MUNDO MEDIA LTD. AND AFFILIATES

GDPR-COMPLIANT DATA PROTECTION POLICY

 


1    Introduction

2    Who does this policy apply to?

3    Why is this policy important?

4    Which terms used in the data protection laws and this policy do you need to know?

5    How do I look after the Data Protection principles?

6    What security measures must I comply with?

7    Disclosure and sharing of personal information

8    What do I do if a personal data breach occurs?

9    Where can I transfer personal data?

10    When do I need to carry out Data Protection Impact Assessments ("DPIA")?

11    How do I handle data subject rights?

12    Monitoring and review

13    Staff awareness and training

14    Reporting concerns

 

1              Introduction

1.1          This policy has been established in light of the European Union ("EU") Regulation No. 2016/679 of 27 April 2016, known as the General Data Protection Regulation ("GDPR"), the mirroring legislation of the other countries (Norway, Iceland and Liechtenstein) which, together with the EU Member States, form the European Economic Area (the "EEA"), as well as the data protection laws of each relevant EEA country covering the particular areas that the GDPR allows to be regulated by national legislation (together with the GDPR itself, the "data protection laws").

1.2          This policy sets out how we, Mundo Media Ltd., and its existing and future affiliates including Mundo Media (Luxembourg) S.ar.l. in Luxembourg, carry out as controllers or processors personal data processing activities falling within the territorial scope of the GDPR, namely:

(a) all personal data processing activities of Mundo Media Ltd. and our affiliates established in the EEA; and

(b) personal data processing activities of our affiliates not established in the EEA which either (a) are inextricably linked to those of an EEA affiliate so as to be carried out in the context of the activities of such EEA affiliate or (b) meet the following two cumulative criteria: (i) the personal data being processed belongs to individuals located in the EU or the EEA and (ii) the processing relates to the offering of goods and services to these individuals or the monitoring of their behaviour in

1.3          At the time of establishment of this policy, Mundo Media Ltd. and its non-EEA affiliates including Mundo Media Ltd. are not carrying out data processing activities inextricably linked to those of Mundo Media (Luxembourg) S.ar.l. or another EEA affiliate of Mundo Media Ltd. so as to be carried out in the context of the activities of that EEA affiliate. Therefore the main personal data processing activities of Mundo Media Ltd. and its non-EEA affiliates including Mundo Media Ltd. falling within the territorial scope of the GDPR are those in relation to individuals located in the EU or EEA who are targeted by advertising or whose online behaviour is monitored, be it for the purpose of identifying the webpage or app which one visited before buying the advertised good or service or otherwise registering with the advertiser. Should Mundo Media Ltd. or other non-EEA affiliates including Mundo Media Ltd. sell services to advertisers who happen to be unincorporated businesses operated by individuals located in the EU or EEA, the processing of the personal data of these individuals would also fall within the scope of the GDPR.

1.4          This Data Protection policy is a principal document. It refers to other policies which contain more detail about certain aspects of the data protection laws. Where those are relevant to your role, you should read them and make sure you are familiar with them.

1.5          We need all of our employees to think about privacy in their roles every day to ensure that this policy is put into practice and to avoid being in breach of the data protection laws.

1.6          If you are unsure about anything in this policy, in general or on a case-by-case basis, contact our Legal Department.

2              Who does this policy apply to?

2.1          This policy (and all other linked policies relating to data protection) applies to all staff members. "Staff member" means all permanent and temporary employees of Mundo and its affiliates and any other individuals who are working for Mundo or its affiliates but are not directly employed (including officers, consultants, contractors, elected members, employees of associated organisations or volunteers, interns and agency workers).

2.2          When we refer to "you" in this policy, we mean each individual staff member. Use of the term "staff member" shall not be taken to imply that any particular individual has employment status with the company.

2.3          This policy does not form part of any employee's contract of employment and it may be amended at any time. We will notify you if changes are made to this policy.

2.4          If there is anything in this policy which you do not understand or you have questions about, please contact your manager or the Human Resources Department for assistance.

3              Why is this policy important?

3.1          A breach of the data protection laws can result in enforcement action by an EEA-country supervisory authority against us and in significant fines being imposed on us, up to €20,000,000, or 4% of worldwide turnover, whichever is higher. Further, some breaches of the data protection laws are a criminal offence in many EEA countries.

3.2          More importantly, a breach may cause serious harm or distress to individuals.

3.3          Consequently, any breach of this policy will be taken seriously and may result in disciplinary action to the greatest extent permitted by applicable law.

4              Which terms used in the data protection laws and this policy do you need to know?

4.1          This section gives definitions of the terms used in the data protection laws and which are used in this policy.

4.2          For the purpose of this policy:

Data controller

means a party who (either alone or jointly) determines the purposes for which and the manner in which any personal data is, or will be, processed.

For instance, Mundo Media (Luxembourg) S.ar.l. is a data controller when it processes personal data about its employees, its advertising clients who are natural persons (if any), individuals representing its advertising clients who are legal entities, its publishers and other suppliers who are individuals, as well as Internet/app users who view advertising made available by Mundo Media (Luxembourg) S.ar.l. including through publishers.

Mundo Media Ltd. is a data controller when it processes personal data about (i) Internet/app users in the EU or EEA who view advertising made available by Mundo Media Ltd. including through publishers and (ii) customers who are unincorporated businesses operated by individuals in the EU or EEA.

Data processor

means a supplier who processes personal data on behalf of a data controller (other than an employee of the data controller). For example, publishers are our processors when they help us collect information on the individuals reading (impressions and clicks) their websites/apps/emails containing a web beacon or verifying cookies we installed on their terminal when they downloaded advertising.

If we were to offer retargeting advertising to an online distributor, we would be acting as processor of that online distributor (itself being a data controller) when installing our cookies for this purpose. We would also be acting as processor if we were installing audience measuring cookies on the terminal of users of an online distributor for the use and on the instructions of that online distributor.

Data subject    

means an individual to whom the personal data relates.

In relation to processing activities of Mundo Media Ltd.[1], data subjects for the purposes of this policy are (i) individuals located in the EU or EEA who are targeted by advertising or whose online behaviour is monitored be it for the purpose of identifying the webpage or app which one visited before buying the advertised good or service or otherwise registering with the advertiser and (ii) its customers who are unincorporated businesses operated by individuals in the EU or EEA.

Personal data

means information from which a living individual can be identified. 

This includes factual information such as telephone numbers, names, addresses, e-mail addresses, photographs, CCTV footage, voice recordings. Personal data includes expressions of opinion and indications of intentions about individuals (and their own expressions of opinion/intentions), such as performance appraisals. It also includes location data, online identifiers (e.g. IP addresses) and genetic data.

Information which does not on its own identify an individual is still 'personal data' for the purposes of the data protection laws if it can be combined with other information that we hold or that we could obtain fairly easily. For example, if personal data has been "pseudonymised" but we also hold the key to 'de-pseudonymise' the information or could easily obtain that key, then the pseudonymised information will still be personal data for the purposes of the data protection laws.

Anonymous information, namely information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable, is however not personal data.

In relation to processing activities of Mundo Media Ltd.[2], personal data for the purposes of this policy is limited to (i) information from which individuals located in the EU or EEA who are targeted by advertising or whose online behaviour is monitored, can be identified and which is being processed in relation to the offering of goods or services to such individuals or the monitoring of their behaviour and (ii) information from which individuals located in the EU or EEA who are customers (unincorporated businesses) can be identified and which is being processed in relation to the offering of our services to them.

Processing

covers virtually anything you can do with personal data (whether processed in an electronic format or in a structured paper-based format), including:

       Obtaining, recording, retrieving, consulting or holding it;

       Organising, adapting or altering it;

       Disclosing, disseminating or otherwise making it available; and

       Aligning, blocking, erasing or destroying it.

In relation to processing activities of Mundo Media Ltd.[3], processing is limited to (i) processing of personal data of individuals located in the EU or EEA who are targeted by advertising or whose online behaviour is monitored in relation to the offering of goods or services to such individuals or the monitoring of their behaviour and (ii) processing of personal data of individuals located in the EU or EEA who are our customers (unincorporated businesses) in relation to the offering of our services to them.

Special categories of data or sensitive data

means personal data relating to:

       racial or ethnic origin;

       political opinions;

       religious beliefs or beliefs of a similar nature;

       trade union membership;

       physical or mental health or condition;

       sexual life;

       biometric data where processed to uniquely identify a person; or

       genetic data.

Supervisory authority

means an independent public authority which is established by an EU Member State pursuant to Article 51 of GDPR, including the Commission nationale pour la protection des données (CNPD) for Luxembourg.

 

5              How do I look after the Data Protection principles?

There are six principles that we must comply with. The table below gives a high level summary of the principles. The sections that follow describe how you apply those principles in practice.

DATA PROTECTION PRINCIPLES

1              Personal data must be processed fairly and lawfully and in a transparent manner in relation to individuals;

2              Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

3              Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data are processed;

4              Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay (having regard to the purposes for which they are processed);

5              Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures in order to safeguard the rights and freedoms of individuals;

6              Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction of or damage to that data, using appropriate technical or organisational measures.

 

5.1          How do I process personal data fairly and lawfully?

(a) To process personal data fairly, you need to make sure that you only process personal data if the data subject has been told certain information including:
(i) who the data controller is;
(ii) the purpose(s) for which the data is to be processed by the data controller; and
(iii) the persons or categories of persons to whom the data may be disclosed or transferred.
(b) This information is contained in 'privacy notices' which Mundo Media (Luxembourg) S.ar.l. and any other EEA affiliate of Mundo Media Ltd. would give to employees, job applicants, and any other individuals whose personal data it processes in different circumstances, and those which Mundo Media Ltd. or any other non-EEA affiliate would give to (i) individuals located in the EU or EEA who are targeted by advertising or whose online behaviour is monitored in relation to the offering of goods or services to such individuals or the monitoring of their behaviour and (ii) individuals located in the EU or EEA who are our customers (unincorporated businesses) in relation to the offering of our services to them. You must ensure that you are familiar with our privacy notices and only process personal data as described in those privacy notices. Our general privacy notices for advertising viewers and customers can be found on our website. Our general privacy notice for European staff members can be requested from our Legal Department.
(c) Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the data protection laws. This means that personal data must not be collected for certain purposes and then used for other purposes not disclosed. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before carrying out any new processing (except in certain circumstances where a legal exemption applies).
(d) To process personal data lawfully we must meet certain conditions that are set out in the data protection laws. Those conditions which are most relevant to us as an organisation are summarised in Tables A and B below. If the processing you are doing does not meet one of the conditions, please consult our Legal Department.

IMPORTANT

As a general rule (for personal data other than special categories of data and personal data relating to criminal convictions and offences or related security measures), when processing personal data, you must make sure that at least one of the conditions in Table A applies.

When processing special categories of data, you must make sure that one of the conditions in Table A applies and at least one of the conditions in Table B also applies. The conditions in Table B are exemptions and therefore fairly limited, so when processing special categories of data it is likely that we will need to get written consent from the data subject to the processing of their special categories of data.

Personal data relating to criminal convictions and offences or related security measures cannot be processed unless under the control of official authority or when the processing is authorised by the law of the relevant EEA country, which may be limited to the purposes of exercising its rights as a victim of an offence.

 

TABLE A (Key conditions for processing any personal data (one must apply))

Consent

Any freely given, specific, informed and unambiguous consent of the data subject.

Consent must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form.

Data subjects can withdraw their consent to the processing of their personal data at any time.

Contracts

Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract between the data subject and Mundo Media Ltd. or the relevant affiliate. This is the main basis under which Mundo Media (Luxembourg) S.ar.l. processes personal data about its employees as well as its unincorporated publishers and customers. This is the main basis under which Mundo Media Ltd. processes personal data about its unincorporated customers who are individuals in the EU or EEA.

Legal Obligations

Processing is carried out in order to comply with a legal obligation placed on Mundo Media Ltd. or the relevant affiliate as data controller. Certain processing by Mundo Media (Luxembourg) S.ar.l. of the personal data of its employees relies on this basis.

Vital Interests of Data Subject

Processing is carried out in order to protect the vital interests of a data subject or another person (e.g., where the data subject needs medical care).

Legitimate Interests

Processing is carried out in order to pursue Mundo Media Ltd.'s or the relevant affiliate's legitimate business interests (e.g., collecting personal data from representatives of incorporated customers of Mundo Media (Luxembourg) S.ar.l. or other EEA affiliates, direct marketing directed to end-users who are legal entities, creation of a data room for equity and debt investors).

This condition only applies if the processing does not adversely affect the interests or fundamental rights and freedoms of the individual concerned (e.g. combining data from different sources to gain an insight into individuals' lives and preferences). If there is a serious mismatch of competing interests between the business and the individual, the individual's interests will have priority over business interests.

There is debate as to whether the use of personal data of Internet/app users for advertising purposes could be based on legitimate interest. In any event, it could not form the basis for the display of advertising on a website which is directed to a specific identified or identifiable end-user in the EU or EEA (as opposed to the general public), since such display would require consent under the draft e-Privacy Regulation.

 

TABLE B (Key conditions for processing special categories of data (one or more must apply))

Explicit Consent

Processing is carried out with the explicit consent of the data subject, unless reliance on consent is prohibited by law.

Employment Obligations

Processing is carried out as part of AE or another EEA affiliate exercising its obligations under employment, social security or social protection law, or a collective agreement.

Vital Interests of Data Subject

Processing is carried out in order to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent (e.g., to give medical care).

Publicly Available Information

Processing is carried out where it relates to the personal data manifestly made public by the data subject.

Legal Rights

Processing is carried out for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.

Health and Social Care

Processing is carried out for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.

 

(e) Consent and explicit consent:

(i)            One of the possible legal bases set out in Table A is that the data subject has given their consent. Consent should only be used as a condition of 'last resort'. This is for various reasons:

(A)          data subjects can withdraw consent at any time and that would mean that we would have to stop processing their data which will complicate systems and may not be possible;
(B)          the GDPR requirements to verify that consent is valid (i.e. the data subject had a genuine choice about whether or not to allow us to use their data) and was freely given, specific and informed are hard to meet, so there is a risk that any consent could be invalid; and
(C)          it will be very difficult to get consent where there is an imbalance in position between us and the data subject.

(ii)           The requirement for 'explicit' consent where processing special categories of personal data must meet all the requirements for 'consent' but must be accompanied by a very clear statement which is selected or ticked by the data subject equivalent to, "I consent to processing of data relating to [ ] in order to [ ] ".

5.2          How do I ensure processing is adequate, relevant and not excessive?

(a) Personal data should only be collected because it is required for the specific purpose notified to the data subject. Any personal data which is not necessary for that purpose should not be collected.
(b) Please be cautious when inputting information about individuals into CRM systems/contacts databases. Do not include information that is not required, e.g. notes/observations about an individual, because this could go beyond the purpose for which the data was originally collected and is not necessary for the processing carried out by us.
(c) As well as ensuring that any personal data which you process is necessary and relevant for the purpose for which you are processing it, you must at the same time ensure that you have adequate personal data for your purpose. In other words, you should obtain enough information about an individual to enable you to perform your purpose(s) but no more.

5.3          How do I keep personal data accurate and up to date?

(a) Personal data must be accurate and kept up to date. Information which is incorrect or inaccurate is misleading and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out of date personal data should be destroyed or erased from our systems.
(b) Although ultimately it is our responsibility to make sure personal data is up to date and accurate, we will often be reliant on data subjects themselves to tell us of changes to their personal data. From a practical perspective you should encourage data subjects to contact us if personal data we hold about them becomes out-of-date or if they are aware of any inaccurate data we hold about them (and we encourage data subjects to do this in our privacy notices).

5.4          How do I ensure personal data is not kept for longer than necessary?

(a) Personal data should not be kept longer than is necessary for the purpose for which it was obtained. This means that personal data should be destroyed or erased from our systems when it is no longer required.
(b) To ensure compliance with our legal obligations regarding data retention and destruction, the retention periods applicable to the types of information we collect and use throughout our business have been defined in Appendix 1 to this policy.
(c) All information should be securely destroyed once the relevant retention period has lapsed, unless there are special factors that mean destruction should be delayed, e.g.:
(i) potential/ongoing litigation or complaints for which the documents in question may be relevant as evidence (note potential does not mean 'keep just in case', but where there is a real possibility/risk of a complaint and/or litigation);
(ii) ongoing matters/projects and the documents in question are still required;
(iii) contractual obligations to retain data for longer (if it is lawful to do so), e.g. because we are using it to perform services for a customer;
(iv) regulatory reasons for retaining it, such as for tax purposes; or
(v) if that personal information will be processed solely for archiving purposes in the public interest, or for scientific or historical research purposes or statistical purposes, provided appropriate technical and organisational measures are implemented in order to safeguard the rights and freedoms of the individual.
(d) Therefore, any decisions about how long to keep certain personal data will be a decision which we need to make on a case by case basis, keeping in mind any other relevant statutory retention requirements.
(e) Information must be securely destroyed or deleted, or anonymised, as appropriate at the end of the relevant retention period. Hard copy information must be confidentially shredded and disposed of. Electronic information must be securely deleted from our systems and from any third party systems where it may be stored (please ask IT for assistance if electronic information needs to be deleted; note that simply using the delete button does not completely erase it from the system).

5.5          How do I process data in accordance with data subjects' rights?

(a)           Data subjects are granted various rights by the data protection laws. They can request that we do various things with their data, which we will have to action promptly and no later than within a month (extendable by two further months where necessary and provided that the data subject is informed of the extension before the end of the first month). The key rights and what you need to do are set out below - and in a more detailed fashion under the heading "How do I handle data subject rights?" - but you should always consult with our Legal Department before taking any action:

(i)            The right to rectify personal data if it is inaccurate or incomplete. For example, if Mundo Media Ltd. is requested to change the address of an unincorporated customer who is an individual in the EU or EEA or (in case of Mundo Media (Luxembourg) S.ar.l. or another EEA affiliate) any unincorporated customer or supplier and any representative of an incorporated customer or supplier, you should make those changes immediately. If inaccurate personal data about a data subject has been passed on to a third party, it may also be necessary to correct the third party's data, depending on the nature of the data and whether the third party is still likely to be using it. If the personal data is of a more serious nature, keep a record of the change made and circumstances in which it was made and if you feel it is necessary, talk to your manager or our Legal Department about it.

(ii)           The right to erasure ('right to be forgotten'). Data subjects have a right to have their personal data erased so it can no longer be used in some circumstances, such as where the individual withdraws their consent (and there is no other condition for processing) or where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed. We have processes in place to identify other data controllers to whom we have disclosed personal data and to tell them that the data subject wants to have that personal data erased. There are some exemptions when we will not have to erase data, e.g. where it could be needed for us to defend our legal rights. As a general rule, any Internet/app user who withdraws his or her consent or objects to us using personal data has the right to request that we erase his or her data, whereupon we must ensure that our customers (to the extent we have provided personal data to them) erase it as well.

(iii)          The right to restriction of processing, for example while the accuracy of the personal data is being verified, or where the processing is unlawful but the data subject does not want erasure. We are permitted to store the personal data (e.g., for defence of legal claims) but not further process it.

(iv)          The right to data portability which allows data subjects to obtain and reuse their personal data for their own purposes across different services, if the data is being processed by automated means with the consent of the data subject or for the purposes of a contract with the data subject. We have to give data subjects their personal data in a machine-readable, interoperable format that the individual can move to another organisation or use themselves.

(v)           The right to object to processing where that processing is based on public interests or legitimate interests, including for direct marketing. We can only continue to process if our legitimate interests override the rights and freedoms of the data subject or the processing is needed to exercise or defend legal claims.

(vi)          The right to ask to see what personal data we hold about them and to confirm from us that their personal data is being processed. Please refer to the section "How do I handle data subject rights?" for further details.

(vii)         The right not to be subject to a decision when it is based on automated processing or profiling which produces a significant legal effect or similar on the data subject. We shall ensure that data subjects are able to obtain an explanation of the automated decision and challenge it, including requiring a human intervention.

(b)           Sometimes requests for personal data may be made over the telephone - in which case you should:

(i)            Check the caller's identity to make sure that information is only given to a person who is entitled to it.

(ii)           Ask the caller to put their request in writing if you are not sure about the caller's identity and where their identity cannot be checked.

(iii)          Refer to your manager or to our Legal Department for assistance in difficult situations. No-one should be bullied into disclosing personal data.

6              What security measures must I comply with?

6.1          Personal data must be kept secure from unauthorised access and from being accidentally lost, destroyed or damaged. We have IT security policies in order to keep personal data secure and protected.

6.2          Security procedures also include:

(a)           Entry controls. Any stranger seen in entry-controlled areas should be reported.

(b)           Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)

(c)           Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.

(d)           Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

6.3          General "Do's and Don'ts" are attached as Appendix 2 to this policy.

7              Disclosure and sharing of personal information

7.1          We may disclose personal data we hold to third parties such as:

(a)           our advertising customers, to whom we send log data evidencing that an Internet/app user who visited their website (and possibly made a purchase on their website or registered for a guide or newsletter on their website) visited the website or app of an affiliate of Mundo Media Ltd. or a publisher;

(b)           previous employers and other persons whom it is necessary to contact in order to take steps at the request of the relevant data subject prior to entering into a contract with that data subject;

(c)           persons to whom it is necessary to disclose personal data under the contract with the relevant data subject;

(d)           legal, judicial and other authorities and other persons to whom we have a legal obligation to disclose personal information, including in relation to Mundo Media (Luxembourg) S.ar.l.'s employees;

(e)           providers of business development and marketing support services, in order to provide event and marketing support (and e.g. other providers if we hold joint marketing events);

(f)            organisations that provide us with services, such as payroll administrators, pensions administrators, IT service providers, training providers, recruitment agencies, security vetting service providers, travel/visa companies, other professional advisers (including lawyers and accountants), occupational health professionals, banks or other contractors;

(g)           debt or equity investors envisaging investing, or who have invested, directly or indirectly, in any of our entities, businesses or assets.

Note that although publishers act as our processors when they collect personal data on our behalf about the users of their websites/apps and install cookies on those users' terminals, we do not provide them with personal data when we send them advertising content to display to these users.

7.2          Working with data processors: Whenever we work with data processors including first and foremost publishers, we must:

(a)           carry out checks to ensure that they understand their obligations and responsibilities when processing personal data for us and that they are capable of meeting the requirements of GDPR;
(b)           include a schedule to the contract with the data processor containing the clauses required by article 28 of the GDPR including obligations around sub-processors, security, responding to data subject requests and reporting breaches - please contact our Legal Department for assistance with data processor agreements and clauses;
(c)           carry out regular audits or inspections during the life of any agreement, or obtain copies of reports from the data processor which have been carried out by an independent assessor that verify the data processor's compliance with the contract;
(d)           consider whether information will be transferred outside of the EEA (see section below);
(e)           ensure that the processing meets one of the conditions and is covered by the relevant privacy notices and that the other data protection principles will be adhered to i.e. only relevant and minimum personal data is disclosed and processed.

8              What do I do if a personal data breach occurs?

You need to act really quickly! We have an obligation under the GDPR to report personal data breaches to the relevant European supervisory authority or authorities without undue delay and, where feasible, not later than 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. We may also have to report it to the relevant individuals if the personal data breach is likely to result in a high risk to their rights and freedoms.

8.1          For the purpose of this section, the following definitions apply:

Competent supervisory authority

means, in relation to:

(i) cross-border processing by Mundo Media (Luxembourg) S.ar.l. or another EU affiliate of Mundo Media Ltd.: the supervisory authority (as lead supervisory authority) of the EU country where this EU affiliate is established;

(ii) other processing (not cross-border processing) by Mundo Media (Luxembourg) S.ar.l. or another EU affiliate of Mundo Media Ltd.: the supervisory authority of each Member State where affected data subjects are located;

(iii) processing by Mundo Media Ltd., or any other non-EU affiliate of Mundo Media Ltd.: the supervisory authority of each Member State where affected data subjects are located.

Cross-border processing

means, as defined in article 4(23) of the GDPR, either (i) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor established in more than one Member State, or (ii) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor but which substantially affects, or is likely to substantially affect, data subjects in more than one Member State.

Data breach team    

means the team responsible for investigating personal data breaches. This team will include members of our Legal Department and our IT Department and will include others depending on the nature of the breach.

Personal data breach

means any act or omission that may compromise the security of personal data, e.g. accidental loss, damage, destruction, theft, corruption or unauthorised disclosure of or access to personal data.

 

8.2          What can cause a personal data breach? A personal data breach can happen for a number of reasons:

(a)           loss or theft of data or equipment on which data is stored, e.g. loss of a laptop or a paper file;
(b)           inappropriate access controls allowing unauthorised use;
(c)           equipment failure;
(d)           human error, e.g. sending an email to the wrong recipient;
(e)           hacking, phishing and other blagging attacks, where information is obtained by deceiving whoever holds it.

8.3          If you discover a breach:

If you know or suspect a personal data breach has occurred or may occur, you should take urgent action to notify the IT Department, who will:

(a)           log the incident and take any immediate steps that are available, e.g. remote wipe of a lost device;
(b)           notify our Legal Department and key individuals in the IT Department and raise a priority ticket as appropriate.

8.4          Managing and recording the breach

(a)           On being notified of a suspected personal data breach, our Legal Department will establish and assemble the data breach team.

(b)           The data breach team will take immediate steps to assess the information provided, establish whether a breach has, in fact, occurred and consider all possible consequences. The data breach team will then take appropriate action to:

(i)            contain the personal data breach and (so far as reasonably practicable) recover, rectify or delete the data that has been lost, damaged or disclosed

(ii)           mitigate any possible adverse effects

(iii)          decide whether a notification needs to be made to the Information Commissioner

(iv)          decide what steps are necessary to prevent recurrence of this incident

(c)           As part of this initial assessment, the data breach team will decide whether the personal data breach must be escalated or whether it can be investigated, addressed and resolved by the data breach team.

8.5          Containment and recovery

(a)           The data breach team will identify how the security breach occurred and take immediate steps to stop or minimise further loss, destruction or unauthorised disclosure of data, or implement plans to address incidents such as a cyber attack or loss of system availability.

(b)           The data breach team will identify ways to recover, correct or delete data. This may include contacting the police, e.g., where the breach involves stolen hardware or data.

(c)           Depending on the nature of the breach, the data breach team will notify our professional indemnity insurer and/or cyber insurer, as the insurer can provide access to data breach management experts.

8.6          Assess and record the breach

(a)           Having dealt with containment and recovery, the data breach team will assess the risks associated with the breach, including:

(i)            what type of data is involved?

(ii)           how sensitive is the data?

(iii)          who is affected by the breach, i.e. the categories and approximate number of data subjects involved

(iv)          the likely consequences of the breach on affected data subjects, e.g. what harm can come to those individuals, are there risks to rights and freedoms of the individual?

(v)           where data has been lost or stolen, are there any protections in place such as encryption and is this uncompromised? Do we have backups for any lost data?

(vi)          what has happened to the data, e.g. if data has been stolen, could it be used for harmful purposes?

(vii)         what could the data tell a third party about the data subject, e.g. the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people?

(viii)        what are the likely consequences of the personal data breach on the firm, e.g. loss of reputation, loss of business, liability for fines?

(ix)          are there wider consequences to consider, e.g., loss of public confidence in an important service we provide?

(b)           This information will be recorded in our data breach register, following the template in Appendix 3 to this policy.

8.7          Notifying other parties

(a)           Notifying data subjects - In determining whether to notify affected data subjects, the data breach team will have regard to guidance from the competent supervisory authority or authorities that have been notified. They will consider who should be notified, how, and what they should be told.

(b)           Notifying the police - If it subsequently transpires that the breach arose from a criminal act perpetrated against or by a representative of Mundo Media Ltd. or an affiliate, the data breach team will notify the police and/or relevant law enforcement authorities.

(c)           Notifying the competent supervisory authority(ies) - The data breach team will notify the competent supervisory authority(ies) within 72 hours when a personal data breach has occurred. If the data breach team is unsure whether or not to report, the presumption should be to report.

(d)           Notifying any Canadian authority - The data breach team will liaise with our Legal Department, who will consider whether the breach should be reported to any Canadian authority.

(e)           Notifying other parties - The data breach team will consider whether there are any legal or contractual requirements to notify any other parties, e.g. pursuant to an outsourcing contract or contractual arrangements with a client or business partner.

8.8          Preventing future breaches

Following a personal data breach, our Legal Department and the data breach team will:

(a)           establish what security measures were in place when the breach occurred;

(b)           assess whether technical or organisational measures could be implemented to prevent the breach happening again;

(c)           consider whether there is adequate staff awareness of security issues and look to fill any gaps through training or tailored advice;

(d)           update any risk register.

9              Where can I transfer personal data?

9.1          We must not transfer personal data to a country outside of the EEA (European Economic Area) unless either:

(a)           it is to perform a contract with the data subject;

(b)           the data subject has consented;

(c)           the country is on the European Commission's list of approved countries. Canada is on this list as long as the relevant entity is governed by PIPEDA legislation, which is the case for Mundo Media Ltd. You can find a maintained list of approved countries here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm;

(d)           the personal data is being sent to a US-based organisation which is compliant with 'Privacy Shield'. A list of companies which are signed up to the Privacy Shield can be found here https://www.privacyshield.gov/list; or

(e)           a contract has been put in place with the third party/third parties to which the personal data will be transferred, based on European Commission approved standard contracts for transfers of personal data outside of the EEA (known as "Model Contracts").

9.2          Note that a transfer of personal data outside of the EEA not only includes sending data to an entity in a non-EEA country (e.g., by email) but also includes allowing access to data from another country, even if the data itself remains within the EEA.

10           When do I need to carry out Data Protection Impact Assessments ("DPIA")?

10.1       The GDPR requires organisations to carry out Data Protection Impact Assessments (DPIA) where there is a "high risk to the rights and freedoms of individuals". What does that mean? Projects or processes that involve the following types of processing will require a DPIA as they are deemed to have a high risk:

(a)           systematic and extensive evaluation of personal aspects relating to individuals based on automated processing (including profiling) on which decisions are based that produce legal effects or similarly significant effects;

(b)           large scale processing of special categories of data or of personal data relating to criminal convictions and offences;

(c)           systematic monitoring of a publicly accessible area on a large scale.

10.2       If your project or process falls into one of the 3 descriptions above, you have to do a DPIA.

10.3       If it is not clear if your project or process falls into one of the 3 descriptions above, consider the following factors. If two factors or more are engaged, you must carry out a DPIA:

The table below lists each factor, its description and examples.

Factor: Evaluation or scoring
Description: Evaluation or scoring of individuals, including profiling and predicting aspects of individuals' performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.
Examples: a bank that screens its customers against a credit reference database; a biotechnology company offering genetic tests directly to consumers in order to assess and predict disease/health risks; a company building behavioural or marketing profiles based on usage of or navigation on its website.

Factor: Automated decision-making with legal or similarly significant effect
Description: Processing where the outcome is a decision about an individual that has a legal effect on them, or a similarly significant effect, including processing leading to the exclusion of or discrimination against individuals.
Examples: an e-recruitment website discounting CVs which do not meet a certain set of criteria; a bank refusing credit on the basis of an automated assessment of credit.

Factor: Systematic monitoring
Description: Processing used to observe, monitor or control individuals, including data collected through systematic monitoring of a publicly accessible area. Personal data may be collected in circumstances where individuals may not be aware of who is collecting their data and how it will be used. Additionally, it may be impossible for individuals to avoid being subject to such processing in public spaces.
Examples: CCTV systems.

Factor: Sensitive data
Description: Processing of special categories of personal data. Processing of other data also increases the possible risk to individuals, such as electronic communication data, location data or financial data (which might be used for payment fraud). It will be relevant here whether the individual has made the data publicly available themselves. Consider also information used by individuals for domestic, non-commercial purposes, such as cloud computing services for personal document management, life-logging services, email services, diaries and e-readers equipped with note-taking features. If this were used for non-domestic purposes, it could have a very intrusive effect.
Examples: a hospital keeping patients' medical records; a private investigator keeping offenders' details.

Factor: Large scale processing
Description: There is no absolute definition of large scale. Consider the following factors: (a) the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; (b) the volume of data and/or the range of different data items being processed; (c) the duration, or permanence, of the data processing activity; (d) the geographical extent of the processing activity.
Examples: -

Factor: Datasets that have been matched or combined
Description: Data originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that individuals would not expect.
Examples: a supermarket combining loyalty card information with medical records to promote medicinal/herbal remedies to shoppers.

Factor: Vulnerable data subjects
Description: There is a greater power imbalance between the individual and the controller, meaning the individual may be unable to consent to, or oppose, the processing of their data.
Examples: employees, who cannot oppose processing by their employer which is linked to workforce management; children, who may not be able to make a proper decision about the processing of their data; the mentally ill; asylum seekers; the elderly; medical patients; any case where an imbalance in the relationship between the position of the data subject and the controller can be identified.

Factor: Innovative use of data or new technologies
Description: The use of such technology can involve novel forms of data collection and usage, possibly with a high risk to individuals' rights and freedoms. The personal and social consequences of the deployment of a new technology may even be unknown.
Examples: combining use of fingerprint and face recognition for improved physical access control; Internet of Things applications.

Factor: International transfers outside of the EEA
Description: Not all international transfers will require a DPIA. You should take into consideration where data is being sent to or accessed from, the possibility of further transfers, or the likelihood of transfers based on the derogations for specific situations set out in the GDPR.
Examples: -

Factor: Preventing access to services
Description: When the processing itself prevents data subjects from exercising a right or using a service or a contract.
Examples: a bank screens its customers against a credit reference database in order to decide whether to offer them a loan.

Some more examples (these are taken from the Article 29 Working Party guidance):

For each example of processing, the possibly relevant criteria and whether a DPIA is required are given below.

Processing: A hospital processing its patients' genetic and health data (hospital information system).
Possible relevant criteria: sensitive data; vulnerable data subjects.
DPIA required? Yes.

Processing: The use of a camera system to monitor driving behaviour on highways. The controller envisages using an intelligent video analysis system to single out cars and automatically recognise licence plates.
Possible relevant criteria: systematic monitoring; innovative use or application of technological or organisational solutions.
DPIA required? Yes.

Processing: A company monitoring its employees' activities, including the monitoring of the employees' workstations, internet activity, etc.
Possible relevant criteria: systematic monitoring; vulnerable data subjects.
DPIA required? Yes.

Processing: The gathering of public social media profile data to be used by private companies generating profiles for contact directories.
Possible relevant criteria: evaluation or scoring; data processed on a large scale.
DPIA required? Yes.

Processing: An online magazine using a mailing list to send a generic daily digest to its subscribers.
Possible relevant criteria: none.
DPIA required? No.

Processing: An e-commerce website displaying adverts for vintage car parts, involving limited profiling based on past purchase behaviour on certain parts of its website.
Possible relevant criteria: evaluation or scoring, but not systematic or extensive.
DPIA required? Not necessarily.

10.4       Consequently, if we plan to install, or cause our publishers to install, cookies on the terminals of website/app users and then read these cookies when those users visit our website or the website or app of any of our publishers in order to profile the interests of the relevant user and present to him or her matching advertising, we should undertake a DPIA.

10.5       Where you have to do a DPIA, use the DPIA questionnaire and follow the process set out in the flow chart in Appendix 4.

11           How do I handle data subject rights?

11.1       What rights do data subjects have?

When the GDPR applies, any data subject has the rights set out below under the data protection laws. A data subject can be: an individual in the EEA who is displayed advertising by Mundo Media Ltd., or an unincorporated business to whom Mundo Media Ltd. is offering its advertising services; an individual located anywhere in the world who is displayed advertising by Mundo Media (Luxembourg) S.ar.l.; any employee or individual supplier (including a publisher) of Mundo Media (Luxembourg) S.ar.l.; any individual customer of Mundo Media (Luxembourg) S.ar.l.; and any individual representing a customer or supplier of Mundo Media (Luxembourg) S.ar.l.

This subsection describes the rights that individuals have, apart from the data subject access right, which is the most commonly exercised right. That right is described in more detail in the subsection headed "Data subject access requests in more detail".

The process for identifying and responding to all rights is the same and is described in the section headed "How do I identify and respond to a data subject rights request?".

Note that exemptions apply to many rights. They are described below. They are important and will need to be considered carefully for each individual request. We must tell individuals if we are applying an exemption and why we are therefore refusing their request. If you have any questions about applying the exemptions, contact our Legal Department.

(a)           The right to rectify personal data if it is inaccurate or incomplete

For example, if you are requested to change an address of a customer or supplier, etc. If we have shared inaccurate personal data about a data subject with a third party, we should tell the third party if they are still likely to be using it. If the personal data is of a more serious nature, keep a record of the change made and circumstances in which it was made and if you feel it is necessary, talk to your manager or our Legal Department about it.

(b)          The right to erasure ('right to be forgotten')

Data subjects have a right to have their personal data erased so it can no longer be used where:

(i)            the data subject believes that we no longer need to process it for the purposes set out in the privacy notice provided to the data subject;

(ii)           the data subject had given us consent to process it, but they withdrew that consent and there is no other legal ground upon which we can process it;

(iii)          the data subject has successfully objected to our processing it; or

(iv)          it has been processed unlawfully or has not been erased when it should have been.

If we have passed the data that needs to be erased to other controllers, we need to tell them that the data subject wants to have that personal data erased.

EXEMPTIONS: We can refuse to erase data where it is necessary for:

(i)            us to establish, exercise or defend our legal rights;

(ii)           us to comply with a law;

(iii)          reasons of public interest in the area of public health (such as protecting against serious cross-border health threats);

(iv)          archiving for scientific reasons or statistical purposes.

(c)           The right to restriction of processing

This means that we have to temporarily suspend processing whilst we respond to the data subject's challenge to one of the following points:

(i)            Where the data subject does not think that their personal data is accurate. We can start processing again once we have checked whether or not the personal data is accurate.

(ii)           Where the processing is unlawful, but the data subject does not want us to erase their data.

(iii)          Where we no longer need the personal data for the purposes of our processing, but the data subject needs the data to establish, exercise or defend their own legal claims.

(iv)          Where the data subject has objected to processing (see below). In this case we will start processing again once we have checked whether or not our legitimate interests override the data subject's interests.

If our processing is restricted in any of the circumstances described above, we need to tell the data subject in advance of lifting the restriction.

We can store the personal data during the restriction, but not do anything else with it.

(d)           The right to data portability

Where we process data in order to perform a contract with the data subject or with their consent, the data subject can ask us to give them their personal data in a machine-readable, interoperable format that the individual can move to another organisation or use themselves.

(e)           The right to object to processing

Where we are processing based on our legitimate interests, including for direct marketing, the data subject can object to this processing. We can only continue to process if our legitimate interests override the rights and freedoms of the data subject, or in order to establish, exercise or defend legal claims. You should contact the Legal Department to obtain the explanation of why our legitimate interests override the data subject's rights and freedoms. If someone objects to direct marketing, our legitimate interest will always be overridden by the data subject's rights and freedoms; for other objections, an assessment may be required.

(f)            The right not to be subject to a decision when it is based on automated processing or profiling which produces a significant legal effect or similar on the data subject

We don't make any automated decisions about data subjects that could have such impact so this right is not relevant.

(g)           The right to ask to see what personal data we hold about them (known as the data subject access request)

See section headed 'Data subject Access Requests - in more detail' below for further details.

11.2       How do I identify and respond to a data subject rights request?

(a)           Is the data rights request valid?

(i)            For a data subject access request to be valid, it must comply with the requirements set out in Table A below.

TABLE A: VALID REQUEST REQUIREMENTS

(a)           The request may be made in any way - in writing, which includes letters, faxes, emails and social media (e.g. through the company's Facebook/Twitter accounts), but also over the phone or in person. There are no particular words or phrases that data subjects have to use for a request to be valid. You should be alert to data subjects asking us to do anything with their data, to check whether they are in fact exercising one of their rights.

(b)           The request must be made to our legal entity which is the controller. The request should not, for example, be submitted to our third party processors who are only processing the requested personal data in their capacity as processors. We should always make sure that if we are using processors, they are contractually obliged to promptly pass any data subject access requests to us.

(c)           The request must be submitted by the data subject unless a third party has been properly authorised by the data subject to make the request on their behalf, e.g. a lawyer, legal representative, or someone with a power of attorney. If a third party makes a request on behalf of a data subject, you should ask to see a copy of the written appointment. There are some exceptions to this general requirement, for example where an individual does not have mental capacity to handle their own affairs or where the request relates to a minor. Such exceptions are very unlikely to be relevant to our organization and so are not dealt with in this policy. Please contact our Legal Department if you think an exception applies.

(d)           The data subject provides reasonable ID, such as a copy of their passport or driving licence. You need to be careful not to disclose data to someone who is not the data subject (or authorised on their behalf). We may waive the requirement for ID in circumstances where the data subject's identity is not in doubt, e.g. where the request is made in person or in the course of litigation.

(e)           The request must be sufficiently clear to enable us to comply with it. If it is not sufficiently clear, request clarification from the data subject as soon as possible. For data subject access requests in particular, it is helpful if the data subject can be specific in their request so that we are more likely to locate the data that they want, e.g. data processed between certain dates, in certain systems, or by particular teams. However, we cannot require data subjects to narrow their requests.

Note that there is no requirement to pay a fee for exercising any data subject rights.

If a data subject access request is not valid, you must write to the data subject as soon as possible requesting the necessary information or, if appropriate, explaining why we are unable to comply with the request.

(b)           How should I respond?

We must respond in writing to the data subject unless they have specifically requested that we respond in another way e.g. by telephone.

You should keep a copy of the response that is provided. If we do respond by telephone, you must record the date and time of your response and what you told the data subject.

(c)           How long do we have to respond?

Once a valid request has been received (including response to any clarification), the time limit starts to run. We must respond to a data subject rights request as soon as possible and in any case within thirty calendar days. 

If the request is particularly complex, or if we are trying to respond to a very large number of data subject rights requests at once, the time limit can be extended by an additional two months (as long as you notify the data subject within thirty days to explain why we need longer to respond).

11.3       Data subject access requests in more detail

(a)           What do I have to tell individuals?

The data subject access right entitles individuals to ask for:

(i)            A copy of their personal data. See 'What should I disclose?' for information on how to find this;

(ii)           Details of the purpose for which it is being, or is to be, processed;

(iii)          Details of the recipients or classes of recipients to whom it is disclosed (or might be disclosed). We also have to state whether the recipient is based in a country outside of the European Union and what protections are in place in relation to the transfer to that recipient;

(iv)          The period for which it is held (or the criteria we use to determine how long it is held);

(v)           Any information available about where we obtained it from; and

(vi)          Confirmation as to whether we carry out any automated decision-making (including profiling) and, where we do, information about the logic involved and the envisaged outcome or consequences of that decision or profiling.

(b)           What should I disclose?

Only the data subject's personal data should be disclosed i.e. not information about other people, not information which relates to our organization or other companies, not information within a document in which an individual is named or referred to.

You should follow this process to collate the personal data that has been requested:

(i)            Determine what key words to use to search our systems in order to identify the personal data that the data subject has requested. These key words will be driven by the data requested but will typically be variations on the data subject's name (including common mis-spellings and abbreviations), post code or address, job role.

(ii)           Search our systems. You will need to work out which systems are relevant to the data subject's requests. This could include certain people's inboxes, CCTV footage, recorded phone calls, texts and archived files. You should contact our IT Department to work out what systems to search and how they can be searched.

(iii)          Identify and assess whether or not information is personal data about the data subject. The search of the systems will return a lot of information. Not all of it will be personal data. Remember that personal data is broad - you do not need a person's name to be able to identify them. Also remember that opinions about Person X will be Person X's data. See the definitions in this policy for a detailed description of personal data.

(iv)          Extract personal data from wider documents. For example, if a data subject is referred to in an email chain, or meeting minutes, we only need to disclose the parts that are personal data. This can be achieved either by redacting (i.e. blanking out) the information that is not relevant, or by extracting the personal data into a new document. It is important that you do not disclose whole documents/emails that contain lots of other information that is not personal data, as this information is confidential to us.

(v)           Consider whether any exemptions apply. See the exemptions paragraph 11.3(e) below for a list of the exemptions where data should not be disclosed;

(vi)          Remove personal data of others. Information about several people is usually contained in the same document (e.g. the sender and recipient of an email). The information relating to the other person should be redacted (blanked out) unless:

(A)          The other person has consented to the disclosure. (Bear in mind whether the data subject has already seen the document, as in that case you do not need the consent of the others referred to in it.) If consent is refused, the relevant information should be redacted; or
(B)          It is not possible to obtain the other person's consent, but it would be reasonable in the circumstances to disclose the other person's personal data, in which case you can disclose it.

When considering whether it would be reasonable to disclose, you should consider:

1)            whether or not the information is confidential;
2)            how sensitive the information is;
3)            how likely it is that the other person will suffer damage and/or distress if the information were to be disclosed;
4)            if the data subject already knows the identity of the other person.

(c)           Can I ask the data subject to be more specific about their request?

We are allowed to ask for clarifications if the request is not clear. However, a broad request for "all personal data that Mundo Media Ltd. and its affiliates hold about me" is not considered to be unclear. You can ask a data subject if there is specific information that they are looking for, as this will help us locate it, but data subjects are not required to narrow or limit or be more specific about their requests.

(d)           What if we do not hold the personal data that has been requested?

If we do not hold personal data about the data subject, or do not hold the personal data that was requested, you should notify the data subject of this as soon as possible.

We are entitled to routinely destroy/delete information in accordance with our policies and to ensure that we only hold personal data as long as is necessary. However, it would be a breach of the data protection laws to destroy data requested in a DSAR in order to avoid responding to the DSAR where that destruction is not in accordance with our retention policy and we must not do so.

(e)           Do we have to disclose the personal data requested?

In the vast majority of cases, yes. We cannot choose not to respond, or to provide only some of the personal data that has been requested, because the information shows us in an undesirable way or because it is embarrassing. The context in which the request is made is also irrelevant. We cannot refuse to respond because the data subject is using the DSAR in the lead up to potential litigation. If we fail to respond, or withhold data where this is not permitted, that is a breach of data protection laws and could result in an investigation by a supervisory authority and a fine.

There are, however, some exemptions under which certain pieces of personal data can be withheld. See the paragraphs below.

(i)            Unfounded or excessive requests (repetitive requests)

There is no requirement to comply with DSARs for the same or similar information where requests are unfounded or excessive, e.g. because they are repeated, unless the requests are made at reasonable intervals. There are no fixed timelines as to what would or would not be a reasonable interval. This will need to be decided on a case-by-case basis, considering factors such as the sensitivity of the information, how often records are updated, etc.

(ii)           Exemptions

Union or Member State law to which a data controller or processor is subject may restrict, by way of legislative measures, the scope of the right of access, including by introducing exemptions, which would be expected to include the following, subject to national variations:

We may withhold personal data if it falls into one of the following categories and it is confirmed that the relevant EEA country provides an exemption for it (but you need to tell data subjects that some of the information processed is subject to an exemption and to say which exemptions apply):

EXEMPTION: References
COMMENT: A reference given by us about an employee can be exempt from disclosure. Note, however, that a reference received by us will normally not be exempt unless it is clearly stated to be given in confidence.

EXEMPTION: Legal
COMMENT: Information subject to legal professional privilege or litigation privilege.

EXEMPTION: Crime
COMMENT: Where disclosing information would be likely to prejudice the detection and/or prevention of crime and/or the apprehension and prosecution of offenders. If disclosure of the information requested could lead to self-incrimination, i.e. it could be used as evidence of an offence having been committed by the entity to whom the request is made, the information will also be exempted.

EXEMPTION: Tax
COMMENT: Information that relates to the assessment or collection of any tax or duty or of any imposition of a similar nature.

EXEMPTION: Management information
COMMENT: Where disclosing information is likely to prejudice management forecasts and planning.

EXEMPTION: Negotiations
COMMENT: Where disclosing information is likely to prejudice negotiations with the data subject. This might apply, for example, where the information requested relates to a current salary review relating to the data subject or in the event of a legal claim by or against the data subject.

EXEMPTION: Public records
COMMENT: Where the information requested is available from public records (the exemption only applies if we are required to publish the information). For the sake of courtesy, however, you should refer individuals to the relevant public records.

EXEMPTION: Other
COMMENT: There are other exemptions which are less likely to apply to us, such as processing for research, historical and statistical purposes.

(f)            How do I need to provide the information?

The data protection laws do not specify the format in which the information should be provided, as long as it is in a concise, transparent, intelligible and easily accessible form and in writing.

Where possible, data should be provided electronically, especially where the request for data was made electronically.

Anything that is not intelligible, such as handwritten notes or codes, should be made legible (e.g. typed) or deciphered.

Where the data subject is disabled, you will need to consider the most appropriate format for disclosure, such as electronic, braille, audio, etc.

If a data subject wants more than one copy of their data, you can charge a reasonable fee based on administrative costs.

12           Monitoring and review

We will monitor the effectiveness of all our policies and procedures regularly, and conduct a full review and update as appropriate, at least annually.

13           Staff awareness and training

13.1       Key to the success of our systems is staff awareness and understanding.

13.2       We provide regular data protection training to staff:

(a)           at induction;

(b)           refresher training as appropriate;

(c)           when there is any change to the law, regulation or our policy;

(d)           where significant new threats are identified;

(e)           in the event of an incident affecting our or a similar organization.

14           Reporting concerns

Prevention is always better than cure. Data security concerns may arise at any time. We encourage you to report any concerns you have to our Legal Department. This helps us capture risks as they emerge, protect our firm from data security breaches, and keep our processes up-to-date and effective.

 

APPENDIX 1

RETENTION PERIODS

 

The table below lists, for each information type: a description, the retention period (subject to a decision to retain the records for longer, for as long as the limitation period has not elapsed and any dispute has not been finally settled) and the disposal action.

Information type: By default - all records/documents containing personal data and/or sensitive personal data that do not fall into any of the categories below
Description: All information that includes any data relating to a living individual. It includes names, addresses, opinions about individuals (and their opinions), and information about their behaviour or health etc. Even if you cannot identify an individual from the data, it will still be personal data if an individual could be identified when the data is put together with other information, e.g. IP addresses and other metadata could be personal data.
Retention period: No longer than necessary for the purpose for which it was obtained. This means that personal data should be destroyed or erased from our systems when it is no longer required.
Disposal action: Secure destruction

Information type: Contact details of existing, previous and potential customers, for direct marketing purposes
Description: Name, contact details, previous exchanges and orders.
Retention period: 3 years after the latest of the collection of the data, the last request for information made by the relevant person, or the date of expiry of the contract with the relevant person.
Disposal action: Secure destruction

Information type: Account details
Description: Minor records (pass books, paying-in slips, cheque counterfoils, cancelled/discharged cheques, accounts of petty cash expenditure, travel and subsistence accounts, minor vouchers, duplicate receipt books)
Retention period: 6 years + current financial year
Disposal action: Secure destruction (destroy under confidential conditions)

Information type: Contracts with suppliers/customers
Description: -
Retention period: 6 years after expiry
Disposal action: Secure destruction

Information type: Correspondence
Description: General correspondence (including emails) only.
Retention period: 1 year
Disposal action: Secure destruction

Information type: Diaries/notes
Description: Records including general notes/information used for day-to-day business activity.
Retention period: 1 year
Disposal action: Secure destruction

Information type: Internal Staff Directory
Description: Including contact information, work biographies and photographs of staff members.
Retention period: 12 months after the staff member's employment/service with the organization ends.
Disposal action: Secure destruction

Information type: HR data
Description: Applications for jobs - unsuccessful
Retention period: 2 years
Disposal action: Secure destruction

Information type: HR data
Description: Payrolls
Retention period: 12 years
Disposal action: Secure destruction

Information type: HR data
Description: Fraud case files/investigations
Retention period: 6 years
Disposal action: Secure destruction

Information type: HR data
Description: Staff personal records
Retention period: 7 years after employment ceases
Disposal action: Secure destruction

Information type: HR data
Description: Salary registers
Retention period: 5 years
Disposal action: Secure destruction

Information type: Consents for processing personal data
Description: This includes records documenting an individual's consent to The Company's processing of their sensitive personal data (such records will be created in circumstances where obtaining consent is necessary and the individual has given 'true' consent).
Retention period: As a minimum, for as long as the personal data to which the consent relates is processed. In some cases, we may need to retain a record of the consent given for longer, i.e. even if we no longer hold the personal data to which it relates, e.g. in case of a complaint. This decision will need to be made on a case-by-case basis, depending on the type of personal data involved.
Disposal action: Secure destruction

Information type: CCTV
Description: Video footage/images taken from CCTV cameras installed on The Company premises.
Retention period: 1 month from the date it is recorded.
Disposal action: Secure destruction

Information type: Access Card Records
Description: Information about staff members used to allow access to The Company premises, including: identification data, e.g. names and photographs; and
Retention period: Duration of the staff member's employment/service with us.
Disposal action: Secure destruction

Information type: Biometric records
Description: This includes information containing personal data relating to the physical, physiological and behavioural characteristics of living individuals that can be read by electronic systems to identify or authenticate an individual, such as: finger prints, facial images, eye movements, smiles and DNA; and handwriting/signatures, way of walking/moving, hand patterns/movements and way of thinking (e.g. responding to specific situations).
Retention period: Duration of the staff member's employment/service with us.
Disposal action: Secure destruction

Information type: Cookies
Description: Cookies
Retention period: 13 months maximum
Disposal action: Deletion (expiration date)

Information type: Website/app user visit
Description: Logged information collected from website/app users when they visit a webpage/app/email containing a web beacon or download advertising: Internet protocol address (which includes location information), browser type, browser language, date and time of download, unique identifier of the browser (through downloaded cookies) and previous pages/apps/emails visited.
Retention period: 18 months
Disposal action: Anonymization

Collective workforce agreements and past agreements that could affect present employees, and Works Council minutes, are to be kept permanently.

 

APPENDIX 2

What are my data security DOs and DON'Ts?

  • Always keep your password and user name secure and do not share them.
  • Always lock your PC while it is unattended.
  • Do not open email attachments from an unknown source.
  • Do not download programmes or games, or run any sent by email.
  • Do not download business data onto any laptop unless authorised by your manager.
  • Ensure that any personal data held on a laptop is encrypted.
  • When taking a laptop with you to another country for business, or accessing from another country on a regular basis, ensure that it only contains the customer information you need, and that you only access the information you need.
  • If your laptop is lost or stolen, contact your manager immediately.

If I am sending an email

  • Before sending an email, please think about what you are trying to achieve and decide on the best communication method to use. For example, a telephone call might be more effective.
  • Keep your message brief and relevant and do not send unnecessary copies of the message.
  • When writing your emails, always assume that they may have to be disclosed to a court or regulator, or the people mentioned in the email, because in some circumstances that could happen.
  • Always write your emails as if they are permanent, because even when they have been deleted from your system, depending on our retention policies they can often still be retrieved and may be disclosable to a court or regulator.
  • Your emails, even if marked private or confidential, might also be viewed by network supervisors or management when lawful to do so.
  • Uphold the privacy of others by observing the company's rules and guidelines.
  • Avoid asking for sensitive personal data unless necessary for a legal or business purpose, or passing on sensitive personal data about somebody else.
  • If it is necessary to ask for sensitive personal data for a business purpose, contact our Legal Department first.
  • Consider sending confidential information by secure email.
  • Do not make negative comments about any individual, including customers, employees or suppliers. If you feel that there is an issue which other people need to be aware of, then sending an email is not the appropriate way of doing this. Speak to your manager first about the next steps.
  • Please tidy your inbox, outbox and folders regularly. Do not store messages or attachments longer than necessary. Check out our Data Retention and Destruction Policy.

If I input personal data into the company's CRM database:

  • Please do not enter negative comments on any individual, including customers, employees or suppliers, onto the CRM database. If there is an issue which other people need to be aware of, for example, you were not satisfied with the performance of a supplier, state "Contact [YOUR NAME] before contacting this person".
  • Keep any business card given by a contact whose information you propose inputting into the CRM database.
  • If a person indicates that they do not want to receive marketing communications, tick the relevant box on the CRM database. Marketing communications include newsletters and other updates or publications, and invitations to events. You should also tick this box if a person does not wish to receive a specific type of marketing communication, for example, invitations to events. In any of these cases, ensure that the person's wishes are respected by notifying all internal contacts who need to know.
  • Before entering sensitive personal data about an individual on the CRM database, ensure that it is lawful to do so.
  • If a person provides information for the personal use of particular individuals within the organisation only (for example, a home address or telephone number), or for a specific purpose or duration (for example, for the duration of a deal), you should ensure that these use restrictions are entered on the CRM database.

If we are engaging a new IT system

  • We may be obliged to carry out a Data Protection Impact Assessment (DPIA) (see: "When do I need to carry out a DPIA?").
  • We are responsible for the security of the personal data and must ensure that we have appropriate technical and organisational security measures in place, both for ourselves and for any processors that we engage for doing any of our personal data processing.
  • If we engage a processor to do any of our personal data processing, we must enter into a written contract complying with article 28 of the GDPR, whereby the processor agrees to act only on our documented instructions, to comply with specified security measures, to assist with our handling of the exercise of rights by data subjects, to appoint no sub-processor without our consent (and if we give consent in advance, reserving our right to object to a specific sub-processor), amongst others.
  • If that processor will process personal data outside the EEA, then the supplier must enter into an appropriate contract with the company potentially addressing additional security measures.
  • Individuals (including customers, employees or suppliers) whose personal data is collected should be informed that their personal data will be processed and how and where it may be processed, for example, in countries whose laws do not protect personal data adequately. This may affect the design of systems which collect personal data directly from individuals. It may be necessary to make certain information available to the individuals at the point of collection. This may take up to ten lines of text, so please leave sufficient space on the relevant page(s).
  • The exact notice to be provided will need to be reviewed on a system-by-system basis. Pages from which personal data is to be collected should indicate which fields are mandatory (for example, by way of an asterisk) and which are optional. In some countries, the consequences of not providing the personal data requested will need to be specified.
  • Drop-down boxes need to be examined carefully to avoid unnecessary sensitive personal data being collected.
  • Free text boxes also need to be examined carefully to avoid unnecessary sensitive personal data being collected. Online guidance may be needed which may take up to ten lines of text, so please leave sufficient space on the relevant page(s).
  • If the system takes decisions which significantly affect individuals through automatic processing of their personal data without any human intervention (for example, pre-screening of job candidates), the individuals concerned may need to be informed accordingly, and also informed of their statutory rights. This may take up to several lines of text, so please leave sufficient space on the relevant page(s).
  • Arrange a demonstration of the system for the people of our Legal Department as soon as possible so that they can understand how it works.

APPENDIX 3

PERSONAL DATA BREACH CHECKLIST

Name of person notifying the actual or suspected breach:

Supervisor/Team Leader:

Date of actual or suspected breach:

Date of discovery of actual or suspected breach:

Date actual or suspected breach notified to [Legal Team]:

Summary of the facts:

What type of data is involved? (Check whether the breach involves personal data.)

Categories and approximate number of data subjects concerned:

Categories and approximate number of personal data records concerned:

Cause of the actual or suspected breach:

How sensitive is the data?
[i.e. does the breach involve special categories of personal data? Criminal offence data?]

Who is affected by the breach?
[State the categories and approximate number of data subjects involved.]

What is the likely consequence of the breach on affected data subjects?
[Insert, e.g. what harm can come to those individuals; are there risks to physical safety or reputation or financial loss?]

Where data has been lost or stolen, are there any protections in place, such as encryption?

What has happened to the data?
[Insert, e.g. if data has been stolen, could it be used for harmful purposes?]

What could the data tell a third party about the data subject?
[Insert, e.g. the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people.]

Are there any related or other data breaches?
Yes/No
[If yes, provide more details.]


APPENDIX 4

HOW DO I DO A DATA PROTECTION IMPACT ASSESSMENT?



[1] Subject to them not carrying out data processing activities that are inextricably linked to those of Mundo Media (Luxembourg) S.ar.l. or another EEA affiliate of Mundo Media Ltd. so as to be deemed carried out in the context of the activities of Mundo Media (Luxembourg) S.ar.l. or this other EEA affiliate of Mundo Media Ltd.

[2] Subject to them not carrying out data processing activities that are inextricably linked to those of Mundo Media (Luxembourg) S.ar.l. or another EEA affiliate of Mundo Media Ltd. so as to be deemed carried out in the context of the activities of Mundo Media (Luxembourg) S.ar.l. or this other EEA affiliate of Mundo Media Ltd.

[3] Subject to them not carrying out data processing activities that are inextricably linked to those of Mundo Media (Luxembourg) S.ar.l. or another EEA affiliate of Mundo Media Ltd. so as to be deemed carried out in the context of the activities of Mundo Media (Luxembourg) S.ar.l. or this other EEA affiliate of Mundo Media Ltd.