PRIVACY POLICY
CONTENTS
1. Purpose
2. Scope
3. Definitions
4. General Data Protection Regulation (GDPR) And Other Applicable Data Law
4.1 Personal Data
5. Objectives
6. Governance Procedures
6.1 Accountability And Compliance
6.2 Privacy By Design
6.3 Data Minimisation
6.4 Pseudonymisation
6.5 Encryption
6.6 Restriction
7. Data Protection Audit
8. Legal Basis For Processing
9. Processing Special Category Data
10. Records of Processing Activities
11. Third-Party Processors
12. Data Retention
13. Data Protection Impact Assessments (DPIA)
14. Data Subject Rights Procedures
14.1 Consent And The Right to be Informed
14.2 Alternatives to Consent
14.3 Information Provisions
14.4 Personal Data Not Obtained from the Data Subject
14.5 Employee Personal Data
14.6 The Right of Access
14.7 Subject Access Request
14.8 Data Portability
14.9 Rectification
14.9.1 Correcting Inaccurate Data
14.10 The Right to Restrict Processing
14.11 Objections
15. Security And Breach Management
16. Transfers And Data Sharing
17. Training
Schedule 1: Transtech Affiliates
1. PURPOSE
The purpose of this policy is to explain how Transtech Group and all its affiliates (here referred to as “Transtech”; see Schedule 1 for details) meet their legal and regulatory requirements under the various applicable data protection laws (here referred to as “the applicable data laws”) and to ensure that all personal and special category information is processed compliantly and in the best interests of individuals/data subjects.
2. SCOPE
The applicable data laws include, but are not limited to, Regulation (EU) 2016/679 (the General Data Protection Regulation, “the EU GDPR”) and all other data protection laws and regulations applicable to Transtech and its operations. These laws regulate the processing of personal information (here referred to as “data”) of the residents of any relevant jurisdiction.
The applicable data laws include provisions that promote accountability and governance. Transtech has put comprehensive and effective governance measures in place to meet these provisions. The aim of such measures is to minimise the risk of breaches and uphold the protection of personal data.
3. DEFINITIONS
• “Biometric data” means data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
• “Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of data relating to him or her.
• “Cross Border Processing” means processing of data which: -
o takes place in more than one EU Member State or other country; or
o substantially affects or is likely to affect data subjects in more than one EU Member State or other country.
• “Data controller” means, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of data.
• “Data processor” means a natural or legal person, public authority, agency or other body which processes data on behalf of the controller.
• “Data subject” means an individual who is the subject of data.
• “GDPR” means the General Data Protection Regulation (EU) 2016/679.
• “Genetic data” means data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person, and which originates, in particular, from an analysis of a biological sample from the natural person in question.
• “Personal data” (“data”) means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, social or other identity of that natural person.
• “Processing” means any operation or set of operations which is performed on data or on sets of data (whether or not by automated means) such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• “Profiling” means any form of automated processing of data consisting of the use of data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
• “Supervisory Authority” means an independent public data protection regulatory authority which is established by an EU Member State or by another applicable third country relevant to the operations of Transtech’s business.
• “Third Party” means a natural or legal person, public authority, agency or body other than the data subject.
• “Transtech” means Transtech Group, LLC., Trans-Tech Energy, Metalforms, Metalforms Italia and affiliated companies from time to time (listed in Schedule 1).
4. GENERAL DATA PROTECTION REGULATION (GDPR) AND OTHER APPLICABLE DATA LAW
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) came into force for all EU Member States on 25 May 2018 and applies directly in each Member State. As Transtech processes personal information regarding individuals (data subjects), we are obligated under the GDPR to protect such information, and to obtain, use, process, store and destroy it only in compliance with its rules and principles. We are similarly obligated under the provisions of all other applicable data laws or frameworks relevant to our business to protect personal information in other relevant jurisdictions.
4.1 PERSONAL DATA
Information protected under the GDPR and other applicable data laws is known as “personal data” (“data”) and is defined as: -
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Transtech ensures that a high level of care is afforded to data falling within the GDPR’s ‘special categories’ (or the equivalent in any other applicable data laws).
In relation to the ‘Special categories of Personal Data’ the GDPR advises that: -
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited” – unless one of the Article 9(2) exceptions applies.
5. OBJECTIVES
We are committed to ensuring that all data processed by Transtech is done so in accordance with the applicable data laws. We ensure the safe, secure, ethical and transparent processing of all data and have stringent measures to enable data subjects to exercise their rights.
Transtech has developed the objectives and governance procedures set out below to meet our data protection obligations and to ensure continued compliance with the legal and regulatory requirements.
6. GOVERNANCE PROCEDURES
6.1 ACCOUNTABILITY AND COMPLIANCE
Due to the nature, scope, context and purposes of processing undertaken by Transtech, we carry out frequent risk assessments and information audits to identify, assess, measure and monitor the impact of such processing. We have implemented adequate and appropriate technical and organisational measures to ensure the safeguarding of data and compliance with the applicable data laws.
Transtech has appropriate technical and organisational measures in place to ensure and demonstrate compliance with the applicable data laws.
6.2 PRIVACY BY DESIGN
We operate a 'Privacy by Design' approach and ethos, with the aim of mitigating the risks associated with processing data through prevention via our processes, systems and activities. We have developed controls and measures that help us enforce this ethos as follows:
6.3 DATA MINIMISATION
The GDPR and the other applicable data laws require that data be 'adequate, relevant and limited to what is necessary', which forms the basis of our minimalist approach. We only ever obtain, retain, process and share the data that is essential for carrying out our services and/or meeting our legal obligations, and we only retain data for as long as is necessary.
Our systems, employees, processes and activities are designed to limit the collection of personal information to what is directly relevant and necessary to achieve the specified purpose. Data minimisation enables us to reduce data protection risks and breaches and supports our compliance with the applicable data laws.
Measures to ensure that only the necessary data is collected include: -
• Electronic collection methods (e.g. forms, website, surveys) only have the fields that are relevant to the purpose of collection and subsequent processing. We do not include 'optional' fields, as an optional field by definition collects data that is not necessary.
• We have appropriate agreements in place with third-party controllers who send us personal information (whether we act as a controller or as a processor). These state that only data relevant and necessary to the processing activity we are carrying out is to be provided.
• We have documented destruction procedures in place where a data subject or third-party provides us with personal information that is surplus to requirement
• Forms, contact pages and any documents used to collect personal information are reviewed periodically to ensure they are fit for purpose and only obtaining necessary personal information in relation to the legal basis being relied on and the purpose of processing
6.4 PSEUDONYMISATION
We utilise pseudonymisation where possible and appropriate to record and store data in a way that ensures it can no longer be attributed to a specific data subject without the use of separate, additional information (the personal identifiers). Encryption and partitioning are also used to protect those personal identifiers, which are kept separate from the pseudonymised data sets.
When using pseudonymisation, we ensure that the attributes removed and replaced are the ones that uniquely identify the data subject, so that the data subject cannot be identified from the remaining markers and attributes. Pseudonymised data can still allow a data subject to be identified indirectly and remains personal data; for this reason we use pseudonymisation in conjunction with other technical and organisational measures of risk reduction and data protection.
6.5 ENCRYPTION
We utilise encryption as a further risk prevention measure for securing the data that we hold. Encryption renders data unreadable to anyone who does not hold the corresponding decryption key.
We utilise encryption for transferring data to any external party. Where special category information is being transferred and/or disclosed, we review the encryption method used for adequacy and correct application before the transfer.
6.6 RESTRICTION
Our Privacy by Design approach means that we use company-wide restriction methods for all data activities. Restricting access is built into the foundation of Transtech’s processes, systems and structure and ensures that only those with authorisation and/or a relevant purpose, have access to personal information. Special category data is restricted at all levels and can only be accessed by the appropriate duly authorised persons.
7. DATA PROTECTION AUDIT
To enable Transtech to fully prepare for and comply with the applicable data laws, we have carried out a company-wide data protection audit to better enable us to record, categorise and protect the personal data that we hold and process.
All personal information obtained, processed and shared by Transtech in our capacity as a controller/processor is compiled on a central register which includes details about: -
• What personal data we hold
• Where it came from
• Who we share it with
• Legal basis for processing it
• What format(s) it is in
• Who is responsible for it
• Disclosures and transfers
8. LEGAL BASIS FOR PROCESSING
At the core of all personal information processing activities undertaken by Transtech, is the requirement to comply with all applicable data laws.
Data is only obtained, processed or stored when we have met the relevant processing requirements including where: -
• The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• Processing is necessary for compliance with a legal obligation to which we are subject
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Transtech
• Processing is necessary for the purposes of the legitimate interests pursued by Transtech or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data)
• Any such other permissible processing as applicable data laws shall allow.
9. PROCESSING SPECIAL CATEGORY DATA
Special categories of Personal Data are defined in the data protection laws as: -
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
Where Transtech processes any personal information classed as special category or information relating to criminal convictions, we do so in accordance with the applicable data laws.
9.1 We will only ever process special category data where: -
• The data subject has given explicit consent to the processing of the personal data
• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
• Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
• Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim
• Processing relates to data which are manifestly made public by the data subject
• Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
• The applicable data laws otherwise permit such processing
Where Transtech processes personal information that falls into one of the above categories, we have adequate and appropriate provisions and measures in place prior to any processing.
10. RECORDS OF PROCESSING ACTIVITIES
Where Transtech acts as a controller (or a representative), our internal records of the processing activities carried out under our responsibility include, but are not limited to, the following information: -
• Our full name and relevant contact details. Where applicable, we also record any joint controller and/or the controller's representative
• The purposes of the processing
• A description of the categories of data subjects and of the categories of data
• The categories of recipients to whom the data has or will be disclosed (including any recipients in third countries or international organisations)
• Where applicable, transfers of data to a third country or an international organisation (including the identification of that third country or international organisation and where applicable, the documentation of suitable safeguards)
• Where possible, the envisaged time limits for erasure of the different categories of data
• A general description of the processing security measures.
Where Transtech acts as a processor (or a representative), our internal records of the categories of processing activities carried out on behalf of a controller, contain the following information: -
• The full name and contact details of the processor(s) and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative
• The categories of processing carried out on behalf of each controller
• Where applicable, information documenting transfers of data to a third country or an international organisation (including the identification of that third country or international organisation and where applicable, the documentation of suitable safeguards)
• A general description of the processing security measures employed
11. THIRD-PARTY PROCESSORS
Transtech works with external processors for certain processing activities (where applicable). We use information audits to identify, categorise and record all data that is processed outside of Transtech, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible. Such external processing may include, but is not limited to, the following:
• IT Systems and Services
• Legal Services
• Other Professional Services (for example, accounting)
• Debt Collection Services
• Human Resources
• Payroll
• Hosting or Email Servers
• Credit Reference Agencies
• Direct Marketing, Mailing and Emailing Services
We have strict due diligence, Anti-Money-Laundering and Know Your Customer procedures and measures in place and review, assess and, as necessary, carry out appropriate background checks on all processors prior to forming a business relationship. Where relevant, we obtain company documents, certifications and references and ensure that the processor is adequate, appropriate and effective for the task we are engaging them to perform.
We review their processes and activities prior to contract and during the contract period to ensure compliance with the data protection regulations and review any codes of conduct that they are obligated under and seek confirmation of compliance.
The continued protection of data subjects’ rights and the security of their personal information is always our top priority when choosing a processor and we understand the importance of adequate and reliable outsourcing for processing activities as well as our continued obligations under the applicable data laws for data processed and handled by a third party.
The Processor Agreements that we use, and any associated contract reflect the fact that the processor: -
• Processes the data only on our documented instructions
• Seeks our authorisation to transfer data to a third country or an international organisation (unless required to do so by a law to which the processor is subject)
• Shall inform us of any such legal requirement to transfer data before processing
• Ensures that persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Takes all measures to ensure the security of the data at all times
• Informs Transtech immediately of any breaches, non-compliance or inability to carry out their contractual duties
12. DATA RETENTION
Transtech adheres to the requisite retention periods as required by the applicable data laws. All personal data is disposed of in a way that protects the rights and privacy of data subjects.
13. DATA PROTECTION IMPACT ASSESSMENTS (DPIA)
The privacy and confidentiality of individuals will be upheld and respected while their data is being stored and processed by Transtech. Transtech uses appropriate measures and tools to reduce the risk of breaches in processing. Where processing is likely to be high risk or cause significant impact to a data subject, we will map out and assess the impact ahead of time.
Where Transtech is considering carrying out processing that utilises new technologies, and/or where there is a likelihood that such processing could result in a high risk to the rights and freedoms of data subjects, we always carry out a Data Protection Impact Assessment (DPIA).
This enables us to identify the most effective way to comply with our data protection obligations and ensure the highest level of data privacy when processing. It is part of our Privacy by Design approach and allows us to assess the impact and risk before carrying out the processing.
14. DATA SUBJECT RIGHTS PROCEDURES
14.1 CONSENT AND THE RIGHT TO BE INFORMED
The collection of data is integral to the proper operation of the services offered by Transtech and we therefore have specific measures and controls in place to ensure that we comply with the conditions for consent under the data protection laws.
Where processing is based on consent, Transtech will ensure that: -
• Consent requests are transparent and use plain language
• Consent is freely given, specific, and informed, as well as being an unambiguous indication of the individual’s wishes
14.2 ALTERNATIVES TO CONSENT
Transtech acknowledges that there are alternative lawful bases for processing under the applicable data laws.
14.3 INFORMATION PROVISIONS
Where personal data is obtained directly from the individual (e.g. through consent, by employees, written materials and/or electronic formats), we provide the below information in all instances:
• The identity and the contact details of the controller
• The contact details of the relevant person at Transtech
• The purpose(s) of the processing for which the personal information is intended
• All such other information as the applicable data laws require to be provided
The above information is provided to the data subject at the time the information is collected.
14.4 PERSONAL DATA NOT OBTAINED FROM THE DATA SUBJECT
Where Transtech processes data that has not been obtained directly from the data subject, Transtech ensures that the information disclosures are provided to the data subject in accordance with the requirements of the applicable data laws. By reviewing this external data privacy policy, any such data subject will be deemed to have been provided with information relevant to the handling of their data. In case of doubt, please send inquiries to Privacy@TranstechGroup.com.
In addition, where data has not been obtained directly from a data subject, we also provide them with information about: -
• The categories of data
• The source the data originated from and whether it came from publicly accessible sources
While we endeavour to follow best practice in the provision of the relevant information, we reserve the right not to provide the data subject with the information if: -
• They already have it and we can evidence their prior receipt of the information
• The provision of such information proves impossible and/or would involve a disproportionate effort
• Obtaining or disclosing the information is expressly laid down by an applicable law to which Transtech is subject and which provides appropriate measures to protect the data subject's legitimate interests
• Where the data must remain confidential subject to an obligation of professional secrecy regulated by applicable data laws or other applicable national legislation
14.5 EMPLOYEE PERSONAL DATA
We do not always rely upon consent as a legal basis for obtaining or processing employee personal information. We ensure that employees are provided with the appropriate information disclosures and are aware of how we process their data and why.
14.6 THE RIGHT OF ACCESS
We ensure that any information and communication relating to the rights of data subjects is provided in a concise and intelligible form.
Such information is provided free of charge in writing, or by other means where authorised by the data subject, and only after the data subject's identity has been verified.
Information supplied in response to a right of access request will be provided to the data subject generally within 30 days from the date the request is received or within such further period as required under the applicable data laws. Where the provision of information is particularly complex or is subject to a delay for good reason, the period may be extended by two further months where necessary. This is only done in exceptional circumstances, and the data subject will be informed in writing of any delays.
Where we cannot comply with a right of access request, the data subject will be informed generally within 30 days of the reason(s) for the refusal and of their right to lodge a complaint with the Supervisory Authority.
14.7 SUBJECT ACCESS REQUEST
Where a data subject asks us to confirm whether we hold and process data concerning them and requests access to such data, we inform them of: -
• The purposes of the processing
• The categories of data concerned
• The recipients or categories of recipient to whom the data have been or will be disclosed
• Confirmation as to whether the data has been or will be disclosed to third countries or international organisations and the appropriate safeguards pursuant to the transfer
• Where possible, the envisaged period for which the data will be stored, or, if not possible, the criteria used to determine that period
• The existence of the right to request rectification where appropriate
• The right to lodge a complaint with a Supervisory Authority
• Where data has not been collected direct by Transtech, any available information as to the source and provider
• Where applicable the existence of automated decision-making.
14.8 DATA PORTABILITY
Transtech will provide a data subject’s personal information to them in response to a subject access request (“SAR”) in a format that is easy to disclose and read. Transtech complies with the data portability rights of individuals by arranging for all data to be readily available in a structured, commonly used and machine-readable format, enabling data subjects to obtain and reuse their data for their own purposes elsewhere.
Where requested by a data subject, we will transmit the data directly from Transtech to a designated controller, where technically feasible.
All transmission requests under the portability right are assessed to ensure that no other data subject is impacted. Where the data relates to more individuals than just the data subject submitting the SAR, compliance with such requests will always be without prejudice to the rights and freedoms of the other data subjects.
14.9 RECTIFICATION
14.9.1 CORRECTING INACCURATE DATA
All data processed by Transtech is reviewed for accuracy wherever possible and reasonable steps are taken to keep it up to date. Where inconsistencies are identified and/or where the data subject or a controller informs us that the data we hold is inaccurate, we take every reasonable step to ensure that such inaccuracies are corrected with immediate effect.
Where notified of inaccurate data by a data subject, we will where possible rectify the error within 30 days or such other period as the applicable data laws require and inform any third party of the rectification if we have previously disclosed that personal data to them. The data subject will be informed in writing of the correction and where relevant is provided with the details of any third party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority.
14.10 THE RIGHT TO RESTRICT PROCESSING
There are certain circumstances where Transtech restricts the processing of personal information.
When data is restricted it is stored but not otherwise processed in any way.
Transtech will apply restrictions to data processing: -
• Where an individual challenges the accuracy of the data and we are in the process of verifying the accuracy of the data and/or making corrections
• Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether we have legitimate grounds to override those of the individual
• Where we no longer need the data, but the data subject requires the data to establish, exercise or defend a legal claim
Transtech reviews all restriction requests and actions and retains copies of notifications from and to data subjects and relevant third parties. Where data is restricted, and we have disclosed such data to a third party, we will inform the third party of the restriction in place and of the reason and notify them if any such restriction is lifted.
Data subjects who have requested restriction of data are informed within 30 days of the restriction being made or within such further period as the applicable data laws require and are also advised of any third party to whom the data has been disclosed. We also notify the data subject in writing of any decision to lift a restriction on processing. If for any reason, we are unable to act in response to a request for restriction, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority.
14.11 OBJECTIONS
Data subjects have the right to object to:
• Processing of their personal information based on legitimate interests or the performance of a task in the public interest/exercise of official authority
• Direct marketing
• Processing for purposes of scientific/historical research and statistics
Where Transtech processes data for the performance of a task in the public interest, in relation to our legitimate interests or for research purposes, a data subject’s objection will only be considered where it is on 'grounds relating to their particular situation'. We nonetheless reserve the right to continue processing such data where: -
• We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
• The processing is for the establishment, exercise or defence of legal claims
Where we are processing personal information for direct marketing purposes under a previously obtained consent, we will stop processing such data immediately where an objection is received from the data subject.
Where a data subject objects to data processing on valid grounds, Transtech will cease the processing for that purpose and advise the data subject accordingly within 30 days of the objection being received or within such further period as required by the applicable data laws.
15. SECURITY AND BREACH MANAGEMENT
Alongside our 'Privacy by Design' approach to protecting data, we work at all times to ensure the security of data.
We have implemented adequate and appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with the requirements of the applicable data laws.
While every effort is made to reduce the risk of data breaches, Transtech has controls and procedures in place to deal with any such breach.
16. TRANSFERS AND DATA SHARING
Transtech takes proportionate and effective measures to protect data held and processed by us at all times. We acknowledge the importance of the protection and security of data being transferred. Data transfers within the EU Member States (or, where relevant, the UK) are deemed lower risk than transfers from those areas to a third country or an international organisation, owing to the direct application of the GDPR and the European Commission and UK adequacy decisions.
Where data is transferred for a legal and necessary purpose, we use a process that ensures such data is encrypted and where possible is also subject to our data minimisation methods.
Transtech uses approved, secure methods of transfer.
17. TRAINING
Transtech takes steps to ensure that all its staff have the requisite levels of training and support appropriate to their function.
SCHEDULE 1
Transtech affiliates
Transtech Group, LLC.
Trans-Tech Energy, LLC.
Transtech Fabrication, LLC
Bendel Tank & Heat Exchanger, LLC.
Metalforms, LLC.
Metalforms Italia S.r.l.
ESI Acquisition Entity, LLC.
KL Distribution, LLC.
Energyneering Solutions, LLC.
ESI Seller, Inc.
ESI Acquisition Canada, Inc.
Energyneering Solutions Canada, LTD
Transtech Group International, Inc.
Maddox Industrial Holdings, LLC
Maddox Industrial LLC
If at any time you feel that we are not abiding by this privacy policy, contact us immediately via telephone at (+1) 888.206.4563 or via email at Privacy@TranstechGroup.com.
