1. Objectives and scope of this Policy
The objective of this HKFoods Group Data Privacy Policy (“Policy”) is to ensure that Personal Data is Processed in line with Data Protection Legislation and to provide a framework for best practice in relation to the Processing of Personal Data as well as the realization of rights of individuals in respect to their Personal Data.
In addition to HKFoods Oyj, this Policy shall always be respected and followed in subsidiaries and associate entities owned or controlled by HKFoods Oyj (together referred to as “HKFoods” or “Group”).
This Policy acts as a general framework of best practice, setting out the key principles of data privacy adopted by HKFoods. This Policy shall be supplemented with data privacy related guidelines and instructions in order to assist the proper application of this Policy.
This Policy applies whenever HKFoods Processes Personal Data, as a Data Controller or as a Data Processor. This Policy is addressed to all employees of HKFoods and it covers all HKFoods business units in different countries, including operations and activities involving the Processing of Personal Data.
In the event of discrepancy or inconsistency between Data Protection Legislation and this Policy, Data Protection Legislation shall prevail.
2. Definitions
The following terms used in this Policy shall have the meaning set forth below.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Data Protection Legislation” means the currently applicable European Union data protection legislation, such as the General Data Protection Regulation (2016/679) (the “GDPR”) and the Privacy and Electronic Communications Directive (2002/58), as well as data protection legislation implementing or supplementing the above, including applicable national data protection legislation, regulations issued by relevant supervisory authorities, and the resolutions of competent courts of law in respect to the application of applicable data protection legislation.
“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as (without limitation) collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, usage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Controller” means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means a natural or legal person which Processes Personal Data on behalf of the Data Controller.
“Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
3. Roles, responsibilities and data privacy management system
HKFoods’ Board of Directors (“BoD”) is ultimately responsible for HKFoods’ compliance with Data Protection Legislation, including the adoption of this Policy as well as the required data privacy organization at HKFoods.
On a tactical level, HKFoods’ Group Executive Team (“GET”) and Group Administrative Team (“GAT”) shall be responsible for guiding and monitoring compliance with this Policy. In this regard, GET and/or GAT shall also ensure the allocation of sufficient resources for the fulfillment of data privacy related responsibilities and obligations.
HKFoods shall establish a data privacy management system (“HKFoods Data Privacy Management System”) based on Nymity privacy management accountability framework in order to ensure appropriate operational structure for complying with Data Protection Legislation. HKFoods Data Privacy Management System shall be kept up to date and continuously improved.
The Data Privacy Steering Group shall be responsible for the implementation of HKFoods Data Privacy Management System which outlines the framework of data privacy controls and measures at HKFoods. Data Privacy Steering Group consists of personnel specified in HKFoods Data Privacy Management System.
Each HKFoods business unit shall be responsible for compliance with Data Protection Legislation and this Policy. Each employee of HKFoods shall be aware of his or her data privacy related responsibilities. The Group Data Privacy Manager together with the Risk Management Unit shall direct and develop data privacy and related controls and measures throughout different business units and companies of HKFoods. Moreover, the Group Data Privacy Manager and the Risk Management Unit shall provide practical assistance in data privacy matters for selected Data Privacy Contact Persons and Data Privacy Specialists in different countries and functions throughout the whole Group.
The responsibilities of different personnel in HKFoods’ data privacy organization shall be further specified in HKFoods Data Privacy Management System.
4. Principles for Processing Personal Data
4.1. Lawfulness, fairness and transparency
HKFoods shall Process Personal Data in a lawful, fair and transparent manner.
When HKFoods Processes Personal Data as a Data Controller, HKFoods shall always be able to state the legal basis (specified in Data Protection Legislation) that the Processing of Personal Data relies on. Processing of Personal Data may not be carried out if HKFoods has no legal basis for the Processing.
HKFoods shall furthermore Process Personal Data in a transparent manner in relation to the Data Subject. This shall be ensured by, for instance, intelligible and unambiguous information notices, openness regarding the Processing and measures to facilitate the Data Subject’s request to exercise his or her rights (such as the right to access).
4.2. Purpose limitation
Personal Data shall only be Processed for clearly specified and documented purposes and HKFoods shall not Process Personal Data for any purposes incompatible with the purposes for which the Personal Data was originally collected, except where Data Protection Legislation permits such Processing.
4.3. Data minimization
HKFoods shall Process Personal Data in accordance with the principle of data minimization. This entails that HKFoods shall only Process Personal Data that is necessary in order to fulfill the purposes for which the Personal Data was collected.
4.4. Accuracy of Personal Data
HKFoods shall take appropriate measures to ensure that Personal Data Processed by HKFoods is accurate, complete and, where necessary, up to date. In the event HKFoods Processes inadequate or inaccurate Personal Data, such Personal Data shall be rectified or erased without any undue delay.
4.5. Storage limitation
Personal Data shall not be stored for a longer period than is necessary having regard to the purposes of the Processing or applicable legal obligations requiring the storage of Personal Data. HKFoods shall thus ensure that Personal Data is stored in accordance with HKFoods Personal Data Retention Guidelines. HKFoods has a practice in place for erasing unnecessary personal data.
4.6. Integrity and confidentiality (i.e. security of Personal Data)
HKFoods shall take appropriate technical and organizational measures to ensure that the Personal Data is protected and otherwise Processed in a secure manner. Secure Processing entails that the Personal Data shall be kept confidential and protected against any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data. Only IT-systems that can ensure an appropriate level of protection may be used by HKFoods for Processing Personal Data.
4.7. Accountability
When acting as a Data Controller, HKFoods shall always be able to demonstrate its compliance with the principles for Processing Personal Data. This includes e.g. that HKFoods can demonstrate that there is a legal basis for the Processing, and that appropriate technical and organizational measures have been implemented to ensure the security of Personal Data.
An essential step in this context is to maintain and update documentation that describes the steps taken to ensure compliance with Data Protection Legislation and the principles for Processing Personal Data. This entails keeping internal records of processing activities carried out by HKFoods.
5. Security and data breach incident management
HKFoods shall take technical and organizational measures to protect the Personal Data from unlawful or accidental loss, destruction or alteration, and from unauthorized or unlawful access. The security measures shall be appropriate having regard to the risks that are connected to the particular Processing activity, as well as the level of sensitivity of the Personal Data being Processed. Sensitive Personal Data requires that HKFoods implement more robust security and control mechanisms than in relation to Personal Data in general.
Any IT-system that is used to Process Personal Data shall be designed to facilitate compliance with the fundamental rights and freedoms of the Data Subject and ensure that the Personal Data is Processed in a secure and lawful manner. Moreover, IT-systems shall be designed to observe and comply with the principles of Processing of Personal Data by default.
In the event of an incident which leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, HKFoods shall immediately upon becoming aware of the incident, investigate the incident and its potential consequences. Unless it is unlikely that the incident poses a risk to the rights and freedoms of the Data Subjects, HKFoods shall notify the relevant supervisory authority about the incident in accordance with Data Protection Legislation. If the incident poses a significant risk to the rights and freedoms of Data Subjects, HKFoods shall also notify the Data Subjects about the incident.
6. Rights of the Data Subjects
In order to comply with Data Protection Legislation HKFoods shall at all times observe and fulfil the various rights afforded to the Data Subjects under Data Protection Legislation. To this end, HKFoods shall take appropriate technical and organizational measures to be able to respond to requests from Data Subjects on the exercise of the following rights:
- Right to receive information on the Processing
- Right of access to Personal Data
- Right to rectify Personal Data
- Right to erasure (‘right to be forgotten’)
- Right to restriction of Processing
- Right to data portability
- Right to object to the Processing
The applicability of the various rights of the Data Subject is subject to conditions set out in Data Protection Legislation and HKFoods shall always review the applicability of any request made by the Data Subject by following HKFoods Data Subject Rights Related Guidelines.
7. Data transfers
Where HKFoods transfers Personal Data to another Data Controller, HKFoods shall ensure that the Data Controller, which receives the Personal Data, complies with Data Protection Legislation by way of an agreement or by way of ensuring that the Data Controller has appropriate legal basis to receive the Personal Data. HKFoods shall also ensure that the Data Subjects receive information on the transfers of their Personal Data to the other Data Controller.
HKFoods assigns third party service providers in several instances that in many cases will, directly or indirectly, Process Personal Data on behalf of HKFoods. HKFoods shall only engage Data Processors that provide HKFoods with sufficient guarantees that the Data Processor will comply with Data Protection Legislation. To ensure compliance with Data Protection Legislation, HKFoods shall always enter into a data processing agreement with any Data Processor that will Process Personal Data on behalf of HKFoods.
When HKFoods transfers Personal Data from the EU or the EEA to a country outside the EEA, HKFoods shall ensure that it fulfills the requirements for such transfer as set out in Data Protection Legislation. This includes e.g. ensuring an adequate level of protection by means of entering into the EU Commission’s Standard Contractual Clauses (or similar framework applicable from time to time) with the entity receiving the Personal Data (data importer).
8. Policy changes
Amendments to this Policy must be approved by the BoD, except for amendments which are more of a technical nature and which do not alter the overall concept of this Policy. Such technical amendments shall be approved by the Policy owner. The BoD shall be informed of all modifications made.
9. Communication and implementation
HKFoods shall ensure that all relevant employees are aware of the importance of protection of Personal Data and shall thus develop training and awareness programs where the employees are trained in data privacy related matters. Training of newly hired personnel shall be a part of the onboarding process. HKFoods shall document successful participation in training sessions in order to demonstrate that employees possess general knowledge and awareness of data privacy related matters.
Risk Management Unit and Group Data Privacy Manager shall be responsible for communicating, training and implementing this Policy to the whole Group.
10. Internal controls and reviews
Policy owner is accountable for making sure that there are adequate internal controls in place to ensure compliance with this Policy, related guidelines, instructions and processes. Regular reviews by internal and external parties shall be conducted to assess implementation and compliance with this Policy.
11. Consequences of non-compliance
In case an employee of HKFoods is breaching this Policy or any guideline or instruction based on this Policy, any such breach shall be subject to appropriate consequences, including possible termination of the employment relationship. Moreover, where HKFoods suspects that the breach fulfils the criterion of punishable offense under applicable legislation, such breach shall also be reported to a relevant authority.
Approved by the Board of Directors 23 September 2020.