Contact Us

Privacy & Information Security Policy (GDPR) – Wave Energies

Version: 1.1 Last updated: 2025-08-30 Registered Office: 16 Rue Jacqueline Auriol, 76290 Fontaine-la-Mallet

Our CSR Values

At Wave Energies, transparency, respect for individual rights, and a commitment to continuous improvement guide our approach to data protection and information security. We view GDPR and cybersecurity not as a constraint, but as an opportunity to strengthen trust with our employees, partners, clients, and stakeholders.

1. Introduction

This policy explains how Wave Energies processes and protects personal data in the context of its operations. It applies to all employees, candidates, clients, prospects, subcontractors, and partners. Privacy and Information Security Policy (GDPR)

SASU WAVE ENERGIES 16 RUE JACQUELINE AURIOL 76290 FONTAINE-LA-MALLET SIRET No.: 513 744 235 00039 / RCS LE HAVRE / T.V.A – V.A.T: FR-08 513 744 235 / Code: APE – NAF: 7112B

2. Data Controller & GDPR Contact

  • GDPR Officer: Marc-Antoine Hilbert, General Manager.
  • Contact: contact@wave-energies.com
  • Address: 16 Rue Jacqueline Auriol, 76290 Fontaine-la-Mallet

3. Scope and Audience

This policy covers all data processing operations carried out by Wave Energies:

  • HR Data (including recruitment),
  • Commercial Data,
  • Technical Data related to assignments and projects,
  • Data collected via our tools (Boond Manager ERP) and our sites/services.

4. Data Categories & Purposes

Data Processed

  • HR (including recruitment): identity, contact details, background, payroll, training, career.
  • Commercial: professional identity/contact, exchanges, offers, contracts, invoicing.
  • Technical & Projects: data related to assignments, sites, inspections.
  • Security & Traceability: technical logs, access logs, authorizations.

Purposes

  • Management of personnel and applications.
  • Management of client and prospect relationships.
  • Execution of technical assignments and projects.
  • Quality, security, and legal compliance monitoring.
  • Continuous improvement of our services.

5. Legal Bases

  • Contractual performance (Art. 6-1-b GDPR): HR, assignments, client/supplier contracts.
  • Legal obligation (Art. 6-1-c): social, tax, accounting, security obligations.
  • Legitimate interest (Art. 6-1-f): commercial relationship, security, fraud prevention.

Privacy and Information Security Policy (GDPR)

SASU WAVE ENERGIES 16 RUE JACQUELINE AURIOL 76290 FONTAINE-LA-MALLET SIRET No.: 513 744 235 00039 / RCS LE HAVRE / T.V.A – V.A.T: FR-08 513 744 235 / Code: APE – NAF: 7112B

  • Consent (Art. 6-1-a): marketing communications, image dissemination, applications via Boond Manager.

6. Retention Periods

  • Employee file (HR): 5 years after contract termination.
  • Applications: 2 years after last contact.
  • Clients/prospects: contract duration + 5 years.
  • Projects/technical: project duration + legal obligations (up to 10 years).
  • Accounting/invoicing: 10 years (legal obligation).
  • Technical logs/access logs: 12 to 24 months.

7. Data Subject Rights

Every data subject has the following rights:

  • Access, rectification, erasure, restriction, objection, portability.
  • Withdrawal of consent at any time for the processing concerned.
  • Possible complaint to the CNIL (www.cnil.fr).

To exercise your rights: contact@wave-energies.com

8. Information Security

The hosting and security of our data are provided by BT Blue (Bretagne Télécom – Blue Group), a French specialist in cloud and cybersecurity.

Measures Implemented

  • Secure hosting in France (certified data centers).
  • Firewalls and network security managed and supervised by BT Blue.
  • XDR (Extended Detection & Response) solution operated by MicroSOC BlueCyber for continuous monitoring of workstations and servers.
  • Regular backups (Veeam Backup) and tested restoration.
  • Strong passwords, MFA, encryption, access logging.
  • Annual Cybersecurity & GDPR awareness training for employees.
  • Annual cyber risk assessments and implementation of corrective action plans.

Mandatory Best Practices

To protect the confidential data of the company and its clients, it is strictly forbidden to: Privacy and Information Security Policy (GDPR)

SASU WAVE ENERGIES 16 RUE JACQUELINE AURIOL 76290 FONTAINE-LA-MALLET SIRET No.: 513 744 235 00039 / RCS LE HAVRE / T.V.A – V.A.T: FR-08 513 744 235 / Code: APE – NAF: 7112B

  • use removable storage media (USB stick, external hard drive, memory card, etc.) to transfer or store professional data,
  • copy or store professional data on personal spaces (private computers, smartphones, personal messaging services, consumer cloud services such as personal Google Drive, Dropbox, iCloud, etc.),
  • transmit documents via unsecured channels.

All data transmission must be carried out via:

  • secure professional messaging systems,
  • internal storage spaces (Wave Energies server),
  • or dedicated and validated client spaces.

9. Alert Procedure

Any security or confidentiality incident can be reported:

  • via the Wobee platform (anonymous reporting possible),
  • by email to contact@wave-energies.com,
  • to the HR Director, the General Manager, or the QHSE Manager.

Guarantees: confidentiality of processing, no retaliation, traceability and follow-up.

10. Incident Response Plan

  1. Detection & Containment (isolation, access reset).
  2. Analysis & Remediation (cause identification, corrective actions).
  3. Notification (CNIL within 72h for serious breaches + concerned parties).
  4. Feedback (procedure updates).

11. Consent (Boond Manager ERP)

Our Boond Manager ERP includes a module for collecting and tracking candidate consent only. 👉 Clients and employees are informed within the contractual or regulatory framework, but their consent is not managed via the ERP.

12. Sharing, Subcontractors & Transfers

  • Access limited to authorized personnel.

Privacy and Information Security Policy (GDPR)

SASU WAVE ENERGIES 16 RUE JACQUELINE AURIOL 76290 FONTAINE-LA-MALLET SIRET No.: 513 744 235 00039 / RCS LE HAVRE / T.V.A – V.A.T: FR-08 513 744 235 / Code: APE – NAF: 7112B

  • Every subcontractor is subject to a confidentiality agreement & GDPR obligations.
  • No transfer outside the EU without appropriate safeguards (standard contractual clauses, adequacy decisions).

13. Call Recording

Wave Energies does not record telephone conversations. Any future implementation would be strictly regulated (prior information, legitimate purpose, restricted access, limited duration) and validated by the GDPR Officer.

14. Cookies (website section)

Our website uses cookies to:

  • improve user experience,
  • measure audience and performance,
  • offer tailored content.

Each user is informed upon arrival on the site and can:

  • accept all cookies,
  • refuse non-essential cookies,
  • customize their preferences.

Cookies are stored for a maximum period of 13 months.

15. Document Governance & Updates

  • This policy is dated and revised every 2 years (or after a major incident).
  • Associated documents (procedures, registers) are reviewed at least annually.
  • Any updates are communicated to employees and published on our platforms