Privacy policy for Groupe CAT's employer branding and recruitement

Date of publication: 08-12-2025

We, Compagnie d’Affrètement et de Transport, C.A.T (CAT SAS), manage our employer brand and recruitment process for Groupe CAT (CAT SAS and certain of its subsidiaries) through our career website (the "Career Website") and with the help of an applicant tracking system.

In this Privacy Policy, we explain how we process your personal data in the following cases:

1. You visit our Career Site (you are a "Visitor")
2. You connect with us via our Career Site to create a profile and receive information about current or future vacancies within our company (you are a "Connected Candidate")
3. You apply for a position within our company via our Career Site or a third-party service (you are an "Applicant")
4. We collect information about you from other parties, sites and services, as we believe your profile is relevant to our current or future vacancies (you are a "Sourced Candidate")
5. We receive information about you from our employees or partners, as they believe your profile is relevant to our current or future vacancies (you are a "Referred Candidate")
6. We receive information about you from a Candidate who names you as a reference (you are then a "Referrer").

This Privacy Policy also describes your rights when we process your personal data and how you can exercise those rights.

When we use the term "Candidate" in this Privacy Policy, we are referring to all connected Candidates, applicant Candidates, sourced Candidates and referred Candidates, unless otherwise specified.

1. About the processing of personal data

Personal data refers to any information that can be directly or indirectly linked to a living individual. Examples of personal data include name, email address, telephone number and IP address. Processing of personal data refers to any automated or non-automated use of personal data, such as the collection, creation, analysis, sharing and deletion of personal data.

Laws and regulations govern how companies may process personal data, known as data protection laws. Different data protection laws apply to different types of personal data use in different parts of the world. An important example of data protection law that is relevant to our use of your personal data, as described in this Privacy Policy, is the European Union's General Data Protection Regulation (2016/679, GDPR).

Most of the obligations under the GDPR apply to the data controller. A data controller is the entity that decides for what purposes personal data will be processed and how the processing will be carried out. The data controller may use a data processor. A data processor is an entity that may only process personal data on behalf of the data controller and may not use the personal data for its own purposes.

When we process your personal data, we assume the role of data controller as described in this Privacy Policy.

2. What personal data do we process?

All individuals

• Device information - If you visit our Career Site, we will collect data about your device, such as IP address, browser type and version, session behaviour, traffic source, screen resolution, preferred language, geographic location, operating system, and device settings/usage.
• Technical and statistical data - If you visit our Career Site, we will collect technical and statistical data about your use of the site, such as information about the URLs you visit and your activity on the site.
• Communication data - We will collect and store your communications with us, including information provided by you during these exchanges. This may include, for example, the content of emails, video recordings, social media posts, information you add to your account with us, responses to surveys, etc.
• Contact details - Such as your name, email address, telephone number and physical address.

Candidates

• Data from interviews, assessments and other information from the recruitment process - Such as notes from interviews conducted with you, assessments and tests carried out, salary requirements.
• Information contained in your application - Such as your CV, cover letter, work samples, references, letters of recommendation, certificates and training.
• Information contained in your public profile - This is information we collect about you from public sources related to your professional experience, such as LinkedIn or your current employer's website.
• Information provided by referees - This is information we receive from our employees or partners who recommend you to us, or from people you have listed as references.

3. Where does your personal data come from?

All individuals

• From the Job Site. If you visit our Job Site, we collect technical and statistical data about how you use the Job Site, as well as data from your device.
• Directly from you. Most of the information we process about you comes directly from you, for example when you apply for a job with us or when you connect with us. You always have the choice not to provide us with certain information. However, some personal data is necessary for us to process your application or provide you with the information you request from us.

References

• From the person for whom you are a reference. If a candidate names you as a reference, we will collect your contact details from the candidate so that we can contact you.

Candidates

• From public sources. We may collect personal data about you from public sources, such as LinkedIn or your current employer's website.
• From our referrers. We may receive information about you from our employees or partners (such as recruitment service providers) if they believe your profile is relevant to our current or future vacancies.
• From your references. If you provide us with references, we may collect information about you from them.
• Data we generate ourselves or in collaboration with you. Information about your application and profile is generally created by us or in collaboration with you during the recruitment process. This may include, for example, notes taken during interviews with you, as well as assessments and tests carried out.

4. Why do we process your personal data?

To protect and enforce our rights, interests and those of others, including in legal proceedings.

Data subjects: the individual(s) concerned by any legal issue arising from the use of the Career Site or a dispute resulting from the recruitment process, who may belong to any of the categories of persons listed above.

Categories of personal data used: All categories of personal data listed above may be used for this purpose.

Sharing your personal data with other recipients for the purposes set out in Article 5 below.

Data subjects: This varies depending on the purpose of the sharing, see Article 5 below.

Categories of personal data used: All categories of personal data listed above may be used for this purpose.

Collecting information about your use of the Career Site, using cookies and other tracking technologies, as described in our Cookie Policy.

Data subjects: Visitors.

Categories of personal data used: Device information.

Maintain, develop, test and otherwise ensure the security of the Career Site.

Data subjects: Visitors.

Categories of personal data used: Device information; technical and statistical data.

Analyse the use and performance of the Job Site and its content in order to obtain statistics and improve operational performance.

Data subjects: Visitors.

Categories of personal data used: device information; technical and statistical data.

To provide you with updates on job vacancies within our company.

Data subjects: Registered candidates.

Categories of personal data used: Contact details; Communication data

To evaluate the profiles and applications we receive. This also includes communicating with you about your application and profile.

Data subjects: Registered candidates; applicants.

Categories of personal data used: All categories of personal data listed above may be used for this purpose.

Proactive collection and evaluation of your professional profile. This also includes communicating with you about your profile.

Data subjects: Sourced candidates; co-opted candidates.

Categories of personal data used: All categories of personal data listed above may be used for this purpose.

Contacting you directly about specific future vacancies with us.

Data subjects: Registered candidates and candidates.

Categories of personal data used: All categories of personal data listed above may be used for this purpose.

Recording the interview(s) conducted with you.

Data subjects: Applicants.

Categories of personal data used: Communication data.

Contacting you to ask you to participate in surveys.

Data subjects: Registered candidates and candidates.

Categories of personal data used: All categories of personal data listed above may be used for this purpose.

To contact you to request information about a Candidate and to evaluate the information you provide.

Data subjects: References.

Categories of personal data used: Contact details; Communication data.

5. Who do we share your personal data with?

Our service providers. We share your personal data with our service providers who offer services and features as part of our employer branding and recruitment process. These include recruitment service providers and the provider of our Career Site and associated Applicant Tracking System ("ATS").

Companies in our group. We share your personal data with companies in our group when they provide services and features for our employer brand and recruitment process, such as access to specific systems and software.

Companies providing cookies on the Career Site. If you consent, cookies are set by companies other than ours, which will use the data collected by these cookies in accordance with their own privacy policies. You can find information about the cookies concerned in our Cookie Policy.

To authorities and other public bodies - when we are required to do so. We will share your personal data with authorities and other public bodies when we are legally required to do so.

To parties involved in legal proceedings. If necessary to protect or defend our rights, we share your personal data with public authorities or other parties involved in potential or ongoing legal proceedings. This may occur, for example, in the event of complaints of discrimination.

Mergers and acquisitions, etc. In the context of a potential merger, sale of company assets, financing or acquisition of all or part of our business by another company, we may share your personal data with other parties involved in the process.

6. On what legal basis do we process your personal data?

In order to process your personal data, we must have an established legal basis. A legal basis is a necessary justification for the processing of personal data under the GDPR.

In the context of the activities described in this Privacy Policy, our main legal basis is that processing is necessary for our legitimate interest in enabling us to recruit talent with the appropriate skills. We have concluded that there is a legitimate interest in processing your personal data for this purpose, that this processing is necessary to achieve this objective, and that our interest outweighs your right to have your data not processed for this purpose.

If you would like more information on how this assessment was made, please do not hesitate to contact us. Please see sections 9 and 10 below for our contact details.

In certain specific circumstances, your data may only be processed if and when you give your explicit consent. This is the case, for example, when we offer to record a conversation with you. Please refer to Article 9 below for more information about your right to withdraw your consent.

7. When do we transfer your personal data outside the EU/EEA, and how do we protect it in such cases?

We strive to always process your personal data within the EU/EEA.

However, some of our service providers process your personal data outside the EU/EEA area. We also use suppliers whose parent company, or the parent company of their subcontractor, is based outside the EU/EEA. In such cases, we have taken into account the risk that personal data may be disclosed in countries outside the EU/EEA, for example due to a request from an authority.

When another recipient of your personal data (as described in section 5 above) is based outside the EU/EEA, this also means that your personal data is transferred outside the EU/EEA.

When we, or one of our suppliers, transfer your personal data outside the EU/EEA, we ensure that we use a safeguard recognised by the GDPR to enable the transfer. We use the following safeguards:

• A decision by the European Commission that the country outside the EU/EEA to which your personal data is transferred offers an adequate level of protection, corresponding to the level of protection guaranteed by the GDPR. In particular, we rely on the European Commission's adequacy decision for the United States via the EU-US Data Protection Framework, and the adequacy decision for the United Kingdom.

Or

• The conclusion of the European Commission's standard clauses with the recipient of personal data outside the EU/EEA. This means that the recipient guarantees that the level of protection of your personal data, as provided for by the GDPR, continues to apply, and that your rights are still protected.

When your personal data is transferred outside the EU/EEA, we also put in place appropriate technical and organisational safeguards to protect personal data in the event of disclosure. The specific protective measures we implement depend on what is technically feasible and sufficiently effective for the transfer in question.

If you would like more information about when your personal data is transferred outside the EU/EEA, please contact us using the contact details provided in sections 9 and 10 below.

8. How long do we keep your personal data?

All individuals

If we process your personal data for the purpose of protecting and enforcing our rights, we will retain it until the related legal matter has been fully and finally resolved.

Visitors

We retain your personal data for one (1) year for security purposes. Cookie retention periods are set out in our Cookie Policy. We retain your personal data for the purpose of analysing the performance of the Career Site for as long as we retain personal data about you for other purposes.

Candidates

If you are a registered Candidate (only), we retain your personal data for as long as you remain registered with us.

For other types of Candidates, we retain your personal data in order to determine whether you are a suitable candidate for the relevant vacancy(ies) with us.

If you are not selected in the initial recruitment process, we will retain your personal data for 24 months (only 6 months in the specific case of Germany). If you are interested in targeted job offers, we will only contact you if you have given your explicit consent.

If you are recruited, we will retain your personal data for the duration of your employment for purposes other than those mentioned above, of which you will be informed.

References

We retain your personal data for as long as we retain the personal data of the Candidate for whom you acted as a reference.

9. What are your rights, and how can you exercise them?

In this article, you will find information about your rights when we process your personal data. As described below, some of the rights only apply when we process your personal data on a specific legal basis.

If you wish to exercise any of the rights listed here, we suggest that you:

• Visit the Data and Privacy page of our Career Site, where we offer features that allow you to exercise your rights;
• Log in to your account with us, where you can use the account settings to exercise your rights; or
• Contact us directly at the following address: alertesGDPR@groupecat.com

Right to be informed

You have the right to be informed about how we process your personal data. You have the right to be informed if we intend to process your personal data for purposes other than those for which it was originally collected.

We will provide you with such information through this Privacy Policy, updates on our Job Site (see also section 11 below) and by responding to any questions you may have.

Right of access to your personal data.

You have the right to know whether we process personal data about you and to receive a copy of the data we process about you. When you receive a copy of your data, you will also receive information about how we process your personal data.

Right to access and request the transfer of your personal data to another recipient ("data portability").

You may request a copy of the personal data concerning you that we process for the performance of a contract concluded with you, or on the basis of your consent, in a structured, commonly used and machine-readable format. This will allow you to use this data elsewhere, for example to transfer it to another recipient. If technically feasible, you also have the right to ask us to transfer the data directly to another recipient.

Right to erasure of your personal data ("right to be forgotten").

In certain cases, you have the right to request that we delete your personal data. This may be the case, for example, if it is no longer necessary to process the data for the purposes for which we originally collected it, if you withdraw your consent, if you object to the processing and there are no legitimate and compelling grounds for the processing (see below for the separate right to object).

Right to object to our processing of your personal data.

You have the right to object to the processing of your personal data based on our legitimate interest, citing your personal circumstances.

Right to restrict processing.

If you believe that the personal data we process about you is inaccurate, that our processing is unlawful, or that we do not need the information for a specific purpose, you have the right to request that we restrict the processing of that personal data. If you object to our processing, as described above, you may also ask us to restrict the processing of that personal data while we review your request.

When the processing of your personal data is restricted, we will only process that data (except for storage) with your consent or for the establishment, exercise or defence of legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest.

Right to rectification.

You have the right to request that we rectify inaccurate information and complete information about you that you consider incomplete.

Right to withdraw your consent.

Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. If you exercise this right, we will cease processing your data for the purposes for which you withdrew your consent. However, this does not affect the lawfulness of processing based on your consent before its withdrawal.

Right to lodge a complaint.

If you have any complaints about our processing of your personal data, you can lodge a complaint with the national data protection authority, a list of which can be found here if you are based in the EU.

If you are based in the UK, you can lodge a complaint with the Information Commissioner's Office here.

10. Where can you send your comments or questions?

If you wish to contact us to exercise your rights or if you have any questions or comments about how we process your personal data, you can contact us by email at the following address: alertesGDPR@groupecat.com

11. Updates to this Privacy Policy

We update this Privacy Policy when necessary, whether because we adopt new methods of processing your personal data, to make the information clearer for you, or to comply with applicable data protection laws.

We encourage you to check this page regularly to stay informed of any changes that may be made. You can always check the top of this page to see when this Privacy Policy was last updated.