This web page is to enable collaboration and information sharing for the purposes of ensuring compliance with the data protection legislation.
The text below contains links to the current drafts of these types of documents:
- Records of Data Processing Activities
- Privacy Notices
- Processor Compliance
- Process Documents
I have drafted these documents with what I know about CUK’s data processing in mind; however, the purpose of this web page is to invite feedback and comments.
Please send feedback and comments to me at firstname.lastname@example.org
Those with responsibilities for data protection compliance are listed below.
These individuals should have responsibility for data protection in their respective areas specifically identified in their job descriptions.
Chief Executive Officer – Martin Jarrett
Overall responsibility for compliance and for allocating data protection duties and responsibilities to departmental heads.
GDPR Local Key Contact – Leila Sangar (Eacotts)
Day-to-day responsibility for GDPR issues (updating the record and notices, answering data subjects’ requests, alerting on data breaches, liaising with the legal team and colleagues etc.; a guide with the full description of the tasks is to be provided).
Red text – for attention: to be reviewed and amended or has action points
Blue text – for review: likely to be accurate
Green text – for consideration (i.e. something that may be helpful but is not essential)
When we act as a data processor we must maintain records of all categories of data processing including:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of Extra-territorial transfers, the documentation of suitable safeguards;
- where possible, a general description of the technical and organisational security measures.
When we act as a data controller this requires us to have records of our processing activities, to have adopted and published suitable policies, to have allocated responsibilities for data protection to suitable job holders and to have ensured our staff have been trained in data protection basics.
It also requires us to ensure that those who process personal data for us have the relevant data protection clauses in the relevant supply contracts.
When we have completed the process, a tool to assess our compliance with the duty of accountability will be linked >>here<<
This requires us to provide all categories of data subjects for whom we process personal data with information about our processing activities.
When we obtain personal data from the data subject, we must provide this information when we collect the data. When we obtain it from a third party we must provide this information within 1 month.
We will comply with the duty of transparency by publishing suitable privacy notices.
This can be done via a website (i.e. a ‘data privacy page’ or similar) and providing a link to this page whenever we collect personal data.
Alternatively we can issue the privacy notice to the data subjects in electronic or hard copy.
The Constellium Group entity that is the data controller is required to respond to data subjects’ requests in relation to their rights within 30 days (in the majority of cases).
These are the right to: (i) access, (ii) be informed of processing activities, (iii) rectification of inaccurate or incomplete data, (iv) erasure, (v) restriction of processing, (vi) portability and (vii) object to processing.
We will comply with this by following the Constellium Group Data Subject Rights Processes and by completing and maintaining records of the forms that are required as part of that process.
We will ensure our staff are adequately trained.
This requires us to adopt suitable security measures to avoid or minimise the risk of a data breach. The extent to which we are obligated to deploy security will depend on the level of risk of a breach, the risk to data subjects’ rights and freedoms in the case of a data breach, and also the sensitivity of the data we process.
We will comply with this by following the Constellium Group guidance and processes regarding data security and data breaches.
We will undertake a data protection impact assessment if the risk associated with processing is high.
We will ensure our staff are adequately trained.
Records of Processing Activities
The most recent version of the records of processing activities is linked >>here<< as an MS Excel download.
The entries that relate to CUK were based on the survey document linked >>here<<
We must keep this under review; provide any important missing information and indicate if a new processing activity should be added.
Data Protection Policy
As part of our duty of accountability we explain our approach to all aspects of compliance in a single policy document.
This is an outward facing document that will be available to those external to the business. This document is available >>here<<
Data Subject Rights – Employees
Our approach to fulfilling employee data subject’s rights requests is set out in the Employee Data Subject Rights Process which can be accessed >>here<<
This process requires forms to be completed by the employee (available to download >>here<<), the person who receives the request (available to download >>here<<) and the Data Privacy Officer (available >>here<<).
Data Subject Rights – Others
[Is there a process for external data subject requests?]
Data Subject Rights – Generally
Template letters are available >>here<< as a pdf file.
Guidance for those who handle requests:
Basic guidance is linked >>here<<
For more detailed guidance see the link >>here<<
Constellium Group’s data security guidance is available >>here<<
When we act as data processor we must investigate data breaches or ‘near misses’ quickly and report data breaches to the relevant Constellium Group company that acts as data controller (as per the Interaffiliate Data Processing and Transfer Agreement, see below).
When we act as a data controller we, like the relevant Constellium Group companies above, are under very stringent reporting requirements when we become aware of a data breach or ‘near miss’.
When we act as a data controller we have only 72 hours to investigate and notify the regulatory authority in the UK (the Information Commissioner’s Office, or ‘ICO’).
In more serious cases we may also have to notify the data subjects who are affected.
Constellium Group procedures ensure we fulfil our duties within the requisite timescale. The Data Breach Incident process is available >>here<<
It includes a link to a list of regulatory authorities in the EU (>>here<<)
Data protection compliance under the GDPR means complying with the principle of data minimisation; we will do this in two ways.
By keeping our records of processing activities under careful review we will be able to identify personal data categories that we no longer need, or can no longer justify processing.
We must also set and abide by suitable retention periods for the personal data we process.
Our approach to retention periods is contained within the records of processing activities (see column P in 2019.06.28 Constellium Processing-activities linked above).
For employees it is six years from termination of employment.
[If we process data for any other categories of data subject the records of processing activities must be amended]
Wherever we share personal data with a contractor, supplier or other business partner we must ensure that GDPR article 28 terms are either incorporated into the terms of business, or that they have been agreed separately.
A form that can be used to verify that a processor’s terms include these is available >>here<<
If a processor’s terms do not include the article 28 terms …
… we will ensure that the addendum to contract terms linked >>here<< are signed off or incorporated into the main contract.
If the processor is contracting on our terms of business we will ensure these incorporate the article 28 terms.
We can also demonstrate that processing undertaken on our behalf is lawful by recording external processors in the audit (IAR) and noting where we are satisfied that the article 28 terms are incorporated into the relevant terms of business.
Inter Group Sharing
Transfers of personal data from one Constellium Group entity to another are subject to an Interaffiliate Data Processing and Transfer Agreement.
The Interaffiliate Data Processing and Transfer Agreement has been executed on behalf of these Constellium Group entities:
- CONSTELLIUM N.V.
- CONSTELLIUM HOLDCO II B.V.
- CONSTELLIUM N.V. (French branch)
- CONSTELLIUM INTERNATIONAL
- CONSTELLIUM FINANCE
- CONSTELLIUM FRANCE HOLDCO
- CONSTELLIUM USSEL
- CONSTELLIUM EXTRUSION FRANCE
- CONSTELLIUM PARIS
- C-TEC CONSTELLIUM TECHNOLOGY CENTER
- CONSTELLIUM NEUF-BRISACH
- CONSTELLIUM ISSOIRE
- CONSTELLIUM MONTREUIL-JUIGNÉ
- CONSTELLIUM FRANCE III
- ENGINEERED PRODUCTS INTERNATIONAL
- CONSTELLIUM SINGEN GMBH
- CONSTELLIUM DEUTSCHLAND GMBH
- CONSTELLIUM ROLLED PRODUCTS SINGEN GMBH & Co. KG
- CONSTELLIUM GERMANY HOLDCO GMBH & Co. KG
- CONSTELLIUM GERMANY VERWALTUNGS GMBH
- CONSTELLIUM TREUHAND UG (HAFTUNGSBESCHRÄNKT)
- CONSTELLIUM EXTRUSIONS LANDAU GMBH
- CONSTELLIUM EXTRUSIONS DEUTSCHLAND GMBH
- CONSTELLIUM EXTRUSIONS BURG GMBH
- CONSTELLIUM AUTOMOTIVE ZILINA S.R.O.
- CONSTELLIUM EXTRUSIONS DECIN S.R.O.
- CONSTELLIUM EXTRUSIONS LEVICE S.R.O.
- CONSTELLIUM UK LIMITED
- CONSTELLIUM VALAIS SA
- CONSTELLIUM SWITZERLAND AG
- CONSTELLIUM ITALY S.P.A.
- CONSTELLIUM W
- CONSTELLIUM HOLDINGS MUSCLE SHOALS LLC
- CONSTELLIUM MUSCLE SHOALS LLC
- CONSTELLIUM MUSCLE SHOALS FUNDING II LLC
- LISTERHILL TOTAL MAINTENANCE CENTER LLC
- CONSTELLIUM US HOLDINGS I, LLC
- CONSTELLIUM AUTOMOTIVE USA, LLC
- CONSTELLIUM ROLLED PRODUCTS RAVENSWOOD, LLC
- CONSTELLIUM-UACJ ABS LLC
- CONSTELLIUM METAL PROCUREMENT LLC
- CONSTELLIUM PROPERTY AND EQUIPMENT COMPANY LLC
- CONSTELLIUM AUTOMOTIVE MÉXICO TRADING, S. DE E.L. DE C.V.
- CONSTELLIUM AUTOMOTIVE MÉXICO, S. DE R.L. DE C.V.
- CONSTELLIUM SOUTHEAST ASIA PTE. LTD.
- CONSTELLIUM JAPAN K.K.
- CONSTELLIUM ENGLEY (CHANGCHUN) AUTOMOTIVE STRUCTURES Co. LTD
- CONSTELLIUM CHINA
This agreement provides that where the entity that receives personal data (‘Data Importer’) does so as a data processor its terms regulate the respective group entities’ duties and responsibilities. This agreement complies with GDPR article 28 (see above).
An unsigned copy of this agreement can be viewed >>here<<
[Is there a final executed version?]
Transfers to Third Countries
Personal data may be shared between Constellium Group entities based in EU member states and those external to the EU. These transfers are subject to the Interaffiliate Data Processing and Transfer Agreement, see above, which incorporates the EU Standard Contractual Clauses.
[Are there any transfers from CUK to 3rd party and other sub-processors outside the EU]
We have a privacy notice for data subjects who are our employees.
The short form version of this document is linked >>here<<
I have undertaken a compliance review of the short form version of document >>here<<; please note my comments. We may need to amend the privacy notice for full compliance.
There is also a longer form version linked >>here<<
I will undertake a compliance review of the long form version of document >>here<<.
We should add privacy notices for any other categories of data subject whose personal data we process:
- Agency workers
- Applicants for employment (for whom data processing will be different from those who are ultimately employed)
- Suppliers and contractors
[privacy notice will ideally carry contact details for CUK GDPR Local Contact ‘email@example.com’]
We need to ensure we provide a link to the relevant privacy notice/s wherever we collect personal data and to backfill this where data subjects have not yet been given this information.
We can also use a link to this wording in place of long and inconvenient text when we collect personal data.
If this is viable, the text for this can be something along these lines:
Additional guidance on data protection compliance can be found on these links: