Last edited: 26 may 2018 – v1.1_23052018
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly referred to as the “GDPR” is applicable on 25 May 2018. It aims to harmonize the laws on the protection of personal data within the European Union and to strengthen the protection of natural persons with regard to the processing of their personal data, the fundamental right of every person.
An integral part of its DNA, data represents for the ALTARES – D&B group one of the main raw materials for business growth; its mission is to offer its expertise across the entire value chain of data in order to enhance the wealth of data of its customers and make it a performance engine.
ALTARES – D&B group is the exclusive partner in France, BeNeLux and Maghreb of the international network of DUN & BRADSTREET, world leader in BtoB economic information. ALTARES – D&B group provides data on a worldwide scale (on a base of more than 280 million companies in 220 countries), aggregates them with those of its customers and with multiple sources, and offers solutions tailored to the needs of its customers.
In the sense of the GDPR:
- « personal data» means any information relating to an identified or identifiable natural person (‘data subject’) directly or indirectly;
- « processing » means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
The natural or legal person processing personal data may be:
- Controller: when determining, alone or jointly with others, the purposes and means of the processing of personal data.
- Processor: when processing personal data on behalf of the controller.
The purpose of this “Personal Data Protection Policy” is to inform all concerned people about how ALTARES – D&B Group collects and uses personal data and about the means available to data subjects to control said use.
4. What aspects of the activity of ALTARES – D&B group are subject to the Regulation on the protection of personal data?
GDPR applies to:
- ALTARES – D&B Group as an employer: the protection of personal data in the management of human resources.
- ALTARES – D&B group as an economic actor: the protection of the use of the personal data of the group’s customers and suppliers.
- ALTARES – D&B group as a database publisher and as a partner of the Dun & Bradstreet network: the protection of personal data contained in ALTARES – D&B Group’s databases and, globally, in Dun & Bradstreet’s database.
5. ALTARES – D&B group as a database publisher and partner of the Dun & Bradstreet network
The data collected by ALTARES – D&B group mainly concerns companies. For the most part, they do not make it possible to directly or indirectly identify a natural person; thus, they do not fall under the category of personal data. These include, for example, legal identity, legal category – share capital, activity, date of creation, date of registration, number of employees, number of establishments, telephone, fax, payment experience, balance sheet …
Some of these data may, however, be described as “personal data” according to the GDPR, such as e-mail, capital links, first names, names and, where applicable, birth dates of statutory officers, operational managers, insolvency proceedings, legal notices, …
These BtoB data include data from public and private sources. A distinction must be made between public data, collected and disseminated by public authorities in application of laws and regulations aimed at guaranteeing the respect of public order and the securing of transactions between companies, and data from private sources relating to the professional activity of the data subjects.
Legal basis of data processing in ALTARES – D&B group databases
ALTARES – D&B group puts data at the service of the business challenges of its customers by offering “Risk Management”, “Sales & Marketing”, “Compliance” and “Data Management” solutions.
The legal basis of this processing is the legitimate interest within the meaning of the GDPR: the information processing carried out by the ALTARES – D&B group contributes to the security of commercial transactions, in that it allows companies to manage their financial risks, develop a better understanding of their customers, partners and suppliers, including for marketing purposes and to comply with the various regulatory requirements applicable to their business, such as protection against fraud, corruption and money laundering.
The collection of data by public entities meets legal obligations requiring the publicity of this information. Data subjects may therefore legitimately expect that the information will be subject to further processing. The basis of the legitimate interest implies that the prior collection of the data subject’s consent is not necessary for the processing of their personal data as long as the legitimate interest prevails over the potential infringement of the data subject’s interests or fundamental rights and freedoms. The personal data are kept for the duration of the participation of the data subjects in the company plus the duration of the legal prescriptions.
ALTARES – D&B group and Dun & BRADSTREET:
ALTARES – D&B group and DUN & BRADSTREET have signed standard contractual clauses to regulate the transmission of personal information between them.
DUN & BRADSTREET has also adhered to the Privacy Shield and has formalized its policy of personal data processing accessible on the following link: https://www.dnb.co.uk/utility-pages/privacy-policy.html
7. ALTARES – D&B group commitments for the implementation of the GDPR
- Appointment a Data Protection Officer ‘DPO’ firstname.lastname@example.org
- Evolution of the records of processing registers in the light of the new obligations, and in particular setting up of the processing registers specific to ALTARES – D&B group’s processing and controlling activities.
- Formalization of the procedures governing the processing of personal data in order to comply with the obligations relating to the transparency and documentation of processing such as, in particular, the procedure relating to the registers of processing activities, the procedure for handling letters and the processing of applications for the exercise of their rights by the data subjects, the alert and information procedure in case of a data breach.
- Training of employees concerned by personal data processing according to good practices with regard to the GDPR and deployment of a policy to describe the rules of good conducted expected from employees of companies of the ALTARES – D&B group.
- Implementation of the notion of “Privacy by Design” from product design and implementation of processing and that of “Privacy by Default”.
8. Security of personal data
ALTARES – D&B group has implemented the necessary technical and organizational measures to guarantee a level of protection adapted to the risk incurred. It manages an infrastructure designed to ensure an optimum level of security throughout the entire data processing lifecycle.
ALTARES – D&B group protects and secures personal data to prevent destruction, loss, alteration and unauthorized disclosure of personal data or unauthorized access accidentally or unlawfully.
As a result, ALTARES – D&B group has taken the relevant physical, electronic and organizational protection measures for personal data.
All the actions and commitments of ALTARES – D&B group aim to respect the GDPR’s principles such as the principles of loyalty, lawfulness, transparency, determined, explicit and legitimate purposes, minimization and accuracy of data of a specific nature. personal data and respect for the rights of data subjects regarding their personal data.
9. Use of suppliers
ALTARES – D&B group directly carries out most of the personal data processing activities necessary to provide its services; however, ALTARES – D&B group may also use suppliers to help provide these services. Each of its suppliers is subject to a rigorous selection process to ensure that it has the necessary technical expertise and is able to provide the appropriate level of security and confidentiality. A written contract concluded between ALTARES – D&B group and each service provider obviously stipulates the respective obligations with regard to the personal data, in compliance with the requirements of the GDPR.
10. Rights of the data subjects
In accordance with the applicable regulations, ALTARES – D&B group and its partners shall process any request by a data subject for access to personal data, rectification or deletion of the personal data or limitation of the processing or opposition to processing on said data.
Any data subject may also define guidelines on the fate of his personal data after his death.
These rights are exercised by email to email@example.com with presentation of a proof of identity of the person concerned.
The data subject also has the right to lodge a complaint with a supervisory authority.
This personal data protection Policy applies to entities of ALTARES – D&B group located on the territory of the European Union as well as those located outside the European Union when they are required to offer goods or services to data subjects within the territory of the European Union.
In a constant effort to improve its services and processes as well as to protect the right of data subjects in accordance with the regulations in force, ALTARES – D&B group reserves the right to update this Personal Data Protection Policy according to its needs and circumstances or if required by law; therefore, we invite you to regularly check for updates.