GPF’s policy on personal data protection

GPF is careful to comply with the rules governing protection of personal data and is committed to the highest standards of professional ethics, in particular in terms of respecting personal privacy.

In the course of its activities, GPF collects and processes personal data concerning its customers, employees and partners such as suppliers and contractors.

Determined to encourage innovation whilst also building lasting relationships based on trust and shared values of social responsibility and respect for people, GPF has put in place the structures and technical resources needed to protect the personal data that is processes. It regularly reviews and adapts these mechanisms to ensure robust protection for personal data.

This policy document on personal data protection is designed to provide information about GPF’s commitments in terms of protection of personal data.

1. Data collection is fair and transparent

GPF informs its customers, employees and partners about data processing that concerns them using the most appropriate channels, to ensure transparency of the data collection process.

The primary aim of collecting personal data is efficient management of the various relationships that GPF has with its customers, employees and partners.

2. Data processing is necessary and proportionate

Where GPF is required to process data, it does so for specific purposes: all data processing undertaken by GPF is for a purpose that is necessary, limited in scope and explicit in purpose.

GPF preserves data ways that enable the people concerned to be identified only for a period of time required for the purposes for which the data is processed.

3. Data processing is accurate and minimised

For all data processing activities, GPF is committed to collecting and using only data that is relevant, appropriate and limited to what is necessary for the purposes for which it is processed.

4. Data security is ensured

GPF regards the security of personal data as a matter of great importance.

Appropriate technical and organisational measures are employed to ensure that data are processed in ways that guarantee they will not be lost, destroyed or accidently damaged in ways that may compromise their confidentiality or integrity.

When designing, selecting or using the various tools that enable it to process personal data, GPF seeks assurances from its in-house teams or the publishers of said tools, as appropriate, that these tools deliver optimal protection for all data processed.

GPF acts at all times to ensure by-design and by-default protection for all data processed. To this end, whenever possible and/or necessary, GPF uses pseudonymisation or data encryption techniques.

When GPF works with a contractor, GPF will pass on personal data only after requiring that the contractor abides by GPF’s data security rules.

GPF audits its services and those of its contractors to check that its data security rules are applied.

5. Access to data is controlled

GPF operates strict accreditation policies to ensure that the data it processes can be consulted only by authorised persons.

When GPF needs to transfer data outside the European Union, for example to one of its contractors, it does so only within the context of a specific contractual framework and in compliance with all regulatory requirements to guarantee the highest level of data protection.

6. Individual rights are respected

GPF is fully committed to ensuring respect for the rights of people concerned by the data processing it performs:

  • right to be informed;
  • right of access;
  • right to correct;
  • right to erase (“right to be forgotten”);
  • right to restrict processing;
  • right to portability;
  • right to object;
  • right to give instructions for the retention, erasure and communication of your personal data after your death.

7. Easy to contact

GPF will respond to requests from concerned individuals at every stage of the data processing process, and will fully abide by all conditions and deadlines imposed by applicable regulations.

Requests from individuals to exercise their rights can be made, electronically and/or by post, by addressing the contact name provided, inter alia, in the legal notice, the standard terms and conditions for use of applications and websites, on data collection forms, etc.

The individual concerned must clearly indicate their last and first name(s), attach a copy of a proof of identity and provide an address to which the response should be sent.

GPF will inform all concerned individuals who wish to exercise their rights in the event that it should prove impossible to respond to their request.