Data Protection Policy

The Regulation

The General Personal Data Protection Regulation (GDPR), on the protection of individuals with regard to the processing of personal data and on the free movement of such data, came into force on May 24, 2016 and will apply in all Member States as of May 25, 2018. This regulation replaces the current personal data protection directive and law and brings significant changes in the matter. But the objectives are essentially the same (protecting the privacy of citizens and ensuring the free movement of personal data within the European Union).

 

What specifically is personal data?

Personal data is any information, of whatever nature and whatever its medium, including sound and image, concerning an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to specific physical, physiological, mental, economic, cultural or social characteristics.

 

Purpose of the Data Protection Directive

As part of its social responsibility, Fimel, S. A. is committed to complying with data protection rights. This directive applies to the entire company and is in line with the globally accepted basic principles on data protection. The preservation of data protection forms the basis for business relationships characterized by trust and the reputation of Fimel as an attractive employer.

 

Scope and amendment of the Data Protection Directive

This Data Protection Policy applies to Fimel and its employees. The Data Protection Policy covers all processing of personal data. This directive can only be changed after it has been revised and the change approved by the Board of Directors. Any changes that are made in connection with the Data Protection Policy will be reported at a later date. The most current version of the data protection directive can be accessed from the Fimel Human Resources Department.

 

Law Validity

This Data Protection Policy contains globally accepted data protection principles, without overriding the laws of the individual countries. The existing reporting and information requirements under national data protection law must be observed. Fimel is responsible for compliance with this Data Protection Policy and the legal requirements. If there is reason to assume that legal requirements conflict with the obligations under this Data Protection Policy, you must inform the Human Resources Department of the company immediately.

 

Principles for recording personal data

  1. Fairness and lawfulness
    • In processing personal data, the personality rights of the person concerned must be preserved. Personal data must be collected and recorded fairly and lawfully.
  2. Linking
    • The processing of personal data must only serve the purposes for which it was determined before the data was collected. Subsequent changes to the purposes shall only be possible with restrictions and must be justified.
  3. Transparency
    • The employee concerned must be informed of how his/her data is processed. Personal data must be collected from each individual employee. When collecting data, the employee concerned must at least be able to recognize or be adequately informed of the following:
      • Identity of the responsible department
      • Purpose of data processing
      • Third parties or categories of third parties to whom the data may be passed on
  4. Data avoidance and data economy
    • Before personal data is processed, it should be checked whether and to what extent it is necessary in order to achieve the intended purpose of processing. Anonymized or statistical data should be used if this is possible in order to achieve the purpose or if the effort is in an appropriate relationship to the intended purpose. Personal data must not be saved for possible future purposes unless this is primarily stipulated.
  5. Deletion
    • Personal data that is no longer required after the expiration of the data retention period specified by law must be deleted. However, if there is a need to retain them due to historical significance, they must be retained for longer until they are no longer required.
  6. Accuracy of facts, currency of data
    • Personal data must be kept in a correct, complete and, if necessary, current version. Necessary steps must be taken to ensure that incorrect, incomplete or out-of-date data are deleted, corrected or updated.
  7. Confidentiality and data security
    • Personal data are subject to data secrecy. It must be treated confidentially. It must be protected by appropriate technical and organizational measures against unauthorized access, improper processing or transmission, as well as destruction, alteration or loss.

 

Admissibility of Data Processing

The collection, processing and use of personal data is permissible if one of the following factual circumstances exists. One of these factual circumstances is required if the purpose for collecting, processing and using personal data has changed from the original purpose.

  1. Data processing for the employment relationship
    • Due to the employment contract, data necessary for the conclusion, execution and termination of the employment contract can be collected. The personal data of job applicants may be processed for the initiation of an employment relationship. After a refusal, the applicant's data must be deleted, taking into account the respective legal deadlines, unless the applicant has consented to continued storage of the data for a later selection process.
    • Consent is also required for use of the data in other application processes or before forwarding to other companies. In an existing employment relationship, data processing must always be subject to the purpose of the employment contract, provided that one of the following factual circumstances of consent to data processing does not apply. If, in the initial process of the employment relationship or in the existing employment relationship, it is necessary to collect additional information about the job applicant from third parties, the respective national legal requirements must be considered. In case of doubt, the applicant's consent must be obtained. There must be legal legitimation for processing employee data that is in the employment context but does not originally serve to fulfill the employment contract. These can be legal requirements, consent of the employee or legitimate interests of the company.
  2. Data processing, due to legal permission
    • The processing of employees' personal data is also permitted if national legal regulations require, presuppose or authorize data processing. The type and extent of data processing must be necessary for the legally permissible processing and must be guided by these legal regulations. If this is possible, the interests of the employee that merit protection must be taken into consideration.
  3. Consent to Data Processing
    • Employee data processing can be carried out due to a data subject's consent. Declarations of consent must be voluntary. Involuntary consents have no effect. For reasons of proof, the declaration of consent must be obtained in writing. If circumstances, exceptionally, do not permit it, consent may be granted verbally. In all cases, the granting of consent must be properly documented. Before consent is given, the person concerned must be informed of this Policy.
  4. Data processing due to legitimate interests
    • Personal data of employees may also be processed if there is a legitimate interest of the Fimel company. Legitimate interests are generally of a legal (e.g. to assert, exercise or defend legal claims) or economic nature (e.g. for business analysis). Personal data may not be processed on the basis of a legitimate interest if, in individual cases, there is evidence that the interests of the employee worthy of protection override the interest of the processing. For each processing operation, it must be examined whether there are interests worthy of protection.
    • Control measures requiring the processing of personal data may only be taken if there is a legal obligation or a justified reason for doing so. Even if a justified reason exists, the proportionality of the control measure must be verified. The legitimate interest of the company in carrying out the control measure (e.g. compliance with legal provisions and internal company regulations) must be weighed against any interest worthy of protection that the affected employee may have in the measure not being taken, and the measure may only be carried out if it is appropriate. The legitimate interest of the company and possible interests of employees worthy of protection must be ascertained and documented prior to any measure.
  5. Processing of data worthy of special protection
    • Personal data that deserves special protection should be processed only under certain conditions. Data requiring special protection is data concerning racial or ethnic origin, political views, religious or philosophical beliefs, union membership, or the health or sexual life of the data subject. Country legislation may classify other data categories as requiring special protection, or the content of the data categories may differ. Similarly, data relating to criminal offenses may be processed only under special conditions determined by the laws of the country. The processing must be explicitly permitted or stipulated under national law. Processing may also be permitted if it is necessary for the responsible department to fulfill rights and obligations under labor law. The employee may also expressly and voluntarily consent to processing. If data processing with special protection is planned, the responsible data protection officer must be informed in advance.
  6. Automated Decisions
    • If personal data is processed automatically as part of the employment relationship and evaluated on the basis of individual personality traits (e.g. as part of personnel selection or the evaluation of skill profiles), such automated processing may not be the sole basis for decisions that have negative consequences or significant detriments for the affected employees. In order to avoid erroneous decisions, it must be guaranteed in the automated process that a natural person can carry out an assessment of the content of the matter and that this assessment is then the basis for the decision. In addition, the employee concerned must be informed of the facts and the result of an automated individual decision and must have the opportunity to express his or her opinion.
  7. Telecommunications and Internet
    • Telephone systems, e-mail addresses, intranet and internet, and internal social networks are provided by the company in the first instance to carry out its tasks. These are work equipment and company resources. They may be used in accordance with the applicable legal provisions and internal directives. In the event of authorized use for private purposes, the secrecy of telecommunications and national telecommunications legislation must be observed, insofar as these are applicable. No general monitoring of telephone and e-mail communications or intranet and internet use will be carried out, except in exceptional cases where the company's own higher values are exposed. To counter attacks on the IT structure or on some users, protective measures can be implemented at the junction points of the Fimel network that block technically harmful content or analyze attack patterns. For security reasons, the use of telephone systems, e-mails, the intranet and internet and internal social networks is logged for a limited period. Evaluations of this personal data may only be carried out if there is concrete and substantiated suspicion of a violation of legislation or Fimel corporate directives. These checks may only be processed by the industry for this purpose and in accordance with the proportionality principle. The respective national laws must also be observed, as must existing corporate regulations in this regard.

 

Transmission of personal data

A transmission of personal data to recipients outside of Fimel or recipients within the Fimel Group is governed by the conditions of permissibility of personal data processing, and the recipient of the data must undertake to use the data only for the purposes determined. If data is transmitted to a recipient outside of the Fimel Group that is located in a third country (outside the scope of this Directive), it must guarantee a level of data protection similar to that of this Data Protection Directive. This does not apply if the transmission occurs due to a legal requirement. If data is transmitted from third parties to Fimel, it must be ensured that the data can be used for the intended purpose.

 

On-demand data processing

Data processing is considered to be processing on request when a service provider is entrusted with the processing of personal data without the responsibility for the respective business process being transferred to it. In such cases, in the first instance a declaration of consent must be requested with the intended purpose of the use of the data. The requesting company bears full responsibility for the correct processing of the data. The service provider is authorized to process personal data only within the scope of the requestor's instructions. Upon request, the following specifications must be met; the requesting company must ensure that they are met.

  1. The service provider should be chosen, taking into consideration its ability to guarantee the necessary technical-organizational protection measures.
  2. The assignment of the request must be in text form. This should document the instructions for data processing and the competencies of the applicant and the service provider.
  3. Before data processing begins, the applicant must be convinced of the service provider's compliance with its obligations. A service provider can prove compliance with the requirements relating to data security, in particular by submitting a declaration of consent to the activity. Depending on the risk of data processing, if applicable, a check must be repeated regularly during the term of the contract.
  4. In the event of cross-border data processing, the respective national requirements for transferring personal data abroad must be met. In particular, personal data from the European Economic Area may only be processed in a third country if the service provider can demonstrate a level of data protection that corresponds to this Data Protection Policy. Appropriate instruments can be, for example:
    • Agreement of EU model contract clauses on order processing in third countries with the service provider and possible subcontractors.
    • Participation of the service provider in an EU-recognized certification scheme for an adequate level of data protection.
    • Recognition by the respective data protection supervisory authorities of the service provider's mandatory company regulations for creating an adequate level of data protection.

 

Employee rights

All employees have the rights set out below. Claims to exercise these rights must be handled promptly by the responsible area and must not cause the employee any prejudice.

  1. The employee may request information about which personal data about him/her is stored and from which source and for what purpose.
  2. In the case of transmissions of personal data to third parties, information must be provided on the identity of the recipient or on the categories of recipients.
  3. If personal data is incorrect or incomplete, the employee has the right to demand that it be corrected or completed.
  4. The employee has the right to object to the use of his/her personal data for advertising purposes or for opinion and market research. The data should be blocked for these purposes.
  5. The employee has the right to demand that his/her data be deleted if the legal basis for processing the data is missing or has been deleted. The same applies if the purpose of the data processing has been eliminated due to expiration of time or for other reasons. Existing archiving obligations and interests that conflict with the deletion of data that require protection must be observed.
  6. The employee has a fundamental right to object to the processing of his or her data, which must be observed if the interest to be protected overrides the interest in processing the data on account of a particular personal situation. This does not apply if a legal provision requires the processing to be carried out.

 

Processing Confidentiality

Personal data is protected by data secrecy. Employees are prohibited from collecting, processing or using data inappropriately. Any processing that an employee performs without being commissioned in the course of performing his or her duties and without being authorized to do so is unauthorized. The need-to-know principle applies: Employees may only have access to personal data if and insofar as it is necessary for the performance of the respective task. Employees are not permitted to use personal data for private or economic purposes, to pass it on to unauthorized persons or to allow access to it in any other way. Department managers must instruct employees belonging to their departments at the start of the employment relationship about the obligation to maintain data secrecy. This obligation remains valid also after the termination of the employment relationship.

 

Processing security

Personal data must be protected at all times against unauthorized access, improper processing or disclosure, as well as loss, falsification or destruction. This applies regardless of whether data processing is performed electronically or on paper. Prior to the introduction of new data processing systems, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures should be guided by technological progress, the risks involved in processing, and the need to protect the data (as determined by the information classification process). Technical and organizational measures for the protection of personal data are part of Fimel's information security management and must be continuously adapted to technological developments and organizational changes.

 

Data Protection Control

Compliance with applicable data protection directives and laws is checked regularly by means of audits and other controls. The coordinators responsible for data protection issues and other areas of the company are responsible for carrying these out. As part of the reporting obligations, the Fimel Management must be informed of the most important results. On request, the results of data protection controls can be made available to the tax authorities.

 

Data Security Incidents

Every employee must immediately report to his or her superior any violations of this Data Protection Policy or other provisions relating to personal data protection (data security incidents). The supervisor in question is obligated to immediately report data security incidents to the data protection coordinator. In cases of improper transmission of personal data to third parties, improper access of third parties to personal data, or loss of personal data, reports must be made within the company immediately so that the legal obligations to report data security incidents can be met.

 

Liabilities and Sanctions

The management and those responsible for the Fimel company are responsible for data processing within their area of responsibility. They are therefore obliged to ensure that the legal requirements and those contained in the Data Protection Directive are taken into account (e.g. national reporting obligations). It is an administrative task of the managing directors to ensure correct data processing for data protection through organizational, personal and technical measures. The relevant employees are responsible for implementing these provisions. The data protection coordinators are contact partners for data protection within our facilities. They can carry out checks and must familiarize employees with the content of the Data Protection Policy. The management should support the respective data protection coordinators in their work. The managers responsible for business processes and projects are obligated to inform the data protection coordinators in good time about further processing of personal data. If data processing is necessary that could pose risks to the personal rights of the data subjects, the data protection coordinators must be involved before the data is processed. This applies in particular to personal data with special protection. 

Management must ensure that employees have the necessary training and information on data protection. Abusive processing of personal data and other violations of data protection law are also legally punishable and may give rise to claims for damages. Violations for which employees are individually responsible may have legal consequences.

 

The Chief Data Protection Officer

The current characteristics of the company do not require it to present a delegate responsible for data protection. The Industrial Management Department and the Human Resources Department of Fimel are therefore acting as internal data protection coordinators. Furthermore, any data subject may approach a data protection coordinator to provide suggestions, request information or make complaints regarding data protection and data security issues. Requests for information and complaints will be handled confidentially. If the responsible data protection coordinator is unable to remedy or eliminate a violation against this Data Protection Policy, he or she must request the intervention of the Fimel management. Inquiries from supervisory authorities must always be brought to the attention of these departments.


© 2025 Fimel. All rights reserved.