THY MARCINELLE, STAHLBETEILIGUNGEN BELGIAN BRANCH
Information document about the processing of personal data relating to external people
(LAST UPDATE: 01/03/2021)
The present Information document about the processing of personal data relating to external people (hereunder the “Policy”) is valid for the three Belgian entities of the RIVA Group (www.rivagroup.com) mentioned below.
In the course of its activities, each of the entities is required to carry out various data processing operations, for which it is responsible for processing (within the meaning of the applicable legislation on the protection of privacy and the processing of personal data).
These data processing operations are carried out in accordance with this Declaration and an internal general data protection policy specific to each entity.
Details of the entities:
- THY MARCINELLE S.A. a company incorporated under Belgian law, having its registered office at Rue de l’Acier 1, 6000 Charleroi, registered with the Banque Carrefour des Entreprises under number 0437.347.363 ;
- STAHLBETEILIGUNGEN BELGIAN BRANCH, located at Rue Charles Martel 50, L-2134 Luxembourg, Luxembourg (Grand Duchy), bearing the company number 987.170.
Contact details of the Data Protection Officer (DPO) for the three entities: Dpd.belgique@rivagroup.com.
These 3 entities are hereinafter referred to, each on its own behalf and separately, as “Data Controller” or “we”.
In certain cases (specified below), the processing is carried out under the joint controllership of the entity concerned and the parent company of the RIVA Group, namely Riva Forni Elettrici S.p.A., a company incorporated under Italian law, with registered office at Viale Certosa, 249 – 20151 Milan and company number 07969220966 (hereinafter referred to as “RFE“). In these cases, the terms “data controller” and “we” and “us” include the entity concerned and RFE. This joint controllership arises from the fact that, being part of the same group of companies, RFE is responsible within the group for the management of common ICT systems, the management of internal control activities and the preparation of financial statements. Overall, the joint controllers collaborate with each other in order to comply with the obligations of the GDPR. A joint-controllership agreement has been signed between the joint controllers, in compliance with Article 26 of the GDPR. The essence of the arrangement is available to the data subjects and can be obtained by contacting the DPO.
This information document does not concern processing carried out in the context of the operation of the website (or the cookies installed by this site), nor the processing activities carried out in the context of our recruitment processes, which are the subject of specific privacy policies.
- Objective of this policy
- Information
This policy informs you (as the data subject) about how we process your personal data, in our capacity as controller, in accordance with all applicable data protection and privacy laws and regulations, including the “RGPD” – Regulation (EU) 2016/679 (hereinafter referred to as “Data Protection Laws”), and in particular pursuant to Articles 13 and 14 of the RGPD.
This policy is also intended to inform you of your rights regarding the processing of your personal data.
The Data Controller undertakes to respect and protect the personal data encountered in the course of his activities.
Personal Data is any information relating to an identified or identifiable natural person. An “identifiable natural person” is defined as a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity. This includes, for example (and not limited to), your name, home and business addresses, telephone number, email address, credit card or other billing information, certain data about your business activities, certain data about your activities on our website, and other information you provide us.
This Statement describes how the Data Controller manages Personal Data collected both through the Data Controller’s website and through other means (for example, from forms, telephone calls, e-mails, purchase orders, or other communications with you).
We process your data in accordance with all applicable laws regarding the protection of personal data and privacy, including the “GDPR” – General Data Protection Regulation (EU) 2016/679.
By accessing and using the Data Controller’s Website, benefiting from the services of the Data Controller, purchasing or providing products or services to the Data Controller, or otherwise providing your data to the Data Controller (including in the context of a business relationship), you acknowledge that you have read and, where necessary, accept the terms of this Declaration and the processing and transfer of Personal Data in accordance with this Declaration.
- Informed consent
In some cases (specified below), the legal basis for our processing is your informed consent. In such cases, the other purpose of this policy is to provide you with the information necessary to obtain valid consent from you.
Where our processing of personal data is based on your consent, you have the right to withdraw your consent at any time, but this withdrawal may not affect the lawfulness of the processing carried out prior to this withdrawal. To withdraw your consent, you are invited to use the easy unsubscribe procedures provided to you by our communications tools or by sending us an e-mail (to the address below).
When our processing of personal data is based on your consent, it is our duty to be able to demonstrate that you have consented to the processing of your personal data. To do so, we retain data relating to your consent as long as we need to demonstrate our full and complete compliance with data protection laws.
If you are under 16 years of age, it is our duty to make reasonable efforts to verify, in such cases, that consent is given or authorized by the person having parental authority, taking into account the available technology. This explains why, if necessary, we may ask for more information about this holder of parental authority.
- Information on the different processing of personal data
In this section, for each treatment we perform, we provide you with information on:
- The purposes of the processing for which the personal data are intended (why we process your data);
- The legal basis of the processing (and, where applicable, the legitimate interest pursued by us or by a third party);
- The categories of personal data concerned (what types of data are processed);
- The sources of your data;
- If applicable, the recipients, or categories of recipients of personal data (with whom we share data);
- The length of time for which personal data are kept, or if it is not possible to specify, the criterion used to determine this length of time;
- Where appropriate, the transfer of personal data to recipients in countries outside the EU or to international organizations and the safeguards allowing such transfer;
In order to be as transparent and clear as possible, this information is presented in the table below, and is provided by processing (and mentions, if applicable, the possible joint controllership with RFE in relation to the processing):
Customer and order management
(joint controllership with RFE) |
Categories of data subjects: Customers
Purpose: Customer and order management (order tracking and fulfillment, sales information, invoicing, after-sales service). Legal basis: GDPR, art. 6, §1 b) (execution of contractual or pre-contractual measures), GDPR, art. 6, §1 c) (execution of legal and regulatory obligations: CIR, 315§3 ; CTVA 60§4).
Data categories: Traditional identifiers (surname, first name, address, telephone), Electronic identifiers, Customer code, Function, Language, Currency, Representative, Communications content, Commercial information
Sources: Data subjects
Recipients: Data controller, public administrations in the context of legal obligations. Transfer outside EU: Switzerland (appropriate level of protection confirmed by an adequation decision) Retention period: 10 years from the end of the contract or until withdrawal of consent if no contract. |
Supplier management
(joint controllership with RFE) |
Categories of data subjects: Suppliers
Purpose: Supplier management (selection, order tracking, accounting and administration, quality control). Legal basis: GDPR, art. 6, §1 b) (execution of contractual or pre-contractual measures). Data categories: Traditional identifiers (surname, first name, address, telephone), Electronic identifiers, Administrative data, Content of communications. Sources: Individuals concerned (or their employer). Recipients: Data controller (purchasing department / logistics department). Transfer outside EU: Switzerland (appropriate level of protection confirmed by an adequation decision) Retention period: 10 years from the end of the contract or until withdrawal of consent if no contract. |
Prospecting | Categories of data subjects: prospects.
Purpose: general prospecting, company development. Legal basis: GDPR, art. 6, §1 f) (legitimate interest: prospecting of professional customers, development of economic activities). Data categories: Traditional identifiers (surname, first name, address, telephone), Electronic identifiers, Administrative data, Sectoral data, Customer code, Function, Category / Home group, Language, Currency, Financial details, Representative, Transport, Communications content, Commercial information. Sources: Data subjects, official databases, trade (public) databases. Recipients: Data controller, commercial intermediaries. Transfer outside EU: / Retention period: 3 years. |
Public Relations
(joint controllership with RFE) |
Categories of data subjects: customers.
Purpose: public relations and customer information (information, possible complaints). Legal basis: GDPR, art. 6, §1 (a) (consent), GDPR, art. 6, §1 (c) (fulfilment of legal and regulatory obligations). Data categories: Traditional identifiers (surname, first name, address, telephone), electronic identifiers, content of communications, commercial information, description of the possible complaint. Sources: Data subjects. Recipients: /. Transfer outside the EU: / Retention period: 10 years from the end of the contract or until withdrawal of consent if no contract. |
Email marketing
(joint controllership with RFE) |
Categories of data subjects: customers, prospects.
Purpose: communication by e-mail. Legal basis: GDPR, art. 6, §1 a) (consent), GDPR, art. 6, §1 f) (legitimate interest: soft opt-in for existing customers). Data categories: Electronic identifiers. Sources: Data subjects. Recipients: / Transfer outside EU: / Retention period: until unsubscribing. |
Visitor register / Visitor safety | Categories of data subjects: Visitors, external company, subcontractors
Purpose: Visitor Access Control / Visitor Safety Legal basis: GDPR, art. 6, §1 f) (legitimate interest: to guarantee the security of the company’s assets and the safety of persons when they are within the company) Data categories: Entry time, Exit time, Visitor’s name, Name of external company or subcontractor, Name and first name of the visited worker, Registration number, Badge number, Signature.
Sources: Data subjects Recipients: Police, judicial authorities Transfer outside EU: / Retention period: 1 month |
Surveillance cameras / Security of the production sites | Categories of data subjects: Visitors to the site
Purpose: To ensure the safety of the site and workers, to ensure the protection of the company’s assets, to ensure the control of the production process (verification of the proper functioning of the installations) Legal basis: GDPR, art. 6, §1 f) (legitimate interest: safety of the site and workers, protection of goods, control of the production process); Law of 21 March 2007 regulating the installation and use of surveillance cameras, Chap. II and III Data categories: Images
Sources: Installed cameras Recipients: Police, judicial authorities Transfer outside EU: / Data Retention: 1 month |
Transporters register | Category of data subjects: Carriers (drivers)
Purpose: Verification of the identity and capacities of the drivers. Legal basis: GDPR, art. 6, §1, f) (legitimate interest: prevention of fraud and offences, verification of the proper execution of contracts, protection of company equipment, company security). Categories of data concerned: surname, first name, driver’s license number and expiry date Source: the datasubjects themselves Recipients: other entities of the RIVA group Transfers outside the EU: / Retention period: 10 years |
Operational camera at the entrance of the Thy-Marcinelle premises | Category of data subjects: persons whose image is captured by the camera
Purpose: operational camera for logistical purposes (to ensure the smooth running of Thy Marcinelle’s activities, in particular with regard to the arrival and departure of the trucks; checking the external characteristics of the trucks; the organization of the washing platform) Legal basis: GDPR, art. 6, §1, f) (legitimate interest: good organization of entries and exits from the site) Data categories: video images Source: camera located at the entrance of the site Recipients: / Transfers outside the EU: / Retention period: 15 days |
Where the provision and processing of personal data is necessary for compliance with laws or contractual obligations, your refusal to provide us with the data or your provision of false or incomplete data may result in us refusing or stopping any business relationship with you or your company.
If we process personal data for purposes other than those set out in this article, we will provide you with information about this new purpose and any other relevant information before starting the new processing.
- Your rights as a data subject
Data protection laws grant you rights in certain cases and under certain conditions, including the rights of access, rectification, request for deletion of your personal data, as well as the right to request the limitation of processing or to oppose processing. In certain cases and under certain conditions, you also have a right to the portability of your data.
Please contact us as specified in the “Who to contact about your personal data” section below to make any request to exercise your rights or if you have any questions or concerns about how we handle your personal data.
You can, in principle, exercise these rights free of charge. Please note, however, that the processing of external requests, which are found to be unfounded or excessive, may sometimes be subject to reasonable administrative fees.
Please note that some personal data may be exempted from the rights of access, rectification, objection, deletion, limitation or portability in accordance with personal data protection laws or other legislation.
- Sharing Personal Data
Depending on the type of relationship we have with you and the needs, the Data Controller may make the Personal Data accessible to the following third parties and entities:
- Other members of our Group (including among others the RIVA Group (Italy) and Riva France (France)).
- Our service providers
External third-party service providers, such as IT systems service providers, support, hosting; print, advertising, analysis and market research service providers; banks and financial institutions that handle our accounts; insurance; document and management record providers; translators; travel assistance providers; call centre service providers; and other similar third-party vendors and outsourced service providers that assist us in the performance of our business activities.
- Government authorities and third parties involved in legal proceedings
The Data Controller may also share Personal Data with governmental authorities or other public authorities or participants in civil legal proceedings and their representatives and other advisors that we believe are necessary or appropriate: (a) to comply with applicable law, including laws outside your country of residence; (b) to comply with legal proceedings; (c) to respond to requests from the public and governmental authorities (including public and governmental authorities outside your country of residence); (d) to enforce our terms and conditions; (e) to protect our operations or those of the Group of Companies; (f) to protect our rights, privacy, security, property and/or those of the Group of Companies, you or others; and (g) to enable us to pursue valid solutions or limit our damages.
- Other third parties
We may share Personal Data with beneficiaries or providers of emergency services (firefighters, police and emergency medical services); other parties to a current or proposed reorganization, merger, sale, joint venture, assignment, transfer or other transaction related to all or part of our activities, goods or stock for which such Personal Data was collected.
- International transfers
As the Data Controller is part of the Riva Group, Personal Data are routinely transferred to other European Union countries where other Group companies are located, as well as to Switzerland (which offers appropriate and adapted guarantees with regard to the protection of personal data, in accordance with an adequacy decision by the European Commission).
Given the international nature of our activities, and for the reasons explained above, we may also need to transfer certain documents containing Personal Data to parties located in countries outside the European Economic Area (including the United States and other countries that have a different – and less protective – data protection regime than that applicable in the European Union, and which do not benefit from an adequacy decision by the European Commission). For example, in order to comply with our legal obligations or fulfill our contracts, we may transfer information to other members of our commercial network, service providers, business partners and public and governmental authorities located outside the European Union. Such a transfer is only made when it is essential for the performance of a contract or the establishment, exercise or defense of legal rights, or when it is made with your explicit and detailed prior consent. The risk of such transfer is limited to the extent that the data are limited to what is strictly necessary and imposed by applicable law or contracts.
- Safety and security
The Data Controller shall take appropriate technical, physical, legal and organizational measures, which comply with the Laws on the Protection of Personal Data.
Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. If you have reason to believe that an interaction with us is no longer secure (for example, if you believe that the security of any personal data you may have with us has been compromised), please notify us immediately. See the section “Who to contact about your personal data” below.
When the controller provides personal data to a service provider, the service provider will be carefully selected and must use appropriate measures to protect the confidentiality and security of personal data.
- Retention of Personal Data
The Data Controller shall retain the Personal Data for the period necessary to fulfil the purposes set out in this Declaration unless a longer retention period is imposed or permitted by law.
Data retention periods are set out in our Data Retention Policy and differ according to the data and the purposes for which they are stored.
As a general rule:
- the data retention required by law is carried out within the time limits prescribed by law;
- the data necessary for us to demonstrate the proper performance of contracts are kept for a period of 10 years from the end of the contract concerned.
- Personal Data of Other Individuals
If you provide Personal Data to the Data Controller with respect to other individuals, you consent: (a) to inform the individual of the content of this Policy; and (b) to obtain consent (where legally required) for the collection, use, disclosure, and transfer (including cross-border transfer) of Personal Data with respect to the individual in accordance with this Policy.
- Complaints
If you are not satisfied with our handling of your personal data and you think that contacting us will not solve the problem, the Data Protection Laws give you the right to file a complaint with the competent supervisory authority (more information on the latter’s website):
https://www.autoriteprotectiondonnees.be
Autorité de Protection des Données
Rue de la Presse, 35
1000 Bruxelles (Belgique)
Tel. : +32 (0)2 274 48 00
Fax : +32 (0)2 274 48 35
Email : contact(at)apd-gba.be
- Who to contact about your personal data
Questions or requests relating to our processing of personal data may be addressed to the following address: THY MARCINELLE, Data Protection Officer, Rue de l’Acier 1, 6000 Charleroi, Belgium.
Questions or requests concerning the processing of personal data may also be addressed to the Data Protection Officer (DPO) for the three entities: Dpd.belgique[at]rivagroup.com
- Changes to this Policy
We regularly review this Policy and reserve the right to make changes at any time to reflect changes in our business or new legal requirements.
To inform you of the changes, we will post the updates on our website. In some cases (and if we have your address), we may also inform you by email.
Please check the “last updated” date at the top of this Policy to see when it was last revised.