In the course of its business activity, the ALTEN Belgium company (hereinafter “ALTEN”) needs to process Personal Data (as defined hereinafter) concerning the company’s Employees, Service Providers, Suppliers and current and prospective Customers.
ALTEN is bound by all applicable regulations when it comes to the protection of Personal Data and undertakes to comply with the applicable rules in this area, most notably the (EU) regulation 2016/679 of the European Parliament and Council of 27 April, 2016 (hereinafter the “GDPR”).
“Personal Data” pertains to any information that relates to a natural person, identified or identifiable, directly or indirectly, most notably through reference to an identifier such as an identification number, localisation data, an online identifier, or to one or more specific elements pertaining to his or her physical, physiological, genetic, psychic, economic, cultural or social identity.
“Sensitive Data” pertains to Personal Data which, directly or indirectly, indicates racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, along with the processing of genetic data, biometric data for the purposes of identifying a natural person in a unique way, data pertaining to health or data relating to the sex life or sexual orientation of a natural person.
“Data subject(s)” pertain(s) to a natural person whose Personal Data is collected or processed by ALTEN or by an ALTEN subcontractor.
“Employee(s)” pertain(s) to any internal member of ALTEN, whether an employee, intern, student apprentice, temporary employee or any other.
“Service provider(s)” pertain(s) to any person outside ALTEN but who carries out activities for ALTEN.
3. Collection and Processing of Personal Data
The rules described hereinafter must be respected by ALTEN Employees and Service Providers when they are required to collect and process Personal Data.
ALTEN shall ensure that all current and future Employees and Service Providers are informed of the content of this Policy and receive regular and appropriate training on the topics addressed herein.
This Policy will be published on the ALTEN website.
4. Collection for specific, explicit and legitimate purposes
European rules applying to the protection of Personal Data require that said Personal Data be collected for specified, explicit and legitimate purposes.
ALTEN Employees and Service Providers must therefore make sure that the purpose for which Personal Data is collected is:
- regulated and sufficiently specific;
- relevant to ALTEN’s business;
- communicated to those concerned in a clear manner;
- Legally authorised.
Likewise, if Personal Data is collected for a specific purpose, it cannot be used in any way that is incompatible with this initial specific purpose.
The purposes for which ALTEN collects and processes Personal Data are primarily as follows:
- administrative management of human resources;
- payroll management;
- career management and HR development;
- recruitment management;
- general accounting;
- management of current and prospective customers;
- management of service providers;
- the provision of IT tools for personnel;
- access control.
5. Existence of a legal basis for the processing of Personal Data
Before beginning the collection and processing of Personal Data, ALTEN Employees and Service Providers must ensure that the following prior conditions have been met:
- the person concerned has given his or her consent to the collection and processing of his or her Personal Data; or
- the processing of Personal Data is necessary for the performance of a contract to which the person concerned is party; or
- under certain special circumstances, ALTEN has a legitimate interest to process Personal Data (for example the prevention of fraud), unless overridden by the interests or rights of the person concerned; or
- the processing of Personal Data is necessary to protect the vital interests of the person concerned (for example a situation of life or death); or
- the processing of Personal Data enables ALTEN to meet a legal obligation to which it is bound; or
- the processing of Personal Data is necessary to perform an assignment in the public interest.
6. Minimisation of collected Personal Data
In view of the persons concerned, together with the context and purpose of processing, ALTEN Employees and Service Providers must be sure that processing is confined only to the Personal Data that meet the following conditions:
- confined to what is necessary with regard to the purpose(s) of processing.
Moreover, said Employees and Service Providers must keep this Personal Data updated to ensure that it is as accurate and as comprehensive as possible.
7. Retention of Personal Data
ALTEN Employees and Service Providers must make sure that Personal Data are not retained for longer than necessary with regard to the purpose for which they were collected and the nature thereof. Accordingly, they must set a period of retention over a limited period of time, taking full account of these instructions.
8. Collection of Sensitive Data
Generally speaking, the collection and processing of Sensitive Data at ALTEN is prohibited.
However, such collection or processing of Sensitive Data may be authorised if the following conditions are met:
- the collection or processing of such data is necessary and relevant in relation to ALTEN’s business activities; and
- at least one of the following conditions is also met:
o ALTEN has obtained the explicit consent of the person concerned for the collection and processing of his or her Sensitive Data, or
o the person concerned has previously made public his or her Sensitive Data, or
o the collection and processing of Sensitive Data is necessary to meet a legal obligation, particularly regarding labour or social security law, or
o the processing of Personal Data is necessary to protect the vital interests of the person concerned(for example a situation of life or death), or
o processing is necessary for the recognition, exercising or defence of a right in a court of law.
Before collecting or processing Sensitive Data, Employees and Service Providers must request authorisation from their line manager or from the company Data Protection Coordinator (DPC).
9. Information for persons concerned
ALTEN Employees and Service Providers must ensure that those concerned have effectively received clear and comprehensive information, written in an understandable and easily accessible manner, which specifies how and by whom their Personal Data will be used.
More precisely, said Employees and Service Providers must refer to the “Statements of Information” in order to ascertain which information has to be given to those concerned.
When Personal Data is collected indirectly (for example from a business partner or recruitment agency), said Employees and Service Providers must ensure that the necessary statement of information relating to indirect data collection has been effectively forwarded to the person concerned. To do so, they must also refer to the “Statements of Information”.
10. Respect for the rights that persons concerned may exercise
In compliance with applicable regulations, a data subject whose Personal Data is collected or processed by ALTEN must be able to exercise his or her right to portability for Personal Data, together with rights of access, correction, erasure, limitation and opposition for legitimate reasons.
The person concerned also has the right to issue instructions relating to the fate of his or her Personal Data in the event of death.
ALTEN Employees and Service Providers must ensure that the possibility of exercising these rights is effectively mentioned in information for the person concerned, as provided for in Section 9.
11. Automated decisions having a negative effect on the person concerned
European legislation for the protection of personal data aims to prevent decisions affecting people from being made solely on the basis of the automated processing of personal data with no human presence or intervention, as such decisions may have a significant negative effect on the persons concerned.
When decisions are made by automated means, ALTEN Employees and Service Providers must ensure that the persons concerned are made aware of the rationale behind any such decision.
Said Employees and Service Providers must take the necessary steps to protect the legitimate interests of those concerned, specifically the possibility for them to request human intervention or to contest the decision.
At ALTEN, a decision made by automated means may not be based on Sensitive Data.
12. Security and Privacy of Personal Data
ALTEN has introduced appropriate technical and organisational measures to ensure the security and privacy of the Personal Data it collects and uses.
As a consequence, when Personal Data is processed, ALTEN Employees and Service Providers must implement appropriate security measures in order to prevent:
- the accidental or unauthorised destruction of Personal Data;
- the impairment of Personal Data;
- accidental access to or unauthorised disclosure of Personal Data;
- illicit processing of Personal Data.
These appropriate measures will be taken with full consideration given to the nature of Personal Data and to the risks incurred by the processing thereof.
When ALTEN wishes to assign the processing of Personal Data to a subcontractor, Employees or Service Providers must ensure that a written contract has been established in which:
- the subcontractor undertakes to process the Personal Data assigned to him only when instructed to do so by ALTEN; and
- the subcontractor undertakes to implement the appropriate technical and organisational security measures in order to protect the security and privacy of the Personal Data entrusted to them.
13. Transfer of Personal Data to countries outside the European Union
In cases where the processing of Personal Data carried out by ALTEN may involve a transfer of said data to a third country (located outside the European Union or not having an appropriate level of protection within the meaning of the European regulation), or to an international organisation, ALTEN undertakes to provide the appropriate guarantees as required by the GDPR, and to ensure said guarantees are respected by Employees and Service Providers.