1. Purpose and Scope
This policy defines how we process personal data in our capacity as a data controller.
The Apave Group is committed to complying with the General Data Protection Regulation (GDPR), as well as all applicable local laws and regulations across our various entities.
This policy applies uniformly to the Apave.com website and extends generically to all related entities and subsidiaries, whether located in France or internationally: Apave Exploitation France (AEF), Apave Infrastructures et Construction (AICF), Apave Italy, Apave Performance Immo, Apave Monaco, AQUASS, RSE France, Apave Tunisia, Apave India, Apave Africa, Apave Vietnam, and AGTS.
Within the framework of our business activities, we generally act as a data controller independent of our clients (controller-to-controller relationship):
- Training - Certification - Audit: Apave acts as a data controller in the same capacity as our clients, notably because we alone determine the purposes and means to meet the regulatory requirements applicable to us. This is simply a handover between two independent data controllers.
- Inspection - Testing and Measurement: we do not collect personal data other than what is necessary to execute the purpose of the contract, for which processing Apave alone determines the purposes and means. Apave acts to fulfill its obligations as a trusted third-party organization and to ensure the traceability of its interventions. We operate in regulated professions with decision-making autonomy over the core mission.
- Consulting: where we act within the scope of consulting missions or provide our expertise, know-how, and proprietary methodology, we are independent data controllers (compliance audits, risk management, technical or organizational consulting). When the mission is limited to a technical or operational service executed exclusively under the strict instructions of the client without any room for maneuver (e.g., the client provides the database using their own criteria), Apave will then act as the client's data processor.
2. Personal Data Collected Within the Framework of Our Activities
All activities
Processing Operations: Website management
- Entities Concerned: All entities (Apave Exploitation France (AEF), Apave Infrastructures et Construction (AICF), Apave Italy, Apave Performance Immo, Apave Monaco, AQUASS, RSE France, Apave Tunisia, Apave India, Apave Africa, Apave Vietnam, and AGTS).
- Detailed Purposes:
- Improving our products and services
- Offering personalized advertising and content
- Technical maintenance and security of the website
- Personal Data Collected:
- Identity (Last name, first name).
- Professional contact details (Email, phone number).
- Professional life (Job title, company, sector).
- Browsing data (Cookies, IP addresses, connection logs).
- Results of satisfaction surveys.
Processing Operations: Management and tracking of client contracts
- Entities Concerned: All entities (Apave Exploitation France (AEF), Apave Infrastructures et Construction (AICF), Apave Italy, Apave Performance Immo, Apave Monaco, AQUASS, RSE France, Apave Tunisia, Apave India, Apave Africa, Apave Vietnam, and AGTS).
- Detailed Purposes:
- Ensuring the tracking and management of the contract and related services.
- Scheduling interventions and preparing reporting elements, where applicable.
- Processing contact forms and quote requests.
- Sending newsletters and commercial prospecting.
- Client satisfaction surveys.
- Personal Data Collected:
- Identification data: Last name, first name.
- Professional life: Client contact details, job title, affiliated company, business relationship history.
Training
Processing Operations: Registration and administrative management of training courses
- Entities Concerned: AEF, BVT, and international subsidiaries.
- Detailed Purposes:
- Processing registration files.
- Establishing training agreements and invoicing.
- Compiling and tracking funding files with public bodies.
- Sending invitations and welcome sheets.
- Personal Data Collected:
- Identity and professional contact details of the learner.
- Contact details of the employer or sponsor.
- Financial invoicing information.
Processing Operations: Attendance tracking and training delivery
- Entities Concerned: AEF, BVT, and international subsidiaries.
- Detailed Purposes:
- Monitoring learner attendance.
- Digitalizing and signing attendance sheets via the dedicated application (or on physical media).
- Personal Data Collected:
- Last name, first name.
- Signature (manual or digital).
- Technical connection logs to the attendance application.
Processing Operations: Management of prerequisites and aptitudes
- Entities Concerned: AEF, BVT, and international subsidiaries.
- Detailed Purposes:
- Validating entry aptitudes for regulated training courses.
- Verifying prior education levels or required technical authorizations.
- Personal Data Collected:
- Diplomas or credentials held.
- Proof of professional experience.
- Specific medical aptitudes (when required by local law, e.g., nuclear radiation risks).
Processing Operations: Evaluation, certification, and issuance of deliverables
- Entities Concerned: AEF, BVT, and international subsidiaries.
- Detailed Purposes:
- Conducting theoretical and practical examinations.
- Producing and issuing regulatory titles and certificates.
- Transmission to official national registries (e.g., INRS in France).
- Personal Data Collected:
- Grades, evaluations, and attendance records.
- Date and place of birth (regulatory requirement for issuing certain titles).
- Learner's ID photograph (if required for the certificate/title).
Processing Operations: Measurement of educational satisfaction
- Entities Concerned: AEF, BVT, and international subsidiaries.
- Detailed Purposes:
- Collecting and processing feedback from learners regarding the quality of the training provided.
- Personal Data Collected:
- Qualitative evaluations and comments (with the option to anonymize)
Consulting
Processing Operations: Psychosocial Risk Assessment (PSR) & Occupational Health and Safety (OHS)
- Entities Concerned: Apave Exploitation France (AEF).
- Detailed Purposes:
- Conducting workplace climate surveys and perception interviews.
- Diagnosing safety culture within companies.
- Assisting in drafting the Single Risk Assessment Document (DUER).
- Personal Data Collected:
- Responses to perception questionnaires, professional opinions.
- Risk situations identified by workstation.
- Photographs of working postures (without facial capture).
Processing Operations: Radiation Protection Consulting (RPC)
- Entities Concerned: Apave Exploitation France (AEF).
- Detailed Purposes:
- Monitoring individual radiological exposure (ensuring no breach of limits).
- Secure routing of abnormal exposure alerts to the occupational physician.
- Personal Data Collected:
- Individual Dosimetric Monitoring (IDM) data.
- Assessments and reports sent to clients strictly in the form of statistical and anonymized data (averages, min/max doses).
Processing Operations: CSR / ESG Accompaniment
- Entities Concerned: RSE France (dedicated expert), Apave SA, AEF, BVT, Apave Performance Immo, AQUASS, and international subsidiaries.
- Detailed Purposes:
- Sustainability and societal maturity diagnostics.
- Conducting carbon footprints (regulatory or voluntary).
- Consulting on extra-financial and transition strategies.
- Personal Data Collected:
- Contact details of the client's technical focal points.
- Operational activity data of the company necessary to calculate environmental/social indicators.
Processing Operations: Combating undeclared work ("Id control")
- Entities Concerned: AICF (Construction France) and international subsidiaries.
- Detailed Purposes:
- Verifying the compliance and regularity of subcontracting companies operating on construction sites.
- Personal Data Collected:
- Identification data (Last name, first name).
- Professional data (BTP card, access badge).
Testing & Measurement
Processing Operations: Occupational exposure measurements
- Entities Concerned: AEF (Laboratories & Measurement Agencies) and international subsidiaries.
- Detailed Purposes:
- Physical measurement campaigns (noise, dust, vibration, air quality) at workstations within client establishments.
- Personal Data Collected:
- Physical exposure measurements linked to a workstation (employee indirectly identifiable by their employer).
Processing Operations: Geotechnical sampling and testing
- Entities Concerned: AGTS (dedicated expert) and international subsidiaries.
- Detailed Purposes:
- Identifying stakeholders to carry out the following missions: core drilling campaigns, sampling, and physical analysis of soils, foundations, and road structures.
- Personal Data Collected:
- Contact details of operators and owners of land parcels.
Processing Operations: Testing on construction materials
- Entities Concerned: AICF, AEF, and international subsidiaries.
- Detailed Purposes:
- Identifying stakeholders to carry out the following missions: physical controls of compliance and resistance of concrete, aggregates, and construction site structures.
- Personal Data Collected:
- Professional contact details of site managers and project supervisors.
Audit
Processing Operations: Evaluation of social and medico-social establishments (ÉS&MS)
- Entities Concerned: AEF (Technical Department).
- Detailed Purposes:
- Compliance audits of medico-social structures (HAS reference framework).
- Administrative, contractual, and financial management of external, non-salaried evaluators/interveners.
- Personal Data Collected:
- Audit notes within the establishments.
Processing Operations: Technical, Safety & Infrastructure Audits
- Entities Concerned: AICF (Telecoms & Buildings expert), AEF, and international subsidiaries.
- Detailed Purposes:
- Identifying stakeholders to carry out the following missions: diagnostics of complex industrial installations, safety audits on telecommunications infrastructure (mobile towers, fiber optic connections).
- Personal Data Collected:
- Identity and job title of technical or operations managers.
Processing Operations: Regulatory or voluntary certification audits
- Entities Concerned: AEF and international subsidiaries.
- Detailed Purposes:
- Evaluating company management systems according to international standards (ISO 9001, 14001, 45001, 50001, etc.).
- Personal Data Collected:
- Names, first names, and job titles of employees audited during interviews.
Inspection
Processing Operations: Periodic regulatory verifications (VRP)
- Entities Concerned: AEF and international subsidiaries.
- Detailed Purposes:
- Identifying stakeholders to carry out the following missions: mandatory compliance checks of equipment in operation (lifting equipment, electrical installations, pressure equipment - PE).
- Personal Data Collected:
- Contact details of focal points and maintenance managers at the client's premises.
- Names and signatures of technicians/managers in official statutory inspection reports.
Processing Operations: Construction technical control
- Entities Concerned: AICF and international subsidiaries.
- Detailed Purposes:
- Regulatory missions relating to the structural solidity and fire safety of new buildings or civil engineering works.
- Personal Data Collected:
- Contact details of project owners, architects, and partner engineering firms.
- Technical opinions incorporating nominal validation data.
Processing Operations: Monitoring and validation of regulatory qualifications
- Entities Concerned: AEF, AICF, and international subsidiaries.
- Detailed Purposes:
- Nominal management, verification, and issuance of professional competence titles or cards on behalf of third parties (e.g., welder qualification processes).
- Personal Data Collected:
- Names, first names, date of birth, photographs of qualified personnel.
- History and results of technical tests taken.
Certification
Processing Operations: Management systems certification (ISO 9001, 14001, 45001, 27001, 50001...)
- Entities Concerned: AEF, Apave SA, and international subsidiaries (Apave Italy, Tunisia, India, Africa, Vietnam, Monaco).
- Detailed Purposes:
- Reviewing certification applications and entering into contracts.
- Scheduling, tracking, and conducting certification audits.
- Technical decision-making (granting, maintaining, renewing, suspending, or withdrawing the certificate).
- Sending certification renewal notifications and reminders via email.
- Managing complaints and appeals processes.
- Personal Data Collected:
- Identity and professional contact details of the client focal point (Last name, first name, email, phone number).
- Professional life (Job title, company).
- Names, first names, and job titles of employees audited or interviewed.
- Evaluation data and certification decisions.
Processing Operations: Certification of skills and individuals (Real estate diagnosticians, Welders...)
- Entities Concerned: AEF, BVT, Apave Performance Immo, AICF, and international subsidiaries.
- Detailed Purposes:
- Organizing, supervising, and conducting theoretical and practical examinations.
- Producing, issuing, and managing professional skills certificates or cards.
- Maintaining and publishing up-to-date registries of certified individuals.
- Managing and sending certification renewal reminders.
- Personal Data Collected:
- Full identity (Last name, first name, date and place of birth).
- Personal or professional contact details (Email, phone number, postal address).
- Professional life (CV, diplomas, career history, employer).
- Test results, grades, and technical evaluations.
- ID photograph and signature of the certified individual depending on the specific certification.
Processing Operations: Certification of products, services, and labels (Qualiopi, Labels, CE Marking, PPE...)
- Entities Concerned: AEF, RSE France (dedicated expert for ESG/CSR labels), AICF (construction products), BVT (packaging/dangerous goods transport equipment), and international subsidiaries.
- Detailed Purposes:
- On-site or document-based compliance audits against applicable reference frameworks.
- Producing and issuing compliance certificates or labels.
- Annual tracking and surveillance audits to ensure continued compliance.
- Personal Data Collected:
- Professional contact details of focal points and compliance managers (Last name, first name, email, phone number).
- Operational, technical, and nominal data integrated into the technical files submitted for compliance evaluation.
3. Data Retention and Security
We implement the necessary and appropriate organizational and technical security measures to protect the data we store against any unauthorized access, modification, disclosure, or destruction. The Information System Security Policy (ISSP/PSSI) can be shared with you to provide more details on these measures.
These measures include, but are not limited to, the following:
- Collecting only data that is necessary for the determined, explicit, and legitimate declared purposes.
- Apave's employees, processors, service providers, and interlocutors who need access to personal data to perform their roles, functions, and responsibilities:
- Are authorized and have access strictly reserved for them;
- Are made aware and/or trained according to their roles, functions, and responsibilities;
- Commit to respecting the confidentiality of the data they handle and have been informed of the risks and sanctions in the event of a breach of this obligation.
- We encrypt data whenever necessary.
- We conduct internal audits as well as audits of our suppliers processing personal data on behalf of Apave.
In accordance with the principle of data minimization and retention limitation, we have established retention periods adapted to the purpose of the processing carried out. To ensure the application of these principles, various measures have been taken:
- Integration of retention and archiving periods into our General Quality Procedure and our retention periods management procedure;
- Automation of certain data purges;
- Integration of retention, archiving, and purging processes into our projects;
- Handling data destruction requests upon instruction from the data subject or the client;
- Equipment decommissioning and disposal procedures.
We generally retain personal data for the duration of the business relationship, after which we archive or delete it. In certain cases, we reserve the right to retain data for a longer period, notably to prevent potential litigation and to meet our legal and regulatory obligations.
In the event of a personal data breach presenting a risk to the rights and freedoms of individuals, Apave's DPO will notify the competent supervisory authority as soon as possible, and at the latest within 72 hours after becoming aware of it. The affected individuals will also be informed as soon as possible.
4. Data Recipients and International Transfers
Internal Recipients: Personal data is strictly reserved for the duly authorized internal departments of the Apave Group entity in charge of executing, tracking, or invoicing the services. Data may be transferred to the Group's parent company for the purposes of managing and steering our client database, steering our client surveys, etc. Furthermore, our clients' contact data may be shared with other Group entities that provide the same type of business activities.
Processors and Trusted Third Parties: We utilize trusted service providers (cloud hosting, LMS platform editors, certified external trainers or interveners) contractually bound by a formal data processing agreement compliant with applicable local regulations and security standards. When we use subcontractors to carry out specific processing activities, we ensure that these processors respect the same obligations and present sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing of personal data meets the requirements of the regulations in force. A formal data processing agreement will then be concluded.
Public Authorities: Data may be shared to comply with our legal or administrative obligations, or during external audits conducted by authorized evaluation bodies (e.g., in France: INRS, OPCO, COFRAC, CARSAT).
Guarantees on Transfers Outside the European Union:
- For entities based in France/EU: The primary hosting of data for European entities is located in France or within the EU; we generally do not transfer data outside the European Union. In the event that we are required to do so for the needs of a contract, we commit to implementing the appropriate safeguards enabling the transfer. In any event, we remain responsible for our commitments regarding this personal data.
- For entities based abroad: Data is hosted within the EU (barring exceptions). In all cases, the Apave Group commits, prior to any transfer, to ensuring compliance with an adequate level of protection or to concluding specific contractual clauses compliant with local and European regulations in force.
5. Rights of Data Subjects
In accordance with applicable regulations, any natural person possesses fundamental rights that Apave commits to respecting:
- Right to clear, fair, and transparent information.
- Right of access to information and to obtain a copy of the data.
- Right to rectification of incorrect, inaccurate, or incomplete data.
- Right to object to certain processing operations, notably to commercial prospecting.
- Right to withdraw consent at any time (without retroactive effect).
- Right to erasure (right to be forgotten), provided that the processing does not concern the execution of a contract in progress.
- Right to data portability for data provided directly by the person, based on a contract or consent.
- Right to restriction of processing and directives on managing data after death.
To exercise these rights, the user may contact the Group DPO electronically with the form, or by postal mail addressed to: Apave, DPO, 6 Rue du Général Audran, 92400 Courbevoie, France.
It is also possible to lodge a complaint with the competent supervisory authority (the CNIL in France).
This policy is regularly reviewed and updated in line with technological developments and national and international regulatory texts.
Date of last update: 19/06/2026
