Privacy Policy | AF Compressors

General Data Protection Regulation
2016/679 of April 27, 2016 (effective date : 25th May 2018)
AF COMPRESSORS GROUP (hereinafter « AF »)

Table of content

Preamble
Scope
Definitions
Data controllers (EU) and contact point for data protection
Principles applicable to the collection and processing of personal data
Rights of data subjects protected by the GDPR
Processing activities of personal data
Categories of data subjects
Categories of personal data
Legal bases of processing
The possible consequences of failure to provide such data
Categories of recipients of the personal data
Transfers of personal data to third (non-EU) countries
Subcontractors and responsibility for the processing of data
The period for wich the personal data are stored
Technical and organisational security measures
Scope of this Policy
Contact – Privacy Manager

1. Preambule

This private policy is drawn up in accordance with the European General Data Protection Regulation 2016/679, hereinafter referred to as “GDPR”.

In carrying out its B-to-B business, AF processes a variety of data, from both business and personal data.

This policy covers the processing by AF, in the European Union (hereinafter “EU”), of personal data of various categories of identifiable persons, including workers, contact persons of customers, suppliers, prospects and potential suppliers, the users of the website, …

It defines how AF handles the processing of personal data: what data are processed, for what purposes, to whom are they transferred, how long and how are they stored?

AF also intends to describe the general obligations that it undertakes to respect in order to guarantee the protection of these data and the effectiveness of the rights enshrined in the regulation and thus to ensure a relationship of trust between AF and the persons with whom it builds business relationships and maintains contacts.

The various persons within the group who may have access to personal data in the performance of their duties are bound by this personal data protection policy.

This policy is developed to provide a uniform minimum standard for the protection of personal data applicable to the entire AF group.

2. Scope

This policy concerns any processing in any form of personal data.

3. Definitions

The applicable data protection legislation is an abstract subject, which has its own language. Below are some definitions that will help you to better understand the terminology used in this policy.

Personal Data	Any information relating to an identified or identifiable natural person, whatever his/her nationality or place of residence; an “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a date of birth, an identification number, location data, an online identifier, an e-mail address, a fingerprint, a swipe card or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
HR Data	Any personal data relating to the workers, including employees, workers, candidates (spontaneous or not), trainees, temporary workers and students of a subsidiary of the AF group;
Sensitive data	Personal data that deserve a higher level of protection because their processing can lead to significant risks, being racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning sex life or criminal convictions and offences or related security measures;
Processing	Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (for non-automated “paper” processing, the GDPR only applies if the data is in a filing system), such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, erasure or destruction;
Filing System	Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
Data subject	Natural person whom personal data are processed ;
Data controller	The legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data; this notion is autonomous and functional because it aims to assign responsibilities to person who exert a de facto influence, and is therefore based on factual rather than formal analysis;
AF / AF Group	AF Compressors Group including the holding company and its subsidiaries;
Subsidiary	Any company or legal entity consolidated and controlled by MOTEURS et FRANCOIS S.A., hereinafter the “holding company”, located at 4000 LIEGE (BELGIUM), Côte d’Or Street, 274 and registered with the Crossroads Bank for Enterprises (hereinafter “CBE”) under number 0425.662.229 or accounted for under the equity method in the financial statements;
Data processor	The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (outsourcing) and on the instructions of the latter, being a service provider (eg social secretariat, carrier, cloud provider, etc.);
AF Data processor	The company S.A. COMPRESSOR SPARE PARTS (hereinafter « CSP »), located at 4432 ALLEUR (BELGIUM), Rue du Parc, 10 (CBE : 0430.117.695), providing the AF Group with an international after-sales service, and the company SPRL A.C.R.J. located at 4432 ALLEUR (BELGIUM), Rue du Parc, 10 (CBE:0859.702.684) providing the AF Group with an international technical support and upgrades dept., and the agents (natural or legal persons; sales representatives, distributors and / or service providers) related to the core business of the Group;
ERP	“Enterprise Resource Planning”, also called Integrated Management Software (PGI), is a suite of integrated applications whose purpose is to coordinate core business processes across the enterprise (so-called vertical activities such as production, supply or rather horizontal activities such as marketing, sales forces, management of human resources, accounting and financial management, etc.) around the same information system;
Data exporter	Any subsidiary located in Europe processing personal data being further transferred or made available by a subsidiary outside of Europe;
Data importer	Any subsidiary located outside of Europe processing personal data, such personal data being transferred or made available by a subsidiary located in Europe;
DPA	Data Protection Authority which is the successor of the Commission for the protection of privacy (CPP) as Supervisory Authority pursuant to the GDPR – Belgian Supervisory Authority (www.dataprotectionauthority.be).

4. Data controllers (EU) and contact point for data protection

4.1. The Data controllers consist of the AF Group subsidiaries located in the EU that will be responsible for their compliance with this policy, namely:

S.A. ATELIERS FRANCOIS, located at 4000 LIEGE, Rue Côte d’Or, 274 (CBE : 0403.953.332)
S.A. AF INTERNATIONAL, located at L-9991 WEISWAMPACH, Gruuss Strooss 25 (RC B97177)
S.A. AF BELGIUM, located at à 1420 BRAINE-L’ALLEUD, Chaussée de Tubize 485 F (CBE 0420.052.857)
S.A. TRADEWARE, located at 1435 MONT-SAINT-GUIBERT, Rue du Fond Cattelain, 2 (CBE: 0447.647.179)
SARL ATELIERS FRANCOIS FRANCE, located at 13008 MARSEILLE (France), Rue du Rouet, 69 (RCS 421.296.039 – SIRET 421 296 039 00017)
AF POLSKA sp ZOO G, sise à 41800 ZABRZE (Pologne), Ul. Jana Galla, 29 (NIP 6511672695)
GmbH AF COMPRESSORS DEUTSCHLAND, located at 52064 Aachen (Germany), Leonhardstraße, 27 (TVA : DE323439588)

Each AF subsidiary is deemed to be data controller of its HR Data.

For non-HR Data, the holding company acting as « business Owner » and / or at least as manager of the AF Group ERP system, can be considered as Controller (except for AF POLSKA since it does not have access to ERP) and will therefore maintain the records of processing activities within the AF Group for purposes other than human resources management, including data processed by AF data processors established within the EU.

4.2. As the core business of AF does not consist of processing operations that require regular and systematic monitoring of data subjects on a large scale and do not involve large-scale processing of sensitive data, the appointment of a Data Protection Officer (DPO) is not required. The AF group did not designate a DPO.

However, AF has entrusted the head of its legal department to ensure the implementation of data protection regulation and of this policy, with a mission of information and awareness of those involved in the data processing. This person will act as a point of contact with the DPA and the data subjects if necessary. She can be reached by e-mail (privacy@afcompressors.com).

5. Principles applicable to the collection and procession of personal data

The GDPR requires that personal data be processed in accordance with the following basic principles:

5.1. Lawfullness of processing

Each processing must be based on one of the legal bases listed in the GDPR. In principle, personal data can only be processed if:

the data subject gives his/her consent; he/she signifies agreement, by a statement or by a clear affirmative action, to the processing of personal data relating to him or her; his/her consent must be free, specific, informed (the data subject must know who will use what personal data and for what purpose), unambiguous, demonstrable and shall be as easy to withdraw as it has been given;
they are processed as part of the conclusion or performance of a contract, which includes the implementation of pre-contractual measures taken in response to the data subject’s request;
a legal obligation so requires; or if
the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (for example: sharing of data within the AF group for the purpose of performing a contract), unless the interests or The fundamental rights and freedoms of the data subject shall not prevail.

There is however a ban in principle of the processing of sensitive data subject to the exceptions exhaustively provided for by the GDPR (explicit consent, necessary processing for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law; necessary processing for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee; personal data which are manifestly made public by the data subject; necessary processing to protect the vital interests of the data subject; …).

The same applies to the processing of personal data relating to criminal convictions and offenses; it shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

5.2. Purpose limitation

The purpose principle is a fundamental basis of the GDPR. AF only processes personal data for purposes that have been explicitly defined beforehand (see point 7 below).

However, there are three possibilities if AF intends to process personal data for another purpose than that for which the personal data have been initially collected:

Separate consent: AF may request the consent of the data subject to process the personal data for this new purpose. This consent will constitute the (new) legal basis of the processing for this new purpose;
Legal obligation : the further processing of personal data is the result of a legal obligation;
Compatibility : AF shall ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected. If this is the case, the processing is based on the legal basis that allowed it to obtain and process the data initially.

5.3. Transparency

As data controller, AF intends to conduct a proactive communication so that data subjects know who is processing what personal data, for what purposes and whom they should be consulting in order to obtain more information (see points 6.1. and 18). This policy is meant to be clear, understandable and easily accessible. It is shared on the group’s websites (https://www.afcompressors.com and http://www.af-belgium.be ) and a copy will be made available on request in paper or electronic format.

5.4. Data minimisation – « Less is more »

Collecting and processing personal data is limited to what is relevant and necessary in relation to the purposes for which they are processed.

5.5. Accuracy

The personal data should be accurate and kept up-to-date. As soon as AF becomes aware of the erroneous or outdated nature of the personal data it processes, it updates, rectifies or erasures them. The data subject also has the right to correct his/her personal data.

5.6. Storage limitation

Personal data are kept for no longer than is necessary for the purposes for which they are processed, according to the legal retention periods.

5.7. Integrity & Confidentiality

AF uses appropriate technical or organisational measures to ensure security and confidentiality of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

These measures apply to physical access to personal data, access to such data by computers, servers, networks or other computer hardware, software applications and databases. In addition to technical and organisational measures, workers who, in the performance of their duties, have access to personal data, are made aware of the importance of the protection of personal data and are required to comply with different obligations to guarantee their confidentiality and integrity.

AF sets up access rights so that workers only have access to the data they need in the performance of their duties. Workers who have access to personal data are bound by a confidentiality clause as part of their employment contract.

AF ensures that the companies in the group and third parties with which it contracts and who receive personal data from the organisation apply the data protection legislation.

5.8. Accountability

AF intends to ensure compliance of its entities with the GDPR. It ensures that audits are carried out to assure this, to inform its management and its workers, to raise awareness and train the personnel involved in the processing, to keep the ad hoc records of processing activities, to implement procedures to respect the processing of the data in question and to deal with any complaints from the data subjects.

6. Rights of data subjects protected by the GDPR

The GDPR provide that data subjects have the following rights : the right of information, the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object, the right to data portability and the right not to be subject to a decision based solely on automated processing.

The data subjects exercise these rights vis-à-vis the data controller.

Through this policy, AF is already trying to provide as much information as possible to the data subjects in order to be more transparent about the processing of personal data.

AF also understands the importance of the rights it undertakes to respect, which are described in more detail later in this policy, so that data subjects can continue to exercise sufficient control over the processing of their personal data.

6.1. The right of information / the obligation to inform

Each data subject is entitled to certain information when AF processes his/her data.

1/ What information?

the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
the identity and the contact details of the controller;
the recipients or categories of recipients of the personal data, if any;
in the case of transfers outside the EU, reference to the existence of an adequacy decision by the Commission or to appropriate safeguards;
explanations about the legitimate interests pursued by the controller where the processing is based on this legal basis;
the categories of data processed;
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
the right to lodge a complaint with a supervisory authority;
where the processing is based on the consent, the existence of the right to withdraw it at any time;
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
the source of the data (in case of indirect collection);
if it does exists, the existence of automated decision-making, which is not the case at all in the AF group.

2/ When should the information be provided?

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the above-mentioned information.

It shall not apply where and insofar as the data subject already has the information.

Where the controller intends to make any subsequent changes to the process, the controller shall beforehand provide the data subject with information in order to give him/her a reasonable period of time to assess their impact and exercise his/her rights.

3/ How should the information be communicated?

The above information are communicated within the framework of this policy in order to find a balance between concision and precision and are structured so as to be easily readable.

6.2. Right of access

The right of access allows the data subject to control the lawfulness of each processing activity. It includes three levels:

data subject shall have the right to obtain from AF confirmation as to whether or not personal data concerning him or her are being processed;
where that is the case, he/she shall have access to the personal data and the above-mentioned information (cf. point 6.1.1/) ;
AF shall provide a free copy of the personal data undergoing processing (in a commonly used electronic form or in a hard copy) with, if the data subject request it, an explanatory note on the processing.

6.3. Right to rectification

The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If AF has transmitted this personal data to third parties, it must inform them of the rectification that has been made.

6.4. Right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from AF the erasure of his/her personal data for which there is no longer any reason to process them.

The right of erasure is however not absolute. AF shall have the obligation to erase personal data where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the personal data have been unlawfully processed by AF;
the personal data have to be erased for compliance with a legal obligation to which AF is subject;
the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
after successfully exercising the right to object;
(…).

AF may also refuse to erase personal data where the processing is necessary in particular for the establishment, exercise or defense of a right in court or compliance with a legal obligation to which it is subject.

6.5. Right to restriction of processing

In certain circumstances, the data subject shall have the right to obtain from the controller restriction of processing.

The limitation “freezes” the data processing. In such a case, AF may still only retain the personal data but should cease all other processing activities.

This will be the case when:

the accuracy of the personal data is contested by the data subject, for a period enabling AF to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
AF no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
the data subject has objected to processing ; the restriction applies pending the verification whether the legitimate grounds of AF override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or to take legal action.

6.6. Right to object

Each data subject shall have the right to object, “on grounds relating to his or her particular situation”, at any time to processing of personal data concerning him or her.

The right to object can only be exercised if the legal basis of the treatment is “the legitimate interests”. In other cases, the data subject cannot object because there are alternatives for the other legal bases to achieve the same purpose: in case of consent, the data subject may withdraw it; data subject cannot for that matter object to the processing imposed by law.

The exercise of the right to object would force AF to carry out a balancing of interests. It shall no longer process the personal data unless it could demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. AF will then have to document and communicate these reasons to the data subject.

6.7. Right to data portability

This allows the data subject to obtain his/her personal data and to reuse them for other services. The data subject can move his/her data from one IT environment to another.

However, the right to portability of data can only be exercised when three conditions are fulfilled simultaneously:

the processing is based on consent or on a contract;
the processing is carried out by automated means (so no paper documents) ; and
the data subject himself/herself provides the data [this means that this right relates only to the personal data which the data subject has itself consciously provided (eg during a data recording, encoding by himself/herself of his/her name, address, e-mail, etc.) or that the company observes on the basis of the behavior of the data subject (eg connected accessories)].

The data subject shall therefore have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

6.8. Right not to be subject to a decision based solely on automated processing

A data subject shall have the right not to be subject to a decision based solely on automated processing (without human intervention), which produces legal effects concerning him or her or similarly significantly affects him or her, system used in particular in “profiling”.

6.9. Modalities for the exercise of the rights of the data subject

The data subject can exercise their rights by sending an e-mail to the head of AF’s legal department (privacy@afcompressors.com) or by accessing the online request process and clicking here. AF may ask the latter to identify themselves in order to ensure that the effective exercise of the rights is requested by the data subject himself/herself.

The controller shall provide information on action taken on a request to the data subject within one month of receipt of the request. Failing that, AF shall inform the data subject of the reasons for not taking action or for the delay in following up the request.

AF shall take appropriate measures to provide any information to the recipients of the personal data of the data subject that the data subject is exercising the right to rectify, erase or restrict the processing.

The data subject has also the possibility of lodging a complaint with DPA (www.dataprotectionauthority.be).

7. Processing activities of personal data

AF manufactures and markets in B to B itself or through specialized subsidiaries a wide range of oil-free piston air compressors, of its own design and following its own know-how, under its trademark AF, with accessories and spare parts, directly to users worldwide (PET and OPC) or manufacturers of PET bottling lines, to turn-key project companies delivering such PET bottling lines or to worldwide established companies of beverage sector.

It also distributes, through its subsidiary AF BELGIUM, vane, screw or piston compressors that cover all compressed air requirements, from small compressor for garage to large pharmaceutical or petrochemical plants, as well as solutions for breathable air or nitrogen.

AF itself or through AF specialized subsidiaries also offers and implement after-sales services (maintenance and repairs) to these customers.

AF therefore acts as a data controller for each of its activities involving the processing of personal data, from the collection of its customer data to the monitoring of the commercial relationship.

AF therefore only processes personal data for the following purposes:

1/ Human Resources (each subsidiary being considered responsible for the processing of related data):

Administration of wages and other remuneration in connection with the employment contract: application of social legislation, exchanges with tax and social security authorities and distraining creditors, …;
Personnel management: planning and organisation of work, corporate travel management (including obtaining VISA), monitor workforce movements, training and career planning programs, recording hours worked, registration administration of leaves and absences; temporary employees management, …;
Control of the personnel: control of the use of the means of communication, control of the working time and the professional activity in the workplace, control of the services, …;
Recruitment : management of (spontaneous) applications and the recruiting cycle, …;

2/ Sales department (PET and OPC departments) and after-sales service: managing customer processes such as contact management, sales and marketing management, including the pre-contractual phase, i.e. the management of orders and requests for services, deliveries, offers and invoices;

3/ Purchasing department: supplier management, prospection of potential suppliers, evaluation of suppliers;

4/ Logistics: carrier management and customs export and import procedures;

5/ Direct marketing: personalized marketing with regard to the existing customers (proposal of upgrades in particular) and approaching commercial prospects in B to B (departments PET and OPC);

6/ Accounting: treatment of financial aspects of activities;

7/ Security & access control: control of access to the building, security, visitor register, surveillance cameras, …;

8/ Administration of shareholders: administration, payment of dividend and other benefits related to status;

9/ Management of subsidiaries and agents: administration, management of intragroup communications;

10/ IT / Communication (including website management): management and control of the means of communication; IT suppliers management; implementation of technical protection systems to ensure data security and confidentiality.

8. Categories of data subjects

This policy covers the processing by AF of personal data of various categories of directly identifiable persons, including contract workers and (spontaneous) applicants, contact persons (natural persons) referenced for customers, suppliers, prospects and potential suppliers; the users of the website; on-site visitors; shareholders, directors, officers, managers of subsidiaries and agents.

9. Categories of personal data

1.1./ For workers: fact sheet completed by each worker including last name, first name, copy of identity card and passport, address, age, sex, private phone number, private e-mail address, bank account number, national identification number / social security number, marital status, spousal status, number of dependents, in addition to remuneration (salary components, level, payment and salary evolution), contract, attendance and absences (possible medical certificates) / leave, means provided by the employer (company car, laptop, mobile phone), data concerning the use of these means and control of e-mails and the use of the internet, employee benefit assessments and feedback, curricula vitae and other data required with regard to AF’s Known Consignor status, in addition to all other legal, regulatory and contractual aspects of a personnel administration which are, for example connected with the industrial accident insurance, the occupational medicine, the medical supervision of work incapacity; vaccination card; cameras intended to ensure the safety and control of the production process and machinery and the protection of the assets of the enterprise; contact information of individuals (household members or others) whom the employer can contact in case of emergencies;

1.2./ For spontaneous candidates and profiles included on a reserve for recruitment: the curricula vitae and cover letters containing the data communicated on the initiative of the candidates and following their own presentation;

2./ For customers, suppliers, prospects and potential suppliers and users of the website: name, first name, professional phone number (mobile and / or fixed-line), function within the company, postal address and / or e-mail address of natural persons of contact within these companies collected from the data subjects themselves via:

customer / supplier registration forms ;
business cards handed to AF especially at trade fairs;
“quotation forms” completed on AF Group’s websites;
other direct interactions with you: exchanges by phone, mail, email or other.

3./ For visitors: last name, first name, the undertaking of which he/she is a part, date of visit, person visited, time of visit (time of entry and time of exit) and vehicle as written by the visitor himself/herself on the register of visitors at the entrance of buildings of different entities; surveillance cameras;

4./ For shareholders, directors, directors and officers: surname, first name, copy of identity card, address, phone number, bank account number, national identification number;

5./ For managers of subsidiaries and agents: last name, first name, professional phone number (mobile and / or fixed-line) and e-mail address of the natural persons of contact.

10. Legal bases of processings

1./ For workers and candidates :

Categories of data	Legal basis	Reasons for processing
Curriculum vitae	At the data subject’s request, implementation of pre-contractual measures Consent if reserve for recruitement Legal obligation as Known Consignor	check if the candidate is suitable placement on a recruitment reserve compliance with European Regulations 300/2008 and 185/2010
Identification data	Performance of an employment contract and legal obligation	Ensure the execution of the employment contract and the respect of tax and social legal obligations; insurance management (including group insurance)
Financial data	Performance of an employment contract	Process payroll and expense reimbursement; Control the salary policy Legal obligation
Verification of working time and encoding of absences and leaves	Legal obligation, performance of an employment contract, legitimate interests of the Group	Legal obligation, ensure the payroll and the operations of the Group, control the hours worked
Access control by badge and security identification	legitimate interests Legal obligation as Known Consignor	Securing access to the building and limiting access according to the areas identification of persons having access to areas where shipments are prepared and stored compliance with European Regulations 300/2008 and 185/2010
Assessment or finding of a breach	Performance of contract and legitimate interests of the Group and the data subject	To ensure the operations of the Group, to control the work and the respect of the work procedures, to intervene in time in case of failure from the data subject, to contribute to the personal and professional development of the data subject, …
Data concerning the use of means made available by the employer (company car, laptop, mobile phone)	Performance of contract and legitimate interests of the Group	Ensure the safety of workers, protect vehicles and their load, optimize business travel, monitor, control work in the absence of other means
Video surveillance	Performance of contract and legitimate interests of the Group (CCT n° 68)	Guarantee the safety and health of the data subject, protect company property, control the production process
Control of e-mails and internet usage	Performance of contract and legitimate interests of the Group	Prevent acts that are prohibited or defamatory, contrary to morality or that may affect the dignity of others; Protect commercial, economic and financial interests of a confidential nature and fight against fraudulent practices; Guarantee the security and / or the proper functioning of IT networks (including controlling costs) and physically protect the company’s facilities; Monitor compliance with rules related to the use of online technologies
Health	Necessary to fulfill obligations related to labor law or social security	Treat payroll, organise work and ensure the well-being of workers Legal obligation
Size and shoe size	Performance of contract	Supply of adapted work clothes
Data requested by embassies	Performance of contract Legitimate interests	organisation of work and travel (including obtaining VISA for business trips abroad)
Contact details of a person from the family circle of the data subject	protect the vital interests of the data subject	In case of emergency (e.g. accident at work or medical emergency)

2./ For customers, suppliers, prospects and potential suppliers and users of the website :

Categories of data	Legal basis	Reasons for processing
Contact details of a reference natural person	Performance of a B to B contract (contract management, delivery of the products and services, organisation of transport, provision of support/assistance, invoicing, relationship management, monitoring of the service provided,…) Legitimate interests	to ensure the proper performance of the contract ; to have at AF’s disposal the contact details of the resource person within the client or supplier company ; to insure technical support and maintenance ; to promote AF’s own services or products, including upgrades and correctives, linked with the initial contract to maintain contact with the customer or the supplier
Business cards or list of email addresses of contact natural persons of prospects B to B	Legitimate interests consent	direct hand-over by the data subject of his/her own business card data collection on the website of the target company prospecting new customers B to B prospecting and evaluation of suppliers in B to B possibility of “opt-out” if the data subject informs AF that he/she no longer wants AF to use his/her data to communicate with him/her in the future exchange with subsidiaries and agents according to the geographical area

3./ For visitors :

Categories of data	Legal basis	Reasons for processing
Contact details of visitors + visit time and person visited	Legitimate interests	ensure the safety of each site / protection of premises, production tools, products, goods and workers Accurately knowing visitor numbers inside Creation of identification badges Monitoring of entrances and exits
Video surveillance (closed place not accessible to the public and intended solely for the use of regular workers or occasional visitors)	Legitimate interests Belgian law of March 21st, 2007 regulating the installation and the use of surveillance cameras (modified by a law of March 21st, 2018)	monitor and control the premises prevent or detect offenses against the property of the enterprise

4./ For shareholders, directors, directors and officers:

Categories of data	Legal basis	Reasons for processing
Contact details	Legal obligation Performance of contract	execution of articles of incorporation / shareholders agreement Directive (EU) 2015/849 and the Belgian Anti-Money Laundering Act of 18 September 2017

5./ For managers of subsidiaries and agents:

Categories of data	Legal basis	Reasons for processing
Contact details of a reference natural person	performance of contract	to ensure the proper performance of cooperation agreements between related companies or agents contact information of the resource person within the partner company (legal person)

11. The possible consequences of failure to provides such data

1./ For workers and candidates : rejection of the application, no salary treatment, negative evaluation and / or warning and / or dismissal letter, non-compliance with legal obligations, impossibility of access to the building / to certain areas, …;

2./ For customers, suppliers, prospects and potential suppliers and users of the website :

difficulties and / or risks of error in the performance of the contract or even impossibility of performance of the contract attributable to the contractor of AF, exchanges with the wrong interlocutors which may be source of errors attributable to the contractor of AF, lack of information about the evolutions of the products, loss of time, loss of opportunity to conclude a contract, impossibility of answering information requests, …

3./ For visitors : denied access to the visited site ;

4./ For shareholders, directors, directors and officers : no notice and no dividend payment for some; non-appointment, non-renewal of management mandate or non-delegation of authority for others;

5./ For managers of subsidiaries and agents : difficulties preventing the normal performance of contract or even non-performance of the contract attributable to the AF partner, exchanges with the wrong interlocutors who may be sources of errors, loss of time or even contract for AF, lack of information,…

12. Categories of recipients of the personal data

The HR data processed by each of the subsidiaries by CSP and by ACRJ, in their capacity as data controller for these data, are transferred to AF INTERNATIONAL SA which serves as an intermediary (and thus a subcontractor) between them and the social secretariats as well as tax and social administrations.

If a person applies for a job or asks for information about a job vacancy – whether that job or position has been advertised on AF website or in another context – he/she may be required to provide personal data, including a curriculum vitae, that may be used within the AF Group, including shared with AF Subcontractors, to review the application or respond to the information request.

The professional contact details of workers, subsidiaries managers, agents and freelancers (only last name, first name, email address and telephone number of the key resource persons) can be communicated within the AF Group or (in particular on the Group’s website) to third parties (customers, prospects, agents, subsidiaries, suppliers, …) because these people hold a position which justifies connections among them in order to allow the AF Group to contract or perform a contract, in the best economic interests of the company and therefore indirectly in the interest of the data subject, this communication falling within the framework of the simple execution of the contract which binds the data subject to the company.

Data concerning customers, suppliers and managers of subsidiaries and agents are collected via the AF Group ERP system, accessible within the various Group subsidiaries located in the EU (except from AF Polska), CSP and ACRJ, in the form of fact sheets.

The data concerning prospects, potential suppliers and users of the website are collected by the heads of departments within the subsidiaries and are encoded and therefore stored in the ERP only in the context of a pre-contractual phase or the performance of a contract.

AF Polska and TRADEWARE have their own management software.

Shareholder data are only processed by company administrators / managing directors of the Holding and subsidiaries.

As for the visitors data, they are only collected by the AF subsidiary or subcontractor whose access to the site has been authorized to the data subject.

13. Transfers of personal data to third (non-EU) countries

AF’s international presence involves certain data transfers between different subsidiaries, as well as third parties located in the countries where the group operates.

For the performance of its contracts, AF (Data Exporter) makes available to some of its data-importing subsidiaries (AF South Africa, AF Shanghai, François Compressors India and AF Compressors do Brazil) secure and personalized access to its data ERP system, and this to a limited and defined number of people.

Other AF subsidiaries and agents within the EU and outside the EU (listed here https://www.afcompressors.com/our-presence/ ) may, for the purposes of performing defined contracts, have access to details of resource natural persons within B to B customers or suppliers.

These accesses / transfers are only authorized if the AF subsidiaries and agents, acting as AF subcontractors, provides sufficient appropriate safeguards in order to ensure a similar level of data protection.

When AF transfers personal data outside the EU to a country not listed on the European Commission list as having an adequate level of data protection, the transfers are operated and supervised by contractual provisions meeting EU requirements, including the signing of a contract in accordance with standard contractual clauses adopted by the European Commission. The standard clauses of the European Commission are available here (link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_fr ).

However, AF remains the data controller, ensures the security of the personal data referred to in the present policy and ensures that data subjects can exercise their rights, even if they are processed by persons in a country governed by different laws regarding the protection of privacy.

14. Subcontractors and responsibility for the processing of data

AF may be required to share information with other entities, eg business partners (including AF Subcontractors referred to in point 3), financial institutions, transport companies, postal services or administrations such as customs, public bodies such as the NSSO (National Social Security Office), the FPS (Federal Public Service) Employment, Labour inspectorate, the FPS Finance, social secretariats, insurance companies (including group insurance), leasing companies, cloud providers, the manager and the hosting provider of the website, embassies, … who play a role of subcontractor or separate controller in the processing of data collected by AF.

When the receiving entities process personal data for AF’s account and under its guidelines, they are considered as subcontractors.

They have a responsibility to comply with the obligations which they are required to adhere to as subcontractors. AF therefore asks them to provide details of the measures they have taken to comply with the GDPR and to ensure that their contracts are adjusted in accordance with the requirements of the Regulations and this policy.

For the performance of its contracts, AF making available to its subcontractor CSP and ACRJ a secure and personalized access to its ERP system, the latter also agrees to comply with this policy their endorses.

When there is an exchange of data between AF and a receiving entity, without sharing of purposes or means of the processing, it should be considered solely as a transfer of data between separate data controllers.

This is particularly the case for exchanges with the tax and social authorities and insurance companies.

15. The period for which the personal data are stored

AF retains the personal data covered by this policy as long as necessary for the purposes for which they are processed, in particular with regard to the legal obligations incumbent upon it but also to the lifetime of compressors that have been sold to referenced customers (need to be able to ensure the maintenance and repairs in view of the history of each compressor, to be able to solicit the suppliers of the parts of the different compressors still in activity, to call the relevant contractors who have already worked on a given compressor, …).

16. Technical and organisational security measures

AF implemented appropriate technical and organisational measures to ensure the protection of personal data against unauthorized (or unlawful) access or processing, accidental loss or damage.

AF therefore takes the following measures for this purpose: awareness-raising and training of staff involved in processing operations on the importance of the GDPR and its content (and setting up an IT Policy that each AF subsidiary and subcontractor undertakes to follow), designation of an IT security officer, periodic audits of data security, use of up-to-date anti-virus & anti-ransomware software, regular back-up, use of firewall, setting-up an authorized single access system to personal data, data encryption, monitoring system, servers and networks, disaster recovery plan.

AF Group provides a backup cloud service to its international subsidiaries for the exclusive purpose of controlling data security with exclusive access to the group’s IT service.

17. Scope of this Policy

This Privacy Policy is applicable since May 25, 2018, date of entry into force of the GDPR.

It can be consulted via the AF Group websites:

www.afcompressors.com

www.af-belgium.be

A copy may be made available on request in paper form or electronically.

AF may, as appropriate, modify and update this policy to ensure compliance with the reality of its activities.

This policy may also be updated to reflect legal, technical or business developments of the Group.

If required, the updated version will be available on our website.

You can find out when this policy was updated by checking the “Last Updated Date” shown below.

18. Contact – Privacy Manager

If you have questions or requests regarding the personal data protection policy or the processing of your data by AF, you can send them by e-mail (privacy@afcompressors.com) or write at the address below:

AF COMPRESSORS
c/o Privacy Manager
Rue Côte d’Or, 274
4000 LIEGE
BELGIUM

Last update : 17.05.2019