Who this policy applies to
This Policy applies to all Employees (as defined below) of Telsita, as well as Supply Chain Partners (as defined below).
It is the responsibility of all Employees (and Supply Chain Partners) to assist Telsita to comply with this Policy. All Employees (and Supply Chain Partners) must familiarise themselves with this Policy and apply its provisions in relation to all Processing of Personal Data.
The Policy covers all Personal Data in any form, including but not limited to electronic data, paper documents and disks, and all types of Processing, whether manual or automated, of Personal Data under Telsita’s possession or control.
Telsita complies with the data privacy laws of the countries in which it operates, the regulations and guidance documents in those respective countries, as well as applicable data transfer obligations. Telsita will also apply this Policy to the maximum extent possible across Telsita, except where local requirements contradict, or are more onerous than, those set out in this Policy, in which case those local requirements will be followed.
As set out in Telsita’s Code of Conduct it is the policy of Telsita to take all necessary steps to ensure that Personal Data (as defined below) we hold about our employees, customers, suppliers and all other individuals are kept secure, processed (as defined below) in a fair and lawful manner and in compliance with all applicable data privacy laws.
It is the policy of Telsita to ensure that all relevant statutory requirements are complied with and that our internal procedures are monitored periodically to ensure compliance.
We have adopted this Data Protection Policy (“Policy”) to provide general overarching guidelines to ensure that Telsita is aware of its data protection compliance obligations.
This policy is not intended as a definitive statement of the application of all applicable data privacy laws; instead it acts as a general framework of best practice, setting out the principles of data privacy adopted within Telsita to assist in the application of this Policy.
This Policy is based on the General Data Protection Regulation (“GDPR”), which is applicable throughout the European Economic Area.
Data Processor shall mean a legal entity who processes personal data on behalf of the Controller.
Data Controller shall mean the legal entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Subject shall mean an identified or identifiable natural person whose Personal Data is being processed.
Employees shall include all contractors, consultants, temporary and permanent employees of Telsita.
Informed Consent shall mean that the individual agrees to the processing of his or her personal data by a clear affirmative act that is freely given, specific, informed and unambiguous.
Personal Data shall mean any information relating to an identified or identifiable natural living person; an identifiable natural person is one who can be identified directly, or indirectly via use of other information. Examples: name, address, birth date, employee number, photographs, IP address, health data, geographical location and movements, online activities, behaviour patterns.
Personal Data Breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Processing shall mean any operation or set of operations performed on personal data or on sets of personal data, whether or not performed by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, erasure or destruction.
Special categories of personal data shall mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a person’s sex life or sexual orientation.
Supply Chain Partners shall mean a third party (i.e. supplier / service provider) who receives from Telsita or who is otherwise entrusted with Personal Data on behalf of Telsita.
Data Protection Principles
Telsita will comply with the following principles which promote good conduct in relation to the processing of Personal Data:
• Personal Data will be processed in a fair, lawful and transparent manner;
• Personal Data will be obtained for specified, explicit and legitimate purposes and will not be further processed in any manner incompatible with those purposes;
• Personal Data will be adequate, relevant and not excessive in relation to the purposes for which it is processed;
• Personal Data will be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that Personal Data that are inaccurate (having regard to the purpose (or purposes) for which they are processed) are immediately deleted or rectified;
• Personal Data processed for any purpose (or purposes) will not be kept in a form which permits identification of Data Subjects for longer than is necessary for the purpose (or purposes) for which the Personal Data is processed;
• Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data; and
• Personal Data will at all times be processed in a manner that can demonstrate compliance with the above-mentioned principles.
Data Protection Requirements
When considering how the data protection principles and overarching requirements apply to the Personal Data you process, it is important to keep in mind that Telsita may act as Data Controller in certain situations and Data Processor in others. For example, we act as Data Controller when we Process the Personal Data we collect from our Employees, and we act as Data Processor when we process the Personal Data of our customers’ customers.
Where Telsita acts as Data Processor for our customers, we act on the instructions of our customers, which means that we are reliant on our customers to tell us how we should use/Process their Personal Data. For example, if a customer receives a data subject access request from one of its Data Subjects, our customer may ask us to assist it in complying with the request and/or we may be under a contractual obligation to assist them.
The following overarching requirements set out how Personal Data should be treated:
A. Notice to Data Subjects (also known as a privacy or “fair processing” notice)
Data Subjects must be informed about how their Personal Data is used, including about the types of data collected, the purposes for which the data are collected, anyone to whom their Personal Data may be disclosed outside of Telsita, the identity and contact details of the Data Controller, where applicable, the fact that the Data Controller intends to transfer Personal Data outside the EEA and reference to the safeguards in place, and the rights available to the Data Subjects.
B. Fair and Lawful Processing
The way in which Personal Data is held and used must be kept consistent with the privacy notice provided to the Data Subject.
Personal Data should be used only as anticipated in the privacy notice. No further or alternative use should be made of the Personal Data without first considering the need to obtain Informed Consent (as defined in this policy) from the Data Subject and/or issuing an updated privacy notice.
If Telsita is considering implementing a new project or way of working or making changes to an existing project or way of working, which will involve the processing of Personal Data, it is important to consider (and record) the condition which can be relied upon together with the rationale for the processing.
All processing of Personal Data must be justified by reference to one of a number of lawful bases for processing. These are:
• The processing is required for compliance with a legal obligation to which Telsita is subject;
• The processing is required for the performance of a contract to which the data subject is party;
• The processing can be performed on the basis of the legitimate interests pursued by the controller;
• The processing can be performed if the data subject has given his or her consent to it;
• The processing is necessary to protect the vital interests of the data subject;
• The processing is necessary to perform a task carried out in the public interest or in the exercise of official authority.
Special categories of personal data may not be processed without prior consultation with the HR Team.
Telsita maintains a Data Register which records certain details about all business processes which use Personal Data and Special Categories of Data, including the lawful basis for each such business process. If any part of Telsita considers implementing a new project or way of working or making changes to an existing project or way of working, which will involve the Processing of Personal Data, it is important to consider (and record) the lawful basis which can be relied upon together with the rationale for the Processing. The Data Register may need to be updated to reflect the new or revised project or way of working. Employees are required to contact their GDPR OU representative to notify them of any updates that need to be made.
In addition, in such situations, consideration should be given to whether a data protection impact assessment should be carried out. Please refer to the Data Protection Impact Assessment template via the Telsita webpage for further details about Data Protection Impact Assessments and when they should be carried out.
Where Telsita processes Personal Data on behalf of customers, it is each of our customer’s responsibility to ensure that the processing we undertake on its behalf is justified by reference to a lawful basis for processing. Further, it is the responsibility of our customers to ensure that their Data Subjects are informed about how their Personal Data will be used and that actual usage is in line with their privacy notice.
The nature and type of Personal Data held must be proportionate and necessary for the purpose for which it is required.
There should be a clear business justification, or legal need to hold the specific types of Personal Data that are collected from individual Data Subjects. Care must be taken to avoid collecting excessive or irrelevant elements of Personal Data or allowing Personal Data to be used for purposes that cannot be justified as ‘necessary’. A Purpose limitation checklist can be obtained from the UK OneTelsita GDPR webpage to ensure compliance. If this test cannot be satisfied then advice should be sought from the HR Risk and Compliance Team as it may be unlawful to collect the Personal Data without Informed Consent from the Data Subject.
Data sharing / transfers
A. Sharing Personal Data outside Telsita
Personal Data should only be disclosed outside Telsita where there is a legitimate business need, or overarching legal justification to do this. Disclosure must be made on a strictly limited ‘need to know’ basis where there is clear justification for transferring Personal Data – either because the Data Subject has consented to the transfer or because it is for a legitimate business need.
If a particular disclosure is required to meet a legal obligation (for example to a government agency or police force/security service) or in connection with legal proceedings, the Personal Data may be provided so long as the disclosure is limited to that which is legally required.
If you need to share Personal Data you must consult with HR Risk and Compliance Team who will advise you further on the appropriate way to share Personal Data.
B. Transferring Personal Data Overseas
Generally, Personal Data originating in the European Economic Area (EEA) must not be transferred outside of the EEA, unless there is a mechanism for ensuring adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Be aware that transfers may take place that are not obvious. For example, if a Supply Chain Partner located in the EU sub-contracts some of its processing obligations to a third party outsource provider in India, there will be a transfer of Personal Data out of the EEA, i.e. from the Supply Chain Partner (who is a data processor of Telsita) to the third party outsource provider (who is a sub-processor) which will be prohibited unless certain conditions are met.
Managing overseas data transfers in accordance with these principles requires particular care. Where any Personal Data is proposed to be transferred to another country or outside of the EEA, please consult with the HR Risk and Compliance Team who will advise on how to comply with applicable data transfer restrictions.
Accuracy and retention
Personal Data must be kept accurate, complete and up to date and not retained for longer than the purposes for which it was collected require, unless there is a clear overriding business need or legal / regulatory requirement to retain the Personal Data. Telsita’s Data Retention Policy and Retention Schedule set out the procedures for ensuring that documents/records are updated, archived and deleted appropriately.
Special categories of Personal Data such as criminal convictions and ethnicity must also be kept up to date and retained only for as long as necessary. The Retention Schedule should be consulted for further guidance.
In the course of the services we provide to our customers, we retain Personal Data on behalf of those customers and, in such cases, we may be under customer-specific requirements in respect of the management/retention/disposal of such data.
Rights of data subjects
Data Subjects have the right to:
• access their Personal Data;
• require rectification of any errors in their Personal Data;
• require deletion of their Personal Data if continued Processing is not required;
• restrict the way in which their Personal Data are Processed (including the purpose of the Processing);
• transfer their personal data between Data Controllers; and
• object to Processing.
Data Subjects must be provided with a reasonable opportunity to access their Personal Data at reasonable intervals for the purposes of examining it, confirming its accuracy and amending it if it is incomplete or inaccurate. Data Subjects should also be provided with contact information to enable them to access a full copy of their Personal Data in accordance with their legal ‘subject access rights’.
All requests from Data Subjects relating to how Telsita processes their Personal Data (for example requests to access their Personal Data or to cease processing their Personal Data) require careful consideration. Requests of this kind should be made via the Enquiry Form available on the UK GDPR OneTelsita intranet page. Where an employee receives such a request in writing from another employee they must immediately refer it to the GDPR inbox, as the timescales for responding to such a request are short.
As mentioned above, where Telsita acts as a data processor and we are asked by our customers to assist them to comply with data subject rights requests they receive from their Data Subjects, it is important that we act on the instructions of our customers and in accordance with any contractual requirements.
Security of personal data
Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful disclosure of or access to, or accidental or unlawful loss, destruction, alteration or damage to, Personal Data.
Employees and Supply Chain Partners have a responsibility to help keep Personal Data secure. In particular, Employees should be aware of their obligations, and at all times follow Company recommendations, for example in Telsita’s Information Security Policy available on the Telsita Policies and Procedures intranet webpage. Further information can be found under the Telsita webpage.
All Employees who have access to Personal Data are under a legal responsibility to keep information confidential. Access and use of personal data must be limited on a strict ‘need to know’ basis.
Where Personal Data is transmitted outside Telsita, for example to a Supply Chain Partner, a secure medium must be used to transmit such data and written agreements (containing the required level of security standards) should be in place with each such Supply Chain Partner. As set out above, if you need to transfer Personal Data outside Telsita, you must consult with the HR Risk and Compliance Team who will advise you further on the appropriate way to share Personal Data.
Personal data breaches
All Personal Data Breaches should be contained and remedied as soon as possible. In the event of a Personal Data Breach, the Data Controller must notify the appropriate supervisory authority, usually the ICO, without undue delay and, where feasible, not later than 72 hours after having become aware of the Personal Data Breach (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons). A Data Processor must notify the Data Controller of any Personal Data Breach without undue delay after becoming aware of it.
Examples of Personal Data Breaches include: third party attacks on IT infrastructure designed to harvest personal data for criminal purposes; accidental loss or theft of Telsita devices (e.g. mobile phones, laptops, USB devices); the passing to third parties or disposal of personal information without appropriate security measures being in place.
All Employees (and Supply Chain Partners) have an obligation to report Personal Data Breaches (or suspected Personal Data Breaches) to the HR Risk and Compliance Team who alone will make the decision on whether to notify the ICO. The Reporting Personal Data Breaches – Employee Guide provides further details on how Personal Data Breaches should be managed and resolved. Employees should familiarise themselves with, and at all times follow, the plan in the event of a Personal Data Breach.
If a Personal Data Breach occurs and impacts on Personal Data we process on behalf of our customers, we will need to notify the customer without undue delay. Further, we may be required to provide the customer with specific details relating to the Personal Data Breach within a short timescale upon becoming aware of it. Please see the Reporting Personal Data Breaches – Employee Guide document for more information.
Employee monitoring
Please refer to the Electronic Communications Policy.
Direct marketing
Direct marketing is the transmission by any means (including post, telephone, email, SMS, direct messaging, fax etc.) of materials advertising or promoting Telsita’s products and services to a specific individual (including where that individual is acting in a business capacity, for example the work email address of an employee of one of our customers).
The level of consent required to market to an individual will depend on the type of direct marketing activity to be undertaken and country specific privacy rules, which (in relation to electronic marketing) sit outside of the GDPR.
As a general rule, Data Subjects should only be contacted for marketing purposes by electronic means (i.e. email or text) if they have either expressly ‘opted-in’ to receiving communications in this way, or there is an existing commercial relationship and they are given the opportunity to ‘opt-out’ of marketing communications when we first collect their details, and in all subsequent communications.
In all cases, Data Subjects must be given the chance to decline to receive direct marketing material and a suppression list should be held listing Data Subjects who have indicated that they do not want to be contacted in the future. Where telephone marketing is carried out, telephone numbers should be screened against the public suppression list maintained by the Telephone Preference Service.
Cookies
Telsita websites use cookie technology and we maintain a clear statement explaining to users how cookies are deployed by Telsita AB and give individuals an opportunity to consent before having cookies placed on their computers on the Telsita website.
Automated decision-making
Decisions should not be made about individuals using entirely automated processes. Advice should be sought from the Data Protection Officer (“DPO”) before considering any techniques that will result in decisions being made about individuals through automated means, to ensure appropriate manual reviews are embedded into the decision-making process. This extends to automated processes which may be used for screening recruitment candidates, as well as profiling techniques used to automatically make decisions about policy applicants or claimants in underwriting and claims management contexts.
CCTV
CCTV systems should be operated with care to avoid disproportionate risk of privacy intrusion to individual Data Subjects. CCTV systems should be installed and operated in a way that is proportionate to the risks being covered and prominent notices should be displayed in the area covered by the CCTV system to make sure people are aware that the system is in operation. Where you are considering installing a CCTV system, please consult with the Data Protection Officer (“DPO”).
Consequences of non-compliance
If Telsita is found to be in breach of applicable data protection laws, Telsita could face fines and enforcement action taken against it by data protection supervisory authorities. Employees and Supply Chain Partners are also responsible for data protection. Failure to comply with this policy may lead to disciplinary action, up to and including summary dismissal for serious or repeated non-compliance.
Accountability for our actions
Periodic monitoring of adherence to this Policy takes place to help ensure compliance with this Policy, applicable data protection laws and/or contractual agreements in connection with the handling of Personal Data. Initially this will be undertaken once a year but Telsita retains the right to amend this schedule pending guidance from the ICO.
As set out earlier in this Policy, it is the responsibility of all our Employees (and Supply Chain Partners) to assist Telsita to comply with this Policy. It is therefore key that all Employees (and Supply Chain Partners) familiarise themselves with this Policy and apply its provisions in relation to all Processing of Personal Data. Failure to do so could amount to misconduct, which is a disciplinary matter and could ultimately lead to dismissal or, in the case of Supply Chain Partners, termination of contract.
Complaints
Telsita is committed to resolving the legitimate privacy issues of its Employees, Supply Chain Partners, customers, suppliers and all other individuals. If any Employee or Supply Chain Partner discovers a breach of this policy, either through their own actions or the actions of others, they must contact the Data Protection Officer (“DPO”) to report it.
If an individual covered by this Policy makes a complaint about the processing of his/her or someone else’s Personal Data, and the complaint is not satisfactorily resolved through this internal procedure, Telsita will co-operate with the appropriate data protection authority (or authorities) and comply with the advice of such authorities to resolve any outstanding complaints. In the event that the Data Protection Officer (“DPO”) or the data protection authorities determine that Telsita or one or more of its Employees failed to comply with this Policy or any relevant data protection laws, upon recommendation of the authorities or the Data Protection Officer (“DPO”), Telsita will take appropriate steps to address any adverse effects and to promote future compliance.
Policy ownership and responsibility
The owner of this Policy is the Head of Data Protection and Compliance, who shall ensure that this Policy is properly applied across Telsita, supported by the HR Risk and Compliance Team.
The Data Protection Officer (“DPO”) is responsible for the oversight and implementation of this Policy and may delegate responsibility for communicating Policy requirements and any revisions made to this Policy to the Data Protection Officer (“DPO”).
Monitoring and non-compliance handling
The Data Protection Officer (“DPO”) will report breaches of and potential exceptions to this Policy to the Head of Data Protection and Compliance as soon as possible. Internal audit may also review compliance with this Policy and report exceptions to this Policy to the Data Protection Officer (“DPO”). The Data Protection Officer (“DPO”) will escalate such reports to the Telsita Board when appropriate.
An annual report on compliance with this Policy and on the effectiveness of the systems in place to manage the non-compliance risk, together with a list of breaches, will be presented to the Head of Risk and Compliance.
Policy review cycle
This Policy shall be reviewed as required to ensure that the Policy is meeting Telsita’s Policy Statement and Purpose set out earlier in this Policy. Changes to applicable data protection laws, regulation or regulatory regimes, together with Telsita’s risk profile in the global operating environment, may form triggers for revisions or updates to this Policy. It is the responsibility of all Employees (and Supply Chain Partners) to assist Telsita to comply with this Policy.
Queries and waivers
Any queries relating to this Policy should (in the first instance) be directed to the Data Protection Officer (“DPO”) via the GDPR inbox at email@example.com
Any instances where a waiver of this Policy is sought must first be reported to the Data Protection Officer (“DPO”) and be approved by the Data Protection Officer (“DPO”).
Please see the Telsita webpage for further guidance and supporting documents.