1. Introduction
In the same way as the society as a whole, Pierce Group owned companies, our customers, employees and suppliers are affected by digitization and globalization. This has led to a significant increase in the use and spreading of personal data. Digitization means increased opportunities, but also a greater need for protection of individuals’ personal data and integrity. Processes and IT services shall be set up or adapted to secure compliance with the data protection legislation. This policy describes the overall principles that apply to personal data processing at Pierce AB and Pierce owned companies (Pierce Group).
1.1 Purpose
The purpose of this policy is to ensure that Pierce Group processing of personal data is done on lawful grounds and in accordance with the principles of relevant data protection legislation such as the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 and to ensure that personal data of our customers, employees and suppliers is handled in a safe and transparent way.
1.2 Objective
The objective of this policy is to define the Pierce Group roles, responsibilities and governing documents to demonstrate compliance with relevant data protection legislation. This may be essential to avoid sanctions and damage to the Pierce Group brands.
1.3 Scope
The scope of this policy is limited to Personal Data processing as required by the General Data Protection Regulation (GDPR). This covers the Pierce Group, external consultants performing tasks on behalf of the Pierce Group and Data processors performing data processing on behalf of the Pierce Group. In case Pierce is Data Processor for an external organisation, the data processing should be done in accordance with this policy, unless otherwise stated in a Data Processing Agreement between Pierce and a Data controller.
1.4 Target groups
The Data Protection Policy applies to all staff, who perform tasks on behalf of Pierce regarding processing of personal data. It is intended to be the basis for information to data subjects regarding personal data processing.
2. Roles and Responsibilities
2.1 CEO
The CEO shall ensure that Pierce is appropriately organized with delegated responsibilities and sufficient resources for the processing of personal data.
2.2 Data Protection Coordinator (DPC)
The main responsibility of the Data Protection Coordinator (DPC) is to ensure awareness and provision of the GDPR in the organization. The DPC is required to keep a register of all processing operations involving personal data carried out by the organization. There must be a DPC in each legal entity in the Pierce Group.
2.3 Data Controller
The Controller is always responsible for the processing of personal data. The Controller is always the legal person who controls and decides the handling of personal data. Within Pierce Group, each legal entity may be a Data Controller of employee, customer or supplier data.
2.4 Data Processor
External suppliers of Pierce Group such as IT operations, cloud service providers, external consultants and similar that process personal data on behalf of Pierce are called data processors. A data processor shall perform the data processing as specified in a data processing agreement. There may also be internal data processors within Pierce.
2.5 Employees
All employees are personally responsible for correct processing of Personal Data in their daily work. By following Pierce standard operating procedures (SOPs) relating to Personal Data processing, the employees contribute to data processing compliance.
3. Data Protection Requirements
3.1 Records of processing activities
A record of processing activities shall be compiled and maintained as a prerequisite to govern Personal Data processing in a lawful way. Each legal entity within Pierce group is responsible for documenting all local data processing.
3.2 Legal ground for Processing
Personal data may only be processed if certain conditions are met, for example:
a) if the individual to whom the personal data pertains has given his or her consent to the processing;
b) the processing is necessary for the performance of a contract to which the individual is a party;
c) the processing is necessary for compliance with a legal obligation of Pierce;
d) Pierce’s legitimate interest to process personal data outweighs the individual’s interest of not having his or her personal data processed.
3.3 Data Processing Principles
When processing personal data, Pierce will do so according to the following principles:
- Lawful processing – When processing Personal Data within Pierce we shall make sure that the processing is lawful and that we are transparent towards the Data Subjects.
- Purpose limitation – When collecting Personal Data, we must have a clear and legitimate purpose with the collection and further processing. If the purpose ends, we must delete the Personal Data processed under that purpose. If we want to process Personal Data for a new purpose, it must not be incompatible with the original purpose, for instance outside of what the Data Subject concerned would reasonably expect. We must also make sure to inform the Data Subject about this, and under which legal ground we are processing the Personal Data.
- Data minimisation – Within Pierce we shall never collect and handle more Personal Data than is required to perform the purpose for which the data was collected. That means that we must ask ourselves at each collection of Personal Data, if it is required. If the purpose for the data processing has expired, we must delete the Personal Data that is no longer needed.
- Accuracy – Personal data must be accurate and up to date. Personal data that is inaccurate or incomplete should be erased or corrected.
- Storage limitation – Personal data should only be stored for as long as is necessary for the purposes for which it is processed, or as required by applicable law. When the retention period has expired, it should be erased in a permanent and secure way. If we want to keep Personal Data for a longer period than required for the purpose for which it was collected, we must see to it that the data can no longer be connected to a Data Subject, directly or indirectly (anonymization). Pierce only keeps customer information for sales, delivery and accounting purposes, and it is maintained as such.
- Security – Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). This is done by “IT System inventory” and documented routines.
3.4 Data Subjects rights
Pierce shall respond to Data Subject’s requests in the manner required by applicable law or otherwise deemed reasonably practical and appropriate in consultation with the DPC.
- Transparency and information – Individuals whose personal data is being processed should be provided with notice thereof. Such notice should be concise, easily accessible, be written in clear and plain language, and must contain certain specific information.
- Access rights – An individual may request to receive information regarding Pierce’s processing of personal data.
- Rights to rectification and erasure – An individual may request to have personal data corrected or erased.
- Right to restriction of processing – The data subject shall have the right to obtain from the controller restriction of processing under the circumstances described in GDPR Article 18.
- Right to data portability – The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
- Right to object – An individual may request the processing of personal data to be restricted.
- An individual has the right to complain against Pierce’s processing of his/her personal data.
3.5 Data Controllers and Data Processors Obligations
Where processing is to be carried out by a processor on behalf of Pierce group, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of the data subject.
There shall be a legal binding agreement between the Data controller and the Data Processor, which fulfils the requirements in the Data Protection Laws, and in which the distribution of responsibilities between the parties is specified regarding the personal data processing.
- Records of processing activities
- Data protection by design and by default – Each new service or business process introduced by Pierce that involves the processing of personal data should be designed to take the protection of such data into consideration, for example by ensuring that necessary security measures are built into its design (“privacy by design”). Each such new service or business process should also be designed to ensure that, by default, only personal data which is necessary for the specific purpose of the processing is processed (“privacy by default”).
- Data Protection Impact Assessment (DPIA) – Where a type of processing, in particular using new technologies such as new IT systems or cloud services, is likely to result in a high risk to the privacy of an individual, Pierce should, prior to the processing, carry out an assessment of the impacts the contemplated processing activities may have on the protection of personal data. The data protection impact assessment should be done in consultation with the Data Protection Coordinator (DPC).
- Data breach notification – Employees who suspect that this policy or relevant data protection laws have been violated should contact the DPC immediately for Pierce to be able to comply with statutory notification requirements.
- Provision of all Data Subjects rights
- Security measures – An employee who has access to personal data must only process the data in accordance with the purpose of the processing, and may not share, distribute, or otherwise disclose the personal data to a third party unless instructed to do so by Pierce.
- Appropriate technical and organisational measures should be implemented to protect personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access, and any other unlawful forms of processing. Such measures should be appropriate to the risks represented by the processing, and the nature of the personal data.
- Cross border data transfers – Transfers of personal data to entities outside the EEA are only allowed when the importing entity has provided sufficient assurances that the personal data will be adequately protected. This may be accomplished by using one of the EU Commission’s standard data transfer agreements. Consult the DPO for further information.
- Training and awareness – Pierce provides adequate training for all employees appropriate to employee responsibilities.
4. Governance
The DPC is responsible for compliance monitoring of this policy and for monitoring applicable Data Protection Laws.
The CEO of Pierce is responsible for the overall oversight and implementation of this Policy.
5. Appendix
5.1 Terms and definitions
Data Controller: Data Controller is the natural or legal person, public authority, agency or other body, which determines the purposes and means of the processing of personal data. In the GDPR directive, the term controller has particular importance because compliance obligations are primarily imposed on controllers.
Data Subject: The natural living person to whom personal data relates. A Data Subject is in this policy defined as any natural person that Pierce has any kind of relation with, e.g. private customer, employee, consultant and other.
Data Processor: A natural or legal person, public authority, agency or other body handling personal data on behalf of the personal data controller. Processors have direct compliance obligations under the GDPR.
Personal data: Any information relating to an identified or identifiable individual (data subject). Can be anything from a name, photo, email address, bank details or IP address that directly or indirectly identifies the person.
Sensitive personal data (special categories of personal data): Sensitive Personal Data is for example data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation.
Processing: Processing is any operation performed on personal data such as creation, collection, storage, view, transport, use, modification, transfer, deletion, etc.
Accountability: Accountability is the ability to demonstrate compliance with the GDPR. The Regulation explicitly states that this is the organization’s responsibility. In order to demonstrate compliance, appropriate technical and organizational measures have to be implemented.
Consent: Consent means any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. The consent has to be:
- freely given
- specific
- informed
- unambiguous
Privacy Impact Assessment (PIA): The GDPR imposes a new obligation on data controllers and data processors to conduct a Data Protection Impact Assessment (PIA) before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope, or purposes.
Subject access: this is the data subject’s right to obtain information relating to the processing of his/her personal data from the data controller.
Territorial scope: The territorial scope of the GDPR includes the European Economic Area (EEA – all 28 EU member states), Iceland, Liechtenstein, and Norway. It does not include Switzerland.
Third party: A third party is any natural or legal person other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
Transfer: The transfer of personal data to countries outside the EEA. Transfer includes not only physical transport but also viewing data.