purposes and legal basis for the Processing of your Personal Data?
As part of our activities, the legal basis and purposes of the Processing of Personal Data are identified for each Processing which is implemented by Soitec within the register kept by Soitec. The purposes and legal basis for the Processing of Personal Data remain, in particular, the following:
Processing activities | Purposes | Legal basis(s) | Personal Data collected |
Management of commercial activities | Contract management (call for tenders, negotiation, signature, order, delivery, invoicing, payment, complaints, etc.) | Pre-contractual measures Execution of a contract | Identification data (first name, surname, e-mail address, postal address, etc.) |
Management of marketing activities | Carrying out commercial prospecting and marketing actions | Legitimate interest | Identification data (first name, surname, e-mail address, postal address, etc.) |
Management of visits to Soitec sites | Carrying out site visits for commercial or communications purposes | Legitimate interest | Identification data (first name, surname, e-mail address, postal address, etc.) |
Management of financial activities | Management of relations with shareholders and investors (correspondence, information) | Legitimate interest | Identification data (first name, surname, e-mail address, postal address, etc.) |
Management of the Soitec website | Operation of the Soitec website | Legitimate interest | Connection data (IP address, type of device, etc.) |
Applications for job offers | Management of candidate applications Contacting candidates | Legitimate interest Pre-contractual measures | Identification data (first name, surname, e-mail address, postal address, etc.) Professional data (training, qualifications, skills, curriculum vitae, etc.) |
2.4 Who has access to your Personal Data?
Soitec ensures that your Personal Data is only accessible to authorized Recipients for reasons strictly justified by the legal basis and in an adequate, relevant and limited manner to the purposes of the Processing. To this end, Soitec implements technical and operational measures, including specific authorization rules. The following persons may in particular be Recipients of the Personal Data:
Internal Recipients | Generally speaking, your Personal Data is accessible to the following internal Recipients:
|
External Recipients | When Personal Data is shared with external Recipients, Soitec ensures that these external Recipients provide sufficient guarantees to ensure compliance with applicable regulations. Your Personal Data may in particular be shared with:
|
2.5 How long is your Personal Data kept?
Personal Data is kept by Soitec for a period strictly justified by the legal basis and the purposes of the Processing. Soitec bases itself in particular on the durations as defined within the draft framework relating to the Processing of Personal Data implemented for the purposes of managing commercial activities adopted by the CNIL on November 29, 2018.
Generally speaking, Personal Data is kept for the contractual duration of the commercial relationship with Soitec, plus a period of five (5) years from the date of end of the commercial relationship, unless otherwise provided by applicable local laws, for the establishment, exercise or defense of legal claims or when the Data Subject requests their erasure.
Processing activities | Basis | Intermediate archiving | Reference text |
Management of commercial activities | Contractual duration of the commercial relationship | 5 years from the end of the contract | Art. L110-4 of the French Commercial Code |
Management of marketing activities | Duration of the non-contractual relationship | 3 years from the last contact with the Data Subject | CNIL recommendation |
Management of visits to Soitec sites | Duration of visit | 3 months after registration | NS-042 |
Management of financial activities | Obligation legal conservation | Legal retention period (e.g., accounting obligation of 10 years) | Art. L.123-22 of the French Commercial code |
Management of the Soitec website | Consent to cookies, audience trackers | Consent to cookies: 6 months Lifespan of audience trackers: 13 months Information collected: 25 months | CNIL recommendation |
Applications for job offers | During the recruitment process and up to 3 months for unsuccessful candidates (in order to give the reasons and explanations of the decision). Up to two years for information strictly necessary to constitute a pool of candidates | Up to five years from the date of hiring decision for successful candidates | CNIL recommendations |
After the set deadlines, and unless there is a pre-litigation and litigation procedure, or a request from a competent authority, Personal Data is either deleted or kept after being anonymized, in particular for reasons of statistical use. Deletion or anonymization are irreversible operations that Soitec is subsequently no longer able to restore.
2.6 Transfers of Personal Data outside the European Economic Area
The Personal Data of the Data Subjects are, as a general rule, processed and stored within the European Economic Area. For cases where it is processed and/or stored outside the EEA, appropriate safeguards in accordance with Soitec's legal obligations will be put in place, as provided by law (for example, the standard contractual clauses of the European Commission ).
Indeed, as a multinational group, Soitec has a legitimate interest in transmitting the Personal Data of the Data Subjects within the Soitec group to branches/subsidiaries located throughout the world. Soitec may also need to outsource certain services to external providers located outside the EEA.
3 What are your rights?
Right to information | Everyone has a right to review their own Personal Data; therefore, anyone who carries out Processing is obliged to inform the Data Subjects. To find out more: Articles 13 and 14 GDPR or go to the website of the CNIL |
Right of access | Exercising the right of access allows you to know whether data concerning you is being processed and to obtain communication of it in an understandable format. It also allows you to check the accuracy of the data. To find out more: Article 15 GDPR or go to the website of the CNIL |
Right to rectification | The right of rectification allows you to correct inaccurate data concerning you or to complete data related to the purpose of the Processing. To find out more: Article 16 GDPR or go to the website of the CNIL |
Right to erasure or right to be forgotten | The Data Subject has the right to obtain from the controller the erasure, as soon as possible, of Personal Data concerning him or her and the controller has the obligation to erase this Personal Data as soon as possible, when one of the reasons provided for by the regulations applies. To find out more: Article 17 GDPR or go to the website of the CNIL |
Right to restriction of Processing | The Data Subject has the right to obtain from the controller restriction of Processing. However, the Data Subject is informed that they do not have an absolute right to limit the Processing of their Personal Data, according to the limits provided for by the regulations. To find out more: Article 18 GDPR or go to the website of the CNIL |
Right to data portability | Data subjects have the right to receive the Personal Data concerning them that they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit this data to another controller without the controller to whom the Personal Data has been communicated obstructing this. To find out more: Article 20 GDPR or go to the website of the CNIL |
Right to object | The Data Subject has the right to object at any time, for reasons relating to his or her particular situation, to the Processing of Personal Data concerning him or her. However, the Data Subject's right to object is not absolute. To find out more: Article 21 GDPR or go to the website of the CNIL |
Right not to be subject to an automated decision | The Data Subject has the right not to be subject to a decision based exclusively on automated Processing, including profiling, which produces legal effects concerning them or significantly affects them in a similar way. To find out more: Article 22 GDPR or go to the website of the CNIL |
Right to define directives after death | Data subjects are informed that they have the right to formulate directives concerning the conservation, erasure and communication of their post-mortem Personal Data. The implementation of this right is subject to a decree which has not yet been published. To find out more: Article 40-1 Data Protection Act |
4 How to exercise your rights?
The exercise of the aforementioned rights is carried out, at the choice of the Data Subject:
by email to dpo [at] soitec.com; or
by post to the address: DPO, Soitec, Chemin des Franques, Parc Technologique des Fontaines, 38190 Bernin, France.
Your request will be processed as soon as possible. As part of the request to exercise rights, your Personal Data is processed and kept as proof of execution of the request.
In case of complaint relating to the Processing of your Personal Data, you can contact the CNIL under the conditions defined by the latter:
by email to the address according to the terms described on the CNIL website ; or
by post to the address: CNIL - Complaints Department - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.