VERSION 26/02/2025

ARTICLE 1: FOREWORD

The GDPR and you

Personal data protection is one of our main concerns. This is why LOUVRE HOTELS GROUP is committed to processing your personal data in accordance with the General Data Protection Regulation (Regulation EU 2016/679 of 27 April 2016) (hereinafter referred to as the “GDPR”) and the French Data Protection Act (Act No. 78-17 of 6 January 1978, as amended). The purpose of the personal data protection policy is therefore to inform you about:

• The data controller
• How your personal data is collected and processed
• The recipients of your personal data
• Your rights regarding the use of your personal data
• Our mutual obligations in relation to the protection of personal data

This policy applies to applicants, external applicants or employees of LOUVRE HOTELS GROUP and its subsidiaries who are seeking internal mobility. For the purposes of this policy, all such persons are referred to as “applicants”.

ARTICLE 2: GLOSSARY

We promise you will understand!

Personal data means any information relating to an identified or identifiable natural person, i.e. information allowing such natural person to be directly (e.g.: surname, first name, etc.) or indirectly identified (e.g.: email address, etc.).

Personal Data Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (e.g.: collection, recording, organisation, storage, transmission of data, erasure, etc.).

The Data Controller determines the purposes (objectives) and the means of processing to achieve these purposes.

The Data Processor (or Third Party) processes Personal Data on behalf of the Data Controller and in accordance with its instructions.

ARTICLE 3: GENERAL PRINCIPLES

We have legal obligations!

Pursuant to the provisions of Article 5 of the GDPR, the collection and processing of your Personal Data complies with the following principles:

• Lawfulness, fairness and transparency: the collection and processing of your Personal Data is only permitted on a legal basis defined in advance (performance of a contract, legal obligation, consent, legitimate interest, protection of vital interest, public interest).
• Purpose limitation: the collection and processing of your Personal Data is carried out to meet one or more defined purposes.
• Minimisation of data collection and processing: the collection of Personal Data is limited to what is necessary for the proper fulfilment of the purposes for which it is collected.
• Storage limitation: the Data Controller is required to define retention periods for the Personal Data processed. Personal Data shall only be kept for as long as necessary to achieve the purpose.
• Integrity and confidentiality of data collected and processed: the Data Controller undertakes to safeguard the integrity and confidentiality of the Personal Data collected.

ARTICLE 4: DATA CONTROLLER

We are responsible for the data entrusted to us!

The processing of your Personal Data in connection with the management of your application or internal mobility is carried out by LOUVRE HOTELS GROUP, a Simplified Limited Company (Société par Actions Simplifiées), with a share capital of € 117,624,016, registered with the Trade Register of Nanterre under number 309 071 942, whose registered office is located at Tour Voltaire, 1 Place des Degrés, 92800 Puteaux, France, as the Data Controller.

This means that we control how your Personal Data is processed and that we decide on the purposes of such processing. It also means that we give specific instructions to our Data Processors, who may process your Personal Data on our behalf. In accordance with Article 32 of the GDPR, we implement all technical and organisational measures to ensure the protection of your Personal Data.

Hotels are autonomous and independent entities. Therefore, when you apply for a position at one of these hotels, your Personal Data is processed by both the LOUVRE HOTELS GROUP and the hotel in question, each acting as a Data Controller with its own purposes.

Any Processing of Personal Data carried out by the hotels is governed by a personal data protection policy specific to each hotel in its capacity as Data Controller. All hotels are required to comply with the principles of protection of your Personal Data in accordance with the applicable regulations and to ensure that your rights are upheld when you exercise them.

ARTICLE 5: PERSONAL DATA COLLECTED AND PROCESSED – WHAT DATA?

What do we know about you?

Pursuant to the minimisation principle, we only collect Personal Data that is required to fulfil our objectives. Accordingly, in connection with managing applications, LOUVRE HOTELS GROUP may collect and process the following information:

Please note that when you submit your application, we do not require any sensitive data such as highly Personal Data (social security number) or legal data (criminal record), or data regarding your financial situation. This data may be collected and processed for administrative purposes if your application is successful.

We are aware of the sensitive nature of this information and are committed to ensuring a high level of confidentiality and compliance with our legal and regulatory obligations. If you would like more information, on joining the group you will be asked to read the “Human Resources” Personal Data policy, which will be provided to you by the relevant Data Controller.

Cookies

ARTICLE 6: PERSONAL DATA COLLECTED AND PROCESSED: FOR WHAT PURPOSES?

Let us explain!

ARTICLE 7: PERSONAL DATA COLLECTED AND PROCESSED: WHO HAS ACCESS TO YOUR PERSONAL DATA?

We do not share it with just anyone!

The Personal Data we collect may be transmitted for various purposes:

• To authorised personnel of LOUVRE HOTELS GROUP;
• To authorised personnel of the hotels in the LOUVRE HOTELS GROUP network;
• To authorised persons at our service providers who are Processors for LOUVRE HOTELS GROUP, in particular service providers tasked with:
  • Part of the recruitment process, in particular for LOUVRE HOTELS GROUP
  • Website maintenance and security
  • Networking (send you messages, organise appointments and conduct interviews by videoconference)
• To social media sites acting as Data Processors in order to identify whether you are a user of one of these social media sites (such as LinkedIn) and enable you to apply from your profile;
• Any regulatory, statutory, governmental or other authority, agency or body and relevant sector regulator, if required by law or in the context of an investigation and in accordance with local regulations.

Please note that the use of service providers is necessary for the proper fulfilment of the purposes and we undertake to verify and guarantee their compliance with the GDPR.

LOUVRE HOTELS GROUP undertakes not to disclose your Personal Data to third parties or external organisations without your express consent. LOUVRE HOTELS GROUP does not and will not sell, transfer or disclose the data collected to unauthorised third parties.

LOUVRE HOTELS GROUP does not use automated decision-making based on your personal data. No profiling is carried out when processing your personal data, and the data we collect will never be used without human intervention, including when assessing your profile in relation to the position for which you have applied.

ARTICLE 8: YOUR RIGHTS You hold all the cards!

Pursuant to current regulations, you have the following rights regarding your personal data:

If you wish to exercise your rights, you can contact our data protection officer:

By email: dpo@groupedulouvre.com

By post to the following address:

LOUVRE HOTELS GROUP – DPO

Tour Voltaire, 1 place des Degrés

92800 Puteaux

FRANCE

You may exercise these rights at any time, free of charge, except in cases of blatantly unfounded or excessive requests (in particular due to their repetitive nature). In this exceptional case, we reserve the right, in accordance with the GDPR, to require payment of reasonable costs or to refuse your request.

Following your request to exercise your rights, you will be sent a response within 1 (one) month of receipt of the request, which may be extended by 2 (two) months given the complexity of your request.

You also have the right to file a complaint with the relevant supervisory authority (in France: the Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority), or “CNIL” www.cnil.fr ).

You may also exercise your rights in relation to your Personal Data processed by a hotel in its capacity as Data Controller. Please exercise your rights directly with the hotel and consult its Personal Data protection policy if necessary.

ARTICLE 9: WHAT ARE YOUR OBLIGATIONS

That’s right, you also have obligations!

• Accuracy of Personal Data

As an applicant, you represent that you are aware of the importance of the accuracy of your Personal Data. You therefore undertake to only provide accurate Personal Data.

In this regard, you may request that your personal data be corrected or erased as provided for in Article 8 of this policy.

• Management of Personal Data of persons under 15 years of age

We do not knowingly collect or ask for Personal Data for persons under 15 years of age.

In the event that such transmission occurs, as the legal representative of the person under the age of 15, you may contact the human resources department of LOUVRE HOTELS GROUP, whose contact details are provided in Article 8, or the relevant hotel so that this information can be deleted.

• Free fields

In general, failure to complete the fields marked with an asterisk (*) on the website will prevent us from providing you with all or part of the website’s features. Your application may not be considered if these mandatory fields are not completed.

The other fields are optional and are intended to allow you to provide information that you consider useful for the processing of your application for the position in question.

When a form includes a free text field, we ask that you only provide information that is strictly objective and essential to your application and that you never disclose sensitive data (such as credit card numbers, health data, etc.).

• Sensitive Personal Data

We do not collect “sensitive” Personal Data.

We remind you that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the purpose of specifically identifying a natural person, data concerning health or data pertaining to a natural person’s sex life or sexual orientation is considered sensitive Personal Data.

If you willingly provide us with sensitive Personal Data, especially in the free field when you apply, in your CV, or during your interviews in connection with your application, you acknowledge that you have given us your explicit consent to process these special categories of Personal Data.

ARTICLE 10 – HOW DO WE PROTECT YOUR PERSONAL DATA?

Cybersecurity: we are all stakeholders, we are all affected, we are all responsible!

We implement appropriate technical and organisational measures to:

• Protect your Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access to such Personal Data.
• Ensure the confidentiality, integrity, availability and ongoing resilience of systems and services
• Restore the availability of Personal Data and access thereto within appropriate timeframes in the event of an incident

We operate systems and networks protected by industry-standard security measures and use secure protocols on unsecured networks to protect the transmission of your Personal Data. In addition, access to your Personal Data is restricted to authorised personnel and service providers.

Although we strive to protect our recruitment site and systems at all times, we cannot control all risks associated with the operation of the Internet and draw your attention to the existence of potential risks inherent in its operation.

When we need to share your Personal Data with our Data Processors, we take all necessary measures to ensure that the third party recipients have implemented appropriate technical and organisational measures to protect your Personal Data.

ARTICLE 11: DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA

Even outside Europe, we take care of your Personal Data!

As part of providing our services, we may need to transfer your Personal Data to recipients, especially Third Parties or hotels in the network, which may be located outside the European Economic Area (EEA), in countries that may have different rules on the protection of Personal Data.

In the event of a transfer of Personal Data outside the EEA, we undertake to comply with the requirements of the applicable regulations and to implement the appropriate safeguards needed for such a transfer.

ARTICLE 12: UPDATES TO THE DATA PROTECTION POLICY

It is important to keep up to date!

If any clause of this policy is invalid, especially due to a change in legislation, applicable personal data protection regulations or a court decision, this shall in no way affect the validity of the other clauses of the policy.

This policy is governed by French law.

It is subject to updates. The previous policy will then be lawfully replaced by the new version posted online. The latter will immediately become enforceable upon you. Use of the website is subject to the policy in force at the time of use.

We recommend that you consult the policy on a regular basis to be kept informed of any changes and updates.