Data and Content Protection Charter

In the context of the Processing of Personal Data carried out as part of its business activities, Vivendi undertakes to comply with the applicable provisions regarding the protection of personal data, in particular those of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”) and of the French Law no. 78-17 of January 6, 1978 relating to data processing, data files, and individual liberties, as amended (the “Data Processing and Liberties Law”).

Pursuant to Article 13 of the GDPR, the objective of this notice is to provide Data Subjects with information about how Vivendi SE (“Vivendi”) uses and processes their Personal Data in the context of their browsing on its website (the “Site”) and the use of the services provided therein.

Capitalized terms used in this notice, whether in singular or plural form, shall have the meaning given to them by article 4 of the GDPR.

1. Who is the Data Controller?

Vivendi is the Data Controller for the personal data of any user who browses the Site and uses its services.

Vivendi’s identity and contact details are specified in the “Legal Notice” section of the Site, accessible via the following link vivendi.com/en/footer/legal-notices/.

2. Which Personal Data are collected?

Vivendi collects the following Personal Data in order to manage the Site and enable Internet users to browse it and use its services:

IP address and technical data (such as operating system version, browser type and whether or not a proxy is used);
information related to the Data Subject’s browsing on the Site (such as date and time of access, pages visited, and hypertext links used to access to the Site);
information related to the consent given by the Data Subject regarding the placement and reading of cookies or other trackers, in particular those operated by third parties;
information about the Data Subject in the event of their application to a job offer published via the website of Vivendi’s recruitment partners;
the e-mail address of the Data Subject in the event that the latter sends an e-mail to the contact e-mail addresses provided on the Site, as well as any other information that the Data Subject may send to Vivendi in this context; and
data relating to the identification of the Data Subject in connection with his or her registration to the Vivendi Shareholders’ Club via the membership form accessible on the Site.

3. For what purposes and on what legal bases are the Personal Data collected and processed?

Vivendi relies on different legal bases to carry out the aforementioned Processing:

the consent of the Data Subject to:
- manage and process any request, query, question and/or complaint sent by e-mail to the contact addresses provided on the Site;
- process an application for a job posted on one of its recruiters’ websites;
- store and use data from cookies or other trackers that are not strictly necessary for the operation and use of the Site (particularly in the case of third-party cookies); and
- become a member of the Vivendi Shareholders’ Club, and, in particular, to receive documentation prepared by Vivendi and to attend events organized by it.
its legitimate interests to:
- develop, maintain and improve the Site;
- store and use data from cookies or other trackers not subject to consent and necessary for the operation and use of the Site;
- measure the audience and compile statistics on visits to the Site;
- detect, in a preventive way, security incidents and fraudulent activities on the Site; and
- defend its rights and interests.

4. Who has access to the Personal Data collected?

The Personal Data collected by Vivendi is processed by a limited number of persons authorized to access it on the basis of their missions and pursuant to the purposes pursued:

any appropriate member of Vivendi’s Communications Department (e.g., in the case of an e-mail sent to the contact addresses provided on the Site);
any appropriate member of Vivendi’s Human Resources Department (e.g., in the case of applications submitted via hypertext links to recruiters’ websites published on the Site);
any appropriate member of Vivendi’s Finance Department (e.g., in the case of an e-mail sent to the contact addresses provided on the Site);
any appropriate member of Vivendi’s Information Systems Department (e.g., for Site maintenance);
Vivendi’s subcontractors and service providers, particularly for technical reasons (such as hosting, security and Site maintenance service providers, fraud management service providers, technical service providers in charge of sending e-mails and newsletters and anti-spam and anti-robot service providers); and
any authority, jurisdiction or third-party where such disclosure is required by law, regulation or court order, or where such disclosure is necessary to ensure the protection and/or defense of Vivendi’s rights.

5. How long is Personal Data retained?

Personal data is kept for no longer than is necessary for the purposes for which the data are processed, especially:

For any request, query, question and/or complaint: For the time required for the data to be processed by the appropriate Vivendi teams. At the end of this period, the Personal Data will be destroyed, unless Vivendi is obliged to keep them in order to fulfill its legal obligations or to defend its rights, in which case they will be archived for the legal period (e.g., statute of limitations).
For any job applications: For the time required to analyze and process them. Should the candidate be selected, the data related to their application will then be deleted, except for certain data which may be retained for a period of five (5) years, on a probationary basis. Should the candidate not be selected, Vivendi will keep their data for the time necessary to inform them of the decision, and will ask for their agreement to keep their file for a specific period in order to contact them again should new opportunities arise, or to add to its database of candidates;
For cookies or other trackers placed by Vivendi and strictly necessary for browsing and using the Site: The data collected through the cookies is retained for six (6) months;
For membership in the Shareholders’ Club: The information collected via the membership application form accessible on the Site is kept for the duration of the Data Subject’s membership in the Shareholders’ Club. Once membership has expired, the information concerning the Data Subject will be archived for five (5) years before being deleted; and
For log files: The information collected (such as IP address, connection time and date and browsing system) is retained for six (6) months.

6. What rights do Data Subjects have?

Every Data Subject has the following rights, which they can exercise at any time, within the limits set by applicable regulations and legislation:

the right to access their Personal Data;
the right to rectify their Personal Data;
the right to erase their Personal Data;
the right to limit the processing of their Personal Data;
the right to portability of their Personal Data;
the right to object to the processing of their Personal Data;
the right to withdraw their consent to the Processing of their Personal Data when the Processing is based on the consent of the Data Subject; and
the right to set out instructions on what to do with their Personal Data after their death.

7. Contact

For any questions and/or clarifications concerning this notice and the way in which Vivendi processes your Personal Data, or if you wish to exercise your rights, please contact our Data Protection Officer by email at: privacy@vivendi.com.

In order to respond to your request, you may be asked to provide proof of identity and additional information.

In any event, you can contact the National Commission for Information Technology and Civil Liberties (“CNIL”) – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, Tel: 01 53 73 22 22, www.cnil.fr