Privacy Protection Policy & Information
Policy Brief & Purpose
Our Company Data Protection and Privacy Policy refers to our commitment to treat information of employees, customers, stakeholders and other
interested parties with the utmost care and confidentiality. With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
Scope
This policy refers to all parties (employees, job candidates, customers, suppliers etc.) who provide any amount of information to us. Employees of our
company and its subsidiaries must follow this policy. Contractors, consultants, partners, and any other external entity are also covered. Generally,
our policy refers to anyone we collaborate with or who acts on our behalf and may need occasional access to data.
Policy Elements
As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names,
addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data etc. Our company collects this information in a transparent way
and only with the full cooperation and knowledge of interested parties.
Once this information is available to us, the following rules apply:
Our data will be:
- Accurate and kept up-to-date
- Collected fairly and for lawful purposes only
- Processed by the company within its legal and moral boundaries
- Protected against any unauthorized or illegal access by internal or external parties
- Purged in accordance with the SLAs agreed with customers
Our data will not be:
- Communicated informally
- Stored for more than a specified amount of time
- Transferred to organizations, states or countries that do not have adequate data protection policies
- Distributed to any party other than the ones agreed upon by the data's owner.
In addition to the ways in which the data is handled, the company has direct obligations towards the people to whom the data belongs. Wherever applicable, we:
- Let people know which of their data is collected
- Inform people about how we'll process their data
- Inform people about who has access to their information
- Have provisions in cases of lost, corrupted, or compromised data
Data protection principles
The Organisation is committed to processing data in accordance with its responsibilities under the
DPA. DPA requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the DPA in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
General Provisions
- This policy applies to all personal data processed by the Organisation.
- The Responsible Person shall take responsibility for the Organisation’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
- The Organisation shall register with the Information Commissioner’s Office as an organisation that processes personal data.
To exercise data protection we're committed to:
- Restrict and monitor access to sensitive data
- Develop transparent data collection procedures
- Train employees in online privacy and security measures
- Build secure networks to protect online data from cyberattacks
- Establish clear procedures for reporting privacy breaches or data misuse
- Include contract clauses or communicate statements on how we handle data
- Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization, etc.)
Lawful, fair and transparent processing
- To ensure its processing of data is lawful, fair and transparent, the Organisation shall maintain a Register of Systems.
- The Register of Systems shall be reviewed at least annually.
- Individuals have the right to access their personal data and any such requests made to the Organisation shall be dealt with in a timely manner.
Lawful purposes
- All data processed by the Organisation is done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
- The Organisation shall note the appropriate lawful basis in the Register of Systems.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in-consent shall be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available
and systems should be in place to ensure such revocation is reflected accurately in the organisation’s systems.
Data minimisation
The organisation shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy
- The Organisation shall take reasonable steps to ensure personal data is accurate.
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
Archiving / Purge
- To ensure that personal data is kept for no longer than necessary, the organisation shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be retained, for how long, and why.
- The data purge policy shall consider the frequency of data purge and also whether it is conducted manually or automated.
Security
- The Organisation shall ensure that personal data is stored securely using modern software that is kept up to date.
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data, the Organisation shall promptly assess the risk and follow necessary protocol.
Data Privacy Principles
This Policy describes generally acceptable privacy principles (GAPP) for the protection and
appropriate use of personal information at Avon Global Solutions. These principles shall govern the use, collection,
disposal and transfer of personal information, except as specifically provided by this Policy or as required by applicable laws:
- Notice: Avon Global Solutions shall provide data subjects with notice about how it collects, uses, retains, and discloses personal information about them.
- Choice and Consent: Avon Global Solutions shall give data subjects the choices and obtain their consent regarding how it collects, uses, and discloses their personal information.
- Rights of the Data Subject: Avon Global Solutions shall provide individuals with the right to control their personal information, which includes the right to access, modify, erase, restrict, transmit, or object to certain uses of their information, and to withdraw consent previously given in response to the notice.
- Collection: Avon Global Solutions shall collect personal information from data subjects only for the purposes identified in the privacy notice / SoW / contract agreements and only to provide requested product or service.
Notice
Notice shall be made readily accessible and available to data subjects before or at the time of collection of personal information or otherwise,
notice shall be provided as soon as practical thereafter. Notice shall be displayed clearly and conspicuously and shall be provided through online
(e.g. by posting it on the intranet portal, website, sending mails, newsletters, etc.) and / or offline methods (e.g. through posts, couriers, etc.).
All the web sites (including Intranet portals), and any product or service that collects personal information internally, shall have a privacy notice.
In case of any cross-border transfer of personal information, the data subjects shall be informed by a notice sufficiently prior to the transfer. Privacy notices may include:
- The organization's operating jurisdictions; Third Parties involved; business segments and affiliates; lines of business; locations;
- Types of personal information collected; sources of information; who is collecting the personal information, including contact information;
- The purpose of collecting the personal information;
- Assurance that the personal information will be used only for the purpose identified in the notice and only if the implicit and / or explicit consent is provided unless a law or regulation specifically requires otherwise;
- Any choices the data subject has regarding the use or disclosure of the information; the process the data subject shall follow to exercise those choices;
- The process for a data subject to change contact preferences and ways in which the consent is obtained.
- Collection process and how the information is collected; how the information is used including any onward transfer to Third-Parties.
- Retention and disposal process for personal information; assurance that the personal information will be retained only as long as necessary to fulfil the stated purposes, or for a period specifically required by law or regulation, and will be disposed of securely or made anonymous once the identified purpose has been fulfilled.
- Process of accessing personal information; the costs associated for accessing personal information (if any); process to update / correct the personal information; the resolution of
disagreements related to personal information; how the information is protected from unauthorized access or use;
- How users will be notified of any changes made to privacy notice;
- Disclosure process for Third Parties; the assurance that the personal information is disclosed to Third Parties only for the purpose identified; the remedial actions in place for any misuse of personal information by the Third Parties;
- Security measures in place to protect the personal information; ways of maintaining quality of personal information;
- Monitoring and enforcement mechanisms in place; description of the complaint channels available to data subjects; how the internal personnel,
key stakeholders and the customers can contact the Company related to any privacy complaints or breaches; relevant contact information and / or other
reporting methods through which the complaints and/or breaches could be registered;
- Consequences of not providing the requested information.
Choice and consent
Choice refers to the options the data subjects are offered regarding the collection and use of their personal information.
Consent refers to their agreement to the collection and use, often expressed by the way in which they exercise a choice option.
- Avon Global shall establish systems for the collection and documentation of data subject consents to the collection, processing, and/or transfer of personal data.
- Data subjects shall be informed about the choices available to them with respect to the collection, use, and disclosure of personal information.
- Consent shall be obtained (in writing or electronically) from the data subjects before or at the time of collecting personal information or as soon as practical thereafter.
- The changes to a data subject’s preferences shall be managed and documented. Consent or withdrawal of consent shall be documented appropriately.
- The choices shall be implemented in a timely fashion and respected. If personal information is to be used for purposes not identified in the notice / SoW / contract agreements at the
time of collection, the new purpose shall be documented, the data subject shall be notified, and consent shall be obtained prior to such new use or purpose.
- The data subject shall be notified if the data collected is used for marketing purposes, advertisements, etc.
- Avon Global shall review the privacy policies of the Third Parties and types of consent of Third Parties before accepting personal information from Third-Party data sources.
Collection of Personal Information
- Personal information may be collected online or offline. Regardless of the collection method, the same privacy protection shall apply to all personal information.
  Personal information shall not be collected unless one of the following is fulfilled:
  - the data subject has provided a valid, informed and free consent;
  - processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  - processing is necessary for compliance with the organization's legal obligation;
  - processing is necessary in order to protect the vital interests of the data subject; or
  - processing is necessary for the performance of a task carried out in the public interest.
- Data subjects shall not be required to provide more personal information than is necessary for the provision of the product or service that the data subject has requested or authorized. If any data not needed for providing a service or product is requested, such fields shall be clearly labelled as optional. Collection of personal information shall be avoided or limited when reasonably possible.
- Personal information shall be de-identified when the purposes of data collection can be achieved without personally identifiable information, at reasonable cost.
- When using vendors to collect personal information on behalf of Avon Global, Avon Global shall ensure that the vendors comply with the privacy requirements of Avon Global as defined in this Policy.
- Avon Global shall at minimum, annually review and monitor the information collected, the consent obtained and the notice / SoW / contract agreement identifying the purpose.
- The project team / support function shall obtain approval from the IT Security team before adopting new methods for collecting personal information electronically.
- Avon Global shall review the privacy policies and collection methods of Third-Parties before accepting personal information from Third-Party data sources.
Use, Retention and Disposal
- Personal information may only be used for the purposes identified in the notice / SoW / contract agreements and only if the data subject has given consent;
- Personal information shall be retained for as long as necessary for business purposes identified in the notice / SoW / contract agreements at the time of collection or
subsequently authorized by the data subjects.
- When the use of personal information is no longer necessary for business purposes, a method shall be in place to ensure that the information is destroyed in a manner
sufficient to prevent unauthorized access to that information or is de-identified in a manner sufficient to make the data non-personally identifiable.
- Avon Global shall have a documented process to communicate changes in retention periods of personal information required by the business to the data subjects who are authorized to request those changes.
- Personal information shall be erased if its storage violates any of the data protection rules or if knowledge of the data is no longer required by Avon Global or for the benefit of the data subject. Additionally, Avon Global has the right to retain personal information for legal and regulatory purposes and as per applicable data privacy laws.
- Avon Global shall perform an internal audit on an annual basis to ensure that personal information collected is used, retained and disposed of in compliance with the organization’s data privacy policy.
Access
Avon Global shall establish a mechanism to enable and facilitate exercise of data subject’s rights of access, blockage, erasure, opposition, rectification,
and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of personal information.
- Data subjects shall be entitled to obtain the details about their own personal information upon a request made and set forth in writing.
Avon Global shall provide its response to a request within 72 hours of receipt of written request.
- The data subjects shall have the right to require Avon Global to correct or supplement erroneous, misleading, outdated, or incomplete personal information.
- Requests for access to or rectification of personal information shall be directed, at the data subject’s option, to the manager of the projects team or support function responsible for the personal information.
- The privacy coordinators shall record and document each access request as it is received and the corresponding action taken.
- Avon Global shall provide personal information to the data subjects in a plain simple format which is understandable (not in any code format).
Disclosure to Third Parties
Data Subject shall be informed in the privacy notice / SoW / contract agreement, if personal
information shall be disclosed to Third Parties / partner firms, and it shall be disclosed only for the purposes described in the privacy notice / SoW / contract agreements and for which the data subject has provided consent.
- Personal information of data subjects may be disclosed to the Third Parties / partner firms only for reasons consistent with the purposes
identified in the notice / SoW / contract agreements or other purposes authorized by law.
- Avon Global shall notify the data subjects prior to disclosing personal information to Third Parties / partner firms for purposes not previously identified in the notice / SoW / contract agreements.
- Avon Global shall communicate the privacy practices, procedures and the requirements for data privacy and protection to the Third Parties / partner firms.
- The Third Parties shall sign an NDA (Non-Disclosure Agreement) with Avon Global before any personal information is disclosed to the Third Parties / partner firms. The NDA shall include the terms on non-disclosure of customer information.
Security
Information security policy and procedures shall be documented and implemented to ensure reasonable security for personal information collected, stored, used, transferred and disposed of by Avon Global.
- Information asset labelling and handling guidelines shall include controls specific to the storage, retention and transfer of personal information.
- Management shall establish procedures that maintain the logical and physical security of personal information.
- Management shall establish procedures that ensure protection of personal information against accidental disclosure due to natural disasters and environmental hazards.
- Incident response protocols are established and maintained in order to deal with incidents concerning personal data or privacy practices.
- Individuals noticing or becoming aware of any breach of personal data shall notify the DPO within 2 hours. It shall be the DPO’s responsibility to analyse and act on that notification within 12 hours.
Quality
Avon Global shall maintain data integrity and quality, as appropriate for the intended purpose of personal data collection and use and ensure data is reliable, accurate, complete and current.
- For this purpose, the data privacy officer and privacy coordinators shall have systems and procedures in place to ensure that personal information
collected is accurate and complete for the business purposes for which it is to be used.
- Avon Global shall perform an annual assessment on the personal information collected to check for accuracy, completeness and relevance of the personal information.
Dispute Resolution and Recourse
Avon Global shall define and document an Incident and Breach Management policy which addresses the privacy related incidents and breaches.
- The incident and breach management program includes a clear escalation path up to the executive management, legal counsel, and the board based on the type and/or severity of the privacy incident/breach. It shall define a process to register all incidents, complaints and queries related to data privacy.
- Avon Global shall perform a periodic review of all the complaints related to data privacy to ensure that all the complaints are resolved in a timely
manner and resolutions are documented and communicated to the data subjects.
- An escalation process for unresolved complaints and disputes shall be designed and documented.
- Communication of privacy incident / breach reporting channels and the escalation matrix shall be provided to all the data subjects.
Dispute Resolution and Escalation Process for Employees
Employees with inquiries or complaints about the processing of their personal information shall first discuss the matter with their immediate supervisor.
If the employee does not wish to raise an inquiry or complaint with an immediate manager, or if the manager and employee are unable to reach a satisfactory
resolution of the issues raised, the employee shall bring the issue to the attention of the Grievance Officer.
Dispute Resolution and Escalation Process for Customers / Third Party Customers
Customers or third-party customers with inquiries or complaints about the processing of their personal information shall bring the matter to the attention of the Grievance Officer in writing.
Any disputes concerning the processing of the personal information of non-employees shall be resolved through arbitration.
Compliance Review
Privacy Review Team shall conduct an internal audit annually (at minimum) to ensure compliance with the established privacy policies and applicable laws.
- The internal audit shall consist of the review of the following:
  - personal information collected from data subjects;
  - the purposes of the data collection and processing;
  - the actual uses of the data;
  - disclosures made about the purposes of the collection and use of such data;
  - the existence and scope of any data subject consents to such activities;
  - any legal obligations regarding the collection and processing of such data; and
  - the scope, sufficiency, and implementation status of security measures.
- The Privacy Review team shall document all instances of non-compliance with privacy policies and procedures and report them to the Privacy Management committee.
- The Data Privacy Officer, along with the Privacy Coordinators, shall take action on the findings from the internal audit and work on the recommendations for improvement of the privacy posture.
- Any changes made to the policies shall be communicated to all the employees, the stakeholders and the customers / clients.