- General Principles for Processing Personal Data
- Transfer of Personal Data
- Rights of the Data Subject
- Procedural Rules
In support of our global business processes, it is essential that the necessary information and data are provided throughout the Platform group of companies. The company’s international operations require it to comply with the various legal requirements in different countries and regions. At the same time, adequate protection must be accorded our business partners and our employees. The transfer of personal data across national borders is only permissible if such data are properly protected or if the units of the company that process the data can give an adequate guarantee that the privacy of the individuals whose data are transmitted is being protected. This Corporate Directive on Data Protection and Personal Data Privacy, is designed to ensure that all Group companies meet this requirement.
For an innovative global company such as Platform, the acquisition and meaningful use of information is of immense importance to achieving corporate objectives in all areas of business. Contemporary communication channels such as the Internet, intranets and e-mail play an essential part in accessing and exchanging information. They allow Platform to prepare and implement corporate decisions faster and more effectively. However, improvements resulting from developments in information technology also entail greater risks, which have to be taken into account by ethical enterprises such as Platform. For instance, personal rights could be violated by the improper or incorrect use of information technology. In this regard, Platform strives to protect the personal rights of any individual whose personal data it processes – including its employees, customers, suppliers and other contractual partners, regardless of the means or methods of collection of such personal data. In this context, Platform has issued the following Corporate Directive that applies throughout, and is binding upon, the Platform Group and relates to data protection and personal data privacy.
This Corporate Directive has the objective of defining security standards for processing, storing, and transferring personal data within the Platform Group in order to ensure adequate protection of personal rights of the affected data subjects. Complying with the Corporate Directive is a requirement for the free exchange of personal data within the Platform Group.
This Corporate Directive governs all data privacy issues. It applies to the processing of the personal data of any individual whose personal data are processed within the Platform Group, including employees, customers, suppliers, and other contractual partners, regardless of the origin of the data. The data protection and data security standards of this Corporate Directive are binding upon all Platform Group entities. Existing legal obligations – both national and international – shall prevail over this Corporate Directive in countries where the collection or processing of personal data occurs. Every recipient of data must therefore check whether those regulations apply in his/her field of responsibility and ensure compliance. However, where data privacy requirements under national or international law are less strict than under this Directive, this Directive shall prevail.
In certain countries, the data protection authorities require notification from the data controller before any wholly or partially automated processing of personal data is performed. Each Platform Group entity is responsible for complying with any notification obligations in its respective country. The transfer of personal data to government authorities and agencies is only permissible in accordance with the respective applicable national laws. Whenever a corporate unit has reason to believe that applicable statutory regulations are preventing it from fulfilling its obligations under mandatory internal company regulations and are significantly detrimental to the guarantees provided for thereunder, it shall notify the Platform corporate legal department immediately unless prohibited from doing so by a law enforcement agency under national law.
4. General Principles for Processing Personal Data
4.1 Permissibility of Data Processing
The processing of personal data is permitted only if the data subject has consented thereto or if permissible under applicable law at the place of processing. The permissibility of processing personal data is a prerequisite for the transfer of personal data pursuant to Section 5. Consent shall be declared in writing or by other legally permissible means, whereby the data subject must be informed in advance about the purpose of such processing of personal data and the possible transfer of personal data to third parties. The declaration of consent must be clear to the data subject.
4.2 Intended Purpose
Personal data may only be collected for specified, explicit and legitimate purposes and may not be further processed contrary to such intended purpose. The purpose of the data transferred by another Platform company is to be considered by the recipient when further processing and storing this data. Changes of purpose are only permissible with the consent of the data subject or if permitted by national law in the respective country from which personal data are transferred.
4.3 Data Economy
The processing of personal data must be necessary for the intended purpose. Available possibilities for the anonymization or pseudonymization of personal data should be used at an early stage, as far as this is possible and the cost is appropriate to the intended protective purpose. This applies in particular with regard to the personal data of subjects and patients in clinical trials.
4.4 Data Quality
Personal data must be factually correct and, as far as necessary, up-to-date. Appropriate and reasonable measures should be undertaken to correct or delete incorrect or incomplete data.
4.5 Data Security
The data controller shall implement appropriate technical and organizational measures to ensure the necessary data security. These measures refer in particular to computers (servers and workstations), networks and communication links, and applications. The essential measures implemented within the Platform Group serve to avoid the unauthorized processing of personal data. In addition, appropriate measures need to be taken to protect such data against accidental deletion, unauthorized deletion or loss.
4.6 Confidentiality of Data Processing
Only authorized staff, who have undertaken to observe data secrecy requirements, are allowed to be involved in the processing of personal data. It is prohibited for them to use such data for their own private purposes or to make it accessible to any unauthorized entity. The use of personal data by employees who do not need access to such data to fulfill their employment duties is unauthorized. The confidentiality obligation survives termination of employment.
4.7 Special Categories of Personal Data
The collection and processing of sensitive data are allowed only if:
- The data subject has declared his/her consent; or
- The data subject has made public such data; or
- It is necessary for the protection of a vital interest of the data subject or a third party, and the data subject is not able for physical or legal reasons to declare his/her consent;
- It is necessary for the exercise, enforcement or defense of legal claims, and it cannot be expected that the justified interest of the data subject in not having the personal data collected or processed prevails; or
- It is necessary for the execution of normal business and the purpose of the business cannot be achieved otherwise or only with disproportionately high effort.
4.8 Contract Data Processing
If a Platform Group entity retains a contract data processor within the scope of a contract relating to the processing of personal data, the following shall apply:
- A contract data processor shall be selected who will guarantee the technical and organizational security measures required for processing personal data and provide sufficient guarantees with respect to the protection of personal rights and the exercise of rights related thereto.
- The processing of personal data by a contract data processor must be regulated in a written agreement in which the rights and duties of the principal and of the contract data processor are specified.
- The contract data processor is contractually obligated to process personal data only within the scope of the contract and the directions issued by the principal. Personal data may not be processed for any other purpose.
4.9 Automated Decisions Affecting Data Subjects
Certain countries provide in their legal provisions restrictions relating to automated decisions that affect data subjects. This applies to decisions which are the result of automated personal data processing having legal consequence for the data subject or a negative effect on him/her. In those exceptional cases in which such automated decisions are rendered by Platform Group entities, the data subjects will be notified about the occurrence of such an automated decision affecting them and shall be given the possibility of commenting on or questioning the decision. In such case the decision must be reviewed.
5. Transfer of Personal Data
A transfer of personal data within the European Economic Area (EEA) is generally permitted if processing of the data is also permitted according to Section 4.1. For transfer of personal data within the country in which the data have been collected, compliance with the existing legal requirements of the respective country must be ensured.
5.1 Transfer of Personal Data from the EEA to Third Countries
Based on Section 4.1 of this Corporate Directive, the transfer of personal data from an EEA country to a third country is permitted only if:
- the data subject has given his/her consent; or
- the transfer of personal data is necessary for the performance of a contract between the data subject and the data controller or in order to take steps prior to entering into a contract initiated by the data subject; or
- the transfer of personal data is necessary to complete or to fulfill a contract which was made or is to be made by the data controller in the interest of the data subject; or
- the transfer of personal data is either required or prescribed by law for the protection of an important public interest or for the exercise, enforcement or defense of legal claims; or
- the transfer of personal data is necessary for the protection of a vital interest of the data subject; or
- the transfer of personal data is to a third country which the European Commission has deemed to have an adequate data protection standard; or
- the receiving party provides sufficient guarantees within the meaning of this Corporate Directive with respect to the protection of personal rights and the exercise of rights related thereto. This is the case for Platform Group entities to which this Corporate Directive applies.
If the recipient is not a Platform Group entity, it must be ensured that this Corporate Directive applies to the recipient accordingly. The Platform Group entity transferring personal data will take appropriate measures in case of violations by the recipient.
5.2 Transfer of Personal Data within a Third Country or to another Third Country
The further transfer of personal data which have been transferred from the EEA to a recipient within the third country or to another third country is only permitted, subject to Section 4.1, if such third country has an adequate data protection standard or if one of the circumstances described in Section 5.1 of this Corporate Directive applies.
5.3 Provision of Operational Address, Function and Communication Data
For the purpose of internal corporate communication it is permitted to provide operational address, function and communication data, including information on cost centers – for instance via intranet or central directories – within the Platform Group to the extent necessary for that purpose. The restricted purpose of the data must be borne in mind by all users.
6. Rights of the Data Subject
6.1 Information Right
Each data subject has the right to demand information about the type of personal data concerning him/her that is processed by a Platform Group entity. This information will be provided irrespective of the place where the personal data are processed. The data subject may address any such application for information to the local human resources department of the respective Platform Group entity (see also Section 7.3). The specialist departments must provide the necessary support.
6.2 Correction Claim
If the stored personal data are incorrect or incomplete, the data subject may require correction. Data subjects are responsible for providing only correct personal data to the respective Platform Group entity. In addition, data subjects shall inform the respective Platform Group entity of any relevant changes (e.g. changes of address or name).
6.3 Rejection of Request for Information or Correction
If the request for information or correction is rejected, the data subject will be informed about the reason for such rejection.
6.4 Deletion
If the data subject demonstrates that the purpose for which the personal data are processed is no longer permissible, necessary or reasonable under the circumstances, the respective personal data will be deleted, subject to legal provisions to the contrary.
6.5 Right to Object
Each data subject has the right to object if his/her personal data are used for advertising purposes or for the purpose of market or opinion research. If required by national law, the data subject shall be informed about the right to object (opt-out) and about the data controller. In this case, the personal data must be blocked for this purpose. It must also be noted that some countries require consent prior to the processing of personal data for the purposes mentioned above (opt-in). Furthermore, the data subject has a general right to object to the processing of his/her data. This objection must be heeded if an investigation shows that the need for protection of the subject’s interests in light of his/her special personal situation outweighs the interest that the responsible unit would have in processing his/her data. Such objection shall not, however, be heeded if processing of the subject’s data is mandatory under applicable law.
6.6 Questions and Complaints/Remedies
Regarding possible questions, complaints or remedies please refer to Section 7.3.
The Platform Group will adhere to the Safe Harbor Agreement concerning the transfer of personal data from the European Union to the United States of America, as well as from Switzerland to the United States of America. Accordingly, the Platform Group will follow the Safe Harbor Privacy Principles published by the U.S. Department of Commerce and the Swiss Federal Act on Data Protection with respect to all such data.
7. Procedural Rules
7.1 Implementation within the Platform Group
The Group companies, as data controllers, must ensure compliance with the principles embodied in this Corporate Directive. In this respect, the managerial employees of the Platform Group entities shall ensure that this Corporate Directive is implemented, which includes in particular providing information to the employees.
7.2 Questions and Complaints/Remedies
Data subjects may contact the Corporate legal department at any time with any questions and complaints regarding the processing of personal data. Such questions and complaints will be treated confidentially.
If a question or complaint raised by a data subject relates to an alleged violation of this Corporate Directive by a Platform Group entity located in a country other than the country in which the data subject resides, the data subject may contact the Platform Group entity which transferred the data. Should the alleged violation be confirmed, the Platform Group entities affected will cooperate with the respective parties (e.g. data protection agencies, other entities) in line with this Corporate Directive and remedy such alleged violation. If the issue raised by a data subject is not remedied, the data subject may file a complaint with the Corporate legal department. The Corporate legal department will inform the data subject about its decision and the respective remedies. The procedures described in this Corporate Directive apply in addition to any other legal remedies and procedures available to the data subject, including the right of the data subject to submit questions and complaints to the responsible data protection agency.
7.3 Obligation towards Data Protection Agencies
The party receiving personal data transferred from the EEA to a third country is obligated, upon request, to cooperate with the data protection agency of the country in which the transferring party is located and to respect its findings, provided that these have been rendered following due process of law with respect to the transferring and receiving parties. The transferring party in the EEA also has the right to review the processing of personal data by the receiving party.
7.4 Amendment of the Corporate Directive and Continued Application
Platform reserves the right to amend this Corporate Directive as necessary, for instance to comply with changes to statutes, regulations, requirements of data protection agencies or internal Platform procedures. Where required by law, Platform will submit any amended version for regulatory review. Should this Corporate Directive become invalid, irrespective of the reasons or causes for such invalidity, all Platform Group entities remain bound by this Corporate Directive with respect to personal data transferred prior to the date of such invalidity, unless the Corporate Directive has been replaced by a new regulation.
7.5 Publicity
The current version of this Corporate Directive shall be made available to all data subjects in a suitable manner, e.g. via the Intranet or Internet.
- Anonymization is the changing of personal data such that they can no longer be assigned to a certain or ascertainable individual.
- Consent is any freely given, informed declaration by the data subject that he/she accepts the processing of his/her personal data. Consent may be subject to particular requirements arising from respective national laws.
- Contract data processor is the individual or legal entity that processes personal data on behalf of a data controller.
- Data controller is the Platform Group entity that decides the purposes and means of processing personal data.
- Data protection/privacy is the sum of all actions taken to protect the personal rights of data subjects when handling their personal data.
- Data subjects are all individuals whose personal data are processed within the Platform Group, including current, future and former employees, customers, suppliers and other contractual partners.
- Personal data are any information relating to an identified or identifiable individual. An individual is identifiable if he/she can be directly or indirectly identified, e.g. by assigning a reference number.
- Processing of personal data is any automated or non-automated operation or set of operations performed in respect of personal data – such as collection, recording, storage, adaptation, alteration, selection, retrieval, use, transmission, blocking, deletion or erasure. This definition will also apply to the word “processed” when used in this context.
- Pseudonymization is the replacement of a data subject’s name and other identifying characteristics with a label for the purpose of preventing identification of the data subject by unauthorized parties or of greatly impeding such identification.
- Safe third country is a country which the EU Commission deems to have an adequate data privacy standard.
- Sensitive data are special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and sexual orientation.
- Third country is every country outside the European Economic Area (EEA).
- Transfer of personal data is the forwarding of personal data, its distribution or all other forms of transfer to third parties. This definition also applies analogously to the words “transferred” and “transferring” when used in this context.
- The Platform Group means Platform Specialty Products Corporation (“Platform”) and all companies in which Platform, directly or indirectly, holds more than 50 % of the shares or has comparable control rights.