PRIVACY POLICY
PRIVACY AND DATA PROTECTION
Last updated: May 24, 2018
Royal HaskoningDHV – Privacy Policy v2.2 - Internal Use Only

Policy statement:
Royal HaskoningDHV Group (further: “RHDHV”) needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the organization has a relationship with or may need to contact. Royal HaskoningDHV ensures that it:
➢ Complies with privacy and data protection law and follows good practice;
➢ Protects the rights of individuals;
➢ Is open about how it stores and processes individuals’ data; and
➢ Protects itself from the risks of a data breach.

Contents:
➢ 1. Binding Corporate Rules (“BCR”)
➢ 2. About this Privacy Policy
➢ 3. What personal data do we collect, how, and with what purpose
➢ 4. Data storage and security
➢ 5. Retention Policy
➢ 6. Data Subject Rights
➢ 7. Internal communication & training
➢ 8. Responsibility
➢ 9. General staff guidelines
➢ 10. Data breach procedure and register

This is the privacy policy for Royal HaskoningDHV and associated applications, projects and processes. Royal HaskoningDHV is committed to protecting the privacy and confidentiality of the information entrusted to us. That means that Royal HaskoningDHV aims to safeguard the protection and correct use of your personally identifiable information (referred to as ‘personal information’). Changes in the privacy policy will be mentioned at the top of this document.

Contact us:
For privacy related queries, including correction requests, access requests and complaints, people can contact our Corporate Privacy & Data Protection Officer (CDPO) via dataprotection@rhdhv.com.

1. Binding Corporate Rules (“BCR”)
Binding Corporate Rules, so-called “BCR”, are the system of privacy principles, rules and tools based on European law that govern data privacy at Royal HaskoningDHV. BCR represent today’s best practice for meeting data protection requirements for the transfer of personal data within a group of companies. To be legally effective, the BCR need to be approved by EEA Data Protection Agencies. Royal HaskoningDHV is currently in the process of applying for approval. Royal HaskoningDHV has the Dutch authority as the “lead” authority. More information on BCR can be found on the official European site.

2. About this Privacy Policy
This privacy policy is applicable to the processing and controlling of all personal data of Business Contacts of Royal HaskoningDHV and its group companies. ‘Business Contacts’ or ‘you’ means each individual whose personal data is processed by Royal HaskoningDHV in the scope of delivering services to clients, recipients of commercial messages of Royal HaskoningDHV, receiving services from suppliers, providing services together with business partners and internal operations. This includes people working at Royal HaskoningDHV.

3. What personal data do we collect, how, and with what purpose

3.1 Collection of personal data:
Royal HaskoningDHV collects personal information from internal as well as external data subjects for processing. By internal data subjects we mean Royal HaskoningDHV Group B.V., all entities and branches of RHDHV, all staff and all business partners, suppliers and other people working on behalf of RHDHV. External data subjects are individuals that are not working for RHDHV, like customers, visitors, etc.

3.2 Principles for the processing of personal data:
Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with the General Data Protection Regulation [1], not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data limitation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the General Data Protection Regulation [2], subject to implementation of the appropriate technical and organizational measures required by applicable privacy and data protection regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

[1] In accordance with Article 89 of the General Data Protection Regulation.
[2] In accordance with Article 89 of the General Data Protection Regulation.

3.3 Data collection internal data subjects:
To conduct business globally and comply with government regulations (employment, tax, insurance, etc.), we collect various personal and other data depending on employment responsibilities, citizenship, location of employment, and other factors. Paragraph 3.3.1 lists the information that is collected. If an employee sends any unsolicited data to RHDHV by any means, he/she explicitly consents to storage, destruction, processing, disclosure, and/or any other use by RHDHV. Most of the personal information RHDHV processes is information that employees knowingly provide to us. However, in some instances, we process personal information that we are able to infer about employees based on other information they provide to us or on our interactions with them, or personal information about employees that we receive from a third party with their knowledge.

3.3.1 What personal data do we collect from internal data subjects:
Through the purpose and nature of our employment of staff and engagement with directly employed contractors we may collect the following information:
➢ Name, address and personal contact details including private phone number and private email address;
➢ Date and place of birth;
➢ Valid information to verify employees’ identity, including copies of photographic ID such as copies of employees’ passport or identity card including the personal details printed on the ID;
➢ Valid information to verify employees’ right to work in Europe, such as residence and work permits or visa;
➢ Vocational qualifications and competence evidence that supports employees’ ability to undertake assigned tasks, e.g. diplomas, professional certificates, and charters;
➢ Health data relating to employees’ occupational health;
➢ In Case of Emergency (ICE) contact details;
➢ References – prior to the commencement of employment;
➢ Tax and National Insurance details;
➢ Bank details for remuneration purposes;
➢ Performance appraisal information for the completion of employees’ duties whilst in the employment of RHDHV.

3.3.2 Purposes for which RHDHV processes personal data from internal data subjects:
Our HR process contains a Personal Data Inventory (HR Management Information System) mechanism that enables us to:
➢ Map the data we hold for internal HR purposes;
➢ Ensure its suitability and accuracy;
➢ State our retention obligations;
➢ Identify the sources from which the data will be obtained;
➢ State the storage mechanisms used to retain such data and protect it from unauthorized access or disclosure;
➢ Enable internal data subjects to exercise their Data Subject Rights.

3.3.3 Disclosure of data:
We may disclose employees’ personal information in the following circumstances:
➢ Requests and investigations by Official Regulators – We may disclose any data about employees when, in our opinion, such disclosure is necessary to prevent crime or fraud, or to comply with any statute, law, rule or regulation of any governmental authority or any order of any court of competent jurisdiction.
➢ Third-party service providers – We may, from time to time, outsource some specific operations to specialist third-party service providers. In such cases, it will be necessary for us to disclose employees’ data to those service providers. In some cases, the service providers may collect data directly from employees on our behalf. We restrict how such service providers may access, use, disclose, and protect that data through a Data Processing Agreement.
➢ Business transfers – As we continue to develop our business, we might sell or buy companies, subsidiaries, or business units. In such transactions, data generally is one of the transferred business assets but remains subject to the protections in any pre-existing privacy statement and applicable legal requirements. Also, in the unlikely event that RHDHV or all of its assets is acquired, employees’ data may be one of the transferred assets.
➢ Protection of RHDHV and others – We may release data when we believe release is appropriate or necessary to conduct the company’s business, comply with the law, enforce or apply our policies and other agreements, or protect the rights or safety of RHDHV, our employees, or others.

3.3.4 Sensitive data internal data subjects:
RHDHV does not actively seek to obtain or process sensitive data about our staff other than from the sources listed above and limited to what is legally required. Sensitive data communicated to RHDHV by the data subject regarding health matters will be maintained under the strictest confidentiality and protected against unauthorized access. Any such sensitive data outside of these sources will only be obtained as a result of performance review, managing business continuity or due to matters relating to employment. Such information, if collected, will only be retained by the business if it relates to ongoing disciplinary or litigation obligations and shall be deleted upon end of employment in order to protect the data subject rights and basic Human Rights of the data subject. For some sensitive or strategic Governmental projects RHDHV has to provide a Statement on Good Behaviour of the involved data subject. The employee background check for this statement is executed by the applicable Governmental Investigative Authority.

3.4 Data collection external data subjects:
RHDHV will usually obtain personal data from the data subject directly or via the relevant client, supplier or business partner. Their personal data may also be obtained by RHDHV via public sources, including official sanction, debarment and professional suspension lists, trade registers and online social media like LinkedIn. We collect personal data when data subjects or parties they represent:
➢ register for an account on the RHDHV services;
➢ contract with RHDHV for delivering products/services;
➢ attend events;
➢ take part in surveys within projects we execute;
➢ sign up for RHDHV newsletters;
➢ post in the RHDHV online community or social media;
➢ access RHDHV sites, through cookies;
➢ contact us via email, social media, our apps or similar technologies, or mention/tag us on social media.

3.4.1 What personal data do we collect from external data subjects:
The following categories of personal data from external data subjects are processed by RHDHV for the purposes described in paragraph 3.4.3:
➢ Name;
➢ Work email, phone number and address;
➢ Job function or position;
➢ Picture or video (only when required or voluntarily submitted);
➢ Company and communication details;
➢ Correspondence between the data subject and RHDHV;
➢ Information to check identity (only when required);
➢ Their relationship with RHDHV;
➢ Credibility of their business;
➢ Online available information (information on the processing of personal data that is collected via cookies or similar technologies can be found in the cookie policy on the RHDHV websites);
➢ Other personal information provided by data subjects to give substance to their requests.

3.4.2 Sensitive data external data subjects:
In the course of the business relationship between the data subject and RHDHV, RHDHV may need to collect certain data seen as ‘sensitive’ personal information. Such sensitive data shall only be used within the strict limits set out by applicable local law. Such sensitive data processing activities conducted by RHDHV may, in accordance with applicable local requirements, include the following:
➢ Their image may be processed by RHDHV in as far as necessary for identification, for site access and security reasons and for the identification and authentication of clients, suppliers or business partners;
➢ Data relating to criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour may be processed by RHDHV in as far as necessary for assessment and acceptance of clients, suppliers or business partners, for the protection of the rights, interests and assets of RHDHV, its employees and clients, suppliers and business partners and to comply with applicable legal obligations;
➢ Physical or mental health data may be processed by RHDHV in as far as necessary for compliance with RHDHV’s duty of care towards clients, suppliers and business partners and for the protection of their vital interests.
For some sensitive or strategic Governmental projects RHDHV has to provide a Statement on Good Behaviour of the involved data subject. The background check for this statement is executed by the applicable Governmental Investigative Authority.

3.4.3 Purposes for which RHDHV processes personal data from external data subjects:
RHDHV processes personal data from external data subjects for the purposes set out below. If RHDHV processes personal data for purposes other than those listed in this Privacy Policy, data subjects will be informed thereof separately where required and consent will be sought if applicable local law so requires.
➢ Assessment and acceptance of a third party (e.g. clients, subcontractors, suppliers and business partners), conclusion and execution of agreements with third parties. This purpose includes processing of personal data that is necessary in connection with assessments and acceptance of third parties, including confirming and verifying the identity of relevant business contacts (this may involve the use of a credit reference agency or other third parties), conducting due diligence and screening against publicly available government and/or law enforcement agency sanctions lists (e.g. for compliance requirements). This purpose also includes the processing of personal data necessary to conclude and execute agreements with clients, suppliers and business partners, including screening activities (e.g. for access to RHDHV’s premises or systems), delivery of customer services, and to record and financially settle delivered services to and from RHDHV.
➢ Development and improvement of RHDHV’s services. This purpose addresses processing of personal data that is necessary for the development and improvement of RHDHV services and for research and development. This includes processing of business contacts’ personal data for surveys and reviews.
➢ Relationship management and marketing. This purpose includes processing of personal data that is necessary for activities such as maintaining and promoting contact with clients, suppliers and business partners via marketing communications, account management, customer services, execution and analysis of market surveys and marketing strategies.
➢ Business process execution, internal management and management reporting. This purpose includes processing of personal data that is necessary for the management of company assets, conducting audits and investigations, finance and accounting, implementing business controls, providing central processing facilities for efficiency purposes and managing mergers, acquisitions and divestitures. This purpose also includes processing personal data for management reporting and analysis, archiving and insurance, legal or business consulting and preventing, preparing for or engaging in dispute resolution.
➢ Health, safety, security and integrity purposes. This purpose includes the processing of personal data that is necessary for the protection of the rights, interests and assets of RHDHV and its employees, clients, suppliers and business partners and activities such as those involving health and safety. It also includes the authentication of client, supplier or business partner status and access rights.
➢ Compliance with the law. This purpose includes the processing of personal data that is necessary for the performance of a task carried out to comply with a legal obligation to which RHDHV is subject, including the disclosure of personal data to government institutions or supervisory authorities in relation thereto.
➢ Protection of the vital interests of business contacts. This purpose includes the processing of personal data that is necessary to protect the vital interests of the data subject as business contact.

4. Data storage and security
Data should always be stored safely. Our rules are described in the IT Security Policy, which can be found on Insight (RHDHV intranet) and is embedded in the corporate policies, processes, and standards.

5. Retention Policy
The information from internal and external data subjects shall be retained and destroyed according to our Retention Policy and in compliance with applicable laws and regulations. The Retention Policy can be found on Insight (RHDHV intranet) and is embedded in the corporate policies, processes, and standards. For specific applications, projects and programmes, the Retention Policy is published in the applicable Privacy Notifications.

6. Data Subject Rights
Both internal and external data subjects have Data Subject Rights. RHDHV has a Data Subject Rights Policy available on Insight (RHDHV intranet) which is in compliance with applicable laws and regulations. For specific applications, projects and programmes, the Retention Policy is published in the applicable Privacy Notifications. The following is a summary of the Data Subject Rights. The Data Subject Rights include:
➢ The right to be informed – encompasses the obligation to provide ‘fair processing information’, typically through a Privacy Notice. It emphasizes the need for transparency over how RHDHV uses personal information;
➢ The right of access – data subjects have the right to access their personal data, so that they are aware of, and can verify the lawfulness of, the processing of the information by RHDHV;
➢ The right of rectification – data subjects are entitled to have their personal data rectified if it is inaccurate or incomplete;
➢ The right to erasure – the right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable a data subject to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This right does not provide an absolute ‘right to be forgotten’;
➢ The right to restrict processing – data subjects have the right to restrict processing when they contest the accuracy of the personal data (until the accuracy is verified), when they object to the processing and the organization’s legitimate grounds cannot override those of the data subject, or when processing is unlawful;
➢ The right to data portability – allows data subjects to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one place to another in a safe and secure way, without hindrance to usability;
➢ The right to object – data subjects have the right to object to their personal data being processed. RHDHV must stop processing the personal data unless it can demonstrate compelling legitimate grounds for the processing (which override the interests, rights and freedoms of the data subject) or the processing is for the establishment, exercise or defense of legal claims;
➢ The rights related to automatic decision making – the GDPR provides safeguards for data subjects against the risk that a potentially damaging decision is taken without human intervention.
If a data subject wants to use his or her rights, they can contact RHDHV’s DPO by sending the request to dataprotection@rhdhv.com. We may need to request specific information from the requester to help us confirm their identity or to specify their request; this is done via the Subject Access Request Form provided by the DPO when a request comes in.

7. Internal communication & training

7.1 GDPR Insight (intranet) page:
To provide all employees within RHDHV with the needed information, policies, guidance documents, quick reference cards, and forms regarding GDPR, an Insight (intranet) page is available which includes all the mentioned documents. This page can be reviewed when employees have questions or encounter a problem. This page is managed by the CDPO and is called ‘privacy & data protection (GDPR)’.

7.2 GDPR Yammer group:
Yammer is the internal digital network within RHDHV that helps staff to stay updated, post messages, and interact with colleagues. A GDPR specific group, where the CDPO and Corporate Information Security Officer post information, is available for people to stay updated on the GDPR topic but is also suitable for asking questions regarding GDPR. The CDPO will make sure questions are answered as quickly as possible. Besides information sharing, this page will be used for announcements about changes in policies or procedures, if there are any.

7.3 GDPR awareness training:
To make everyone aware of GDPR and their responsibilities related to GDPR, there is a GDPR pitch available for managers to share/present with their staff. This pitch can be found on the GDPR Insight page. This pitch explains the fundamentals of the GDPR and the way RHDHV wants to be compliant with the regulation. Management is required to make their staff aware and informed. When assistance is required, they can ask the CDPO, Local DPOs, Business Line Project Excellence Managers (PEM), or Local Compliance Officers (LCO).

8. Responsibility
Everyone who works for or with RHDHV has responsibility for ensuring data is collected, stored and handled appropriately. Each part of the organisation that handles personal data must ensure that it is handled and processed in line with this policy and the data protection principles. Any non-compliance with the Privacy & Data Protection Policy is a violation of our Global Code of Business Principles and will be handled as such. People who have key areas of responsibility:
➢ The Executive Board (EB) is ultimately responsible for ensuring that RHDHV meets its legal obligations.
➢ The Corporate Privacy and Data Protection Officer (CDPO) is responsible for:
  ➢ Keeping the EB updated about data protection responsibilities, risks and issues;
  ➢ Reviewing all data protection procedures and related policies;
  ➢ Arranging data protection training and advice for the people covered by this policy;
  ➢ Handling data protection questions from all staff and anyone else covered by this policy;
  ➢ Dealing with ‘subject access requests’ from individuals to see the data RHDHV holds about them;
  ➢ Checking and approving any contracts or agreements with third parties that may handle RHDHV’s sensitive data.
➢ The Corporate Information Security Officer (CISO) is responsible for:
  ➢ Ensuring all systems, services and equipment used for storing data meet acceptable security standards;
  ➢ Performing regular checks and scans to ensure security hardware and software is working properly;
  ➢ Evaluating any third-party services RHDHV is considering using to store or process data (for instance, cloud computing services).
➢ The Corporate Group Director Marketing & Communications is responsible for:
  ➢ Approving any data protection statements attached to communications such as emails and letters;
  ➢ Addressing any data protection queries from journalists or media outlets;
  ➢ Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

9. General staff guidelines
➢ The only people able to access data covered by this policy should be those who need it for their work;
➢ Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers;
➢ RHDHV will provide training to all employees to help them understand their responsibilities when handling data;
➢ Employees should keep all data secure, by taking sensible precautions and following the guidelines below;
➢ In particular, strong passwords must be used, and they should never be shared;
➢ Personal data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of;
➢ Employees should request help from their line manager or the Local Data Protection Officers if they are unsure about any aspect of data protection.

10. Data breach procedure and register

10.1 Data breach procedure:
A personal data security breach (“data breach” in short) occurs when personal data is made available to one or more third parties or individuals without the consent of the data subject, i.e. unauthorized access to, collection, use, disclosure or disposal of personal information. RHDHV has set up a ‘Data Breach and Response Procedure’ which has the purpose of setting out the processes that represent best practice in the event of a data security breach involving personal data or sensitive personal data. This procedure explains what a data breach is and the variety of contexts in which it can occur, but also how RHDHV will identify, classify, contain, recover from, assess the risk of, notify, evaluate, and respond to the data breach. This procedure document is available on Insight (RHDHV intranet).
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with the regulation [3], unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

10.2 Data breach register:
When a data breach occurs RHDHV needs to register this breach, even if the breach isn’t notified to the supervisory authority. This register is managed by the data protection officer (CDPO), who will also assess the breach and notify the supervisory authority. The notification shall at least:
➢ describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
➢ communicate the name and contact details of the data protection officer;
➢ describe the likely consequences of the personal data breach;
➢ describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The CDPO shall register any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That document shall enable the supervisory authority to verify compliance with the regulation [4].

[3] In accordance with Article 55 of the General Data Protection Regulation.
[4] In accordance with Article 33 of the General Data Protection Regulation.

RHDHV reserves the right to change, supplement and/or amend this Privacy Policy at any time, and in such case, notification will be given through our (internal) website and/or by any other methods allowed by applicable law.