Dear employees of Colas’ subsidiaries and affiliates in the United States: 

We are pleased to share with you Colas’ personal data protection policy relating to the HR-related personal data that Colas, the direct or indirect parent company of your employer, processes. 

This policy is presented in a question-and-answer format. 

It briefly describes the personal data relating to you in Colas’ possession and the uses that Colas makes of them. 

It also points out your specific rights in terms of personal data and explains how to exercise them. 


Preliminary notice:

Please note that your employer is the primary data processor of your HR and work-related personal data.

These processing activities and purposes are not part of, and are not included in, this privacy policy. This policy concerns only the processing activities undertaken by Colas as direct or indirect parent company of your employer.



 Who is in charge of processing my personal data? 


The company in charge of data processing activities described herein is: 

Colas SA 

1, Rue du Colonel Pierre Avia 

75015 Paris, France 

Company Number RCS 552 025 314 

Colas’ Chief Privacy Officer (CPO) is your point of contact for any questions regarding this document. 

You can send any queries to the Chief Privacy Officer (CPO) by email at: 

Please note that your employer is the primary data processor of your HR and work-related personal data and that these processing activities are not part of, and are not included in, this privacy policy, which concerns only the processing activities undertaken by your employer’s parent company.



Why do you need my personal data?     


We need these personal data: 

•    To communicate with you (through internal communications networks);

•    To offer you access to the various Colas Group tools and IT services. 

As you are employees of the Colas group, we provide you with a variety of technological solutions and computer platforms as well as, as the case may be, various terminals (such as computer and telephone systems). We need to process certain personal data to identify and authenticate you on these tools, to permit you to use them, and to manage them and provide user support services.

•    As per our legitimate interests and to meet our legal obligations as parent company and as a publicly listed company.



On what legal basis do you use my personal data?     


We use your data: 

These data are essential to us within the framework of your employment contract. In this context, we primarily use your data to manage, in particular: 

-    Your career;
-    Your remuneration and benefits;
-    Your earnings; 

To enable you to use various IT and digital tools; to authenticate yourself when logging in to use these tools.  

To meet our legal obligations and requirements as parent company and as a publicly listed company (NYSE Euronext Paris); 

As per our legitimate interests as parent company of the Colas group; we consider that the processing of your personal data does not cause a significant conflict with your rights and freedoms. 

The various uses we make of data are specified in the appendix.



How did you collect my data?     


We provide our subsidiaries with a common global HR IT system and tools as well as common unified IT devices, tools and software.

As such, the means by which we collect your data are the following: 

(i) The personal data you provide your employer with or that your employer collects during your employment. These data are electronically stored through Colas’ HR management tool in a single database located within the European Union. They are thus processed by Colas as data host.

(ii) We may also collect technical data relating to your use of the various IT tools and platforms (email services, Office 365 tools, HR software, etc.). These technical data are principally of the following kinds: IP addresses, cookies, logs, etc. 

(iii) We also collect personal data when and if you decide to use the Group’s mobility/relocation tools and framework. 


What categories of personal data do you collect about me? 


 We are in charge of hosting the HR related personal data collected by or via your employer and providing you with various IT tools and solutions.

We are thus processing the following categories of personal data: 

Marital status, identity, identification data (first name and family name, address, telephone numbers, photo, etc.), identity card, work permit and residence permit (if applicable); 
Personal life (family status, events giving entitlement to special leave days (civil partnership, etc.), number of children, etc.); 
Economic and financial information (salaries, employee savings plans, personalized tax rate, financial status, bank account details, etc.); 
Position, rank, seniority (awards, etc.); 
Professional life: diplomas, professional identification card for the construction industry, etc.; 
Login data (IP addresses, logins, bookmarks, cookies, etc.); 
Health data: this may relate to work accidents and absences from work (and/or any other situation related to a specific health situation affecting you or your family: maternity leave, etc.); 
Data relating to travel and reported expenses, including your passport data (if applicable); 
Your social security number; 
Company vehicle users: data relating to road traffic and regulations offenses in connection with the use of a company vehicle (if applicable) and driving license data; 
When organizing union elections and managing the activity of the company's Economic and Social Committee (ESC), to determine the union representativeness within the Group and the trade union affiliation of candidates and elected representatives in the ESC; 
If applicable, corporate directorships.



Do you use services providers (subcontractors) to process my personal data?     


Yes. To carry out their missions, our services providers need to access some data concerning you.

These services providers include (without limitation):

1. Colas’ IT subsidiary as well as third-party services providers (user support, maintenance, data storage, IT software editors, etc.).

a.  For employee savings plans, if applicable: Regard BTP, Interépargne (Natixis) and Amundi

b.  Bouygues SA manages programs open to Colas employees (employee savings plans, leveraged transactions for employees, stock options). In this context, C2S and Banque Transatlantique have access to some of your personal data as part of their assignments;

We use various data hosting and IT services providers such as Microsoft.



Do you transfer my personal data to other entities?     


Yes. We transmit some of your personal data to the following entities: 

Our IT services providers (including our IT subsidiary) and/or travel services agencies (as the case may be)

Training and continuing education institutions or organizations (as the case may be); 

Our insurers. 

We communicate only the data necessary for these entities to carry out their tasks.  We do not sell your personal data or use it for profit.  



Do you hold any sensitive data (1) about me?     


We do not directly collect sensitive data. However, if your employer is subject to legal obligations in that respect and required to process certain sensitive data, these data will be stored/hosted in our database (for example: the social security number, sick leave, accidents at work, trade union elections).


(1) Within the meaning of the Regulation, sensitive or special data are: 
- Personal data relating to the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union affiliation, genetic personal data, biometric data used for uniquely identifying a natural person, personal health data or personal data on the sex life or sexual orientation of a natural person; and 
- Personal data relating to criminal convictions and offenses.



Where are my personal data stored geographically?     


Your personal data are stored within the European Union. 



How long will you store my personal data?     


We store your data for the period(s) of time defined by your employer.

These durations are established based on the principles detailed below. Hence, your data will be stored: 

So long as you are an employee within the Colas group; and/or

Until the data becomes outdated; and/or

For the duration of the legal retention period (if any).

For computer/IT accounts (2): your account will remain active until you leave the company, at which point it will be deleted promptly upon receipt of a notification sent by your employer stating that you no longer work for the group/this company.  

Please note that Colas may retain a copy of your personal data in order to exercise its rights (as plaintiff or defendant) before a court of law until the expiry of the applicable statute of limitations.



Will my personal data be used to make automated decisions or profiling (3)?     



Notwithstanding, the collection, processing, and/or storage of sensitive data is only to the extent that such collection, processing and/or storage of sensitive data is legally permitted under the applicable laws of the United States.
(2) Documents deposited by Colas in the Digiposte digital safe are stored for life in your personal space even if you leave the company. 
(3) Profiling means any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.



What are my rights concerning my personal data? 


Under the European Union regulation, you are entitled to the following rights: 

1.  Right of access 

This means that you can ask Colas: 

- Whether we hold personal information about you; and 
- To be informed of all these personal data. 

This right of access allows you to check the correctness of the data, and, if necessary, to ask your employer to correct or delete them, if they are inaccurate or outdated. 

2.  Right to rectification 

You can ask Colas to correct inaccurate information concerning you. 

Based on this right, you can prevent the circulation or processing of inaccurate information about you.

3.  Right to erasure (right to be forgotten) 

You are entitled to request the deletion of some of your data, under certain conditions, listed in Article 17 of the Regulation. 

4.  Right to object to the processing of your data 

You are entitled to object, for legitimate reasons, to the processing of certain of your personal data. 

5.  Right to restriction of processing 

This right entitles you to request that only the necessary data be processed by the data controller. 

6.  Right to data portability 

You can recover some of your data in an open, machine-readable format (electronic format). 

Your data can thus be easily stored or transmitted from one information system to another for reuse. 

7.  Right to withdraw at any moment your consent to the processing of your data (if your data are being processed based on your consent); 

Note: These rights are not absolute; you can exercise them within the prescribed legal framework. In some cases, we will not be able to grant all or part of your request (legal obligation, public interest, etc.). In this case, we will inform you of the reason(s) for such refusal. 



What happens if I object to the processing of my personal data or if I withdraw my consent?     


Most of the processing activities undertaken by Colas as regards your personal data are carried out on the basis of our legitimate interests or to meet our legal requirements. 

However, for certain processing operations (such as those based on your consent), should you withdraw your consent, request the deletion of your personal data or object to a specific processing operation, your data shall be unavailable upon treatment of your request (so long as we are legally entitled to satisfy such request) and you will no longer benefit from the associated services. 

Note: In some cases, we will not be able to grant your request (legal obligation, meeting our commitments to you, etc.). In such a case, we will inform you of the reason(s) for such refusal. 



How can I exercise my rights and whom should I contact? 

     To exercise your rights, please contact Colas’ Group Chief Data Protection Officer at:   

You can also contact Colas by mail at its head office:

Colas SA
To the attention of the Chief Privacy Officer
1, Rue du Colonel Pierre Avia 75015 Paris, France

In case of difficulties, you can also file a complaint with the competent supervisory authorities. As Colas is a French company, the competent supervisory authority is the CNIL (Commission Nationale de l’Informatique et des Libertés), the French data protection authority.

If, after contacting us, you consider that your data processing rights and freedoms are not observed or that the geolocation system does not comply with data protection rules, you can file a complaint with the relevant French courts of law.




Data hosting 

As we are hosting the HR databases of your employer, Colas stores the personal data that your employer collects.

Your employer independently collects, enters and/or modifies your personal data onto the tool and/or processes the HR data it collects (including, as the case may be, for the following purposes: company communications and reporting, administrative and payroll management, implementation and management of the company's labor obligations, ensuring office access security, etc.). 

Please note that such processing activities are not subject to nor detailed in Colas’ personal data protection policy.

 Provision and management of work tools, computer and telephone terminals, software and applications 

Colas provides you (directly or, among others, via its IT subsidiary) with a variety of computer and telephone terminals, as well as IT applications, software programs and work tools. 

In this context, we handle certain personal data to: 

Provide and manage: 

Directories (Colas and Bouygues) and organizational charts; 

Terminals (computers, tablets, business phones, etc.), solutions, applications and work tools; 

Your user accounts: creation and management of associated rights; 

Electronic messaging (including electronic calendars and Skype for Business features); 

Group-based document-sharing solutions (OneDrive, DocStore, Teams); 

SaaS software and solutions used by the various departments and requiring user identification (in particular by means of login/password, SSO, certificate attached to user accounts or VPNs); 

Internal social networks and/or data broadcast or collection mechanisms (Intranet, MyColas, Yammer, Wiz, etc.); 

Provide, perform and/or ensure: 

Maintenance services for the used terminals; 

General or specific IT support (user terminals and standard software); 

Logging systems (logging in, phone logging, internet logging), under the conditions specified in the internal regulations; 

Preservation of documents stored on servers according to the policies implemented at the company;

The security of the information system of Colas. 

Secure the IT terminals in the event of loss or theft 

For instance, a Mobile Device Management System (MDM) may be installed on the business phone to locate the phone, lock it and/or delete part of its content in the event of loss or theft.

Offer and/or manage employee training catalogues, sessions, modules and eLearning (including, amongst others, compliance training and Occupational Health and Safety (OHS) training); 

Implement compliance reporting and disclosure processes as well as to manage and investigate the professional alerts received through the whistleblowing facility Colas is part of;

Monitor and ensure the existence of all required professional authorizations, licenses and certifications (such as for electrical work) management; 

 Permit the use and management of service vehicles, commercial vehicles or construction equipment 

If you use a service vehicle, a commercial vehicle or construction equipment, we process some personal data for the following purposes: 

Driving licenses and authorizations verifications (for example, after a safe driving certification test); 

Management of traffic violations; 

Management of the fleet of vehicles (insurance, fuel consumption, etc.); 

Geolocation / geo-tracking of the company's vehicles (if applicable). 

Communicate to you various news pertaining to the group (such as its governance and business activities, etc.) 

As the parent company of the Colas group, we may process certain personal data in the following context: 

As parent company for the Colas group, Colas processes certain personal data to create and operate management charts and systems, to realize and/or compile dashboards, studies, reporting and follow-up of certain HR indicators. These processing activities concern employees of the Colas group located worldwide. Your personal data are thus processed for the following purposes: 

Reporting and monitoring the HR indicators of Colas Group employees at Colas’ level:  

Analysis and follow-up of the workforce of the Colas Group; 

Analysis and follow-up of compensation (fixed, variable, bonuses and profit-sharing, etc.); 

Career management within the Colas group; 

Coordination of business lines within the Colas Group; 

Employee savings plans: If applicable, implementation and management of employee savings plans for the Colas group, and analysis of the payments made under employee savings plans 

Finally, as a subsidiary of Bouygues SA, we are required to communicate certain data to Bouygues SA, Colas’ holding company and controlling shareholder.

Bouygues SA offers, manages and oversees various employee savings plans and leveraged transactions available to Colas Group employees in France. These arrangements require that the personal data presented below should be sent to Bouygues SA, which processes it as detailed in the following sections: 

Reporting and monitoring the HR indicators of Colas Group employees at Bouygues SA level 

As the holding company of Colas, Bouygues SA processes some of your personal data to compile dashboards, studies and follow-up of Group HR indicators. Those mainly cover the employees located in France. As the case may be (depending on your country and the participation of your employer in the offered schemes), Bouygues may process certain personal data for the following purposes:

Analysis and follow-up of the workforce of the Bouygues Group; 

Analysis and follow-up of compensation (fixed, variable, bonuses and profit-sharing, etc.); 

Career management within the Bouygues group; 

Coordination of business lines within the Bouygues Group; 

Employee savings plans: Analysis of the payments made under employee savings plans 

If applicable, leveraged transactions restricted to the employees (Bouygues Confiance) 

Management of the list of the employees entitled to subscribe and communications related to this process; 

Application of the final amounts deducted on the relevant pay slip(s). 

Communications and notifications on the company's activity: 

Bouygues uses your name and address to generate a mailing list to send you selected company publications (Minorange, Challenger Express, or special publications (books, etc.)). 

Management of job mobility/relocation within the Bouygues group.

As part of the deployment of an intra-group mobility scheme within Bouygues SA, Bouygues SA offers you a platform for submitting applications for positions published by Bouygues group entities (use and registration on this platform is made on a voluntary basis by interested employees only). The personal data processed in this context are covered by a dedicated personal data protection policy available on the Mobyclic tool.