General Personal Data Protection Policy
STEF Group (hereinafter “STEF”), which specialises in the transport and logistics of temperature-controlled products and the maritime transport of passengers and cargo, is aware of the risks that the collection and use of personal data may entail for persons’ privacy and, therefore, has made personal data protection and respect for privacy a major concern.
The General Personal Data Protection Policy thus sets out the commitments made by STEF and its Subsidiaries, as well as by all its employees, to enable the responsible collection and use of Personal Data strictly for the purposes of the Group’s activities.
Principles and rules applicable to Personal Data protection
STEF and its Subsidiaries collect and process Personal Data in compliance with applicable European laws and regulations, in particular, the General Data Protection Regulation (GDPR) and the various national laws and regulations of the countries where the Group’s Subsidiaries are located.
- Personal Data:
Any information that directly or indirectly identifies an individual.
- Data Controller:
A person, department or organisation that determines the purposes and means of data processing.
- Processor:
A person, department or organisation that processes Personal Data on behalf of the Data Controller (IT service provider, transport subcontractor, logistics subcontractor, communication agency, etc.).
- Subsidiaries:
Companies within the consolidation scope of STEF SA, both in France and in the countries where the Group operates, in particular Spain, Italy, Portugal, Switzerland, Belgium and the Netherlands.
- Processing:
Any operation or set of operations applied to Personal Data, such as data collection, recording, organisation, structuring, storage, adaptation, modification, extraction, consultation, use and transmission.
- Data Subjects:
Individuals whose Personal Data is processed.
1. Data Controller
The personal Data Controller is STEF SA or its Subsidiaries as defined above.
It may be contacted as follows:
- by using the contact form available on the STEF.com website or on the STEF website of the relevant country, under the “Contact Us” section, by clicking on the topic “Exercising my rights over my personal data”.
- by post, at the following address:
93 boulevard Malesherbes
The Data Controller undertakes to protect Personal Data in accordance with this General Personal Data Protection Policy.
In the event the integrity, confidentiality or security of Data Subjects’ Personal Data is compromised, the Data Controller may inform them by any means, if necessary, and in accordance with the laws in force.
2. Purpose of processing operations
Personal Data processed by STEF is collected and used for specific objectives or purposes, of which the data subjects are informed.
Each processing operation has its own purposes.
The sole goal of these processing operations is to enable STEF to provide and optimise transport and logistics services for temperature-controlled products, the maritime transport of persons and cargo, and the production of IT products and services ancillary to its business activities.
In addition, these processing operations meet the needs of recruitment, business communication, information, delivery, merchandise traceability, service quality monitoring, personnel management, internal management of activities and services, etc.
The possible purposes include the following:
- Use of our websites and computer tools;
- Providing requested information or services (in particular, sending newsletters, sales offers, studies, e-mailing campaigns, etc.);
- Collecting information that enables us to improve our products and services;
- Communication about various STEF-related events, including updating services, products and customer support;
- Communicating on social networks strictly for the needs of the Group’s activities;
- Sending invoices and documentation related to the performance of our business, regardless of the medium (written, digital, electronic, etc.);
- Recruitment management, administrative management of staff (management of working hours, schedules, travel, leave, absences, etc.), preparation of reports and compliance with local legal and regulatory obligations, in particular with regard to social contributions, database management, payroll management, management of social protection regimes and supplementary pension schemes, if any, training and career management, professional evaluations, verification of employee activities and compliance with internal rules applicable within the company, conduct of internal investigations and disciplinary procedures, management of the employment contract termination procedure, telecommunications management, management of the use of service or company vehicles, and management of the company's internal directory and the company’s intranet;
- Collecting, communicating, exchanging and forwarding all commercial, financial, contractual, legal, corporate and regulatory documentation;
- Conducting marketing studies exclusively for internal use;
- Securing all of our sites and vehicles, tools and technical operating resources in accordance with the safety and security rules required by law or regulation;
- Managing, controlling and optimising the transport and logistics services provided by the group and its subsidiaries;
- Any other uses required to conduct our activities as described above.
Personal Data collected is only used for the purposes listed above and may not be used for purposes other than those determined for each processing operation.
3. Lawfulness of processing (legal grounds)
STEF’s processing of Data Subjects’ Personal Data is supported by the following legal grounds:
- the performance of a contract they have entered into with STEF; or
- the performance of pre-contractual measures at their request; or
- compliance with a legal obligation; or
- the pursuit of STEF’s legitimate interests.
In the absence of one of the legal grounds indicated in section 1.3, the specific, explicit, comprehensible and informed consent of the Data Subjects is required before the processing is implemented.
The required consents are obtained and managed in accordance with the group’s consent management procedure.
5. Categories of data
The categories of Personal Data collected vary depending on each processing operation.
However, regardless of the processing carried out, STEF does not collect the following data: information about racial origin, political opinions, religious, philosophical or racial beliefs, sexual orientation or genetic data.
If one or more of the categories of data indicated above were to be processed, STEF would do so only occasionally and in strict compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 6 January 2016 (GDPR).
6. Restrictions on data collected (proportion and relevance)
Only Personal Data strictly necessary for the purposes determined is collected.
STEF endeavours to minimise and limit the data collected and to keep it up to date.
7. Retention period and deletion
The retention periods are determined on the basis of the following criteria:
- Operational requirements: the period during which the data is required to ensure complete performance of the services provided by STEF;
- Legal and regulatory requirements: the period during which STEF is required to keep the data pursuant to its legal and regulatory obligations.
Data about employees will be kept during their period of employment with the company and, thereafter, during the applicable periods of prescription.
In the absence of a specific retention period, the Personal Data collected will be kept for a limited period of time that is necessary for the purposes determined, and which may not exceed five years from the conclusion of the processing operations.
At the end of the specified retention period, the data will be deleted or anonymised.
8. Data recipients
Depending on the processing operations, Personal Data collected may be transmitted to the following recipients:
- The relevant departments of the STEF Group Subsidiaries;
- Third parties who have concluded a contract with the STEF Group and who act as Processors;
- Public or private legal and/or regulatory bodies.
With the exception of the recipients listed above, no data is transmitted without the express prior agreement of the data subjects.
9. Security and confidentiality
STEF implements data protection measures that are appropriate in light of the type of data processed and the Group’s activities.
Appropriate physical, logical and organisational security measures are taken to ensure optimal data confidentiality and, in particular, to prevent unauthorised access.
The technical security measures are covered by the IT Security Policy (ITSP).
STEF requires all Processors to furnish the guarantees necessary to provide at least the same level of security, protection and confidentiality to the personal data transmitted to it, as well as compliance with the GDPR.
In certain cases, data may be transferred to countries outside the European Union. In such cases, STEF ensures that legal tools are in place to ensure that the countries where this data will be received offer an adequate level of protection, in accordance with Articles 45 and 46 of the GDPR.
10. Rights of Data Subjects
STEF takes the necessary measures to enable Data Subjects to effectively exercise their rights over the Personal Data collected.
Summary of key rights
o Right of access and communication of data
Data Subjects have the right to access Personal Data about them.
o Right of rectification/erasure of data
The law entitles Data Subjects to request that data about them be rectified, updated or erased if it is inaccurate, erroneous, incomplete or obsolete.
o Right to object
Data Subjects may object to the use of their Personal Data but only in the following two situations:
- If the exercise of this right is based on legitimate grounds;
- If this right is exercised to prevent the use of data collected for commercial prospecting purposes.
o Right to data portability
Data Subjects may recover the Personal Data provided to the Data Controller in order to reuse it.
o The right not to be the subject of a decision based solely on automated processing
Data Subjects are entitled not to be the subject of a decision based solely on an automated process if the decision has legal effects concerning them or significantly affects them.
Procedures for exercising these rights
The STEF contact details provided in section 1.1 can be used by all persons to exercise their rights over their data.
Formal requirements for requests
- Requests made by post must be sent by registered letter with acknowledgement of receipt.
Information and details to be provided with requests
- A copy of any official document recognised by law as indisputably proving the identity of the requesting party. This proof is requested due to the Data Controller’s obligation to ensure the security and confidentiality of data processing operations.
- If possible, requests should include the login and/or e-mail address used to access the STEF IT system, the Personal Data provided, the context in which it was collected and/or the nature of the relationship between the Data Subject and STEF (employee, customer representative, etc.).
- The type of right being exercised should be selected directly in the contact form from among the proposed choices.
- To ensure data security, each request will be confirmed by an acknowledgement of receipt sent to the applicant's e-mail or postal address according to existing information. The identity of the Data Subject making the request will then be confirmed via the link provided in the return e-mail or letter.
- The Data Controller undertakes to respond to any properly submitted and documented request within a reasonable time, which may not exceed two months from receipt of the request.
- The date of receipt taken into account for purposes of calculating the above time period is the date on which the form is sent or, if the request is made by post, the date on which the registered letter with acknowledgement of receipt is delivered.
Monitoring the General Personal Data Protection Policy and practices
STEF’s General Personal Data Protection Policy is available on STEF’s various websites, in particular at www.stef.com.
In addition, concerning maritime transport of passengers and cargo, the General Personal Data Protection Policy of the subsidiary that handles this business can be viewed on the following website: www.lamerdionale.fr.
This policy is regularly updated to take into account legislative and regulatory changes in the field of personal data protection, as well as changes in the Group’s organisation and activities.
Therefore, Data Subjects are invited to regularly review this General Personal Data Protection Policy in order to keep abreast of the latest changes that may be made to it.
The processing of Personal Data collected by STEF is governed by this policy, as supplemented by the IT Security Policy (ITSP), the privacy policies specific to each Group website, and all internal procedures and rules relating to the principles discussed in this document.
The “secure by design” principle, i.e. the principle of taking into account Personal Data security from the design stage, and the “secure by default” principle, i.e. the principle of limiting the amount of Personal Data, are incorporated into the development and deployment procedures for STEF's new IT systems.
Compliance audits and upgraded practices
The systems’ compliance with national and European rules on personal data management and security is regularly audited by STEF’s internal departments.
Functional improvements to the Personal Data management systems and organisation, as well as to the procedures for handling requests to exercise rights, are regularly made in accordance with ongoing legal, regulatory and technical developments in order to ensure the highest possible security, at all times, for the Personal Data collected and processed and to enable Data Subjects to effectively exercise their rights.
General Personal Data Protection Policy updated 01/12/2018