1. purpose and definitions
The Eloy Group, and the various entities making up the Group, which are also covered by this note, adopts a serious approach to the protection of personal data which it is required to process within the framework of its legal obligations, its activities and the tasks entrusted to it.
This commitment is made in accordance with the regulations relating to the protection of personal data, specifically European Regulation 2016/679 referred to as the “GDPR” in this note.
“Processing” means all operations relating to personal data enabling a natural person to be identified, such as the collection, recording, structuring, storage, modification, consultation, use or deletion of the personal data in question.
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as a “data subject”); an “identifiable natural person” is deemed to mean a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an on-line identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
2. data protection officer
The Eloy Group is responsible for certain personal data processing undertaken in the course of its activities. This only involves personal data processing where the Eloy Group itself determines the purposes and the processing methods implemented.
Consequently, when the Eloy Group acts as processor for a private partner or public authority, these parties remain responsible for data processing undertaken on their behalf by the Eloy Group. In these circumstances, the Eloy Group acts as processor (as defined by the GDPR) in processing this personal data which it is required to process for others.
The personal data processed by the Group primarily involves:
- prospects and clients of the “communication” departments,
- prospects and clients of the after-sales departments,
- prospects and clients of the commercial departments,
- clients, in the broad sense, with whom the Eloy Group comes into contact in relation to public or private procurement contracts for works or services,
- applicants for a position available at the business,
- members of staff of the business,
The prospects, clients, applicants or staff members are hereinafter generally referred to as the “Data Subject(s)”.
Any Data Subject who wishes to ask a question about his or her personal data or exercise his or her rights under the GDPR, or any other legislation applicable in relation to personal data protection, may contact the data protection officer via one of the following email addresses: [email protected], [email protected], [email protected].
4. data processing
The Eloy Group only processes personal data for the purposes of undertaking the private or public tasks entrusted to it, and to ensure compliance with its legal obligations.
5. source of the data
The personal data processed by Eloy Group is disclosed primarily by:
- the clients themselves,
- the applicants themselves,
- members of staff,
- specialist service providers,
- commercial and/or industrial partners,
- private principals,
- public authorities.
6. categories of data processed
The personal data processed by the Eloy Group is primarily the following:
- identification: surname, first name, address, national register number, telephone, email address,
- education, hobbies, confidential medical information, etc.
7. transfer of data
Processing of personal data by the Eloy Group will not involve any transfer of data to a country which is not a member of the European Economic Area.
8. time limit for storage of the data
The personal data collected by the Eloy Group is stored for no longer than the period required for the purpose of the data processing, that is between three and ten years from the initial processing depending what it relates to.
9. subcontractors and service providers
Any subcontractor or service provider who is required to process personal data at the request of the Eloy Group acts in the capacity of “processor” within the meaning of the GDPR. Such parties are required to comply strictly with the rules laid down by the GDPR and by the up-to-date version of this note at the time of the processing.
10. rights of data subjects
10.1. general provisions
The Eloy Group may only refuse to respond to requests made by Data Subjects if it is impossible to identify a Data Subject involved or the Data Subject’s request is inconsistent with the legal obligations with which the Group is required to comply.
Depending on the complexity of the matter, the Eloy Group will use its best endeavours to respond to requests made by Data Subjects no later than three calendar months after the requests are made.
If the Eloy Group is unable to provide an appropriate reply to a request made by a Data Subject, it will notify the Data Subject and inform him or her, where necessary, of the right available to him or her to file a complaint with the supervisory authority.
10.2. free and chargeable requests
Requests made by Data Subjects are processed free of charge by the Eloy Group unless they are unfounded or excessive, notably where they are repetitive in nature, in which case the Eloy Group reserves the right to require payment of reasonable costs to cover the administrative costs relating to such requests.
10.3. requests made by data subjects
Data Subjects are entitled to obtain from the Eloy Group, subject to the principles set out in point 10.1:
- confirmation as to whether personal data relating to them is being processed by the Eloy Group,
- access to that data,
- an initial copy of the personal data subject to processing, free of charge,
- rectification or erasure of all or part of the personal data, free of charge,
- exercise of their right to object to the processing of their personal data,
- the following information: purposes of the processing, potential recipients of the personal data, proposed storage period of the personal data, information relating to the source of the personal data collected.
Data Subjects have the right to require the Eloy Group to erase all or part of the personal data relating to them where:
- such data is clearly no longer of interest having regard to the purposes for which it was processed or collected,
- the Data Subject decides to withdraw his or her consent which formed the basis for the collection or processing,
- the Personal Data has been processed unlawfully.
The Eloy Group may nevertheless refuse to erase the Personal Data where the processing is necessary:
- to comply with a legal obligation,
- to enable it to exercise its legal rights,
- to ensure that the fulfilment of a task of the Eloy Group or the holding of essential statistical data is not compromised.
10.5. restriction of processing
Data Subjects may require the Eloy Group to restrict or suspend personal data processing in the following circumstances:
- where the accuracy of the personal data is disputed,
- where the personal data processing is unlawful.
Data Subjects may object at any time to their personal data being used for marketing purposes.
The Eloy Group will notify each recipient to whom it has lawfully sent personal data of any rectification or erasure of such data unless this step would require disproportionate resources or efforts.