Green Tech International S.A. and all its subsidiaries (hereinafter called the “Group” or “GreenTech”) is committed to conducting business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct.
In May 2016 the European Union Commission issued the EU General Data Protection Regulation (GDPR), in force from 25 May 2018, designed to harmonise data protection laws across Europe. Its aim is to protect and empower all EU citizens and all individuals who are in the Union, regardless of their citizenship, with rights over their data privacy, and to reshape the way organisations across the region approach data privacy.
GDPR not only applies to organisations located within the EU; it also applies to organisations located outside the EU if they control or process the personal data of individuals living in the EU.
The innovations in data protection introduced by the GDPR have led to Green Tech's decision to develop and maintain this GDPR Data Protection Policy and to implement it across the Group.
This Policy sets forth the expected behaviours of Employees of Green Tech and relevant Third Parties in relation to Personal Data. This Policy concerns the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to individuals (henceforth referred to as the Data Subject) under the control of a Group company. The Group has established further policies and procedures on Data Protection that should be read in conjunction with this Policy (see section 4).
The Group's leadership is fully committed to ensuring continued and effective implementation of this Policy and expects all Employees and Third Parties to share in this commitment. Any breach of this Policy will be taken seriously and may result in disciplinary actions against individuals.
This Policy has been approved by the Board of Directors of Green Tech.
The purpose of this Policy is to establish safeguards to protect Personal Data that is owned, stored, or maintained by a Group company, as well as Personal Data that is collected from or passed on to Third Parties, regardless of the format (physical or electronic). This Policy is designed to:
- ensure the security and confidentiality of Personal Data;
- protect against any anticipated threats or hazards to the security or integrity of Personal Data;
- protect against unauthorised collection of, access to or use of Personal Data.

This Policy applies to all Group companies where Personal Data is processed.
This Policy applies to all Processing of Personal Data (see ‘Personal Data’ in the GDPR Glossary) in electronic form (including electronic mail and documents in soft copy form) or physical files that are structured in a way that allows ready access to information about individuals.
All Employees are subject to the requirements within this Policy and should attest that they have read and understood its contents.
This Policy has been designed to establish a group-wide consistent standard for the processing and protection of Personal Data by all Group companies. However, where national law imposes a requirement which is stricter than the requirements of this Policy, the requirements in the relevant national law must be followed. Furthermore, where national law imposes a requirement that is not addressed in this Policy, the relevant national law will apply.
This document should be read in conjunction with the following documents. The documents below shall be drafted and approved by the Board of Directors of Green Tech within 2022:
- Data Retention Policy
- Information Security Policy
- Data Subject Request Handling Procedure
- Data Breach Management Policy
- Health & Safety Policy

Senior Management are committed to ensuring that the Group of companies is fully GDPR compliant and that an appropriate Data Protection Framework, as described in Annex 6, is maintained to ensure it remains compliant.
Senior Management apply the “P-D-C-A” philosophy (Plan-Do-Check-Act) (see Annex 7.1) to determine the steps that need to be established to build a Data Protection Framework which will ensure compliance with the GDPR requirements.
In order to establish appropriate governance of Data Protection, the Group has made it the responsibility of the Chief Risk Officer (CRO) to determine the appropriate technical and organisational measures and to implement them within our organisation.
The CRO is in charge of leading the effort for enhancing data protection practices within the Group as well as reaching and maintaining compliance with GDPR requirements.
The CRO reports to the Group's (and Group companies) Board of Directors.
The CRO operates with independence. The responsibilities include the following:
- To inform and advise the Group of companies and its Employees who process data of their obligations pursuant to GDPR and other data protection provisions;
- To monitor compliance with the GDPR, other data protection provisions and this Policy and related documents under the overarching Data Protection Framework;
- To update the Data Protection Framework and related documents in line with Data Protection regulations;
- To provide guidance on carrying out Data Protection Impact Assessments (DPIAs) and to monitor their performance;
- To act as a point of contact for and co-operate with Supervisory Authorities and Data Subjects on issues relating to processing, including prior consultation, and to consult, where appropriate, on any other related matter;
- To determine the need for, make, and keep up to date, notifications to applicable Supervisory Authorities as a result of current or intended Personal Data processing activities;
- To establish and operate a system providing prompt, accurate and appropriate responses to Data Subject Requests;
- To inform senior managers, officers, and directors of the Group of any potential corporate, civil and criminal penalties which may be levied against us and/or our Employees for violation of Data Protection laws; and
- To establish procedures and contractual clauses for obtaining compliance with this Policy by any Third Party.
The management team of each Group company must ensure that all its Employees are aware of and comply with this Policy and its contents.
Furthermore, each Group company must ensure that all Data Processors engaged to process Personal Data on their behalf are aware of and comply with this Policy and its contents. Assurance of compliance must be obtained by means of appropriate contractual agreements from all Third Party Data Processors, (whether individuals or companies), prior to allowing them access to any Personal Data controlled by us.
The Group must ensure that all data protection requirements are considered and addressed when designing new services, products, systems or processes and/or when reviewing or expanding existing services, products, systems or processes.
A Data Protection Impact Assessment (DPIA) must be conducted in co-operation with the CRO for all new and/or revised services, products, systems or processes for which the Group is responsible. The results of the DPIA must then be submitted to the CRO for discussion with the Board of Directors for review and approval.
When required, the Information Technology department will co-operate with the CRO to assess the impact of any new technology uses on Data Protection and the security of Personal Data.
Copies of the results of the DPIA must be kept by the CRO to demonstrate compliance with the Data Protection by Default and by Design requirement.
One of the new and important requirements introduced by the GDPR is “Accountability”: the responsibility to demonstrate compliance with the Regulation. This means all employers must demonstrate, in an evidential manner, that all the requirements and principles are correctly addressed.
Group companies will keep appropriate records for each requirement of the GDPR to document adherence to the Data Protection Principles outlined in section 4.2.
Responsibilities for the retention of records are shared between the different departments responsible for the systems, process, products or services involved. The CRO oversees and provides guidance on how to address this requirement.
To verify that an adequate level of compliance with the GDPR is achieved and maintained groupwide, the Data Protection Officer will carry out periodic audits. The reporting period will be defined by the Data Protection Officer in agreement with the Board of Directors based on:
- the complexity of the Data Protection related processes;
- the results of the preceding audit activities;
- the occurrence of data breaches; and
- organisational changes that affect Group companies and their Data Protection related processes.

In any case, the auditing activity will take place at a minimum on an annual basis, or on an exceptional basis when required. Refer to the GDPR Monitoring Procedure for more information about the auditing process.
This Policy has been developed to comply with the Data Protection principles that, together with the Data Subject’s rights, are cornerstones of Data Protection regulation.
The Group adheres to the principles set out as follows in governing the Processing of Personal Data:
1. Lawfulness, Fairness and Transparency. Personal Data must be processed lawfully, fairly and in a transparent manner. According to this principle we will always tell Data Subjects what processing will be put in place (transparency). Processing must always match the description given to the Data Subject in our Notice (fairness) and it must always be for a purpose specified in the GDPR (lawfulness).
2. Purpose Limitation. Personal Data must be collected for explicit, specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In line with this principle, we will always describe to Data Subjects how their Personal Data will be used. Furthermore, Group companies will limit the processing of Data to what is strictly necessary to meet the specified purposes.
3. Data Minimisation. Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. According to this principle we will not collect and store any Personal Data beyond what is strictly required to meet the specified purposes.
4. Accuracy. Personal Data must be accurate and kept up to date. To comply with this principle the Group has established processes for identifying and addressing out-of-date, incorrect or redundant Personal Data.
5. Storage Limitation. Personal Data must be kept in a form that allows identification of Data Subjects for no longer than is necessary for the purposes for which they are processed. To comply with this principle, the Group has adopted technical and organisational measures to store Personal Data by means of pseudonymisation (wherever possible) or to dispose of them once the purposes for Processing are met (where no further legitimate conditions for data retention occur).
6. Integrity and Confidentiality. Personal Data must be processed in a way that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage. To comply with this principle the Group has established appropriate technical and organisational measures to maintain the integrity and confidentiality of Personal Data. These measures include, but are not limited to, encryption, restrictions to rights of access to Personal Data, appropriate instructions and training to Employees on how to Process Personal Data and physical security measures to access areas where paper based Personal Data are stored.
Appropriate collection of Personal Data is a key part of the Group’s Data Protection Framework. The Group has established the following rules for data collection:
Personal Data should be collected only from the Data Subject unless the business purpose necessitates collection from other persons or bodies.
If Personal Data are collected from someone other than the Data Subject, then the Data Subject must be informed of the collection. An exception to this requirement applies only if:
- the Data Subject has received the required information by other means; or
- the information must remain confidential due to a professional secrecy obligation; or
- a national law expressly provides for collection, processing or transfer of Personal Data.

Notification to the Data Subject should be sent promptly and in any case by the earliest of:
- one calendar month from the first collection or recording of Personal Data; or
- the time of first communication, if the Personal Data are used for communicating with the Data Subject; or
- the time of disclosure, if the Personal Data are disclosed to another recipient.

Each Group company must provide Data Subjects with an appropriate Notice containing information about the purpose of processing (see Annex 7.2). The Notice must be provided at the time the data is collected, or promptly after the data is collected from other persons or bodies. The Notice is a legal requirement that provides key information to the Data Subject regarding the collection and processing of the data, their rights and how they can contact us to exercise their rights or lodge a complaint. Detailed requirements on the contents of the Notice can be found in the Annex to this Policy.
The Notice must always be provided to the Data Subject even if the process does not require consent (e.g. where Processing is necessary for the performance of a contract or service). It is provided at the point of data collection and at any time there is a change in the purposes of the data processing. Notices must be retained for auditing in line with the accountability requirement.
The CRO is responsible for drafting and keeping up to date appropriate Notice and Consent templates to provide to Data Subjects.
Group companies are obliged to seek Consent from Data Subjects (when required – see Annex 7.3) for the collection and processing of Personal Data, prior to collecting, using or disclosing any Personal Data.
The CRO in consultation with the Board of Directors, shall establish a procedure for obtaining and documenting Data Subject Consent. Part of this procedure is the Consent Form, which provides the necessary information to the Data Subject to obtain valid, freely given Consent in clear and plain language, as required by the GDPR.
The procedure for Data Subject Consent ensures an audit trail of information flows as well as the validity and scope of Consent obtained and provides Data Subjects the ability to withdraw their Consent with ease at any time.
Every website attributable to a Group company must include an online Privacy Notice meeting the requirements of GDPR. The online Privacy Notice will be prepared by the CRO and approved by the Board of Directors.
The Group considers the perspectives and expectations of Data Subjects in the processing of their data and avoids any behaviour that would be contrary to their expectations or likely to raise any objection.
Group companies use Personal Data for the following purposes:
- The general running and administration of the Group companies (including the administration of employment contracts);
- To provide products/services to Clients; and
- The ongoing management of customer services.

Before starting any new or further processing of Personal Data, a Group company must verify whether additional Consent must be obtained from the Data Subject. Prior approval from the Data Protection Officer must be obtained before commencing any new collection or processing of Personal Data.
Where it is determined that the processing is incompatible with any previous Consent obtained, processing cannot take place unless further specific Consent can be obtained from the Data Subject in co-ordination with the CRO.
There are Special Categories of Data which require us to adopt additional protection measures. These include but are not limited to: race; ethnic origin; politics; religion; trade union membership; health; sex life; or sexual orientation.
Before collecting or processing any such data Employees must liaise with the CRO to establish a lawful basis for processing. Results of this verification must be recorded and kept as evidence of the additional protective measures having been applied.
Good quality data are essential to comply with the Accuracy principle of the GDPR. Group companies have adopted specific measures to ensure that Personal Data are complete and accurate at the point of collection and that they remain up to date, to accurately represent the Data Subject.
To achieve a high standard of data quality, Employees must be aware of the following requirements:
- Correction (including erasure and replacement) of Personal Data known to be incorrect, inaccurate, misleading or outdated, even if the Data Subject has not requested the rectification.
- Retention of Personal Data only for the period necessary to satisfy the purposes for which the data was collected, or according to applicable legal retention periods.
- Removal of any Personal Data if the collection or processing violates any of the Data Protection Principles (see section 5.2) or if the Personal Data is no longer required.
- Erasure of Personal Data. Where erasure is prohibited by law, or when it would impair the interests of the Data Subject, the data will instead be restricted.
- Restriction of Personal Data whose accuracy is disputed by the Data Subject and cannot be clearly determined.

Group companies expect all Employees to assist with implementing these measures and to notify the CRO if they become aware of any circumstances that may require action to be taken.
In accordance with the Fairness and the Storage limitation principles our policy is to retain Personal Data only for the time necessary given the purpose for which they were originally collected or for which they were further Processed.
The Data Retention Policy describes the retention periods for different types of data and for their appropriate disposal. Once the retention period has ended and it is confirmed there is no longer a need to keep the data, Personal Data must be deleted (if electronic) or destroyed (if printed).
The integrity and confidentiality of Personal Data are key principles of our Data Protection Framework. This includes measures for the prevention of loss or damage, unauthorised alteration, access or processing as well as other risks to which Personal Data may be exposed due to human action or to the environment (natural, physical or electronic).
The Personal Data security measures shall be detailed in full in the Group's Information Security Policy. Employees should be aware of the key data security responsibilities of the Group, to:
- prevent unauthorised persons gaining access to systems where Personal Data are stored or processed;
- prevent persons with access to a system containing Personal Data from accessing information beyond their needs, through authorisations (“restriction to right of access”);
- secure electronic transmission of Personal Data to ensure that during transmission they cannot be accessed, read, copied, modified or deleted without an appropriate authorisation;
- keep access logs in place in order to establish who entered the Personal Data in the system as well as who modified or removed them;
- protect Personal Data from accidental destruction or loss; and
- where processing is carried out by a Third Party, ensure it is done only in accordance with the instructions provided by the Group company.

Under the GDPR, Data Subjects can exercise rights over their Personal Data and can request from a Group company any of the following rights:
- Access
- Rectification
- Erasure
- Restriction of Processing
- Data Portability
- Objection
- Objection to automated decision-making and profiling

Full definitions of each of these Data Subject Rights and Requests can be found in Annex 7.4 of this Policy, along with details of what information these Rights and Requests cover.
Data Subjects can request to exercise these rights in any reasonable form of communication. For audit purposes we require records in written or email form. Where a Data Subject makes a request via telephone, in person or other means (such as company related pages on LinkedIn, Facebook, Instagram etc.), these should be referred to the CRO, who will contact the Data Subject in order to complete the appropriate form. Data Subjects must provide additional information upon request for the CRO to successfully verify their identity.
Any Employees who receive a request to exercise a right must immediately direct these requests to the CRO. A response to each request must legally be provided within 30 days from the receipt of the request from the Data Subject.
The CRO will log each request as soon as received and initiate the procedure for confirming the identity of the requestor as either the Data Subject entitled to exercise the rights or a person with a legitimate authorisation from the Data Subject. The CRO will handle the request as appropriate and will contact the requester directly to resolve the matter.
There is no administration fee chargeable to the Data Subject or authorised requestor for reasonable requests, in keeping with the principles of the GDPR.
Detailed guidelines for dealing with requests from Data Subjects can be found in the Group companies Data Subject Request Handling Procedure.
In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of the Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:
- The prevention or detection of crime.
- The apprehension or prosecution of offenders.
- The assessment or collection of an invoice, tax or duty.
- By the order of a court or by any rule of law.

If any Group company receives a request from a Court or any regulatory or law enforcement Authority for information relating to a Data Subject whose Personal Data is held by a Group company, you must immediately notify the CRO, who will provide guidance and assistance.
Group companies may need to transfer Personal Data to internal or Third Parties located in another country. Some countries are recognised as having an adequate level of legal protection and some are not (i.e., a Third Country). The Data Protection Officer should be consulted on any proposed data transfers where the Data Subject has not already provided express Consent to the transfer.
Group company Employees should only transfer Personal Data to, or allow access by, Third Parties when it has been approved by the CRO to ensure that the information will be processed legitimately and protected appropriately by the recipient.
Employees should be aware that Third Party processors have an obligation to report to us any breaches or incidents regarding Personal Data we have supplied to them. Any outsourcing services to a Third Party (including Cloud Computing services), will require the CRO to identify whether processing will entail any Third Country transfers of Personal Data and include adequate provisions in the outsourcing agreement.
The CRO will conduct regular audits of processing of Personal Data performed by Third Parties including the technical and organisational measures they have in place. Any major deficiencies identified are reported to and monitored by the Group's Board of Directors.
Every Data Subject with a complaint about the processing of their Personal Data should contact the CRO to explain the nature of the complaint. The CRO has a strict procedure for handling data related complaints and any complaints received should be forwarded to the CRO without delay.
If the complaint cannot be amicably resolved through consultation between the Data Subject and the Data Protection Officer and in any case if the Data Subject considers that the processing of their data by a Group company infringes the GDPR, then the Data Subject may lodge a complaint with a Supervisory Authority with potentially serious repercussions (see Section 6).
Any Employee who suspects that a Personal Data Breach has occurred must immediately notify the CRO with a description of the incident and when it occurred.
The CRO will start an investigation for each reported incident to confirm whether or not a Data Breach occurred.
This procedure is outlined in the Data Breach Management Policy and will be managed according to the severity of the incident and of the quantity of Personal Data involved.
Failure to comply with this Policy could seriously impact the reputation of the Group. If a Group company is found to be in breach of the GDPR, we can be subject to fines.
For Employees, violations of this Policy could result in severe civil and criminal penalties and/or disciplinary action that could lead to a termination of employment.
The CRO and the Group are the owners of this Policy and are responsible for its maintenance and accuracy. This Policy and all related documents, including any changes and updates, shall be accessible through the Green Tech web site.
This diagram illustrates the Data Protection Framework adopted by the Group:
- where the processing is based on consent, the existence of the right for the Data Subject to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the existence of some rights for the Data Subjects: the right to access, to rectification, to erasure, to restriction of processing, to object to processing and to data portability;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, with meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the Data Subject; and
- if the Personal Data is collected from persons or bodies other than the Data Subject, where the data originate and, if applicable, whether they came from publicly accessible sources.

Consent is one of the lawful bases for processing, and consent (or explicit consent) can also legitimise use of special category data, restricted processing, automated decision-making and overseas transfers of data. There are alternative lawful bases for processing which, depending on the circumstances, may be more appropriate. These include:
- Contract – necessary to fulfil contractual obligations or to enter into a contract;
- Legitimate interests – a flexible lawful basis for processing that can include commercial interests, individual interests or broader societal benefits. The Group company's interests must be balanced against the individual's. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override the Group company's legitimate interests;
- Legal obligation – necessary to comply with a common law or statutory obligation;
- Vital interests – necessary to protect someone’s vital interests, e.g. their life; and
- Public task – in the exercise of official authority, including public functions that are set out in law.

Consent is appropriate if it is possible to offer people real choice and control over how their data is used. If a genuine choice regarding the processing cannot be offered, then consent will not be appropriate. Public authorities, employers and other organisations in a position of power over individuals should avoid relying on Consent unless they are confident they can demonstrate it is freely given.
Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly. Consent must specifically cover the Controller’s name, the purposes of the processing and the types of processing activity. Explicit consent must be expressly confirmed in words, rather than by any other positive action. There is no expiry date for consent, but it will no longer apply if the context of processing changes. Consent should be reviewed and renewed when any new processing or change to processing is set to occur.
Under the GDPR, Data Subjects can exercise rights on their Personal Data and can request from the Group company any of the following:
- a right of access (to obtain confirmation as to whether Personal Data concerning him or her are being Processed, and access to any Personal Data stored or processed);
- a right to rectification (to obtain without undue delay the rectification of inaccurate Personal Data concerning him or her);
- a right to erasure, also called the right to be forgotten (to obtain the erasure of Personal Data concerning him or her without undue delay);
- a right to restriction of processing (to obtain a restriction of Processing with the consequence that, except for storage, data can be processed by the Group company only with the Data Subject’s Consent or for the establishment, exercise or defence of legal claims);
- a right to data portability (to receive the Personal Data concerning him or her in a structured, commonly used and machine-readable format and to transmit this data to another controller without hindrance from the Group company);
- a right to object (to object to the Processing of Personal Data concerning him or her under certain conditions); and
- a right to object to automated decision-making and profiling (the right of the Data Subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her).

Data Subjects are entitled to obtain, based upon a request made in writing and upon successful verification of their identity by the CRO, the following information about their own Personal Data:
- The purposes of the collection, processing, use and storage of their Personal Data;
- The source(s) of the Personal Data, if it was not obtained from the Data Subject;
- The categories of Personal Data stored for the Data Subject;
- The recipients or categories of recipients to whom the Personal Data has been or may be transmitted, along with the location of those recipients;
- The envisaged period of storage for the Personal Data, or the rationale for determining the storage period;
- The use of any automated decision-making, including Profiling; and
- The right of the Data Subject to:
  - object to processing of their Personal Data;
  - lodge a complaint with the Data Protection Authority;
  - request rectification or erasure of their Personal Data;
  - request restriction of processing of their Personal Data.