Personal data protection policy

 

The French companies of the Group ARMOR inform you that your personal data is collected and processed in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or “GDPR”) and the French Data Protection Act no. 78-17 (the “Regulations”).

The purpose of this policy is to provide you with information on the processing your Personal Data undergoes and on the conditions under which it is protected by the Group ARMOR.

 

The following definitions will help you to understand all of the concepts used in this document concerning the protection of your Personal Data.

 

 

  1. DEFINITIONS

Personal Data

 

 

 

All information that relates to an identified or identifiable natural person, in particular a name, an identification number, location data, an online identifier, or one or more factors that are specific to the physical, economic, cultural or social identity of that natural person.

 

Recipient

A person who is authorised to receive Personal Data that is stored in a file or undergoing Processing, on account of their position.

 

DPO

Data Protection Officer.

 

Sensitive Data

 

The personal data of a natural person concerning their racial or ethnic origin, their political, philosophical or religious opinions, their trade union membership, their health, their sex life or their sexual orientation, their criminal convictions and offences, or their social security number.

 

Data Subject

 

A natural person who is directly or indirectly identified or identifiable and whose Personal Data undergoes Processing.

 

Controller

The French company of the Group ARMOR that determines the Processing purposes and means.

 

Processor

A natural or legal person (undertaking or public body) that processes the Personal Data on behalf of a Controller, in the form of a service or provision of services.

 

Processing

An operation which is performed on Personal Data, regardless of the means used (collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, or alignment).

 

 

 

 

 

 

 

 

 

  1. PURPOSES OF PROCESSING

The French companies of the Group ARMOR collect your Personal Data for the following purposes:

  • Candidate for a position

 

2.1.1.    Management of recruitments

 

Purposes of the Processing

Management of recruitments (assessment of applicants for the position offered, verification of application information)

 

Lawful basis for the Processing

Employer’s legal obligation

 

Legitimate interest: for required Data marked with an asterisk that is needed in order to get to know the applicant

 

Consent: for optional Data

 

Personal data collected

Identification: surname, first name, identity photo, gender, date and place of birth, nationality, telephone number, email and personal addresses

 

Personal information: family situation

 

Professional information: professional situation, training, references, business experience and email address

 

Sensitive Data

Health: disability recognised by the Local Authorities

 

Criminal convictions and offences: legal obligation for AEO (Authorised Economic Operator) certification

 

Recipients

Authorised persons from the human resources departments, the support services that are involved in negotiations, the line manager or other companies in the ARMOR Group that are involved, state bodies and recruitment firms

 

Source of collection

Directly from the Data Subject or indirectly via another person (recruitment firms, professional references, business social media and websites)

 

Retention period

12 to 24 months as from the last contact

 

     

 

  • Employees of prospective and current customers

 

2.2.1.   Management of prospective and current customers

 

Purposes of the Processing

Direct marketing (compilation and management of a file of prospective customers)

 

Customer relationship management (management of the customer data file, management of sales contracts, management of orders, after-sales service, management of customer accounting and invoicing, management of the customer account and sales follow-up)

 

 

Lawful basis for the Processing

Consent of prospective customers in order to establish a business relationship

 

Consent of customers for optional Data

 

Legitimate interest of the commercial management and marketing of the sale

 

 

Personal data collected

Identification and professional information: surname, first name, employer’s name, position, telephone number, business address and email address

 

Online activity: IP address, browsing time, date and data, login name

 

 

Recipients

Authorised persons from the marketing and sales, IT and accounting departments, or other companies of the Group ARMOR that are concerned, and other Processors 

 

 

Source of collection

Directly from the Data Subject via a contact form, trade fairs, visits, telephone calls or indirectly via another person (referral, the customer’s sales representative, trade fair organisers, service providers, business social media and websites)

 

 

Retention period

Until the end of the business relationship

 

 

 

2.3.      Employees of prospective and current customers and of carriers

 

 

2.3.1.   Management of procurements and of deliveries

 

Purposes of the Processing

Management of the procurements of the French companies in the Group

Management of deliveries to customers and between Group sites

 

Lawful basis for the Processing

Legitimate interest: ensure the communication that is necessary for the procurements of the companies in the Group ARMOR, for deliveries to customers and for transfers of products between sites

 

Personal data collected

Identification and professional information: surname, first name, address, telephone number, business address and email address

 

Online activity: login name

 

Recipients

Authorised persons from the transportation and IT departments, storekeepers, customers, suppliers, carriers and other Processors

 

Source of collection

Directly from the Data Subject or by the customer, the supplier or the carrier via an exchange of emails or telephone call

 

Retention period

Duration of the contractual relationship

 

 

 

 

  • Employees of suppliers

 

2.4.1.   Approaching suppliers and management of relationships with suppliers

2.4.2.  

Purposes of the Processing

Approaching and selection of suppliers (compilation and management of a data file of potential suppliers)

 

Management of the supplier relationship (compilation and management of the supplier data file, management of orders and deliveries, management of invoices and payments, and of supplier accounting, management of procurement contracts)

 

Lawful basis for the Processing

Legitimate interest in compiling and maintaining a list of suppliers and managing procurements

 

Personal data collected

Identification and professional information: surname, first name, employer’s name, place of invoicing, profession, business telephone number and address, date of birth, gender and position

 

Recipients

Authorised persons in the purchasing, accounting, logistics, legal, quality, HSE and IT departments, or other companies of the Group ARMOR that are concerned, and other Processors

 

Source of collection

Directly from the Data Subject or through online research and trade fairs or business contacts

 

Storage period

Duration of the contractual relationship

 

 

  • Other co-contracting parties

 

2.5.1.   Management of contracts and legal documents

 

Purposes of the Processing

Management of contracts and legal documents

 

Lawful basis for the Processing

Legitimate interest: managing legal documents and contracts

 

Personal data collected

Identification and professional information: surname, first name, date of birth, gender, email address, postal address, telephone number and position

 

Online activity and access: IP address, browsing time, date and data, login name and password

 

Recipients

Authorised persons from the IT, legal, procurements, financial control, industrial monitoring and property departments, corporate officers of the Group ARMOR companies concerned, authorised persons from the co-contracting entity and other Processors

 

Source of collection

Directly from the Data Subject

 

Storage period

Duration of the contractual relationship

 

 

  • Corporate officers of clients, suppliers and other co-contracting parties

 

2.6.1.   Fight against corruption

 

 

Purposes of the Processing

Avoiding fraud

 

Lawful basis for the Processing

Legal obligation pursuant to the “Sapin 2” Act

 

Personal data collected

Identification: surname and first name of the corporate officer

 

Professional information: position, politically exposed person status

 

Criminal convictions and offences: corporate officer convictions on grounds of corruption

 

Recipients

Authorised persons from the consolidation and internal control, purchasing, finance and sales departments of the Group ARMOR companies

In the event of an audit: French Anti-Corruption Agency

 

Source of collection

Directly from the Data Subject and via the Office Forms questionnaire for post-training evaluations or indirectly via the report on the risk of corruption of a service provider for the data on external third parties

 

Storage period

5 years after the end of the business relationship for reports on partners

10 years to justify actions to raise awareness of exposed employees or after the employee leaves the company in question

 

 

  • Visitors to French sites

 

2.7.1.   Access control and video surveillance

 

Purposes of the Processing

Access control for visitors and external partners

Video surveillance of the La Chevrolière, Les Sorinières and Cordon Bleu sites

 

Lawful basis for the Processing

Legitimate interest: visitor reception and access control, number of people present on the site, safety of persons and property, protection of industrial property, contributes to Authorised Economic Operator certification

 

Personal data collected

Identification and professional information: surname, first name and copy of ID document, depending on the site

 

Location: dates and times of the visit and movement of visitors inside and outside the buildings

 

Online activity: IP addresses and login names

 

Recipients

Employees who are responsible for evacuation and safety or Authorised Persons from the corporate services, IT and human resources departments, corporate officers or the external emergency or investigative services in the event of an incident, and other Processors

 

Source of collection

Access: directly from the Data Subject

 

Video surveillance: indirectly via recording of images

 

Storage period

Access: 1 year maximum

Video surveillance of the La Chevrolière site: 30 days for the exterior and 5 days for the interior, 6 days for access to the server

Video surveillance of the Les Sorinières site: 0 days

 

Video surveillance of the Cordon Bleu site: 15 days

 

 

  1. STORAGE PERIOD

Your Personal Data is not stored any longer than is necessary for the purpose of the Processing and the archiving requirements defined by law in the event of litigation or for legal obligations. When data is archived, the necessary access is restricted to authorised persons.

 

 

  1. TRANSFER OF DATA OUTSIDE OF THE EUROPEAN UNION

In principle, your Personal Data is not transferred outside of the EU. The only Personal Data that may be transferred outside of the EU to the Group ARMOR companies and certain Processors (suppliers, clients and carriers) concerns the management of contracts and the management of procurements, deliveries and orders outside of the EU.

If Personal Data is transferred outside of the EU to a country that does not have an adequate level of protection within the meaning of the Regulations, the Group company concerned or the Processor undertakes to implement all appropriate safeguards, such as, in particular, Standard Contractual Clauses, a code of conduct or a certification mechanism.

 

 

  1. EXERCISE OF RIGHTS BY DATA SUBJECTS

You have a right of access, rectification, objection, portability and erasure concerning your Personal Data and a right to request restriction of the processing thereof. You can exercise these rights by contacting the Data Protection Officer (“DPO”) via email: dpo@armor-group.com or by sending a letter to the following address: ARMOR, For the attention of the DPO, 20 rue Chevreul, CS 90508, 44105 NANTES Cedex 4, France stating:

  • The identity of the Controller,

  • The processing concerned or circumstances under which Personal Data is collected,

  • The right(s) that you wish to exercise,

  • A recto-verso copy of the Data Subject’s ID card or passport.

Your legitimate request will be processed within one month of receipt. If necessary, this time-limit may be extended by 2 months, before the initial 1-month time-limit expires, depending on the complexity and the number of requests. Absent a satisfactory response from ARMOR, you also have the right to file a claim with the supervisory authority: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07 or online www.cnil.fr/fr/plaintes

 

  1. IDENTITY OF THE CONTROLLER

The Controller is one of the following French companies of the Group ARMOR, which determines the purposes and means of the Personal Data Processing and is identified when the Personal Data is collected:

 

ARMOR

A French société par actions simplifiée (simplified joint-stock company) with capital of €10,299,450

20 rue Chevreul, 44100 Nantes, France

Nantes Trade and Companies Register no. 857 800 692

 

ARMOR PRINT SOLUTIONS

A French société par actions simplifiée (simplified joint-stock company) with capital of €8,005,000

17 Boulevard de Chantenay, 44100 Nantes, France

Nantes Trade and Companies Register no. 892 312 067

 

ARMOR BATTERY FILMS

A French société par actions simplifiée (simplified joint-stock company) with capital of €5,296,317

20 rue Chevreul, 44100 Nantes, France

Nantes Trade and Companies Register no. 892 311 937

 

ASCA

A French société par actions simplifiée (simplified joint-stock company) with capital of €29,039,609

20 Rue Chevreul, 44100 Nantes, France

Nantes Trade and Companies Register no. 844 766 170

 

KIMYA

A French société par actions simplifiée (simplified joint-stock company) with capital of €3,165,439

20 Rue Chevreul, 44100 Nantes, France

Nantes Trade and Companies Register no. 892 311 887

 

Several companies in the Group ARMOR are joint Processors when they determine jointly the Personal Data Processing purposes and means. ARMOR is the joint Processor for the following types of Processing, along with all the other subsidiaries mentioned above:

  • Management of recruitment

  • Management of procurements

  • Management of deliveries

  • Management of contracts and legal documents

  • Access control and video surveillance

  • Fight against corruption

  • Management of the exercise of Data Subjects’ rights

 

  1. UPDATES

The French companies in the Group ARMOR retain the right to update these provisions at any time.