1 Corporate Policy. Data Protection for Data of Customers & Partners.
2 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing body of legal regulations on data protection are placing increased demands in the handling of personal data of our prospects and customers, which we aim to meet. As a global company, Daimler AG and its subsidiaries face the task of meeting the broad range of legal provisions around the world concerning the acquisition and processing of personal data. We aim to offer our customers and business partners worldwide a high, uniform standard in the handling of their personal data. Careful data handling is in line with the expectations of our customers and business partners and forms the basis for a trusted business relationship. This corporate policy sets out a global standard in the group companies for the handling of personal data of our prospects, customers and business partners, which is in conformity with the legal requirements and globally accepted principles of data protection. In the event of a cross-border exchange of personal data between the individual group companies, special legal requirements must be observed. Frequently, cross-border data transfers are only permitted if the data recipient is able to guarantee an adequate level of data protection. This adequate level of data protection is established by the corporate policies Data Protection for Customer and Partner Data and Data Protection for Human Resources Data. The management and employees of the company are responsible for ensuring observance of the obligations resulting from the data protection guidelines and compliance with national data protection legislation. The Chief Officer for Corporate Data Protection is responsible for making sure that the data protection guidelines and laws are implemented. My staff and I would be happy to assist you with any questions you may have concerning data protection. Dr. Joachim Rieß Chief Officer for Corporate Data Protection
3 03 Table of Contents I. Aim of the Data Protection Policy 4 II. Definitions 4 III. Scope of and amendments to the Policy 6 IV. Application of the Law of Individual Nations 6 V. Principles for Processing of Personal Data 7 1. Fairness and lawfulness 7 2. Restriction to a specific purpose 7 3. Transparency 7 4. Data Economy 7 5. Factual accuracy and up-to-dateness of data 7 6. Data requiring special protection 7 7. Need-to-know principle 8 8. Automated individual decisions 8 VI. Data Processing Legitimacy 8 1. Data processing for a contractual relationship 8 2. Data processing for advertising purposes 8 3. Consent to data processing 9 4. Data processing based on legal authorization 9 5. Data processing based on legitimate interest 9 VII. Transmission of Personal Data 9 VIII. Data Transmission within the Group 10 IX. Data Processing on Behalf 10 X. Telecommunications and Internet 11 XI. Rights of the Data Subject 11 XII. Data Processing Confidentiality 12 XIII. Data Processing Security 12 XIV. Responsibilities and Sanctions 12 XV. Chief Officer Corporate Data Protection 13
4 04 I. Aim of the Data Protection Policy Customer and partner data represent an important competitive factor and make an extensive contribution to value creation in the Daimler Group. These data must be protected against the threats posed by unauthorized access. In addition to this technical security aspect, customers and partners expect us in general to handle their data with care. We cannot build long-term business relationships with our customers and partners unless that relationship is based on trust. Daimler has recognized this challenge, and also acknowledges that its corporate responsibilities include responsible processing of this data. With this Policy, Daimler is adopting a consistent, globally valid data protection and data security standard for processing the personal data of customers and partners in line with globally accepted principles. The Policy undergirds the Group s competitive ability and forms the basis for long-lasting business relationships built on trust. The Policy also creates one of the important basic conditions for the global exchange of data between affiliated group companies, because it guarantees an adequate level of data protection for transborder data flows in compliance with the EU Data Protection Directive and other national laws, including in countries in which no adequate data protection legislation is yet in force. II. Definitions» The EU Commission considers the level of data protection in third countries to be adequate if the core privacy elements, according to the understanding agreed upon by the EU member states, are essentially protected. In making its decision, the EU Commission takes into account all of the circumstances that play a role in data transmission, or in a category of data transmission. This includes an evaluation of the national legislation, as well as the code of professional conduct and security measures in place in each case.» Data are anonymized when a connection to a person can no longer be made, or when a connection to a person can be restored only with a disproportionately large outlay in terms of time, cost, and labor.» Data require special protection if they relate to the racial or ethnic background, political views, religious or philosophical convictions, trade union membership, health, or sexual orientation of the data subject. Further data categories may be classed as requiring special protection, or the content of these data categories may be filled in differently, according to the laws of individual nations. Similarly, data regarding criminal offenses may often be handled only in compliance with special requirements set out in the applicable national laws.» Under the terms of this Policy, a data subject is any natural person who is the subject of the data being handled. In some countries, the data subject may also be a legal entity. 1 Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; available at privacy/law/index_en.htm#guideline
5 05» A third party is any person, other than the data subject in question, who cannot be ascribed to the data controller. Contractors processing data on behalf of the controller (see Sec. IX) are not legally considered third parties.» Under the terms of this Policy, third countries include all states that are not members of the European Union/EEA. An exception is made for states whose level of data protection has been recognized as adequate by the EU Commission.» Consent is a legally binding expression of will, given voluntarily, in which the data subject declares his/her agreement to the processing of data.» The processing of personal data is considered necessary if the valid purpose or legitimate interest could not be achieved without the personal data in question, or could be achieved only at a disproportionately large expense.» The EEA is an economic area associated with the EU, to which Norway, Iceland, and Liechtenstein belong.» Personal data is any information about a specific or definable natural person. A person is considered definable if, for example, a relation to the person can be established by the information from the data combined with supplementary knowledge, even if such knowledge is available only by coincidence.» Transmission is any disclosure of protected data to third parties by the data controller.» The processing of personal data is any action, carried out with or without the assistance of automated processes, that serves to collect, save, organize, store, change, access, use, pass on, transmit, distribute, combine, or reconcile the data. This also includes destroying, deleting, or blocking data and data storage media.» The data controller is the legally independent entity within the Daimler Group that initiated the data processing measure in question through its business activities.
6 06 III. Scope of and amendments to the Policy This Corporate Policy applies for all of the companies in the Daimler Group, i.e. Daimler AG and all of its dependent subsidiaries, as well as associated companies and their employees. Under the terms of this Policy, a dependent subsidiary is a company that Daimler AG can require either directly or indirectly to adopt the Policy by virtue of a majority voting interest, a majority in the company management, or an agreement. This Corporate Policy applies to all processing of personal data relating to customers and partners. This includes data relating to prospects, suppliers, and shareholders. This Policy also applies for data relating to legal entities, to the extent that the law of the individual nation in question includes legal entities within the scope of data protection law. Individual Group companies are not entitled to put in place regulations that deviate from this Policy. This Policy can be amended only by the Chief Officer Corporate Data Protection, and only within the terms of the procedure set out for the amendment of Corporate Policies. Group companies must comply with this Policy in its current valid version. The version that was valid at the time the data was processed will apply only in the case that the subsequent version entails a less advantageous position for the data subject. In the event that the current version should expire and no new version be put in place, the Group companies must comply with last valid version of this Policy as regards data processed up until that point. IV. Application of the Law of Individual Nations This Policy for data protection comprises the internationally accepted principles of data protection, without replacing the existing national laws. It applies in all cases as far as it is not in conflict with the respective national law; additionally, the national law shall apply if it makes greater demands. National law applies in the case that it entails a mandatory deviation from, or exceeds the scope of, this Policy for data protection. This Policy also applies in countries in which there is no corresponding national legislation in place. For the transborder flow of data originating from the European Union/EEA or from countries that require an adequate standard of protection for transborder data flows, the party importing the data must comply with the national legislation in force in the country from which the data originated when processing such data. This does not apply for data flows within the European Union/EEA or for transborder data flows into non-eu/eea countries that have been deemed by the European Commission to have an adequate level of data protection. The notification requirements for data processing set out in the laws of individual nations must be met. Each legally independent entity within the Daimler Group must check whether and to what extent such notification requirements exist. If there is any doubt, the Chief Officer Corporate Data Protection is available to give advice.
7 07 V. Principles for Processing of Personal Data 1. Fairness and lawfulness In processing personal data, the individual rights of the data subjects must be protected. Data must be processed fairly and in accordance with legal provisions. 2. Restriction to a specific purpose Personal data may be processed only for the purposes for which they were originally collected. Subsequent changes to the purpose are possible only to a limited extent. Such changes may take place by virtue of a contractual agreement with the data subject, consent given by the data subject, or national legislation. 3. Transparency The data subject must be informed of how his/her data is being handled. As a matter of principle, personal data must be collected directly from the data subject concerned. When collecting the data, the data subject must either be aware of or be informed of the following:» The identity of the data controller» The purpose for which the data is being processed» Third parties or categories of third parties to whom the data may potentially be transmitted. The data subject should be informed that the provision of data for marketing purposes is voluntary. Guidelines on information that must be provided to the data subject regarding the handling of his/her personal data are set out in Corporate Standards. In addition to the guidelines set out in Corporate Standards, national legislation may impose additional or differing requirements regarding the content and scope of this information. Such requirements might include, for example, information on the data subject s right to object to contact made for marketing and advertising purposes. 4. Data Economy Before any step is taken to process personal data, it must be checked whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. This Policy does not apply for statistical analysis or studies based on anonymized data. Personal data may not be collected in advance and stored for potential future purposes unless required under the law of the individual nation. Data that are no longer needed should be deleted in compliance with existing archival requirements. 5. Factual accuracy and up-to-dateness of data Personal data must be correct and up to date when stored. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, or supplemented. 6. Data requiring special protection Personal data requiring special protection may be processed only under certain conditions. The processing of such data must be expressly permitted or required according to the applicable national law, or it must be necessary in order to assert, exercise, or defend legal claims against the data subject. The data subject may also give his/her express consent to the data being processed.
8 08 7. Need-to-know principle In the context of increasingly flexible company organization, it must be ensured that employees have access to personal data on a need-to-know basis only. The need-to-know principle means that employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities. 8. Automated individual decisions Automated processing of personal data intended to evaluate certain personal aspects of the data subject (e.g. creditworthiness) must meet special requirements. It must not form the sole basis for decisions that have negative consequences or result in significant detriment to the data subject. In order to avoid incorrect decisions, it must be ensured that a test and a plausibility check are carried out by an employee. In addition, the data subject must be informed of the fact that an automated individual decision-making procedure is carried out and of its result, and he/she must be given the opportunity to respond. Stricter requirements for automated individual decisions set out in national legislation must be observed. VI. Data Processing Legitimacy 1. Data processing for a contractual relationship The data subject s personal data may be processed solely for the purpose of executing a contract. This includes advisory services for the contracting partner after the contract has been concluded, to the extent that this is consistent with the purpose of the contract. This does not include measures undertaken for customer loyalty or advertising purposes. Before the conclusion of a contract during the contract initiation phase the processing of personal data is permitted in order to draw up offers, prepare purchase orders, or for fulfilling any other wish of the prospect leading up to the conclusion of a contract (e.g. a test drive). During the contract initiation phase, it is permitted to contact prospects using the data that they have provided. Any restrictions that the prospects may specify must be observed. For further advertising measures, the requirements set out in VI.2. below must be met. 2. Data processing for advertising purposes Processing personal data for advertising purposes is permitted as long as this is consistent with the purpose for which the data were originally collected. As part of the communication process with the data subject, consent should be obtained from the data subject to use his/her data for advertising purposes. (See VI.3.). If the data subject makes an information-related request to a Daimler Group company (e.g. requests to be sent information on a product), the data processing required in order to respond to this request is always permitted, regardless of whether consent has been obtained. If the data subject objects to his/her data being used for advertising purposes, no further use may be made of the data for such purposes. In addition, existing restrictions regarding the use of data for advertising purposes in place in some countries must be observed. Such restrictions may relate, in particular, to advertising via , telephone, and fax.
9 09 3. Consent to data processing Data processing may take place by virtue of consent obtained from the data subject. Similarly, the purpose of the data processing may be changed if consent is given by the data subject. Before consent is given, the data subject must be informed as specified in section V.3. of this Policy. For documentation purposes, statements of consent must be generally obtained either in written or electronic form. In certain circumstances, e.g. during a telephone consultation, consent may be given verbally, in which case the consent must be documented. Special requirements for statements of consent set out in national legislation must be met. 4. Data processing based on legal authorization The processing of personal data is also permitted if requested, required, or permitted under the applicable national law. The type and extent of data processing must be necessary for the legally authorized data processing activity, and must comply with the relevant statutory provisions. 5. Data processing based on legitimate interest The processing of personal data may also be carried out if it is necessary in order to realize a legitimate interest held by either the data controller or a third party. Legitimate interests are usually of a legal nature (e.g. collecting outstanding receivables) or commercial nature (e.g. avoiding breaches of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection, and that this takes precedence over the interest being pursued through the processing of such data. This must be checked before any data processing is undertaken. VII. Transmission of Personal Data For some business processes, it is necessary to pass on personal data relating to customers or partners to third parties. If this does not occur owing to a legal obligation, it must be checked in each instance whether it is in conflict with any interest of the data subject that merits protection. When transferring personal data to a party external to the Daimler Group, the conditions set out in section VI. must be met. If the recipient is located in a third country, he/she must guarantee an adequate level of data protection in line with this Policy. This does not apply if the data transmission is carried out owing to a statutory obligation, or to any other permissible legal obligation. The recipient must be bound under contract only to use the data for the specified purpose. Data shall be transmitted to government institutions or authorities to the extent required according to the relevant legal provisions in each case. In the case that data is transmitted to Daimler Group companies by third parties, it must be ensured that the data have been collected lawfully in accordance with the relevant legal provisions, and that the use of such data for the intended data processing activities is permitted.
10 10 VIII. Data Transmission within the Group If a legally independent entity within the Daimler Group passes on personal data to another Group company, from a legal point of view this constitutes transmitting data to a third party. For a data transmission of this kind, the conditions set out in section VI. must be in place. If personal data are transferred from a Group company with its registered office in the European Union/EEA to a Group company with its registered office in a third country, both the Chief Officer Corporate Data Protection and the company importing the data are obliged to cooperate with any inquiries made by the relevant supervisory authority in the country in which the party exporting the data has its registered office, and to comply with any observations made by the supervisory authority with regard to the processing of the transmitted data. In the event that a data subject claims that this Policy has been breached by the Group company located in a third country that is importing the data, the Group company located in the European Union/EEA that is exporting the data undertakes to support the data subject concerned, whose data was collected in the European Union/EEA, in establishing the facts of the matter and also asserting his/her rights in accordance with section XI. of this Policy against the Group company importing the data. In addition, the data subject is also entitled to assert his or her rights, as set out in section XI., against the Group company exporting the data. In the case of personal data being transmitted from a Group company located in the European Union/EEA to a Group company located in a third country, the data controller transmitting the data shall be held liable for any violations of this Policy committed by the Group company located in a third country with regard to the data subject whose data was collected in the European Union/EEA, as if the violation had been committed by the data controller transmitting the data. The legal venue is the competent court at the location of the registered office of the company exporting the data. IX. Data Processing on Behalf When data is processed on behalf of the data controller, a service provider is engaged to process the data, without taking on responsibility for the associated business process. In the case that personal data is disclosed during data processing on behalf, the controller remains responsible for the data processing. Any claims from the data subject must be made against the controller. In addition, the following measures must be taken when awarding contracts: 1. When selecting a data processor, it must be ensured that the candidate can guarantee the necessary technical and organizational requirements and security provisions. When making the selection, the criteria established by the Chief Officer Corporate Data Protection must be taken into account. 2. The terms and conditions for carrying out data processing on behalf must be set out in a written contract, in which the parties agree on the data protection and information security requirements. In particular, it must be established that the processor may process the data only in accordance with the controller s instructions. 3. Corporate policies must be taken into account when drawing up the contract.
11 11 4. When appointing service providers outside of the European Union/EEA to process personal data from the European Union/EEA, the service provider must guarantee an adequate level of data protection in line with this Policy if it intends to process the data in a third country. Similarly, comparable regulations set out in the data protection laws of individual nations must also be observed. In addition, when appointing service providers outside of the European Union/EEA, the requirements set out in section VII. must be met. X. Telecommunications and Internet The processing of personal data that have been gathered exclusively through telecommunications with the data subject, including Internet communication, is subject to the relevant local instructions, or the relevant law. Corporate Standards regarding putting legal obligations into practice when designing Websites must be complied with. XI. Rights of the Data Subject Every data subject has the following rights. The assertion of these rights is to be processed directly by the responsible department. 1. The data subject may request information on which personal data relating to him/her have been stored, how the data were collected, and for what purpose. 2. If personal data are transmitted to third parties, the data subject must also be informed of the recipient s identify, or of the category of recipients. 3. If personal data are incorrect or incomplete, the data subject may request for them to be corrected. 4. The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing archival requirements must be observed. 5. The data subject may object to his/her personal data being used for purposes of direct marketing, market research, or opinion research. Access to the data for these purposes must then be blocked. 6. The data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
12 12 XII. Data Processing Confidentiality The personal data of customers and partners is treated confidential; any unauthorized collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorised to carry out as part of his/her legitimate duties is unauthorized. In particular, it is forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or make it available in any other way. XIII. Data Processing Security Appropriate technical and organizational measures are implemented in order to guarantee data security. These measures safeguard personal data from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification, or destruction. They relate to the security of data which merit protection, whether processed electronically or in paper form. These technical and organizational measures form part of an integrated information security management plan, and are constantly revised in accordance with technological developments and organizational changes. XIV. Responsibilities and Sanctions The boards of management and management staff of the Group companies, who in each case bear responsibility for data processing activities, are obliged to ensure that legal data protection requirements and requirements formulated in this Policy for data protection are met. Management staff are responsible for ensuring that organizational, HR, and technical measures are in place so that any data processing undertaken in their department is carried out in accordance with regulations and with due regard for data protection. Compliance with the Data Protection Policies and the applicable Data Protection Laws is controlled by regular data protection audits. In many countries, abusive processing of personal data or other violations of data protection laws may lead to criminal proceedings and claims for damages. In principle, contraventions for which individual employees can be held responsible are subject to employment law sanctions in accordance with the applicable national legislation in the country in question (see Guideline on Disciplinary Measures).
13 13 XV. Chief Officer Corporate Data Protection The Chief Officer Corporate Data Protection, being internally independent of professional orders, supervises the observance of national and international data protection regulations. He is responsible for the Policies on data protection, and supervises their compliance. He carries out data protection checks and audits. The Chief Officer Corporate Data Protection is appointed by the Daimler AG board of management. The business management or plant management must indicate to the Chief Officer Corporate Data Protection that they have appointed a data protection coordinator. In organizational terms, and with the agreement of the Chief Officer Corporate Data Protection, one data protection coordinator may also be appointed to carry out this role for several companies or plants. The data protection coordinators act as on-site advisors for data protection issues. They can carry out checks, and they are responsible for ensuring that employees are familiar with the content of the Data Protection Policies. The management of the company in question is obliged to support the Chief Officer Corporate Data Protection and the data protection coordinators in their activities. The business units must inform the data protection coordinators of any new activities involving the processing of personal data. The data protection coordinators shall promptly inform the Chief Officer Corporate Data Protection of any data protection risks. If data processing activities are planned that could entail particular risks to the personal rights of the data subjects, the Chief Officer Corporate Data Protection must be involved in advance of any data processing activity. This applies in particular for personal data requiring special protection. The business units ensure that their employees obtain the necessary education on data protection. The Chief Officer Corporate Data Protection provides a web based training tool. In the event of data protection breaches or complaints, the management staff responsible must immediately inform the responsible data protection coordinator or the Chief Officer Corporate Data Protection. In addition, any data subject may approach the Chief Officer Corporate Data Protection at any time to raise concerns, ask questions, request information, or make complaints relating to data protection or data security issues. If requested, concerns and complaints will be handled confidentially. Decisions made by the Chief Officer Corporate Data Protection to remedy data protection breaches must be respected by the management of the company in question. Contact details for the Chief Officer Corporate Data Protection and his staff are as follows: Daimler AG Chief Officer Corporate Data Protection HPC 0646 D Stuttgart Tel. +49 (0) Fax +49 (0) Intranet:
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not
Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...
Binding Corporate Rules Privacy (BCRP) Binding Corporate corporate Rules rules Privacy for (BCRP) the protection of personal Telekom Group rights in the handling of personal data within the Deutsche Telekom
LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text
1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These
on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP
Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal
Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2
Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...
Linde Integrity Line Process and Data Protection Policy 1 July 2007 Page 2 of 10 Table of Contents Preamble 3 1 Scope of application 3 2 Definitions 3 3 Submitting Reports Regular Channels 3 4 Submitting
Privacy Rules for Customer, Supplier and Business Partner Data Contact details Philips Privacy Office c/o Philips International BV, Amstelplein 2, 1096 BC, the Netherlands. E-mail: Philips_Privacy_Office@philips.com
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on
FIRST DATA CORPORATION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION SUMMARY: BINDING CORPORATE RULES FOR DATA PRIVACY AND PROTECTION v 1.3 Supersedes: v 1.2 Summary Owner: Corporate
PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their
PRINCIPLES OF CORPORATE GOVERNANCE FOR SUPERVISED INSTITUTIONS Content of principles I. ORGANISATION AND ORGANISATIONAL STRUCTURE 1. 1 The organisation of a supervised institution should enable meeting
Law No. 677/2001 on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, amended and completed The Romanian Parliament adopts the present law.
CEIOPS-DOC-07/08 General Protocol relating to the collaboration of the insurance supervisory authorities of the Member States of the European Union March 2008 CEIOPS e.v. - Westhafenplatz 1 60327 Frankfurt
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
PROTECTION OF PERSONAL INFORMATION Definitions Privacy Officer - The person within the Goderich Community Credit Union Limited (GCCU) who is responsible for ensuring compliance with privacy obligations,
Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.
Personal Data Protection Policy and Practices ( the Policy ) FWD Life Insurance Company (Bermuda) Limited ("the Company") is committed to implementation and compliance with the provisions of the Personal
1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The
Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in
OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation
Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing
Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations
Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable
ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:
Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights
SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 This Notice sets forth the principles followed by United Technologies Corporation and its operating companies, subsidiaries, divisions
PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically
PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner
Code of Conduct for Evonik s employees Table of Contents Scope and Objectives 4 Business Conduct 6 Managing Business Transactions 6 Business Relations 8 Conflicts of Interest 10 Insider Trading 11 Maintaining
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June
Rector s Directive No. 1/2013 On Data Protection and the Detailed and Uniform Data Management Regulation Budapest, 2013 Version effective as of 31 January 2013 Directives on Data Protection and the Uniform
ANNEX 1. LAW ON PERSONAL DATA PROTECTION UNOFFICIAL TRANSLATION 1 PARLIAMENT OF THE REPUBLIC OF MACEDONIA Pursuant to Article 75, Paragraphs 1 and 2 of the Constitution of the Republic of Macedonia, the
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"
DRAFT BILL Provides for the processing of personal data 1 to guarantee the free development of the natural person's personality and of its dignity. The PRESIDENT OF THE REPUBLIC To be known that the National
This is an official translation. The original Icelandic text published in the Law Gazette is the authoritative text. Merchants and Trade - Act No 28/2001 on electronic signatures Chapter I Objectives and
RULES OF ELECTRONIC PAYMENTS ASSOCIATION These are the rules of Electronic Payments Association that have been made by the board of directors of EPA under Article 19 of the articles of association of EPA.
The translation is intended solely for the convenience of the reader. This translation has no legal status and although every effort has been made to ensure its accuracy, the Bank of Israel does not assume
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
Certification Scheme Y03 Compliance Management Systems ISO 19600 ONR 192050 Issue V2.1:2015-01-08 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 A-1020 Vienna, Austria E-Mail: email@example.com
Directive for the transfer of personal data to third countries outside the EEA (Munich Re reinsurance group directive on third-country data transfer) Information correct at 1 July 2013 - 2 - Contents 1
TRIAL AGREEMENT FOR QUALIANCE PLEASE READ THE TERMS OF THIS TRIAL AGREEMENT (THIS AGREEMENT ) CAREFULLY BEFORE SUBMITTING YOUR TRIAL REGISTRATION REQUEST THIS AGREEMENT GOVERNS ACCESS TO AND USE BY THE
1 LAWS OF MALAYSIA Act 709 PERSONAL DATA PROTECTION ACT 2010 2 Laws of Malaysia ACT 709 Date of Royal Assent...... 2 June 2010 Date of publication in the Gazette......... 10 June 2010 Publisher s Copyright
Page: 1 di 16 CODE OF ETHICS Previous version: n. 00 Issued and approved: Board of Directors of DSN Date: 29 Maggio 2008 Page: 2 di 16 INTRODUCTION d'amico Società di Navigazione S.p.A. (hereinafter the
eprivacyseal GmbH Criteria catalogue EU November 2013 The EPS data privacy seal certifies for the respective applicant that its product or service is in line with the detailed criteria in the following
Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and
INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
Opinion on a Notification for Prior Checking received from the Data Protection Officer of the European Training Foundation Regarding the Processing Operations to Manage Calls for Tenders Brussels, 22 April
RPM INTERNATIONAL INC. AND ITS SUBSIDIARIES AND OPERATING COMPANIES SAFE HARBOR PRIVACY NOTICE EFFECTIVE AS OF: August 12, 2015 This Notice sets forth the principles followed by RPM International Inc.,
27 July 2006 No.152-FZ RUSSIAN FEDERATION FEDERAL LAW PERSONAL DATA (as amended by Federal Law of 25.11.2009 No.266-FZ) Article 1. Scope of This Federal Law Chapter 1. GENERAL Adopted by The State Duma
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
PRIVACY STATEMENT OF THE WEBSITE http://www.viscontipalace.com Page 1 of 7 LEARN MORE ABOUT OUR PRIVACY STATEMENT In this privacy statement, Visconti Cesi S.r.l., with registered office at Via Vittoria
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model
ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:
Ryanair Holdings PLC Code of Business Conduct & Ethics 2012 1 TABLE OF CONTENTS 1. INTRODUCTION 3 2. WORK ENVIRONMENT 3 2.1 Discrimination & Harassment 3 2.2 Privacy of Personal Information 3 2.3 Internet
Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment