Privacy Notice
Information on the protection of Personal Data relating to the processing of Client and prospect relations
- Definitions
- Personal Data: any information relating to an identified or identifiable natural person
- Customer: legal entity with which SAFRAN has concluded a contract
- Prospect: a legal entity with which SAFRAN intends to enter into a contract
- SAFRAN: Safran SA and its subsidiaries
- Site: refers to the Safran group's Client portal and the CRM tool used to manage the Client/Prospect relationship
- User: refers to any natural person, working for a company, legal entity, client of one of the SAFRAN Group companies and using the Site
- Introduction
As part of the management of the Group's Customers and prospects, SAFRAN has decided to implement various CRM (Customer Relationship Management) tools.
SAFRAN is committed to respecting the various regulations concerning the protection of Personal Data and the privacy of its Customers and Prospects, including the European regulation on the protection of Personal Data (RGPD).
In order to ensure transparency towards the staff of Customers and Prospects, this information notice presents the way in which Personal Data is processed in the management of Customers and Prospects.
- The purposes of the processing ;
- Legal bases ;
- Data collected ;
- Retention periods ;
- Recipients of the data ;
- Transfers of Personal Data outside the European Union and their supervision;
- Respect for the rights of data subjects and their exercise.
This information notice applies to all staff of Customers and Prospects.
As updates become available, new uses or new applications are added, this notice will be updated.
- Processing of Personal Data
Within the framework of the management of Customers and Prospects, several Personal Data processing operations are carried out. These processes deal with Personal Data such as identification, professional and activity data of the Customers' and/or Prospects' staff.
Purposes |
Data subjects |
Personal Data |
Retention periods |
Recipients |
Internal User Management |
Safran personnel with access to the CRM |
|
[RS(1] Anonymization of personal data 3 months after an employee leaves the Group |
|
Customer Management |
Customer staff |
|
Anonymisation of personal data at the end of the commercial relationship or by default 3 years after the last activity of the Customer |
|
Prospect Management |
Prospects' staff |
|
Anonymisation of personal data by default 3 years after the account creation date |
|
Management of satisfaction surveys |
Safran’s personnel and Customer |
|
Removal of surveys 3 years after completion |
|
a. Specificities of the data collected
This Personal Data is collected:
- Directly to the staff of Customers or Prospects (e.g. by giving them a business card)
- Indirectly via public directories or professional networks with public data SAFRAN will only use Personal Data for the purposes stated, unless the new purpose is compatible with the purposes stated. Examples: legal prescription rule, legal proof or litigation management.
Personal Data is not sold to third parties.
b. Specificity of the recipients
In addition to the recipients listed in the table below, all Personal Data will be accessible by :
- the administrators of the tool
- authorised IT teams
- if necessary, depending on requirements, SAFRAN service providers implementing the services (provision of the portal, authentication service, maintenance).
c. Specificities on shelf life
In addition to the durations listed in the table above :
- Data Subjects may themselves delete or update some of their Personal Data
- Some Personal Data may be retained for longer periods of time for evidentiary, safeguarding or legal purposes. In order to protect the interests of data subjects, the list of recipients of such Personal Data will be reduced and access will be tracked.
- Legal basis for processing
The processing of Personal Data listed above has a legal basis:
- Safran's legitimate interest :
- to provide professional tools to enable its staff to carry out their mission;
- to provide tools to be in contact with the personnel of its Customers in order to manage the contracts concluded between SAFRAN and its Customers;
- manage commercial prospecting and business potential with Prospects;
- to manage the relationship strategies with its Customers and Prospects
- Compliance with the regulations to which Safran is subject, in particular those relating to fraud, due diligence, IT security, technical data protection or Personal Data.
- Users' responsibility for the content posted and/or published
Each data subject is responsible for the content he/she publishes and the actions he/she takes: no anonymous content is possible. The content posted or published must comply with the applicable regulations on the protection of Personal Data and respect for privacy.
Contributions shall be of a strictly professional nature and may not deal with personal matters such as politics, religion or the morals of a person. They shall not contain any offensive or defamatory material.
- Security of Personal Data
SAFRAN has implemented physical, logical and organizational measures to protect the Personal Data of the data subjects so that it is not lost, altered or disclosed to unauthorized third parties.
Personal Data is protected against unauthorised access, use or disclosure by using encryption procedures and access limitations. Only those persons who require access to Personal Information in the course of their duties have access to it.
In the context of SAFRAN's legitimate interest in securing its information system by ensuring traceability, connection logs are processed and kept for one year; they are only accessible by administrators and the IT security team.
- Transfers of Personal Data
The Personal Data are hosted in the following countries:
a. Transfers of Personal Data within the Safran Group
SAFRAN is an international group with subsidiaries outside the European Union.
The Site is used by all SAFRAN Users regardless of their location. In fact, transfers of Personal Data are made between the different subsidiaries.
These transfers of Personal Data are governed by Safran's Binding Corporates Rules - Controller, i.e. internal corporate rules requiring all Group subsidiaries to have a level of Personal Data protection at least equivalent to that present in the European Union.
SAFRAN has operations in the following countries Australia; Belgium; Brazil; Canada; China; Czech Republic; Finland; France; Germany; Hong Kong; India; Japan; Malaysia; Mexico; Morocco; Netherlands; Poland; Russia; Singapore; South Africa; Spain; Taiwan; Thailand; Tunisia; United Arab Emirates; United States; Vietnam.
b. Transfers of Personal Data outside Safran
The Site is provided and hosted by a service provider.
Within the framework of maintenance operations and in particular in order to respond to incidents that may arise, the staff of the service provider or its subsequent service providers may have access to the Personal Data of Users.
In this context, Personal Data may be accessible from countries in which the Providers are located :
Within the European Union: Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Ireland, Netherlands, Romania, Sweden
Outside the EU: Australia, Brazil, Canada, Chile, China, Egypt, Hong Kong, India, Israel, Japan, Malaysia, Serbia, Singapore, South Africa, South Korea, Switzerland, Tunisia, United Arab Emirate, United Kingdom, United States
These accesses are mapped out and framed by :
- European Commission adequacy decisions ;
- BCR subcontractors of SAFRAN's service providers;
- the European Commission's Standard Contractual Clauses (SCC) that the service provider has signed with its subsidiaries and subsequent service providers. Upon request to the SAFRAN Group DPO, a copy of these SCCs can be sent to the data subjects.
- Rights of the Persons Concerned
Users have rights over their Personal Data.
- Right of access: each User may obtain confirmation as to whether or not his/her Personal Data are processed by SAFRAN and may request a copy;
- Right of rectification: each User may request the modification of Personal Data concerning him/her that is inaccurate or obsolete;
- Right of deletion: in certain cases, a User may request the deletion of his/her Personal Data when it is no longer necessary for one of the purposes mentioned above;
- Right of limitation: each User may request a temporary freeze on the use of his/her Personal Data when he/she disputes the accuracy of the data or when he/she objects to the processing;
- Right of portability: each User can request a copy of his/her Personal Data in an intelligible and commonly structured way to transfer it to another company;
- Right of opposition: in certain cases listed in the regulations, a User may ask SAFRAN to no longer process his/her Personal Data.
The aforementioned rights are not absolute. They may be limited due to legal obligations to which SAFRAN may be subject or in the event of an interest strictly necessary to achieve its objectives.
Users may exercise these rights by contacting the SAFRAN Group Data Protection Officer (DPO) at:
- safran.dpo@safrangroup.com
- 2 boulevard du Général Martial Valin, 75015 PARIS.
If there is any doubt as to the identity of the data subjects, SAFRAN reserves the right to request a copy of a proof of identity.
In the event of no response or an unsatisfactory response, data subjects may file a complaint with a personal data supervisory authority.
In France: www.cnil.fr.
In Germany: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html