The French companies of the ARMOR Group inform you that your Personal Data are collected and processed in accordance with EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data or GDPR and the French Data Protection Act no. 78-17 (the “Regulations”).

The purpose of this policy is to provide you with information on the Processing of your Personal Data and on the conditions under which they are protected by the ARMOR Group.

The internal Personal Data protection policy may be updated from time to time: we recommend that you review this policy regularly.

The following definitions are provided to facilitate your understanding of the terms used in this Personal Data protection policy.

Data subject
An identified or identifiable natural person, either directly or indirectly, whose Personal Data is subject to Processing.

Personal Data
Any information enabling your identification, including a name, a professional email address, an identification number, an online identification, or one or several specific elements relating to your physical, economical, cultural or social identity.

Sensitive Data
Any Personal Data relating to racial or ethnic origins, political, philosophical or religious opinions, affiliation with a trade union, health, criminal convictions or offenses or social security number.

Recipient
A person authorized to access your Personal Data recorded in a file or subject to a Processing, by reason of their professional duties.

DPO
Data protection officer

Controller
ARMOR group’s French entity which determines the purpose and the means of a Processing.

Processor
A natural person or legal person (company or governmental institution) which processes your Personal Data on behalf of the Controller, as part of a service or contractual commitment.

Processing
Any operation or set of operations performed on your Personal Data, irrespective of the means or processes employed (collection, recording, organization, storage, adaptation, editing, extraction, consultation, use, disclosure by transmission or communication, or any other form of making available or reconciliation).

2.1. Wich Personal Data?

The Personal Data collected by the French entities of the ARMOR Group concerning you mainly include:

Identification
Last name, first name, identity photo, gender, date and place of birth, nationality, personal phone number, personal email and address, employer’s name, job title, professional phone number, professional address and email.

Personal Life
Marital status.

Professional life
Employment status, education, references, work experience, professional email, date and time of visits to the premises.

Connection data
IP address, time, date and browsing data, login credentials.

Exceptionally, in order to comply with our legal obligations under anti-corruption and anti-money laundering regulations, we may process information regarding the status of politically exposed persons among some executives, as well as any criminal convictions recorded against them.

When visiting certain facilities operated by the ARMOR Group, we may process a copy of your identity document depending on the facility visited. This copy will be deleted within a few days following your visit.

As part of recruitment processes, we may process sensitive data, such as recognition of a disability status by the MDPH (French Department for Disabled Persons), or any criminal convictions, in accordance with the obligations of the certification as an Authorized Economic Operator (AEO).

2.2. How do we collect your Personal Data?

Your Personal Data may be collected :

• Directly from you, notably through contact forms, during trade fairs, visits, telephone prospecting, or by email.
• Indirectly, in particular through recruitment agencies, professional references, online professional networking platforms, or websites.
• Indirectly, when introductions are made via trade fair organizers or other service providers;
• Indirectly, during any visits to our premises, through the recording of images.

Access to your Personal Data is strictly limited to Armor Group employees who have a legitimate need to access such information in the performance of their professional duties.

Your Personal Data are processed for the purposes listed below:

3.1. Recruitment management

Purposes
• Assessment of applications for the proposed position
• Verification of the information provided in the application

Legal basis
• Legitimate interest: for mandatory Data marked with an asterisk, for the purpose of getting to know the candidate
• Consent: for non-mandatory Data

Recipients
Authorized personnel from Human Resources departments, support services involved in negotiations, the relevant line manager, other interested Armor Group companies, and recruitment agencies.

3.2. Prospects and custoer management

Purposes
• Prospecting
• Commercial, marketing and accounting management of the customer relationship

Legal basis
Legitimate interest: for the purpose of prospecting potential and existing clients, and managing commercial, marketing and accounting activities

Recipients
Authorized personnel from the marketing, commercial, IT and accounting departments, other interested Armor Group companies, and service providers.

3.3. Supply and delivery management

Purposes
• Management of the supply chain for the French companies within the Group
• Management of deliveries to customers and between the Group’s sites

Legal basis
Legitimate interest: to ensure the communication necessary for the supply of ARMOR Group companies and for deliveries to clients and inter-site transfers of products

Recipients
Authorized personnel from the marketing, commercial, IT and accounting departments, other interested Armor Group companies, and service providers.

3.4. Supplier prospecting and relationship management

Purposes
• Prospecting and selection of suppliers
• Management of the supplier relationship

Legal basis
Legitimate interest in establishing and maintaining a supplier database and managing procurement activities

Recipients
Authorized personnel from the purchasing, accounting, logistics, legal, quality, HSE and IT departments, other interested Armor Group companies, and other service providers (including IT providers).

3.5. Management of contracts and other legal documents

Purposes
Management of contracts and legal documents

Legal basis
Legitimate interest: managing legal documents and contracts

Recipients
Authorized personnel from the IT, legal, purchasing, management control, regulatory monitoring and intellectual property departments, senior officers of interested Armor Group companies, authorized representatives of the contracting entity, and other legal service providers.

3.6. Anti-corruption and anti-money laundering compliance

Purposes
Prevent frauds

Legal basis
Legal obligation arising from Sapin II Law

Recipients
Authorized personnel from the consolidation and internal control, purchasing, finance and sales departments of Armor Group companies.
In the event of an audit: the French Anti-Corruption Agency.

3.7. Access control and video surveillance

Purposes
• Access control for visitors and external partners
• Video surveillance of the Chevrolière and Cordon Bleu plants

Legal basis
Legitimate interest: reception and access control for visitors, monitoring on-site presence, ensuring the safety of persons and property, protecting intellectual property, and contributing to Authorized Economic Operator certification.

Recipients
Authorized personnel responsible for evacuation and safety at the site, or authorized personnel from general services, IT, human resources, senior officers, or external emergency or investigative services in the event of an incident, as well as other service providers.

Processing activities relating to individuals who are employees within the ARMOR Group are described in the internal Personal Data Protection Policy, which is available in the documentary resources.

Your Personal Data is not retained for longer than necessary, based on:

• the purpose of the Processing operations carried out;
• archiving requirements in the event of litigation;
• our legal obligations subject to oversight by the competent authorities.

For further information, please contact the Data Protection Officer (DPO).

As a matter of principle, your Personal Data is not transferred outside the EU. The only Personal Data that may be transferred outside the EU to Group companies and certain Sub-processors (including suppliers, customers, and carriers) relates to the management of intra-group communications, contract administration, and the management of procurement, deliveries, and orders.

In the event of a transfer of Personal Data outside the EU to a country that does not provide an adequate level of protection within the meaning of the applicable Regulation, the relevant Group company or Sub-processor undertakes to implement all appropriate safeguards, including, without limitation, Standard Contractual Clauses, a code of conduct, or binding corporate rules.

The controller responsible for the Processing of your Personal Data is one of the following ARMOR Group companies, which determines the purposes and means of such Processing and is identified at the time of collection and processing of the Personal Data:

ARMOR SAS ("ARMOR-IIMAK")
20 rue Chevreul – 44100 Nantes - France
R.C.S. Nantes 857 800 692

ARMOR PRINT SOLUTIONS ("Altkin")
17 Boulevard de Chantenay, 44100 Nantes, France
R.C.S. Nantes 892 312 067

ARMOR BATTERY FILMS SAS
20 rue Chevreul – 44100 Nantes - France
R.C.S. Nantes 892 311 937

ARMOR SMART FILMS SAS
20 rue Chevreul – 44100 Nantes - France
R.C.S. Nantes 922 404 322

Several companies in the ARMOR GROUP are joint Processors when they determine jointly the Personal Data Processing purposes and means. ARMOR is the joint Processor for the following types of Processing, along with all the other subsidiaries mentioned above:

• Management of recruitment
• Management of procurements
• Management of deliveries
• Management of contracts and legal documents
• Access control and video surveillance
• Fight against corruption
• Management of the exercise of Data Subjects’ rights

Several ARMOR Group companies act as joint Controllers where they jointly determine the purposes and means of Processing your Personal Data. ARMOR is a joint Controller for the following Processing activities together with all other subsidiaries listed above:

• Recruitment management
• Procurement management
• Delivery management
• Management of contracts and legal documents
• Access control and video surveillance
• Anti-corruption measures
• Management of the exercise of Data Subjects’ rights

You have the right to access, rectify, object to, port, erase your Personal Data, or request a restriction of its processing. You may exercise these rights by contacting the Data Protection Officer (DPO) by email at:
dpo@armor-group.com or by postal mail at the following address: ARMOR, For the attention of the DPO, 20 rue Chevreul, 44110 NANTES, France, specifying:

• The identity of the Controller responsible for the Processing of your Personal Data;
• The right(s) you wish to exercise.

Your request will be processed within one month from its receipt. This period may be extended by two additional months, prior to the expiry of the initial month, depending on the complexity and number of requests. In the absence of a satisfactory response from ARMOR, you also have the right to lodge a complaint with the supervisory authority: CNIL, 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, or online at www.cnil.fr/fr/plaintes.

8.1. Appropriate technical and organizational measures

The French entities of the ARMOR Group implement technical and organizational security measures as outlined in a General Information Systems Security Policy.

These measures are proportionate to the sensitivity of the Personal Data and are designed to protect such data against destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

8.2. Cases of breaches of your Personal Data

In the event of a breach affecting your Personal Data, we will inform you and report the Personal Data breach to the competent supervisory authority.