
Privacy policy

 

Chapter 1: Goal and definitions

 

Goal of the privacy policy. The goal of this privacy policy is to provide insight into the legislation and regulations, the (personal) data that we collect, how we handle this data and how long it is stored. This policy is primarily aimed at employees who are involved in the processing of personal data.

 

Definitions and explanation:

  • Personal data. Any information relating to an identifiable or identified natural person (‘the data subject’). This concerns all information via which a person can be identified.
  • Processing. Any operation or set of operations which is performed upon personal data. Virtually every activity is regarded as ‘processing’.
  • Controller. A natural or legal person, public authority, agency or other body which/ who, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor. A natural or legal person, public authority, agency or other body which/ who processes personal data on behalf of the controller.
  • Recipient. A natural or legal person, public authority, agency or another body, to which/ to whom the personal data is disclosed.
  • Restriction of processing. The marking of stored personal data with the aim of limiting its processing in the future.
  • Consent of the data subject. Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/ she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him/ her. The consent given may be withdrawn by the data subject at any time. This does not affect the legitimacy of the processing conducted prior to the withdrawal of the consent.
  • Biometric data. Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person.
  • Main establishment. In principle, the main establishment is the place of the central administration of the controller. However, an exception to this is when the decisions on the (purposes and means of the) processing of personal data are taken in an establishment of the controller elsewhere within the EU. In that case, that location is considered to be the main establishment.
  • Supervisory authority. The Data Protection Authority.
  • Cross-border processing. Cross-border processing is data processing which (a) takes place in the context of the activities of establishments in more than one EU country, and/or (b) substantially affects or is likely to substantially affect data subjects in more than one EU country.

 

 

Chapter 2: Principles relating to the processing of personal data

 

Lawful, fair and transparent. The processing of personal data is only lawful if there is a legal foundation for that processing. A choice can be made from the following legal foundations:

  • Consent. The consent of the data subject must be freely given, specific, informed and unambiguous. Consent must be actively given. The controller must describe the purposes of the processing before consent is requested. The controller must be able to demonstrate that consent has been granted. Consent can be given in any form.
  • Contract. Processing is lawful if it is necessary for the execution of a contract. ‘Necessary’ means that the contract cannot properly be fulfilled without that data processing.
  • Legal duty. If the controller has a legal duty to carry out certain data processing, this processing is also lawful.
  • Vital interests. Processing is lawful if it is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Public interest/ the exercising of official authority. Processing is also lawful if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate interest. If the processing is necessary for the purposes of the legitimate interests of the controller, the processing is lawful where these interests override those of the data subject. In that case, a balanced consideration of interests must therefore take place.

 

The processing must also be fair and transparent. This means that it must be clear to the data subject what personal data relating to him/ her is processed by us. In our privacy policy we inform the data subject about which personal data we process, the purpose of the processing, the legal foundations of the processing and how long we store the personal data. By doing so, we fulfil our duty to inform.

 

Purpose limitation. The principle of purpose limitation means that we are only permitted to process personal data if we have a specific and explicit purpose for doing so. The purposes of the processing are specified in the privacy statement and the processing register. The purposes of our processing are:

  • to handle (employment) contracts;
  • to be able to communicate with our customers and suppliers;
  • to identify our employees;
  • to recruit new employees;
  • to protect our property, employees and visitors.

 

Minimal data processing. This means that we are only permitted to process personal data if this is necessary. We only process data that is necessary for our business operations. This data is recorded in the processing register.

 

Storage limitation. This means that personal data is not stored for longer than is necessary for the processing. Our storage periods are specified in this policy, in the privacy statement and in the processing register. Where we have not stated a concrete storage period, we will formulate criteria on the basis of which a storage period can be determined. Each department is itself responsible for adhering to these storage periods and for ensuring that personal data for which the storage period has elapsed is either erased or anonymized.

 

Accuracy. Personal data must be accurate and up to date. We must take all reasonable measures to erase or rectify inaccurate personal data.

 

Integrity and confidentiality. We must take technical and organizational measures to ensure that the personal data is secured in an appropriate manner. The IT department is responsible for this.

 

In short, we process personal data when:

  • we have explicitly described the specific purpose of the processing (purpose limitation);
  • there is a legal foundation for the processing (lawful);
  • the processing of the personal data is necessary (minimal data processing);
  • the storage period has not yet elapsed (storage limitation);
  • the data is accurate and up to date (accuracy);
  • the personal data is properly secured (integrity and confidentiality).

 

Chapter 3: Rights of data subjects

 

The data subject is the person whose personal data is processed by the controller and/ or the processor. Just like the customers, job applicants and suppliers, we as employees (natural persons) have certain rights relating to our personal data.

 

  1. The rights of the data subject

 

Rights of the data subject and explanation:

  • Right to information. The data subject has the right to know what personal data relating to him/ her is processed by us, what the purposes of this processing are, how long we store that data, what rights he/ she can exercise and how we secure the personal data.
  • Right of access. The data subject has the right to access his/ her personal data that is processed by us.
  • Right to rectification. The data subject has the right to request rectification (correction) of his/ her personal data. This means that we must ensure that the data in question is amended, blocked or erased. The data subject can request rectification if his/ her personal data:
    – Is factually inaccurate;
    – Is incomplete or does not match the purpose for which it has been collected;
    – Is used in another way which contravenes a law.
  • Right to restriction of the processing. The data subject has the right to restriction of the processing of his/ her personal data in the following cases:
    – The data subject indicates that the data is inaccurate;
    – The processing is unlawful and the data subject opposes the erasure of the personal data;
    – The data subject wishes to initiate, exercise or substantiate a legal claim and requires the personal data for this purpose;
    – The data subject has objected to the processing, pending the verification whether our legitimate interests override those of the data subject.
  • Right to erasure (‘right to be forgotten’). The data subject has the right ‘to be forgotten’. This also places an obligation on us. We must erase personal data ‘without undue delay’ if any of the following circumstances apply:
    – The personal data is no longer necessary in relation to the purposes for which it was collected (principle of purpose limitation);
    – The data subject withdraws the consent on which the processing is based and there is no other legal foundation for the processing;
    – The personal data has been unlawfully processed (without a legal foundation);
    – The personal data has to be erased for compliance with a legal obligation in EU or national law.
    No costs may be charged to the data subject in order that he/ she can exercise this right.
  • Right to data portability. The data subject has the right to receive the personal data relating to him/ her, which he/ she has provided to us, in a structured, commonly used and machine-readable format (e.g. an Excel file). Where the processing is based on consent or a contract and processing occurs via automated processes, the data subject also has the right to transmit that data to another organization without hindrance from us. This means that we are not permitted to attach conditions to this right to data portability.
  • Right to object and automated individual decision-making. The data subject has the right to object to processing that is based on a point of public interest or our own legitimate interest. On initial contact with a new contact person/ customer, he/ she must be informed that he/ she has the right to object to any processing on the basis of a legitimate interest, for instance when we record the gender of the customer.

 

 

  2. Rules regarding requests to exercise a right

 

Article 1. Submission of a request

  1. A request for information or to exercise a right must be sent to the Privacy Officer.
  2. The Privacy Officer handles the request and, where necessary, engages the help of colleagues or others.

 

 

Article 2. Time period to honour the request

  1. If the data subject submits a request for information or to exercise a right, we will handle this request immediately and in any event within four weeks of receipt of the request.
  2. If the data subject submits multiple requests and these requests entail greater complexity which requires more time, we can extend the time period by a maximum of two months. We will inform the data subject of this extension within four weeks, giving reasons for the increased complexity.
  3. If the request cannot be addressed within the four-week period, we will inform the data subject to this effect, within that same time period.

 

Article 3. Confirming the identity of the data subject

  1. The Privacy Officer will confirm the identity of the data subject before proceeding to handle a request. If the data subject sends in a copy of his/ her identification document, the photograph and BSN (citizen service number) must be blocked out.
  2. If the Privacy Officer is unable to determine the identity of the data subject, he/ she will request additional information in order to confirm the data subject’s identity by other means. Only if this also proves impossible can the Privacy Officer reject the request.
  3. If the data subject is not the person he/ she claims to be, the Privacy Officer will reject the request.

 

Article 4. Costs and rejection of a request

  1. No costs may be charged for the provision of information and the exercising of the rights of the data subjects, unless the request is manifestly unfounded or excessive.
  2. If a request is manifestly unfounded or excessive, a reasonable fee may be charged (administrative costs) or the request may be rejected.
    1. A request is manifestly unfounded where it clearly does not meet the conditions for a request or if the data subject requests something to which he/ she is clearly not entitled.
    2. A request is excessive if it imposes a disproportionate burden on the controller, such as the daily erasure or addition of a person’s surname.
  3. If a request is rejected because it is manifestly unfounded and/ or excessive, we will explain why this is the case.
  4. If a request is rejected, no costs will be charged to the data subject.

 

Article 5. Submission of an objection

  1. The data subject is entitled at any time, based on his/ her specific situation and reasons, to submit an objection to any processing that we carry out on the basis of our legitimate interest.
  2. If the data subject submits an objection, the processing in question will immediately be discontinued, unless our legitimate interests in conducting the processing override those of the data subject. If the objection concerns direct marketing, this will be discontinued immediately.
  3. The data subject cannot submit an objection to processing that is based on his/ her consent. In that case, the data subject can withdraw his/ her consent.

 

Article 6. Notification obligation

  1. The controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom that personal data has been disclosed.
  2. The Privacy Officer will notify the recipients as quickly as is reasonably possible.
  3. The Privacy Officer is not obliged to communicate any rectification or erasure of personal data or restriction of processing to the recipients if this proves impossible or involves disproportionate effort.

 

 

 

 

 

 

 

  3. Step-by-step plan per right of the data subject

 

 

Right/ request of the data subject and steps to be taken:

 

Request for access

  1. The Privacy Officer determines the identity of the data subject (see article 3). If the data subject is who he/ she says he/ she is, access to the personal data will be granted.
  2. If considerable amounts of the data subject’s data are processed, the Privacy Officer can ask the data subject which specific data he/ she wishes to access.
  3. The Privacy Officer can comply with the request for access in one of the following ways:
    a) Send a complete overview of the personal data;
    b) Send a copy or printout of the document with personal data;
    c) Offer the data subject on-the-spot access to the data.
  4. The overview of the personal data of the data subject (as referred to under 3a) must in any case contain the following information:
    – The request for access and the manner in which the data subject has been identified;
    – The purpose for which the data is processed;
    – The type of data used for this purpose;
    – The third parties who have received the data;
    – The source of the data.

Request for rectification

  1. The Privacy Officer determines the identity of the data subject (see article 3). If the data subject is who he/ she says he/ she is, the request will be fulfilled.
  2. The Privacy Officer ensures that the personal data that is factually inaccurate, incomplete, not relevant to the purpose for which it has been collected or being used in another way which contravenes a law, is immediately blocked, amended or erased.
  3. The Privacy Officer informs the recipients of that personal data of the rectification.

Request for data erasure

  1. The Privacy Officer determines the identity of the data subject (see article 3). If the data subject is who he/ she says he/ she is, the request will be fulfilled.
  2. If a data subject submits a request for data erasure on one of the grounds referred to under a), b), c) or d), his/ her personal data will be erased without undue delay (maximum 4 weeks).
    a) The personal data is no longer necessary in relation to the purposes for which it was collected.
    b) The data subject withdraws the consent on which the processing is based and there is no other legal foundation for the processing.
    c) The personal data is being unlawfully processed.
    d) The personal data has to be erased for compliance with a legal obligation in EU or national law to which the controller is subject.
  3. The Privacy Officer asks the department associated with that personal data to erase the data.
  4. The Privacy Officer conducts a random check to verify that the relevant personal data has actually been erased. If necessary, he/ she will engage the assistance of the IT department.
  5. The Privacy Officer informs the recipients of that personal data of the erasure.

Request for restriction of processing

  1. The Privacy Officer determines the identity of the data subject (see article 3). If the data subject is who he/ she says he/ she is, the request will be fulfilled.
  2. The Privacy Officer will ensure that the processing of a data subject’s personal data is restricted if any of the following circumstances apply:
    a) The data subject disputes the accuracy of the data;
    b) The processing has been found to be unlawful and the data subject opposes the erasure of the personal data;
    c) The data subject wishes to initiate, exercise or substantiate a legal claim and requires the personal data for this purpose;
    d) The data subject has objected to the processing (article 21 of the GDPR), pending the verification whether our legitimate interests override those of the data subject.
  3. The Privacy Officer asks the IT department to transfer the personal data in question, the further processing of which has to be restricted, to a closed database until the objection/ problem has been resolved.
  4. The Privacy Officer informs the recipients of that personal data of the restriction of the processing.
  5. If the restriction is lifted, for instance where the request is rejected or the data is nevertheless found to be accurate, the Privacy Officer informs the data subject of the intention to lift the restriction. Thus: the data subject must be notified before the restriction is lifted.

Request for data transfer

  1. The Privacy Officer determines the identity of the data subject (see article 3). If the data subject is who he/ she says he/ she is, the request will be fulfilled.
  2. This right can only be exercised with regard to the data subject’s own personal data and for personal data whose processing:
    a) Is based on the (legal foundation) consent of the data subject or on a (legal foundation) contract with the data subject; and
    b) Is conducted via automated processes (automated processing).
  3. Once step 2 has been completed, the Privacy Officer asks the department associated with that personal data to supply the data in a structured, commonly used and machine-readable format.
  4. The Privacy Officer issues a copy to the data subject or to the controller to which the data subject wishes to send this data.

Objection

  1. The Privacy Officer establishes whether the objection of the data subject is based on his/ her specific situation. General objections or objections on principle are not an option.
  2. (Variant) The data subject is always entitled to submit an objection to the processing of personal data for direct marketing purposes. In that case, the Privacy Officer will ensure that the personal data is no longer processed for these purposes.
  3. The Privacy Officer will ensure that the processing is discontinued as soon as he/ she receives the objection. The Privacy Officer will disregard the objection if our compelling legitimate interests override the interests, fundamental rights and freedoms of the data subject. A balanced consideration of interests must therefore take place.

 

 

 

Chapter 4: Obligations of the controller

 

Duty to inform (privacy statement). We are obliged to inform data subjects about the kind of personal data relating to them that is processed by us, the purpose of the processing, how long we store the personal data, who we share the personal data with and which rights can be exercised by the data subject. We comply with this duty to inform through the use of two privacy statements: one for customers/ contacts and one for employees. The privacy statement for the employees is issued to every new employee on joining the organization. The privacy statement for customers and other contacts is published on our website.

 

Our privacy statements contain at least the following information:

  • Information about our organization;
  • Contact details of our organization and our Privacy Officer;
  • The categories of personal data that we process;
  • The purposes and legal foundations of the processing;
  • Where specific processing is based on a legitimate interest, we explain which processing this legitimate interest relates to;
  • The storage periods;
  • The rights of the data subjects, including the right to withdraw consent at any time and the right to submit a complaint to the Data Protection Authority;
  • The third parties with whom we share the personal data (such as the government);
  • That we utilize internet analysis instruments;
  • How we secure the personal data.

 

 

Privacy Officer. The appointment of a Data Protection Officer, an independent and expert natural person who ensures compliance with the GDPR, is not (yet) a mandatory requirement for us. The designation of a single point of contact within the organization with regard to personal data and privacy legislation is, however, desirable. We have therefore chosen to appoint a Privacy Officer (not an official Data Protection Officer). He/ she will ensure compliance with the GDPR. Questions concerning personal data and requests to exercise rights will therefore be sent to the Privacy Officer via the privacy e-mail address (privacy@dunlopcb.com).

The Privacy Officer is responsible, among other things, for:

  • Keeping the privacy policy and the processing register up to date;
    • Every quarter, the processing register must be checked to ensure that it still includes the correct processing activities.
  • Handling data subjects’ questions and requests to exercise a right;
  • Conducting (random) checks to verify whether the storage period is adhered to by all departments and whether relevant data has been erased or anonymized.

 

The IT department is responsible for the protection of the personal data and, where necessary, supports the departments in the erasure or blocking of data.

 

Processing register. We, as controller, are obliged to maintain a processing register (article 30 of the GDPR). In this register we keep track of the categories of personal data that we process, the purpose of the processing, how long we store this data and the third parties and countries with which the data is shared. This register is maintained by the Privacy Officer. If we start processing an item of personal data that has not yet been included in this processing register, the Privacy Officer updates the register accordingly.

 

Data leaks. A personal data breach, or data leak, means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In the event of a data leak, this will be reported to the Data Protection Authority by the IT department without undue delay (maximum 72 hours after becoming aware of the data leak), unless it is unlikely that the data leak presents a risk to the rights and freedoms of natural persons. If the data leak does not present a risk to the rights and freedoms of natural persons, it does not therefore have to be reported; however, it does have to be documented. All data leaks must, in fact, be documented.

If the data leak is not reported within 72 hours, the report must be accompanied by reasons for the delay. There is no mandatory format for the report, but it must state at least the nature of the breach, the contact details of the organization or a responsible person, the likely consequences of the breach and the actions that are being/ will be taken.

 

Chapter 5: Which personal data do we process?

 

Employees

 

| Item of personal data | Purpose | Storage period |
|---|---|---|
| Name | Communication, execution of a contract, legal duty | At least 7 years |
| E-mail address | Communication | Maximum 2 years after termination of employment |
| (Passport) photograph/ biometric data | Identification, “Who is Who?” | Maximum 2 years after termination of employment |
| Payroll administration | Payment transactions | At least 7 years |
| Payment information | Payment transactions | At least 7 years |
| Date of birth | Execution of a contract, identification, legal duty | At least 5 years after termination of employment |
| Gender | Identification, legal duty | At least 5 years after termination of employment |
| Nationality | Fulfilment of a legal duty | At least 5 years after termination of employment |
| Marital status | Execution of a contract, legal duty | At least 7 years |
| BSN (citizen service number) | Identification, fulfilment of a legal duty | At least 5 years after termination of employment |
| Home address | Execution of a contract | Maximum 2 years after termination of employment |
| Employment record and employment contract | Execution of a contract | Maximum 2 years after termination of employment |
| Employee number | Identification, execution of a contract | Maximum 2 years after termination of employment |
| Camera surveillance | Protection of property, employees and visitors | Maximum 3 weeks |
| Copy of identification document | Identification, fulfilment of a legal duty | At least 5 years after termination of employment |
| Job application information (in the employee record): CV, application letter, certificate of good behaviour | Recruitment, execution of a contract | Maximum 2 years after termination of employment |
| Position | Execution of a contract | Maximum 2 years after termination of employment |

 

Job applicants

 

| Item of personal data | Purpose | Storage period |
|---|---|---|
| Name | Communication, recruitment | Maximum 4 weeks, unless consent is granted for a storage period of 1 year. |
| E-mail address and other contact information | Communication, recruitment | Maximum 4 weeks, unless consent is granted for a storage period of 1 year. |
| Application information: CV, letters, communication | Recruitment | Maximum 4 weeks, unless consent is granted for a storage period of 1 year. |

 

Customers

 

| Item of personal data | Purpose | Storage period |
|---|---|---|
| Name | Communication | Maximum 7 years after last product/ service purchased |
| E-mail address and telephone number | Communication | Maximum 7 years after last product/ service purchased |
| Position | Execution of a contract (does the person have decision-making authority?) | Maximum 7 years after last product/ service purchased |
| Gender | Communication (to address the person in the correct way) | Maximum 7 years after last product/ service purchased |
| Language(s) spoken | Execution of a contract, communication | Maximum 7 years after last product/ service purchased |

 

Potential customers (contact form)

 

| Item of personal data | Purpose | Storage period |
|---|---|---|
| Name | Communication | Maximum 5 years after last contact |
| E-mail address (and telephone number) | Communication | Maximum 5 years after last contact |
| Postcode, town/city, country | Communication, execution of a contract (prices etc. can differ depending on the area) | Maximum 5 years after last contact |

 

Suppliers

 

| Item of personal data | Purpose | Storage period |
|---|---|---|
| Name | Identification, execution of a contract | Maximum 10 years after last contact |
| E-mail address and telephone number | Identification, execution of a contract | Maximum 10 years after last contact |
| Position | Execution of a contract | Maximum 10 years after last contact |