Rotarex S.A. and its Companies ("Rotarex Group") seek to ensure and demonstrate compliance with the applicable provisions of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; "GDPR") and the National Data Protection Law of Luxembourg of 1st August 2018 (effective date 20th August 2018), and thereby to minimize the legal liability, regulatory risk and brand and reputational exposure arising from potential infringements. Moreover, this policy facilitates business integration and consolidation by ensuring that privacy practices across the Rotarex Group are consistent, aligned and designed to meet the business objectives.
This Policy applies, subject to and in accordance with any applicable legal or regulatory requirement, to all business partners (e.g. customers, clients, suppliers).
2.2 Material scope
This Policy applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data.
2.3 Territorial scope
This Policy applies to the processing of personal data in the context of the activities of an establishment of Rotarex Group or a data processor in the EU, regardless of whether the processing takes place in the EU or not.
Rotarex Group will comply with the GDPR to the extent that Rotarex processes personal data in the context of an establishment in the EU and, where applicable, as a non-EU entity where it offers goods/products/services to, or monitors the behavior of, individuals in the EU.
Rotarex Group: Rotarex S.A. and its companies, i.e. a group of companies consisting of parent and subsidiary corporations.
Personal data: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymisation: processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Filing system: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; it shall be Rotarex Group's sub-contractor.
Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent of data subject: any freely given, specific, informed and unambiguous indication of the data subject's (i.e. employee, customer, vendor, supplier) wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Representative: a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under GDPR.
Binding Corporate Rules ("BCR"): personal data protection policies which are adhered to by Rotarex Group as data controller, or by any other data processor established on the territory of a Member State, for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
Supervisory Authority: the National Commission for Data Protection (Commission Nationale pour la Protection des Données; "CNPD"), an independent public authority established by the Grand Duchy of Luxembourg.
4. PRINCIPLES, LAWFULNESS OF PROCESSING
These Principles are required to be followed in conjunction with the Business Rules.
4.1 Lawfulness, fairness and transparency
Rotarex Group processes personal data fairly and in a transparent manner in relation to the data subject.
4.2 Legitimate business purposes
Rotarex Group collects personal data for specified, explicit and legitimate purposes and does not further process it in a manner that is incompatible with those purposes. Rotarex Group provides insight into the processing it considers to be in its legitimate interests and has established guidance on how to assess and qualify the Company's business interests as a legitimate basis for personal data processing.
4.3 Lawful processing grounds
Rotarex Group only processes personal data in a lawful manner and to the extent that it can be based on a legitimate processing ground, i.e. insofar as the processing is necessary for the performance of a contract, for the purposes of Rotarex Group's legitimate interests, for compliance with a legal obligation, for tasks carried out in the public interest, in order to protect the vital interests of an individual, or if an individual has given his/her consent to the processing.
4.4 Secondary use of personal data
Rotarex Group ensures that, whenever personal data is processed for other purposes than those initially collected for, the compatibility of such secondary usage is assessed in a verifiable manner. This is to ensure that personal data is processed in accordance with the "purpose limitation" principle and individuals are adequately informed of such secondary use.
4.5 Data minimization
Personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4.6 Accuracy
Personal data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
4.7 Storage limitation
Personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
4.8 Integrity and confidentiality
Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
In summary, personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject; collected only for specified, explicit and legitimate purposes; adequate, accurate, relevant and limited to those purposes; and processed in a manner that ensures appropriate security of the personal data.
Rotarex Group will consider any information (including pseudonymized information) relating to an identified or identifiable natural person, processed wholly or partly by automated means or which is (intended to be) part of a filing system, as personal data within the material scope of the GDPR. This includes pseudonymized data, but excludes data that has been rendered anonymous. Rotarex Group further defines a clear scope of the personal data that are particularly sensitive in nature and that require specific protection.
5. CONSENT CONDITIONS
Rotarex Group shall only process personal data on the basis of the individual's consent where this is the most appropriate data processing ground. The individual's consent shall be collected in a lawful, transparent and fair manner, in an intelligible and easily accessible form, using clear and plain language.
For each processing activity of personal data that is based on the lawful processing ground of consent, Rotarex Group shall ensure that it is able to demonstrate that the individual has given his/her consent to the processing operation in a compliant manner, by maintaining an effective audit trail of the consent-giving process.
Where data processing is based on the data subject's consent, Rotarex Group is able to demonstrate that the data subject has consented to the processing of his/her personal data. Consent should therefore be recorded when it is given to Rotarex Group, in order to demonstrate and provide evidence that, and how, consent was given. This means that Rotarex Group must use an effective audit trail of the process deployed for obtaining consents and keep it up to date.
Rotarex Group should, on a case-by-case basis, define the most appropriate solution for recording consent in situations where it collects personal data based on consent as the processing ground.
These Business Rules aim to provide guidance on how to ensure that the consent relied upon can be demonstrated (upon request). They focus on the three most common scenarios for obtaining consent: consent being given (i) in written form (electronically and/or paper-based), (ii) online and (iii) verbally.
The following Business Rules are formulated by the Rotarex Group Data Privacy Officer and approved by the Rotarex Group Executive Committee, and will be reviewed on an annual basis. Any changes to these Business Rules shall be approved by both the Rotarex Group Data Protection Officer and the Rotarex Group Executive Committee.
5.1 Business rules on consent recording
Rotarex Group is adhering to the following business rules:
(i) The texts in forms and (call) scripts, with which consent is being requested, must be approved by the Rotarex Group Data Protection Officer.
(ii) Rotarex Group keeps a record of (a) for what purpose, (b) from whom (at the individual level), (c) when, and (d) how consent was obtained.
(iii) Rotarex Group keeps a record of what individuals were informed about at the time the consent was obtained (the actual text of the consent language on the basis of which an individual gave his/her consent). Therefore, a complete revision history of (a) the relevant privacy statements or notices, as well as (b) the consent information, must be recorded. This applies at least to the privacy statement, privacy notice and data retention policy.
(iv) Data that is processed based on consent as the processing ground should be timestamped or dated so that it can be compared with the timestamp or date recorded when the consent was given. This should allow Rotarex Group to demonstrate which data was obtained through consent, and as of when.
(v) Rotarex Group should act on withdrawals of consent without undue delay, i.e. stopping the processing activities based on it, erasing personal data according to the applicable data retention policy and updating the consent registry. For each consent-based processing, a consent-withdrawal process should be implemented and tested.
(vi) The Rotarex Group Data Protection Officer will review the consent registry on an annual basis to check whether the recorded consents are still valid.
(vii) Rotarex Group should preferably use a consent management system as a consent registry; i.e. an IT system that manages and records individual consent. If not feasible, Rotarex Group should document the alternative process, as well as the reasons for not using a designated consent management system.
5.1.1 Audit trail
Good records help Rotarex Group to demonstrate that the consent relied upon was given in a valid manner. They will also enable Rotarex Group to monitor and process any withdrawals and/or consent renewals/reaffirmations as appropriate. Rotarex Group must keep a record of the process followed to obtain consent, to be able to demonstrate on a case-by-case basis that the individual has indeed consented to the data processing in question. Evidence of the following details should be kept:
5.1.2 What is covered
As consent should be specific, explicit and "unbundled", the records need to be specific to ensure that the scope of the consent can be demonstrated in a sufficiently detailed manner. Unbundled consent means that the individuals are offered the opportunity to give their consent to different types of data processing, as opposed to having to choose between consenting to or objecting against all the data processing activities.
5.1.3 Who consented
Rotarex Group records who consented and keeps at least the name of the individual and/or another identifier (e.g. online user name, session ID, or other attribute). As a matter of good practice, Rotarex Group should confirm each consent with an e-mail (or postal) message to the consenting individual.
5.1.4 When consented
For written (including electronic) consent, Rotarex Group needs to keep a timestamped or dated copy of the document in question. Online records need to be timestamped as well to prove when the record was entered. For an orally given consent, a note of the details, including at least the time and date, of the conversation needs to be recorded at the time of the conversation.
5.1.5 How consented
For written consent, a copy of the relevant document should be kept. For online consent giving, the records should include the means of consenting (e.g. ticking a box, or altering a technical setting in the browser), together with the timestamp to link it to the relevant version of the data capture form. If consent was given orally, it should be recorded at the time of the conversation.
5.1.6 Content of notice
Rotarex Group keeps a copy of the (written) document or (online) data capture form containing the consent statement (e.g. the privacy notice) in use at the time consent was given, along with any privacy policies that might have been referred to, including version numbers and dates matching the timestamp or date on which consent was given. If consent was given orally, records should include a copy of the (call) script used at that time.
5.1.7 What data collected
For the processing of personal data it is important to record which data has been collected based on consent as the lawful ground. Therefore, a timestamped/dated copy of the data capture form should be kept with the written consent. If consent was given online, the timestamp should be recorded and the consent record should point to the data stored in the source system. If consent was given orally, this should be recorded at the time of the conversation (the conversation does not need to be recorded verbatim).
5.1.8 Refreshing existing consents
It is not required to completely refresh all existing consent relations with individuals in preparation for the GDPR. Consent which has been obtained to date under current national data protection law continues to be valid insofar as it is in line with the conditions laid down in the GDPR. As the GDPR requires that Rotarex Group should be able to demonstrate that valid consent was obtained, all presumed consents of which no references are kept will automatically be below the consent standard and will need to be renewed.
5.1.9 Maintaining audit trail
Rotarex Group should annually check its records to see whether the consents are still valid. As consent may be withdrawn at any time, each time a consent is withdrawn the related consent registration record must be updated. Processes or systems should be adapted to ensure that further processing of the data at hand will cease. Often, personal data of which the associated consent has expired needs to be deleted or anonymized, as there is no longer a legal ground for the processing. Timeframes for processing the withdrawal and erasing the related personal data should be specified in the data retention policy.
5.2 Children's consent
Rotarex Group complies with the requirements of the GDPR and therefore does not collect any information from anyone under 16 years of age. Rotarex Group's websites, products and services are all directed to people who are at least 16 years old.
6. SPECIAL CATEGORIES - SENSITIVE PERSONAL DATA
Rotarex Group does not process sensitive personal data (GDPR Art. 9) relating to its business partners (see 2.1).
7. RIGHTS OF DATA SUBJECTS
7.1 Subject access request
Rotarex Group acknowledges and complies with the data subjects' right to obtain confirmation as to whether personal data concerning them are being processed and, if that is the case, to access the personal data pertaining to them.
7.2 Right to rectification
Rotarex Group acknowledges and complies with the data subjects' right to rectify inaccurate or incomplete personal data about them that is processed by Rotarex Group as a data controller.
7.3 Right to erasure (Right to be forgotten)
Rotarex Group acknowledges and complies with the data subjects' right to erasure of their personal data on request, if data (i) is no longer necessary, (ii) consent has been withdrawn, (iii) there is no overriding lawful processing ground for continuing the processing, (iv) was unlawfully processed, (v) shall be erased to comply with a legal obligation that applies; or (vi) is processed in relation to the offer of information society services to a child.
7.4 Data portability
Rotarex Group acknowledges and complies with the data subject's right to receive the personal data which he/she has provided to the company, in a structured, commonly used and machine-readable format, and to have this data transmitted to the data subject or to another data controller if requested.
7.5 Restriction of processing
Rotarex Group acknowledges and complies with the data subject's right to obtain restriction of processing of his/her personal data.
7.6 Responsible disclosure
When dealing with requests from data subjects to access, delete or restrict the use of their personal data, Rotarex Group is aware that these rights may be restricted under certain circumstances and will verify whether a restriction ground applies whenever an individual exercises his/her right(s) under the GDPR.
7.7 Identification of data subject
Rotarex Group verifies with the utmost care the identity of any data subject requesting access, rectification, deletion, restriction or portability of, or objecting to the use of, their personal data. This is to prevent personal data from being disclosed or altered without authorization, either accidentally or as a result of deception.
7.8 Submission of complaint
The data subject has the right to lodge a complaint with the Data Protection Commissioners' Office (Commission nationale pour la protection des données/CNPD, 1, avenue du Rock'n'Roll, L-4361 Esch-sur-Alzette, Luxembourg) if (s)he believes that Rotarex Group has not complied with the requirements of the GDPR or the DPA with regard to his/her personal data.
8. DATA TRANSFER
8.1 International data transfer
Rotarex Group ensures that the level of protection of data subjects is guaranteed where personal data is transferred to other countries, including for onward transfers. The international transfer of personal data to countries outside the EU/EEA may only take place: (i) where the European Commission (EC) has decided that such country (or territory or one or more specified sectors within that country) ensures an adequate level of data protection, or (ii) where the European Commission (EC) has not decided that such country (or territory or one or more specified sectors within that country) ensures an adequate level of data protection, on the basis of appropriate data transfer mechanisms.
9. PERSONAL DATA INVENTORY
9.1 Register of Processing
Rotarex Group maintains records of personal data processing activities under its responsibility and makes those records, on request, available to the supervisory authorities. Rotarex Group is able to identify what special categories of data, or sensitive personal data is processed across the organization.
9.2 Personal data location register
Rotarex Group maintains a data location register which keeps an overview of the personal data that are held in the company's IT systems. The register holds information on the business/system owner, where the applications or systems are hosted and where personal data is stored physically.
9.3 Data retention
Rotarex Group shall only retain personal data for as long as this is reasonably necessary related to the purpose of processing and shall delete such data afterwards or render it anonymous. In determining the appropriate data retention period, Rotarex Group shall take into account specific data retention obligations arising from other laws than the GDPR, which laws may prohibit the deletion of data before expiry.
10. PRIVACY IN OPERATIONS
10.1 Permission management
Rotarex Group has established guidance on the transparency and permission controls required for processing personal data in the business context. The strictness of the required controls will be determined on the basis of the level of privacy invasiveness of the business purpose and the (sensitive) nature of the personal data.
10.2 Profiling
Rotarex Group balances the economic and societal value of profiling with the individual's right to privacy. Rotarex Group shall limit or prevent profiling where this could discriminate against the individual or cause other legal or similar negative effects on them.
10.3 Privacy by Design
When developing or selecting products or services that process personal data, Rotarex Group considers the privacy-by-design principles and requirements laid down by the GDPR right from the start.
10.4 Privacy Impact & Risk Assessment
Rotarex Group takes the responsibility to assess the privacy impact and risk of business processes and systems holding and processing personal data to ensure, and to be able to demonstrate, that personal data processing is unlikely to result in a high risk to the rights and freedoms of individuals.
10.5 Privacy requirements baseline
Rotarex Group takes the responsibility to implement appropriate technical and organizational measures into business processes and systems holding and processing personal data to ensure, and to be able to demonstrate, that personal data is processed in accordance with the GDPR.
11.1 Pseudonymization and anonymization
Where appropriate, pseudonymization of personal data is used as a measure to reduce the risks of personal data processing operations, and anonymization of personal data is used as an alternative to deletion of personal data.
11.2 Authority disclosure
Rotarex Group considers disclosure of personal data to public authorities as a potential risk to the rights and freedoms of individuals. Rotarex Group handles such requests with the utmost care, in accordance with its authority disclosure process.
12.1 Third-party processing
Where Rotarex Group processes personal data together with other parties, or on another party's or Rotarex Group's behalf, Rotarex Group ensures that appropriate contractual arrangements are made with such other parties. This applies with respect to third parties as well as in the intra-group context.
12.2 Joint controllership arrangements
Where Rotarex Group qualifies as a data controller jointly with others, appropriate arrangements will be made with such joint controller(s) to determine their respective responsibilities for compliance with the obligations of the GDPR.
12.3 Data processor agreement
Where Rotarex Group qualifies as a data controller and instructs another party to process personal data on its behalf as a data processor, or where Rotarex Group qualifies as a data processor and instructs another party to process personal data on its behalf as a sub-processor, Rotarex Group shall ensure that such (sub)processor processes such data pursuant to instructions from the Rotarex Group.
12.4 Vendor privacy risk management assessment
Because Rotarex Group relies on vendors for delivering products, services and solutions, as well as for supporting the Rotarex Companies' business processes, Rotarex Group applies a procedure to review the privacy management capability of such vendors at an early stage in the procurement process.
13. PRIVACY NOTICES
13.1 Layered privacy notice
Rotarex Group is transparent about processing of personal data and is determined to provide information relating to the processing of such data to data subjects in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
13.2 Just in time notice
Rotarex Group ensures that, upon collection and processing of personal data, the individual is informed of the existence of the processing operation and its purposes in compliance with the GDPR. Rotarex Group will strive for customizing the information content and information provision process to fit the needs of the targeted individuals as much as possible.
14. DATA BREACH MANAGEMENT
Rotarex Group ensures that it is prepared to act appropriately and promptly on data breaches, as defined under the GDPR. This includes the obligation to notify personal data breaches to supervisory authorities and/or to the individuals concerned, where applicable.
15. DATA PROTECTION OFFICER
Rotarex Group ensures that the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
Name: Dr. Timea Barta
Address: 24 rue de Diekirch, L-7440 Lintgen
Postal address: B.P. 19, L-7505 Lintgen
Telephone: +352 32 78 32 613