This policy applies to all processing of personal data carried out by the Group.
II. COLLECTION PURPOSE
The Group undertakes to collect and process personal data fairly and lawfully.
The processing operations carried out by the Group serve explicit, legitimate and determined purposes. The data collected are not used for any other purpose.
The defined purpose determines the data’s relevance. Only the appropriate data strictly needed to achieve the purpose will be collected and processed.
These purposes are therefore compatible with our core competencies.
Group employees have been made aware of these new obligations.
III. INFORMATION ABOUT INDIVIDUALS
In accordance with this policy, each data collection document complies with the law and informs the person from whom personal data are collected of:
- The identity of the processing manager and, where applicable, that of their representative;
- The purpose of the processing operation for which the data are intended;
- The mandatory or optional nature of their replies;
- The recipients or categories of recipients of the data;
- The right of individuals with regard to the processing of data;
- The existence, where applicable, of transfers of personal data and the country of destination;
- The storage period.
IV. RECIPIENTS OF THE COLLECTED DATA
Recipients are any persons authorised to receive data, whether they are employees of the Group or a third party.
V. DATA STORAGE
The purpose of the processing operation determines the data storage period, which must not exceed the period required for this purpose.
The data collected from our employees are kept for the legal period required by social and tax regulations.
Data on customers or prospects used for business purposes only may be kept for a period of three years from the end of the business relationship or on the expiry date of a contract or the last contact with a prospect.
The Group determines and implements the means required to protect the processing of personal data in order to prevent any access by an unauthorised third party and to prevent any data loss, alteration or disclosure.
For example, computer rooms are closed rooms with access restricted to identified employees, and in the event of a fire they are protected by specific equipment (gas) in each room.
All IT servers are hosted by the Group in France and are only accessible via logins and passwords.
“Administrator” passwords are only known to ISD members.
Data are backed up on physical media (LTO) which are stored in a restricted access room.
The data users can access depend on their position in the company, with the IT department managing various profiles.
The Group’s personal data protection policy is thus organised around logical, physical or organisational measures.
VII. DATA INFRINGEMENT MANAGEMENT
If any data breach has been detected, it is the responsibility of the processing manager or any person with knowledge of such an event to inform our DPO and the ISD within 24 hours of the infringement detection.
As soon as the information is received, the ISD (Information Systems Director) will formulate an appropriate action plan. After approval by the processing manager, our DPO will carry out the required corrective actions and provide the appropriate information.
In particular, our DPO will inform any person whose personal data has been intercepted in any way by an unauthorised third party of the incident within 72 hours at the most.
VIII. USE OF YOUR PERSONAL DATA
The Group complies with the obligations of the Data Protection Act and the European Data Protection Regulation (GDPR). Processing operations are set up for the three types of individuals involved:
- With regard to our employees: these processing operations are used to comply with legislation in our capacity as an employer;
- With regard to our customers: these processing operations are carried out under a business contract requiring us to collect and process personal data under this contract;
- With regard to our prospects: these processing operations are carried out in order to know them and make us known to them but also to regularly send them news and information about our products, brands, operations and/or media likely to arouse their interest.
IX. COMPLAINTS MANAGEMENT AND EXERCISE OF PERSONAL RIGHTS
In accordance with the law, the exercise of your rights to access, query, change, oppose and correct information is carried out by e-mail or post sent to our DPO (Frédéric PARADIS – Groupe Marck, 74, rue Villebois-Mareuil, 92230 Gennevilliers – firstname.lastname@example.org).
If you identify any error in these data or if you consider them incomplete or ambiguous, you may also ask us to correct, complete or clarify them.
Your requests must be accompanied by a photocopy of an identity document together with your signature.
The processing of personal data is recorded in a register kept by our DPO (Data Protection Officer).
XI. TRANSFER DATA
Any personal data collected are exclusively reserved for Groupe Marck subsidiaries.
The Group reserves the right to send the personal data of the individuals involved in order to comply with its legal obligations and, in particular, if it is required to do so by judicial requisition.
The Group hereby undertakes not to transfer your data held by it outside the European Economic Area other than for the transfers required for the performance of a contract (e.g. Contract with Egencia).
For any request for information relating to this personal data protection policy, you can contact our DPO (Frédéric PARADIS – Legal Director & Compliance Officer – email@example.com and in his absence his assistant firstname.lastname@example.org).