Personal data protection policy

Protection is TRACKFORCE's vocation. We know that our clients are concerned about the security and confidentiality of their personal data. We are therefore committed to building a relationship of trust with our clients and being completely transparent about their personal data.

That is why, with the entry into force on 25 May 2018 of European Regulation no. 2016/679 of 27 April 2016 on the protection of personal data (hereinafter the "GDPR"), we have redefined and formalized our personal data protection policy, in this document termed "Data Protection Policy".

This Data Protection Policy is therefore intended to inform you about the technical and organizational commitments and measures we have put in place to ensure protection of your personal data.

It supplements TRACKFORCE's Terms and Conditions of Sale (hereinafter the "CGV") as well as its contractual clauses relating to subcontracting.

This Data Protection Policy is not static; it may change according to the laws and regulations of Luxembourg, as well as European legislation, and will undergo any adaptations that the doctrine of the National Data Protection Commission (CNPD) and the guidelines of the G29 (Working Group with the representatives of the independent supervisory authority of each member country of the European Union) make necessary.

Clause no. 1: Data collection and processing

As part of its client relationship, TRACKFORCE collects and processes personal data necessary for the management of its clients’ private security personnel (whether these are staff of the client itself or of its subcontractors), incident management, visitor management, sales and marketing lead management, as well as management of facilities and assigned personnel.

To do this, TRACKFORCE ensures it collects and processes only data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed. This is how we respect the principle of data minimization set by the GDPR.

Clause no. 2: Purposes of data processing

The data we collect has a specific purpose, and is not used for other purposes. Our purposes are determined, legitimate, explicit and compatible with our missions, in this case management of activities related to the human protection and security of our clients' sites, sales and marketing lead management, as well as management of facilities and assigned personnel.

The defined purpose determines the relevance of the data to be collected: only data that is adequate and strictly necessary to achieve the purpose is collected and processed by TRACKFORCE.

Clause no. 3: Information of persons concerned

In accordance with the GDPR, TRACKFORCE informs, and encourages its clients to inform, the person from whom personal data is collected of:

  • The identity and contact details of the data controller and, where appropriate, his representative;
  • Where applicable, contact details of the Data Protection Officer;
  • The purposes of the processing for which the personal data is intended as well as the legal basis of the processing;
  • Where applicable, legitimate interests pursued by the data controller or by a third party;
  • Recipients or categories of recipients of personal data, if they exist;
  • Where appropriate, the fact that the data controller intends to transfer personal data to a third country or to an international organization;
  • The retention period of the personal data or, where this is not possible, the criteria used to determine this period;
  • The existence of the right to request the data controller to provide access to personal data, to correct or delete such data, or to limit the processing relating to the person in question, or the right to object to processing and the right to data portability;
  • Where applicable, the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on the consent provided prior to its withdrawal;
  • The right to lodge a complaint with a supervisory authority;
  • Information on whether the requirement of the provision of personal data is of a regulatory or contractual nature or whether it is a condition for the conclusion of a contract and whether the person in question is required to provide personal data, as well as on the possible consequences of the non-provision of this data;
  • The existence of automated decision making, including profiling.

In the absence of individualized contact with the person concerned by the collection and processing, TRACKFORCE encourages its clients to inform said person by posting on the site covered by private security protection.

Clause no. 4: Recipients of the data

TRACKFORCE does not share client data with third parties; TRACKFORCE does not trade it.

Your personal data is therefore intended only for specific recipients entitled to receive it: depending on the case, TRACKFORCE and its subcontractors, TRACKFORCE clients and their subcontractors, as well as any other person, organization, or entity with which clients wish to communicate or share the data, and only for the purpose of private security services or facilities management.

Clause no. 5: Data retention

TRACKFORCE only retains its clients' personal data for the time required for the operations for which it was collected and in compliance with the regulations in force.

Each client can set the retention period according to the nature of the personal data concerned.

This data is automatically deleted after a maximum of 5 years after the end of the contractual relationship, according to the settings defined by each client.

Data on prospects is retained for up to 3 years from the last contact between TRACKFORCE and the prospect.

Clause no. 6: Data security

TRACKFORCE determines and implements the means necessary for the protection of personal data to avoid risks resulting in particular from the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, retained or otherwise processed, or from unauthorized access to such data, accidentally or unlawfully.

These means consist of appropriate technical and organizational measures to ensure a level of security adapted to the risk, and include inter alia, as required:

  • Pseudonymisation and encryption of personal data;
  • Means to ensure the constant confidentiality, integrity, availability and resilience of data processing systems and services;
  • Means to restore the availability of personal data and access to it in good time in the event of a physical or technical incident;
  • A procedure to test, analyze and assess regularly the effectiveness of the technical and organizational measures to ensure data processing security.

In particular, access to data is secured by strong security systems according to client choice, each client defining the level of security appropriate to its business and its needs: identification by certificate, double authentication and other processes implemented by Trackforce and set out in the document called "Trackforce Business Security".

The protection policy for personal data processed by TRACKFORCE is thus organized around logical, physical or organizational measures.

Clause no. 7: Restricted access to data

TRACKFORCE defines and implements the rules of access and confidentiality applicable to personal data processed.

The level of detail accessible is defined by the client, according to the authorization/profile of each user: Agent, Head of Station, Client, Supervisor.

Only duly authorized persons can therefore access certain data details, within the framework of a security policy in particular restricting access to only that data necessary for the activity.

Access rights, granted in accordance with the user's function, are updated in case of an upgrade or change of function.

Clause no. 8: Data transfer

In principle, TRACKFORCE does not transfer client data from one country or subsidiary to another worldwide.

If such a transfer were to be necessary, in this case to a country outside the European Union, that transfer would be part of the purpose of the processing for which the data is intended.

In this case, data recipients would receive only the categories of data necessary for the achievement of that purpose.

More generally, TRACKFORCE would transfer the data only in accordance with the provisions of articles 44 to 50 of the GDPR.

Clause no. 9: Rights of individuals concerned by the collection and processing of personal data

Pursuant to the GDPR and non-contrary provisions of the Data Protection Act, any natural person whose personal data is subject to processing is entitled to oppose the collection and processing of their personal data, the right of access to said data, rectification or erasure thereof (the right to be forgotten), the right not to be the subject of a decision based exclusively on automated data processing, including profiling, the right to limitation of processing of data concerning them, the right to have information about the persons to whom the data controller has transmitted personal data concerning them, as well as the right to portability of said data as these rights are described in Articles 15 to 22 of the GDPR. They may exercise these rights by sending their request to accompanied by proof of their identity and their signature.

Clause no. 10: Data protection players

In connection with the entry into force of the GDPR on 25 May 2018, TRACKFORCE has appointed a Data Protection Officer (DPD or DPO) directly reporting to the Chairman of TRACKFORCE.

The DPO constantly ensures compliance of all processing of personal data taking place in the TRACKFORCE Group.

Clause no. 11: Maintenance of non-contrary provisions of TRACKFORCE's Terms & Conditions of Sale

This Data Protection Policy complements the TRACKFORCE Terms and Conditions of Sale, the non-contrary provisions of which remain applicable.