Data Protection
Foreword
Our Corporate Data Protection Policy lays out strict requirements for processing personal data pertaining to customers, prospects, business partners and employees. It meets the requirements of the European Data Protection Directive (GDPR) and ensures compliance with the principles of national and international data protection laws.
The policy sets the applicable data protection and security standards for our company and regulates the sharing of information between our Group companies. We have established seven data protection principles – among them transparency, data economy and data security – as our guideline.
Our managers and employees are obligated to adhere to the Policy and observe their local data protection laws.
As the person responsible for Corporate Data Protection it is my duty to ensure that the rules and principles of data protection at Dents are followed.
Robert Yentob
Chairman
23/5/18
Contents
I. Aim of the Data Protection Policy
II. Scope of the Data Protection Policy
III. Application of national laws
IV. Principles for processing personal data
1. Fairness and lawfulness
2. Restriction to a specific purpose
3. Transparency
4. Data reduction and data economy
5. Deletion
6. Factual accuracy; up-to-date data
7. Confidentiality and data security
V. Reliability of data processing
1. Customer and partner data
1.1 Data processing for a contractual relationship
1.2 Data processing for advertising purposes
1.3 Consent to data processing
1.4 Data processing pursuant to legal authorisation
1.5 Data processing pursuant to legitimate interest
1.6 Processing of highly sensitive data
1.7 Automated individual decisions
1.8 User data and internet
2. Employee data
2.1 Data processing for the employment relationship
2.2 Data processing pursuant to legal authorisation
2.3 Consent to data processing
2.4 Data processing pursuant to legitimate interest
2.5 Processing of highly sensitive data
2.6 Automated decisions
2.7 Telecommunications and internet
VI. Transmission of personal data
VII. Contract data processing
VIII. Rights of the data subject
IX. Confidentiality of processing
X. Processing security
XI. Data protection control
XII. Data protection incidents
XIII. Responsibilities and sanctions
- I. Aim of the Data Protection Policy
As part of its social responsibility, the Dewhurst Dent Group (the Group) is committed to compliance with data protection laws. This Data Protection Policy applies worldwide to the Group and is based on globally accepted, basic principles on data protection. Ensuring data protection is the foundation of trustworthy business relationships and the reputation of all the companies in the Group as an attractive employer.
The Data Protection Policy provides one of the necessary framework conditions for cross-border data transmission among the Group companies. It ensures the adequate level of data protection prescribed by GDPR and the national laws for cross-border data transmission, including in countries that do not yet have adequate data protection laws.
- II. Scope of the Data Protection Policy
This Data Protection Policy applies to all companies and divisions of the Group, i.e. Dents, Gaby, Dents Australia Pty, Corgi Hosiery Ltd, D.Charles Astle (Auctioneers) and Hersil Fabrics.
The Data Protection Policy extends to all processing of personal data.
- III. Application of national laws
This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed.
Each company of the Group is responsible for compliance with this Data Protection Policy and the legal obligations. All employees must read, understand and comply with this policy and any related policies when processing personal data and any breach may lead to disciplinary action.
- IV. Principles for processing personal data
1. Fairness and lawfulness
When processing personal data, the individual rights of the data subjects must be protected.
Personal data must be collected and processed in a lawful and fair manner. Data protection legislation allows processing for specific purposes, which are set out in this policy. Data subjects will be notified of the purposes for which their personal data is processed; details can be found in the company’s Employee Privacy Notice.
2. Restriction to a specific, explicit and legitimate purpose
Personal data can be processed only for specified, explicit and legitimate purposes and will not be processed in any manner incompatible with those purposes. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
3. Transparency
The data subject must be informed of how his/her data is being handled. [Employees will be given a Privacy Notice informing them of how their data is being processed.] The information will be concise, transparent, easily accessible and in clear and plain language.
In general, personal data will be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:
» The identity of the Data Controller
» The purpose of data processing
» Third parties or categories of third parties to whom the data might be transmitted
Personal data may also be collected indirectly (for example, from a third party or publicly available sources). The data subject will be informed of the information above as soon as possible after collecting/receiving the data.
4. Data reduction and data economy
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Before processing personal data, you must determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken.
Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymised or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.
5. Deletion
When Personal data is no longer required, it will be deleted in accordance with the Company’s data retention guidelines and policies. Data subjects will be informed of the period for which data is stored and how that period is determined in its Privacy Policies.
Third parties must be required to delete data that is no longer needed where applicable.
6. Factual accuracy; up-to-date data
Personal data on file must be accurate, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
7. Confidentiality and data security
Personal data is subject to confidentiality. It must be treated as confidential on a personal level and secured with suitable organisational and technical measures to prevent unauthorised access, illegal processing or distribution, as well as accidental loss, damage, modification or destruction. We have in place safeguards appropriate to our size, scope, resources and identified risks that will be regularly evaluated and tested. We have put in place procedures to deal with any suspected personal data breach and will notify data subjects or any applicable regulator where we are legally required to do so.
Personal data will only be transferred to third-party service providers who agree to comply with our required policies and procedures and who agree to put adequate measures in place to maintain data security. Personal data will not be transferred to another country without appropriate safeguards being in place.
- V. Reliability of data processing
Collecting, processing and using personal data is permitted only under the following legal bases.
One of these legal bases is also required if the purpose of collecting, processing and using the personal data is to be changed from the original purpose.
1. Customer and partner data
1.1 Data processing for a contractual relationship
Personal data of the relevant prospects, customers and partners can be processed in order to establish, execute and terminate a contract. This also includes advisory services for the partner under the contract if this is related to the contractual purpose. Prior to a contract – during the contract initiation phase – personal data can be processed to prepare bids or purchase orders or to fulfil other requests of the prospect that relate to contract conclusion. Prospects can be contacted during the contract preparation process using the information that they have provided. Any restrictions requested by the prospects must be complied with.
1.2 Data processing for advertising purposes
If the data subject contacts a Group company to request information (e.g. request to receive information material about a product), data processing to meet this request is permitted.
Customer loyalty or advertising measures are subject to further legal requirements. Personal data can be processed for advertising purposes or market and opinion research, provided that this is consistent with the purpose for which the data was originally collected. The data subject must be informed about the use of his/her data for advertising purposes. If data is collected only for advertising purposes, the disclosure from the data subject is voluntary. The data subject shall be informed that providing data for this purpose is voluntary. When communicating with the data subject, consent shall be obtained from him/her to process the data for advertising purposes. When giving consent, the data subject should be given a choice among available forms of contact such as regular mail, e-mail and phone (Consent, see V.1.3). If the data subject refuses the use of his/her data for advertising purposes, it can no longer be used for these purposes and must be blocked from use for these purposes. Any other restrictions from specific countries regarding the use of data for advertising purposes must be observed.
1.3 Consent to data processing
Data can be processed following consent by the data subject. Before giving consent, the data subject must be informed in accordance with IV.3. of this Data Protection Policy. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone conversations, consent can be given verbally. The granting of consent must be documented.
1.4 Data processing pursuant to legal authorisation
The processing of personal data is also permitted if national legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorised data processing activity, and must comply with the relevant statutory provisions.
1.5 Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary for a legitimate interest of the Group. Legitimate interests are generally of a legal (e.g. collection of outstanding receivables) or commercial nature (e.g. avoiding breaches of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection, and that this takes precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection.
1.6 Processing of highly sensitive data
Highly sensitive personal data can be processed only if the law requires this or the data subject has given express consent. This data can also be processed if it is mandatory for asserting, exercising or defending legal claims regarding the data subject. If there are plans to process highly sensitive data, the Chairman or CEO of the company concerned (who are the data protection officers) must be informed in advance.
1.7 Automated individual decisions
Automated processing of personal data that is used to evaluate certain aspects (e.g. creditworthiness) cannot be the sole basis for decisions that have negative legal consequences or could significantly impair the data subject. The data subject must be informed of the facts and results of automated individual decisions and the possibility to respond. To avoid erroneous decisions, a test and plausibility check must be made by an employee.
1.8 User data and internet
If personal data is collected, processed and used on websites or in apps, the data subjects must be informed of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible and consistently available for the data subjects. If use profiles (tracking) are created to evaluate the use of websites and apps, the data subjects must always be informed accordingly in the privacy statement. Personal tracking may only be effected if it is permitted under national law or upon consent of the data subject. If tracking uses a pseudonym, the data subject should be given the chance to opt out in the privacy statement. If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the data subject must offer sufficient protection during access.
2. Employee data
2.1 Data processing for the employment relationship
In employment relationships, personal data can be processed if needed to perform the employment contract, including to initiate, carry out and terminate employment. When initiating an employment relationship, the applicants’ personal data can be processed. If the candidate is rejected, his/her data must be deleted within 6 months unless the applicant has agreed for it to remain on file for a future selection process.
In the existing employment relationship, data processing may be necessary for the purposes of performing the employment contract, but there may also be other lawful bases for the processing, as set out below. If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws have to be observed. In cases of doubt, consent must be obtained from the data subject. There may be alternative legal bases to process personal data that is related to the employment relationship. This can include legal requirements, consent of the employee, or the legitimate interest of the company.
2.2 Data processing pursuant to legal obligation
The processing of personal employee data is also permitted if national legislation requests, requires or authorises this. The type and extent of data processing must be necessary for the legally authorised data processing activity, and must comply with the relevant statutory provisions.
2.3 Consent to data processing
Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is void. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In certain circumstances, consent may be given verbally, in which case it must be properly documented.
An employee consents to processing of their personal data if they indicate agreement clearly either by a statement or positive action to the processing. If consent is given in a document which deals with other matters, the consent must be kept separate from those other matters. Employees must be able to easily withdraw consent at any time.
Unless there is another legal basis for processing, explicit consent is required for processing special categories of data (see para 2.5 below). Usually the Company will be relying on another legal basis and will not require explicit consent to process special category data.
2.4 Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary for the purposes of a legitimate interest of the Group or a third party. Legitimate interests are generally of a legal (e.g. filing, enforcing or defending against legal claims), financial (e.g. valuation of companies) or other nature (e.g. where it is necessary to protect the vital interests of the individual or another person, or where it is necessary for the performance of a task carried out in the public interest).
Personal data may not be processed based on a legitimate interest if, in individual cases, those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The legitimate interests relied on will be set out in the applicable Privacy Notices. Moreover, any additional requirements under national law (e.g. rights of co-determination for the employee representatives and information rights of the data subjects) must be taken into account.
2.5 Processing of highly sensitive data
Highly sensitive personal data can be processed only under certain conditions. Highly sensitive data is data about racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data about sexual life and orientation of the data subject. Under national law, further data categories can be considered highly sensitive or the content of the data categories can be filled out differently. Moreover, data that relates to criminal convictions and offences can often be processed only under special requirements under national law. The processing must be expressly permitted or prescribed under national law. Additionally, processing can be permitted if it is necessary for the responsible authority to fulfil its rights and duties in the area of employment law. The employee can also expressly consent to processing. If there are plans to process highly sensitive data, the Data Protection Manager must be informed in advance.
Highly sensitive data can be processed in the following circumstances:
- With explicit consent from the data subject
- Where the processing is necessary for performing or exercising obligations or rights which are imposed by law on the data controller or the data subject in connection with employment, social security or social protection and the employer has an appropriate policy document and additional safeguards in place
- Where the processing is necessary to protect the vital interests of the individual or another person and the individual is incapable of giving consent
- Where the processing relates to personal data that the individual has made public
- Where the processing is necessary for establishing, exercising or defending legal claims
- Where the processing is necessary for reasons of substantial public interest, provided that the employer has an appropriate policy document and additional safeguards in place. This can include processing data for the purposes of promoting equality of treatment
- Where the processing is necessary for the assessment of the individual’s working capacity or pursuant to a contract with a health professional, and subject to confidentiality safeguards
2.6 Automated decisions
If personal data is processed automatically as part of the employment relationship, and specific personal details are evaluated (e.g. as part of personnel selection or the evaluation of skills profiles), this automatic processing cannot be the sole basis for decisions that would have negative consequences or significant impact on the affected employee. To avoid erroneous decisions, the automated process must ensure that a natural person evaluates the content of the situation, and that this evaluation is the basis for the decision. The data subject must also be informed of the facts and results of automated processing and the possibility to respond. The company does not envisage using automated decision making but will notify staff in writing if the position changes.
2.7 Telecommunications and internet
Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by the company primarily for work-related assignments. They are a tool and a company resource. They can be used within the applicable legal regulations and internal company policies. In the event of authorised use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable. There will be no general monitoring of telephone and e-mail communications or intranet/internet use. To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the Group companies’ networks that block technically harmful content or that analyse the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be logged for a temporary period. Evaluations of this data from a specific person can be made only in a case of suspected violations of laws or policies of the Group. The relevant national laws must be observed in the same manner as the Group regulations.
- VI. Transmission of personal data
Transmission of personal data to recipients outside or inside the Group is subject to the authorisation requirements for processing personal data under Section V. Personal data will not be shared with third parties unless certain safeguards and contractual arrangements have been put in place. The data recipient must be required to use the data only for the defined purposes and in accordance with our instructions.
In the event that data is transmitted to a recipient outside the Group to a third country, including a country outside of the EU, we will ensure that there is an adequate level of protection in that country to protect personal data equivalent to the levels of protection set out in this Data Protection Policy. If data is transmitted by a third party to a Group company, it must be ensured that the data will be used for the intended purpose.
- VII. Contract data processing
Data processing on Behalf means that a provider is hired to process personal data, without being assigned responsibility for the related business process. In these cases, an agreement on Data Processing on Behalf must be concluded with external providers and among companies within the Group. The client retains full responsibility for correct performance of data processing. The provider can process personal data only as per the instructions from the client. When issuing the order, the following requirements must be complied with; the department placing the order must ensure that they are met.
- The provider must be chosen based on its ability to cover the required technical and organisational protective measures.
- The order must be placed in writing. The instructions on data processing and the responsibilities of the client and provider must be documented.
- The contractual standards for data protection provided by the Data Protection Manager must be considered.
- Before data processing begins, the client must be confident that the provider will comply with the duties. A provider can document its compliance with data security requirements in particular by presenting suitable certification. Depending on the risk of data processing, the reviews must be repeated on a regular basis during the term of the contract.
- Only use staff and other persons who have a duty of confidentiality with regard to the data.
- Comply with security obligations equivalent to those imposed on the employer under the GDPR.
- Notify the employer of any breach in relation to the personal data shared by the employer.
- Enlist a sub-processor only with the prior permission of the employer.
- In the event of cross-border contract data processing, the relevant national requirements for disclosing personal data abroad must be met. In particular, personal data from the European Economic Area can be processed in a third country only if the provider can prove that it has a data protection standard equivalent to this Data Protection Policy. Suitable tools can be:
- Agreement on EU standard contract clauses for contract data processing in third countries with the provider and any subcontractors.
- Participation of the provider in a certification system accredited by the EU for the provision of a sufficient data protection level.
- Acknowledgment of binding corporate rules of the provider to create a suitable level of data protection by the responsible supervisory authorities for data protection.
- VIII. Rights of the data subject
Every data subject has the following rights:
- The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.
- If personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.
- If personal data is incorrect or incomplete, the data subject can request that it be corrected or supplemented.
- The data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use.
- The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
- The data subject generally has a right to object to his/her data being processed where we are relying on a legitimate interest (or those of a third party) for the processing and there is something about the data subject’s particular situation which makes them want to object to processing on this ground. This must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed or if the processing is necessary for the establishment, exercise or defence of legal claims.
- The data subject can request the restriction of processing of their personal information. This enables the data subject to request the suspension of the processing of personal information, for example if they want the employer to establish its accuracy or the reason for processing it.
- The data subject can request the transfer of their personal information to another party in some circumstances.
- IX. Confidentiality of processing
Personal data is subject to confidentiality. Any unauthorised collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorised to carry out as part of his/her legitimate duties is unauthorised. The “need to know” principle applies. Employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities. Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorised persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
- X. Processing security
Personal data must be safeguarded from unauthorised access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organisational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification). In particular, the responsible department can consult with its Data Protection Manager.
- XI. Data protection control
Compliance with the Data Protection Policy and the applicable data protection laws is checked regularly. The results of the data protection controls must be reported to the Data Protection Manager.
- XII. Data protection incidents
All employees must inform their supervisor or data protection manager immediately about cases of breaches of this Data Protection Policy or other regulations on the protection of personal data (data protection incidents). The manager responsible for the function or the unit is required to inform the responsible Data Protection Manager immediately about data protection incidents.
In cases of
» improper transmission of personal data to third parties,
» improper access by third parties to personal data, or
» loss of personal data
the required company reports (Information Security Incident Management) must be made immediately so that any reporting duties under national law can be complied with.
- XIII. Responsibilities and sanctions
The executive bodies of the Group companies are responsible for data processing in their area of responsibility. Therefore, they are required to ensure that the legal requirements, and those contained in the Data Protection Policy, for data protection are met (e.g. national reporting duties). Management staff are responsible for ensuring that organisational, HR, and technical measures are in place so that any data processing is carried out in accordance with data protection. Compliance with these requirements is the responsibility of the relevant employees. If official agencies perform data protection controls, the Data Protection Manager must be informed immediately. Improper processing of personal data, or other violations of the data protection laws, can be criminally prosecuted in many countries and result in claims for compensation of damage. Breaches for which individual employees are responsible can lead to sanctions under employment law.