Information notice for processing of contact details under Thales Agreements

13 September 2024
PDF - 379 Ko Information notice for processing of contact details under Thales agreements

Preamble

The protection of personal data is of great importance to Thales, which ensures that the personal data of the concerned data subjects is processed in complete security and confidentiality, in accordance with the applicable legislation on the protection of personal data.
In this respect, Thales has adopted Binding Corporate Rules (BCR). The Thales BCR constitute the Thales Group's global policy on the protection of personal data, defining the principles and procedures that Thales undertakes to respect.

Definitions

"Agreement" : Means any contract, offer, letter of intent, memorandum of understanding or agreement signed by a Thales Company with a customer, supplier, partner, prospect or any other third party

"Applicable Data Protection Legislation" : Means any personal data protection regulations applicable to the Agreement, including, where applicable, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "the GDPR") and the laws and regulations adopted to implement the GDPR.

"BCR" : Means the Binding Corporate Rules applicable when Thales acts in its capacity as Data Controller, as approved by the French supervisory authority (“Commission Nationale de l’Informatique et des Libertés”) by deliberation no. 2023-144 dated 21 December 2023. The Thales BCR can be accessed by clicking here.

"Data Subject" : Means an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, an e-mail address, location data, an online identifying number, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Data Controller" : Means an organisation that determines the purposes and means of the Processing of Personal Data.

"EEA": Means the European Economic Area.

"Parties" : Means the Parties to the Agreement.

"Personal Data" : Means any information relating to a Data Subject.

"Processing" : Means any operation and/or set of operations carried out by using automated processes or not and applied to Personal Data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, limitation, deletion or destruction.

"Thales" or "Thales Company" : Means Thales SA, a public limited company (Société Anonyme) with its registered office at 4, rue de la Verrerie, 92190 Meudon, France, registered in the Nanterre Trade and Companies Register, France, under number 552 059 024 and/or any legal entity directly or indirectly controlled by Thales SA. The term "control" means that Thales SA directly or indirectly holds more than 50% (fifty percent) of the voting rights or economic rights of the legal entity concerned.

"Third Country" : Means a country outside the combined territories of the EEA and the UK.

"UK" : Means the United Kingdom.

Purpose of Processing Personal Data

This information notice applies to the Processing of Personal Data carried out by a Thales Company for the purposes of the administrative management of the Agreement it signs and the exchanges of information carried out in the context of the performance of the said Agreement.
In this respect, the Thales Company acts as Data Controller.

Categories of Personal Data processed and Data Subjects

The Personal Data processed by Thales includes the contact details of its employees, the employees of its co-contractor(s) and/or any third party involved in the performance and/or administrative management of the Agreement, such as their surname, first name, professional identifier, professional e-mail address, professional postal address and telephone number.
In certain cases, where the Agreement requires the provision of additional references concerning the employees involved in its performance, the Personal Data also includes information such as the nationality, date of birth, studies and diploma, positions held, address and place of residence of the employee.

Legal basis for the processing of Personal Data

Personal Data is used for the exchange of information and/or documents, for the purposes of delivering and invoicing the products and services covered by the Agreement and/or any other task relating to the administrative management or performance of the Agreement.
Therefore, Thales processes the Personal Data on the basis of its legitimate interests.

Retention duration

Personal Data is kept by Thales for a period of five (5) years after the end of the Agreement.

Recipients of Personal Data

The recipients of all or part of the Personal Data being processed are the Parties to the Agreement and, where applicable, the end customer, subcontractors, service providers and/or suppliers involved in the performance of the Agreement.

Transfers of Personal Data outside the European Economic Area

The sharing of Personal Data with certain recipients may require the transfer of Personal Data outside the EEA and the UK.

Where Personal Data is transferred by a Thales Company established in the EEA or in the UK to a Thales Company established in a Third Country, which has not been recognised as offering an adequate level of protection by an adequacy decision of the European Commission or the UK Parliament, as appropriate, such transfer shall be based on the Thales BCR.

Thanks to the Thales BCR, wherever Personal Data is processed within the Thales Group, it benefits from the same standard of protection.

Where Personal Data is transferred by a Thales Company established in the EEA to a third company established in a Third Country, which has not been recognised as offering an adequate level of protection by an adequacy decision of the European Commission, such transfer shall be governed by the European Union Standard Contractual Clauses as adopted by the European Commission (hereinafter the "SCC") or any other appropriate safeguards.

Where Personal Data is transferred by a Thales Company established in the UK to a third company established in a Third Country which has not been recognised as offering an adequate level of protection by an adequacy decision of the UK Parliament, such transfer is governed by the International Data Transfer Agreement or by the International Data Transfer Addendum to the SCC published by the UK Information Commissioner's Office.

The SCC signed by Thales can be obtained on request by clicking here.

Rights of Data Subjects

Data Subjects have the right to access their Personal Data and the right to rectify and delete their Personal Data. They also have the right to object to the Processing of their Personal Data or to request that the said Processing be limited.

Any request to exercise a right or make a claim may be made by e-mail to the contact address mentioned in the Contract.

If not mentioned in the Contract, the request can be made by clicking here.

To contact the Thales Group Data Protection Officer, please write to the following address:dataprotection@thalesgroup.com.

In any event, it is possible to lodge a complaint with the competent data protection authority.

Last update September 2024