External Personal Data Protection Policy

The French companies of the Group ARMOR inform you that your personal data is collected and processed in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or “GDPR”) and the French Data Protection Act no. 78-17 (the “Regulations”).

The purpose of this policy is to provide you with information on the processing your Personal Data undergoes and on the conditions under which it is protected by the Group ARMOR.

The following definitions will help you to understand all of the concepts used in this document concerning the protection of your Personal Data.

1. DEFINITIONS

Personal Data: All information that relates to an identified or identifiable natural person, in particular a name, an identification number, location data, an online identifier, or one or more factors that are specific to the physical, economic, cultural or social identity of that natural person.

Recipient: A person who is authorised to receive Personal Data that is stored in a file or undergoing Processing, on account of their position.

DPO: Data Protection Officer.

Sensitive Data: The personal data of a natural person concerning their racial or ethnic origin, their political, philosophical or religious opinions, their trade union membership, their health, their sex life or their sexual orientation, their criminal convictions and offences, or their social security number.

Data Subjects: A natural person who is directly or indirectly identified or identifiable and whose Personal Data undergoes Processing.

Controller: The French company of the Group ARMOR that determines the Processing purposes and means.

Processor: A natural or legal person (undertaking or public body) that processes the Personal Data on behalf of a Controller, in the form of a service or provision of services.

Processing: An operation which is performed on Personal Data, regardless of the means used (collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, or alignment).

2. PURPOSES OF PROCESSING

The French companies of the Group ARMOR collect your Personal Data for the following purposes:

2.1. Candidate for a position

2.1.1. Management of recruitments

Purposes of the Processing: Management of recruitments (assessment of applicants for the position offered, verification of application information)

Lawful basis for the Processing: Employer’s legal obligation
Legitimate interest: for required Data marked with an asterisk that is needed in order to get to know the applicant
Consent: for optional Data

Personal data collected: Identification: surname, first name, identity photo, gender, date and place of birth, nationality, telephone number, email and personal addresses
Personal information: family situation
Professional information: professional situation, training, references, business experience and email address

Sensitive Data: Health: disability recognised by the Local Authorities
Criminal convictions and offences: legal obligation for AEO (Authorised Economic Operator) certification

Recipients: Authorised persons from the human resources departments, the support services that are involved in negotiations, the line manager or other companies in the ARMOR Group that are involved, state bodies and recruitment firms

Source of collection: Directly from the Data Subject or indirectly via another person (recruitment firms, professional references, business social media and websites)

Retention period: 12 to 24 months as from the last contact

2.2. Employees of prospective and current customers

2.2.1. Management of prospective and current customers

Purposes of the Processing: Direct marketing (compilation and management of a file of prospective customers)
Customer relationship management (management of the customer data file, management of sales contracts, management of orders, after-sales service, management of customer accounting and invoicing, management of the customer account and sales follow-up)

Lawful basis for the Processing: Consent of prospective customers in order to establish a business relationship
Consent of customers for optional Data
Legitimate interest of the commercial management and marketing of the sale

Personal data collected: Identification and professional information: surname, first name, employer’s name, position, telephone number, business address and email address
Online activity: IP address, browsing time, date and data, login name

Recipients: Authorised persons from the marketing and sales, IT and accounting departments, or other companies of the Group ARMOR that are concerned, and other Processors

Source of collection: Directly from the Data Subject via a contact form, trade fairs, visits, telephone calls or indirectly via another person (referral, the customer’s sales representative, trade fair organisers, service providers, business social media and websites)

Retention period: Until the end of the business relationship

2.3. Employees of prospective and current customers and of carriers

2.3.1. Management of procurements and of deliveries

Purposes of the Processing: Management of the procurements of the French companies in the Group
Management of deliveries to customers and between Group sites

Lawful basis for the Processing: Legitimate interest: ensure the communication that is necessary for the procurements of the companies in the Group ARMOR, for deliveries to customers and for transfers of products between sites

Personal data collected: Identification and professional information: surname, first name, address, telephone number, business address and email address
Online activity: login name

Recipients: Authorised persons from the transportation and IT departments, storekeepers, customers, suppliers, carriers and other Processors

Source of collection: DDirectly from the Data Subject or by the customer, the supplier or the carrier via an exchange of emails or telephone call

Retention period: Duration of the contractual relationship

2.4. Employees of suppliers

2.4.1. Approaching suppliers and management of relationships with suppliers

Purposes of the Processing: Approaching and selection of suppliers (compilation and management of a data file of potential suppliers)
Management of the supplier relationship (compilation and management of the supplier data file, management of orders and deliveries, management of invoices and payments, and of supplier accounting, management of procurement contracts)

Lawful basis for the Processing: Legitimate interest in compiling and maintaining a list of suppliers and managing procurements

Personal data collected: Identification and professional information: surname, first name, employer’s name, place of invoicing, profession, business telephone number and address, date of birth, gender and position

Recipients: Authorised persons in the purchasing, accounting, logistics, legal, quality, HSE and IT departments, or other companies of the Group ARMOR that are concerned, and other Processors

Source of collection : Directly from the Data Subject or through online research and trade fairs or business contacts

Storage period: Duration of the contractual relationship

2.5. Other co-contracting parties

2.5.1. Management of contracts and legal documents

Purposes of the Processing: management of contracts and legal documents

Lawful basis for the Processing: Legitimate interest: managing legal documents and contracts

Personal data collected: Identification and professional information: surname, first name, date of birth, gender, email address, postal address, telephone number and position
Online activity and access: IP address, browsing time, date and data, login name and password

Recipients: Authorised persons from the IT, legal, procurements, financial control, industrial monitoring and property departments, corporate officers of the Group ARMOR companies concerned, authorised persons from the co-contracting entity and other Processors

Source of collection : Directly from the Data Subject

Storage period: Duration of the contractual relationship

2.6. Corporate officers of clients, suppliers and other co-contracting parties

2.6.1. Fight against corruption

Purposes of the Processing: Avoinding fraud

Lawful basis for the Processing: Legal obligation pursuant to the “Sapin 2” Act

Personal data collected: Identification: surname and first name of the corporate officer
Professional information: position, politically exposed person status
Criminal convictions and offences: corporate officer convictions on grounds of corruption

Recipients: Authorised persons from the consolidation and internal control, purchasing, finance and sales departments of the Group ARMOR companies
In the event of an audit: French Anti-Corruption Agency

Source of collection: Directly from the Data Subject and via the Office Forms questionnaire for post-training evaluations or indirectly via the report on the risk of corruption of a service provider for the data on external third parties

Storage period: 5 years after the end of the business relationship for reports on partners
10 years to justify actions to raise awareness of exposed employees or after the employee leaves the company in question

2.7. Visitors to French sites

2.7.1. Access control and video surveillance

Purposes of the Processing: Access control for visitors and external partners
Video surveillance of the La Chevrolière, Les Sorinières and Cordon Bleu sites

Lawful basis for the Processing: Legitimate interest: visitor reception and access control, number of people present on the site, safety of persons and property, protection of industrial property, contributes to Authorised Economic Operator certification

Personal data collected: Identification and professional information: surname, first name and copy of ID document, depending on the site
Location: dates and times of the visit and movement of visitors inside and outside the buildings
Online activity: IP addresses and login names

Recipients: Employees who are responsible for evacuation and safety or Authorised Persons from the corporate services, IT and human resources departments, corporate officers or the external emergency or investigative services in the event of an incident, and other Processors

Source of collection: Access: directly from the Data Subject
Video surveillance: indirectly via recording of images

Storage period: Access : 1 year maximum
Video surveillance of the La Chevrolière site: 30 days for the exterior and 5 days for the interior, 6 days for access to the server
Video surveillance of the Les Sorinières site: 0 days
Video surveillance of the Cordon Bleu site: 15 days

3. STORAGE PERIOD

Your Personal Data is not stored any longer than is necessary for the purpose of the Processing and the archiving requirements defined by law in the event of litigation or for legal obligations. When data is archived, the necessary access is restricted to authorised persons.

4. TRANSFER OF DATA OUTSIDE OF THE EUROPEAN UNION

In principle, your Personal Data is not transferred outside of the EU. The only Personal Data that may be transferred outside of the EU to the Group ARMOR companies and certain Processors (suppliers, clients and carriers) concerns the management of contracts and the management of procurements, deliveries and orders outside of the EU.

If Personal Data is transferred outside of the EU to a country that does not have an adequate level of protection within the meaning of the Regulations, the Group company concerned or the Processor undertakes to implement all appropriate safeguards, such as, in particular, Standard Contractual Clauses, a code of conduct or a certification mechanism.

5. EXERCISE OF RIGHTS BY DATA SUBJECTS

You have a right of access, rectification, objection, portability and erasure concerning your Personal Data and a right to request restriction of the processing thereof. You can exercise these rights by contacting the Data Protection Officer (“DPO”) via email: [email protected] or by sending a letter to the following address: ARMOR, For the attention of the DPO, 20 rue Chevreul, CS 90508, 44105 NANTES Cedex 4, France stating:

  • The identity of the Controller,
  • The processing concerned or circumstances under which Personal Data is collected,
  • The right(s) that you wish to exercise,
  • A recto-verso copy of the Data Subject’s ID card or passport.

Your legitimate request will be processed within one month of receipt. If necessary, this time-limit may be extended by 2 months, before the initial 1-month time-limit expires, depending on the complexity and the number of requests. Absent a satisfactory response from ARMOR, you also have the right to file a claim with the supervisory authority: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07 or online www.cnil.fr/fr/plaintes.

6. IDENTITY OF THE CONTROLLER

The Controller is one of the following French companies of the Group ARMOR, which determines the purposes and means of the Personal Data Processing and is identified when the Personal Data is collected:

ARMOR
A French société par actions simplifiée (simplified joint-stock company) with capital of €10,299,450
20 rue Chevreul – 44100 Nantes – France
Nantes Trade and Companies Register no. 857 800 692

ARMOR PRINT SOLUTIONS
A French société par actions simplifiée (simplified joint-stock company) with capital of €8,005,000
17 Boulevard de Chantenay, 44100 Nantes, France
Nantes Trade and Companies Register no. 892 312 067

ARMOR BATTERY FILMS
A French société par actions simplifiée (simplified joint-stock company) with capital of €5,296,317
20 rue Chevreul – 44100 Nantes – France
Nantes Trade and Companies Register no. 892 311 937

ASCA
A French société par actions simplifiée (simplified joint-stock company) with capital of €29,039,609
20 Rue Chevreul, 44100 Nantes, France
Nantes Trade and Companies Register no. 844 766 170

KIMYA
Société par Actions Simplifiée au capital de 3.165.439 €
20 Rue Chevreul, 44100 Nantes, France
Nantes Trade and Companies Register no. 892 311 887

Several companies in the Group ARMOR are joint Processors when they determine jointly the Personal Data Processing purposes and means. ARMOR is the joint Processor for the following types of Processing, along with all the other subsidiaries mentioned above:

  • Management of recruitment
  • Management of procurements
  • Management deliveries
  • Management of contracts and legal documents
  • Access control and video surveillance
  • Fight against corruption
  • Management of the exercise of Data Subjects’ rights

7. UPDATES

The French companies in the Group ARMOR retain the right to update these provisions at any time.