This document constitutes the confidentiality policy implemented by the Herstal Group, hereinafter referred to as “the company”, in the framework of its activities.
The company is composed of the following legal entities:
- HERSTAL SA
- FN HERSTAL
- BROWNING International
- BROWNING SA
- HERSTAL Group Services
The protection of your privacy and your personal data is of primary importance to the company.
This confidentiality policy was drawn up in order to ensure respect of European Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR).
The aim of this confidentiality policy is to inform you how the company collects, uses and stores your personal data.
2. WHAT IS THE SCOPE OF THIS POLICY?
What does the “processing of your data” cover, and who is responsible for this?
We only collect and use personal data which is necessary in the context of our activities, and which enables us to offer quality services.
We are therefore the liaison person for you, and the supervisory authorities (e.g. “the Data Protection Authority”), for all questions regarding the use of your data.
For some services, we use specialist third parties, which, in some cases, act as sub-contractors. They are therefore obliged to follow our instructions, and respect our confidentiality policy. In other cases, these third parties are also (joint) Controllers and must, for their part, respect their legal obligations in this area.
We make sure that these sub-contractors only receive data which is strictly necessary for performing their part of the contact.
We may also be involved, in the role of sub-contractor to other legal entities. In such case, those entities are the Controllers for the personal data. So we follow their instructions.
What data is covered by our policy?
The data covered by this policy is the personal data of natural persons, i.e. data which directly or indirectly allow a person to be identified.
In the context of your relationship and interactions with the company, we may be obliged to collect several different types of personal data, such as:
- identification and contact data (e.g. your title, name, address, date and place of birth, National Register number, account number, telephone number, email address, IP address and occupation);
- family situation (e.g. marital status, number of children);
- bank, financial and transaction data (e.g. bank details, account numbers, data relating to transfers including communication, and, in general, all data recorded during your bank transfers);
- data relating to your behaviour and habits relating to use of our channels (e.g. our website) and our products;
- data relating to your preferences and interests, communicated directly or indirectly by you, e.g. through participation in our events, surveys, etc.;
- data resulting from your interactions on our dedicated pages on social media networks (e.g. Facebook and LinkedIn).
We never process data relating to your racial or ethnic origin, your political opinions, your religion, your philosophical beliefs or trade union membership, your genetic data, your sex life or sexual orientation, unless we are obliged to by legislation or this arises from your use of our products and services.
3. GUIDING PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
When processing personal data in the context of the management and the performance of our undertakings, we respect, amongst others, the following principles:
- Legitimate processing of data: we process personal data in a legitimate manner in the context of our activities;
- Specified purposes and limitation of purposes: we collect and process personal data for the legitimate purposes specified below;
- Minimisation of data processing: we limit processing of personal data to that which is necessary in the context of our activities;
- Accuracy of the personal data: we take all reasonable steps to ensure that personal data is accurate, and, if it no longer appears to be accurate, to rectify and/or erase it without delay;
- Limitation of processing and storage: we will not process and store personal data longer than necessary for the performance of our activities;
- Security Measures: we take the necessary and appropriate technical and/or organisational measures to ensure the security of personal data.
4. WHEN IS YOUR PERSONAL DATA COLLECTED?
The data which we use in order to verify or improve our databases may be collected either directly from you, or obtained from the following sources:
- from publications/databases made available by official authorities (e.g. the Belgian Official Gazette);
- our client companies or our service providers;
- websites/pages from social media networks containing information made public by you (e.g. your website or social network);
- databases made public by third parties.
Some of your data may also be collected by the company, in particular:
- when you become a client or a supplier;
- when you visit our buildings, or request a visit;
- when you register to use our on-line services (at each identification or use);
- when you complete forms and contracts submitted by us to you;
- when you use our services and products after signing a contract;
- when you subscribe to our newsletters;
- when you contact us via the various different channels made available to you;
- when your data is published or transmitted by authorised third parties or professional suppliers of data;
- when you are filmed by our surveillance cameras, located in and around our premises/buildings.
Images are recorded solely for the security of goods and persons, and to prevent abuse, fraud and other offences against our clients and/or our personnel (their presence is indicated by stickers bearing our contact details).
5. ON WHAT GROUNDS, AND WHY DO WE USE YOUR PERSONAL DATA?
We process your personal data for various purposes. At each processing, only data which is relevant to the intended purpose is processed.
In general, we use your personal data:
- in the context of performance of a contract or taking precontractual steps;
- to comply with provisions of laws and regulations to which we are subject;
- for reasons falling under the legitimate interest of the company (see illustrations below). When performing this type of processing, we take care to maintain the balance between this legitimate interest and respect of your privacy;
- when we have obtained your consent.
The company processes personal data for purposes including, but not limited to:
- supplying you information regarding our products and services;
- assisting you and responding to your requests;
- ensuring proper performance of the agreements concluded;
- operating the financial and accounting management of the company;
- providing proper management of clientele, equipment, after-sales services and suppliers;
- creating usage profiles, and provided you have indicated your consent to this; performing information and/or promotional activities for products and services, those of companies of its group and/or of its business partners;
- improving existing services (or those in development) via surveys of clients or potential clients, statistics, tests, comments addressed directly to us by you – or published by you on our websites;
- the respect of legal and regulatory obligations, including responses to official requests from duly authorised public authorities or judicial authorities;
- detecting and preventing abuse and fraud: we process and manage contact and security data (card reader, password, etc.) in order to validate, monitor and ensure the security of transactions and communications via our remote services;
- ensuring the supply of services through use of sub-contractors;
- following up our research and development activities;
- improving the quality of our personal service for clients and partners;
- performing direct marketing activities relating to services of the company;
- ensuring the security of our premises and infrastructure, and that of the persons in these areas.
6. WHO HAS ACCESS TO YOUR DATA, AND TO WHOM IS IT TRANSFERRED?
Only authorised users have access to your personal data, in order to achieve the aforementioned purposes. Authorised users means persons who, in the context of their post within the company, and in the context of the activities performed, are authorised to process personal data on the basis of instructions from the company.
In order to achieve the aforementioned purposes, the company divulges your personal data to:
- external auditor;
- registered auditor;
- legal advisor;
- financial consultant;
- other professional and/or service providers/advisor;
- banking institutions, insurance companies/funds;
- IT companies or service providers for programme software and the storage of electronic data (servers, etc.);
- judicial and administrative authorities, or police departments.
7. HOW LONG DO WE STORE YOUR DATA?
We store your personal data for the longest period necessary for respect of the applicable provisions of laws and regulations, or a different period taking into account operating constraints such as the proper keeping of accounts, efficient management of relations with clients and partners, and responses to legal claims or claims of authorities.
Some data is archived for longer periods in order to respect our legal obligations, and for purposes of legal proof, in particular, to safeguard your rights. This archived data can only be accessed for the purpose of evidence in court, inspection by an authorised Authority (e.g. by tax authority), for the purpose of presenting documents to judicial or administrative authorities, or police departments.
8. SECURITY AND CONFIDENTIALITY
The company undertakes to adopt the necessary and appropriate technical, physical, and organisational measures to protect personal data from unauthorised access, unlawful and unauthorised processing, loss or accidental damage, and unauthorised destruction. These measures are regularly assessed, and, if necessary, updated in order to guarantee maximum protection of the personal data of data subjects.
In the event of breach or data leak, as described below, we will take the necessary/appropriate steps to establish its extent and consequences, to terminate it as quickly as possible, and, where applicable, limit its impact on data subjects.
9. WHAT ARE YOUR RIGHTS?
According to the applicable regulation, you have several different rights:
- the right to request access to personal data (A)
- the right to rectification (A)
- the right to erasure of data (A)
- the right to object to processing (B)
- the right to withdraw consent (B)
- the right to request restriction of the processing (B)
- the right to data portability (C)
A. Right to Access, Rectification, and Erasure
Each data subject has the right to request access. If a data subject exercises this right, the company is obliged to supply him/her information concerning this, including:
- providing a description and a copy of the personal data;
- informing the data subject of the reasons for which the company processes this data.
If data is incorrect or incomplete, the data subject can request that it be rectified.
In certain circumstances, the data subject may, in compliance with the data protection regulation, request the erasure of personal data concerning him/her, amongst others, if the personal data is no longer necessary for the purposes for which it was collected or processed. However, the company may refuse to erase this data, for example, for the introduction, exercise or proof of legal claims.
To ensure that your data is kept completely up to date, please notify us of any change (e.g. change of marital status, or home address).
B. Right to Object to and Restrict Processing of Your Data, and Right to Withdraw Your Consent
You have the right to object to some processing of your personal data which we may wish to perform. In particular, you have the right to object to use of your data for direct marketing purposes, without having to justify this. You can also request restriction of the processing of your data.
However, this right can only be exercised under certain conditions:
- Your request must be dated and signed;
- For cases other than objection to direct marketing purposes, you must have serious, legitimate grounds, relating to your particular situation, for objecting to the processing. If the objection is justified, the processing in question can no longer involve this data.
However, you cannot object to processing which is necessary for the performance of a contract concluded with you, or in order to take steps at your request prior to entering into a contract; nor can you object to compliance with any legal or regulatory provision to which we are subject.
If you have given consent for the processing of your personal data, you have the right to withdraw this consent at any time.
C. The Right to Portability
Where necessary, and provided this is applicable, the data subject may ask to receive certain personal data supplied by him/her to the company in the context of the management and performance of its activities, and to transfer this data to a different Controller. If this is technically possible, the data subject may request the company to transfer this data directly to a different Controller.
According to the regulation, you have the right to lodge a complaint with the relevant Supervisory Authority.
10. TRANSFER OF DATA OUTSIDE THE EEA
In the case of international transfers emanating from the EEA to a third country for which the European Commission has made an adequacy decision granting that country a level of protection of personal data equivalent to that provided by the legislation of the EEA, your personal data will be transferred on this basis.
Transfers to countries outside the EEA for which the European Commission has not made an adequacy decision, are performed by us, either on the basis of a derogation applicable to the situation (e.g. in the case of international payment, the transfer is necessary for performance of the contract); or on the basis of the fact that the recipient of the data has agreed to process the personal data in accordance with the “Standard Contractual Clauses” drawn up by the European Commission for Controllers or sub-contractors.
To obtain a copy of these texts or to find out how to obtain one, send a written request in the manner indicated in Article 13.
11. BREACH OF PERSONAL DATA
11.1. MENTION OF BREACHES RELATING TO PERSONAL DATA
In the performance of their function, authorised users must take care to avoid incidents (deliberate or not) which may adversely affect the privacy of data subjects.
In the event of a breach of personal data, appropriate measures are taken as quickly as possible, in order to minimise the risk of damage to data subjects, and to the company (damage to reputation, sanctions imposed, etc.).
In all cases, all authorised users, and all other persons who consult, use or manage company information, must immediately report each security breach and incidents linked to the security of information to the “Privacy Manager”, in order for an analysis to be performed immediately, for the necessary measures to be taken, and to establish whether the breach must be reported to the Data Protection Authority and/or the data subjects.
When reporting is performed by email, it is important that the email is sent to the “Privacy Manager” (see Section 10.2), and that title of the email expressly indicates that this is a highly urgent message concerning a possible breach linked to personal data.
The information must contain a full and detailed description of the incident, including the identity of the person reporting it (surname, first name, address, email address (where applicable) and telephone number), the type of incident, and the number of persons concerned.
11.2. SURVEY AND RISK ANALYSIS
In principle, the company will commence an investigation within 24 hours of the incident or breach being detected by the company or reported by a sub-contractor, authorised user, recipient, data subject or third party.
The investigation will indicate the nature of the incident, the type of data targeted and whether specifically personal data is impacted (and, if so, the data subjects and the amount of personal data affected). The investigation will determine whether or not it is a breach of personal data.
In the event of a breach, a risk analysis will be performed to establish (what may be) the possible consequences of the breach, and, in particular, the (possible) impact for data subjects.
The company will then decide, based on the nature of the breach, whether or not an obligation exists to notify the Data Protection Authority and/or the data subject.
11.3. DOCUMENTATION OF BREACHES
All breaches will be documented in a register. The register shall contain a detailed explanation of the main cause of the incident and its contributing factors, the timescale of events, the remedial action taken, recommendations and lessons learned, in order to identify areas requiring improvement. The recommended changes to the system and procedures shall be documented and implemented as quickly as possible.
We will examine the action taken to handle the breach recorded in the report.
12. HOW TO INSPECT THIS POLICY, AND CHANGES TO IT?
In this world of constantly evolving technologies, we will regularly update the Confidentiality Policy.
We invite you to inspect the latest version of this document on our websites, and we will notify you of all significant changes on our websites, or via our usual means of communication.
13. HOW TO CONTACT US
You can contact the Privacy Manager at the email address firstname.lastname@example.org or email@example.com, or by writing a letter to the postal address: Herstal Group – Voie de Liège, 33 à 4040 Herstal, Belgium.
Personnel, persons applying for vacant positions, and former employees of the company can also consult the “HR Confidentiality Policy” on the Intranet of the Herstal Group.
This Confidentiality Policy is applicable from 25 May 2018.