Data Protection Policy - AISIN (TC) Europe
1.Introduction and scope
For the performance of its activities AISIN (TC) Europe processes various data, both commercial and personal data. This policy concerns the processing of the personal data of different categories of identifiable persons such as employees, clients and suppliers website users, subscribers or any other persons contacting AISIN (TC) Europe. AISIN (TC) Europe understands the importance of the protection of personal data and the concerns of its employees, clients and clients’ contact persons, suppliers and suppliers’ contact persons and other persons with whom it has contacts regarding the processing of their personal data. AISIN (TC) Europe always carefully considers the protection of personal data during the different personal data processing operations. Different persons within the company may have access to the personal data of its employees (the term employees shall include: everyone who works for AISIN (TC)Europe , including independent service providers and consultants, temporary workers such as agency workers, trainees, student workers, volunteers, former workers) and other individuals (clients and suppliers) in the performance of their duties. Each of these persons within AISIN (TC) Europe is bound by this policy. This policy is designed to provide a uniform minimum standard for the protection of personal data applicable to AISIN (TC) Europe S.A. and its respective subsidiaries. This policy will be applied by all entities within AISIN (TC) Europe, except if other compulsory data protection legislation is applicable which contains stricter obligations and conditions. Anyone with access to the personal data processed by AISIN (TC) Europe must comply with this policy. Failure to comply with this policy may result in disciplinary measures / sanctions, such as a warning, dismissal or other sanction authorized by law, without prejudice to AISIN (TC) Europe’s right to bring civil or criminal proceedings. The data controller for the purposes of this policy is AISIN (TC) Europe S.A., with registered office address at Avenue de l'Industrie 19, Parc Industriel, 1420 Braine-l’Alleud, Belgium and registered at the Crossroads Bank for Enterprises under the numbers: 0401.891.982 - 0474.474.114
2. Contact point for the protection of personal data
AISIN (TC) Europe has created a GDPR contact point, to ensure the implementation and enforcement of the General Data Protection Regulation (also called “GDPR”) and this policy. To exercise any of your rights (see article 7 of this policy), or if you have any other questions about how AISIN (TC) Europe processes your personal data, please e-mail GDPR@aisineurope.com or write to AISIN (TC) Europe by registered letter at the address below : AISIN (TC) Europe GDPR Contact Avenue de l’Industrie 19, Parc Industriel, 1420 Braine-l’Alleud, Belgium
3. Definitions
The applicable data protection legislation uses specific language and refers to an abstract matter. Below you will find several definitions in order to enable you to better understand the terminology, and by extension, this policy. a. Data protection legislation Various pieces of legislation can apply, depending on the concrete application in which personal data are processed. The basic principles and obligations are indicated in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard Data Protection Policy – AISIN (TC) EUROPE – November 2021 to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. This regulation is also known as the General Data Protection Regulation (GDPR). Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector is applicable in specific cases (e.g. processing of location data; use of cookies). As well as the European regulations, specific national data protection legislations also apply. b. Personal data Personal data concern all information about an identified or identifiable natural person, also known as the data subject. A person is considered as identifiable when a natural person can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person. c. Data controller The controller is a natural person or legal person (for example a company), a public authority, agency or other body which, alone or jointly with others, determines the purposes and means for the processing of personal data. d. Processor The processor is a natural person or legal person, a public authority, agency or other body that processes personal data on behalf of and only on instructions from the controller. e. Processing personal data Processing personal data means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means (e.g. software), such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. f. Filing system A filing system means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. This implies both electronic structured filing systems by means of the use of software or cloud applications, and paper files and filing systems, provided that these filing systems are organized and structured in a logical way by connecting them to individuals or which are connected to individuals on the basis of criteria.
4. Principles applicable when collecting and processing personal data
In addition to having its specific language, GDPR has several basic principles which every controller must comply with in order to be in accordance with this legislation… In the event of doubt regarding the application of these principles in a concrete case, you can always contact the GDPR contact point for further explanations. a. Lawfulness GDPR provides that personal data must be processed lawfully and fairly with respect to the data subject. In order to process personal data lawfully, a legal basis must exist. In principle, personal data can only be processed when: Data Protection Policy – AISIN (TC) EUROPE – November 2021 o The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. o The processing is necessary for compliance with a legal obligation which is imposed upon the organization. o The processing is in order to protect the vital interests of the data subject or another natural person. o The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the organization, which acts as the controller. o The processing is necessary for the purposes of the legitimate interests pursued by the company as a controller or the interests of a third party, except where the fundamental rights and freedoms of the data subject regarding the protection of his or her personal data override these interests. o The data subject has given his or her consent. The company shall inform the person concerned at the latest before the data is collected about the purpose for which consent is required, which personal data will be collected for the processing, the right to revoke consent, the possible consequences for the data subject in the context of automated individual decision-making and profiling, and transfer to third countries. If you have given your consent for a specific processing purpose to AISIN (TC) Europe in order to process your data for that purpose, you can withdraw this consent at any time. AISIN (TC) Europe will then stop any further processing of your data for which you gave consent and will inform you of the possible consequences of your withdrawal of consent. If AISIN (TC) Europe processes your personal data for other purposes and in order to do so it refers to other legal bases, it will still be able to process your personal data. AISIN (TC) Europe ensures that it always refers to at least one of the above-mentioned legal bases when it processes personal data… If you have questions about the applicable legal basis that AISIN (TC) Europe is referring to, you can always contact the GDPR contact point. Some categories of personal data are of a sensitive nature and data protection legislation also has a stricter regime for these special categories of personal data (also known as ‘sensitive personal data’). These are data concerning race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and processing of genetic data, biometric data for the unique identification of a person, or data about health, sexual behavior or sexual orientation. Data relating to criminal offences or convictions also form a special category. In principle, the processing of these sensitive personal data is forbidden unless the company can refer to one of the exceptions. In a limited number of cases, should AISIN (TC) Europe process sensitive personal data, the data subject will be informed in advance. For more information about the AISIN (TC) Europe’s handling of sensitive personal data, please contact the GDPR contact point. b. Fairness The data controller ensures that personal data shall be processed: o For specific, explicit and legitimate purposes and may not be processed further in a way incompatible with the initial purposes for which the data were collected. The data controller shall always clearly communicate the purposes before starting the processing. o This processing shall be limited to what is necessary for the purposes for which the data were collected. If possible, the data controller will anonymize the data or use pseudonyms Data Protection Policy – AISIN (TC) EUROPE – November 2021 in order to limit the impact for the data subject as much as possible. This means that the name or identifier will be replaced so that it is difficult or even impossible to identify an individual. o Limited in time and only as necessary for the specific purpose. o Accurately, and the data shall be updated where necessary. The data controller shall take all reasonable measures to erase or update the personal data, taking into account the purposes for which they are processed. c. Transparency (personal data collected and purposes for processing) In principle, AISIN (TC) Europe processes personal data it has received directly from the data subject and shall inform him/her about the following matters: The identity and contact details of the controller; The purpose of the processing and its legal basis; If the personal data processing is supported by a legitimate interest, an explanation of this interest; The (categories of) receivers of the personal data; The transfer of personal data to third countries (outside the EU) or international organizations (+ on what basis); The time limit for the storage of personal data or the criteria used to determine the time limit; The rights of the data subject (including the right to revoke consent); The right to lodge a complaint with the related supervisory authority; explanation when the transmission of personal data is a contractual or legal obligation; The logic behind automated decision-making processes and the possible legal consequences for the data subject; If the company receives personal data from a third party, it shall clearly inform the data subject about the categories of personal data which it received from this third party and will also make this third party known to the data subject. When the data subject already has all the information, AISIN (TC) Europe will not inform the data subject unnecessarily about the processing of his/her personal data. If AISIN (TC) Europe processes personal data for other purposes that are incompatible with the purposes for which they were initially collected (the new purpose is not described in the initial information note and the data subject cannot guess that his / her personal data will also be processed for this new purpose), the company will take all the necessary measures to process such data lawfully and will inform the person concerned. AISIN (TC) Europe can provide information on both a collective and individual basis and will always ensure that it is written in understandable and simple language. Specific legislation may contain exceptions or set additional requirements which the company must comply with, with respect to the provision of information to data subjects. These mandatory legal provisions take precedence over this policy. The personal data that AISIN (TC) Europe collects may notably include: - Name - E-mail address - Telephone number - Address - Financial and tax related information (eg. Bank account number) - Date of birth Data Protection Policy – AISIN (TC) EUROPE – November 2021 - Family circumstances (eg. Marital status) - Employment and education details - Pictures (eg. Company events) - Posting on any social media applications and services that we provide - IP address, browser type and language, access time - Details for using our products and services - Etc. AISIN (TC) Europe processes personal data to provide its clients, employees etc., with the requested services. As part of this, AISIN (TC) Europe may also use personal data in the course of correspondence relating to different services: - Customer management - Supplier management - Personnel and payroll administration - Staff management - Public relations - Security - Safety - Marketing (eg. Promoshop, Newsletter) - Trade information / technical sales information - Etc. In addition to the below purposes AISIN (TC) Europe may also use personal data collected via its websites: - To manage and respond to any request submitted through our websites - To receive orders from customers The use of cookies on AISIN (TC) Europe’s websites is exclusively restricted to visitor statistics following Google Analytics: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage d. Confidentiality and integrity AISIN (TC) Europe takes the required technical and organizational measures to ensure that the processing of personal data is always carried out with the appropriate safeguards to protect the data against unauthorized access or unlawful processing and against loss, destruction or damage, accidental origin. AISIN (TC) Europe use a range of physical, electronic and managerial measures to ensure that it keeps personal data secure, accurate and up to date. - Education and training to relevant employees to ensure they are aware of our privacy obligations when handling personal data - Administrative and technical controls to restrict access to personal data on a need-to know-basis - Technological security measures, including firewalls, encryption and anti-virus software - Physical security measures, such us staff security passes to access premises, clean desk policies etc.
5. Transfer of personal data Data Protection Policy – AISIN (TC) EUROPE – November 2021
In some cases, AISIN (TC) Europe may have to transmit personal data to third-party receivers, both inside and outside the company's group. In any event, these personal data are only transferred on a need-to-know basis to these receivers who carry out the processing for specific purposes. AISIN (TC) Europe shall always observe the necessary security measures when transferring the data and with respect to the receivers, in order to guarantee the confidentiality and integrity of the personal data… The transfer to third parties can take several forms, as described in more details below. a. Transfer within the group of AISIN (TC) Europe Third-party transfers can only intervene if AISIN (TC) Europe has respected the various principles and obligations imposed by GDPR. This means, among other things, that the data subject must be informed about the transfer and the reason for this transfer and that the transferring company can rely on a legal basis (consent from the data subject, performance of an agreement, legitimate interest, etc.) for this transfer. In this further processing, the company must also comply with the other principles listed in article 4 of this policy. When your personal data are passed on to companies within the group, but which are located outside the European Economic Area (i.e. The European Union, Norway, Iceland and Liechtenstein), AISIN (TC) Europe will provide for the appropriate guarantees described in point c. b. Transfer to processors AISIN (TC) Europe may ask a third party, a processor, to process personal data, on behalf of and only on instructions from AISIN (TC) Europe. The processor may not process these personal data for its own purposes which are independent of the purposes for which AISIN (TC) Europe uses the processor. AISIN (TC) Europe may decide to collaborate with these processors, which provide services at the request of AISIN (TC) Europe, including for travel agencies, rental services, and other professional consultancy services, etc. AISIN (TC) Europe will only use processors and provide them with personal data if a subcontract is concluded in accordance with legal requirements of GDPR. c. Transfer to third countries - outside the European Economic Area It is also possible that AISIN (TC) Europe transfers personal data to parties that are based in third countries, i.e. countries outside the European Economic Area. Such a transfer is possible if the country where the receiver is based offers sufficient legal guarantees to protect your personal data and which the European Commission has assessed as being adequate. In other cases, the company shall conclude a standard contract with the receiver so that equivalent or similar protection to that offered in Europe is offered. Where this has not occurred or is not possible, AISIN (TC) Europe may still transfer the personal data of the data subject, following the consent of the data subject, within the limits of the relationship with AISIN (TC) Europe. In order to allow the transfer, and therefore the processing, also in these cases, AISIN (TC) Europe will ask the person concerned if he/she agrees to this occasional transfer to third countries. If more information or a copy of the guarantees for these international transfers is desired, the procedure as described under article 7 can always be followed.
6. Time limit for the storage of personal data
AISIN (TC) Europe will hold personal data on its systems for the longest of the following periods: - As long as is necessary for the relevant activity or services ; - Any retention period that is required by law ; or Data Protection Policy – AISIN (TC) EUROPE – November 2021 - The end of the period in which litigation or investigations might arise in respect to AISIN (TC) Europe. After the final time limit has passed, AISIN (TC) Europe shall delete or anonymize the personal data if it still wishes to use it for statistical purposes and may retain the data for a longer period of time for dispute management, study or archiving purposes.
7. Rights of individual data subjects
Data protection legislation provides for different rights for data subjects with respect to the processing of personal data so that the data subject can still exercise sufficient control over the processing of his or her personal data. Through this policy, AISIN (TC) Europe is already trying to provide as much information as possible to the data subjects in order to be as transparent as possible with respect to the processing of personal data. This general policy must be read together with more specific information notes which give more explanations about the company’s specific processing purposes. AISIN (TC) Europe understands that the data subject may still have questions or desire additional clarifications with respect to the processing of his or her personal data. AISIN (TC) Europe thus understands the importance of the rights and shall therefore comply with these rights, considering the legal limitations in the exercising of these rights. The different rights are described in detail below. a. The right of access The data subject has the right to obtain confirmation from AISIN (TC) Europe of whether or not his or her personal data are being processed. If his or her data are being processed, the data subject may request the right to consult his or her personal data. The company shall inform the data subject of the following: o The processing purposes; o The categories of personal data concerned; o The receivers or categories of receivers to which the personal data are supplied; o The transfer to receivers established in third countries or international organizations o If possible, the period during which it is expected that the personal data will be saved, or If this is not possible, the criteria used to determine this period; o that the data subject has the right to ask the company to correct or erase personal data, or to limit the processing of his or her personal data, as well as the right to object to this processing; o That the data subject has the right to lodge a complaint with a supervisory authority; o If the personal data are not collected from the data subject, all available information about the source of the data; o The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. AISIN (TC) Europe shall also supply a copy of the personal data that are being processed. For any further copies requested by the data subject, the company may charge a reasonable fee. b. The right to rectification When the data subject establishes that AISIN (TC) Europe has incorrect or incomplete data about him/her, the data subject always has the right to inform AISIN (TC) Europe of this fact so that appropriate action can be taken to rectify or supplement these data. It is the data subject’s responsibility to provide correct personal data to the company. Data Protection Policy – AISIN (TC) EUROPE – November 2021 c. The right to be forgotten The data subject can ask to have his or her personal data erased if the processing is not in accordance with data protection legislation and within the limits of the law (Article 17 GDPR). d. The right to restriction of processing The data subject may request the processing restricted if: o The accuracy of the personal data is contested by the data subject, for a period enabling The controller to check their accuracy; o The processing is unlawful and the data subject opposes the erasure of the data; o AISIN (TC) Europe no longer needs the data, but the data subject requests that they not be removed, given that he or she needs them for the exercise or defense of legal claims; o He or she has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject. e. The right to data portability The data subject has the right to obtain his or her personal data which he or she provided to AISIN (TC) Europe in a structured, commonly-used and machine-readable format. The data subject has the right to have those personal data transmitted to another controller (directly by AISIN (TC) Europe). This is possible if the data subject has consented to the processing and if the processing is carried out via an automated process. f. The right to object When personal data are processed for direct marketing purposes (including profiling), the data subject can always object to this processing. The data subject can also object to processing due to a specific situation regarding the data subject. AISIN (TC) Europe shall stop processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests of the data subject or for the exercise or defense of legal claims. g. Automated individual decision-making The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her such as evaluating personal aspects with respect to the performance of work, reliability, creditworthiness, etc. This right not to be subjected to such automated decision-making does not exist when the decision is permitted by a mandatory legal provision. Nor may the data subject invoke this right when the decision is necessary for entering into, or the performance of, a contract between the data subject and the AISIN (TC) Europe or is based on the data subject's explicit consent. In these last two cases, the data subject does have the right to obtain human intervention from someone at AISIN (TC) Europe and he or she has the right to make his or her point of view known and to challenge the automated decision process. h. Right to withdraw consent If you have given your consent for a specific processing purpose to AISIN (TC) Europe in order to process your data, you can withdraw this consent at any time by contacting the GDPR contact point. i. Procedure for exercising rights and other provisions Data Protection Policy – AISIN (TC) EUROPE – November 2021 The data subject can exercise his/her rights by sending an e-mail or registered letter to AISIN (TC) Europe’s GDPR contact point described in article 2 of this policy. AISIN (TC) Europe may ask the data subject to identify themselves in order to ensure that the effective exercise of the rights is requested by the data subject. In principle, AISIN (TC) Europe shall respond to the request of the interested person within one month. Otherwise, AISIN (TC) Europe informs the data subject of the reasons for their delay in the follow-up of the request.
8. Revision of this policy
AISIN (TC) Europe reserves the right to adjust and review this policy when it deems necessary and to remain coherent with the legal obligations and/or recommendations of the competent supervisory authority for data protection.