Personal data protection
General policy on the protection of personal data
The STEF Group (hereinafter STEF), specialised in transport and logistics for temperature-controlled products and in the maritime transport of passengers and goods, is aware of the risks associated with the collection and use of personal data for the private sphere of everyone and pays particular attention to the protection of such data and respect for privacy.
The general policy on the protection of personal data therefore expresses the commitments undertaken by STEF and its branches and all their employees in order to allow for the responsible collection and use of personal data within the rigorous framework of the Group's activities.
1 Principles and rules applicable to the protection of Personal Data
STEF and its Branches collect and process Personal Data in accordance with the law and European regulations and standards in force, and in particular, with the General Data Protection Regulation (GDPR) and with the various national laws and regulations of the countries in which Group branches operate.
Any information that allows the direct or indirect identification of a natural person.
- Data Controller:
Person, service or entity that determines the processing purposes and means.
- Data Processor:
Natural person, legal person or entity that processes Personal Data on behalf of the Data Controller (IT service provider, subcontractor for transport, subcontractor for logistics, communication agency, etc.).
Companies included in the scope of consolidation of STEF SA, both in France and in the countries in which the Group operates, in particular Spain, Italy, Portugal, Switzerland, Belgium and the Netherlands.
Any operation or set of operations applied to Personal Data such as collection, registration, organisation, structuring, storage, adaptation, modification, extraction, consultation, use, transmission.
- Data Subjects:
Individuals whose Personal Data are processed.
1.1 Data Controller
The Data Controller of personal data is STEF SA or its Branches as per the definition above.
It can be contacted as follows:
- Through the contact form available on the STEF.com website or on the STEF website of the country of reference, in the Contacts section, selecting the item "I wish to exercise my rights with regard to the processing of my personal data (GDPR)".
- By post, at the following address:
93 boulevard Malesherbes
75008 Paris France
The Data Controller undertakes to protect Personal Data in accordance with this General Policy regarding the protection of personal data.
In the event that the integrity, confidentiality or security of the Personal Data of the Data Subjects is compromised, the Data Controller may inform them by any means, where necessary and in compliance with the legislation in force.
1.2 Purpose of the processing
The Personal Data processed by STEF are collected and used for specific purposes or ends of which the data subjects are informed.
Each processing operation has its own purposes.
The sole purpose of these processing operations is to allow STEF to provide and optimise the transport and logistics services of temperature-controlled products, maritime transport of passengers and goods and the production of IT products and services ancillary to its business activities.
These processing operations meet the needs of recruitment, commercial communication, information, delivery, traceability of goods, monitoring of the quality of services, personnel management, internal management of activities and services, etc.
The possible purposes include, by way of example only, the following:
- The use of our websites and IT tools,
- The provision of the information or services requested (in particular: sending newsletters, commercial offers, studies, e-mail marketing campaigns, etc.),
- The collection of information that allows us to improve our products and services,
- The communication of various STEF-related events, including updates to services, products and customer support,
- Communication through social networks only for needs related to the Group's activities,
- The transmission of invoices and documentation relating to the implementation of our business, by any means (written, digital, electronic, etc.),
- The management of recruitment, administrative management of personnel (management of working hours, planning, travel, leave, absences, etc.), drafting of declarations and compliance with legal obligations and local regulations on the subject, in particular, the collection of social security contributions, database management, payroll management, management of any social security schemes, supplementary pension, career training and management, professional evaluation, control of employee activity and compliance with applicable rules within the company, internal investigations and disciplinary proceedings, management of the procedure for terminating the employment contract, management of telecommunications, management of the use of service or company vehicles, management of the internal directory and the company Intranet.
- The collection, communication, exchange, transmission of all commercial, financial, contractual, legal, social and regulatory documentation,
- Marketing studies for internal use only,
- The safety of all our sites and vehicles, tools and technical means by operating in compliance with safety and protection standards, or as required by law.
- The management, control and optimisation of transport and logistics services provided by the Group and its branches,
- And all other uses necessary for the operation of our businesses as described above.
The Personal Data collected are used only for the purposes indicated above and cannot be used for purposes other than those established for each process.
1.3 Lawfulness of processing (legal bases)
The processing of the personal data of the data subjects by STEF is justified by the following legal bases:
- execution of a contract that binds the data subjects to STEF; or
- execution of pre-contractual measures taken at the request of the data subjects; or
- compliance with legal obligation; or
- pursuit of STEF's legitimate interests.
In the absence of at least one of the legal bases indicated in point 1.3, the specific and explicit, understandable and clear consent of the Data Subjects is required before each processing operation.
The consents requested are collected and managed in accordance with the group's consent management procedure.
1.5 Data categories
The categories of Personal Data collected vary according to each processing operation.
However, regardless of the process, STEF does not collect the following data: information on racial origin, political opinions, religious, philosophical or racial beliefs, sexual orientation, genetic data.
If one or more of the aforementioned data are processed, they will be processed only on an occasional basis by STEF and in strict compliance with the requirements established in Regulation (EU) 2016/679 of the European Parliament and of the Council of 6 January 2016 (GDPR).
1.6 Limitation of collected data (proportion and relevance)
Only the Personal Data strictly necessary for the specified purposes are collected.
STEF strives to minimise and limit the data collected in this way and to keep them updated.
1.7 Retention and cancellation terms
The retention terms are determined according to the following criteria:
- Operational needs: period during which the data are necessary to ensure the complete provision of the services provided by STEF,
- Legal and regulatory requirements: period during which STEF is required to keep considering its legal and regulatory obligations.
The data concerning the employee will be kept for the duration of his/her employment in the company and beyond, within the limits of the applicable limitation periods.
In the absence of a specific retention period, the Personal Data collected are kept for a limited period of time necessary for the purposes indicated, and which cannot exceed 5 years from the end of the processing in question.
At the end of the specified retention period, the data is deleted or made anonymous.
1.8 Data recipients
The Personal Data collected, depending on the processing, may be used as the subject of a communication to the following recipients:
- The relevant departments/offices of STEF Group branches,
- Third parties who have entered into a contract with the STEF Group and who operate as Data Processors,
- Public and/or regulatory bodies of public or private law.
In addition to the recipients indicated above, no data will be transmitted without the prior explicit consent of the data subjects.
1.9 Security and confidentiality
STEF implements data protection measures appropriate to the nature of the data processed and the Group's activities.
Adequate physical, technical and organisational security measures are envisaged to guarantee optimal data confidentiality and, in particular, to avoid any unauthorised access.
As regards technical security measures, these are the subject of an IT Systems Security Policy (ISSP).
STEF requires any Data Processor to provide the necessary guarantees to ensure at least the same level of security, protection and confidentiality of personal data and compliance with the GDPR regulation.
In some cases, the data may be transferred to countries outside the European Union. In this case, STEF ensures that legal instruments are implemented to ensure, in accordance with the provisions of Articles 45 and 46 of the GDPR, that the countries receiving these data have an adequate level of protection.
1.10 Rights of data subjects
STEF adopts the necessary means so that data subjects can effectively exercise their rights on the Personal Data collected.
Summary of main rights:
- Right of access and communication of data:
Data subjects have the right to access the Personal Data concerning them.
- Right to rectify/delete data:
The legislation authorises the data subjects to request the rectification, updating or deletion of data concerning them that are inaccurate, incorrect, incomplete or obsolete, as the case may be.
- Right to objection:
Data subjects may object to the use of their personal data, but only in one of the following two situations:
1. When the exercise of this right is based on legitimate reasons,
2. When the exercise of this right aims to prevent the collected data from being used for commercial prospecting purposes.
- Right to data portability:
Data subjects have the possibility to retrieve the Personal Data provided to the Data Controller to be reused.
- Right not to be subject to a decision based solely on an automated process:
Data subjects have the right not to be subject to a decision based solely on an automated process if the decision produces legal effects that affect them or significantly influence them.
Methods of exercising the aforementioned rights:
STEF's contact methods referred to in point 1.1 allow each data subject to exercise their rights over their data.
Formalisation of requests:
- If they are sent by post, they must necessarily be sent by registered letter.
Elements and information to be indicated in requests:
- Copy of any official document providing indisputable proof of the applicant's identity, and recognised by law as such. This proof is required due to the Data Controller’s obligation of security and confidentiality in the processing of data.
- As far as possible, requests must include the identifier and/or e-mail address used to access the STEF system, the Personal Data transmitted, the context in which they were collected and/or the nature of the data subjects' association with STEF (employees, customer representative, etc.).
- The object of the exercised right must be selected directly in the contact form from the options proposed.
- In the interest of data security, each request will be the subject of an acknowledgement of receipt to the applicant's e-mail or postal address based on existing information. The identity of the data subject submitting the request will then be confirmed via a link in the e-mail sent or by post.
- The Data Controller undertakes to respond to all duly formalised and documented requests within a reasonable time, which cannot exceed 2 months from receipt of the request.
- The date of receipt considered for the calculation of the above term corresponds to the date of submission of the form or to the date of delivery of the registered letter if the request is sent by post.
2 Monitoring of the general policy on the protection of personal data and practices
This general STEF Personal Data Protection Policy is accessible to everyone on the various STEF websites, in particular on the website www.stef.com.
Furthermore, as regards the maritime transport of goods and passengers, the general policy on the protection of personal data of the branch in charge of this activity is available at www.lamerdionale.fr.
The Policy is regularly updated to reflect legislative and regulatory changes on data protection as well as the evolution of the Group in its organisation and business.
Consequently, the data subjects should regularly consult this General Policy on the protection of personal data to learn about the latest changes that may have been made.
The processing of Personal Data collected by STEF is governed by this Policy, supplemented by the Policy on the security of IT systems (ISSP), by the specific privacy policies for each website of the Group and by all internal procedures and rules relating to the principles referred to herein.
The principles of "privacy by design", meaning the principle that requires considering the security of Personal Data from the design stage, and of "privacy by default", meaning the principle of limiting Personal Data, are integrated into the development and implementation procedures of the new STEF IT systems.
Compliance monitoring and evolution of practices:
The compliance of the systems with national and European standards for the management and security of personal data is subject to regular verification by STEF's internal departments.
Improvements are regularly introduced in system operations and in the organisation of Personal Data on the basis of regulatory, legal and technical developments as well as requests for the exercise of rights in order to guarantee the maximum possible security of the Personal Data collected and processed as well as the effective exercise of the rights of the data subjects.
General policy on the protection of personal data updated on 01/12/2018