Covivio GDPR Policy

We are pleased to welcome you to our space dedicated to Covivio’s policy governing the processing of personal data.

Whether you are a customer, partner, supplier, shareholder or, more generally speaking, a contact of the Covivio Group, you will find the answers to your main questions below. Should any question remain unanswered, please feel free to contact our Data Protection Officer (DPO) at the following address:

Who is responsible for data processing?

The answer is Covivio S.A., whose registered office is located at 18, Avenue François Mitterrand, 57000 Metz (France), jointly with its controlled subsidiaries, including Wellio and Covivio Hotels.

Why do we process your data?

The reasons why we process your data depend on your relationship with Covivio. Their legal basis may be:

  • your consent, particularly if you are a prospect or contact of the Covivio group in the broad sense of the term;
  • the performance of a contract binding you to Covivio; this is especially the case if you are a tenant, customer, supplier or counterparty to any other transaction undertaken by Covivio;
  • compliance with our legal or regulatory obligations: convening our shareholders of our Group’s issuing companies to General Meetings, other obligations incumbent on them as listed companies  to which we are bound as an issuing company, the measures we must take in the fight against money laundering and the financing of terrorism, and so on;
  • our legitimate interest, specifically when it comes to the protection of our premises and their occupants (CCTV).

Which data do we process?

You have a contractual relationship with a Covivio Group company

We endeavour to keep you informed, on an ongoing basis or under contracts aimed at or involving the processing of your personal data, of the exact nature of this data and of your rights related thereto. Usually, these data have been collected from you directly. For any further information, please contact our DPO at the following address:

You are a Covivio Group contact in the broad sense of the term

The personal data we process are basically intended to provide you with information related to Covivio and its subsidiaries, to manage the relationship we have with you, to invite you to events, satisfaction surveys, competitions…. This includes your names, given names, employer if any, position, business sector, and professional and/or personal contact details (email and postal addresses, phone number).
You may at any time request to be removed from our emailing lists (via the dedicated space in our emails or by contacting our DPO). If there is no other link tying you to Covivio, we will permanently delete your personal data from our base.

Specific information about the CRM implemented by Covivio

In order to facilitate the management of its contacts, Covivio has set up a management tool called “CRM” (Client Relationship Management).

As an internal or external “contact”, in the broad sense, of our Group (Covivio SA and its subsidiaries abroad and in France, including Wellio and Covivio Hotels), we process your personal data within software developed by Sales Force acting as a subcontractor of your personal data.

As this processing is based on your consent, you may at any time request that the data contained in this tool be made anonymous (

The data that may need to be processed are as follows:

These are your: surname(s) first name(s), civil status, business and/or personal address, business and/or personal telephone number, business and/or personal email, position, category of function, sector of activity, type of relationship you have with Covivio (customer, tenant, supplier, administrator, shareholder, prospect, employee, other…) or that of your company, your wishes to be invited to events organised by Covivio, data relating to appointments you have held with our employees, your possible membership of an association or other professional circle and any strictly professional information concerning the relationship you have with our Group.

Generally this data has been collected from you directly or is public information.

Your personal data are processed:

  • in order to ensure effective and targeted communication between the employees of the Covivio Group on the one hand and you or your company on the other hand
  • optimize the management of the group’s contacts within our teams

These data are for the exclusive use of the Covivio Group. The recipients are:

  • the authorized employees of Covivio and its subsidiaries in France and abroad (the Covivio Group)
  • where applicable, certain authorised employees of Sales Force, acting as subcontractor of personal data on behalf of Covivio.

Your personal data may be transferred outside the European Union in accordance with the regulations in force. Under no circumstances are they the subject of commercial transactions with third parties.

Policy for storing your data in the CRM:

  • We anonymize your data within our tool within a maximum period of 15 days following your request
  • We carry out annual campaigns to make your data more reliable

You are a shareholder of a Covivio Group company(or represent a shareholder)

We process your personal data in order to send you all the documentation to which you, or the company you represent, are entitled or that you request as a shareholder; to meet our legal and regulatory obligations; and to keep track of the composition of our shareholding.

These personal data consist of your name(s) (common name or birth name), given name(s), date and place of birth, professional and/or personal phone number, professional and/or personal postal address, professional and/or personal email address, and the number of shares and voting rights you currently hold.

Who are the recipients of your personal data?

They are:

  • authorised personnel of the Covivio group (Covivio and its subsidiaries);
  • duly authorised service providers, with whom Covivio imposes a policy of security and privacy in full compliance with regulations;
  • if relevant and at their behest, the competent administrative or judicial authorities.

Under no circumstances are your personal data the subject of commercial transactions with third parties.

Should such data be forwarded outside the European Union, we guarantee full respect for all applicable regulations governing this type of transfer.

What is the retention period?

Your personal data will not be retained in any form that may lead to your identification beyond the time needed to fulfil the purposes for which they are processed and to respect our contractual, legal and regulatory obligations.

What are your rights?

  • You may at any time request additional information about the processing of your personal data.
  • You have right of access to your data together with right of rectification and portability.
  • You have the right to request the erasure of your personal data, to restrict the processing thereof, and also the right to oppose the processing of said data.
  • When the legal basis for processing is your own consent, you have the right to withdraw said consent at any time.
  • You have the option of lodging a complaint with a controlling authority.
  • For any request, please contact the Data Protection Officer at

Ensuring the security of your data is important to us

Covivio endeavours to implement the necessary technical and organisational measures to ensure the security of your personal data in order to forestall any intentional or unintentional manipulation, loss, destruction or unauthorised access. We have, in particular, made the prevention of cyber threats one of our top priorities. Covivio Group employees are entrusted with closely supervised authorisations to access your data, graded according to their duties, and they are bound by clauses of confidentiality, as are all our external service providers.

Future changes to our processing policy

The present policy reflects our current standards, which may be subject to changes. Any such change will take effect as from the publication of the latest updated version of the present policy.