Legal

Personal Data Protection Policy

Updated September 1st, 2022

Personal data protection policy

Updated September 1st, 2022

Protection is TRACKFORCE’s vocation. We know that our clients are concerned about the security and confidentiality of their personal data. We are therefore committed to building a relationship of trust with our clients and being completely transparent about their personal data.

That is why, with the entry into force of the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018, we have redefined and formalized our personal data protection policy, in this document termed “Data Protection Policy”.

This Data Protection Policy is therefore intended to inform you about the technical and organisational commitments and measures we have put in place to ensure protection of your personal data.

It supplements TRACKFORCE’s Terms and Conditions (hereinafter the “T&C”) as well as its contractual clauses relating to data processing.

This Data Protection Policy is not static; it may change according to the laws and regulations of the United Kingdom, as well as any other relevant legislation, and will undergo any adaptations that the doctrine of the Information Commissioner’s Office (ICO) will make necessary.

Clause no. 1: Data collection and processing

As part of its client relationship, TRACKFORCE collects and processes personal data necessary for the management of its clients’ private security personnel (whether these are staff of the client itself or of its processors), incident management, visitor management, sales and marketing lead management, as well as management of facilities and assigned personnel.

To do this, TRACKFORCE ensures it collects and processes only data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed. This is how we respect the principle of data minimisation set by the UK GDPR.

Clause no. 2: Purposes of data processing 

The data we collect has a specific purpose, and is not used for other purposes. Our purposes are determined, legitimate, explicit and compatible with our missions, in this case management of activities related to the human protection and security of our clients’ sites, sales and marketing lead management, as well as management of facilities and assigned personnel.

The defined purpose determines the relevance of the data to be collected: only data that is adequate and strictly necessary to achieve the purpose is collected and processed by TRACKFORCE.

Clause no. 3: Information of the data subject 

In accordance with the UK GDPR, TRACKFORCE informs and encourages its clients to inform the data subject from whom personal data is collected:

  • The identity and contact details of the data controller and, where appropriate, his representative;
  • Where applicable, contact details of the Data Protection Officer;
  • The purposes of the processing for which the personal data is intended as well as the legal basis of the processing;
  • Where applicable, legitimate interests pursued by the data controller or by a third party;
  • Recipients or categories of recipients of personal data, if they exist;
  • Where appropriate, the fact that the data controller intends to transfer personal data to a third country or to an international organisation;
  • The retention period of the personal data or, where this is not possible, the criteria used to determine this period;
  • The existence of the right to be informed about the collection and use of its personal data, the right to request the data controller to provide access to personal data, to rectify, erase or delete such data, or to restrict processing relating to the data subject, or the right to object to processing, the right to data portability and the rights in relation to automated decision making and profiling;
  • Where applicable, the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on the consent provided prior to its withdrawal;
  • The right to lodge a complaint with the supervisory authority (ICO);
  • Information on whether the requirement of the provision of personal data is of a regulatory or contractual nature or whether it is a condition for the conclusion of a contract and whether the data subject is required to provide personal data, as well as on the possible consequences of the non-provision of this data;
  • The existence of automated decision making, including profiling.

 

In the absence of individualized contact with the data subject, TRACKFORCE encourages its clients to inform said data subject by posting on the site covered by private security protection.

Clause no. 4: Recipients of the data

TRACKFORCE does not share client data with third parties; TRACKFORCE does not trade it.

Your personal data is therefore intended only for specific recipients, entitled to receive it, in this case and according to the case, TRACKFORCE and its processors, TRACKFORCE clients and their processors, as well as any other person, organisation, or entity that clients will want to communicate or share the data with, and only for the purpose of private security services or facilities management.

Clause no. 5: Data retention

TRACKFORCE only retains its clients’ personal data for the time required for the operations for which it was collected and in compliance with the regulations in force.

Each client can set the retention period according to the nature of the personal data concerned.

This data is automatically deleted after a maximum of 5 years after the end of the contractual relationship, according to the settings defined by each client.

Data on prospects is retained for up to 3 years from the last contact between TRACKFORCE and the prospect.

Clause no. 6: Data security

TRACKFORCE determines and implements the means necessary for the protection of personal data to avoid risks resulting in particular from the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, retained or otherwise processed, or from unauthorized access to such data, accidentally or unlawfully.

These means consist of appropriate technical and organisational measures to ensure a level of security adapted to the risk, and include inter alia, as required:

  • Encryption of personal data;
  • Means to ensure the constant confidentiality, integrity, availability and resilience of data processing systems and services;
  • Means to restore the availability of personal data and access to it in good time in the event of a physical or technical incident;
  • A procedure to test, analyze and assess regularly the effectiveness of the technical and organisational measures to ensure data processing security.

In particular, access to data is secured by strong security systems according to client choice, each defining the level of security appropriate to its business and its needs: identification by certificate, double authentication and other processes implemented by Trackforce and set out in the Document called “Trackforce Business Security”.

The protection policy for personal data processed by TRACKFORCE is thus organised around logical, physical or organisational measures.

Clause no. 7: Restricted access to data

TRACKFORCE defines and implements the rules of access and confidentiality applicable to personal data processed.

The level of detail accessible is defined by the client, according to the authorization/profile of each user: Agent, Head of Station, Client, Supervisor.

Only duly authorized persons can therefore access certain data details, within the framework of a security policy in particular restricting access to only that data necessary for the activity.

Access rights, granted in accordance with the user’s function, are updated in case of an upgrade or change of function.

Clause no. 8: Data transfer

In principle, TRACKFORCE does not transfer client data from one country or subsidiary to another worldwide.

If such a transfer were to be necessary, in this case to a country outside the United Kingdom, the European Union or the European Economic Area, that transfer would be part of the purpose of the processing for which the data is intended.

In this case, data recipients would only have communication of the categories of data necessary for the achievement of that purpose.

More generally, TRACKFORCE would transfer the data only in accordance with the provisions of articles 74 to 78 of the UK GDPR or any other relevant provisions.

Clause no. 9: Rights of the data subject

Pursuant to the UK GDPR and non-contrary provisions of any other relevant legislation, any natural person whose personal data is subject to processing is entitled to oppose the collection and processing of their personal data, the right of access to said data, rectification, deletion or erasure thereof (the right to be forgotten), the right not to be the subject of a decision based exclusively on automated data processing, including profiling, the right to limitation of processing of data concerning them, the right to have information about the persons to whom the data controller has transmitted personal data concerning them, as well as the right to portability of said data as these rights are described in Articles 44 to 54 of the UK GDPR or any other relevant provisions. They may exercise these rights by sending their request to dpo@trackforce.com accompanied by proof of their identity and their signature.

Clause no. 10: Data protection players

In connection with entry into force of the UK GDPR on 23 May 2018, TRACKFORCE has appointed a Data Protection Officer (DPO) directly reporting to the Chairman of TRACKFORCE.

The DPO constantly ensures compliance of all processing of personal data taking place in the TRACKFORCE Group.

Clause no. 11: Maintenance of non-contrary provisions of TRACKFORCE’s Terms & Conditions

This Data Protection Policy complements the TRACKFORCE Terms and Conditions, the non-contrary provisions of which remain applicable.