Objectives and scope of this Policy
The objective of this HKScan Group Data Privacy Policy (“Policy”) is to ensure that Personal Data is Processed in line with Data Protection Legislation and to provide a framework for best practice in relation to the Processing of Personal Data as well as the realization of rights of individuals in respect to their Personal Data.
In addition to HKScan Oyj, this Policy shall always be respected and followed in subsidiaries and associate entities owned or controlled by HKScan Oyj (together referred as “HKScan” or “Group”).
This Policy acts as a general framework of best practice, setting out the key principles of data privacy adopted by HKScan. This Policy shall be supplemented with data privacy related guidelines and instructions in order to assist the proper application of this Policy.
This Policy applies whenever HKScan Processes Personal Data, as a Data Controller or as a Data Processor. This Policy is addressed to all employees of HKScan and it covers all HKScan business units in different countries, including operations and activities involving the Processing of Personal Data.
In the event of discrepancy or inconsistency between Data Protection Legislation and this Policy, Data Protection Legislation shall prevail.
Definitions
The following terms used in this Policy shall have the meaning set forth below.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Data Protection Legislation” means the currently applicable European Union data protection legislation, such as the General Data Protection Regulation (2016/679) (the “GDPR”) and the Privacy and Electronic Communications Directive (2002/58), as well as data protection legislation implementing or supplementing the above, including applicable national data protection legislation, regulations issued by relevant supervisory authorities, and the resolutions of competent courts of law in respect to the application of applicable data protection legislation.
“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as name, and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as (without limitation) collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, usage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Controller” means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means a natural or legal person which Processes Personal Data on behalf of the Data Controller.
“Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Roles, responsibilities and data privacy management system
HKScan’s Board of Directors (“BoD”) is ultimately responsible for HKScan’s compliance with Data Protection Legislation, including the adoption of this Policy as well as the required data privacy organization at HKScan.
On a tactical level, HKScan’s Group Executive Team (“GET”) and Group Administrative Team (“GAT”) shall be responsible for guiding and monitoring compliance with this Policy. In this regard, GET and/or GAT shall also ensure the allocation of sufficient resources for the fulfillment of data privacy related responsibilities and obligations.
HKScan shall establish a data privacy management system (“HKScan Data Privacy Management System”) based on Nymity privacy management accountability framework in order to ensure appropriate operational structure for complying with Data Protection Legislation. HKScan Data Privacy Management System shall be kept up to date and continuously improved.
The Data Privacy Steering Group shall be responsible for the implementation of HKScan Data Privacy Management System which outlines the framework of data privacy controls and measures at HKScan. Data Privacy Steering Group consists of personnel specified in HKScan Data Privacy Management System.
Each HKScan business unit shall be responsible for compliance with Data Protection Legislation and this Policy. Each employee of HKScan shall be aware of his or her data privacy related responsibilities. The Group Data Privacy Manager together with the Risk Management Unit shall direct and develop data privacy and related controls and measures throughout different business units and companies of HKScan. Moreover, the Group Data Privacy Manager and the Risk Management Unit shall provide practical assistance in data privacy matters for selected Data Privacy Contact Persons and Data Privacy Specialists in different countries and functions throughout the whole Group.
The responsibilities of different personnel in HKScan’s data privacy organization shall be further specified in HKScan Data Privacy Management System.
Principles for Processing Personal Data
1) Lawfulness, fairness and transparency
HKScan shall Process Personal Data in a lawful, fair and transparent manner.
When HKScan Processes Personal Data as a Data Controller, HKScan shall always be able to state the legal basis (specified in Data Protection Legislation) that the Processing of Personal Data relies on. Personal Data may not be carried out if HKScan have no legal basis for the Processing.
HKScan shall furthermore Process Personal Data in a transparent manner in relation to the Data Subject. This shall be ensured by, for instance, intelligible and unambiguous information notices, openness regarding the Processing and measures to facilitate Data Subject’s request to exercise his or her rights (such as e.g. the right to access).
2) Purpose limitation
Personal Data shall only be Processed for clearly specified and documented purposes and HKScan shall not Process Personal Data for any purposes incompatible with the purposes for which the
Personal Data was originally collected, except where Data Protection Legislation permits such Processing.
3) Data minimization
HKScan shall Process Personal Data in accordance with the principle of data minimization. This entails that HKScan shall only Process Personal Data that is necessary in order to fulfill the purposes for which the Personal Data was collected.
4) Accuracy of Personal Data
HKScan shall take appropriate measures to ensure that Personal Data Processed by HKScan is accurate complete and, where necessary, up to date. In the event HKScan Processes inadequate or inaccurate Personal Data, such Personal Data shall be rectified or erased without any undue delay.
5) Storage limitation
Personal Data shall not be stored for a longer period than is necessary having regard to the purposes of the Processing or applicable legal obligations requiring the storage of Personal Data. HKScan shall thus ensure that Personal Data is stored in accordance with HKScan Personal Data Retention Guidelines. HKScan has a practice in place for erasing unnecessary personal data.
6) Integrity and confidentiality (i.e. security of Personal Data)
HKScan shall take appropriate technical and organizational measures to ensure that the Personal Data is protected and otherwise Processed in a secure manner. Secure Processing entails that the Personal Data shall be kept confidential and protected against any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data. Only IT- systems that can ensure an appropriate level of protection may be used by HKScan for Processing Personal Data.
7) Accountability
When acting as a Data Controller, HKScan shall always be able to demonstrate its compliance with the principles for Processing Personal Data. This includes e.g. that HKScan can demonstrate that there is a legal basis for the Processing, and that appropriate technical and organizational measures have been implemented to ensure the security of Personal Data.
As an essential step in this context is to maintain and update documentation that describes the steps taken to ensure compliance with Data Protection Legislation and the principles for Processing Personal Data. This entails keeping internal records of processing activities carried out by HKScan.
Security and data breach incident management
HKScan shall take technical and organizational measures to protect the Personal Data from un- lawful or accidental loss, destruction or alteration, and from unauthorized or unlawful access. The security measures shall be appropriate having regard to the risks that are connected to the particular Processing activity, as well as the level of sensitivity of the Personal Data being Processed. Sensitive Personal Data requires that HKScan implement more robust security and control mechanisms than in relation to Personal Data in general.
Any IT-system that is used to Process Personal Data shall be designed to facilitate compliance with the fundamental rights and freedoms of the Data Subject and ensure that the Personal Data is Processed in a secure and lawful manner. Moreover, IT-systems shall be designed to observe and comply with the principles of Processing of Personal Data by default.
In the event of an incident which leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, HKScan shall immediately upon becoming aware of the incident, investigate the incident and its potential consequences. Unless it is unlikely that the incident poses a risk to the rights and freedoms of the Data Subjects, HKScan shall notify the relevant supervisory authority about the incident in accordance with Data Protection Legislation. If the incident poses a significant risk to the rights and freedoms of Data Subjects, HKScan shall also notify the Data Subjects about the incident.
Rights of the Data Subjects
In order to comply with Data Protection Legislation HKScan shall at all times observe and fulfil the various rights afforded to the Data Subjects under Data Protection Legislation. To this end, HKScan shall take appropriate technical and organizational measures to be able to respond to requests from Data Subjects on the exercise of the following rights:
- Right to receive information on the Processing
- Right of access to Personal Data
- Right to rectify Personal Data
- Right to erasure (‘right to be forgotten’)
- Right to restriction of Processing
- Right to data portability
- Right to object the Processing
The applicability of the various rights of the Data Subject are subject to conditions set out in Data Protection Legislation and HKScan shall always review the applicability of any request made by the Data Subject by following HKScan Data Subject Rights Related Guidelines.
Data transfers
Where HKScan transfers Personal Data to another Data Controller, HKScan shall ensure that the Data Controller, which receives the Personal Data, complies with Data Protection Legislation by way of an agreement or by way of ensuring that the Data Controller has appropriate legal basis to receive the Personal Data. HKScan shall also ensure that the Data Subjects receive information on the transfers of their Personal Data to the other Data Controller.
HKScan assigns third party service providers in several instances that in many cases will, directly or indirectly, Process Personal Data on behalf of HKScan. HKScan shall only engage Data Processor that provide HKScan with sufficient guarantees that the Data Processor will comply with Data Protection Legislation. To ensure compliance with Data Protection Legislation, HKScan shall always enter into a data processing agreement with any Data Processor that will Process Personal Data on behalf of HKScan.
When HKScan transfers Personal Data from the EU or the EEA to a country outside the EEA, HKScan shall ensure that it fulfills the requirements for such transfer as set out in Data Protection Legislation. This include e.g. ensuring an adequate level of protection by means of entering into the EU Commission’s Standard Contractual Clauses (or similar framework applicable from time to time) with the entity receiving the Personal Data (data importer).
Policy changes
Amendments to this Policy must be approved by the BoD, except for amendments, which are more of a technical nature and which do not alter the overall concept of this Policy. Such technical amendments shall be approved by the Policy owner. All modifications made shall be informed to the BoD.
Communication and implementation
HKScan shall ensure that all relevant employees are aware of the importance of protection of Personal Data and shall thus develop training and awareness programs where the employees are trained in data privacy related matters. Training of newly hired personnel shall be a part of the onboarding process. HKScan shall document successful participation in training sessions in order to demonstrate that employees possess general knowledge and awareness of data privacy related matters.
Risk Management Unit and Group Data Privacy Manager shall be responsible for communicating, training and implementing this Policy to the whole Group.
Internal controls and reviews
Policy owner is accountable for making sure that there are adequate internal controls in place to ensure compliance with this Policy, related guidelines, instructions and processes. Regular reviews by internal and external parties shall be conducted to assess implementation and compliance with this Policy.
Consequences of non-compliance
In case an employee of HKScan is breaching this Policy or any guideline or instruction based on this Policy, any such breach shall be subject to appropriate consequences, including possible termination of the employment relationship. Moreover, where HKScan suspects that the breach fulfils the criterion of punishable offense under applicable legislation, such breach shall also be reported to a relevant authority.
Approved by the Board of Directors 23 September 2020.