Last Update 20.04.2018
This Policy should not conflict with applicable national and/or regional laws in the jurisdictions in which GEFCO SA and its Affiliated Companies operate and the Policy shall be so construed wherever possible. In the event of any conflict between this Policy and any applicable national and/or regional laws, the mandatory provisions of the relevant law shall prevail over the provisions of this Policy.
1.1 “Affiliated Companies” means any companies being controlled by, or under common control with GEFCO SA.
1.2 “Applicable Data Protection Law(s)” means the relevant local personal data protection, data security, data retention, and data privacy laws and regulations to which the Personal Data are subject, including the GDPR.
1.3 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.4 “General Data Protection Regulation” or “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5 “GEFCO Group” designates GEFCO SA and/or any of its Affiliated Companies, which Process Personal Data as a Controller or, as the case may be, as a Processor.
1.6 “GEFCO SA” designates GEFCO SA, a legal entity registered under the laws of France at 77/81 rue des Lilas d’Espagne, 92400 Courbevoie, France, under the registration number RCS Nanterre B 542 050 315.
1.7 “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.8 “Process,” “Processes,” “Processing,” and “Processed” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.9 “Processor” means a natural or legal person which Processes Personal Data on behalf of the Controller, pursuant to specific and written instructions.
1.10 “Sensitive Personal Data” means Personal Data revealing information as to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, offences, criminal convictions, criminal history, trade union membership, genetic data, biometric data, health, sex life or sexual orientation pursuant to Applicable Data Protection Law(s).
1.11 “Third Party(ies)” means GEFCO SA’s and its Affiliated Companies’ authorized auditors, accountants, contractors, agents, vendors, and third party service providers that Process Personal Data.
2 Key Principles
2.1 Compliance with Data Protection Laws
In handling Personal Data as a Controller, the GEFCO Group and the GEFCO Group’s Personnel agree that Personal Data shall be:
- Processed by the GEFCO Group lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are Processed, are erased or rectified without delay (‘accuracy’);
- Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’);
- kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are Processed; personal data may be stored for longer periods insofar as the personal data will be Processed solely for archiving purposes in compliance with applicable regulations on statute of limitation (‘storage limitation’).
The GEFCO Group will only Process Personal Data in accordance with Applicable Data Protection Laws, and more specifically in circumstances where:
(i) Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract (such as Processing of the GEFCO Group’s clients’ or suppliers’ Personal Data that are necessary for managing their contractual relationship);
(ii) the Data Subject has given consent to the Processing of his or her Personal Data for one or more specific purposes (such as Processing of geolocation data on trucks and drivers to trace and track goods delivery in the context of the GEFCO Group’s activities);
(iii) Processing is necessary for compliance with a legal obligation to which the Controller is subject (such as financial accounting, handling employees’ payroll Processing, keeping records for tax purposes or providing information to public bodies, law enforcement agencies, or legitimate and authorized Third Parties such as the GEFCO Group’s attorneys or professional accountants in compliance with all applicable laws…);
(iv) Processing is necessary for the purposes of the legitimate interests pursued by the GEFCO Group or by a Third Party (such as Processing of relevant employees’ Personal Data by the Human resources department, handling recruitment, applying physical and logical security procedures…).
The GEFCO Group Processes Personal Data fairly and lawfully in accordance with Applicable Data Protection Law(s). To this end, the GEFCO Group informs Data Subjects of the purposes for which it will Process their Personal Data and provides all of the information that it must provide in accordance with Applicable Data Protection Law(s), to ensure that the Data Subjects understand how their Personal Data will be Processed by the GEFCO Group.
Non-exhaustive examples of Personal Data Processing which could be made by the GEFCO Group are briefly described below.
2.3.1 Processing carried out by the GEFCO Group as a Controller
The GEFCO Group may Process the following categories of Personal Data which may vary depending on the Data Subject’s profile.
Clients and prospective clients: For the purpose of managing the GEFCO Group’s contractual relationship with its clients and prospective clients and informing them about its services, the GEFCO Group usually Processes their personal contact information (such as name, email address, telephone number, title, address) and financial information (payment information, customer relationship management data, information related to the invoices payment process and follow up).
Suppliers and sub-contractors: For the purpose of managing the GEFCO Group’s contractual relationship with its suppliers and sub-contractors, the GEFCO Group usually Processes their personal contact information (such as name, email address, telephone number, title, address), financial information (payment information, information related to the invoices payment process and follow up); drivers’ location information for the purpose of tracking and tracing the goods that the GEFCO Group handles in the context of its activities via certain applications or services such as GEFCO Drive and/or GEFC@NNECT.
Employees: For the purpose of handling recruitment and human resources within the GEFCO Group, the GEFCO Group usually Processes candidates’ and employees’ personal contact information (such as name, email address, telephone number, title, address), employees’ administrative data (such as information related to their career, evaluation, training, allocation of IT resources, cars…), data related to the employees’ work organization (such as information on employees’ agendas, business travel arrangements…),
Visitors: In the context of controlling access to the GEFCO Group’s premises, the GEFCO Group may Process personal contact information (such as name, email address, telephone, company name…), and images (captured by its video protection and video surveillance systems).
2.3.2 Processing carried out by the GEFCO Group as a Processor
Occasionally, the GEFCO Group may act as a Processor of Personal Data on behalf of clients. In such case, the GEFCO Group will only act in accordance with clear and detailed instructions of the client, which shall be in written form. If this is not possible (for example due to a conflict with current or future legislation), the GEFCO Group will promptly inform the client of its inability to comply with its instructions. When the GEFCO Group ceases to act on behalf of a client, it will (at the client’s option) return, destroy or continue to properly protect all Personal Data it had received from that client.
Where the GEFCO Group acts as a Processor, the GEFCO Group will collaborate with the client in order to comply with the Applicable Data Protection Law(s), for example by (i) informing the client about the Processing activities that the GEFCO Group carries out so that they may inform the Data Subjects accordingly; (ii) at the clients’ request, putting in place reasonable measures to have the Personal Data updated, corrected, anonymized or deleted (subject to certain limited exceptions); and (iii) sending to the client any requests it receives from individuals for access to their Personal Data that the GEFCO Group Processes, so that the client may respond to those requests.
Where acting as a Processor of Personal Data, the GEFCO Group will in any event treat such Personal Data in accordance with its security policies and procedures, and will only transfer Personal Data where the client has agreed to such a transfer (which it may do in advance under the terms of the agreement signed with the GEFCO Group) and inform the client if there is a serious breach of security in relation to Personal Data so that the client may inform the Data Subjects concerned, if and where necessary.
2.4 Purpose limitation
The GEFCO Group will only Process Personal Data for the purposes (i) set out in any notice made available to the relevant Data Subject, (ii) as required by law or (iii) where consented to by the relevant individuals. Notice can be made, among others, through this Policy, the GEFCO Group’s website, contractual arrangements, billboards, formal notices, newsletter, etc.
2.5 Access, rectification, deletion and objection
Data Subjects should have access to their Personal Data held by the GEFCO Group where those requests are reasonable and permitted by Applicable Data Protection Law. The GEFCO Group agrees to rectify, amend, or delete the Data Subject’s Personal Data upon request where it is inaccurate or where it is being used contrary to this Policy.
Data Subjects may object to the Processing of their Personal Data for legitimate reasons, to the extent required or permitted by Applicable Data Protection Laws.
2.6 Data Quality and Proportionality
Personal Data should be kept accurate and where necessary, up to date. The Personal Data held by the GEFCO Group must be adequate, relevant and not excessive and should only be retained for as long as necessary for the purposes of the relevant Processing, all in compliance with the GEFCO Group’s archiving policies and the provisions of Applicable Data Protection Law(s) on data retention obligations.
2.7 Security and Confidentiality
The GEFCO Group takes reasonable precautions to secure Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access. These precautions include technical, physical and organizational security measures, such as measures to prevent unauthorized access. The applicable measures are kept confidential but are duly documented in IT and risk management policies adopted by the GEFCO Group.
2.8 Transfer of Personal Data
The GEFCO Group Processes and shall cause Third Parties to Process Personal Data in adequate jurisdictions as defined in Applicable Data Protection Law(s). If the Processing involves a transfer of Personal Data to a country outside the European Union and which is not covered by one of the exceptions provided for in Applicable Data Protection Laws, the GEFCO Group undertakes to secure the transfer by one of the following mechanisms:
- Standard Contractual Clauses approved by the European Commission (such as Standard Contractual Clauses for Data Controllers 2004/915/EC or Standard Contractual Clauses for Data Processors 2010/87/EU or any subsequent version);
- Binding Corporate Rules: in case the Third Parties concerned have adopted EU Binding Corporate Rules that cover the Personal Data that Third Parties Process.
- Any other mechanism officially recognized by Applicable Data Protection Laws as ensuring an adequate level of protection of Personal Data.
3 Contact, Questions & Complaints
To exercise your rights, express a concern, raise a question, make a complaint, or to obtain additional information about the Processing of your Personal Data by the GEFCO Group, you may send an e-mail to the following address: firstname.lastname@example.org, accompanied by a valid proof of ID (unless the Data Subject is a GEFCO Group employee).
The GEFCO Group undertakes to respond to your request within a reasonable time, up to 3 months, depending on the complexity of the request and/or of the number of requests it receives.
In case of dispute, the Data Subject may lodge a complaint with the local Data Privacy Regulatory Authority (in France, the CNIL).
4 Changes to this Policy