Flexcon Europe GDPR Data Protection Notice

Date Updated: 03/15/2025

Addendum to the Flexcon Global Privacy Policy – UK/EU/EEA

GDPR Data Protection Notice

Introduction and scope

Flexcon and its affiliates (identified below) in the European Union ("EU"), European Economic Area ("EEA") and the United Kingdom (“UK”) (hereinafter collectively, "Flexcon", "we" or "us") collect and process information relating to an identified or identifiable natural person ("personal data") provided to us from, or that we obtain on behalf of, our suppliers/customers/outside contacts located in the EU, EEA and the UK (hereinafter collectively, "Europe") in the course of providing services to them.

The Flexcon affiliates in Europe are located at:

Flexcon Europe Limited 
Whitworth Road 
Southfield Industrial Estate 
Glenrothes, Fife KY6 2TF 
Scotland - UK   

Flexcon Europe Limited 
Flevolaan 3 
1382 JX Weesp 
P.O. Box 131 
1380 AC WEESP 
The Netherlands 

Email contact for both: privacy@Flexcon.com 

This Data Protection Notice ("Notice") is provided in accordance with applicable privacy laws including, but not limited to, laws implementing the General Data Protection Regulation 2016/679 ("GDPR"), the national implementing laws of the GDPR in Europe and the UK GDPR (the "Data Privacy Laws"). It applies only to former, current and prospective suppliers/customers/outside contacts located in Europe ("Third Parties") whose personal data we process on their behalf or on behalf Flexcon. It identifies the personal data we receive and how we use this information to serve our Third Parties and do business with our Third Parties.

We provide various commercial services to our Third Parties. In this respect, we are likely deemed a data controller under applicable Data Privacy Laws with respect to the personal data we obtain from Third Parties about their personnel and other individuals with whom we work. To the extent that we are deemed a data controller under applicable Data Privacy Laws, this Notice fulfils our obligation to provide information to the Third Parties whose personal data we process in this capacity. Our contact details are provided at the end of this Notice.

This Notice is offered as an addendum to our Global Privacy Policy, as amended. If there is any conflict between the Global Privacy Policy and this Notice, the Notice shall govern. Please ensure that you read our Global Privacy Policy in tandem with this Notice, as the Global Privacy Policy also provides you with information about how we handle your personal data, including information which we must give you under Data Privacy Laws.

What personal data do we process and how is it collected?

The European personal data that we process primarily includes "Contact Data", "Identity Data" and "Marketing and Communications Data" as follows:

  • "Contact Data": Email address, telephone number and physical address.
  • "Identity Data": First name, last name, position / title.
  • "Marketing and Communications Data": Preferences in receiving marketing from us and communication preferences.

We do not collect any special categories or other sensitive forms of personal data about our Third Parties.

We collect the above forms of personal data from different sources, including from:

  • directly from our Third Parties;
  • public sources, such as the internet sites; and
  • from any vendor engaged by us or by our Third Parties to provide services on our customer's behalf.

What we do with this personal data

The purposes of the processing for which the personal are intended as well as the legal basis for the processing is as follows:

purpose of personal data

If a data subject has provided consent to processing and subsequently withdraws that consent, we may still process that data subject's personal data where we have another lawful basis for doing. Flexcon will not use this personal data for any additional purposes without express consent to do so, unless we have another lawful ground on which to use this information under the Data Privacy Laws. Any such consent is revocable at any time. Where we need to collect personal data by law or under the terms of a contract that we have with a data subject and the data subject fails to provide that personal data when requested, we may not be able to perform the contract we have with the data subject (for example, to provide access to the services).

Automated decision making

Flexcon is not using European personal data for automated decision making, including profiling.

Sharing of personal data

We do not allow any third party/subcontractor/subprocessor to have access to this personal data, except as required or permitted by Data Privacy Laws or in accordance with this Notice and the Privacy Policy.

We may disclose this personal data to:

  • our other corporate entities outside of Europe for internal administrative purposes
  • our subcontractors (e.g., third parties that provide us with services such as IT services, hosting services, administration services, and other business process services, and marketing services)
  • our legal advisers
  • our auditors
  • our other relevant business advisers (e.g., bankers, accountants and insurers)
  • regulatory or governmental authorities (e.g., to comply with the law or respond to compulsory legal processes (such as a search warrant or court order) or in response to a request for information from a regulator or governmental authority, or in the course of actual or anticipated litigation or otherwise for legal purposes
  • other business entities in connection with the sale, assignment, merger or other transfer of all or a portion of Flexcon's business to that business entity

We require that our subcontractors, agents, legal advisers, auditors and other relevant business advisers agree in writing to comply with the Data Privacy Laws. We will only permit them to process personal data for specified purpose and in accordance with our instructions.

There may be instances when we disclose this personal data to other parties to protect the rights, property or safety of Flexcon, or any of our respective affiliates, business partners, or other third parties, or otherwise in the legitimate business interests of Flexcon and/or our affiliates and in accordance with Data Privacy Laws.

International transfers of personal data

Some of this personal data is processed by us outside Europe, including in the United States, and is held on secured servers. Flexcon's European affiliates take steps to safeguard the privacy and security of all categories of personal data as required under the Data Privacy Laws. Flexcon complies with the Data Protection Framework  (“DPF”), as described below. 

How Flexcon protects personal data

We are regularly audited for adherence to the ISO 9001 standard and are currently certified. We backup data every day to a secure offsite location which is GDPR compliant. Firewalls in our facilities are updated by the company IT department. Hard drives on PCs and laptops are protected by industry-standard encryption software.

Flexcon understands that storing personal data in a secure manner is an essential requirement of the Data Privacy Laws and, therefore, employs reasonable physical, technical and administrative safeguards to secure such data against foreseeable risks, including unauthorized use, access, disclosure, destruction, or modification. More specifically, our information security team has developed policies, standards and procedures to support and enforce preventive and detective operational controls to ensure the confidentiality, integrity, and availability of Flexcon's data. We utilize preventive and detective controls such as Log Collection Analysis and Event Correlation, Perimeter Protection, Account Security, Physical Security, User Access, Encryption, Data Loss Prevention, and Vulnerability Management to safeguard the data of Third Parties. In addition, Flexcon personnel are required to read Flexcon's code of business conduct and confidentiality and data security policies which are available to them online via the company internal network.

Although we make good-faith efforts to store the information we receive from and on behalf of the Third Parties in a secure operating environment that is not available to the public, Flexcon cannot guarantee complete security. Further, while we work to ensure the integrity and security of our network and systems, we cannot guarantee that our security measures will prevent third-party "hackers" from illegally obtaining this information.

How long we keep it

We retain the personal data for the duration of the business relationship with the Third Party and, depending on the applicable jurisdiction in which a Third Party is located, after the end of the engagement, unless the information is needed longer for legal, regulatory, audit, and tax requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, regulatory requirements, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Data protection rights under the GDPR

Data subjects may have the following rights under applicable Data Privacy Laws in relation to their personal data:

Data protection rights under the GDPR

Please use the contact details provided to exercise any of the rights set out above. Where a data subject has any such rights under Data Privacy Laws, we will respond to any such rights that a data subject wants to exercise within one (1) month of receiving the request, unless the request is complex, in which case it may take longer. Please be aware that there are exceptions and exemptions that apply to some of the rights, which we will apply in accordance with the applicable data protection laws.

In addition to the above rights, data subjects’ have the right to lodge a complaint with a supervisory authority.

Data Privacy Framework (“DPF”) Applicability (Certification Pending, April 2025)

Flexcon complies with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Protection Framework (Swiss-US DPF) (collectively with the EU-US DPF, the “Data Privacy Framework,” or “DPF”) as set forth by the US Department of Commerce.  We have certified to the US Department of Commerce that we adhere to the EU-US Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union / European Economic Area in reliance on the EU-US DPF, from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF, and from Switzerland in reliance on the Swiss-US DPF.  If there is any conflict between the terms in this privacy policy and the EU-US DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.  The Federal Trade Commission has jurisdiction over our compliance with the DPF.

In compliance with the DPF Principles, we commit to resolve complaints about our collection or use of personal information.  Residents of Europe with inquiries or complaints regarding our Privacy Policy and DPF commitment should first contact us through our representative, identified below. You can always submit a complaint directly to your local data protection authority.

We have further committed to refer unresolved privacy complaints under the EU-US DPF Principles to the International Centre for Dispute Resolution (“ICDR”) of the American Arbitration Association (“AAA”), a non-profit alternative dispute resolution provider located in the US.  If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://go.adr.org/dpf_irm.html for more information and to file a complaint. The services of ICDR-AAA are provided at no cost to you.

Under certain conditions, and as a last resort, it may be possible for you to invoke binding arbitration for complaints regarding DPF compliance not resolved by any other mechanisms.

Any onward transfer of personal data received under the DPF shall be subject to the same protections as set forth in the DPF Principles, including notice, choice, accountability for onward transfer, security, data integrity, purpose limitation, access, and recourse, enforcement, and liability.

Changes to this notice

This Notice may be revised from time to time. Small changes or changes that do not significantly affect data subjects’ privacy interests may be made at any time and without prior notice.

How to contact us

If you have any suggestions, questions, or concerns about this Notice or if you want to know which personal data, we have stored pertaining to you, please contact us at:

Privacy@flexcon.com