Data privacy and protection policy

Purpose

Ensure that data privacy is valued and protected accordingly whenever data is processed as part of Chemwatch operations.

Target audience

All Chemwatch employees, contractors, and temporary workers.

Media

This document describes the policy for handling data in both electronic form and hard copy (paper copies).

Personal Data

Generalised Definition

According to the law, personal data means any information relating to an identified or identifiable individual; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number (e.g. social security number) or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (e.g. name and first name, date of birth, biometric data, fingerprints, DNA…).

GDPR

  • The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
  • This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
  • The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
  • Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive Personal Data

At the moment we do not store any Sensitive Personal Data. Storing such data would require a review and adjustment of the security measures.

Principles of data protection

The Company has adopted the following principles to govern its use, collection, and transmittal of Personal Data, except as specifically provided by this Policy or as required by applicable laws:

  • Personal Data shall only be processed fairly and lawfully.
  • Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.
  • Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or processed.
  • Personal Data shall be accurate, complete and current as appropriate to the purposes for which they are collected and/or processed.
  • Personal Data shall not be kept in a form which permits identification of the Data Subject for longer than necessary for the permitted purposes.
  • Personal Data shall not be collected or processed unless:
    • the Data Subject has provided a valid, informed consent;
    • processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
    • processing is necessary for compliance with a Company legal obligation;
    • processing is necessary in order to protect the vital interests of the Data Subject;
    • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller or in a third party to whom the data are disclosed; or
    • processing is necessary for the legitimate interests of the Company or of the third party or parties to whom the data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject.
  • Personal Data shall be collected and processed in accordance with the rights of the Data Subjects.
  • Appropriate physical, technical, and procedural measures shall be taken to: (i) prevent and/or to identify unauthorized or unlawful collection, processing, transmittal of Personal Data; and (ii) prevent accidental loss or destruction of, or damage to, Personal Data.

All Sensitive Data transferred outside of the Company or across public communications networks shall be de-identified or shall be protected against unauthorized access by use of encryption.

Personal Data shall not be transferred to another entity, country or territory, unless reasonable and appropriate steps have been taken to maintain the required level of data protection.

Sources of Personal Data

Personal Data shall be collected only from the Data Subject unless the nature of the business purpose necessitates collection of the data from other persons or bodies, collection from the Data Subject would necessitate disproportionate effort, or collection must be accomplished under emergency circumstances in order to protect an interest of the Data Subject or to prevent serious loss or injury to another person.

Sensitive Data

Sensitive Data should not be processed unless the Data Subject expressly consents.

Data Quality Assurance

Each business unit shall take steps to assure that Personal Data it collects or processes is complete and accurate in the first instance. Data must be accurate and updated in such a way as to give a true picture of the current situation of the Data Subject.

The Company shall correct data which it knows to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification. Inaccurate data must be erased and replaced by corrected or supplemented data.

Personal Data must be kept only for the period necessary for permitted uses. When defining a permitted use for data, the business unit shall establish a sunset or review date for the stated purpose.

Personal Data should be erased if their storage violates any of the data protection rules or if the data are no longer required by the Company or for the benefit of the Data Subject.

Use of Third Party Data Processors

Where the Company relies on others to assist in its processing activities, the Company will choose a Data Processor who provides sufficient security measures and take reasonable steps to ensure compliance with those measures.

Written Contracts for Third Party Processors

The Company shall enter into a written contract with each data processor requiring it to comply with the data privacy and security requirements imposed on the Company under local legislation.

As part of Company’s internal data auditing process, Company shall conduct regular checks on processing by third party data processors, especially in respect of security measures.

Data protection requirements

Physical, Technical and Organizational Security Measures

The Company shall adopt physical, technical, and organizational measures to ensure the security of Personal Data, including the prevention of their alteration, loss, damage, unauthorized processing or access, having regard to the state of the art, the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.

Adequate security measures should include all of the following:

  1. Entry Control: Prevention of unauthorized persons from gaining access to data processing systems in which Personal Data are processed.
  2. Admission Control: Prevention of data processing systems from being used by unauthorized persons.
  3. Access Control: Preventing persons entitled to use a data processing system from accessing data beyond their needs and authorizations. This includes preventing unauthorized reading, copying, modifying or removal during processing and use, or after storage.
  4. Disclosure Control: Ensuring that Personal Data in the course of electronic transmission during transport or during storage on a data carrier cannot be read, copied, modified or removed without authorization, and providing a mechanism for checking to establish who is authorized to receive, and who has received, the information.
  5. Input Control: Ensuring that it can be subsequently checked and established whether and by whom Personal Data have been entered into, modified on or removed from data processing systems.
  6. Job Control: Ensuring that in the case of commissioned processing of Personal Data, the data can be processed only in accordance with the instructions of the Data Controller.
  7. Availability Control: Ensuring that Personal Data are protected against undesired destruction or loss.
  8. Use Control: Ensuring that data collected for different purposes can and will be processed separately.
  9. Lifetime Control: Ensuring that data are not kept longer than necessary, including by requiring that data transferred to third persons be returned or destroyed.
All persons involved in any stage of processing Personal Data should explicitly be made subject to a requirement of secrecy which should continue after the end of the employment relationship.

Training

Each Business Unit will provide training to teach or re-emphasize privacy- and security-related procedures. These procedures should be set forth in written guidelines to employees and shall include at least the following:

  • Each employee’s duty to use and permit the use of Personal Data only by authorized persons and for authorized purposes;
  • The Data Protection Principles;
  • The contents of this Policy;
  • The relationship between this Policy and other Company policies;
  • The need for and proper use of the forms and procedures adopted to implement this Policy;
  • The correct use of passwords, security tokens and other access mechanisms;
  • The importance of limiting access to Personal Data, such as by using password-protected screen savers and logging out when the information is not in use or is not attended by an authorized person;
  • Securely storing manual files, print outs and electronic storage media;
  • A general prohibition on the transfer of Personal Data outside of the internal network and physical office premises;
  • Proper disposal of confidential data;
  • Special risks associated with particular activities;
  • Notification of changes to this document, by e-mail or in writing.

Compliance Audit

Current Compliance Assessment

Company shall establish a schedule for and implement a data protection compliance audit for all business units. The responsible manager, in cooperation with the business units, shall devise a plan and schedule for correcting any identified deficiencies within a fixed, reasonable time.

Annual Data Protection Audit

Each business unit shall review annually its data collection, processing, and security practices. This annual review shall consist of at least the following:

  1. The business unit shall determine what Personal Data the business unit is collecting, or intends to collect, the purposes of the data collection and processing, any additional permitted purposes, the actual uses of the data, what disclosures have been made about the purposes of the collection and use of such data, the existence and scope of any Data Subject consents to such activities, any legal obligations regarding the collection and processing of such data, and the scope, sufficiency, and implementation status of security measures.
  2. The business unit shall determine what Personal Data it has in manual systems that constitute “relevant filing systems.”
  3. The business unit shall identify all transferees of Personal Data in its possession or control. The business unit shall determine where the transferee is located, the purposes of the transfer, what physical, technical, and procedural systems are in place to maintain at least the existing level of data protection and to prevent or control further transfers.
  4. The information collected in this annual review shall be delivered to the managing body for review and appropriate action including making recommendations for improvement to policies and procedures in order to improve compliance with this policy and applicable law.

Glossary

Consent means “any freely given specific and informed indication of his wishes by which the Data Subject signifies agreement to Personal Data relating to him being processed.”

Data (whether or not having an initial capital letter) as used in this Policy shall mean information which either:

  • is being processed by means of equipment operating automatically in response to instructions given for that purpose;
  • is recorded with the intention that it should be processed by means of such equipment;
  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
  • does not fall within any of the above, but forms part of a readily accessible record covering an individual.

Data Subject means the person to whom the data refer. Data Subjects include customers and web users, individuals on contact/e-mailing lists or marketing databases, employees, contractors and suppliers.

Personal Data means data related to a living individual who can be identified from those data or from those data and other information in the possession.

Processing covers a wide variety of operations relating to data, including obtaining, recording or holding the data or carrying out any operation or set of operations on the data.

Sensitive Data means Personal Data containing information as to the Data Subject’s:

  • Race or ethnic origin;
  • Religious beliefs or other beliefs of a similar nature;
  • Political opinions;
  • Physical or mental health or condition;
  • Sexual history or orientation;
  • Trade union membership;
  • Commission or alleged commission of any offence and any related court proceedings.