DATA PRIVACY POLICY

Last updated on 01.04.2022

 

 

This Data Privacy Policy explains:

 

1.    the key principles governing the Processing of Personal Data by the GEFCO Group;

2.    the different types of information that the GEFCO Group Processes, the legal basis and the purposes of the Processing as well as the categories of recipients of the Personal Data, depending on the type of Personal Data and the Data Subject by the Processing of the Personal Data;

3.    the way the GEFCO Group processes this information;

4.    the way the GEFCO Group protects this information;

5.    the way the GEFCO Group secures the transfer of Personal Data;

6.    how long the Personal Data is kept;

7.    how Data Subjects may exercise their rights under applicable data protection laws.

 

1 Definitions

1.1 "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

1.2 "Sensitive Personal Data" refers to Personal Data revealing information about a person's racial or ethnic origin, political opinions, religion or philosophical beliefs, criminal offences and convictions, criminal history, trade union membership, genetic data, biometric data, health status and sex life or sexual orientation, in accordance with applicable data protection law(s).

1.3 "Subsidiaries" refers to all companies controlled by, or under the common control of, GEFCO SA.

1.4 "GEFCO SA" refers to GEFCO SA, a legal entity under French law, whose registered office is located at 22/24, rue Jean Jaurès, 92800 Puteaux, France and which is registered with the Trade and Companies Registry under number RCS Nanterre B 542 050 315.

1.5 "GEFCO Group" means GEFCO SA and/or any of its Subsidiaries that Process Personal Data as a Data Controller or, where applicable, as a Subcontractor.

1.6 "Applicable Data Protection Law(s)" refers to the relevant local laws and regulations on personal data protection, data security, data retention and data privacy to which Data Subjects are subject, including the GDPR.

1.7 "General Data Protection Regulation" or "GDPR" refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.8 "Controller" refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.9 "Processor" refers to any natural or legal person who Processes Personal Data on behalf of the Controller in accordance with specific written instructions.

1.10 "Third Party" refers to auditors, accountants, contractors, agents, suppliers and authorized third party service providers of GEFCO SA and its Subsidiaries who Process Personal Data.

1. 11 "Process", "Process(es)", "Processing" and "Processed" refer to any operation or set of operations carried out or not by means of automated processes and applied to Personal Data or sets of Personal Data, such as collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure, or destruction.

 

2 Compliance with key data protection principles

2.1 Compliance with data protection laws

When handling Personal Data as a Data Controller, the GEFCO Group and the GEFCO Group's Personnel undertake to:

-          process Personal Data lawfully, fairly and transparently with regard to the Data Subject ("lawfulness, fairness, transparency");

-          ensure that the Processing of Personal Data is lawful and has a legal basis;

-          collect Personal Data for specified, explicit and legitimate purposes and ensure that it will not be further processed in a way incompatible with those purposes ("purpose limitation");

-          ensure that Personal Data is adequate, relevant and limited to what is necessary to satisfy the purposes for which it is processed ("data minimization");

-          ensure that Personal Data is accurate and, where necessary, kept up to date ("accuracy");

-          process Personal Data in the ways as to ensure adequate security of such Data, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality");

-          To retain Personal Data in a form that permits identification of Data Subjects for no longer than is necessary to satisfy the purposes for which it is Processed; ("retention limitation").

 

2.2 Transparency

When Processing Personal Data, the GEFCO Group informs Data Subjects of the purposes for which it will Process their Personal Data and provides all the information it is required to provide in accordance with the applicable Data Protection Law(s), in order to ensure that Data Subjects understand how their Personal Data will be Processed by the GEFCO Group.

 

2.3 Purposes of the Processing carried out by the GEFCO Group and the Data Processed

2.3.1 Purposes of the Processing carried out by the GEFCO Group as Data Controller

 

The GEFCO Group may Process the following categories of Personal Data, which may vary according to the profile of the Data Subject. This Personal Data is processed for the following purposes:

Customers and future customers:

In the context of contract performance or pre-contractual measures:

-          Management of the GEFCO Group's contractual relationship with its customers and future customers (contractualization and order tracking),

-          management of the execution of transport and/or logistics service orders

-          the management of customer accounts or spaces made available to its customers for the purpose of tracking orders

-          the management of after-sales service and guarantees,

-          In the legitimate interest of the GEFCO Group:

-          commercial canvassing and informing customers about the services it offers,

-          the management and monitoring of customer satisfaction,

-          As part of the GEFCO Group's compliance with its legal obligations:

-          keeping the general accounts,

-          Researching the good repute of the main third parties in the context of the legal obligation to prevent the risk of corruption.

 

For these purposes, the GEFCO Group generally processes personal contact information (such as name, business e-mail address, telephone number, title, address) and financial information (payment information, customer relationship management data, invoice payment process and tracking information).

 

Suppliers and Subcontractors:

In the context of contract performance or pre-contractual measures:

-          the management of the GEFCO Group's contractual relationship with its Suppliers and subcontractors,

-          management of the execution of transport and/or logistics service orders,

-          the geolocation of drivers as part of transport operations management

-          video surveillance of goods warehouses and vehicle fleets,

As part of the GEFCO Group's compliance with its legal obligations:

-          general accounting,

-          Research into the compliance of third parties in the context of the legal obligation of vigilance,

-          researching the good repute of the main Third Parties as part of the legal obligation to prevent the risk of corruption.

For these purposes, GEFCO Group generally processes their personal contact information (such as name, business email address, phone number, title, address), financial information (payment information, invoice payment process and tracking information), as well as driver location information for the purpose of tracking and tracing assets that GEFCO Group manages in the context of its business via certain services or applications such as GEFCO Drive and/or GEFC@NNECT.

 

Applicants

In the context of contract performance or pre-contractual measures:

-          The management of applications made through the GEFCO Group's websites,

In this context, the GEFCO Group processes the personal contact information of applicants (such as name, e-mail address, telephone number, title, address), information relating to the applicant's training and professional life (such as training and professional background, curriculum vitae and covering letter);

 

Visitors

Within the framework of the GEFCO Group's legitimate interests:

-          Managing access to the GEFCO Group's premises.

In the context of controlling access to the GEFCO Group's premises and as part of its legitimate interest, the GEFCO Group may Process personal contact information (such as name, e-mail address, telephone number, company name, etc.) and images (captured by its video-protection and video-surveillance systems).

 

Users of the website:

Within the framework of the GEFCO Group's legitimate interest and with the consent of users:

-          The management of cookies on the websites,

Within the framework of the legitimate interests of the GEFCO Group:

-          the management of contact requests,

In the context of browsing the GEFCO Group's websites, the GEFCO Group may Process browsing traces (cookies) and personal contact information (such as name, professional e-mail address, telephone number, company name, etc.) which are communicated during contact and quotation requests.

 

Partners:

As part of the GEFCO Group's legitimate interest:

-          The organization of events with the GEFCO Group's external partners.

As part of the management of relations with the GEFCO Group's partners, the GEFCO Group may Process personal contact information (such as name, professional e-mail address, telephone number, company name, etc.) which is communicated in the context of commercial relations.

 

2.3.2 Purposes of the Processing carried out by the GEFCO Group as a Subcontractor

In the context of its activities, the GEFCO Group may act as a Subcontractor of personal Data on behalf of customers. This Personal Data is processed for the following purposes:

As part of the performance of the contract or pre-contractual measures:

-          the management of warehouses, storage, and packaging, 

-          management of the execution of transport and/or logistics service orders,

-          In the context of compliance with the legal obligations incumbent on the GEFCO Group:

-          management of customs authorizations,

-          management of tax representation,

In this case, the GEFCO Group only acts in accordance with the customer's clear and detailed instructions, which are set out in writing. If this is impossible (for example in the event of conflict with current or future legislation), the Company will promptly inform the customer of its inability to comply with its instructions. When the GEFCO Group ceases to act on behalf of the customer, it will return, destroy or continue to adequately protect (at the customer's option) all Personal Data it has received from the customer.

 

2.4 Recipients of Personal Data

The Personal Data collected by the GEFCO Group is intended for employees of the Group's entities authorized to manage and execute contracts and orders, recruitment, and legal obligations, depending on the purposes of the collection and within the limits of their respective attributions. 

It may be transmitted for certain tasks related to the purposes, and within the limits of their respective missions and authorizations, to the following recipients:

-          Entities/subsidiaries of the GEFCO Group in the context of outsourcing an activity to another entity of the GEFCO Group or consolidation of the Data;

-          Service providers and subcontractors used by the GEFCO Group to carry out a series of operations and tasks on its behalf;

-          Commercial partners only when the Data Subjects have expressly consented to this by ticking a box on the GEFCO Group's personal data collection forms;

-          Duly authorized public authorities (customs, judicial, control...); within the framework of the GEFCO Group's legal and regulatory obligations;

-          Regulated professions (lawyers, bailiffs, etc.) who may be involved in the implementation of guarantees, collection or litigation;

When Personal Data is communicated to the GEFCO Group's service providers and subcontractors, they are also asked not to use the Personal Data for purposes other than those initially planned. The GEFCO Group makes every effort to ensure that these Third Parties preserve the confidentiality and security of Personal Data. In all cases, only the necessary Personal Data is provided. The GEFCO Group makes every effort to ensure secure communication or transmission of Personal Data.

The Personal Data collected by GEFCO is not sold to Third Parties.

 

2.5 Rights of data subjects: Access, portability, rectification, limitation, deletion and objection

Data Subjects may request access to, and portability of their Personal Data held by the GEFCO Group where such requests are reasonable and permitted under applicable data protection law.

Data Subjects may also request rectification or deletion of their Personal Data if such data is inaccurate or is being used in a manner contrary to this Policy.

Data Subjects may object to the Processing of their Personal Data on legitimate grounds or request its restriction to the extent required or permitted by applicable Data Protection Laws.

Data Subjects also have the right to define directives on the fate of their Personal Data after their death.

In order to exercise their rights, Data Subjects may contact the GEFCO Group in accordance with Section 3 of this Data Privacy Policy.

2.6 Security and confidentiality

The GEFCO Group takes reasonable precautions to protect Personal Data against destruction or unauthorized, accidental, or unlawful loss, alteration, disclosure or access. These precautions include technical, physical, and organizational security measures, such as measures to prevent unauthorized access. The applicable measures remain confidential but are duly documented in the information technology and risk management policies adopted by the GEFCO Group.

 

2.7 Transfer of Personal Data

The GEFCO Group Processes and will oblige Third Parties to Process Personal Data in the relevant jurisdictions in accordance with what is established in the applicable Data Protection Law(s). If the Processing involves a transfer of Personal Data to a country outside the European Union that is not covered by any of the exceptions provided for in the applicable Data Protection Laws, the GEFCO Group undertakes to secure the transfer by means of one of the following mechanisms:

-          standard contractual clauses approved by the European Commission (EU) 2021/914;

-          Binding Corporate Rules: where the relevant Third Parties have adopted the EU Binding Corporate Rules covering Personal Data Processed by Third Parties;

-          any other mechanism officially recognized by applicable Data Protection Laws as ensuring an adequate level of protection for Personal Data.

 

2.8 Data retention period

The GEFCO Group keeps Personal Data only for as long as is necessary to fulfill the purpose for which the GEFCO Group holds such Personal Data, in particular to meet the needs of its customers or to fulfill its legal obligations. Retention periods vary according to several factors, such as:

-          The needs of the GEFCO Group's activities as a Processor and Subcontractor;

-          Contractual requirements;

-          Legal obligations;

-          Recommendations of the supervisory authorities.

This retention period for all data processed in the context of a commercial relationship with customers and suppliers corresponds to the duration of the applicable prescription periods in civil and/or commercial matters. 

 

3 Contact, Questions & Complaints

In order to exercise your rights, express a concern, raise a question, make a complaint or obtain further information regarding the Processing of your Personal Data by the GEFCO Group, you may send an e-mail to the following address: data.privacy@gefco.net, enclosing, if necessary, a valid proof of identity (unless the Person concerned is employed by the GEFCO Group and uses a GEFCO e-mail address).

The GEFCO Group undertakes to respond to your request within a reasonable period of time, which will not exceed 3 months, depending on the complexity of the request and/or the number of requests it receives.

In the event of a dispute, the Data Subject may file a complaint with the local regulatory authority in charge of data privacy (in France, the CNIL).

 

4 Changes to this Policy

The GEFCO Group may amend this Data Privacy Policy from time to time to reflect its current privacy practices. When we change this statement, we will revise the "updated" date at the top of this document. We encourage you to periodically review this Privacy Policy to stay informed about how the GEFCO Group is handling and protecting your Personal Information.