Welcome to the Website workspace.totalenergies.com!

By connecting to the Website, you acknowledge that you have read, understood and accepted this Personal Data Protection Policy (herein after referred to as the “Policy”) without limitation or reservation along with our General Terms and Conditions of Use. Please note that other general terms and conditions and personal data protection policies apply to other websites of the TotalEnergies group. It is recommended that you read them carefully.

This Policy is intended to inform you of the rights and freedoms that you can exercise with regard to our use of your personal data. It also describes the measures implemented to protect them.
It is fully compliant with new french and european GDPR legislation (french RGPD) and applies to all TotalEnergies contractors (see GDPR contractor guide at CNIL's site).

TotalEnergies and Total Gobal Information Technology Services (referred to herein as TGITS or the “Data Controller”) is responsible for processing personal data concerning the management of this Website. Said processing is implemented in accordance with applicable laws.

1. Purpose of processing, Legal Basis, Period of Storage and types of data collected

When visiting the Website, you may provide with personal data such as your surname and first name in order to benefit from the services offered.
We can in particular collect some of your personal data for external communication purposes, such as answering your requests for information and better understanding your expectations. In our online forms, compulsory fields are marked with an asterisk. If you do not answer the compulsory questions, we will not be able to provide you with the requested service.
Your personal data are not subsequently processed in any manner that is incompatible with the purpose described above or in the collection forms. They are only stored for the requisite amount of time needed to fulfill these purposes.
When you'll login on Workspace platform, the use of your GGI will be done. This information will be stored by our security equipments, as well as your complete activity on the access provided by the Workspace connection over TotalEnergies Network, for security logging and misuses investigations.
By Using our service, you hereby fully accepts this point without any restriction.

2. Data recipients

Your personal data may be disclosed only to our specific departments tasked with processing or subsidiaries directly or indirectly owned or to specific partners, independent distributors or sub-contractors for analysis, Service Now requests or Incident Ticketing, and for statistics and security logging purposes.
Furthermore, if you submit a comment intended to be posted online, we may publish some of your personal data on the Website. Given the characteristics of the Internet, i.e., free capture of broadcast information and the difficulty, or even the impossibility, of monitoring usage by third parties, we inform you that you can stop such distribution by contacting us, as indicated in article 5 below.
The Data Controller transfers personal data in accordance with applicable laws.
Any transfer of data to a country outside the European Economic Area shall be carried out in accordance with the applicable regulations and in such a way as to protect your data appropriately.
For the purposes of the services provided on this Website, your data may be transferred to recipients located outside the European Union. For this reason, TotalEnergies has adopted “Binding Corporate Rules” (BCR) governing intra-Group transfers of personal data originating in the European Economic Area.
For data transfers not covered by the BCR, to countries outside the European Economic Area, other guarantees are provided.
You can request a copy by contacting us as explained in article § 7 below.

3. Security and data privacy

3.1. Security and privacy over the network

3.1.1. Security from build to publication

We provide access to our hosted applications with security in mind. Security is a high priority requirement when opening a service to the internet world. We apply stringent processes to ensure the security of our systems and this Website and its services throughout design, development, recurrent testing, and day-to-day operations.

3.1.2. Account and authentication

Our publications are hosted so that only allowed personals and staffs can access them, and so that you, and only you can access your eventual account. Your account is always at least password protected with Digital Passport, and can also potentially be secured more deeply by the use of a TotalEnergies SmartCard.
When choosing your password, while we ensure a strong password policy and non-reversible hashing for storage of the password, we encourage you to change it on a regular basis.

3.1.3. Military level encryption

All the services that you will access through this Website employ military level security – the highest standards in Internet and data security, thanks to the service provided by this Website.
Our independent, multiple security layers include strong cryptographic implementations (such as 256 bit data encryption, at least 128 bit data encrypted SSL systems using Advanced Encryption Standards or GCM algorithm, up to 384 bits if your browser can support it) and defense-in-depth network protection (with multiple firewalls, intrusion prevention appliances, and active monitoring systems).

3.1.4. PCI-DSS compliance

This site fully complies with PCI-DSS security requirements.

3.1.5. Proactive and preventive intrusion detection

Our infrastructure implements preventive and proactive intrusion detection mechanisms to enforce the security of our hosted applications.

3.1.6. Security Monitoring and Optimisation

TGITS conducts periodic security reviews and vulnerability assessments on its infrastructures. We also actively monitor and continuously optimize our security infrastructure, both within the application codes and across our network/system platform, whose access always securely, deeply and stricly logged and transmitted to our SIEM team for every-day audit (see article § 5 of this Privacy Policy).

3.1.7. Disaster Recovery Plan (DRP)

Our hosting infrastructure are hosted on 2 DC-3 certified datacenters around Paris region. Fallback from one datacenter to one other is regular tested and is guaranteed to be completely transparent for all your publication's usage, regardless of the services that are made accessibld through this Website, whose Disaster Recovery Plan may not be as complete as the one of our hosting service.

3.2. Data Privacy of your personal data

We implement the appropriate measures to ensure the security and confidentiality of your personal data and in particular to prevent them from being altered, damaged or accessed by unauthorized third parties.
As a matter of fact, thsi Website does not store any direct personal information, and only makes hard use of your TotalEnergies GGI identifier that will be logged for every request you will make through Workspace service on TotalEnergies' Network. These tracks will only be exploited by habilitated personals and security teams and will never be disclosed for other purposes.

4. Cookies management

4.1 Principles

When you visit the Website, “cookies” may be installed on your computer browser. A cookie is a file that records information concerning your browsing of the Website from that computer (e.g., visited pages, date and time of browsing, viewed links, authenticated session persistence) and will facilitate your visits by making it easier and faster for you to identify yourself to access your target pages.
You can delete cookies installed on your computer at any time and prevent new cookies being saved and receive notification before installation of a new cookie by configuring your browser software. Please refer to the help section of your browser software for more information on how to activate and deactivate these functions and refer to the browser’s “types of cookies, cookies, statistics, settings”.
Furthermore, you can also use this page service to remove all the specific cookies used by this Website. See section § 4.2.3 in order to do that online. However, Please note that you may not benefit from some of our services if you uninstall a cookie or prevent cookies from being installed on your machine.

4.2 Type of cookies, statistics and settings

Cookies installed on your server when you surf on the Website are cookies which exclusively aim at enabling or facilitating communication through electronic mean or which are strictly necessary for the provision of services you require (Languages cookies, identify cookies ...) or statistics cookies, as well as potential other cookies under the following conditions.
When this site will require cookie installation, your consent will always be requested prior any cookie deployment, given that the pursuit of the navigation on the Website means your acceptation.

4.2.1. Which cookies are installed ?

Data Controller Cookies

Hereby is the exhaustive list of cookies that are or can be set up by this Website on your Browser, after confirming your consent. Please refer to article § 4.2.2 to see all the cookies that are currently set in the browser you are using by our platform.

Cookie name	Description	Content	Persistence
LastMRH_Session	Tracking the last 8 digits of the MRHSession session ID. This is the value that will be reported for your current session in every access report.	See §4.2.2	Removed when the browser is closed
MRHSession	Cookie used by the Website to store your Workspace Session Identifier for session persistence after authenticationn has passed.	See §4.2.2	Removed when the browser is closed
MRHSHint	Cookie is used for Microsoft SharePoint or for IBM Lotus Domino iNotes. MRHSHint cookie is used to carry information for SharePoint ActiveX controls.	See §4.2.2	Removed when the browser is closed
MRHSequence	Cookie is used to keep the version of a set of cookies changed by Workspace and JavaScript.	See §4.2.2	Removed when the browser is closed
F5_fullWT	Cookie is used to mark a full webtop session on Workspace Service.	See § 4.2.2	Removed when the browser is closed
F5_HT_shrinked	Cookie is used to mark a shrinked home tab in portal access through Workspace Service.	See § 4.2.2	Removed when the browser is closed
Site (F5_ST)	Cookie is used exclusively to keep the client informed about session-timeout and inactivity timeout through use of specific Workspace browser-based JavaScript.	See §4.2.2	Removed when the browser is closed
TIN	Cookie is used to keep client informed about the remaining time in session inactivity timeout.	See §4.2.2	Removed when the browser is closed
workspace-settings	Cookie is used to store user session preferences. This is a permanent cookie.	See §4.2.2	10 years after setup, unless removed
workspace-selfservice	Cookie is used to store user selfservice/ondemand activated resources. This is a permanent cookie.	See §4.2.2	10 years after setup, unless removed

Third-Parties Cookies

Third parties cookies are set by the sites that you access through Workspace, once your Workspace session is connected and running.
Please refer to your specifics applications privacy policies for more information on the cookies they sets up, the data they collect and security measures they implement.
More specifically, for users that authenticate on our service with a Digital Passport identifier:

Cookie editor	Description	Content	Persistence
Memority (DigitalP@ss)	A set of cookies defined on hubtotal.net domain, and eventually replayed on workspace.totalenergies.com domain by our service authenticate your DigitalP@ss session and store its persistence information during all your browsing session.	Consult Memority for more information	Removed when the browser is closed

Statistics Cookies

This site does not make any use of statistics cookies. However, subsequent sites that will be accessed through the Workspace service may setup that kind of cookies. Please always refer to the specific terms of use and privacy policy of the specific applications and websites accessed through this service.

4.2.2. Live view of cookies installed by this Website

This section list all the cookies effectively installed by this Website on your browser.

There is no cookie currently set by this Website.

Cookie name

Current value

4.2.3. Removing all cookies installed by this Website

All the cookies installed by this Website can be removed all-in-one by using the "Remove our Cookies" button provided below.
Please keep in mind that you will loose all preferences and customisations that you will have personalised on this Website. You will also loose all session information, meaning that if you are currently using this Website's service, you will be immediately disconnected.
Also please note that if you use this Website again, you will be prompted again for your consent to redeploy the cookies that the use of this site requires.

4.2.4. Setting up your Browser to refuse cookies, or to warn you before installing cookies

• Surfing with Internet Explorer 10 or greater, or Microsoft Edge: Click on “Tools”, “Internet Options”, “Confidentiality”, then the level you want to apply.
• Surfing with Firefox: Click on “Tools”, “Options”. In “Privacy” uncheck “Accept cookies”.
• Surfing with Google Chrome: Click on “Customise and Control Google Chrome”, click on “Settings”. In “Confidentiality”, click “Content Settings”, and tick “Block cookies and data from third parties websites.
• Other browser, or mobile OS browser: Please refer to your browser vendor or mobile OS vendor documentation.

5. Access logging by our security services

As stated in article § 3, access to Workspace services is strictly logged by our security services for security analysis and forensics purposes.
The sole personal information that is logged by our services is your personal GGI that has been granted by your TotalEnergies representative as your unique identifier on TotalEnergies network. This information is associated in every access log that your browsing session or your use of the Workspace VPN service will generate.
In no case this information will be shared with other partners or third parties than the formally habilitated ones to exploit those logs.
In no case also will this information be exploited for other purposes than security and audit forensics.
Finally, you can request a full copy of your access logs for the current month by sending us this request as stated in next article.

6. TotalEnergies' Binding Corporate Rules

6.1. Introduction

The TotalEnergies Group (or "TotalEnergies") promotes a culture and practices protecting personal data⁽¹⁾, in accordance with the applicable laws. To this end, TotalEnergies has implemented binding corporate rules ("BCRs").
This document summarizes the data protection principles that apply under our BCRs and the rights granted by them.

6.2. Purpose

Our BCRs are a set of internal binding rules, which are applicable to all of the TotalEnergies subsidiaries that have adopted them. They have been approved by the European data protection authorities.
They allow TotalEnergies subsidiaries to transfer personal data originating from the European economic area ("EEA")⁽²⁾ to TotalEnergies subsidiaries located outside of the EEA in compliance with the applicable law.

6.3. Implementation scope

Our BCRs apply to all EEA-originating personal data processed by TotalEnergies subsidiaries including data relating to former and current employees, job applicants, clients and prospective clients, suppliers and sub-contractors and the staff of third companies acting on behalf of the Group subsidiaries as well as shareholders (hereafter "data subjects").

6.4. Protection principles

The following principles set out in our BCRs must be respected:

Lawfullness

Any processing⁽³⁾ operation carried out within the Group has a legal basis, provided by the applicable law.
Personal data must only be processed for legitimate and lawful purposes. The data must not be further processed in a way which is incompatible with those purposes.

Relevance

Personal data must be accurate and proportionate, in terms of quality and quantity, in relation to the purpose of the processing.

Transparency

Personal data must be obtained lawfully and loyally. Data subjects must be informed about the characteristics of the processing of their personal data and about their rights, unless this proves impossible or would involve disproportionate efforts.

Security

Personal data must be protected by appropriate security measures to limit the risks of unauthorized access, destruction, alteration or loss.
When calling upon the services of a third party to process personal data, TotalEnergies subsidiary makes sure that the latter offers sufficient guarantees as regards the security and confidentiality of data.

Retention

Personal data must be retained only for a reasonable and not excessive period of time with regard to the purpose of the processing.
When the retention period expires, the data is destroyed, anonymized or archived.

International transfers⁽⁴⁾ of personal data

TotalEnergies does not transfer personal data originating from a country of the EEA directly to a TotalEnergies subsidiary located in a third country which does not provide an adequate level of protection, unless such subsidiary has formally subscribed to the BCRs or uses another legal instrument recognized by the European Commission.
TotalEnergies does not transfer personal data originating from the EEA directly to a company not belonging to the Group located in a country which does not provide an adequate level of data protection (data controller or processor) without a legal basis under applicable law and instruments providing for sufficient safeguards, such as the standard contractual clauses.
Similarly, where a data importer further transfers personal data originating from the EEA to a company not belonging to the Group (data controller or processor) located in a country which does not provide an adequate level of data protection, the data importer shall enter into an agreement with this company whereby it commits to observe the principles of BCRs.

6.5. Data subject rights

Under our BCRs, data subjects whose personal data are processed have the following rights:

• Right of access to the data,
• Right to rectify, erase and lock data,
• Right to object to the processing,
• Right to limit the processing.

A comprehensive list of the rights granted by the BCRs is detailed in APPENDIX 1 hereafter.

Data subjects may exercise these rights by submitting a request using the contact details provided in the legal notice concerning the processing of their data. TotalEnergies subsidiaries undertake to give replies within a reasonable timeframe about queries concerning the processing outside the EEA.
Moreover, if data subjects believe that a TotalEnergies subsidiary has failed to observe our BCRs, they have the right to lodge a complaint by sending, either:

• An e-mail to : data-protection@totalenergies.com
• A letter to TotalEnergies – Data Protection, Tour Coupole, 2 place Jean Millier, Arche Nord Coupole/Regnault, 92078 PARIS LA DEFENSE CEDEX, FRANCE.

Data subjects will be informed about the status of their complaint and of any further steps.
The internal complaint procedure is described in Appendix 2 hereafter.
The fact that data subjects may file a complaint with TotalEnergies does not affect their rights to lodge a complaint with the competent EEA data protection authorities or to bring an action before the courts of the EEA country where the TotalEnergies subsidiary responsible for exporting the personal data is established.

6.6. Changes to TotalEnergies' Rules

If necessary, our BCRs may be completed or updated.

6.7. More information

A copy of the comprehensive version of BCRs and a list of TotalEnergies subsidiaries can be obtained by sending an e-mail at: data-protection@totalenergies.com

Appendix 1 - Third party Beneficiary rights

TotalEnergies’ BCRs grant rights to Data Subjects to enforce the Rules as third-party beneficiaries, as detailed in the various chapters of these BCRs.
More specifically, they may enforce the following principles according to the terms and conditions set out in these BCRs:

• That any processing operation carried out within the Group must have a legal basis as provided for by Applicable Law;
• That TotalEnergies must collect and process Personal Data for legitimate, specified and explicit purposes and must not further process any Personal Data in a way incompatible with the purpose for which they were collected;
• That TotalEnergies must process Personal Data that are relevant and not excessive in relation to the purposes for which they are collected, and that these Data must be accurate and, where necessary, kept up to date;
• That Data Subjects must be provided with easy and permanent access to the information relating to their rights under these BCRs;
• That Data Subjects whose Personal Data originate from the EEA must have a right of access, of rectification and of objection to the processing of their Personal Data in accordance with Applicable Law;
• That Data Subjects whose Personal Data originate from the EEA must not be subject to a decision that produces legal effects concerning them or significantly affects them and that is based solely on automated processing of Personal Data intended to evaluate certain personal aspects relating to them, unless that decision:
  • Is taken in the course of the entering into or performance of a contract, provided the request for the entering into or the performance of the contract, lodged by the Data Subject, has been satisfied or that there are suitable measures to safeguard his/her legitimate interests, such as arrangements allowing him/her to express his/her point of view; or
  • Is authorized by Applicable Law, which also lays down measures to safeguard the Data Subject’s legitimate interests;
• That TotalEnergies must implement appropriate measures to guarantee the security and confidentiality of the Personal Data, having regard to the state of art and the cost of their implementation;
• That TotalEnergies must conclude a written processing agreement with any service provider used to process Personal Data, specifying that the service provider shall act only under TotalEnergies’ instructions and shall implement appropriate security and confidentiality measures;
• That TotalEnergies must not transfer Personal Data from a Member State of the EEA or originating from the EEA to a company not belonging to the Group and located in a Third Country which does not provide an adequate level of data protection (either an External Data Controller or Processor) without a legal basis under Applicable Law and instruments providing for sufficient safeguards;
• That a TotalEnergies Subsidiary must immediately inform the Data exporter if this TotalEnergies Subsidiary deems that the legislation applicable in its jurisdiction is likely to prevent it from fulfilling its obligations pursuant to TotalEnergies’ BCRs, and have a detrimental effect on the guarantees offered by these BCRs, unless where prohibited by a law enforcement authority, in particular as a result of a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
• That any Data Subject may lodge a complaint with TotalEnergies through the internal complaint mechanism in accordance with the terms set out in the Chapter "Complaint handling";
• That any TotalEnergies Subsidiaries that have subscribed to the BCRs must cooperate with the competent supervisory authorities, follow their recommendations regarding the international Transfers of Data in the event of a complaint or of a particular request from such authorities and accept to be audited by the supervisory authority of their country of establishment; That any Data Subject may lodge a complaint with the National Supervisory Authorities or bring an action before the court of the EEA Member State where the Data exporter is established in order to enforce the above principles, and, where appropriate, to receive compensation for the damage suffered as a result of a breach of TotalEnergies’ BCRs. If, in the course of a transfer of Personal Data outside the EEA, the Data importer fails to observe TotalEnergies’ BCRs, the Data exporter will defend any claim, establish that the Data importer has not violated the BCRs, and pay compensation to the Data Subject for the damage suffered as a result of that violation.

Appendix 2 - Internal Complaint handling procedure

If a Data Subject believes that a TotalEnergies Subsidiary has not complied with TotalEnergies’ BCRs, he/she may file a complaint in accordance with the complaint procedure set forth in the relevant privacy policy or contract or pursuant to the procedure described below.

How to make a complaint

Data Subjects may file a complaint by sending, either:

• An e-mail to: data-protection@totalenergies.com, or
• A letter to TotalEnergies – Data Protection, Tour Coupole, 2 place Jean Millier, Arche Nord Coupole/Regnault, 92078 PARIS LA DEFENSE CEDEX, FRANCE.

The complaint should clearly provide as much detail as possible about the issue raised, including:

• The country and the TotalEnergies Subsidiary concerned, the Data Subject’s understanding of the violation of the BCRs, the redress requested;
• The Data Subject’s full name and contact details as well as a copy of his/her identity card or any other identifying document;
• Any previous correspondence on this specific issue.

TotalEnergies' response

Within three months of TotalEnergies receiving a complaint, the appropriate Branch Data Privacy Lead ("BDPL") shall inform the Data Subject in writing of the admissibility of the complaint; and if the latter is admissible, of the corrective actions that TotalEnergies has taken or will take in response. The appropriate BDPL shall ensure that, if necessary, appropriate corrective actions are taken to achieve compliance with TotalEnergies’ BCRs if necessary.
The appropriate BDPL shall send a copy of the complaint and any written reply to the Corporate Data Privacy Lead ("CDPL").

Recourse process

If the Data Subject is not satisfied with the response from the appropriate BDPL (e.g., the complaint has been rejected), he/she may refer to the CDPL by sending an e-mail or letter as indicated above. The CDPL will review the complaint and reach a decision within three months of the data the request was received. Following this period, the CDPL will inform the Data Subject whether the initial response has been upheld or communicate a new response.
The fact that Data Subjects may file a complaint with TotalEnergies does not affect their right to lodge a complaint with the competent National Supervisory Authority or bring an action before the court of the EEA Member State where the Data exporter is established.

7. Your rights

In accordance with current regulations, you have a right to access, query, modify, rectify or delete your personal data. You also have a right to prior consent to marketing and to object to it under the applicable regulations.
You can obtain disclosure of your personal data. You can also object to the processing and circulation of your personal data. The Company reserves the right to reject any request it deems inappropriate. In accordance with applicable law in force, you have a right of formal consent to sales canvassing via e-mail, fax or automatic caller.
.You have the right to give instructions for the use of your personal data after your death.
You can also ask for restriction of the data and/or make a claim to the CNIL (the French data protection agency).

If you wish to exercise these rights or obtain other information, please send your request by e-mail using our contact form or by post to the following address:

Total Global Information Technology Services S.A.S.
Legal Department
2 Place Jean Millier - La Défense 6
92400 COURBEVOIE,
France

⁽¹⁾ Personal data means any information enabling the direct or indirect identification of a natural person.

⁽²⁾ EEA means Member States of the European Union plus Iceland, Liechtenstein and Norway.

⁽³⁾ Processing means any operation which is performed upon personal data, whether or not by automatic means (e.g.: collection, recording, storage, destruction ...).

⁽⁴⁾ Transfer means all virtual and physical exchanges of EEA-originating personal data from one country to another.