Personal information collected
Purpose of this Policy
This Data Privacy Policy outlines the organisation's commitment to ensuring the proper collection, processing, storage, and sharing of personal and sensitive data in compliance with relevant data protection laws and regulations, such as the General Data Protection Regulation (GDPR), Australian Privacy Act, and the Notifiable Data Breaches (NDB) scheme. The policy aims to provide a framework for managing data privacy risks and maintaining the trust of individuals whose data is processed by the organisation.
Scope
This Data Privacy Policy applies to all employees, contractors, consultants, and third-party vendors who handle personal and sensitive data on behalf of the organisation, regardless of their location. The policy covers all systems, networks, devices, and communication channels used for the collection, processing, storage, and sharing of personal and sensitive data, including physical and electronic records, databases, and cloud services.
The policy is applicable to all personal and sensitive data processed by the organisation, irrespective of the data subject's nationality or residency. This includes, but is not limited to, customer, employee, and supplier data, as well as any other data protected under relevant data protection laws and regulations, such as the General Data Protection Regulation (GDPR), Australian Privacy Act, and the Notifiable Data Breaches (NDB) scheme.
The Data Privacy Policy must be read and understood in conjunction with other related policies, procedures, and guidelines, as well as any relevant legal, regulatory, and contractual obligations.
Risk Framework
The organisation must establish and maintain a risk management framework to identify, assess, and mitigate data privacy risks. This includes conducting regular data privacy impact assessments and implementing appropriate safeguards to protect personal and sensitive data from unauthorised access, disclosure, alteration, or destruction.
Data Collection, Processing, and Storage
All personal and sensitive data collected, processed, and stored by the organisation must adhere to the following principles to ensure compliance with relevant data protection laws and regulations:
- Lawfulness: Data must be collected and processed in compliance with applicable legal and regulatory requirements. This includes obtaining proper consent from data subjects where required and ensuring that data processing activities have a legitimate legal basis.
- Fairness: Data processing must be conducted in a fair manner, without adversely affecting the rights and interests of the data subjects. The organisation must ensure that data subjects are not subject to unjust or discriminatory treatment as a result of data processing activities.
- Transparency: The organisation must clearly inform data subjects about the purpose and scope of data collection, processing, and storage activities. This includes providing accessible and easy-to-understand privacy notices, as well as ensuring that data subjects are aware of their rights and the ways to exercise them.
- Accuracy: The organisation must take all reasonable steps to ensure that personal and sensitive data is accurate, up-to-date, and complete. This includes implementing appropriate measures to rectify or delete inaccurate or outdated data without undue delay.
- Storage Limitation: Personal and sensitive data must only be stored for as long as necessary to fulfil the specific purposes for which it was collected, or as required by applicable laws and regulations. The organisation must establish and follow appropriate data retention policies and procedures to comply with storage limitation requirements.
- Integrity: The organisation must implement suitable security measures to protect personal and sensitive data from unauthorized access, disclosure, alteration, or destruction. This includes maintaining robust physical, technical, and administrative safeguards to ensure data integrity.
- Confidentiality: Personal and sensitive data must be treated as confidential and only accessed by authorized personnel on a need-to-know basis. The organisation must establish and enforce strict access controls, as well as provide training and awareness programs to educate employees and other relevant parties about their responsibilities in maintaining data confidentiality.
Data must only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The organisation must conduct regular assessments to ensure that data processing activities align with the original objectives and comply with applicable data protection laws and regulations.
Data Sharing and Disclosure
Personal and sensitive data may only be shared with third parties when necessary for the performance of a contract, compliance with legal obligations, or the pursuit of legitimate interests. Data sharing agreements must be in place to ensure that third parties adhere to the same data protection standards as the organisation.
Data Breach Notification and Communication
In the event of a data breach, the organisation must have a communication framework to promptly notify the relevant authorities and affected individuals. This includes:
Notifying the appropriate data protection authority within 72 hours of becoming aware of the breach, as required by the GDPR or within 30 days for the Australian Notifiable Breach Disclosure
Informing affected individuals without undue delay if there is a high risk to their rights and freedoms.
Designating an executive or management team responsible for managing the breach and coordinating the organisation's response.
Media and Third-Party Communications
Any discussions or communications with the media or other third parties regarding a data breach or data privacy matters must be authorised by the executive or management team. Employees must not share information about data breaches or data privacy incidents with the media or other external parties without proper authorisation.
Data Retention
The organisation must establish and maintain a Data Retention Process that outlines the retention periods for different types of personal and sensitive data. Data must be securely destroyed or anonymised when no longer needed for the purposes for which it was collected, in accordance with the Data Retention Process and applicable laws and regulations.
Roles and Responsibilities
All employees, contractors, and third-party vendors must adhere to this Data Privacy Policy and ensure that they handle personal and sensitive data in a manner that complies with relevant laws and regulations. The organisation must provide regular training and awareness programs to ensure that all personnel understand their data privacy responsibilities.
Related Policies
This Data Privacy Policy should be read in conjunction with other relevant policies, such as the Network Security Policy, Encryption Policy, Incident Response Policy, and Third-Party Vendor Security Policy.
Annual Assessment and Testing
The organisation must conduct an annual Data Privacy Impact Assessment (DPIA) to evaluate and manage privacy risks associated with the processing of personal and sensitive data. The DPIA should include a comprehensive review of the organisation's data privacy practices, potential risks, and the effectiveness of existing safeguards.
In addition to the DPIA, the organisation must also test its breach notification processes annually to ensure preparedness and compliance with the GDPR, Australian Privacy Act, and the Notifiable Data Breaches (NDB) scheme. The testing process should simulate a data breach scenario, allowing the organisation to evaluate its response capabilities and identify areas for improvement.
The annual assessment and testing should also consider the risks presented by the Australian NDB scheme, ensuring that the organisation complies with the scheme's requirements for notifying affected individuals and the Australian Information Commissioner in the event of an eligible data breach.
The results of the annual assessment and testing should be documented, and any identified gaps or areas for improvement should be addressed promptly to ensure the ongoing protection of personal and sensitive data and compliance with relevant data protection laws and regulations.
Compliance and Audit
Failure to comply with this Data Privacy Policy may result in disciplinary action, up to and including termination of employment or contract. The IT Department is responsible for monitoring compliance with this policy, conducting audits, and reporting any non-compliance to appropriate management personnel.
Policy Review
This Data Privacy should be reviewed at least annually, or whenever significant changes are made to the organisation's operations or new legislation is identified in regions that Mondiale VGL operations in. The IT Department is responsible for communicating any changes to stakeholders and Managed Service Providers (MSPs).
Failure to Comply
Compliance with this policy is a condition of employment or other engagement with Mondiale VGL. Breaches of this policy may constitute misconduct or serious misconduct and may also lead to disciplinary action, which can include termination.
About this version
This policy supersedes any previous or existing policies within the Mondiale VGL group. Certain countries may choose to employ stricter guidelines, which will take precedence over this policy, however no country may be more lenient than the guidelines set out here.
Questions on this Policy
Please contact your manager or Human Resources Manager if you need guidance or have any questions about this Policy.