- Current Data Protection Lead: Hollye Day
- Data Protection Lead Contact Address: firstname.lastname@example.org
- Version Date: 16 July 2018
- Changes since last version: N/A
Capitalized terms other than those defined after the sentence in which they first appear are defined at the end of this document.
We reserve the right to change this Privacy Standard at any time without explicit notice to you, so please check this document or with the Data Protection Lead to ensure you are up-to-date.
This Privacy Standard does not override any applicable Data Protection Legislation in any territory in which ONELIVE operates, though is intended to be generally applicable with reference to EU individuals.
This document lays out how we, ONELIVE (referred to in this document as “we”, “us” or “our”), handle all Personal Data. It applies to every aspect of our processing for every individual whose Personal Data we hold, and must be observed by every employee, worker or contractor of ONELIVE (referred to as “you” or “your”).
Alongside this Privacy Standard, we have various other policies to help you understand what is expected of you when handling Personal Data in certain ways. These policies, and the relating processes must also always be complied with. If you believe that any of our policies conflict with each other, or with Data Protection Legislation, you must notify our Data Protection Lead.
This document and all associated policies are internal and confidential documents that cannot be shared with any party, including any regulatory authority, without authorization from Data Protection Lead.
The good and proper handling of Personal Data is important to ONELIVE as we recognize the importance of maintaining the trust and confidence of all of our stakeholders, and perpetuating strong ethical business practices.
Failure in our legal obligations can also have regulatory and financial implications for ONELIVE, with fines of up to the greater of €20m or 4% of our global turnover.
Senior management hold ultimate responsibility for ensuring that every part of the business has proper practices, processes, controls and training to ensure company-wide compliance.
The Data Protection Lead is responsible for this Privacy Standard and any relating policy documents or guidelines issued to you.
If you have any questions about this Privacy Standard or Data Protection Legislation, or if you have concerns that this Privacy Standard is not being properly observed anywhere within the business, you should contact our Data Protection Lead. In particular, you should contact the Data Protection Lead if:
- you are unsure of your lawful basis for processing Personal Data (see 5.1);
- you need to rely on Consent and/or need to record Explicit Consent in a way that has not previously been prescribed to you (see 5.2);
- you need to draft a new Privacy Notice/Fair Processing Notice because no current versions are appropriate for your intended processing (see 5.3);
- you are unsure of the retention period or how to calculate it for Personal Data you are processing (see 9);
- you are unsure what security/organizational measures the Personal Data you are using, or expect to use, require (see 10.1);
- you believe there has been a Personal Data Breach (see 10.2);
- you are unsure when it is ok to transfer Personal Data to third parties or outside of the EEA (see 11);
- you are unsure how to respond to or handle a request by an individual to invoke their rights (see 12);
- you are changing the way in which you handle Personal Data, or are using it in a new way that is likely to require an impact assessment (DPIA – see 13.4) or intend to use Personal Data for a reason other than that for which it was collected;
- you plan on undertaking, or implementing a system involving automated processing or decisions-making (see 13.5);
- you need help in ensuring your marketing activities are compliant (see 13.6); or
- you need help with negotiating, performing or ending a contract that involves the transfer of Personal Data to any third party (see 13.7).
Data Protection Principles
We will always follow, and you must reflect during your work for ONELIVE, the principles for processing Personal Data set out in Data Protection Legislation. Those principles are:
- To process Personal Data lawfully, fairly and in a transparent manner (“Lawfulness, Fairness and Transparency”).
- To collect Personal Data only for specified, explicit and legitimate purposes (“Purpose Control”).
- To ensure that Personal Data is adequate, relevant and limited to what is necessary for the purpose for which processing is carried out (“Data Minimization”).
- To maintain accurate and up-to-date records of Personal Data (“Accuracy”).
- To ensure that Personal Data is not kept for longer than necessary to achieve the purposes for processing (“Retention Control”).
- To ensure that Personal Data is secured using appropriate technical and organizational measures to protect it from unauthorized or unlawful processing, accidental loss, destruction or damage (“Security, Integrity and Confidentiality”).
- Not to transfer Personal Data to another country without appropriate safeguards (“Transfer Control”).
- To observe the rights of individuals, assist with their exercising those rights and make Personal Data available (“Rights and Requests”).
We must demonstrate compliance with these principles (“Accountability”).
Lawfulness, Fairness and Transparency
Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the individual.
You may only collect, process or share Personal Data fairly and lawfully and for a specified purpose. Data Protection Legislation does place restrictions on when we can process Personal Data. However, these restrictions are intended to ensure that we process Personal Data fairly and without adversely affecting individuals, rather than prevent processing.
This means that we must identify a lawful basis for our processing from the following list:
- An individual’s Consent to our processing.
- Processing necessary for performance of a contract.
- Processing necessary for meeting our legal obligations.
- Processing that protects an individual’s vital interests (typically life preserving activity).
- Processing in pursuit of our legitimate interests that are not overridden by the rights interests or freedoms of an individual. ‘Legitimate interests’ must always be notified to individuals in advance of processing taking place and must be evidenced as existing and signed off by the Data Protection Lead.
If you are unsure that your processing fits with any of the lawful bases, or that you are not operating under the most appropriate lawful basis, please contact the Data Protection Lead. The Data Controller is ultimately responsible for determining the appropriate lawful basis for your processing. Where we are Data Controller, the Data Protection Lead shall be responsible for determining the appropriate lawful basis.
We should only rely upon Consent where no other lawful basis would be appropriate as Consent should not be replaced by another basis if an individual withdraws their Consent. This would mislead individuals as to the level of control that they have over their Personal Data and put us in breach of the requirement to be fair and transparent.
If Consent is appropriate, individuals must clearly indicate it to us by a statement or other positive action. Opt-outs, pre-ticked boxes or similar are no longer permitted for use in ONELIVE business relating to Personal Data.
Where Consent is our lawful basis for processing, the right to withdraw consent is unqualified, and processing for the purposes for which Consent has been withdrawn must end promptly. Consent applies only to purposes disclosed at the time Consent was gathered and must be renewed at appropriate intervals (these intervals to be determined by the Data Protection Lead) or if it is required for another purpose.
Unless you have been made specifically aware of another lawful basis being appropriate through our policies or by the Data Protection Lead, Explicit Consent will be required for any processing of Special Categories of Personal Data, automated decision making and overseas transfers. Explicit Consent requires the use of a Fair Processing Notice issued by the Data Protection Lead.
All Consents given must be evidenced by recording:
- The technical method of how Consent was acquired (e.g. by a web-form, email or in person);
- what you told the individual about the processing when Consent was given; and
- when (and where, if applicable) it was acquired.
Data Protection Legislation requires us to provide individuals with detailed and specific information about how we use their Personal Data. This applies even where we might be processing the Personal Data on behalf of another Data Controller.
Some of this information is already provided to individuals by our Privacy Notices and Fair Processing Notices. These are, and must be, clear, concise, intelligible and easy to access.
Where we collect Personal Data directly, we must inform an individual (including employees, workers and contractors) of who the Data Controller is, how and why we use, processor, disclose, protect and retain their Personal Data at the time of, or before collection.
Where we receive Personal Data indirectly (for example, from a third party or public source), you must inform the individual in the same away as above, as soon as possible upon receipt, and no later than at the time it is first used or within thirty (30) days. You must also be satisfied that the third party has collected the Personal Data legitimately and in a way that allows us to use it for our purpose. This could be guaranteed by contractual arrangements, but such guarantees will not protect us if you or we become aware or should have been aware that those guarantees are being breached.
You must use the notices and information that we provide in order to inform individuals in a way we can be confident is compliant. If you have any doubts as to a notice’s compliance, or do not believe you have the material necessary to inform individuals appropriately, you must contact the Data Protection Lead.
Personal Data must only be collected, used or retained for specific, explicit and legitimate purposes that an individual is made aware of at the time of collection. Any further processing must not be in addition to or incompatible with those purposes.
You must inform an individual of any new purposes you wish to use that Personal Data for and obtain Consent where necessary.
Personal Data must be adequate, relevant and limited to what is necessary to achieve the purposes for which it was collected.
You may only process Personal Data when it is required for your role. Processing unrelated to your role is strictly prohibited.
You must ensure that the Personal Data you collect is adequate for the intended purposes, and not excessive for achieving those purposes in pursuit of your duties.
If any Personal Data, including specific elements of Personal Data, is no longer required for the specified purposes, you must ensure it is deleted or (where possible) anonymized. All Personal Data must be handled in accordance with our data retention guidelines (see 9).
Personal Data must be accurate and, where appropriate, kept up-to-date. It must be corrected or deleted without delay if it is found to be inaccurate (including out-of-date).
You must check the accuracy of Personal Data at the point of collection and at regular intervals afterwards, as determined by the Data Protection Lead. You must take reasonable steps to delete or fix inaccurate Personal Data upon discovery.
Personal Data must be removed or, where possible, anonymized after the purpose for which it is being processed has expired.
This section applies to Personal Data that might be held to satisfy legal, accounting or reporting requirements, which you should anonymize where permitted.
ONELIVE maintains a retention policy, and you should act upon the corresponding processes (as applicable) that it dictates.
You will take all reasonable steps to destroy or delete Personal Data from systems where either the Personal Data or the system is no longer required. This could require you to oblige third parties to destroy/delete Personal Data, where applicable.
You must inform individuals of how long their information is to be held, and how that period has been determined. You should only use notices provided by us or approved by the Data Protection Lead.
Security, Integrity and Confidentiality
Protecting Personal Data
Personal Data must be secured using appropriate technical and organizational measures to protect it from unauthorized or unlawful processing, accidental loss, destruction or damage.
We have implemented and maintain safeguards appropriate to our size, scope, resources, use of Personal Data and the associated risks. These safeguards are periodically tested in order to evaluate their effectiveness.
You also play a key role in safeguarding Personal Data by following all procedures and using all technologies that we have implemented to maintain security at all times, including abiding by our Information Security Policy. You must also make sure that the way you conduct yourself in your role does not compromise the integrity of our systems, procedures or technologies.
You must maintain security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
- Confidentiality means that only those people who need to know, and are accordingly authorized, can access Personal Data.
- Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.
- Availability means that authorized users (or an individual, where applicable) can access the Personal Data when they need it for their role.
Reporting a Personal Data Breach
We must report any breach of Personal Data (defined as being an inability to guarantee compliance with 10.1a-c).
If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the Data Protection Lead and follow the procedure set-out in our Data Breach Policy. You should preserve all evidence relating to the potential Personal Data Breach.
Data Protection Legislation restricts data transfers to countries outside the EEA to maintain the integrity of the regulatory scheme. You can transfer Personal Data across borders when you transmit, send, view or access that data in or to a different country, typically over the internet. This can easily be done inadvertently, as services belonging to international organizations and utilizing foreign servers are not immediately obvious. Therefore, you must only use systems approved by ONELIVE to guarantee compliance with this policy.
You may only transfer Personal Data outside the EEA if one of the following conditions applies:
- the European Commission has issued an ‘adequacy decision’ confirming that the country to which we transfer the Personal Data ensures suitable protections;
- appropriate safeguards are in place such as binding corporate rules (BCR), ‘model clauses’ approved by the European Commission, an approved code of conduct or a certification mechanism (such as Privacy Shield) – confirmation of this can be obtained from the Data Protection Lead; or
- the Data Subject has provided Explicit Consent to the proposed transfer after being informed of the potential risks.
Rights and Requests
Individuals have the following rights when it comes to how we handle their Personal Data:
- withdraw Consent to processing at any time;
- receive certain information about the Data Controller's Processing activities;
- request access to their Personal Data that we hold;
- prevent our use of their Personal Data for direct marketing;
- ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
- restrict processing in specific circumstances;
- challenge processing which has been justified on the basis of our legitimate interests;
- request a copy of an agreement under which Personal Data is transferred outside of the EEA;
- object to decisions based solely on automated processing, including profiling (“ADM”);
- prevent processing that is likely to cause damage or distress to them or anyone else;
- be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
- make a complaint to the supervisory authority; and
- in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
You must verify the identity of an individual requesting data under any of the rights listed above and you must not allow third parties to persuade you into disclosing Personal Data without proper, verifiable authorization.
You must immediately forward the details of any ‘subject access request’ request you receive to Data Protection Lead.
- The Data Controller must implement appropriate technical and organizational measures in an effective way, to ensure compliance with data protection principles. The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles. We must have adequate resources and controls in place to ensure and document our compliance including:
- appointing an executive accountable for data privacy (the Data Protection Lead);
- implementing Privacy by Design where possible and completing DPIAs where processing presents a risk to rights and freedoms of individuals;
- integrating data protection into internal documents including this Privacy Standard, related policies and guidelines, Privacy Notices or Fair Processing Notices;
- providing regular training to you on Data Protection Legislation, this Privacy Standard and the issues contemplated in it; and
- regularly testing the security and organizational measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate a compliance improvement effort.
- Record Keeping
Data Protection Legislation requires us to keep full and accurate records of all our data processing activities.
You must keep and maintain accurate corporate records reflecting our processing including records of Data Subjects' Consents and procedures for obtaining Consents.
These records should include, at a minimum, the name and contact details of the Data Controller and their Data Protection Officer (where applicable), clear descriptions of the Personal Data types, Data Subject types, processing activities, processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data's retention period and a description of the security measures in place.
- Training and audit
We are required to ensure you have undergone adequate training to enable you to comply with Data Protection Legislation. We must also regularly test our systems and processes to assess compliance.
You must undergo all mandatory data privacy related training and ensure your team undergo similar mandatory training.
You must regularly review all the systems and processes under your control to ensure they comply with this Privacy Standard and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.
- Privacy By Design and Data Protection Impact Assessment (DPIA)
We are required to implement Privacy by Design measures when processing Personal Data by implementing appropriate technical and organizational measures in an effective manner, to ensure compliance with data privacy principles.
You must assess what Privacy by Design measures can be implemented on all programs/systems/processes that process Personal Data by taking into account the following:
- the state of the art;
- the cost of implementation;
- the nature, scope, context and purposes of processing; and
- the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the processing.
Data controllers must also conduct DPIAs in respect to high risk processing.
You should conduct a DPIA (and discuss your findings with the Data Protection Lead) when implementing major system or business changes involving the processing of Personal Data including:
- use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
- automated processing including profiling and ADM;
- large scale processing of Special Categories of Data; and
- large scale, systematic monitoring of a publicly accessible area.
A DPIA must include:
- a description of the processing, its purposes and the Data Controller's legitimate interests (if appropriate);
- an assessment of the necessity and proportionality of the processing in relation to its purpose;
- an assessment of the risk to individuals; and
- the risk mitigation measures in place and demonstration of compliance.
- Automated processing (including profiling) and automated decision-making
Generally, ADM is prohibited when a decision has a legal or similarly significant effect on an individual unless:
- a Data Subject has Explicitly Consented;
- the processing is authorized by law; or
- the processing is necessary for the performance of or entering into a contract.
If certain types of Special Categories of Personal Data are being processed, then grounds b or c will not be allowed but such Special Categories can be processed where it is necessary (unless less intrusive means can be used) for substantial public interest like fraud prevention.
If a decision is to be based solely on automated processing (including profiling), then individuals must be informed when you first communicate with them of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information. Further, suitable measures must be put in place to safeguard the individual’s rights and freedoms and legitimate interests.
We must also inform an individual of the logic involved in the decision making or profiling, the significance and envisaged consequences and give the individual the right to request human intervention, express their point of view or challenge the decision.
A DPIA must be carried out before any automated processing (including profiling) or ADM activities are undertaken.
- Direct marketing
We are subject to certain rules and privacy laws when marketing to our customers.
For example, a consumer’s prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing consumer customers known as "soft opt in" allows us to send marketing texts or emails if we have obtained contact details in the course of a sale to that person, we are marketing similar products or services, and we gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.
The right to object to direct marketing must be explicitly offered to consumers or business contacts whose Personal Data is used (typically their name) in an intelligible manner so that it is clearly distinguishable from other information.
An individual’s objection to direct marketing must be promptly honored. If a consumer customer or named business contact opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
- Sharing Personal Data
Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
You may only share the Personal Data we hold with another employee, agent or representative of our group (which includes our subsidiaries and our ultimate holding company along with its subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
You may only share the Personal Data we hold with third parties, such as our service providers if:
- they have a need to know the information for the purposes of providing the contracted services;
- sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the individual’s Consent has been obtained;
- the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- the transfer complies with any applicable cross border transfer restrictions; and
- a fully executed written contract that contains GDPR approved third party clauses has been obtained.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of Personal Data relating to them.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the processing of Personal Data.
Data Protection Legislation: all applicable laws and regulations relating to the processing of Personal Data and privacy including the Data Protection Act 1998, the General Data Protection Regulation 2016/679, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated. The terms “Personal Data”, “Personal Data Breach”, “Data Protection Officer”, “Data Controller”, “Data Processor”, “Data Subject”, “Special Categories of Personal Data” and “process” (in the context of usage of Personal Data) shall have the meanings given to them in the Data Protection Legislation. “Data Protection Lead” is the title given to the member of staff leading our data protection compliance program in lieu of a requirement for a Data Protection Officer.
EEA: the 28 countries in the EU, and Iceland, Liechtenstein and Norway.
Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymized Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behavior.
Privacy by Design: implementing appropriate technical and organizational measures in an effective manner to ensure compliance with the GDPR.
Pseudonymization or Pseudonymized: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.