Constellium is a global leader in innovative and high value-added aluminium products and solutions dedicated primarily to aerospace, automotive and packaging markets.
There are several Constellium entities located in the European Union.
Constellium is particularly committed to conduct its business in accordance with the privacy and the protection of personal data of individuals whether they are its own employees or external individuals such as clients, customers, partners, job applicants, providers etc.
The purpose of this Data Protection Policy (the “Policy”) is to inform you about the commitments made by Constellium to ensure that your personal data are respected in compliance with the applicable relevant laws.
This Policy may evolve according to the legal and regulatory context and the doctrine of supervisory authorities.
“Controller”: The Constellium legal entity which determines the purposes and means of the Processing of Personal Data.
“Data Subject”: Any natural person, including you, whose Personal Data are processed.
“Personal Data”: All information on an identified or identifiable natural person. A person is deemed to be identifiable if he or she can be directly or indirectly identified for example by reference to an IP number, identity number or by at least one factor specific to that person’s social, cultural, physical or economic identity.
“Processing”: Any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor”: The natural or legal person which processes Personal Data on behalf of the Constellium legal entity.
3. Applicable law
In order to provide legal certainty and transparency for economic operators, the European Union adopted the Regulation 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation or ‘GDPR’). The GDPR enters into force on 25 May 2018.
The local laws of each Member State remains relevant in the limits allowed by the GDPR.
The Policy is subject to the GDPR and the relevant local laws of the concerned Constellium legal entity.
4. Principles for processing Personal Data
Constellium commits to ensure that Personal Data are:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes;
- processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Constellium ensures that all its Processing is performed in accordance with the applicable laws.
Management is responsible for defining and structuring all processes where Personal Data can be collected, processed and/or used, that they comply with this Policy.
In particular, the following tasks are falling in the responsibility scope of the management:
- Ensuring that technical and organizational security measures are in place;
- Assuring that processes for the Personal Data collection, use and/or processing are compliant with the applicable laws and that the global and local process owners are informed upon necessary changes;
- Monitoring on a regular basis the relevant applicable laws.
Each Constellium’s employee has the duty to process the Personal Data he/she has access to in the course of its employment as strictly confidential.
Each Constellium’s employee can collect, use and/or process Personal Data pursuant to the defined process within Constellium but only in the extent as necessary to fulfil his/her duty.
- Data protection officer
Where required by law, each Constellium legal entity shall appoint a data protection officer who is in charge to ensure compliance with relevant data protection and privacy law and the provisions of this Policy.
6. How do we process Personal Data?
- In which context do we obtain Personal Data?
- By hiring people;
- By being contacted by customers, suppliers and/or other persons via our website, phone, email or any other mean;
- By prospecting new clients.
- How do we respect the transparency principle set forth in the GDPR?
Each Data Subject is informed by the Constellium legal entity which is collecting the Personal Data that his/her Personal Data are collected, used and/or processed and how his/her Personal Data are being handled by Constellium.
In particular, each Data Subject is informed (i) of which types of Personal Data will be subject to Processing; (ii) for which specific purpose(s); (iii) to whom such Personal Data might be transmitted; and (iv) how the Data Subject can exercise its rights.
- How do we use the Personal Data?
Personal Data are subject to data secrecy. Constellium apply the following rules in order to prevent any unauthorized collection, processing or use of such data by its employee:
- Employee may have access to Personal Data only as is appropriate for the type and scope of the task in question;
- Employee shall not disclose Personal Data to unauthorized people, either within the company or externally;
- Employee shall not share Personal Data informally;
- Employee shall request help from their manager or the Data protection officer (if applicable) if they are unsure about any aspect of data protection;
- Employee will receive an adequate training to help them understand their responsibilities when handling Personal Data.
- How do we respect data accuracy?
Constellium ensures that Personal Data are accurate and, where necessary, kept up to date, by applying the following rules:
- Personal Data will be held in as few places as necessary. Employee shall not create any unnecessary additional data sets;
- Employee shall take every opportunity to ensure Personal Data are updated and the management shall ensure that relevant databases and systems are checked on a regular basis;
- Personal Data shall be updated as inaccuracies are discovered.
- How do we store Personal Data?
Constellium is aware that periods for which the Personal Data are stored must be limited to a strict minimum.
To ensure safely storage, Constellium applies the following rules:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet;
- Employee shall make sure paper and printouts are not left where unauthorized people could see them;
- Personal Data printouts shall be shredded and disposed of securely when no longer required;
- Personal Data shall be protected by strong passwords that are changed regularly and never shared between employee;
- Personal Data shall only be stored on designated drives and servers, and shall only be uploaded to an approved cloud computing services;
- Servers containing Personal Data shall be sited in a secure location, away from general office space;
- Personal Data shall be backed up frequently;
- All servers and computers containing Personal Data should be protected by approved security software and a firewall.
7. Rights of Data Subjects
According to the GDPR, each Data Subject has the following rights:
- Right of access (article 15 GDPR): In certain cases, the Data Subject has the right to obtain confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the Personal Data.
- Right to rectification (article 16 GDPR): The Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning him or her.
- Right to erasure (article 17 GDPR): in certain cases, the Data Subject has the right to obtain the erasure of Personal Data concerning him or her.
- Right to restriction of processing (article 18 GDPR): in certain cases, the Data Subject has the right to obtain restriction of Processing.
- Right to data portability (article 20 GDPR): in certain cases, the Data Subject has the right to receive the Personal Data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
- Right to object (article 21 GDPR): in certain cases, the Data Subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of Personal Data concerning him or her.
In order to fulfill efficiently these requests and securely transmit the Personal Data to the Data Subject, Constellium has set up an internal process to handle Data subject requests.
A Data Subject can exercise his/her rights by sending an E-Mail to: data.protection(at)constellium.com
8. Transfer of Personal Data
As Constellium is a multinational group, Personal Data may be transferred to countries located outside the EEA. In this case, Constellium ensures that the country has an adequate level of data protection in compliance with articles 44 to 50 of GDPR.
The transfers of Personal Data within Constellium group are subject to appropriate safeguards thanks to an interaffiliate agreement which refers to the standard data protection clauses adopted by the European Commission (2004 Clauses Controller to Controller and 2010 Clauses Controller to Processor).
The transfers of Personal Data outside Constellium group are managed on a case-by-case basis. In this case, Constellium ensures that such transfers are (i) performed on the basis of an adequacy decision of the European Commission or (ii) are subject to appropriate safeguards.
- Technical and organizational security measures
Constellium has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of each Processing.
These measures are detailed in the “Global Information Security Policy” and the subsequent documents:
- Personal Data breach
In case of a data breach, Constellium has implemented an internal process in order to prevent, detect and stop Personal Data breach as well to notify the relevant supervisory authority and, if applicable, the Data Subjects, in time.