Privacy Policy

Data processing policy (GDPR compliance)

The customer is connected to Vinalfood NV - Kico NV, hereinafter called the Dell'oro - Vinalfood group, for the purchase of goods. Within the framework of the affiliation contract between the parties, the Dell'oro - Vinalfood group processes personal data for the customer in strict compliance with the applicable data protection legislation, and more particularly the Regulation (EU ) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (the “General Data Protection Regulation” or “GDPR”).

This agreement constitutes an annex to the internal regulations and is an integral part thereof.

1. Processing of personal (worker) data of the customer for the customer

"Data controller" means the Dell’oro - Vinalfood group in its capacity to determine the purposes and means of the processing of personal data.

"Processor" means the Dell’oro - Vinalfood group in its capacity to process personal data on behalf of and in accordance with the client's instructions, the latter having the quality of Data Controller.

1.14. Details concerning the processing activity are set out in Annex 1, which is an integral part of this agreement.

1.15. With regard to data protection, the Processor:

• will process personal data in accordance with the provisions of national and European legislation applicable to the processing of personal data, and in accordance with the opinion of the supervisory authority;

• respect the rights of individuals as determined by the applicable legislation on the processing of personal data and to which the services relate.

1.16. The Subcontractor guarantees that it has appropriate technical and organizational measures, and undertakes to maintain them, inter alia against loss, destruction, accidental damage, unlawful access or treatment, or unlawful disclosure of personal data, and a sufficient number of security programs and procedures to ensure that unauthorized persons do not have access to the equipment used for the processing and retention of personal data personnel during the term of this agreement.

1.17. The Subcontractor will not use or process the personal data it receives under this agreement, unless such use or processing is required to perform the services in accordance with this agreement or in accordance with legislation relating to the processing of personal data. If the Data Controller transmits to the Processor other personal data than those necessary for the execution of the services, as referred to in Annex 1, point 5, these will not be processed by the Processor, and the Data Controller will bear full responsibility for it, to the exclusion of all liability on the part of the Processor. The Processor will only process personal data on the basis of written instructions from the Data Controller, including those relating to transmission personal data to a third State or an international organization, unless a provision of the European Union or of a Member State applicable to the Subcontractor requires it to be processed; in this case, the Processor will inform the Data Controller of this legal provision before processing, unless this legislation prohibits this notification for important reasons of public interest. The Subcontractor will also immediately notify the Controller if, in his opinion, an instruction violates the legislation relating to the processing of personal data.

1.18. The Subcontractor will not authorize third parties to access the personal data transmitted to it in execution of this agreement, with the exception of staff acting directly under its authority or sister companies, and in all cases only to the extent that such access is necessary to perform services under this agreement. The Subcontractor will in any event be responsible for the processing activities of these third parties.

1.19. The Subcontractor guarantees that the persons authorized to process personal data have undertaken to respect their confidentiality, or are bound by an appropriate legal obligation of confidentiality.

1.20. The Processor will not transmit personal data, obtained through the Controller or under this Agreement, outside the EEA or to a third party (including processors of the Processor) without the prior written consent of the Data Controller. The Subcontractor will in any event be responsible for the transfer of personal data to any authorized third party.

1.21. The Processor will immediately and without delay notify the Controller as soon as he becomes aware of (i) a legally binding request for disclosure of personal data from a law enforcement authority, unless this is prohibited, as a criminal ban aimed at guaranteeing the confidentiality of the police investigation, (ii) accidental or illicit access (such as hacking), or the loss of data or other incidents having an impact on personal data personnel related to this agreement; and / or (iii) the receipt of a request sent directly by data subjects, without responding to it, unless they have been authorized to do so.

1.22. Given the nature of the processing and the information available to the Processor, this will help the Data Controller to comply with the obligations to notify data breaches, to carry out an impact assessment relating to data protection, or consult the competent supervisory authority prior to a processing activity (if applicable).

1.23. At the request of the Data Controller, the Processor will provide the latter with all the information necessary to demonstrate compliance with the obligations mentioned in this agreement, as well as compliance with the legislation concerning the processing of personal data, and for allow audits, including inspections, to be carried out by the Data Controller or a mandated inspector, and contribute to these audits.

1.24. The Subcontractor will keep a register of its processing activities in execution of this agreement, in accordance with the applicable legislation on the processing of personal data, which may be made available if the Controller and / or the supervisory authority request it.

1.25. After the end of this agreement, for any reason whatsoever, the Processor will delete or return to the Data Controller, at the option of the latter, all personal data, and will delete the existing copies, unless the personal data must not be stored on the basis of European Union or Member State law.

1.26. The Subcontractor can be sued by the Controller only for the damage which would result from the non-compliance by the Subcontractor with the obligations and commitments incumbent upon him under the terms of this agreement or if the Subcontractor does not follow not the legitimate instructions of the Data Controller. The limitation of liability as defined in article 4 of the internal regulations also applies to the processing of personal data by the Processor for the Data Controller.

2. Processing of personal data (of contact persons) of the customer

2.1. The information collected by the Dell'oro - Vinalfood group, including without limitation the contact details (of representatives and contact persons) of the customer and the data required for invoicing, will be carefully processed in strict compliance with the GDPR.

2.2. This personal data (of contact persons and representatives) of the client will only be processed in the context of the execution of the affiliation contract for the following purposes: management of the client's files (e.g. billing, supply customer service, complaint management, processing of transactions, requests in the context of salary administration), marketing (invitations to events, newsletters) and compliance with obligations imposed by legislation and regulations. The recipients of this data are employees of the Dell’oro - Vinalfood group.

2.3. The Dell’oro - Vinalfood group will retain personal data for as long as necessary for the execution of the affiliation contract and for a maximum period of seven years from the end of the contract. The data will not be used for automated decision making.

3. Exercise of rights

3.1. Given the nature of the processing, the Dell’oro - Vinalfood group will assist, as far as possible, with the obligation to comply with requests from data subjects to exercise their rights.

3.2. The workers of the customer can directly address their request to the Dell’oro - Vinalfood group.

3.3. The Dell’oro - Vinalfood group will immediately provide the customer, and in any event within one month of receipt of the request, with information on the outcome of the request. The request should be sent electronically to gdpr@vinalfood.com. This period may, if necessary, be extended by two months depending on the complexity of the requests and the number of requests. The Dell’oro - Vinalfood group will inform the customer of such an extension within one month of receiving the request. This information will be provided electronically, unless the customer requests otherwise.

3.4. No payment will be required for taking measures to enable the exercise of rights. When the requests of a data subject are manifestly unfounded or excessive, in particular due to their repetitive nature, the Dell'oro - Vinalfood group may a) require the payment of reasonable fees which take account of the administrative costs incurred in providing the information, make the communications or take the measures requested; or b) refuse to comply with these requests.

APPENDIX 1: DETAILS CONCERNING THE PROCESSING OF PERSONAL DATA

1 Description of data processing (s)

The Processor performs the following processing activities, on behalf of the Data Controller and in accordance with the latter's instructions:

Personal data is used to ensure correct processing of pay.

2 Purposes

Communication regarding orders, deliveries, exceptional items, ... and info on company events, promotions, etc.

3 Duration of treatment

The operation / The processing operations will / will take place during the term of the contract / our collaboration.

4 Categories of persons concerned

  • Clients
  • Company managers
  • Current staff, Temporary workers, Trainees / professional training status
  • Agents

5 Categories of personal data

  • First/Last name
  • Address
  • Personal/Business phone number
  • Languages
  • Date/Place of birth (if specified by the client)
  • Personal/Professional E-mail address
  • Nationality
  • National register number or other national identification numbers (for business managers)
  • Sex
  • Function
  • Order history