EU CUSTOMER/VENDOR DATA PROTECTION POLICY
Rules on customer/vendor personal data processing
1. INTRODUCTION AND SCOPE
Ferro is committed to processing personal data responsibly and in compliance with the applicable Data Protection Laws in all countries in which Ferro operates.
This EU Customer/Vendor Data Protection Policy (the “Policy”) describes the types of customer and vendor personal data Ferro collects, how Ferro uses the personal data, with whom Ferro shares the personal data, and the rights you, as a customer or vendor, have regarding Ferro´s use of the personal data. This Policy also describes the measures Ferro takes to protect the security of the data and how you can contact us about our data protection practices.
2. CONTACT DETAILS OF THE DATA CONTROLLERS
The entities responsible for the collection and use of your personal data (Data Controllers) for the purposes described in this Policy are listed in Appendix I.
3. CONTACT DETAILS OF THE DATA PROTECTION COORDINATOR
At the pan-European level, an EU Data Protection Coordinator is designated. This position is involved in all issues related to the protection of your personal data. The EU Data Protection Coordinators is in charge, in particular, of monitoring and ensuring compliance with this Policy and the applicable Data Protection Laws and providing advice on data protection matters upon request.
For any clarification or additional information you may need in order to fully understand this Policy, please contact the Ferro EU Data Protection Coordinator at:
Lenore Burg DataProtectionEU@Ferro.com +31 10 4784 935
4. PURPOSES OF DATA PROCESSING AND LEGAL BASIS
Ferro processes personal data in accordance with applicable Data Protection Laws and only for limited, explicit and legitimate purposes.
Ferro will not use personal data for any purpose that is incompatible with the purpose for which it was initially collected unless you provide your prior explicit consent for further use.
Ferro processes customer and vendor personal data for the following purposes:
|Managing commercial relationships with current and potential clients||Contractual|
|Managing commercial relationships with suppliers and vendors||Contractual|
|Carrying out promotional operations||Legitimate Interest|
|Conducting statistical surverys and marking studies||Legitimate Interest|
For questions or additional information regarding the purpose and legal basis for processing personal data, please contact the Ferro EU Data Protection Coordinator.
Ferro ensures that our internal governance procedures clearly specify the reasons behind decisions to use personal data for further processing purposes. Prior to using your personal data for a purpose other than the one for which it was initially collected, you will be informed about such new purpose.
5. PERSONAL DATA PROCESSED
The provision of personal data is a requirement necessary to enter into a contract with Ferro or a requirement by law or regulation for Ferro to administer your contractual relationship. The personal data processed is limited to the data necessary for carrying out the purpose for which such personal data is collected.
Personal data processed includes the following:
- Business information (such as name of organization, phone number, email, department and job title);
- Contractual information (such as date of agreement, type of commercial relationship, etc.).
Ferro will not collect personal data if such collection is prohibited under the applicable Data Protection Laws.
In any case, no personal data revealing racial or ethnic origin, political opinions, philosophical beliefs, or concerning sex life will be processed. Trade union membership and health-related personal data as well as religious beliefs may only be collected under very limited circumstances as provided and permitted by local data protection laws.
Ferro will maintain personal data in a manner that ensures it is accurate, complete and up-to-date.
6. RECIPIENTS OF PERSONAL DATA
Ferro will only grant access to personal data on a need-to-know basis, and such access will be limited to the personal data that is necessary to perform the function for which such access is granted.
Authorization to access personal data will always be linked to the function, so that no authorization will be extended to access personal data on a personal basis. Service providers will only receive personal data according to the purposes of the service agreement with Ferro.
7. INTERNATIONAL DATA TRANSFERS
International data transfers refers to transfers of personal data outside of the EU.
The international footprint of Ferro involves a large number of transfers of personal data between different corporate entities, as well as to third parties located in various countries. This includes the transfer of personal data from EU Member States to countries outside of the EU considered as not providing adequate legal protection for the processing of personal data.
Ferro ensures that appropriate safeguards are implemented to secure such data transfers in compliance with applicable data protection laws. We have implemented international data transfer agreements based on EU Standard Contractual Clauses to cover our international data transfers and a copy of these clauses can be obtained by contacting the EU Data Protection Coordinator.
8. RETENTION PERIOD OF PERSONAL DATA
We will not retain your personal data processed longer than allowed under the applicable Data Protection Laws. In any case, we will not retain it longer than such personal data is necessary for the purpose for which it was collected or otherwise processed, subject to applicable local retention requirements.
9. YOUR DATA PROTECTION RIGHTS
Under applicable Data Protection Laws, you will benefit from the rights listed in this section. These rights can be exercised by you at any time by contacting the Ferro EU Data Protection Coordinator
9.1 Right to access
You are entitled to obtain confirmation from Ferro as to whether or not any personal data concerning you is processed by Ferro.
In the affirmative, you have the right to access such personal data, to obtain a copy of it free of charge (except for repetitive or excessive requests) and to be provided with the following information:
(i) purposes of such processing, (ii) categories of personal data concerned, (iii) recipients or categories of recipients of personal data, in particular recipients in third countries outside the EU, (iv) the envisaged retention period or, if not possible, the criteria used to determine it, (v) existence of the right to request rectification or erasure of personal data, as well as the right to object to or request restriction of processing, (vi) the right to lodge a complaint with a supervisory authority, (vii) information relating to any third party source of personal data if the data were not collected from you, and (viii) the existence, the logic involved, the significance and the consequences of any automated decisions, including profiling.
Where personal data is transferred outside of the EU, you will be informed of the appropriate safeguards relating to such transfer.
9.2 Right to rectification
You have the right to obtain without undue delay the rectification of inaccurate, incomplete or outdated personal data concerning you.
9.3 Right to erasure
You have the right to obtain without undue delay the erasure of your personal data in one of the following cases:
- The personal data is no longer necessary in relation to the purpose(s) for which it was collected or otherwise processed;
- You withdraw the consent on which the processing was based, and there are no other legal grounds for the processing;
- You object to the processing, as provided in section 9.5 below;
- Your personal data has been unlawfully processed;
- Your personal data has to be erased for compliance with a legal obligation in EU or EU Member State law.
However, Ferro may refuse the erasure of personal data if the processing of such data is necessary for (i) exercising the right of freedom of expression and information, (ii) compliance with a legal obligation which requires processing by EU or EU Member State law or for the performance of a task carried out in the public interest, (iii) reasons of public interest in the area of public health, scientific or historical research purposes or statistical purposes, or (iv) establishment, exercise or defense of legal claims.
9.4 Right to restriction
You have the right to obtain restriction of processing in the following cases:
- Where you claim inaccuracy of your personal data processed by us (the restriction being provided for a period enabling Ferro to verify the accuracy);
- Where the processing appears unlawful, and you oppose the erasure and request the restriction of use of your personal data instead;
- Where Ferro does not need your personal data for the purposes of processing, but the personal data is required by you for the establishment, exercise or defense of legal claims; and
- Where an objection is raised by you in relation to the processing, pending the verification whether the legitimate grounds of Ferro override those of you.
When you have obtained a restriction of processing of your personal data, you will be informed prior to lifting of such restriction.
9.5 Right to object
As a general rule, you have the right to object, at any time and on legitimate grounds relating to your particular situation, to the processing of your personal data.
Provided that such objection is justified, Ferro will no longer process the personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests.
9.6 Right to data portability
In cases where the data processing is based on your consent or on your contract, and where such processing is carried out by automated means, you can request (i) to communicate to you the personal data concerning you, in a structured, commonly used and machine-readable format, in order to be able to further transmit such personal data to another data controller, or (ii) to directly transmit such personal data to such other data controller, if technically feasible.
However, Ferro can refuse such request if the processing concerned is necessary for the performance of a task carried out in the public interest or if responding to such request risks to adversely affect the rights and freedoms of others.
9.7 Right to withdraw consent
Where the processing of your personal data is based on consent, you have the right to withdraw such consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
9.8 Right to lodge a complaint
You also have the right to lodge a complaint with the competent supervisory authority.
10. POLICY COMPLIANCE
Monitoring and ensuring compliance of the personal data processing within Ferro with this Policy and applicable Data Protection Laws is the responsibility of the EU Data Protection Coordinator.
As mentioned above, you may contact the EU Data Protection Coordinator with regard to any issue related to processing of your personal data and to exercise your rights as mentioned in section 9 above.