INFORMATION NOTICE FOR AXA GIE, AXA GIE UNIVERSITY, AXA SA AND AXA GLOBAL MOVE EMPLOYEES
AXA respects your privacy and ensures that all personal data it handles is processed in accordance with best confidentiality practices and the applicable laws on data protection, and notably the European Union General Data Protection Regulation n°2016/679 (GDPR).
The objective of this Information Notice is to present the various processing operations carried out on your personal data as an employee of GIE AXA, GIE AXA University, AXA SA or AXA Global Move.
Update of the present notice on the protection of your personal data
The Data Controllers (as defined below) may update this Information Notice from time to time in response to changing legal, technical, or business developments. When the Data Controllers update this Information Notice, the Data Controllers will take appropriate measures to inform you, consistent with the significance of the changes the Data Controllers make. The Data Controllers will obtain your consent to any material Notice changes if and where this is required by applicable data protection laws. This Information Notice was last updated on January 9th, 2025.
Table of contents
Update of the present notice on the protection of your personal data
Who are the Data controllers of your personal data?
What are your rights to your personal data?
How to contact the DPO or exercise your rights?
How to make a complaint to a Supervisory Authority?
How do we ensure the security of your personal data?
Is the provision of your personal data mandatory?
For what purposes and in what way is your personal data processed?
What about Secure GPT and My AI Brain?
Is an automated decision made in the context of this processing?
Where do your personal data come from?
To whom do we disclose your personal data?
Is your personal data transferred outside the European Union (EU)?
Who are the data controllers of your personal data?
GIE AXA, a European Economic Interest Grouping, organized under French law, with its registered office at 23 Avenue Matignon, 75008 Paris, registered with the Registry of Commerce and Companies of Paris under the number 333 491 066, can act as an independent data controller (it determines the purposes and means of the processing of your information).
GIE AXA and AXA SA (AXA SA, a Société Anonyme, organized under French law, with its registered office at 25 Avenue Matignon, 75008 Paris, registered with the Registry of Commerce and Companies of Paris under number 572 093 920, excluding these subsidiaries), or GIE AXA and GIE AXA Université (a European Economic Interest Grouping, organized under French law, with its registered office at 23 Avenue Matignon, 75008 Paris, registered with the Registry of Commerce and Companies of Paris under the number 342 312 931) or GIE AXA and AXA Global Move, Société Anonyme organized under Swiss law, with its registered office at Route des Acacias 47, 1227 Les Acacias, Case Postale 1510, 1211 Genève 26 (Suisse), registered with the Registry of Commerce IDE under the number CHE-158.210.029 can act as joint data controllers (they jointly determine the purposes and means of the processing of your information).
The data controllers are referred to in this Notice as "AXA" or "Data Controllers" or "We" or "Us".
What are your rights to your personal data?
In accordance with the French "Informatique et Libertés" law n° 78-17 of 6 January 1978 and the GDPR, you have the right to:
Access to your personal data: you have the right to request access to the personal data We process about you, and to obtain a copy of that data,
Rectify your personal data: you have the right to ask AXA to rectify or complete the personal data that We process about you that are inaccurate, incomplete, or not up to date,
Request the limitation of the processing of your personal data: you have the right to ask AXA to limit the processing of your personal data. This means that the Data Controllers may simply keep your data but may not process or use it in any other way,
Decide what happens to your personal data after your death: you have the right to give AXA instructions as to how your personal data should be used after your death.
Based on the legal basis for the processing of your personal data described in the table below, you also have the right to:
Request the deletion of your personal data: you have the right to ask AXA to delete your personal data, except where the processing is based on the performance of a legal obligation of the Data Controllers,
Right to portability of your personal data: you have the right to receive the personal data you have provided to Us in a suitable format and have the right to transfer that data to another data controller without Us interfering but only where the processing is based on the performance of a contract or your consent,
Withdraw your consent at any time by contacting the DPO at the following address: privacy@axa.com, but only where the processing of your personal data is based on your consent.
Where the processing of your personal data is based on the Data Controllers' legitimate interest(s) (please refer to the table below describing the legal basis for the processing of your personal data), you also have the right to object at any time to the processing of your personal data, unless the Data Controllers can demonstrate the need for further processing or where such data is necessary for the establishment, exercise, or defense of legal claims.
Furthermore, information on the balancing test can be obtained on request by contacting the following address: privacy@axa.com
How to contact the DPO or exercise your rights?
If you have any questions, complaints, or comments regarding this Information Notice or to exercise your rights listed above, please contact the DPO. The contact details are as follows: (i) privacy@axa.com and/or (ii) 23 avenue Matignon, 75008, Paris for GIE AXA or 25 avenue Matignon, 75008, Paris for AXA SA.
The Data Controllers may ask you for additional information to confirm your identity and/or to assist AXA in locating the data you are seeking.
How to make a complaint to a supervisory authority?
You have the right to raise concerns about how your personal data is being processed with a competent supervisory authority, in the Member State of your habitual residence, place of work or place where you think an alleged infringement to your rights occurred.
In France, the data protection authority is the Commission Nationale de l'Informatique et des Libertés, or “CNIL” whose postal address is 3 place de Fontenoy - TSA 80715 – 75334 Paris CEDEX 07. Its website is accessible here: https://www.cnil.fr/
How do we ensure the security of your personal data?
The Data Controllers use appropriate technical and organizational measures designed to protect the personal information about you. The measures the Data Controllers use are designed to provide a level of security appropriate to the risk of the processing activity of your personal information, in line with AXA standards.
Is the provision of your personal data mandatory?
Whether or not the provision of your personal data to AXA is mandatory will be indicated to you at the time of collection of such data (e.g., by an asterisk on the collection form). If you do not provide AXA with personal data identified as mandatory, AXA may be unable to properly manage the following processing that concerns you as an employee: your recruitment, administrative management of personnel, trainings, management of employee share ownership, controls, statistics and data quality, management of press, newsletter and events.
For what purposes and in what way is your personal data processed?
Your personal data are processed for the different purposes listed in the table below.
Please refer to the following categories to know the different purposes of your personal data processing but also the legal basis chosen, the categories of personal data processed, and the data retention period applied.
What about Secure GPT and My AI Brain?
a) Secure GPT
Secure GPT offers you a controlled and monitored access to a safe use of generative artificial intelligence (AI): you can send prompts and receive answers in a text format via the chat interface.
When you use Secure GPT, please note your personal data is being processed for connection purposes (One Account). Furthermore, any data disclosed into Secure GPT will be processed for text generation and conversational AI purposes. For more information about the processing of your personal data in Secure GPT, please consult the information notice available in Secure GPT.
b) My AI Brain
My AI Brain ("MAB") is an internal AXA web interface based on Secure GPT artificial intelligence technology.
This tool provides you with controlled and monitored access to the use of generative artificial intelligence (AI). It is possible to upload documents, send instructions, and receive responses related to the content of these documents in text form via the chat interface.
When you use My AI Brain, please note your personal data is being processed for connection purposes (One Account & logs of connection).
Furthermore, your conversation history, as well as any personal data mentioned in the documents uploaded in the tool and constituting the corpus, depending on each processing, will be processed for text generation and conversational AI purposes.
Please note:
the documents you will upload will be deleted (i) eighteen (18) months from the date of last consultation, or (ii) three (3) years after upload, whichever is shorter.
your conversation history will be deleted (i) six (6) months from the date of the last exchange with MAB, or (ii) eighteen (18) months from the date of issuance of the prompt and associated response, whichever is shorter.
your logs of connection will be deleted after twelve (12) months from the date the log was issued.
Is an automated decision made in the context of this processing?
No automated decision-making is performed for the processing described in this Information Notice.
Where do your personal data come from?
Most of the personal data we process is directly collected from you. Where your personal data are not obtained directly from you, the personal data we process comes from the Data Controllers (e.g., Group HR, Group Directory), AXA Entities, and training sessions.
To whom do we disclose your personal data?
The Data Controllers communicate your personal data only to identified and authorized recipients which are the following:
Internal
Authorized recipients, within the limits of their respective attributions in relation to the processing concerned:
Following GIE AXA departments: Group Human resources, Group Legal, Group Finance, Group Risk and Management, AXA Research Funds, Group Communication, Group Compliance, Group Audit & Investigation, Group Finance, Group Strategy, Sustainability and Public Affairs, Group Brand, Group Corporate Responsibility, Direction des Services Supports, PBR GIE AXA, Security, Département de l'Administrateur Unique, Direction des Systèmes d’Information, Pôle chauffeur,
Group Audit, for the purpose of performing internal audits to ensure adequacy and effectiveness of internal controls and governance. For this processing, We pursue Our legitimate interests to ensure a prudent and transparent management of the company through the evaluation of the adequacy and effectiveness of the internal control activities. Where relevant, this may include checking controls over transactions or records containing personal data. The processing of your special categories of data is based on your consent, collected by GIE AXA or other AXA local entities (e.g., AXA France) with which you are in contact. Any personal data required to support the audit conclusion is deleted ten (10) years after the closing of the last issue relating to the audit (or after the issuance of the audit report if no issues have been identified), all other personal data is deleted within ten (10) days following completion of the audit,
GIE AXA Group Investigation department, for the purpose of implementing a system for collecting and managing professional alerts. For more information, please refer to the following information notice available on axa.com,
GIE AXA Group Risk Management and Group Compliance departments, to perform or support local AXA entities in performing the due diligence required to comply with AXA Standards and to document compliance with these Standards through an in-depth review. These departments may be called upon to give a second opinion on a particular case at the request of a local AXA entity and based on data provided by that entity. Your personal data will be kept for a maximum of five (5) years after the end of your employment contract.
The legal basis for the processing carried out by the Group Risk Management department is legitimate interest, to ensure compliance with the Standards resulting from Solvency II regulations and issued by the Autorité de Contrôle Prudentiel et de Résolution (ACPR),
The legal basis for the processing carried out by Group Compliance department is the AXA Group's legal obligation to comply with the requirements of the French Monetary and Financial Code,
Depending on your request, the relevant AXA Entity(ies): AXA Group Operations and AXA GO Business Operations, for the purpose of managing the hosting and technical support of AXA storage platform.
For the reasons mentioned in the table above (purposes), your personal data may be communicated by email between the departments mentioned above. Your emails are stored for three (3) years in active storage (meaning in your email inbox) and then archived for one (1) year before being permanently deleted. Please note that the following information is archived for one (1) year before being permanently deleted:
Information contained in a deleted email (i.e., moved to the "deleted items" category of the mailbox), from the date on which the email is deleted,
Information contained in the mailbox of an employee or consultant who has left AXA (from the date of his or her departure).
External
Providers providing a cloud/data hosting service,
Provider providing AI systems,
Providers for the support and maintenance,
Providers to manage international mobility,
Providers for the management of advertising activities,
Providers to send surveys, collect and perform analysis of the answers,
Providers to propose (i) newsletters’ solution, (ii) contests’ management solution and (iii) ticketing management solution,
Providers used for awareness purposes,
Providers providing events’ solution platform (dedicated websites’ creation platform),
Providers to design travel solutions,
Providers to implement market place of job offers and putting potential candidates in touch with AXA,
Providers to propose People review and succession plan & Executive development’s services,
Providers to propose tools for Human Resources process,
Providers providing professional tools,
Providers for the establishment of benchmark on external compensation,
Providers to manage (i) IT security issues and (ii) physical security issues,
Providers to manage postal mail,
Providers to manage labor litigations,
Providers of an electronic voting solution,
Providers for the posting of the occupation of the buildings and the reservation of the meeting rooms,
Providers to ensure the follow-up of the services of the restaurant of and the follow-up of the stock,
Providers for management of K-bis update, transmission, and effective beneficiary declaration,
Providers for financial services,
Providers for the certification of the accounts of AXA,
Providers to manage accounting, invoicing, contract management, commercial relations,
Providers to fight against fraud in advertising,
Providers to organize and manage contests to promote AXA / LFC partnership and to send marketing communications,
Providers to organize training sessions and to organize and manage international corporate events,
Providers to manage Performance Shares dedicated to retirement and Long-Term Incentives,
Providers for the receipt of your electronic pay slips,
Providers to propose transport services,
Beneficiaries of sponsorship.
But also:
Our counsel, including our lawyers, insurers, reinsurers, brokers, auditors, to comply with mandatory legal or regulatory requirements, to audit individual, consolidated accounts, to check conflicts of interest between the Customer and other Service Provider's clients and for quality, risk management or financial accounting purposes,
Any competent authority (including courts, judicial or administrative authorities, ACPR, French tax authorities),
Any potential buyer or partner: in the event that the Data Controllers take part in a merger, acquisition or other form of asset transfer, they undertake to ensure an adequate level of protection if your personal data is transferred to potential buyers or selected partners in the context of this transaction. Your personal data is deleted six (6) months after its collection.
If you wish to get some details on above-mentioned recipients acting as a processor (i.e., these recipients act on Our instructions only) or controller (i.e., these recipients determine the purposes and means of processing), do not hesitate to contact the Data Privacy team at privacy@axa.com.
Is your personal data transferred outside the European Union (EU)?
Some of those recipients are in countries outside the EU, which provide an adequate level of protection (i.e., your personal data is subject to the same levels of security as in the European Union):
Canada (link to access to Adequacy decision),
Japan (link to Adequacy decision),
New Zealand (link to access to Adequacy decision),
Switzerland (link to access to Adequacy decision),
United Kingdom (link to access to Adequacy decision),
United States, for companies participating in the EU-U.S. Data Privacy Framework (link to the Adequacy decision) – the list of these organisations is managed and published by the US Department of Commerce.
Your personal data can be transferred to the following countries, which do not provide an adequate level of protection:
India,
Madagascar,
Pakistan,
Philippines,
Singapore,
United States, for companies who are not participating in the EU-U.S. Data Privacy Framework.
In this case, the Data Controllers provide safeguards to ensure the security and the confidentiality of your personal data and frame their transfer(s) with the following guarantees:
(i) By signing, with the recipient of the data, the Standard Contractual Clauses adopted by the European Commission. You may obtain a copy of the signed Standard Contractual Clauses by requesting it from our DPO, whose contact details are as follows: 23 avenue Matignon, 75008, Paris for GIE AXA or 25 avenue Matignon, 75008, Paris for AXA SA and/or privacy@axa.com.
(ii) Or when your personal data is transferred to other entities of AXA, with Binding Corporate Rules (https://www.axa.com/en/about-us/our-commitments - part Find out more).