This privacy notice provides information to individuals who work for, on behalf of, or are representatives (an “Individual Representative”) of business customers, suppliers and subcontractors of COMPAGNIE D’ENTREPRISES / AANNEMINGSMAATSCHAPPIJ CFE or any of its affiliated companies (hereinafter jointly referred to as the “COMPANY”) regarding how their personal information is collected and processed by the COMPANY, in compliance with applicable data protection laws, in particular the European General Data Protection Regulation (hereinafter “GDPR”) and the Belgian law. This privacy notice explains why and how the COMPANY collects personal information about Individual Representatives (the “Personal Data”), what Personal Data is processed, who has access to Personal Data, how the COMPANY protects Personal Data, how long Personal Data is retained, the rights of Individual Representatives and who to contact for further information. This notice is without prejudice to specific provisions set out in any contract entered into between the COMPANY and the applicable customer, supplier or subcontractor.
1. WHY THE COMPANY PROCESSES PERSONAL DATA
The COMPANY keeps and processes Personal Data for administrative, marketing and customer/supplier/subcontractor management purposes, including for the following activities:
- responding to any communication, inquiry or request which an Individual Representative submits to the COMPANY (including via the website);
- managing relationships and maintaining contact with existing and prospective customers, suppliers and subcontractors;
- negotiating and executing agreements with customers, suppliers and subcontractors;
- processing information relating to a proposed or actual purchase or sale of products or services by the COMPANY, including sending statements and invoices;
- customer service purposes, including providing newsletters and marketing communications and/or conducting surveys and market research;
- improving the COMPANY’s products and/or services; and - legal and/or regulatory compliance, including dispute resolution.
2. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
Personal Data covered by this privacy notice is only processed:
- in order to take steps to enter into and manage the performance of a contract with the applicable customer, supplier or subcontractor;
- where necessary to comply with a legal or regulatory obligation that the COMPANY is subject to;
- where processing is necessary for the legitimate interests of the COMPANY and/or a third party; and
- where the Individual Representative has provided explicit consent to allow the processing of their Personal Data.
The nature in which the COMPANYY and/or a third party processes Personal Data for legitimate interests is to communicate with Individual Representative(s) from time to time regarding products, services or events offered by the COMPANY or other communications such as research and insights that may be of interest to the relevant business customer, supplier or subcontractor. The COMPANY will never process Personal Data for its legitimate interests unless the processing is appropriately balanced against the interests and fundamental rights and freedoms of the Individual Representative.
3. CATEGORIES OF PERSONAL DATA PROCESSED
Personal Data is all personal information relating to an identified or identifiable natural person who is an Individual Representative. For the abovementioned purposes, the processing of Personal Data includes the following categories:
- personal identification data, such as name and address;
- electronic identification data, such as email address, phone number, IP address and online identifiers/cookies obtained through website use;
- employment related data, such as job title, related employer and dealings with and subcontractors he COMPANY on behalf of the individual concerned or the applicable customer, supplier or subcontractor;
- personal details, such as the date of birth, language, nationality and gender;
- participation to events (including family members as the case may be); and - survey data.
In addition, to comply with legal and regulatory obligations regarding trade control, anti-money laundering and/or bribery and corruption laws, the COMPANY may carry out screening on potential or existing counter-parties before any contract is entered into and on a periodic basis during the term of the contract. This screening takes place against publicly available or government issued sanctions lists and media sources and would include relevant individuals such as directors, officers and key stakeholders. This data may include Personal Data regarding suspected and actual criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour but only for the purposes of ensuring the COMPANY’s compliance with legal and regulatory obligations and/or to the extent permitted or required by local law. No automated decision making results from such screening.
4. WHERE PERSONAL DATA COMES FROM
Where an Individual Representative contacts the COMPANY, Personal Data will likely come directly from the individual concerned. The COMPANY may also contact an Individual Representative for prospective purposes if initial contact information has not been obtained directly from such individual, including receiving such information from publicly available sources or any referrals from other customers, suppliers or subcontractors of the COMPANY. During the course of the business relationship, the individual concerned or another representative of the applicable customer, supplier or subcontractor will provide the COMPANY with further information as needed for the management of the business relationship with such customer, supplier or subcontractor. The COMPANY may also receive or generate data relating to an Individual Representative from other customers, suppliers, subcontractors or those to whom such individual communicates by email or other systems. The Personal Data collected directly or indirectly by the COMPANY is required to fulfil legal requirements and/or to enter into a contract and maintain contact with a customer, supplier or subcontractor for the duration of the business relationship. Failure to provide the COMPANY with required information will negatively affect the COMPANY’s ability to communicate with an Individual Representative of a customer, supplier or subcontractor (including the ability to provide any applicable electronic newsletters if an Individual Representative does not wish to share their email address), the COMPANY’s ability to enter into a contract with the applicable customer, supplier, subcontractor or continue the performance of a contract once entered into without access to necessary Personal Data.
5. WHO HAS ACCESS TO PERSONAL DATA
For the abovementioned purposes, Personal Data covered by this privacy notice will only be shared on a strict need to know basis with:
- the Individual Representatives themselves or other individuals employed by or representing the applicable customer, supplier or subcontractor;
- personnel of the COMPANY;
- authorized third party agents, service providers, professional advisors and/or subcontractors of the COMPANY; and
- government, regulatory bodies and/or public authorities where it is necessary to comply with legal or regulatory obligations which the COMPANY is subject to or as permitted by applicable local law.
6. PERSONAL DATA TRANSFERRED TO THIRD PARTIES
The COMPANY may transfer information about its customers, suppliers or subcontractors to third-party service providers for purposes connected with the management of the Company’s business, such as our IT supplier, accountant, auditor, as well as to the authorities (for example with the 30bis declaration of work, the electronic attendance registration or the competition to procurement contracts).
It may also be necessary in limited circumstances to transfer Personal Data abroad or to an international organisation to process and/or store this information to comply with our legal or contractual requirements. For transfers of data internationally, the COMPANY has implemented appropriate safeguards in line with GDPR requirements. To ensure an appropriate level of protection for Personal Data, the COMPANY will either use a data transfer agreement with the third party recipient based on standard contractual clauses approved by the European Commission or ensure that the transfer is to a jurisdiction that is the subject of an adequacy decision by the European Commission.
If necessary, your personal data may be passed on to other third parties. This could be the case, for example, if the COMPANY were to be reorganized in whole or in part, if its activities were to be transferred or if it were to be declared bankrupt. It is also possible that personal data must be transferred pursuant to a court order or to comply with a certain legal obligation. In that case, we will make reasonable efforts to inform you in advance about this communication to other third parties. However, you will understand that in certain circumstances this is not always technically or commercially feasible or that legal restrictions may apply.
Finally, and solely with a view to promoting links and synergies between the entities of the CFE group, we may pass on the data of our customers, suppliers and/or subcontractors to the COMPANY’s affiliates.
We will under no circumstances sell or make commercially available your personal data to direct marketing agencies or similar service providers, unless with your prior consent.
7. RETENTION OF PERSONAL DATA
Personal Data will be retained no longer than necessary for the processing purposes described in this privacy notice. Personal Data provided in respect of an Individual Representative is retained no longer than a normal sales cycle length. Where a contract is entered into with a customer, supplier or subcontractor, typically (and unless otherwise stated in other related documents for specific categories of data) Personal Data will be retained during the term of the contract as well as following the expiration or termination of the contract for as long as there may be legal liability for which the use of Personal Data may be relevant, taking into consideration the applicable statutory periods of limitation and legal retention obligations. Information may be retained for a shorter period of time where an Individual Representative objects to the processing of his Personal Data and there is no longer a legitimate purpose to retain such information.
8. HOW PERSONAL DATA IS PROTECTED
The COMPANY has implemented adequate technical and organizational measures to protect Personal Data and keep it as safe and secure as reasonably possible, protecting it against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against other unlawful forms of processing. These security measures have been implemented taking into account the state of the art of the technology, their cost of implementation, the risks presented by the processing and the nature of the Personal Data.
9. WHAT ARE THE INDIVIDUAL REPRESENTATIVE’S RIGHTS AND WHO CAN THEY CONTACT
Individual Representatives who have Personal Data collected and processed have the right at any time to contact the COMPANY to access their Personal Data and request a correction of any incorrect or incomplete information.
Subject to and in accordance with applicable law, individuals may also have the right to:
- request the deletion of their Personal Data;
- request restrictions or object to the processing of their Personal Data;
- data portability, allowing the individual to copy or transfer their Personal Data;
- withdraw their consent at any time where consent was provided to process their Personal Data, provided this will not affect the validity of the processing prior to such withdrawal of consent; and
- receive more information about the safeguards in case of international data transfers.
Individual Representatives also have a right to lodge a complaint with the Belgian Data Protection Authority or another EU supervisory authority if such individual thinks the COMPANY has not acted in line with any applicable data protection laws in respect of dealing with their Personal Data. For any further information about these rights or to make a request is, please send an email to: firstname.lastname@example.org.
10. COOKIES AND SIMILAR TECHNOLOGY
11. CHANGES TO PRIVACY NOTICE
This privacy notice from time to time as needed, notably to comply with changes in any applicable laws, regulations or requirements introduced by data protection authorities.