SUCRES ET DENREES S.A. (“SUCDEN”) is an independent leader in soft commodities trading. The Group trades on the world’s major exchanges in a wide range of products and services including sugar, coffee, cocoa, ethanol, ocean freight and futures/options brokerage. In support, it is active in agriculture and sourcing, processing, logistics, distribution, merchandising, financing, research and risk management.
SUCDEN is particularly committed to conducting its business with respect for the privacy and the protection of personal data of individuals, whether they are its own employees or external individuals such as clients, customers, partners, job applicants, providers, etc.
The purpose of this Data Protection Policy (the “Policy”) is to inform you about the commitments made by SUCDEN to ensure that your personal data are processed in compliance with the applicable relevant laws.
This Policy may evolve according to the legal and regulatory context and the doctrine of supervisory authorities.
“Controller”: The SUCDEN legal entity which determines the purposes and means of the Processing of Personal Data.
“Data Subject”: Any natural person, including you, whose Personal Data are processed by SUCDEN.
“Personal Data”: All information on an identified or identifiable natural person. A person is deemed to be identifiable if he or she can be directly or indirectly identified for example by reference to an IP number, identity number or by at least one factor specific to that person’s social, cultural, physical or economic identity.
“Processing”: Any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor”: The natural or legal person which processes Personal Data on behalf of the SUCDEN legal entity.
In order to provide legal certainty and transparency for economic operators, the European Union adopted the Regulation 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation or ‘GDPR’). The GDPR entered into force on 25 May 2018.
The local laws of each Member State remain relevant to such extent that they do not conflict with the GDPR provisions.
The Policy is subject to the GDPR and to the relevant local laws of the concerned SUCDEN legal entity.
Principles for processing Personal Data
SUCDEN commits to ensure that Personal Data are:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the intended purposes;
- processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
SUCDEN ensures that all its Processing operations are performed in accordance with the applicable laws.
The Board of Directors shall define and structure all processes where Personal Data can be collected, processed and/or used, and ensure that they comply with this Policy.
It shall include (but shall not be limited to) the following tasks:
- Ensuring that technical and organizational security measures are in place;
- Assuring that processes for the collection, use and/or processing of Personal Data are compliant with the applicable laws and that the global and local process owners are informed of necessary changes;
- Monitoring on a regular basis the relevant applicable laws.
Each SUCDEN employee has the duty to process, keep and use in strict confidence the Personal Data to which he or she has access in the course of his or her employment.
Each SUCDEN employee can collect, use and/or process Personal Data pursuant to the applicable SUCDEN procedure(s) but only to the extent necessary to perform his or her assignment.
Data protection officer
Where required by law, each SUCDEN legal entity shall appoint a local data protection officer who is in charge of ensuring compliance with relevant data protection and privacy law and with the provisions of this Policy.
How do we process Personal Data?
In which context do we obtain Personal Data?
- When contracting people;
- When being contacted by customers, suppliers and/or other persons via our website, phone, email or any other means;
- When prospecting new clients.
How do we respect the transparency principle set forth in the GDPR?
Each Data Subject is informed by the relevant SUCDEN legal entity which is collecting the Personal Data that his/her Personal Data are collected, used and/or processed and how his/her Personal Data are being handled by SUCDEN.
In particular, each Data Subject is informed (i) of which types of Personal Data will be subject to Processing; (ii) for which specific purpose(s); (iii) to whom such Personal Data might be transmitted; and (iv) how the Data Subject can exercise his or her rights.
How do we use the Personal Data?
Personal Data are subject to data secrecy. SUCDEN applies the following rules in order to prevent any unauthorized access, processing or use of such data:
- Employees may have access to Personal Data only to the extent that it is appropriate for the type and scope of the intended purpose;
- Employees shall not disclose Personal Data to unauthorized people, either within the company or externally;
- Employees shall not share Personal Data informally;
- Employees shall request help from their manager or the local data protection officer or the DPO in case of any doubt regarding any aspect of data protection;
- Employees will receive adequate training to help them understand their responsibilities when handling Personal Data.
How do we respect data accuracy?
SUCDEN ensures that Personal Data are accurate and, where necessary, kept up to date.
How do we store Personal Data?
SUCDEN is aware of the strict time limits for the record keeping of Personal Data.
To ensure safe storage, SUCDEN applies the following rules:
- When not required, paper documents or files should be kept in a locked drawer or filing cabinet;
- Employees shall make sure paper and printouts are not left where unauthorized people could see them;
- Personal Data printouts shall be shredded and destroyed securely when no longer required;
- Personal Data shall be protected by using passwords with a high degree of safety that are changed regularly and never shared between employees;
- Personal Data shall only be stored on designated drives and servers, and shall only be uploaded to approved cloud computing services;
- Servers containing Personal Data shall be sited in a secure location, away from general office space;
- Personal Data shall be backed up frequently;
- All servers and computers containing Personal Data should be protected by approved security software and a firewall.
Rights of Data Subjects
According to the GDPR, each Data Subject has the following rights:
- Right of access (article 15 GDPR): the Data Subject has the right to obtain confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the Personal Data.
- Right to rectification (article 16 GDPR): The Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning him or her.
- Right to erasure (article 17 GDPR): in certain cases defined in article 17 of the GDPR, the Data Subject has the right to obtain the erasure of Personal Data concerning him or her.
- Right to restriction of processing (article 18 GDPR): in certain cases defined in article 18 of the GDPR, the Data Subject has the right to obtain restriction of Processing.
- Right to data portability (article 20 GDPR): in certain cases defined in article 19 of the GDPR, the Data Subject has the right to receive the Personal Data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller.
- Right to object (article 21 GDPR): in certain cases defined in article 21 of the GDPR, the Data Subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of Personal Data concerning him or her.
In order to fulfill these requests efficiently and securely transmit the Personal Data to the Data Subject, SUCDEN has set up an internal process to handle Data Subject requests.
Transfer of Personal Data
As SUCDEN is a multinational group, Personal Data may be transferred to countries located outside the EEA. In this case, SUCDEN ensures that the country has an adequate level of data protection in compliance with articles 44 to 50 of GDPR. In particular, SUCDEN ensures that such transfers are (i) performed on the basis of an adequacy decision of the European Commission or (ii) are subject to appropriate safeguards.
Technical and organizational security measures
SUCDEN has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of each Processing.
These measures are detailed in the different security and IT policies of SUCDEN.
Last updated on 19 September 2018