Dole: Privacy Policy
1.
Purpose and Scope of this Privacy Policy
Dole plc and its subsidiaries (the “Dole Group” or the “Company”) collect, use, share and hold
certain Personal Data about current, past and prospective, consumers,
customers, suppliers, business contacts, employees and other people in course
of its business activities. Personal Data must be Processed in accordance with
the General Data Protection Regulation (Regulation (EU) 2016/679) and other applicable
national and European privacy legislation and regulations (together the “Data Protection Law”).
The Company recognises the need to treat
Personal Data in an appropriate and lawful manner and is committed to complying
with its obligations in this regard. This Privacy Policy explains how the
Company use Personal Data.
This Privacy Policy applies to all entities
within the Dole Group and all individuals who work for, with or on behalf of
any Dole business.
The Company use the words Personal Data to
describe information that about an individual, and from which they are
identifiable. Other key data protection terms are defined in Schedule 1.
This Privacy Policy describes how the Company
use Personal Data that the Company collect as part of its business
activities. This includes Personal Data
obtained from a variety of sources, including:
·
telephone calls, emails and
other communications;
·
service providers and other
third parties;
·
the Dole website (the “Site”); and
·
social media applications.
In this Privacy Policy, the Company refer to
the Site and social media applications collectively as “Online Tools”.
Personal Data may be provided to the Company
by the individual directly or by a third party.
This Privacy Policy may be supplemented by
other privacy notices tailored to the Company’s specific relationships with the
individual.
2.
Personal Data the Company Process
The Personal Data the Company hold about employees
and other individuals may differ depending on the relationship, including the
type of communications between the Company and the individual and the services the
Company provides.
The Personal Data the Company collect generally
falls within one of three categories – Personal Data about
·
Employees;
·
Business Contacts;
·
Customers.
The Company endeavours to keep the Personal
Data it Processes accurate and up to date. Furthermore Personal Data is stored in
as few places, with as few copies, as is reasonably possible. The Company’s relevant
staff are trained to not create any unnecessary additional copies of Personal
Data.
Personal Data the Company may hold and process
is further described in Schedule 2.
3.
How the Company use Personal Data
The Company use Personal Data to carry out its
business activities. The purposes for
which the Company use an individual’s Personal Data may differ based on the
relationship, including the type of communications between the Company and the individual
and the services the Company provides.
The main purposes include using Personal Data
to:
·
facilitate general business
purposes, including payroll activities, HR records, performance management,
making business travel arrangements;
·
facilitate communication with
an employee and their nominated contacts in an emergency and protecting the
health and safety of staff and others;
·
provide products and services;
·
communicate with employees and
other individuals;
·
improve the quality of products
and services, provide training and maintain information security (for example,
for this purpose the Company may record or monitor phone calls);
·
carry out research and
analysis, including analysis of the Company’s customer base and other
individuals whose Personal Data the Company collect;
·
provide marketing information
in accordance with preferences the individual have told the Company about
(marketing information may be about products and services offered by third
party partners subject to the individual’s preferences);
·
personalise the individual’s
experience when using Online Tools or visit third party websites by presenting
information and advertisements tailored to the individual, and facilitate
sharing on social media;
·
manage the Company’s business
operations and IT infrastructure, in line with its internal policies and
procedures, including those relating to finance and accounting, billing and
collections, IT systems operation, data and the website hosting, data analytics,
business continuity, records management, document and print management, and
auditing;
·
manage complaints, feedback and
queries, and handle requests for data access or correction, or the exercise of
other rights relating to Personal Data;
·
comply with applicable laws and
regulatory obligations (including laws and regulations outside the individual’s
country of residence), for example, laws and regulations relating to anti-money
laundering, sanctions and anti-terrorism; comply with legal process and court
orders; and respond to requests from public and government authorities
(including those outside the individual’s country of residence); and
·
establish and defend legal
rights to protect the Company’s business operations, and those of its business
partners.
4.
Automated decisions using Personal Data
The Company may use automated decision making
tools (i.e. where a person is not involved in the decision). The Company typically use these tools when
making straightforward decisions about an individual. Where this is the case the Company may
provide the individual with more information at the time to aid in understanding
of what is involved.
5.
Responsibility for Personal Data
The Company is responsible for looking after
Personal Data in accordance with this Privacy Policy, internal standards and
procedures, and the requirements of data protection law.
When the Company provide Personal Data to
third parties, the third parties will be selected carefully and required to use
appropriate measures to protect the confidentiality and security of the Personal
Data. In such circumstances, the Company will disclose requested Personal
Data to the extent permitted by, and in accordance with, applicable Data
Protection Law. Those third parties will
assume certain responsibilities under data protection law for looking after the
Personal Data that they receive from the Company.
6.
Sharing of Personal Data
In connection with the purposes described
above, the Company may need to share Personal Data with third parties (this may
involve third parties disclosing Personal Data to the Company and the Company disclosing
Personal Data to them).
The types of third parties with which the
Company may share Personal Data are further described in Schedule 4.
In certain circumstances, Data Protection Law
allows Personal Data to be disclosed to law enforcement agencies without the consent
of the Data Subject. In such
circumstances, the Company will disclose requested Personal Data to the extent
permitted by, and in accordance with, applicable Data Protection Law. Prior to
any such disclosure of Personal Data the Company will ensure the request is
legitimate and in accordance with Data Protection Law, seeking assistance from
Group Legal Counsel where necessary.
7.
International Transfers of Personal Data
For the purposes set out in this Privacy
Policy the Company may transfer Personal Data to parties located in other
countries (including the USA and other countries that have data protection
regimes which are different to those in the country where the individual is
based, including countries which have not been found by the European Commission
to provide adequate protection for Personal Data).
The Company may transfer information internationally
to its service providers, business partners, and government or public
authorities.
When making these transfers, the Company will
take steps to ensure that the Personal Data is adequately protected and
transferred in accordance with the requirements of Data Protection Law.
This may involve the use of data transfer
agreements in the form approved by the European Commission or another mechanism
recognised by data protection law as ensuring an adequate level of protection
for Personal Data transferred outside the EEA (for example, the standard
contractual clauses).
For further information about these transfers
and to request details of the safeguards in place, please contact the Company
using the details in Schedule 8.
8.
Security of Personal Data
The Company uses appropriate technical,
physical, legal and organisational measures, which comply with data protection
laws to keep Personal Data secure.
As most of the Personal Data the Company holds
is stored electronically the Company has implemented appropriate IT security
measures to ensure this Personal Data is kept secure. For example, the Company may use anti-virus
protection systems, firewalls, and data encryption technologies. The Company have
procedures in place at their premises to keep any hard copy records physically
secure. The Company also train its staff regularly on data protection and
information security.
When the Company provides Personal Data to a
third party (including its service providers) or engages a third party to collect
Personal Data on its behalf, the third party will be selected carefully and
required to use appropriate security measures to protect the confidentiality
and security of Personal Data. For example Personal Data is encrypted /
password protected where appropriate.
Unfortunately, no data transmission over the
Internet or electronic data storage system can be guaranteed to be 100% secure.
If an individual has reason to believe that their interaction with the
Company is no longer secure (for example, if they feel that the security of any
Personal Data sent to the Company has been compromised), they should immediately
notify the Company.
The manner in which Personal Data is kept
secure is further described in the Company’s security policy, a copy of which
can be obtained from the contact details in Schedule 8.
9.
Legal Justifications for Processing of Personal Data
To comply with Data Protection Law, the
Company need to describe the legal justification it relies on for using Personal
Data for its purposes.
While the law provides several legal
justifications, the table in Schedule 5 describes the main legal justifications
that apply to the purposes for using Personal Data.
In order to obtain Personal Data from an
individual to comply with applicable legal requirements, and certain Personal
Data may be needed to enable the Company to fulfil the terms of its contract
with an individual, or in preparation of entering into a contract with an
individual. The Company may inform the individual of this at the time that the
Company obtain the Personal Data. In
these circumstances, if the individual does not provide the relevant Personal
Data to the Company, the Company may not be able to provide its products or
services to the individual. To obtain
more information, please contact the Company using the details set out in
Schedule 8.
Where the Company rely on its legitimate
business interests or the legitimate interests of a third party to justify the
purposes for using Personal Data, its legitimate interests are:
·
pursuit of its commercial
activities and objectives, or those of a third party (for example, by carrying
out direct marketing);
·
compliance with applicable
legal and regulatory obligations, and any guidelines, standards and codes of
conduct (for example, by carrying out background checks or otherwise
preventing, detecting or investigating fraud or money laundering);
·
improvement and development of
business operations and service offering, or those of a third party;
·
protection of the business,
shareholders, employees and customers, or those of a third party (for example,
ensuring IT network and information security, enforcing claims, including debt
collection); and
·
analysing competition in the
market for the Company’s services (for example, by carrying out research,
including market research).
The Company may need to collect, use and
disclose Personal Data in connection with matters of important public interest,
for instance when complying with its obligations under anti-money laundering
and terrorist financing laws and regulations, and other laws and regulations
aimed at preventing financial crime. In
these cases, the legal justification for the use of Personal Data is that the
use is necessary for matters of public interest. Additional justifications may
also apply depending on the circumstances.
For Processing of more Sensitive Personal
Data the Company will rely on either:
·
consent; or
·
that use of Sensitive Personal
Data is necessary for the establishment, exercise or defence of legal claims,
or whenever courts are acting in their judicial capacity (for example, when a
court issues a court order requiring the Processing of Personal Data).
Processing of Personal Data relating to
criminal convictions and offences is subject to the requirements of applicable
law.
10.
Monitoring
The Company may record telephone calls with employees
so that the Company can:
·
improve the standard of service
that the Company provide by providing employees with feedback and training,
where applicable;
·
address queries, concerns or
complaints;
·
prevent, detect and investigate
crime, including fraud and money laundering, and analyse and manage other
commercial risks; and
·
comply with the Company’s legal
and regulatory obligations.
In addition, the Company monitor electronic
communications between the Company and employees (for example, emails) to
protect the employees, the business and IT infrastructure, and third parties
including by:
·
identifying and dealing with
inappropriate communications; and
·
looking for and removing any
viruses, or other malware, and resolving any other information security issues.
The use of CCTV involves Processing of
Personal Data. Further information on how the Company Process Personal Data
using CCTV is set out in Schedule 6.
11.
Retention of Personal Data
The Company will keep Personal Data for as
long as is necessary for the purposes for which the Company collects it. This
mean the Company will retain Personal Data for so long as the Company has a
relationship with the individual to whom the Personal Data relates. Once this
relationship comes to an end the Company will retain such Personal Data for a
period of time that allows it to: (a) comply with legal record retention
requirements; (b) defend or bring legal claims; (c) maintain records for
business analyses and audit; and (d) address complaints and other issues
regarding its business.
Where the Company holds Personal Data to
comply with a legal or regulatory obligation, the Company will keep the
information for at least as long as is required to comply with that obligation.
In some cases a retention period will apply once the initial purpose has ceased
e.g. payroll files are required to be kept for current year plus 6 years.
Where the Company holds Personal Data in
order to provide a product or service, the Company will keep the information
for at least as long as the Company provides the product or service, and for a
number of years thereafter. The number
of years varies depending on the nature of the product or service provided.
The Company endeavours to ensure that
Personal Data will only be kept which is relevant and not excessive to achieve
the purposes for which it is being held. Personal Data will be deleted once that
purpose is achieved or it is no longer required as set out
For further information about the period of
time for which the Company retains Personal Data, please contact the Company
using the details in Schedule 8.
12.
Personal Data Rights
Schedule 7 sets out a summary of the data
protection rights available to individuals in the EEA in connection with their
Personal Data. These rights may only apply in certain circumstances and are
subject to certain legal exemptions.
To exercise any of these rights, please
contact the Company using the details set out in Schedule 8.
13.
Who to contact about Personal Data
For any questions or concerns about the way the
Company uses Personal Data, please contact the Company at the email address in
Schedule 8.
14.
Review and Revision
The Company review this Privacy Policy
regularly and reserve the right to make changes at any time to take account of
changes in the business, legal requirements, and the manner in which the
Company process Personal Data. This Privacy Policy was last updated on the date
indicated on page 1. The Company may review this policy and make changes from
time to time.
SCHEDULE 1
Definition of key data protection terms
“Data Breach” means a breach of security
leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, Personal Data transmitted, stored or
otherwise Processed.
“Data Controller” means the entity that
controls Personal Data, by deciding why and how such Personal Data is
Processed.
“Data
Processor” means the party that Processes Personal Data on behalf of the
Data Controller (for example, a payroll service provider).
“European
Economic Area” or “EEA” means
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic,
Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.
“Personal
Data” is any information relating to a living individual which allows the
identification of that individual. Personal Data can include:
·
a name, an identification
number;
·
details about an individual’s
location; or
·
any other information that is
specific to that individual.
“Processing”
includes collecting, using, recording, organising, altering, disclosing,
destroying or holding Personal Data in any way. Processing can be done either
manually or by using automated systems such as information technology systems
and “Process” and “Processing” shall be interpreted
accordingly.
“Profiling”
is the automated Processing of Personal Data for the purpose of assessing
certain aspects relating to an individual so as to analyse or predict the
individual’s performance, decisions or behaviour.
“Sensitive
Personal Data” are types of Personal Data that reveal any of the following
information relating to an individual: racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership.
Special Categories of Personal Data also include the Processing of genetic
data, biometric data (for example, fingerprints or facial images), health data,
data concerning sex life or sexual orientation and any Personal Data relating
to criminal convictions or offences.
SCHEDULE 2
Types of Personal Data
Type of Personal Data
|
Examples
|
Contact information
|
Name, address, email and telephone number.
|
General information
|
Gender, marital and family status, date and
place of birth, physical characteristics, expression of wishes form.
|
Education and prior employment
|
Educational background, employer details and employment
history, skills and experience, professional licences, memberships and
affiliations.
|
Government
|
Social security number, passport number, tax
number, driver’s licence number, or other government issued identification
number.
|
Financial information
|
Payment card number (credit /debit card), bank
account number, other financial account number and account details, other
financial information.
|
Information enabling us to provide products
and services
|
Status as company officer or director, or
partner, or other ownership or management interest in an organisation.
|
Marketing preferences, marketing activities
and customer feedback
|
Marketing preferences or responses to customer
satisfaction surveys.
|
Online activity information
|
The Company may receive Personal Data about an
individual when they use Online Tools; this may include social media account
identifiers, IP address and other online identifiers (to the extent that they
are Personal Data), and other Personal Data that an individual may provide to
the Company online.
|
Supplemental information from other sources
|
The Company and its service providers may
supplement the Personal Data the Company collects with information obtained
from other sources (for example, publicly available information from online
social media services and other information resources, third party commercial
information sources, and information from its business partners).
|
SCHEDULE 3
General Staff Guidelines
Everyone who works for or with the Company and
uses Personal Data has a responsibility under this Privacy Policy to ensure
Personal Data is collected, stored and handled appropriately, securely and in
accordance with Data Protection Law. Staff must to be vigilant to ensure that
they comply with the terms of this Privacy Policy. If in doubt staff should
request help using the contact details in Schedule 8.
·
The only people able to access
Personal Data covered by this Privacy Policy should be those who need it for their work.
·
Employees should keep all Personal
Data secure, by taking sensible precautions in particular, robust passwords must be used and they should never be shared.
Where necessary, the Company should ensure that Personal Data is encrypted for
storage and transmission.
·
Personal Data should not be shared informally. When
access to Personal Data is required, employees can request it from their line
managers.
·
Personal Data should not be disclosed to unauthorised
people, either within the company or externally.
·
Files containing Personal Data
should be regularly reviewed and updated.
If no longer required, it should be permanently deleted.
·
Training is available to relevant
employees to help them understand their responsibilities when handling Personal
Data. Any employee who does not feel
they have had adequate training should report this to their manager.
·
Paper-based records of Personal
Data when not required, should be filed securely or shredded/disposed securely
if no longer required
·
Employees should make sure
paper and printouts containing Personal Data are not left where unauthorised people could see them, e.g. on a
printer.
·
When Personal Data is stored
electronically, it must be protected from unauthorised access, accidental
deletion and malicious hacking attempts:
·
If Personal Data is stored on removable media, these should
be kept securely when not being used.
·
All servers and computers containing Personal Data should be protected
in accordance with the Dole Information Security Policy.
·
Personal Data should not be
downloaded to personal laptop’s/PC’s etc. in general, unless permission has
been granted by line manager and it is necessary for the execution of the
employee’s role.
·
All employees should be aware
that the Company reserves the right to inspect all files stored in the network
including emails and in the event of any investigation of employee conduct at the
Company to ensure or monitor compliance with any legal requirements or policies
of the Company for business purposes. The appointed investigator, in the course
of conducting any investigation, will have free and unrestricted access to all
records and premises and the authority to examine, copy, and/or remove all or
any portion of the contents of files, desks, cabinets, and other storage
facilities on the premises without prior knowledge or consent of any individual
who may use or have custody of any such items or facilities when it is within
the scope of their investigation. No
data should be destroyed once an investigation has begun. Employees should also be aware of the
requirement to maintain the confidentiality of all Confidential Information (i.e.
Personal Data or business data that is not in the public domain) at all times
and even after their employment with the Company has come to an end.
·
Employees should also not
disclose any Confidential Information to any third party who is not employed by
the Dole Group, without the consent of their direct manager or a director of the
Company Group plc other than to professional advisers of the Dole Group who are
informed of the confidential nature of such information.
SCHEDULE 4
Third Party Disclosees
Type of third party
|
Examples
|
Service providers and advisors
|
External third party service providers, such
as pension and payroll providers, security professionals, accountants,
auditors, experts, lawyers and other professional advisors; travel assistance
providers; call centre service providers; IT systems, support and hosting
service providers; advertising, marketing and market research, and data
analysis service providers; banks and financial institutions that service the
Company’s accounts; document and records management providers; and other
third party vendors and outsourced service providers that assist the Company
in carrying out business activities.
|
Government / Judicial authorities
|
The Company may also share Personal Data with:
(a) government or other public authorities
(including, but not limited to, courts, regulatory bodies, law enforcement
agencies, tax authorities and criminal investigations agencies); and
(b) third party participants in legal
proceedings and their accountants, auditors, lawyers, and other advisors and
representatives, as the Company believe to be necessary or appropriate.
|
Other
|
Purchaser or prospective purchaser of a
business of Dole.
|
SCHEDULE 5
Legal Bases for Processing
Purpose
of Processing
|
Legal Justifications
|
Consent
|
Contractual Necessity
|
Legal Requirement
|
Legitimate Interests
|
To communicate with individuals
|
|
l
|
l
|
l
|
For the employment
relationship
|
|
l
|
l
|
l
|
To provide products and
services
|
|
l
|
|
l
|
To improve the quality of
the Company’s products and services, for training, and to maintain
information security
|
|
|
l
|
l
|
To manage commercial
risks
|
|
|
l
|
l
|
To carry out research and
analysis
|
l
|
|
|
l
|
To provide marketing
information
|
l
|
|
|
l
|
To manage the Company’s
business operations and IT infrastructure
|
|
l
|
l
|
l
|
To manage complaints,
feedback and queries
|
|
l
|
l
|
l
|
To comply with applicable
laws and regulations
|
|
|
l
|
l
|
To personalise the user experience when using Online Tools
|
l
|
|
|
l
|
SCHEDULE 6
CCTV Policy & Procedures
The purpose of the Company’s CCTV system is to
ensure the health and safety of staff and customers, the security of the
Company’s staff and property and to protect against crime, including theft.
The Company ensures that the use of CCTV is in
line with the requirements under Data Protection Law. Staff have a
responsibility to adhere to this CCTV policy and failure to do so may result in
disciplinary action up to and including dismissal.
Access to the CCTV systems and recorded material
is strictly restricted to authorised colleagues, security colleagues and
members of the management teams.
Cameras
The Company operates cameras which are located across warehouses,
office buildings and stores. All areas display signage highlighting the
presence of CCTV cameras. These
operate on a 24-hour basis, seven days a week.
Processing the images
Recorded
images and associated information, which may include sound, will be retained
for a maximum of 30 days from the date of recording. After a period of up to a maximum of 30 days
the system will automatically overwrite images.
However the Company reserves the right to retain images for a longer
period where there are objective reasons for doing so. Any CCTV footage that has been retained will
be retained securely and will only be retained and /or used for the specific
purpose it was retained for. Once it is
no longer necessary to retain the footage it will be destroyed by a specified
person, appropriate measures must be taken to ensure that the data cannot be
reconstructed and processed by third parties.
Staff with responsibility for processing CCTV images must only do so in
line with established procedures and must ensure the security of the data at
all times. Any colleague who uses the CCTV system or CCTV images in an
unauthorised manner may be subject to disciplinary action up to and including
dismissal. Unauthorised use is any processing incompatible with the data’s
original purpose including, but not limited to: disclosure
of images containing Personal Data to an unauthorised third party, including
other colleagues; unauthorised processing of Personal Data in the form of
copying the images on to a disk, the website or print format; and/or circulation
of images containing Personal Data by email, phone or posting of images
containing Personal Data on the internet.
Access to and disclosure of images to third parties
Access to and disclosure of images recorded by
the CCTV system is carefully monitored. Access to images by third parties will
only be allowed in limited and prescribed circumstances permitted by
legislation. Such circumstances may include the disclosure of Personal Data in
order to: prevent injury or damage to property; meet legal requirements; obtain
legal advice, or for the purpose of legal proceedings; or meet a request from,
or with the consent of, the data subject, or a person acting on his or her
behalf.
Local Law Enforcement requests for copies
of CCTV footage should only be acceded to where a formal written request is
provided to the Company stating that they are investigating a criminal
matter. In some instances, where the Local
Law Enforcement indicate that the viewing of CCTV footage is deemed urgent, the
Company may facilitate a viewing without the formal written request but on the
understanding that the formal written request will be sent by the Local Law
Enforcment as soon as is reasonably practicable.
The Company also reserves the right to disclose
Personal Data to specific third parties where there are objective business
reasons for doing so. Such third parties may include: insurance providers;
medical practitioners; pension and medical insurance providers; security
providers.
Access by
Data Subjects
Under the Data Protection Law individuals have
the right to access images containing their Personal Data. This applies equally
to colleagues and members of the public. Please see Schedule 8.
Disciplinary
purposes
The Company reserves the right to use
information obtained by CCTV for disciplinary purposes. Such information can be
used as part or in conjunction of an investigation process and all relevant
parties will have the opportunity to view and comment on such footage. Example
of the use of CCTV footage for disciplinary purposes include but are not
limited to; establishing the facts of an alleged incident where other evidence
is in conflict; as evidence for alleged incidents of stock loss, theft or
misuse of time and attendance system; as evidence of health and safety incidents.
SCHEDULE 7
Data Subject Rights
Description
|
When is this right applicable?
|
Right
of access to Personal Data
Individuals have the right to receive a
copy of the Personal Data the Company holds about them and information about
how the Company use it.
|
This right is applicable at all times
when the Company hold individual’s Personal Data (subject to certain
exemptions).
|
Right
to rectification of Personal Data
An individual has the right to ask the
Company to correct Personal Data the Company holds about the individual where
it is incorrect or incomplete.
|
This right is applicable at all times
when the Company hold individual’s Personal Data (subject to certain
exemptions).
|
Right
to erasure of Personal Data
This right entitles an individual to
request that their Personal Data be deleted or removed from the Company’s
systems and records. However, this
right only applies in certain circumstances.
|
Examples of when this right applies to
Personal Data the Company hold include (subject to certain exemptions):
· when the Company no longer needs
the Personal Data for the purpose the Company collected it;
· if the individual withdraws
consent to the Company’s use of their information and no other legal
justification supports the continued use of their information;
· if an individual objects to the
way the Company use their information and the Company have no overriding
grounds to continue using it;
· if the Company have used an
individual’s Personal Data unlawfully; and
· if the Personal Data needs to
be erased for compliance with law.
|
Right
to restrict processing of Personal Data
An individual has the right to request
that the Company suspend the use of their Personal Data.
Where the Company suspend its use of the
individual’s Personal Data the Company will still be permitted to store their
Personal Data, but any other use of this information will require their
consent, subject to certain exemptions.
|
An individual can exercise this right
if:
· they think that the Personal
Data the Company hold about them is not accurate, but this only applies for a
period of time that allows the Company to consider if the Personal Data is in
fact inaccurate;
· the Processing is unlawful and the
individual opposes the erasure of their Personal Data and request the
restriction of its use instead;
· the Company no longer need the
Personal Data for the purposes the Company have used it to date, but the Personal Data is required by then
individual in connection with legal claims; or
· the individual has objected to the
Company’s processing of the Personal Data and the Company is considering
whether its reasons for processing override the individual’s objection.
|
Right
to data portability
This right allows an individual to
obtain their Personal Data in a format which enables them to transfer that
Personal Data to another organisation.
An individual may have the right to
have their Personal Data transferred by the Company directly to the other
organisation, if this is technically feasible.
|
This right will only apply:
· to Personal Data the individual
provided to the Company;
· where the Company has justified
their use of the individual’s Personal Data based on:
o the
individual’s consent; or
o the
fulfilment by the Company of a contract with the individual; and
· if the Company’s use of the
individual’s Personal Data is by electronic means.
|
Right
to object to processing of Personal Data
An individual has the right to object
to the Company’s use of their Personal Data in certain circumstances. However, the Company may continue to use their
Personal Data, despite their objection, where there are compelling legitimate
grounds to do so or the Company need to use the Personal Data in connection
with any legal claims and employment.
|
|
Rights
relating to automated decision making and Profiling
An individual has the right not to be
subject to a decision which is based solely on automated processing (without
human involvement) where that decision produces a legal effect or otherwise
significantly affects them.
This right means an individual can
request that the Company involve one of its employees or representatives in
the decision making process.
|
This right is not applicable if:
· the Company need to make the
automated decision in order to enter into or fulfil a contract with the
individual;
· the Company are authorised by
law to take the automated decision; or
· the decision is based on the
individual’s explicit consent.
|
Right
to withdraw consent to processing of Personal Data
Where the Company have relied upon an
individual’s consent to process their Personal Data, they have the right to
withdraw that consent.
|
This right only applies where the
Company process Personal Data based upon the individual’s consent.
|
Right
to complain to the relevant data protection authority
If an individual thinks that the
Company has processed their Personal Data in a manner that is not in
accordance with data protection law, they can make a complaint to the data
protection regulator. If they live or
work in an EEA member state, they may complain to the regulator in that
state.
|
This right applies at any time.
|
SCHEDULE 8
Contact Details
Contact
details for queries on matters raised in this document are as follows:
GDPR Group
Steering Committee dataprotection@doleplc.com