1.1. To run our business, we collect and use personal data or individually identifiable information (also referred to as “personal data”) from employees, customers, suppliers or other third party stakeholders (such as agents, consultants, visitors of our website).
1.2. We are committed to safeguarding these personal data and handle it in compliance with applicable data protection and privacy laws applicable from time to time, including, where applicable as from 25 May 2018, compliance in the European Union with the General Data Protection Regulation (or “GDPR”).
1.3. The purpose of this policy is to further explain why and how we will handle personal data, in light of new requirements under GDPR.
1.4. The legal entity which is responsible for the processing (also known as the “controller”) will depend on the circumstances. It will be either the entity which is the employer (for employees), the entity with which you or your employer have a commercial and/or contractual relationship (for representatives/contact persons of prospects, customers and suppliers) or the entity in charge of the website you are visiting (for website visitors).
This policy does not apply to any information processed about legal entities.
2. What type of personal data is collected?
2.1. We collect basic identification information about individuals with whom we interact, such as the name, title, position, company name, email and/or postal address and the professional fixed and/or mobile phone number. This information may either be directly provided by you or provided by the legal entity for whom you work (e.g. if you are the contact person designated by your employer to manage your relationship with us).
2.2. For employees, candidates, former employees, contingent workers and as the case may be temporary workers and consultants (“Staff”), we collect additional personal data for identification purposes, in order to perform our contractual obligations or because required by legal requirements.
Examples of the types of personal data that we may process about our Staff include:
- personal information (e.g. name, address, personal identification and contact information)
- organisation information (e.g. supervisory organisations and cost centres)
- employment information (e.g. employment dates such as dates of hiring/promotion/position change, compensation, performance)
- position information (e.g. position title, job code)
- time and attendance information (e.g. absence leave days).
If and when national registry number, social security number or local equivalent is collected, stored and processed such processing is only done when legally required and for no longer than required.
For prospective employees, personal data is either obtained directly from you or from recruitment agencies to which you would have provided or otherwise made available those data.
2.3. In case of website visitors, our web server automatically collects non-personally-identifiable information. Typical information collected includes the domain name of your Internet access provider, the Internet protocol (IP) address used to connect the visitor's computer to the Internet, the visitor's browser type and version, operating system and platform, the average time spent on our site, pages viewed, information searched for, access times and other relevant statistics. We only use this information in the aggregate to measure the use of its sites and to administer and improve them. Some of the pages of the web site may also deposit certain bits of information called "cookies" in a visitor’s computer. See further under Section 8 to learn more on the “cookies” we generally use.
3. For what purpose do we use personal data?
3.1. We will only process personal data for a specific purpose and to the extent relevant to achieve that purpose.
3.2. Personal data will only be processed based on one of the following legal grounds:
- we have obtained prior consent;
- the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
- the processing is necessary to comply with our legal or regulatory obligations;
- the processing is necessary to protect the vital interests of the relevant individual or of another natural person; or
- the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms. Please note that, when processing your personal data on this basis, we always seek to maintain a balance between our legitimate interest and your privacy.
Examples of such ‘legitimate interests’ are:
- to offer our products and services to our customers ;
- to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks;
- to perform our contractual obligations;
- to comply with legal requirements; and
- to meet our corporate and social responsibility objectives.
4. How do we protect personal data?
4.1. Access to personal data is only granted to members of our personnel who need it in order to perform their tasks. All such members of personnel must comply with the internal rules and processes in relation to the processing of personal data to protect them and ensure their confidentiality. They are also required to follow all technical and organisational security measures put in place to protect the personal data.
4.2. We have also implemented technical and organisational measures to protect personal data against unauthorised, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other unlawful forms of processing. These security measures are being implemented taking into account the state of the art of the technology, their cost of implementation, the risks presented by the processing and the nature of the personal data, with particular care for sensitive data.
5. Who has access to personal data and with whom are they shared?
5.1. Within our Group we may transfer personal data to our members of personnel (within the limits indicated in Section 4 above) and other companies of the group to which we belong. Such other companies will either act as another controller or will only process personal data on behalf and upon request of the controller (thereby acting as a so-called “processor”). In all cases, the personal data will continue to be processed only for the originated purposes and insofar as reasonably necessary.
5.2. We may also transfer personal data to third parties outside our Group to complete a legitimate purpose, to the extent they need it to carry out the instructions we have given to them. Such third parties may include:
- third parties who process personal data, such as our (IT) systems providers, our payroll provider or other HR-related management providers, fleet/transport companies, cloud service providers, database providers and consultants;
- any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request; and
- any central or local government department and other statutory or public bodies.
When use of third parties providers, thereby acting as “data processors”, we will enter into an agreement to process this information in accordance with applicable data protection and privacy laws, including GDPR where applicable.
5.3. The personal data transferred within or outside our Group may also in certain instances be processed in a country outside the European Economic Area ("EEA"), which covers the EU Member States, Iceland, Liechtenstein and Norway. Non-EEA countries may not offer the same level of personal data protection as EEA countries. If your personal data are transferred outside the EEA, we will therefore put in place suitable safeguards to ensure such transfer is carried out in compliance with the applicable data protection rules.
6. How long is personal data stored?
6.1. We will only retain personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.
6.2. Request to have personal data removed from our databases, can be made by following the procedure described in Section 7 below, which we will review and address as set out therein.
7. Your rights and how to exercise them?
7.1. You have a right of access to your personal data as processed by us. If you believe that any information we hold about you is incorrect or incomplete, you may also request the correction thereof. We will promptly correct any such information.
You also have the right to:
- request the erasure of your personal data;
- request portability of your personal data;
- request the restriction of the processing of your personal data;
- withdraw your consent where we obtained your consent to process personal data (without this withdrawal affecting the lawfulness of processing prior to the withdrawal);
- object to the processing of your personal data for direct marketing purposes; or
- object to the processing of your personal data for other purposes in certain cases where the processing of your personal data is made without legal basis.
You also have the right to lodge a complaint with a supervisory authority responsible for data protection.
7.2. To exercise the above rights, you may send an email to firstname.lastname@example.org, with a recto-verso scan/copy of your identity card or passport for identification purpose. For Germany, request can be addressed at H.Eul@HE-C.de.
We will address such requests, withdrawal or objection as required under the applicable data protection rules.
If you are not satisfied with how we process your personal data, please let us know and we will investigate your concern.
7.3. In the interests of keeping personal data properly up to date and accurate, we may ask you periodically to review and confirm the personal data we hold about you and/or to inform us of any change in relation to your personal data (such as a change of address or, for employees, a change in family composition or marital status).
8. About cookies that we use
8.1. A cookie is a text file which may be placed on your device when visiting our website. It contains information that is collected from your device and sent back to the website on each subsequent visit so as to remember your actions and preferences over time.
8.2. Generally, a cookie assigns a unique number to the visitor that has no meaning outside the assigning site. This technology does not collect an individual visitor’s identifying information; rather, this information is also in an aggregate form. The purpose of this technology and the information it provides is again to help us improve the web site and your use of it. Most web browsers allow the user to deny or accept the cookie feature. However, please note that cookies may be necessary to provide you with certain features (e.g. customized delivery of information) available on the web site. At any moment you can change the settings applicable to the cookies (i.e. a message that alerts you of the sending of cookies on your computer) by modifying the navigation parameters of your internet browser (Internet Explorer, Firefox, Chrome, Safari or Opera). In this case, be aware that it is possible that you cannot subscribe to our website anymore or use other functions that need the subscription or the collection of information.
9. Amendments to this Policy
This policy may be subject to amendments. Any future changes or additions to the processing of personal data as described in this policy affecting you will be communicated through an appropriate channel, depending on how we normally communicate on our policies and their amendments.