Processing of personal data in the context of the Contract


The Parties undertake, each insofar as it is concerned, to comply with the obligations and requirements of Personal Data Protection Laws designated by Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (hereafter the "GDPR") as well as any legislation or regulations relating to the protection of personal data applicable to the processing carried out under the Contract (together the "Data Protection Regulations").

Each Party shall implement at least the appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those set out in Article 32 of the GDPR. These measures include those that reasonably limit the risk of a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data. If the Service Provider is located outside the European Economic Area, it must have European Union approved Binding Corporate Rules (or "BCR") or have signed European Commission approved Standard Contractual Clauses (or "SCC") with the Customer.

Each Party may communicate to the other Party the personal data of certain natural persons (signatories, referees, third parties, etc.) necessary for one or other of the purposes below. It undertakes to inform the said persons prior to this transmission to the other Party in accordance with the regulations in force, in particular Article 14 of the GDPR.

The Parties acknowledge that they shall determine their respective roles, responsibilities and obligations under the Data Protection Regulations. In the event that the purpose of the Service involves one of the Parties processing personal data on behalf of, on the instruction of, and under the authority of the other Party, the Parties shall enter into a legal act governing the relationship between controller and processor, in accordance with Article 28 of the GDPR.

Each Party, as a separate data controller, may collect and process personal data relating to the employees, agents and suppliers of the other Party for the purposes of entering into, performing and monitoring the Contract. The Parties have agreed that each of them undertakes to inform its employees, agents and suppliers of the characteristics of the aforementioned processing. In order to enable it to fulfill this obligation, the Customer shall provide the Service Provider with the information set out in paragraphs 1 to 5 below. For its part, the Service Provider undertakes to provide the Customer with a notice with the same purpose no later than one month after the Agreement comes into force.

1.- Purpose and legal basis

-  The Customer processes on the basis of Article 6.1.c of the GDPR, i.e. on the basis of the execution of a contract to which the Service Provider is a party, or of pre-contractual measures taken at its request, the data of the Service Provider's employees and representatives for the management and follow-up of calls for tenders, for the purposes of follow-up and proof of the execution of the services, supplies of goods and materials and works which are the object of the Service, contractual management (issue of quotations, management of invoicing, management of the contractual library, etc.), and more generally for the needs of the commercial relationship (maintenance of the supplier base, evaluation of the quality of services, monitoring of the vigilance plan and CSR commitments, etc.), as well as, if necessary, the management of claims and debt collection.

-  The Customer processes on the basis of legitimate interest (Article 6.1.f of the GDPR) the personal data of the Service Provider necessary for the follow-up of the commercial relationship, by means of an integrated management software package (ERP).

-  The Customer shall process on the basis of the legal obligations (Article 6.1.c of the GDPR) applicable to it the personal data necessary for the fulfilment of its accounting and tax obligations. The Customer may also process personal data of the Provider's employees or representatives for the purpose of preventing corruption and for the purpose of preserving evidence in the event of litigation or claims.

2.- Categories of personal data processed

​​​​​​- For the above-mentioned purposes, the Customer processes the following categories of personal data: identification data, job title, professional contact information, and data produced in the context of the Service (e.g. billing data, payment data). As part of the prevention and fight against corruption activities, certain data relating to the Provider's corporate officers may be processed by the Customer, such as postal address, possible offenses and publicly known convictions.

- Personal data are processed on paper or electronically in accordance with the principles of lawfulness, minimization, updating and transparency, and according to technical methods designed to ensure their security and confidentiality.

3.- Recipients

- The processed data are intended for the duly authorized internal services of the Customer and Engie companies in French Polynesia.

- Data transfers outside the European Union are carried out on the basis of one of the guarantees provided for in Chapter V of the GDPR. In particular, the Customer ensures that transfers are only made to countries that guarantee an adequate level of data protection, or failing that, those benefiting from an adequacy decision from the Commission, or, where applicable, that adequate safeguards are in place (for example, the European Commission's Standard Contractual Clauses of June 4, 2021).

- Finally, the Provider's data may be transmitted to authorized third parties, subject to a duly motivated request or a legal obligation (e.g.: competent administrations, regulated professions...).

4.- Retention periods

- The personal data processed are kept for a period of time not exceeding that necessary to achieve the purposes for which they are processed.

- The criteria for determining the data retention period take into account the applicable accounting and tax regulations, the statute of limitations for rights and the legitimate interests of the Customer when these constitute the legal basis for the processing. In particular, in the case of processing for commercial purposes, the Customer shall ensure that the data is used for the duration of the contractual relationship, plus 3 years after the end of the relationship.

- At the end of these periods, the data is deleted or anonymized.

5.- Rights of individuals

- Any individual whose data is collected (the "data subject") has, under the conditions provided for by the regulations in force, a right of access, rectification, deletion, limitation, withdrawal of consent when applicable, and portability of his or her personal data. He/she also has the right to object to the processing of his/her personal data for reasons related to his/her particular situation and, in accordance with Article 85 of the French Data Protection Act, the right to define general and specific directives defining the manner in which he/she intends these rights to be exercised after his/her death.

- To exercise these rights, the person concerned must send his or her request, accompanied by proof of identity, to the following address : ELECTRICITE DE TAHITI - BP 8021 - 98702 FAA'A, or by e-mail to the address "". In the case of commercial e-mails, the unsubscribe mechanism at the bottom of the e-mail can also be used. Finally, the person concerned may lodge a complaint with the competent supervisory authority.