Listed on Euronext Paris, the Vivendi group has remained a major player in the content, media and entertainment industries since the completion of its spin-off transaction in December 2024. It draws on a unique portfolio of listed and unlisted assets in leading groups operating in these sectors, which are enjoying strong structural growth, driven by growing demand for content and technological changes linked to digital and artificial intelligence (“AI”).

Over the years, the products and services provided by the group have become highly digitized, with the use of new technologies and AI enabling them to be better personalized and adapted to the needs, lifestyles, preferences and habits of users and customers.

In this context, the protection of personal data is a major issue for the Vivendi group, and more particularly for Gameloft, which has made this subject a core concern, including as a specific element of its compliance program.

By way of introduction, it is important to emphasize that the Vivendi group is committed to complying with the applicable provisions on the protection of personal data, in particular those of Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The Vivendi group also takes great care to ensure that its business partners, suppliers, service providers and any other person with whom it works or collaborates respect these same values and principles relating to the protection of personal data.

Purpose of the Charter

Aware of the importance of protecting personal data and in the interests of transparency, Vivendi SE (“Vivendi”) drew up a Personal Data Protection Charter in 2008 (the “Charter”), which is regularly updated and available on its website (the “Site”).

To obtain more detailed information about a particular Processing, you should consult the personal data protection policy applicable to the Processing in question or contact us at the address given in the “Contact” section below. For any information concerning Processing carried out by one of the group’s companies, please contact the concerned entity directly.

Notice

This Charter may be updated at any time. Any modification, addition, or deletion will take effect immediately upon its publication on the Site. Therefore, we encourage you to consult this Charter regularly to stay informed about the most recent applicable version.

In addition, the Site may contain links to websites published by Vivendi group’s companies or third parties, which are governed by their own privacy policies. This Charter does not apply to these sites and the relating Processing. We recommend that you review the corresponding privacy policies to understand how your personal data is processed. Vivendi disclaims any responsibility for the use of your Personal Data on these sites.

Capitalized terms used in this Charter, whether in singular or plural form, shall, unless otherwise expressly defined in this Charter, have the meaning given to them by Article 4 of the GDPR.

Legal status

In principle, Vivendi acts as a Data Controller regarding any Processing taking place within the scope of its activity and for which Vivendi determines the purposes and means. For example, Vivendi is the Data Controller for the processing of Personal Data of its employees in the context of its human resources management. Vivendi is also the Data Controller for the processing of Personal Data of any internet user who browses the Site (excluding links to third-party sites).

General principles

To provide certain services and/or products, Vivendi needs to obtain certain Personal Data. If the Data Subject does not wish to share his/her Personal Data, Vivendi will not be able to provide them with such services and/or products.

In general, when carrying out Processing operations, Vivendi strives to:

  • process Personal Data in a manner that is lawful, fair and transparent with respect to the Data Subject;
  • collect only Personal Data that is adequate, relevant and limited to what is necessary for the purposes for which it is to be used; and
  • ensure that Personal Data is accurate and, if necessary, keep it up to date by deleting and/or rectifying it.

In addition, Vivendi only collects Personal Data for specific, explicit and legitimate purposes and undertakes not to subsequently process it in a manner incompatible with the purposes for which it was initially collected.

If Vivendi is required to process Personal Data for purposes other than those for which it was originally collected, it will immediately inform the Data Subject and take any necessary preliminary steps (e.g., prior notification to the Economic and Social Council).

As a general rule, Vivendi endeavors to communicate the Personal Data it collects to only those who are authorized to access and process it based on their role/function, and strictly within the limits necessary for the purpose pursued by the relevant Processing.

Finally, Personal Data is never transferred to third parties without the prior express consent of the Data Subject.

Categories of Personal Data collected

The nature of the Personal Data Vivendi collects varies depending on the intended purposes and the services and/or products it provides. Such Personal Data may notably include:

  • data relating to identity: last name, first name, gender, e-mail and postal address, date and place of birth, photograph, etc.;
  • data relating to professional life: resume, diplomas, training, position, employer, work location, professional e-mail address, etc.;
  • financial data: income, bank details, etc.; and
  • connection data: IP address, user ID, etc.

In principle, Vivendi does not collect any Personal Data falling into “special categories”, as defined by Article 9 of the GDPR, except in cases where legislation and/or regulations require it to do so, particularly in relation to the collection and processing of its employees’ social security numbers for the purposes of preparing their pay slips and complying with applicable legal obligations.

Legal basis for the Processing

In accordance with Article 6 of the GDPR, Vivendi only collects Personal Data if it has a legal basis for doing so.

Depending on the specific Processing involved, Personal Data is collected and processed by Vivendi based on:

  • the Data Subject’s consent (e.g., when Vivendi responds to a request made to it by a Data Subject through the Site); and/ or
  • a contract to which the Data Subject is a party (e.g., for the performance of the Data Subject’s employment contract); and/or
  • a legal obligation to which Vivendi is subject (e.g., to comply with its accounting obligations or to provide its external and internal collaborators with a whistleblowing system); and/or
  • Vivendi’s pursuit of its legitimate interests (e.g., installation of video surveillance cameras on Vivendi’s premises or cybersurveillance of the Site).

Recipients of the Personal Data

Depending on the Processing concerned, Vivendi may be required to share the Personal Data it has collected, notably to the following categories of recipients:

  • any of Vivendi’s internal departments and/or any entity of the group;
  • its business partners;
  • its service providers and subcontractors;
  • any lawyers, court officers and ministerial officials;
  • any administrative or judicial authorities; and
  • its external or internal auditors.

Transfers outside the European Economic Area

Vivendi endeavors, as much as possible, to process Personal Data within the European Economic Area (“EEA”). However, in the course of its operations, Vivendi is sometimes obliged to recourse to service providers, partners, or subsidiaries located outside of the EEA.

In such cases, and if no decision by the European Commission provides that the country or territory to which the transfer is contemplated ensures an adequate level of protection (“adequation decision”), any transfer of Personal Data outside of the EEA automatically involves the implementation of appropriate safeguards in accordance with the applicable legislations and regulations applicable to the protection of Personal Data. In particular, Vivendi systematically enters into a written contract governing its relationship with the service provider, partner, or subsidiary located outside the EEA, specifying the qualification of the parties, as well as their reciprocal obligations and responsibilities. Vivendi also attaches to such a contract the standard contractual clauses validated by the European Commission (“SCCs”) and verifies, through audits or ad hoc questionnaires, that the importer of Personal Data has implemented any complementary and technical, legal, and organizational measures to ensure an appropriate protection of security and confidentiality of the Personal Data concerned.

Retention period

Vivendi retains Personal Data only for as long as is strictly necessary for the purpose(s) for which it was collected.

Once this retention period has expired and before the final and definitive deletion of the Personal Data, Vivendi will, for certain Processing operations, archive the Personal Data for a specified and limited period (e.g., the legal statute of limitations for any action that may be brought, in order to be able to defend its rights), in accordance with the applicable legislations.

Security measures

Vivendi implements all the appropriate technical and organizational measures necessary to ensure the security and confidentiality of the Personal Data it processes as part of its business activities, in accordance with the applicable legislations and regulations.

Vivendi also requires its service providers, partners, and subcontractors to whom it communicates Personal Data to provide, at least, the same appropriate guarantees and implement sufficient security measures to protect the Personal Data shared with them. Vivendi ensures that these obligations are met by means of written contracts.

Contact

For any questions and/or clarifications regarding this Charter and the way in which Vivendi processes Personal Data, or if you wish to exercise your rights, you can contact our Data Protection Officer by email at the following address: privacy@vivendi.com.

In order to respond to your request, we may ask you to provide proof of identity as well as some additional information.

In any event, you can contact the National Commission for Information Technology and Liberties – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, Tel.: 01 53 73 22 22, www.cnil.fr.