Bong Group Data Protection Policy


Subject: Bong Group Data Protection Policy
Version: V1.0 Rev. 3
Issued by: Bong IT
Department: IT
Date: 2018-04-24
Approved by: Jon Eknes, Andrew Knight
Contents

- Background
- Processing of Personal Data
- Processing of Special Category Data
- Data Protection Impact Assessment
- Notice
- Data Subject Access Requests (DSARs)
- Data Quality, Confidentiality, and Security
- Privacy by Design and by Default
- Disclosures to Third Parties
- Data Transfers outside the European Union (EU) and European Economic Area (EEA)
- Marketing Measures and Websites
- Notification of Data Processing Activities
- Sanctions
- Reporting of Personal Data Breaches, Training, and Internal Audits
- Contact Information for Responsible Managers and Advisers
- Version Management
- Dos and Don’ts
  - Do
  - Don’t

Background

Data protection laws regulate the processing of personal data and set limitations on how personal data may be processed under Bong’s¹ daily operations.

This policy applies to everyone at Bong – all employees, managers, executive officers, and members of the Board of Directors (all of whom are included in the term “employees” for the purposes of this policy).

This policy is based on the principles set out in the EU General Data Protection Regulation (GDPR) which is effective as of May 25, 2018, replacing local and national data protection laws within the EU. In addition to the general guidelines set out in this policy, the applicable detailed requirements of local data protection laws must be followed by employees when processing personal data.

Processing of Personal Data

Personal data is any information which, directly or indirectly, pertains to an identified or identifiable natural person, such as name, contact details, identification number, location data, IP address, etc. Personal data may only be processed based on specified, explicit, and legitimate purposes, and not be processed for any purpose(s) incompatible with the original purpose(s).

Processing of personal data is any operation or set of operations which is performed on personal data, whether or not by automatic means, including but not limited to collection, organisation, storage, adaptation, disclosure, blocking, or erasure.

Personal data may only be processed if certain conditions are met, for example: (a) the individual to whom the personal data pertains has given his or her consent to the processing; (b) the processing is necessary for the performance of a contract to which the individual is a party; (c) the processing is necessary for compliance with a legal obligation of Bong; or (d) Bong’s legitimate interest in processing the personal data outweighs the individual’s interest in not having his or her personal data processed. For further information, please contact the Bong Data Protection Manager.

Processing of Special Category Data

Special category data refers to personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, an individual’s health, sex life, or sexual orientation, as well as genetic and biometric data. Special category data should only be processed if necessary and lawful under applicable law.

Other categories of personal data, such as personal identity numbers and credit information, do not constitute special categories of personal data, but are nevertheless afforded particular protection and should be processed with that in mind.

¹ Bong International AB

Data Protection Impact Assessment

If a type of processing, in particular one using new technologies such as new IT systems or cloud services, is likely to result in a high risk to the privacy of an individual, Bong should, prior to the processing, carry out a Data Protection Impact Assessment. The assessment will help identify the impact of the contemplated processing activities and the risks associated with the protection of personal data. The Data Protection Impact Assessment should be conducted by the local GDPR Adviser and, if necessary, under advisement of the Data Protection Manager.

Notice

Individuals whose personal data is being processed should be provided with notice thereof. Such notice should be concise, easily accessible, and written in clear and plain language, and must contain certain specific information. For further information, please contact the Data Protection Manager.

Data Subject Access Requests (DSARs)

An individual may request to receive information regarding Bong’s processing of personal data, to have his or her personal data transmitted to another controller, to object to the processing of personal data, to have personal data erased or the processing thereof restricted, or to have erroneous personal data corrected. Bong should respond to such requests in the manner required by applicable law or otherwise deemed reasonably practical and appropriate in consultation with the local GDPR Adviser and, if necessary, under advisement of the Data Protection Manager.

Data Quality, Confidentiality, and Security

Personal data must be accurate and up to date. Personal data that is inaccurate or incomplete should be erased or corrected. Personal data should only be stored for as long as is necessary for the purposes for which it is processed, or as required by applicable law. When the retention period has expired, it should be erased in a permanent and secure way.

An employee who has access to personal data must only process the data in accordance with the purpose of the processing, and may not share, distribute, or otherwise disclose the personal data to a third party unless instructed to do so by Bong.

Appropriate technical and organisational measures should be implemented to protect personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access, and any other unlawful forms of processing. Such measures should be appropriate to the risks represented by the processing, and the nature of the personal data.

Security breaches which jeopardise the confidentiality or security of personal data processed by Bong should be reported immediately to the GDPR Adviser in order to meet applicable legal notification requirements.


Privacy by Design and by Default

Each new service or business process introduced by Bong that involves the processing of personal data should be designed to take the protection of such data into consideration, for example by ensuring that necessary security measures are built into its design (privacy by design). Each such new service or business process should also be designed to ensure that, by default, only personal data which is necessary for the specific purpose of the processing is processed (privacy by default).

Disclosures to Third Parties

Personal data may only be disclosed to third parties, such as Bong’s subcontractors, partners, and affiliates, when there is a legitimate basis to do so.

The term Processor refers to a legal entity which processes personal data on behalf of the controller. The term Controller refers to a legal entity which alone or jointly with others determines the purposes and means of the processing of personal data.

When engaging a Processor, for example in connection with using cloud services or outsourcing of IT services, the parties should enter into a written Data Processing Agreement (DPA), in accordance with applicable data protection laws. For further information, contact the local GDPR Adviser.

Data Transfers outside the European Union (EU) and European Economic Area (EEA)

Transfers of personal data to entities outside the EU and EEA are only allowed when the importing entity has provided sufficient assurances that the personal data will be adequately protected.

This may be accomplished by first investigating whether the processor is located in a country that the European Commission has approved as providing an adequate level of protection. If the non-EU/EEA processor is not in an approved country, adequate safeguards need to be put in place by setting up a transfer agreement that includes the standard contractual clauses approved by the European Commission, or by having the transfer agreement approved by the authorities.

Marketing Measures and Websites

The use of personal data for marketing measures, such as direct marketing campaigns, marketing through social media websites, or the purchase of personal data for marketing purposes, requires establishment of a legitimate purpose, and may also require consent under other applicable law.

Individuals are entitled to give notice that they oppose the processing of their personal data for purposes concerning direct marketing and such a notice must be honoured. Other reservations against direct marketing also need to be respected in compliance with applicable local law.

Each of Bong’s external websites must include an online Privacy Policy, including procedures for accepting cookies, fulfilling the requirements of applicable law.


Notification of Data Processing Activities

Bong is obliged to notify its data processing activities to the applicable supervisory authority, and/or in some jurisdictions to obtain a license from the applicable supervisory authority, unless an exception or exemption applies. Bong should also keep its own records of its data processing activities.

If Bong’s data processing activities change, an assessment should be made as to whether notifications made to the applicable supervisory authority or any licenses should be updated or amended.

Sanctions

Sanctions for violations of data protection laws include claims for damages by individuals whose personal data has been unlawfully processed, fines, and in some countries imprisonment. In addition, the supervisory authority may prohibit Bong from engaging in certain acts of processing and impose other administrative sanctions. As of May 25, 2018, sanctions for violations of data protection laws will be significantly increased.

Reporting of Personal Data Breaches, Training, and Internal Audits

Employees who suspect that this policy or relevant data protection laws have been violated should contact the local GDPR Adviser immediately in order for Bong to comply with statutory notification requirements.

Bong provides adequate training for all employees consistent with Bong’s risk profile and appropriate to employee responsibilities.

Bong will conduct objective, comprehensive audits of the Corporate Compliance Program, including data protection, on a periodic basis.

Contact Information for Responsible Managers and Advisers

The Corporate Compliance Manager is responsible for the overall oversight and implementation of the Corporate Compliance Program.

The Data Protection Manager is responsible for Bong’s general GDPR compliance and for assisting the local GDPR Adviser with requests and incidents in accordance with the group’s data protection policy.

The Local GDPR Adviser is responsible for their business unit’s day-to-day compliance with Bong’s data protection policy and routines, as well as local data protection laws.

Should you have any questions or need further assistance, please feel free to contact them.

Version Management

Version | Date | Approved by


For further inquiries regarding data protection, either generally or relating to a particular situation, please contact the Bong Data Protection Manager or local Data Protection Authority.


Dos and Don’ts

Do

- Exercise particular care when processing special categories of personal data and other categories of personal data awarded particular protection under applicable law.

- Provide information to individuals and respond to access requests to the extent required by applicable law or as otherwise deemed reasonably practical and appropriate in consultation with the GDPR Adviser.

- Keep personal data confidential, and implement a level of security appropriate to the risks presented by the processing and the nature of the personal data.

Don’t

- Collect personal data without having established the purpose of the processing and the time period during which the purpose is relevant.

- Collect personal data on a non-essential basis.

- Disclose or transfer personal data, even to Bong’s affiliates, without implementing appropriate measures, such as a Data Processing Agreement (DPA).
