Personal data processing policy applicable to the processing implemented by the company TOYO TANSO France.

Preamble

The policy set out below applies to the processing of personal data carried out by the Company TOYO TANSO France (hereinafter referred to as the data controller).

The following provisions apply to all processing of personal data carried out by the data controller. It provides information on the purpose(s) of the processing carried out, the legal basis of the processing, the recipients of the data as well as their retention period, the security measures (general description), the possible existence of data transfers outside the European Union or automated decision-making, data-processing rights and freedoms and how to exercise them.

I.Legal framework - compliance with the GDPR and French law

The data controller declares that it processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the GDPR) and with French Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended).

II.Data controller

The person responsible for processing is the company TOYO TANSO France, whose contact details are given below: TOYO TANSO France S.A.

Z.A. du Buisson de la Couldre

9-10, Rue Eugène Hénaff

78190 Trappes, France

Phone: +33 1 30 66 35 35

contact@toyotansofrance.com

TOYO TANSO France has appointed a Data Protection Officer (DPD/DPO) at the CNIL. The contact details of the Data Protection Officer can be found below :

AGENCE RGPD - Data Protection Officer

22 rue de Bignoux

86000 Poitiers

III.Personal data

By personal data, we mean any information that makes it possible to identify, either directly or indirectly, a natural person within the meaning of Article 4.1 of the GDPR. TOYO TANSO France collects personal data in the context of its various activities. Personal data is collected directly from the persons concerned. These persons are informed about the purposes of the collection, the recipients of the data, their retention period and about their computer rights and freedoms.

The persons concerned by the processing implemented by the Company are in particular employees, customers, prospects, suppliers and partners.

The data collected is adequate, useful, necessary and limited to the strict minimum. All the data collected about each category of person is specified in the appropriate processing register sheets.

IV.Purposes of data collection

The personal data collected by the Company TOYO TANSO France in the context of its various activities have the following main purposes:

- To establish and manage the commercial relationship with prospects, customers, suppliers and partners.

- Drawing up and executing the employment contract

- Control the entrances and exits of the buildings

V.Legal basis of the processing carried out by TOYO TANSO France

The processing of personal data by TOYO TANSO France is based:

- Either on the consent of the person concerned for all processing that requires the prior collection of consent. Consent may be withdrawn at any time by formulating a request to the Data Controller.

- Either on the execution of a contract to which the data subject is a party or on the execution of pre-contractual measures taken at the request of the data subject.

- Or on the respect of a legal obligation in particular in terms of declarations to social organisations, invoice management and the exercise of rights under the GDPR and the Cyber law and Freedom Data Protection Act.

- Or on the pursuit of a legitimate interest, particularly in terms of access control to the building.

VI.Recipients of personal data

Personal data is first and foremost intended for TOYO TANSO France, the data controller. They are processed by the staff of the various departments concerned such as the human resources department and the sales administration department. They are processed solely for the purposes indicated above.

Personal data may be transmitted to public organisations in the context of our legal obligations; to provident, complementary health and collective savings organisations for affiliation purposes; to the employee representative committee, unless the person concerned objects; to our technical and computer subcontractors, in particular the company REFLEX-IT. Under no circumstances are they transferred to third parties for commercial purposes.

VII.Security measures

TOYO TANSO France attaches great importance to the protection of personal data. It implements physical, technical and organisational measures to protect the personal data it collects. On the physical and organisational levels, the Company has installed an anti-intrusion alarm and a video surveillance system to secure access to the building. Data in process is stored in locked cabinets and archive data is stored in a secured archive room. The data is accessible only by authorised persons within the Company. The Company makes every effort to avoid the risks of illegitimate access to data, unwanted modification of data and data disappearance. On a technical level, the Company sets up a system to control user access to the applications used for data processing. Passwords are individual and complex. Computer equipment is equipped with antivirus software and the software used is regularly updated. The Company frequently backs up the data stored on computer media. The data controller manages and distributes data access rights according to the job profile of the individuals. For legitimate reasons, the Company reserves the right not to mention all the technical security measures implemented for data protection.

VIII.Retention period

Retention periods depend on the intended purpose.

The personal data of employees are kept for the duration of the contractual relationship and for 5 years in interim archiving from the end of the contract. Data relating to payroll management are kept for 5 years from the date of payment of the payroll.

Personal data contained in the CVs of unsuccessful candidates are destroyed immediately. This data may be kept for up to 2 years after the last contact with the candidate.

Personal data collected in the context of the business relationship are kept strictly for the period necessary for the management of the business relationship and for the establishment of proof of a right or contract in accordance with the legal provisions.

IX.Rights of data subjects

In accordance with the General Regulations on the Protection of Personal Data (GDPR) which came into force on 25 May 2018 and by the LAW n° 2018-493 of 20 June 2018 relating to the protection of personal data known as LIL3 and the order n° 2018-1125 of 12 December 2018 taken in application of article 32 of the law n° 2018-493 of 20 June 2018 relating to the protection of personal data and modifying the law n° 78-17 of 6 January 1978 relating to information technology, to files and freedoms, you have a right of access, rectification, deletion, limitation, opposition as well as a right to data portability.

X. To exercise the rights

Requests can be made in different ways:

- By email by writing to dpo@agencergpd.eu

- In person at the reception of TOYO TANSO France located at 9-10, Rue Eugène Hénaff, 78190 Trappes, France.

- Via the application tool FRAGMOS by following the following link:

https://fragmos.agencergpd.eu/fr/toyo-tanso-france/request

- By postal mail by writing to TOYO TANSO France located at 9-10, Rue Eugène Hénaff, 78190 Trappes, France.

- Through an agent who will use one of the above channels to make the request.

For a request for access rights :

Specify which data or processing operations it relates to.

The data will be transmitted electronically or by post, by registered mail with acknowledgement of receipt.

The Company TOYO TANSO France may require the payment of reasonable fees based on administrative costs for any additional copies requested (article 15.3 of the GDPR).

In the event of manifestly unfounded or excessive requests, the Company TOYO TANSO France may require the payment of reasonable fees that take into account the administrative costs incurred to provide the information or refuse to comply with these requests (article 12.5 of the GDPR).

For a request for a right of rectification

If a person believes that his/her personal data is incorrect and should be corrected, he/she will make his/her request by one of the above means, attaching a copy of an identity document.

The person shall indicate precisely what data concerning him/her is inaccurate or incomplete and provide any information enabling him/her to correct or complete it (Article 15 of the GDPR).

For a request for right of erasure

The request will be made by one of the above means accompanied by a copy of an identity document.

The data subject will indicate precisely the personal data whose deletion is requested and the reasons for the request (Article 17 of the GDPR).

Please note: this right is not absolute, TOYO TANSO FRANCE may be obliged to keep data, particularly in the context of managing the commercial relationship (invoice management, litigation management) and in the context of documentation and the provision of proof relating to the exercise of your rights.

For a request to limit processing

The request will be made by one of the above means accompanied by a copy of an identity document.

The data subject will indicate precisely the personal data whose processing he or she is requesting to be limited and the reasons for the request.

Please note: this right is not absolute, TOYO TANSO France may decide to continue processing the data (article 18.3 of the GDPR). The limitation, if implemented, may result in the suspension of services provided by TOYO TANSO France. These incidences will be described in the letter acknowledging receipt of the request for limitation of processing.

For a request for a right of opposition

The request will be made by one of the above means accompanied by a copy of an identity document.

Please note: this right is not absolute. It will be necessary to indicate precisely the processing for which you object to the management of your personal data, and the reasons for the request (Article 21 of the GDPR).

For a request for the right of portability

Each person concerned may at any time make a request for data portability in order to retrieve the personal data that TOYO TANSO France has collected about them in the context of processing operations based on consent and on the basis of a contract.

To exercise this right, the request will be made by one of the above means accompanied by a copy of an identity document.

If the data subject wishes the data to be transferred to another controller in a standard format, he or she will specify this and provide the contact details of the other controller.

Updated on 1 January 2020.

Download PDF version

Política de procesamiento de datos personales