PERSONAL DATA PROTECTION - Louvre Hotels group - Application management
DATE OF DIFFUSION: 25/04/2026
ARTICLE 1: FOREWORD
Let's set the framework
The protection of personal data is one of our major concerns. This is why LOUVRE HOTELS GROUP undertakes to process your personal data in compliance with the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016), hereinafter the "GDPR" and the French Data Protection Act (Law No. 78-17 of 6 January 1978 as amended relating to information technology, files and freedoms).
Thus, the purpose of this personal data protection policy is to present to you:
- The controllers of your personal data;
- How your personal data is collected and processed;
- The recipients to whom your personal data is transmitted;
- Your rights regarding the use of your personal data;
- Our reciprocal commitments to the protection of personal data.
This policy applies to all people who apply to LOUVRE HOTELS GROUP or to an establishment in its network, all channels combined, or to former candidates. For the purposes of this policy, all these people are referred to interchangeably as the "Candidates".
We would like to point out that when you are hired, you will be invited to consult the "Human Resources & Personnel Administration" Personal Data Protection Policy which will be given to you by the data controller of the establishment where you will be hired.
ARTICLE 2: GLOSSARY
We promise, you'll understand us
- Personal Data means any information relating to an identified or identifiable person, i.e. allowing that person to be identified directly (e.g. surname, first name, etc.) or indirectly (e.g. email address, cookies, etc.);
- Processing means any operation or set of operations, whether automated or not, applied to data or to a set of Personal Data, such as: collection, recording, organization, storage, transmission, deletion, etc.;
- The Data Controller refers to the legal or natural person who determines the purposes and means of a Processing, i.e. the objective and the way in which it is carried out;
- Processor means the legal or natural person who processes Personal Data on behalf of the Controller on its instructions.
ARTICLE 3: GENERAL PRINCIPLES
We have legal obligations!
In accordance with the provisions of Article 5 of the GDPR, the collection and Processing of your Personal Data complies with the following principles:
- Lawfulness, fairness and transparency: the collection and Processing of your Personal Data may only be based on a previously defined legal basis (Performance of a contract, legal obligation, consent, legitimate interest, preservation of vital interests, public interest);
- Limited purposes: the collection and Processing of your Personal Data is carried out to meet one or more previously defined purposes;
- Minimization of data collection and processing: only Personal Data that is strictly necessary for the proper execution of the purposes pursued is collected;
- Data retention limited in time: the Data Controller is obliged to define retention periods for the Personal Data processed. It must only be kept for as long as necessary to achieve the purpose or within the limits of the regulatory obligations imposed on the Data Controller;
- Integrity and confidentiality of the data collected and processed: the Data Controller undertakes to guarantee the integrity and confidentiality of the Personal Data collected.
ARTICLE 4: DATA CONTROLLER AND DISTRIBUTION OF RESPONSIBILITIES
Who is responsible for the data?
In the context of application management and recruitment, the processing of Personal Data is carried out by several entities acting at different levels, each in its capacity as a data controller within the meaning of Article 47 of the GDPR, for the processing that it determines and implements independently.
4.1 Louvre Hotels Group
The processing of personal data related to the management and operation of the Group's recruitment platform, the candidate area, as well as the shared tools and services made available in this context, is carried out by LOUVRE HOTELS GROUP, a simplified joint-stock company with a capital of €117,624,016, registered with the Nanterre Trade and Companies Register under number 309 071 942, whose registered office is located at Tour Voltaire - 1 Place des Degrés - 92800 Puteaux – France (hereinafter "we", "us" or "the Company"), as Data Controller.
As such, Louvre Hotels Group independently determines:
- The purposes and means of the processing relating to the provision of the careers site and the candidate space;
- The conditions for collecting, hosting, securing and storing the data processed via these tools;
- The procedures for exercising the rights of the data subjects for the processing falling within its scope;
- The purposes and means of the processing related to recruitment for its own purposes, as a separate data controller.
4.2 Hotels in the network
The hotels in the Louvre Hotels Group network are legally autonomous and independent entities.
When a candidate applies for a job offer at a hotel in the network, the Personal Data transmitted is processed by the hotel concerned for the exclusive needs of its own recruitment and hiring process, as a separate data controller.
Each hotel independently determines:
- The purposes of the processing related to recruitment for its own purposes;
- The means necessary for the analysis, management and conservation of the applications received;
- The retention periods applicable to the data it processes;
- The procedures for exercising the rights of the data subjects for the processing for which it is responsible.
4.3 No co-responsibility
Louvre Hotels Group and the hotels in the network do not act as joint data controllers within the meaning of Article 26 of the GDPR. Each of these entities intervenes autonomously and independently, for processing operations pursuing distinct purposes, and assumes sole responsibility for the compliance of the processing it implements with the applicable regulations on the protection of personal data.
Data subjects may exercise their rights:
- With Louvre Hotels Group (see Article 9) for processing relating to:
  - Management of the recruitment platform;
  - The candidate space;
  - Recruitments made for its own needs, as a data controller.
- Directly with the hotel of the network concerned for the processing carried out by the latter in its capacity as data controller.
Each entity undertakes to process requests in compliance with the deadlines and conditions provided for by the GDPR.
ARTICLE 5: PERSONAL DATA COLLECTED AND PROCESSED - WHAT DATA?
What do we know about you?
In accordance with the principle of minimization, we only collect Personal Data that is necessary to achieve our purposes. Thus, in the context of human resources management and personnel administration, the Company may collect and process the following information:
- Identity data: Title, surname, first names, date of birth;
- Contact data: Postal address, email address, telephone number;
- Professional life data: Professional experience and career, languages spoken, diplomas obtained, availability (night work, etc.);
- Personal life data: Possession of a driver's license, languages spoken, etc.;
- CV Data and Free Fields: Any information you mention on your CV or other attachments to your application or that you share with us;
- Connection and browsing data: IP address, connection history, cookies, etc.
It should be noted that when you submit your application, we do not need to be made aware of so-called "sensitive" Personal Data, i.e. data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, as well as genetic and biometric data for the purpose of uniquely identifying a natural person, data concerning health, a person's sex life or sexual orientation. The same applies to highly personal Personal Data (such as your social security number, for example), judicial data (such as an extract from your criminal record), and data relating to your banking information (bank details, IBAN, etc.).
Some of this information may be requested if your application is selected as part of the constitution of your personal administrative file. You will be invited to consult the "Human Resources & Personnel Administration" Personal Data policy when you are hired, which will be given to you by the Data Controller concerned.
ARTICLE 6: FOR WHAT REASONS?
We would like to explain to you
For any further information on the purposes or retention periods, you can refer to the "CNIL reference framework on recruitment" or contact the Company's DPO (see article 9.3).
For Processing based on the Company's legitimate interest, a preliminary balancing analysis is carried out in order to verify that the Company's interests do not disproportionately infringe on the fundamental rights and freedoms of Employees. In this context, the Company ensures in particular the proportionality of the Data processed, the transparency of the Processing, as well as the possibility for the data subjects to exercise their right to object, when applicable.
ARTICLE 7: WHO HAS ACCESS TO YOUR PERSONAL DATA?
We don't pass them on to just anyone
We undertake to transmit your Personal Data only to:
- Authorized personnel of the Company;
- Authorised staff of the hotels in the LOUVRE HOTELS GROUP network;
- Authorized personnel of Subcontractors and partners, in particular in charge of recruitment, maintenance and security of systems, collaborative tools, etc. In this context, we undertake to monitor compliance with legal requirements relating to the Personal Data processed by our Data Processors;
- To social networks acting as Data Processors in order to identify whether you are a user of one of these social networks (such as LinkedIn) to allow you to apply from your profile;
- To any relevant regulatory, statutory, governmental or other authority, agency or body and industry regulator, if required by law or in connection with an investigation and in accordance with local regulations;
- Auditors, advisors or lawyers appointed by either party.
The use of service providers is necessary for the proper functioning of our services. We are committed to monitoring and ensuring compliance with legal requirements relating to Personal Data.
The Company does not and will not sell, transfer or communicate the data collected to unauthorized third parties.
ARTICLE 8: USE OF ARTIFICIAL INTELLIGENCE (AI) SOLUTIONS
AI also has rules
Some Personal Data Processing may be carried out by automated Processing or algorithmic tools, including artificial intelligence (AI) technologies, whose sole purpose is to provide assistance in the analysis or production of content, according to predefined rules.
These tools are not intended to produce decisions producing legal or significant effects with regard to Employees.
No individual decision is taken solely on the basis of automated processing, and any decision remains based on human assessment.
Furthermore, we do not use any fully automated decisions based on your Personal Data. No profiling is implemented and the Personal Data we process is never used without human intervention, including in the context of evaluating your profile with regard to the position concerned by your application.
For any further information on the use of this type of artificial intelligence solutions within the Company or to request an "enhanced human review", you can contact the dedicated teams or the DPO (see article 9).
ARTICLE 9: YOUR RIGHTS
You have all the cards in your hand
9.1 Your rights
In accordance with the regulations in force, you have the following rights regarding your Personal Data:
- Right of access: You may, at any time, access the Personal Data that we hold about you. Note that this right is not absolute and that its exercise may be legitimately refused or limited. In this case, the Company must duly justify its decision;
- Right to rectification: You may make a request to complete or correct your personal information;
- Right to object: The right to object may be exercised, provided that the data subject invokes reasons relating to his or her particular situation, when the Processing is carried out on the basis of our legitimate interest. It is specified that the right to object does not exist when the Processing meets a legal obligation or if it is necessary for the performance of a contract. In addition, where the Processing is exceptionally based on the employee's consent, the right to object does not apply as such, insofar as you may withdraw your consent to the Processing;
- Right to restriction: You may claim the restriction of future Processing of your Personal Data under certain conditions;
- Right to erasure: You may request the deletion of your Personal Data provided that its retention is not necessary to comply with legal obligations and/or to defend the Company's rights, for example;
- Right to portability: You have the right to request the transmission of your Personal Data to another organization under certain conditions;
- Post-mortem guidelines: You can decide what happens to your Digital Personal Data after your death.
Following your request to exercise your right, a response will then be sent to you within one (1) month of receipt of the request, which may be extended by two (2) months depending on the complexity of your request.
9.2 How to exercise your rights?
You can exercise your rights at any time and free of charge, except in the case of manifestly unfounded or excessive requests (in particular due to their repetitive nature), in which exceptional case we reserve the right, in accordance with the GDPR, to demand the payment of a reasonable fee or to refuse your request.
If you wish to exercise your rights, you can make the request from your "candidate space" or contact the dedicated teams, by email at rhgdpr@louvre-hotels.com
You can also exercise your rights with regard to your Personal Data processed by a hotel in its capacity as Data Controller. We invite you to exercise your rights directly with the hotel and to consult its Personal Data protection policy if necessary.
9.3 The Data Protection Officer (DPO)
The Company has appointed a Data Protection Officer (DPO) to the CNIL. You can contact him:
- By email to: dpo@groupedulouvre.com
- By post to: DPO, LOUVRE HOTELS GROUP, Tour Voltaire - 1 place des degrés, 92800 Puteaux - France
9.4 Complaints to the CNIL
If, after contacting us, you believe that your rights have not been respected, you can lodge a complaint with the competent authority, namely the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, 75007 Paris or via their website: https://www.cnil.fr/fr
ARTICLE 10: HOW DO WE PROTECT YOUR PERSONAL DATA?
The security of your Personal Data is taken seriously
We are concerned about the security of your Personal Data, which we undertake to process securely for the time necessary to achieve the purposes pursued.
We operate data systems and networks that are protected by industry-standard security measures and we use secure protocols over unsecured networks to protect the transmission of your Personal Data. As such, the security of connection to the Company's tools is reinforced by Multi-Factor Authentication (MFA).
In accordance with Article 32 of the GDPR, we have implemented appropriate technical and organisational measures, taking into account the state of knowledge, the costs of implementation, as well as the nature, scope, context and purposes of the Processing, in order to guarantee a level of security appropriate to the risks identified and, among other things, to:
- Guarantee the constant confidentiality, integrity and resilience of processing systems and services;
- Restore data availability and access in a timely manner in the event of a physical or technical incident;
- Protect Personal Data from accidental or unlawful destruction, loss, alteration or unauthorized disclosure.
All persons with access to your Personal Data have been made aware of good practices in terms of data protection. They are bound by an obligation of confidentiality, and are exposed to disciplinary sanctions in the event of non-compliance with this provision.
When we need to share your Personal Data in the context of carrying out certain Processing, we take all necessary measures to ensure that the third-party recipients have put in place appropriate technical and organizational measures to protect your Personal Data.
Please note that, although we always strive to protect our sites, systems and operations, we do not control all the risks associated with the operation of the Internet and draw your attention to the existence of any risks inherent in its operation.
ARTICLE 11: DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
Even outside Europe, we take care of your Personal Data
The Personal Data collected by the Company is mainly processed within the European Economic Area. However, in certain situations (in particular the use of technical, IT or hosting service providers), transfers of Personal Data to third countries may be carried out.
Where this is the case, we ensure that such transfers are subject to appropriate legal safeguards, in accordance with Chapter V of the GDPR, to ensure a level of data protection substantially equivalent to that guaranteed within the European Economic Area. Such safeguards may include, inter alia, the conclusion of standard contractual clauses of the European Commission and, where appropriate, the implementation of additional protection measures.
The persons concerned have the right to obtain a copy or reference of the applicable guarantees, within the limits provided for by the regulations.
ARTICLE 12: WHAT ARE YOUR COMMITMENTS?
And yes, you also have obligations
12.1 Accuracy of Personal Data
As a Candidate, you declare that you are informed of the importance of the accuracy of the Personal Data concerning you. You therefore undertake to provide only accurate Personal Data about yourself.
In this respect, you can modify inaccurate or incomplete data directly from your Candidate space or make a request for rectification or deletion to the competent services (see Article 9).
12.2 Free fields
In general, failure to fill in the fields identified as mandatory on a site by an asterisk (*) does not allow us to provide you with all or part of the site's features. Your application may not be considered if you do not fill in this type of mandatory field.
The other fields are optional and are intended in particular to allow you to fill in information that you think is useful for processing your application for the position concerned.
When a paper form or a website offers a free field, we ask you to indicate only strictly objective information that is essential to your request and never to communicate sensitive data (such as passwords, banking information, health data, etc.).
12.3 Sensitive Personal Data
We only collect and process "sensitive" Personal Data when such processing is strictly necessary for the management of employment relationships, compliance with our legal and regulatory obligations, or the exercise or defense of legal claims, in accordance with Article 9 of the GDPR.
In certain situations, sensitive Data may be communicated by the Candidate spontaneously, in particular in the context of specific requests related to the management of his applications or the exercise of his rights.
In this case, this Data is only processed within the strict limits of the purpose pursued, with reinforced guarantees of confidentiality and security, and is not subject to any reuse incompatible with this purpose.
Only so-called "highly personal" data mentioned in Article 5 of this policy may be collected by us in order to compile your administrative file if your application is accepted.
12.4 The management of the Personal Data of persons under 15 years of age
We do not knowingly collect or solicit Personal Data from anyone under the age of 15. In the event that such a transmission takes place, in your capacity as the legal representative of the person under the age of 15, you can contact us directly (see Article 9.3) so that this information can be deleted.
ARTICLE 13: UPDATE OF THE DATA PROTECTION POLICY
Important to make updates
This Personal Data Protection Policy may change.
In the event that one of the clauses is null and void, in particular due to a change in legislation, the applicable regulations or a court decision, this shall in no way affect the validity of the other clauses of this policy. This Policy and the documents referred to in it are governed by French law.
This Policy is subject to updates and will be disseminated. It will automatically replace the old version and will be made applicable to you from the date of its distribution.
In order to stay informed of these possible changes and updates, it is recommended that you regularly consult the policy available at https://louvrehotelscareers.com/