Protection of Privacy and Personal Data

Michelin is convinced that the protection of personal data is critical to inspire confidence in its relations with all of its stakeholders. The Group undertakes to collect and process only the data necessary for its activities.


Definition and Context

Personal data is information that directly or indirectly identifies a natural person.

This includes for example:

  • for the direct identification of a person, a photo or information on the person's civil status (last name, first name, etc.).
  • for indirect identification: a unique identification number (license plate, Michelin identifier, mobile phone number, etc.) or a combination of information (sex, age, profession, city of residence, etc.).

All this personal information must be protected.

The number of regulations to protect privacy and personal data has increased dramatically worldwide in recent years. In many countries, failure to comply with these regulations is now punishable by very significant financial sanctions (often reported in the press) and even criminal sanctions.

Guiding Principles

The personal data of employees, customers, suppliers, shareholders, partners or subcontractors must be processed in accordance with laws and regulations, as well as with applicable Group directives on the protection of personal data.

The Group undertakes to collect and process only the data necessary for its activities.

No personal data should be communicated to third parties, unless this is necessary and permitted by law.

Michelin is also convinced that data protection is a major competitive asset and a vehicle for trust in relations with all its stakeholders.

The protection of personal data can only be ensured with the help of everyone.

 

Do: I must

  • Collect and handle only personal data that is necessary for the objective pursued, and make sure that this objective is legitimate and clearly defined.
  • Ensure that the collection and use of personal data complies with the information provided to the persons concerned; if required, I make sure that I obtain the consent of the person to collect and use the data.
  • In free comment fields, only fill in comments that are relevant, adequate and not excessive; ask myself if I would be comfortable sharing this comment with the person who is the subject of it.
  • Destroy or correct inaccurate or incomplete data and respect the rights of individuals over their data.
  • Transmit personal data only to authorized internal recipients who have a legitimate need to know about it.
  • Transmit personal data externally only in the event of a legal obligation or to companies that have entered into an agreement with the Group.
  • Read and comply with all of the commitments applicable within the Group in the event of authorized access to data from other countries or international transfers; these documents are accessible on the intranet (for example, the Binding Corporate Rules (BCR)).
  • Ensure the security and confidentiality of personal data (for example, for document transmissions, by complying with Group security rules regarding file encryption).
  • Inform the Michelin CERT (Computer Emergency Response Team - team in charge of managing IT security incidents) in accordance with the procedure applicable in the event of a data breach (loss of data, unauthorized access, unauthorized publication, etc.).
  • Participate in regular training if the functions I hold require handling of personal data. Know the framework applicable to my activity.

Don't: I must not

  • Collect personal data without the knowledge of the data subject.
  • Collect so-called "sensitive" information (state of health, sexual preference, political opinions, religious convictions, racial or ethnic origin) without the consent of the person, unless the law requires it.
  • Give access to personal data to a person located in another country, without having consulted the Legal Department.
  • Keep personal data longer than necessary for the purpose pursued.

Practical case 1

You are part of a sales team and you would like to create close relationships with your customers. You would like to enter some details related to their private lives in the Group's customer relationship management tool. Your replacement could thus have access to this information in your absence. Is this practice allowed?

No. You can only collect factual information related to the professional sphere. In addition, the collection of certain sensitive information (state of health, religion, etc.) is strictly prohibited. Remember that your customer can request access to their personal data.

Practical case 2

A colleague had an accident at work. You wish to provide feedback to all industrial sites. You provide the following information: Ronan A., Monitor, Vannes site, as well as the details of his injuries and the context of his accident. You mention only your colleague's first name. Do you comply with the regulations?

You should ask yourself the following questions.

1.  Are you pursuing a legitimate objective?

Yes. It is about improving the safety of employees through this feedback.

2.  Is it essential to transmit all this information?

No. The site, the position and the first name are not useful for reporting on this accident.

To "anonymize" personal data, you must always ask yourself: can I identify this person with the information provided? In this case, by giving the first name, function and industrial site, you give enough information that the person could be identified.

 

Whom to contact?

  • Your Manager
  • The Legal Department
  • Your Local Privacy Manager
  • The Group Data Protection Officer: privacy.fr@michelin.com