Processing of personal data in the context of the Contract

The Parties undertake, each insofar as it is concerned, to comply with the obligations and requirements of Act No. 78-17 of January 6, 1978 on Data Processing, Data Files and Individual Liberties, as amended, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (the General Data Protection Regulation, or "GDPR"), as well as any legislation or regulations on the protection of personal data applicable to processing carried out under the Contract.

Each Party shall at least implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in particular those provided for in Article 32 of the GDPR. These measures include those likely to reasonably limit the risk of a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of personal data or unauthorized access to such data. If the Service Provider is located outside the European Economic Area, it must have Binding Corporate Rules (or "BCR") approved by the European Union or have signed standard contractual clauses approved by the European Commission with the Customer.

The Parties acknowledge that they must determine their respective roles, responsibilities and obligations in accordance with current regulations. In the event that the purpose of the Service involves one of the Parties processing personal data on behalf of, on the instructions of and under the authority of the other Party, the Parties will enter into a legal act governing the relationship between controller and processor, in accordance with Article 28 of the GDPR.

Each Party, as separate data controller, may collect and process personal data relating to the other Party's employees, agents and suppliers for the purposes of entering into, performing and monitoring the Contract. The Parties have agreed that each of them undertakes to inform its employees, agents and suppliers in advance of the characteristics of the aforementioned processing. To enable it to fulfil this obligation, the Customer provides the Service Provider with the information set out in paragraphs 1 to 5 below. For its part, the Service Provider undertakes to provide the Customer with a statement to the same effect no later than one month after the Contract comes into force.

1.- Purpose and legal basis

- The Customer processes, on the basis of the performance of the contract to which the Service Provider is a party or of pre-contractual measures taken at its request (Article 6.1.c of the GDPR), the data of employees and representatives of the Service Provider for the management and monitoring of invitations to tender, for the purposes of monitoring and proving the performance of the services, supplies of goods and materials and works that are the subject of the Service, for contract management (issue of quotations, management of invoicing, management of the contract library...), and more generally for the needs of commercial relations (updating of the supplier database, evaluation of the quality of services, monitoring of the vigilance plan and CSR commitments, etc.), as well as, where applicable, for the management of claims and debt recovery.

- The Customer processes, on the basis of legitimate interest (Article 6.1.f of the GDPR), the Service Provider's personal data required to monitor the commercial relationship, by means of an enterprise resource planning (ERP) package and a customer relationship management (CRM) package.

- The Customer processes, on the basis of the legal obligations applicable to it (Article 6.1.c of the GDPR), the personal data required to fulfil its accounting and tax obligations. The Customer is also likely to process the personal data of the Service Provider's employees or its representatives as part of the prevention of corruption, as well as for the purposes of preserving evidence in the event of any litigation or claim.

2.- Categories of personal data processed

- For the above-mentioned purposes, the Customer processes the following categories of personal data: identification data, job title, professional contact details, and data produced in connection with the Service (e.g. billing data, payment data). In the context of anti-corruption activities, certain data relating to the Service Provider's corporate officers may be processed by the Customer, such as postal address, and any publicly known offences and convictions.

- Personal data is processed on paper or electronically in accordance with the principles of lawfulness, minimization, updating and transparency, and according to technical procedures designed to ensure its security and confidentiality.

3.- Recipients

- The data processed is intended for the duly authorized internal departments of the Customer and other Engie companies in French Polynesia.

- Data transfers outside the European Union are carried out on the basis of one of the guarantees set out in Chapter V of the GDPR. In particular, the Customer ensures that transfers are only made to countries guaranteeing an adequate level of data protection, or failing that, those benefiting from an adequacy decision from the Commission, or, where applicable, that adequate safeguards are in place.

- Finally, the Service Provider's data may be transmitted to authorized third parties, subject to a duly reasoned request or a legal obligation (e.g. competent authorities, regulated professions, etc.).

4.- Retention period

- Processed personal data is kept for no longer than is necessary to achieve the purposes for which it is processed.

- The criteria used to determine the data retention period take into account applicable accounting and tax regulations, the statute of limitations on rights and the legitimate interests of the Customer, where these form the legal basis for the processing. In particular, in the case of data processing for commercial purposes, the Customer shall ensure that data is used for the duration of the contractual relationship, plus 3 years after the end of the relationship.

- At the end of these periods, the data is deleted or anonymized.

5.- Individual rights

- All individuals whose personal data is collected have the right to access, rectify and delete their data, to restrict its processing and to withdraw their consent, where applicable, as well as the right to the portability of their personal data, in accordance with current regulations. They also have the right to object to the processing of their personal data for reasons relating to their particular situation and, in accordance with article 85 of the French Data Protection Act, the right to define general and specific directives defining the way in which they intend these rights to be exercised after their death.

- To exercise these rights, the person whose data is collected must send a request, accompanied by proof of identity, to the following address: ELECTRICITE DE TAHITI - BP 8021 - 98702 FAA'A, or by e-mail to "rgpd.edt.pf@edt.engie.com". In the case of commercial e-mails, the unsubscribe mechanism at the bottom of the e-mail may also be used. Finally, the person concerned may lodge a complaint with the competent supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL).