Carmeuse supports the right to privacy, including the rights of individuals to control the dissemination and use of Personal Data relating to them. In this respect, Carmeuse strives to be compliant with applicable Data Protection Legislation.
This Policy applies to all Contractors who are dealing with any of the Carmeuse entities within Europe based on an agreement, contract, order or other legal documentation, whether oral or in written, and applicable to its relation with such Carmeuse entity (hereinafter, the “Agreement”). Categories of Contractors include, without limitation, (i) customers, (ii) all consultants, independent contractors, suppliers, temporary workers, etc. performing services for or at Carmeuse and (iii) any other third parties acting directly or indirectly on Carmeuse’s behalf (such as outsourcing organizations that perform information processing services on behalf of Carmeuse). All Contractors are mandatorily required to adhere to this Policy.
(a) Within the framework of any Agreement, Carmeuse, in its capacity of data controller, might collect and process personal data of representatives or other identifiable contact persons within a Contractor’s organization (hereinafter, the “Data Subjects”) (hereinafter, the “Personal Data”), such as, for all categories, including (i), (ii) and (iii) above:
- Identification data;
- Contact details;
- Personal characteristics;
- Professional data (employer, profession, position);
For category (i), where appropriate,
- Leisure pursuits and interests;
And for categories (ii) and (iii), where appropriate,
- Financial details;
- Time registration details;
- Photos and video materials;
- Medical and health data;
- Evaluation data;
- Judicial data, including data relating to criminal convictions and offences.
(b) Collection of Personal Data generally occurs as follows:
- Either directly from the Contractor, for example via information entered into or provided by him;
- Either via other (public or non-public) information channels, such as the organization of the Contractor, social media channels such as LinkedIn, etc.;
- Either by actions of Carmeuse itself or its data processors, for example via certain controls or checks, evaluations, camera surveillance, access control measures, monitoring of IT systems etc.
(c) This processing shall occur for the purposes of properly performing the Agreement and the obligations thereunder, for organizing and maintaining a proper administration of the Agreement within Carmeuse, for enforcing Carmeuse safety rules, for maintaining proper contractual relationships with the Contractor and contacting such Contractor in case of any problems or issues (hereinafter, the “Purposes”). Consequently, the legal grounds upon which this processing activity shall be based are, as the case may be, the consent of the natural persons whose Personal Data might be processed, the necessity for the performance of the Agreement and/or Carmeuse’s legitimate interests in organizing and maintaining a proper administration of any and all Agreements, enforcing Carmeuse safety rules and communicating with any Contractor.
(d) The Personal Data Carmeuse collects in the context of the Purposes shall be treated with due care. Carmeuse therefore takes reasonable efforts to ensure that appropriate technical and organizational security measures are being taken with regard to Personal Data. Access rights to these Personal Data are restricted in such a way that they can only be accessed in a secured way (passwords) and only when necessary for the performance of certain tasks, in accordance with the Purposes, so that only authorized persons who need the Personal Data for the proper performance of their duties have the possibility to carry out internal consultations.
(e) The Personal Data of the Data Subjects may, when relevant, be shared with the following categories of recipients, some of which may be acting as data processors on behalf of Carmeuse: IT service providers, hosting providers, other entities within the Carmeuse Group, public authorities, legal and tax advisors. Such data processors shall abide by the same principles as set out in this Policy and, in case of transfers outside the European Union, Carmeuse shall ensure suitable safeguards via appropriate contractual clauses in accordance with applicable data protection legislation.
(f) Storage and retention of the Personal Data of the Data Subjects shall last as long as necessary for the Purposes and for a maximum period of ten years as from the termination of any and all Agreements with the respective Contractor, unless otherwise required by applicable law.
(g) In accordance with applicable data protection legislation and to the extent allowed thereunder, the Data Subjects’ rights are as follows:
- The right to request access to and rectification or erasure of their Personal Data;
- The right to ask for restriction of the processing of their Personal Data;
- The right to object to the processing of their Personal Data; and
- The right to Personal Data portability.
These rights can be enforced by notifying Carmeuse at firstname.lastname@example.org. In addition, the Data Subjects also have the right to lodge a complaint with the relevant Data Protection Authority in their country.
(h) The Contractor shall take the necessary measures to inform the Data Subjects of the processing of their Personal Data by Carmeuse and their associated rights as described in (f) above.
(i) To the extent a Contractor would be processing any Personal Data of representatives or other identifiable contact persons within Carmeuse, such processing should be done according to similar principles as set out in this Policy.