Privacy policy

For the purpose of conducting their professional activities, VPK Packaging Group NV and all of its affiliates (together the “VPK Group”), as Data Controllers, need to Process Personal and professional Data regarding staff, applicants, Customers and suppliers. The VPK Group shall take all adequate measures to make sure these Processing activities adhere to the European General Data Protection Regulation (“GDPR”) and other legislations regarding the Processing of Data.

 

 

1. DEFINITIONS

Consent: a legally binding expression of will, given voluntarily, in which the Data Subject declares his/her agreement to the Processing of data.

Customers: all companies who place orders for products or services with the VPK Group.

Data Controller(s): The Data Controller is the person or organisation that determines when, why and how to Process Personal Data. The Data Controller is responsible for establishing practices and policies in line with the GDPR.

Data Subject: a natural person, meaning an identified or identifiable individual about whom the VPK Group holds Personal Data. This does not include companies or other legal entities.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject by means of which the Data Subject can be identified (directly or indirectly) based on that data alone or in combination with other identifiers BBP possesses or can reasonably access. Personal Data includes Sensitive Personal Data but excludes anonymous data or data that has had the identity of a Data Subject permanently removed. Personal data can be factual (for example a name, email address, location or date of birth) or an opinion about that person's actions or behaviour. Personal Data specifically includes, but is not limited to, Data Subject’s contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and curriculum vitae (CV).

Processing of data/To Process data: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

2. PRINCIPLES

The VPK Group adheres to the general principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected only for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed
  • Accurate, complete, where necessary kept up to date and relevant for the purpose of collection
  • Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed
  • Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing, accidental loss, destruction or damage
  • Not transferred without appropriate safeguards being in place
  • Made available to Data Subjects, who are allowed to exercise certain rights in relation to their Personal Data

3. PURPOSES OF DATA COLLECTION

The Personal Data collected usually concern the following items: name, nationality, job title, address, telephone number, e-mail address, financial and pay details, educational background, marital status and curriculum vitae (CV).

The VPK Group Processes Personal Data solely for the purpose of conducting its professional activities. In this regard, The VPK Group primarily collects Personal Data for the following business purposes (without limitation):

  •  Personnel and Payroll
  • Compliance with legal, regulatory and corporate governance obligations and good practice
  • Implementation of agreements
  • Execution of shared services (ICT, finance,…)
  • Administrative purposes
  • Financial purposes
  • Recruitment and selection
  • Disciplinary matters
  • Monitoring of staff (access to systems/facilities, absence, compliance with policies,…)
  • Investigation of complaints
  • Research and development
  • Health and safety purposes
  • Disciplinary and grievance issues
  • Quality control
  • Marketing
  • Improving services

The Personal Data obtained via the contact form on this website will only be used to provide you with the information you have requested. This website also automatically keeps log files concerning the use by visitors to generate statistics for an anonymous analysis of this use.

4. LEGAL GROUNDS FOR PROCESSING

The VPK Group applies all reasonable means to ensure that Personal Data is collected as prescribed by the GDPR. This applies to all Personal Data, irrespective of the means of collection: collected in person, electronically or by submitting through the VPK Group website.

For most of the Processing activities mentioned in section 4 the VPK Group can rely on one of the following legal Processing grounds as foreseen by the GDPR: contractual necessity or legal obligation. If these legal grounds do not apply, the VPK Group will request the Data Subject’s Consent to Process the Personal Data. Consent will be requested if the Personal Data being Processed relate to, among other things, the taking and use of pictures, sending of newsletters, research and development and marketing.

The Personal Data of external parties, such as Customers and suppliers, to be Processed will generally concern name, e-mail address and phone number of employees or representatives of these Customers and suppliers. The legal ground based on which the Processing activity takes place is contractual necessity. The GDPR confirms that, in order to enter in a contract or perform a contract, it is needed and agreed that Personal Data Processing happens within this contractual scope.

5. DATA TRANSFER

Any information which falls under the definition of Personal Data will remain confidential and will only be disclosed to third parties with appropriate Consent of the Data Subject, unless the VPK Group can rely on a Processing ground as foreseen by the GDPR and mentioned in section 5.

A brief overview of the categories of recipients: partner entities, distributors, service providers, financial partners, insurance companies, payroll processors, IT services providers and other companies that the VPK Group may use for support. The VPK Group shall not share Personal Data to non-business related third parties, except in case required by law or as permitted under the GDPR.

6. RIGHTS OF DATA SUBJECTS

Data Subjects have multiple rights when it comes to their Personal Data. First of all, Data Subjects have the right to access their Personal Data held by the VPK Group. Secondly, Data Subjects can ask what Personal Data is held about them and why, ask questions about how the Personal Data is gathered, how it is kept up-to-date and file a request not to use their Personal Data for direct marketing purposes.

The VPK Group also ensures Data Subjects’ right to be forgotten. This means that Data Subjects can make a request to have their Personal Data removed from any files or databases held by the VPK Group.

For any of these questions or requests, an e-mail can be sent to dpo@vpk.be. All e-mails will be answered as soon as reasonably possible.

7. DATA ACCURACY

The VPK Group, on the one hand, undertakes to keep Data Subjects’ Personal Data as up-to-date and accurate as possible. Data Subjects, on the other hand, are requested to notify the VPK Group of any relevant changes in Personal Data held about them by the VPK Group.

8. DATA STORAGE AND SECURITY

The VPK Group shall apply all reasonable means not to hold Personal Data of Data Subjects longer than necessary in relation to the purpose for which it is held.

Personal Data is secured by appropriate technical and organisational measures against unauthorised or unlawful Processing and against accidental loss, destruction or damage.

The VPK Group’s ICT-departments have developed and implemented safeguards appropriate to size, scope and business, available resources, the amount of Personal Data and identified risks. Those safeguards are evaluated and tested regularly to ensure security of Personal Data.

Data Subject’s Personal Data can only be accessed by authorized personnel. The VPK Group’s staff are aware of the internal Privacy & Data Protection Policy, the internal IT policy and this privacy notice and the obligations that come with it.

9. DATA PROTECTION BREACH

Any breach of this privacy notice or of the GDPR by the VPK Group can be reported by sending an e-mail to the following e-mail address: dpo@vpk.be. All e-mails will be answered as soon as reasonably possible.

10. AMENDMENTS

This privacy notice will be updated as frequently as necessary to reflect best practices in data management, security and control and to ensure compliance with any legal changes.

The VPK Group will publish the latest version on its website as soon as reasonably possible.  

last reviewed on: 15/10/2018