Privacy Notice (EEA) Business Partners
At PHINIA we take data protection very seriously. We have developed this Privacy Notice in particular to clearly inform you about how we collect, use, disclose and otherwise process personal data as required by applicable law or as we require in the course of fulfilling our professional responsibilities and operating our business and about your rights under GDPR. Please find descriptions of all definitions used in Annex 1 of this Notice.
1. For whom is this Privacy Notice?
This Notice covers our processing of personal data under GDPR with respect to our Business Partners located in the EEA. By providing this Notice to you, we comply with our information obligations under GDPR. Please note that this Notice shall not confer upon you any rights or obligations that are not conferred upon you by law.
2. Who are we and how can you contact us?
The controller of your personal data is the PHINIA entity with which you or your employer / commissioner has entered into a contract or intends to enter into a contract and/or of which you are visiting the company premises.
For a list of the relevant PHINIA entities with their contact details, please refer to Annex 2. For information regarding the contact details of the relevant data protection officer or other privacy contact (if no data protection officer is appointed locally by the relevant PHINIA entity), please contact PHINIA´s compliance office.
In any case, you may always contact PHINIA´s compliance office with respect to questions about this Notice, the processing of your personal data in general and to exercise your rights towards PHINIA as outlined below under no. 8.
3. Where do we collect your data?
We collect your personal data either directly from you (e.g. if you contact us) or it may be provided to us by your employer / commissioner. This concerns the following categories of personal data:
Contact details (name, business address, business email address and phone number, business fax number)
Professional details (company name, job position, job title, authorizations (e.g. to receive notifications with respect to the relationship between your employer / commissioner and PHINIA or to conclude contracts)
You are generally not required to provide your personal data to us. However, if you do not provide your personal data, we might not be able to carry out certain processes (e.g. we will be unable to contact you without your contact details). In some cases, this may mean that we will be unable to continue with your engagement (in case we concluded or intend to conclude a contract with you) or that your employer / commissioner will not be able to deploy you as a point of contact for us.
How is your data used (purposes and legal bases)?
We process your personal data to administer and manage the relationship between us and you or your employer / commissioner, operate our business and comply with our legal obligations.
More specifically, we process your personal data for the following purposes and rely on the listed legal bases. Where relevant, the legitimate interest is included in the table below as well.
The relevant legal bases are:
Performance of a contract (Art. 6 (1) (b) GDPR);
Compliance with legal obligations (Art. 6 (1) (c) GDPR);
Protection of vital interests of you or of another natural person (Art. 6 (1) (d) GDPR;
Legitimate interests (Art. 6 (1) (f) GDPR); and
Consent (Art. 6 (1) (a), Art. 7 GDPR).
Purpose of processing | Legal basis | Legitimate interest (where relevant) | Categories of personal data |
To carry out the contract between us and (i) you or (ii) your employer / commissioner | (i) Performance of contract in case of a contract1 between you and the Controller or the intention to conclude such (ii) Legitimate interests in case your employer / commissioner concluded the contract* with the Controller or intends to do so | We have a legitimate interest in efficiently and productively carrying out the contract between us and your employer / commissioner. | Your contact details, professional details, and details on your (contractual) relationship with us |
To facilitate payments (in case you are our contractual partner and are entitled to payments) | Performance of contract | N/A | Your contact details, professional details and payment related information such as bank details |
To carry out sustainability assessments with respect to our suppliers | Legitimate interests | We have a legitimate interest in ensuring that our suppliers operate sustainably. | Contact details |
To operate CCTV operations on our premises (if any) | Legitimate interests | We have a legitimate interest in ensuring the security of our premises. | Videos/pictures of you |
To facilitate visits to our premises and ensure security of our premises | (i) Performance of contract in case the visit is necessary in the context of a contract between you and the Controller or the intention to conclude such (ii) Legitimate interests | We have a legitimate interest in ensuring the security of our premises. | Your contact details, professional details and log data of entry and exit from the premises and vehicle information (e.g. licence plate number) |
To provide you with direct marketing communication regarding products and/or services we offer (including via email) | Consent or – where lawful under applicable national direct marketing rules – our legitimate interests | We have a legitimate interest in marketing our products and/or services | Your contact details |
To protect your vital interests or those of another natural person (this will only apply in case you require emergency medical care while visiting our premises but are unconscious or otherwise incapable of giving consent) | Protection of vital interests of you or of another natural person | N/A | Your name and contact details |
To enable corporate transactions (including sale of all or part of our asset(s) and/or activity(ies)) | Legitimate interests | We may have a legitimate interest in disclosing information regarding our Business Partners to (potential) buyers or acquirers and their external counsels in certain scenarios. | Contact details, professional details, details on your (contractual) relationship with us |
To safeguard our rights | Legitimate interests | We have a legitimate interest in the establishment, exercise and defense of legal claims. | Your contact details, professional details and details on your (contractual) relationship with us |
To comply with legal obligations to which we are subject (e.g. deriving from tax law, foreign trade law or sanctions regulations) | Compliance with legal obligations | N/A | Your contact details, professional details and details on your (contractual) relationship with us |
To carry out compliance investigations | Legitimate interests | We have a legitimate interest carrying out compliance investigations to safeguard that we comply with our legal obligations. | Your contact details, professional details and details on your (contractual) relationship with us |
For any of the above listed purposes it might be necessary to transfer data to our Affiliates | (i) Performance of contract in case of a contract between you and the Controller or the intention to conclude such (ii) Legitimate interests in case your employer / commissioner concluded the contract with the Controller or intends to do so | We, as part of the PHINIA group, have a legitimate interest in transferring your personal data within the group for internal administrative purposes. | The data categories correspond to those listed with respect to the relevant purpose for processing. |
In some cases your personal data may be processed based on your freely-given consent. You will be informed about the purposes of such processing prior to being asked to give consent.
5. Who has access to your information (recipients)?
Within the Controller, only authorized PHINIA employees with appropriate responsibilities have access to your personal data. In addition, we may share your personal data with the following categories of recipients:
5.1 - We may share your personal data with service providers that process personal data on our behalf and subject to our instructions as so-called processors, for the purpose of providing their professional services to us:
Customer management system provider (USA)
Supplier management system provider (USA)
5.2 - We may share your personal data with the following third parties:
Other entities of the PHINIA Group: We may share your personal data with Affiliates for the purposes listed in no. 4 above.
Other third parties:
Sustainability assessment platform provider for the purpose of carrying out sustainability assessments
Tax and other state authorities (including social security institutions and law enforcement agencies) for the purpose of compliance with laws and regulations applicable to us
Consultants (lawyers and auditors) for the purpose of compliance with legal obligations, corporate transactions and safeguarding our rights
Courts in the EEA and outside the EEA for the purpose of safeguarding our rights
Potential buyer or acquirer of all or part of our asset(s) and/or activity(ies) for the purpose of corporate transactions
The legal bases relevant for the transfer of personal data to third parties can be found in no. 4 above.
6. Do we transfer your data internationally (third country transfers)?
Some recipients of personal data may be located outside the EEA/UK and in countries that do not offer a level of protection equivalent to the one granted in the EEA/UK. Where personal data is transferred to locations outside the EEA/UK, we will, as required by law, ensure that your privacy rights are adequately protected either because the European Commission has decided that the country to which personal data are transferred ensures an adequate level of protection (Art. 45 GDPR) or the transfer is subject to appropriate safeguards provided by entering into standard data protection clauses of the European Union with the recipient (Art. 46 GDPR) unless GDPR provides for an exception (Art. 49 GDPR). In addition to this, we intend to, where necessary, agree on additional measures with recipients to ensure an adequate level of data protection.
A copy of the standard data protection clauses of the European Union can be found here. Copies of other safeguards can be requested by contacting PHINIA´s Compliance Office.
7. How long do we store your data?
Your personal data will generally only be stored until the personal data are no longer necessary in relation to the purposes for which they were collected (or otherwise processed). The personal data therefore generally will be deleted at the latest after the contractual relationship with you or your employer / commissioner has ended and the standard statute of limitations period applicable to that information in the respective country has expired.
As an exception, personal data may be stored longer where their processing is necessary for compliance with a legal obligation – including compliance with statutory retention periods – to which we are subject or for the establishment, exercise or defense of legal claims.
8. What rights do you have under GDPR?
8.1 - Right of access. You may request information about the processing of your personal data and a copy of the personal data undergoing processing insofar as such copy does not adversely affect the rights and freedoms of others.
8.2 - Right to rectification. You may request correction of your personal data that is inaccurate and/or completion of such data which is incomplete.
8.3 - Right to erasure. You may request deletion of your personal data, in particular where (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, (ii) you objected to the processing and there are no overriding legitimate interests for the processing, (iii) your personal data has been unlawfully processed or (iv) your personal data has to be erased for compliance with a legal obligation to which we are subject. The right to deletion, however, does not apply in particular where the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims.
8.4 - Restriction of processing. You may request restriction of processing (i) for the period in which we verify the accuracy of your personal data if you contested the accuracy of the personal data, (ii) where the processing is unlawful and you request restriction of processing instead of deletion of the data, (iii) where we no longer need the personal data, but you require the data for the establishment, exercise or defense of legal claims or (iv) if you objected to processing until it has been verified whether our legitimate grounds override your interests, rights and freedoms.
8.5 - Right to data portability. You may request to receive your personal data, which you have provided to us, in a structured, commonly used machine-readable format and transmit those data to another controller without hindrance from us, where the processing is based on consent or a contract and the processing is carried out by automated means; in these cases you may also request to have the personal data transmitted directly to another controller where this is technically feasible (data portability).
8.6 - Right to withdraw consent. You may withdraw their consent at any time for the future where processing is based on your consent, without affecting the lawfulness of processing based on consent before its withdrawal.
8.7 - Right to object.
8.8 - Right to lodge a complaint. You may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of an alleged infringement if you consider that the processing of your personal data infringes the GDPR.
A list of the European supervisory authorities can be found here.
8.9 - France – Right to digital legacy. Should you be located in France, you additionally have the right to define (general or specific) directives regarding the fate of your personal data after your passing.
Please address your requests to exercise your rights to PHINIA´s Compliance Office (except for the right to lodge a complaint with a supervisory authority).
9. Changes to this Notice
We reserve the right to amend or modify this Notice at any time to ensure compliance with applicable laws. Please check regularly whether this Notice has been updated. We will notify you in case there are substantial changes to this Notice that affect you.
This Notice has been updated last in June 2023.
Annex 1 – Definitions
The terms and expressions in capital letters used in this policy have the meanings set forth below. Additionally, the definitions included in Art. 4 of the GDPR shall apply.
“Affiliate” shall mean PHINIA Inc. and any entity which directly or indirectly controls, or is controlled by, PHINIA Inc. ‘Control’ means direct or indirect ownership or domination of more than 50% of the voting interest of the respective entity.
“Business Partner” shall mean any natural person means with whom PHINIA has a business relationship, including but not limited to representatives and employees of customers, suppliers, service providers, external consultants, and visitors to our premises. PHINIA is obliged to inform future and current business partners in Europe about the processing of personal data by PHINIA in accordance with the GDPR.
“Controller”, “we”, “us”, “our” shall mean the PHINIA entity which is controller of your personal data according to no. 2 below.
“DPO” shall mean data protection officer.
“EEA” shall mean European Economic Area.
“GDPR” shall mean the General Data Protection Regulation (Regulation (EU) 2016/679) or UK GDPR where UK GDPR is relevant.
“Notice” shall mean this Privacy Notice (EEA).
“UK” shall mean United Kingdom.
“UK GDPR” shall mean the GDPR as transposed into UK national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the UK.
Annex 2 – PHINIA group entities as of [insert date]
Name | Address | Contact Details |
|
|
|
|
|
|