Personal data protection

A. General Policy

Whether you are a customer, partner, vendor, shareholder, or more generally a contact of the Covivio Group, we recommend that you carefully read our Policy because it contains important information regarding your Personal Data, particularly in regard to the use of your Personal Data for the purposes pursued, as well as the rights and means of action that you have. If any of the above should be lacking or deficient, do not hesitate to contact our Data Protection Officer (the “DPO“) at the following address: dpo@covivio.fr. 

Who is the Controller?

The Controller refers to the entity that determines the purposes and the means for the processing of Personal Data (the “Controller“).

The Controller is Covivio S.A. whose corporate headquarters is located at 18, Avenue François Mitterrand, 57 000 Metz (France), registered with the Metz Companies and Trade Registry under METZ Companies and Trade Registry number B364800060, jointly with its controlled subsidiaries, in accordance with Article L.233-3 of the Commercial Code, specifically the companies Wellio and Covivio Hotels, referred to hereinafter as “Covivio” or “Covivio Group“.

Covivio Group Confidentiality Policy

1. Why do we process your Personal Data?

The purposes for the processing of your Data depend upon the relationship that you maintain with Covivio.

The legal basis may be:

• your consent, especially in your capacity as a Covivio Group prospect or contact in the broader sense;
• the performance of a contract between yourself and Covivio, this is specifically the case if you are a lessee, customer, vendor, or counterparty to any other transaction carried out by Covivio;
• compliance with our legal or regulatory requirements and obligations, particularly for any meeting notice calling the shareholders of our Group’s issuer companies to General Meetings, for the purposes of any other requirement or obligations to which they are subject as listed companies, for the purposes of any action or procedure that we must carry out pursuant to combating money laundering and the financing of terrorism;
• our legitimate interests, especially pursuant to the protection of our premises and their occupants (video surveillance).

2. What Personal Data do we process?

A. You have a contractual relationship with a Covivio Group company

We make an effort to inform you “on a continuous and ongoing basis” as well as under the framework of contracts that cover or entail the processing of your Personal Data, as to the exact nature of such data as well as your applicable rights. Generally, such data has been collected from you directly.

For any additional information, please do not hesitate to contact our DPO at the following address: dpo@covivio.fr.

B. You are a Covivio Group contact in the broader sense

The essential purpose of the Data that we process is to transmit to you information regarding Covivio and its subsidiaries, manage the relationship that we have with you, and invite you to events, satisfaction surveys or contests.

Such data may specifically be:

• your surnames (given names or surnames normally used) and names;
• your employer;
• if applicable, your professional area;
• your contact information (email and mailing addresses, telephone number).

You may at any time request that you no longer appear on our mailing lists (using the designated spaces on the latter or by contacting our DPO at dpo@covivio.fr).
If you have no other ties or relationships with Covivio, we shall permanently delete your Data from our databases.

Specific information regarding the CRM established by Covivio:

To facilitate management of its contacts, Covivio has set up a management tool called “CRM” (Client Relationship Management).

As an internal or external “contact”, in the broader sense, of our Group (Covivio SA and its subsidiaries abroad and in France, and specifically the companies Wellio and Covivio Hotels), we process your personal Data using softwares programs developed by Sales Force and/or Lyyti, which acts in their capacity of processors of your personal data.

Because this processing is based upon your consent, you may at any time request that the Data contained in the aforementioned tool be anonymized (dpo@covivio.fr).

The Personal Data that may potentially be processed is as follows:

Such Personal Data consists of:

• name(s) and surname(s);
• marital status;
• business address and/or personal address;
• business and/or personal telephone number;
• business and/or personal email address;
• Position;
• Job category;
• industry or business sector;
• type of relationship that you maintain with Covivio (customer, lessee, vendor, board member, shareholder, prospect, employee, other) or that of your company or business;
• your wishes regarding invitations to events organized by Covivio;
• data relating to meetings you have held with our employees or events organized by our Group in which you have participated;
• your possible affiliation with an association or other business or industry association and any information of a strictly business nature regarding the relationship that you maintain with our Group.

Generally, such Data has been collected from you directly, or is public information.

Your personal data is processed to:

• ensure effective and targeted communications between, on the one hand, Covivio Group employees, and on the other hand, your company or business;
• optimize internal management of group contacts within our teams.

Such Data is for the sole and exclusive use of the Covivio Group.

The recipients of such data are:

• the authorized employees of Covivio and its subsidiaries in France and abroad (the Covivio Group);
• in the applicable instances, certain authorized employees of our service providers acting in their capacity of processors of the Data on behalf of Covivio.

Your data may potentially be transmitted outside the European Union in accordance with terms and procedures that comply with applicable regulations (establishment of the appropriate guarantees and protections, and specifically the Biding Corporate Rules (BCR) and Standard Contractual Clauses (CCT)).

It will not in any case be the subject of commercial transactions with third parties.

Policy on the retention of your Personal Data in CRM:

• using our tool, we anonymize your Data within a maximum period of fifteen (15) days following your request;
• we conduct annual campaigns to make your Data reliable.

C. You are a shareholder in a Covivio Group company (or you represent a shareholder)

As an issuer, we have occasion to collect certain Personal Data from our individual shareholders (natural persons or representatives of legal persons).

The purpose of our processing of your Data is to:

• transmit and communicate to you all the documentation to which you – or the company that you represent – are entitled, or the documentation that you request in your capacity as a shareholder;
• meet our legal and regulatory requirements;
• track and monitor the composition of our shareholder structure.

Such Data consists of:

• your surnames (given names or surnames normally used) and names;
• Date and place of birth;
• business and/or personal telephone number;
• business and/or personal mailing address;
• business and/or personal electronic mail address;
• country of residence;
• your holding in Covivio’s capital (number of shares, ownership regime, any possible pledging or any other security granted, date the shareholder account was opened, internal identification numbers, etc.);
• if applicable, your status as a Group employee and the entity that employs you.

3. Who are the recipients of your Personal Data? 

They are as follows:

• authorized Covivio Group personnel who require access to your Data pursuant to their work assignments and who are authorized to process the Data for the aforementioned purposes;
• duly authorized service providers, and in particular:
  • service providers that participate in the management of our relationship with you, especially for the purposes of communication and transmission of documents
  • service providers responsible for analyzing our shareholder structure and the management of vote solicitation campaigns pursuant to our General Meetings

Covivio ensures that they observe a security and confidentiality policy that complies with regulations, including the laws and regulations of the European Union and the European Economic Area, and their member states, applying to the processing of personal Data.

Your data may potentially be transmitted outside the European Union in accordance with terms and procedures that comply with applicable regulations (establishment of the appropriate guarantees and protections, and specifically the Biding Corporate Rules (BCR) and Standard Contractual Clauses (CCT));

• in the applicable circumstance and at their request, competent governmental or judicial authorities.

In no case shall your Personal Data be the subject of commercial transactions with third parties.

4. How long is the Data retained? 

Your Personal Data shall not be retained in a form that makes it possible to identify you, beyond the period of time necessary for the purposes for which the Data is processed, in compliance with our contractual, legal and regulatory obligations and requirements. For any and all information, we suggest that you contact our DPO (dpo@covivio.fr).

5.What are your rights? 

Under the terms and conditions established by Personal Data protection regulations and specifically the GDPR, you can at any time request additional information regarding the processing of your Personal Data.

You have:

• a right to access your Data in order to determine the Data pertaining to you that we are processing;
• a right of correction specifically for the purpose of correcting any inaccuracy or incomplete Data;
• the right to request the portability of your Data so that you may receive your Data in a structured format that is commonly used and machine readable, or so that you may request that we transmit your Data directly to a third party of your choice, when that is legally and technically possible;
• the right to request the deletion of the Data regarding yourself or request a restriction of the processing of that Data when a reason justifies our temporarily suspending processing of your Data;
• the right to oppose our processing of the aforementioned Data for a legitimate reason with respect to your particular situation.
• when the legal basis of the processing is your consent, you have the right to withdraw your consent at any time.
• the right to make known your instructions regarding the retention, deletion, and communication of your Data after your death;
• you have the ability to file a complaint with a regulatory authority.

For the purposes of any complaint, we request that you contact the DPO at the following address: dpo@covivio.fr.

If you exercise any of the aforementioned rights, Covivio shall request from you a certain amount of information so that it can process and handle your request and protect you against any fraudulent request originating from a third party (and specifically a copy of a legally recognized form of identification).

6. Ensuring the security of your data is important to us

Covivio makes an effort to implement the technical and organizational measures necessary for the safety of your Data, for the purposes of protection against any intentional or unintentional manipulation, loss, destruction, or unauthorized access.

In particular, we make the prevention of cyber threats one of our priorities. Covivio Group employees are subject to authorizations to access your data that are strictly regulated and differentiated as a function of their assigned authorities and work assignments, and they are bound by confidentiality clauses, just like our external service providers, processors and subcontractors.

7. Changes in our processing policy

This policy reflects our current standards, which may be subject to change.

Any change shall enter into effect as of the publication of the most recent updated version of this policy.

B. Specific Policy – Cookies

The purpose of the following information is to present to you the precise terms and procedures for the processing of your Personal Data that is collected at the Internet site https://www.covivio.eu/fr (referred to hereinafter as the “Site”).

No personal Data, other than certain cookies, is collected via the Site. Information regarding the installation of cookies is presented below.

Covivio undertakes to ensure that the collection and processing of cookies, conducted from the Site, complies with the General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).

Your refusal or consent to the deposit of unnecessary cookies, advertising and marketing cookies is valid for 6 months. We use cookies from the GDPR Cookie Consent plugin to store user consent. These expire every 6 months, so the choice “Accept” or ” Refuse” will be asked again at the same period. 

The collection of consent for the deposit of necessary cookies, analysis and performance cookies is not required.

The specificities of each category of cookies are indicated below.

1 – About cookies

At the time you access our Site, cookies are installed on your computer, your mobile phone, or your tablet. We use various cookies on the aforementioned site for the purpose of measuring traffic on the Site.

2 – Definition of a Cookie

A cookie is a text file installed on your computer, your mobile phone, or your tablet, specifically at the time you visit an Internet site. It makes it possible to retain user data in order to facilitate browsing and enable certain features and functionalities. Cookies are managed by your Internet browser.

3 – Find out more about cookies and the means for opposing them

4 types of cookie are installed on the Site:

Internal cookies necessary for the site to function

These cookies are necessary for the proper functioning of our Website. This category includes only cookies that ensure and provide the basic features and functionalities of the aforementioned site.

You can oppose those cookies and delete them using your browser parameters, however, there is the risk that your user experience and your security will be degraded.

COOKIE	DURATION	DESCRIPTION
cookielawinfo-checkbox-analytics	6 months	This cookie is set by the “GDPR Cookie Consent” plugin. It is used to record the installation of cookies in the “Analysis and Performance” category.
cookielawinfo-checkbox-necessary	6 months	This cookie is set by the “GDPR Cookie Consent” plugin. It is used to record the installation of cookies in the “Necessary” category.
cookielawinfo-checkbox-non-necessary	6 months	This cookie is defined by the plugin “GDPR Cookie Consent”. It is used to store the user’s consent for cookies in the “Non-Necessary” category.
cookielawinfo-checkbox-third-party	6 months	This cookie is defined by the plugin “GDPR Cookie Consent”. It is used to store the user’s consent for cookies in the “Advertising Content” category.
idsession	6 months	Cookie that makes it possible to create a session identification number.
PHPSESSID		This cookie is native to PHP applications. The cookie is used to store and identify a users’ unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	6 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Non-Necessary Cookies

• Parameterize your browser to request your consent before installing a cookie. You have the ability to accept or refuse them one by one or refuse them all;

COOKIE	DURATION	DESCRIPTION
lang		This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
li_sugr	3 months	LinkedIn.com cookie. Used to find a probability match with a user’s identity outside of designated countries. For more information: https://fr.linkedin.com/legal/cookie-policy
lissc	11 months*	LinkedIn.com cookie. Used to verify that there is a correct SameSite attribute for all cookies in this browser. For more information: https://fr.linkedin.com/legal/cookie-policy The period of validity of these cookies is 11 months, but the user must choose every 6 months whether they wish to “Accept” or “Refuse” their installation.
test_cookie	11 months*	This cookie is defined by DoubleClick (which belongs to Google) for the purpose of determining whether the Website visitor’s browser supports cookies. For more information: https://policies.google.com/privacy The period of validity of these cookies is 11 months, but the user must choose every 6 months whether they wish to “Accept” or “Refuse” their installation.
u	3 months	Linkedin /adsymptotic.com cookie. This cookie is a browser identifier for users outside of the designated countries.  For more information:  https://fr.linkedin.com/legal/cookie-policy

Analysis and Performance Cookies

These cookies allow us to perform audience measurement and performance statistics by analyzing the volume and source of traffic to our site. These cookies also allow us to anonymously analyze the behavior of visitors to our Site in order to measure and improve the performance of our Site and our online campaigns. The collection of your consent is not required, we use an audience analysis software configured according to the recommendations of the CNIL to benefit from the exemption of consent.

COOKIE	DURATION	DESCRIPTION
_pk_id	13 months*	This cookie is set by the web analysis tool Matomo.  The _pk_id cookie is used to store a few details about the user such as the unique visitor ID.  For more information: https://matomo.org/faq/general/faq_146/
_pk_ses	30 minutes	This cookie is set by the web analysis tool Matomo.  The _pk_ses, _pk_cvar, _pk_hsr short lived cookies used to temporarily store data for the visit.  For more information: https://matomo.org/faq/general/faq_146/

Advertising Content

These cookies enable us to display our advertising campaigns on third party sites and social networks following your visit to our Internet site. If you do not accept these cookies, you will not be able to have access to this personalized advertising on these third-party sites. 

The Site employs certain services provided by third party sites.

They are as follows:

• Social networks (LinkedIn, Twitter, etc.)
• Search engines (Google)
• Disseminating videos (YouTube; Vimeo)

COOKIE	DURATION	DESCRIPTION
bcookie	2 years*	This cookie is defined by LinkedIn. The purpose of this cookie is to activate LinkedIn functionalities on the page.  For more information: https://fr.linkedin.com/legal/cookie-policy   The period of validity of these cookies is 2 years but the user must choose every 6 months whether they wish to “Accept” or “Refuse” their installation.
bscookie	2 years*	This cookie is a browser ID cookie set by Linked share Buttons and ad tags. The period of validity of these cookies is 2 years but the user must choose every 6 months whether they wish to “Accept” or “Refuse” their installation.
GPS	30 minutes	This cookie, which is defined by YouTube, records a unique identifier for the purpose of monitoring and following users as a function of their geographic situation.  For more information: https://policies.google.com/privacy?hl=fr&gl=fr
IDE	2 years*	Utilized by Google DoubleClick and stores information regarding the way the user utilizes the Website and any other advertising before visiting the Website. This cookie is used to present to users advertising that is relevant to them as a function of their user profiles.  For more information: https://policies.google.com/privacy  The period of validity of these cookies is 2 years but the user must choose every 6 months whether they wish to “Accept” or “Refuse” their installation.
lidc	1 day	This cookie is defined by twitter.com. It is used to integrate the sharing functionalities of such social media. It also stores information regarding the way that the user utilizes the website, for monitoring and targeting purposes.  For more information:   https://help.twitter.com/fr/rules-and-policies/twitter-cookies
personalization_id	2 years*	This LinkedIn cookie is used to follow visitors on various websites, for the purpose of presenting advertising that is relevant according to visitor preferences.  For more information:   https://fr.linkedin.com/legal/cookie-policy   The period of validity of these cookies is 2 years but the user must choose every 6 months whether they wish to “Accept” or “Refuse” their installation.
UserMatchHistory	4 weeks	This cookie is defined by YouTube and used to follow and monitor information on the YouTube videos incorporated into a website.  For more information:   https://policies.google.com/privacy?hl=fr&gl=fr
VISITOR_INFO1_LIVE	5 months	This cookie is defined by YouTube and used to follow and monitor information on the YouTube videos incorporated into a website. For more information:  https://policies.google.com/privacy?hl=fr&gl=fr
vuid	2 years*	This cookie is defined by Vimeo and is used to follow and monitor information on Vimeo videos incorporated into a website.  For more information: https://vimeo.com/cookie_policy  The period of validity of these cookies is 2 years but the user must choose every 6 months whether they wish to “Accept” or “Refuse” their installation.
YSC	Session	These cookies are defined by YouTube and are used to follow and monitor views of integrated videos.  For more information: https://policies.google.com/privacy?hl=fr&gl=fr

Means for opposing the installation of cookies

When you first visit our Site, a banner informs you of the presence of these cookies and invites you to indicate your choice for unnecessary cookies as well as for advertising and marketing cookies. They are deposited only if you accept them. Your refusal or your consent to the deposit of cookies will be valid for a period of 6 months.

You can at any time inform us and parameterize your cookies so as to either accept them or refuse them, by going to the Cookies Management page in the bottom left of the footer of every page of the Site: 

To managed installed cookies, you can also:

• Parameterize your browser to block or even delete the cookies installed by our Site;
• Parameterize your browser to request your consent before installing a cookie. You have the ability to accept or refuse them one by one or refuse them all;
• Decide to delete a previously installed cookie by modifying the parameters of your Internet browser.