Personal Data Protection Policy

Last updated: July 2024


1 Introduction


The Soitec group (“Soitec”) takes care to ensure that the collection and Processing of your Personal Data comply with applicable regulations. The objective of this Personal Data protection policy (the “Policy”) is to provide you with clear and transparent information on the Processing of Personal Data carried out by Soitec, depending on your relationship with Soitec. This Policy only concerns Processing for which Soitec is responsible and therefore does not cover Processing which is not carried out by Soitec itself.


1.1 Applicable regulation

The applicable regulations include:


  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”);


  • Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms, known as the Data Protection Act, amended by the Order No. 2018-1125 of December 12, 2018 taken pursuant to Article 32 of Law No. 2018-493 of June 20, 2018;


  • the recommendations of the French National Commission for Information Technology and Liberties (“CNIL”);


  • other laws and regulations applicable in the countries in which Soitec operates.


1.2 Definitions

For a better understanding of this Policy, certain terms are defined as follows:

Personal Data

Any information relating to an identified or identifiable natural person. A person is deemed identifiable if they can be identified, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, psychological, economic, cultural or social identity.

Data Controller

Natural or legal person who determines the purposes and means of Processing Personal Data.

Subcontractor

Any natural or legal person who processes Personal Data on behalf of the Data Controller.

Data subjects

Persons whose Personal Data are collected by the Data Controller, and in particular any commercial partner interacting with Soitec with a view to establishing a commercial relationship, visitors to the website www.soitec.com, Soitec shareholders and investors, or even candidates for employment within Soitec.

Recipients

Natural or legal persons who receive communication of Personal Data. The Recipients of the data may be Soitec employees, subsidiaries and/or trusted partners, suppliers, co-contractors, Subcontractors, or any other third parties or administrations to the extent necessary for Soitec's activity.

Processing

Any operation or set of operations, whether or not carried out using automated processes, applied to Personal Data, such as collection, recording, organization, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, distribution or any other form of making available, reconciliation or interconnection, as well as blocking, erasure or destruction.

As Data Controller, Soitec maintains a record of all Processing activities carried out. Soitec undertakes to provide the supervisory authority, upon first request, with information enabling said authority to verify compliance of the Processing with the regulations in force.


1.3 Scope

This Policy applies to all our online and third-party services. It aims to inform:


  • Users of the Website www.soitec.com;

  • Soitec prospects;

  • Soitec’s customers and commercial partners;

  • Candidates for employment at Soitec.


This Policy does not apply to Soitec employees, who can refer to the internal Personal Data protection policy.


2 How does Soitec process your Personal Data?


2.1 Who collects your Personal Data?


The Data Controller, within the meaning of the GDPR, is Soitec, a limited company whose head office is located at Chemin des Franques, Parc Technologique des Fontaines, 38190 Bernin, France, registered in the Grenoble Trade and Companies Register under number 384 711 909.


2.2 How do we collect your Personal Data?


  • Website user data: Your Personal Data is collected via the online form made available on our website and, where applicable, via the use of cookies.


  • Customer and business partner data: Your Personal Data is collected directly from you via an information sheet.


  • Job candidate data: Your Personal Data is collected directly from you via the employment section of our website.



2.3 What are the purposes and legal basis for the Processing of your Personal Data?

As part of our activities, the legal basis and purposes of each Processing implemented by Soitec are identified in the register kept by Soitec. The purposes and legal basis for the Processing of Personal Data are, in particular, the following:

| Processing activities | Purposes | Legal basis(es) | Personal Data collected |
| --- | --- | --- | --- |
| Management of commercial activities | Contract management (call for tenders, negotiation, signature, order, delivery, invoicing, payment, complaints, etc.) | Pre-contractual measures; Execution of a contract | Identification data (first name, surname, e-mail address, postal address, etc.) |
| Management of marketing activities | Carrying out commercial prospecting and marketing actions | Legitimate interest | Identification data (first name, surname, e-mail address, postal address, etc.) |
| Management of visits to Soitec sites | Carrying out site visits for commercial or communications purposes | Legitimate interest | Identification data (first name, surname, e-mail address, postal address, etc.) |
| Management of financial activities | Management of relations with shareholders and investors (correspondence, information) | Legitimate interest | Identification data (first name, surname, e-mail address, postal address, etc.) |
| Management of the Soitec website | Operation of the Soitec website | Legitimate interest | Connection data (IP address, type of device, etc.) |
| Applications for job offers | Management of candidate applications; Contacting candidates | Legitimate interest; Pre-contractual measures | Identification data (first name, surname, e-mail address, postal address, etc.); Professional data (training, qualifications, skills, curriculum vitae, etc.) |

2.4 Who has access to your Personal Data?

Soitec ensures that your Personal Data is only accessible to authorized Recipients for reasons strictly justified by the legal basis, and in a manner that is adequate, relevant and limited to the purposes of the Processing. To this end, Soitec implements technical and operational measures, including specific authorization rules. The following persons may in particular be Recipients of the Personal Data:


Internal Recipients

Generally speaking, your Personal Data is accessible to the following internal Recipients:


  • Department of Communication regarding the management of your requests and your subscriptions to newsletters;


  • Human resources department regarding the management of your candidate space and your applications for job offers within the Soitec group;


  • Sales Department and Business Units regarding relations with prospects and customers;


  • Purchasing Department regarding relations with suppliers and service providers;


  • Security Department regarding site security management;


  • General Secretariat regarding relations with shareholders and the management of legal actions.

External Recipients

When Personal Data is shared with external Recipients, Soitec ensures that these external Recipients provide sufficient guarantees to ensure compliance with applicable regulations. Your Personal Data may in particular be shared with:


  • our Subcontractors and service providers intervening for technical and logistical reasons (website hosting, security and maintenance providers, fraud management providers, technical service providers in charge of sending emails and newsletters, anti-spam and anti-robot service providers, recruitment agencies which can advise us in the management of our candidate databases and help us in the selection of profiles within these databases);


  • any authority, jurisdiction or other third party when such communication is required by law, a regulatory provision or a court decision, or if this communication is necessary to ensure the protection and defense of our rights;


  • Our banking and financial organizations;


  • Our external advisors (lawyer, auditors, etc.).

2.5 How long is your Personal Data kept?

Personal Data is kept by Soitec for a period strictly justified by the legal basis and the purposes of the Processing. Soitec relies in particular on the durations defined in the draft framework relating to the Processing of Personal Data implemented for the purposes of managing commercial activities, adopted by the CNIL on November 29, 2018.

Generally speaking, Personal Data is kept for the contractual duration of the commercial relationship with Soitec, plus a period of five (5) years from the end of the commercial relationship, unless otherwise provided by applicable local laws, for the establishment, exercise or defense of legal claims or when the Data Subject requests their erasure.


| Processing activities | Basis | Intermediate archiving | Reference text |
| --- | --- | --- | --- |
| Management of commercial activities | Contractual duration of the commercial relationship | 5 years from the end of the contract | Art. L110-4 of the French Commercial Code |
| Management of marketing activities | Duration of the non-contractual relationship | 3 years from the last contact with the Data Subject | CNIL recommendation |
| Management of visits to Soitec sites | Duration of visit | 3 months after registration | NS-042 |
| Management of financial activities | Legal conservation obligation | Legal retention period (e.g., accounting obligation of 10 years) | Art. L.123-22 of the French Commercial Code |
| Management of the Soitec website | Consent to cookies, audience trackers | Consent to cookies: 6 months; Lifespan of audience trackers: 13 months; Information collected: 25 months | CNIL recommendation |
| Applications for job offers | During the recruitment process and up to 3 months for unsuccessful candidates (in order to give the reasons and explanations of the decision) | Up to two years for information strictly necessary to constitute a pool of candidates; Up to five years from the date of hiring decision for successful candidates | CNIL recommendations |

After the set deadlines, and unless there is a pre-litigation or litigation procedure, or a request from a competent authority, Personal Data is either deleted or kept after being anonymized, in particular for reasons of statistical use. Deletion and anonymization are irreversible operations: Soitec is subsequently unable to restore the data.



2.6 Transfers of Personal Data outside the European Economic Area


The Personal Data of the Data Subjects are, as a general rule, processed and stored within the European Economic Area (EEA). For cases where they are processed and/or stored outside the EEA, appropriate safeguards in accordance with Soitec's legal obligations will be put in place, as provided by law (for example, the standard contractual clauses of the European Commission).

Indeed, as a multinational group, Soitec has a legitimate interest in transmitting the Personal Data of the Data Subjects within the Soitec group to branches/subsidiaries located throughout the world. Soitec may also need to outsource certain services to external providers located outside the EEA.


3 What are your rights?

Right to information

Everyone has a right to review their own Personal Data; therefore, anyone who carries out Processing is obliged to inform the Data Subjects.

To find out more: Articles 13 and 14 GDPR or go to the website of the CNIL

Right of access

Exercising the right of access allows you to know whether data concerning you is being processed and to obtain communication of it in an understandable format. It also allows you to check the accuracy of the data.

To find out more: Article 15 GDPR or go to the website of the CNIL

Right to rectification

The right of rectification allows you to correct inaccurate data concerning you or to complete data related to the purpose of the Processing.

To find out more: Article 16 GDPR or go to the website of the CNIL

Right to erasure or right to be forgotten

The Data Subject has the right to obtain from the controller the erasure, as soon as possible, of Personal Data concerning him or her and the controller has the obligation to erase this Personal Data as soon as possible, when one of the reasons provided for by the regulations applies.

To find out more: Article 17 GDPR or go to the website of the CNIL

Right to restriction of Processing

The Data Subject has the right to obtain from the controller restriction of Processing. However, the Data Subject is informed that they do not have an absolute right to limit the Processing of their Personal Data, according to the limits provided for by the regulations.

To find out more: Article 18 GDPR or go to the website of the CNIL

Right to data portability

Data subjects have the right to receive the Personal Data concerning them that they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit this data to another controller without the controller to whom the Personal Data has been communicated obstructing this.

To find out more: Article 20 GDPR or go to the website of the CNIL

Right to object

The Data Subject has the right to object at any time, for reasons relating to his or her particular situation, to the Processing of Personal Data concerning him or her. However, the Data Subject's right to object is not absolute.

To find out more: Article 21 GDPR or go to the website of the CNIL

Right not to be subject to an automated decision

The Data Subject has the right not to be subject to a decision based exclusively on automated Processing, including profiling, which produces legal effects concerning them or significantly affects them in a similar way.

To find out more: Article 22 GDPR or go to the website of the CNIL

Right to define directives after death

Data subjects are informed that they have the right to formulate directives concerning the conservation, erasure and communication of their post-mortem Personal Data. The implementation of this right is subject to a decree which has not yet been published.

To find out more: Article 40-1 Data Protection Act


4 How to exercise your rights?

The exercise of the aforementioned rights is carried out, at the choice of the Data Subject:


  • by email to dpo [at] soitec.com; or


  • by post to the address: DPO, Soitec, Chemin des Franques, Parc Technologique des Fontaines, 38190 Bernin, France.


Your request will be processed as soon as possible. As part of the request to exercise rights, your Personal Data is processed and kept as proof of execution of the request.

In case of complaint relating to the Processing of your Personal Data, you can contact the CNIL under the conditions defined by the latter:


  • by email to the address according to the terms described on the CNIL website; or


  • by post to the address: CNIL - Complaints Department - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.