Corporate policy on data protection for employees of The Browery Holding GmbH, The Browery Cosmetics GmbH and The Browery Services GmbH.
Note: The following regulations must be observed by every employee of The Browery Group.
I. Meaning, Objective, Accessibility
- This Corporate Policy is the binding basis for the legally compliant and sustainable protection of personal data within the company.
- The purpose of this Corporate Policy is to safeguard and protect the fundamental rights and freedoms of data subjects, in particular their right to the protection of personal data.
- The Corporate Policy must be easily accessible to all employees and managers at all times.
II. Scope of Application
- This Corporate Policy applies to all companies of The Browery Group (The Browery Holding GmbH, The Browery Cosmetics GmbH and The Browery Services GmbH) (hereinafter “The Browery”). However, it shall only apply if the registered office or a branch of the company placing the order is in Germany.
- It applies personally to all employees and executives of the company.
- The requirements and prohibitions of this Corporate Policy apply to all handling of personal data, regardless of whether this is carried out electronically or in paper form. They also apply to all types of data subjects (customers, employees, suppliers, etc.).
- Personal data is any information relating to an identified or identifiable natural person (data subject). Both customer data and the personnel data of employees are considered personal data. For example, the name of a contact person can be used to draw conclusions about a natural person, as can his or her e-mail address. It is sufficient if the respective information is linked to the name of the person concerned or can be established independently of this from the context. A person can also be identifiable if the information must first be linked to additional knowledge, e.g. in the case of a car registration number. The origin of the information is irrelevant for a reference to a person. Photos, video or audio recordings can also constitute personal data.
- Special categories of personal data include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation of a natural person.
- Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Restriction of processing means the marking of stored personal data with the aim of limiting their future processing.
- Profiling means any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.
- ‘Pseudonymisation’ means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.
- Controller means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party.
- Third party means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.
- The data subject’s consent is any freely given specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to personal data relating to him or her being processed.
IV. Data Protection Organisation
- The Browery has appointed a data protection officer. You can reach him under the following contact details: Hubertus Staehle, Dr.-Lindner-Str. 4, 82031 Grünwald; email@example.com; +49 89 641 08 37.
- The data protection officer monitors compliance with the GDPR and other legal requirements, including the requirements of this and other company guidelines on data protection. The data protection officer advises and informs the company management regarding existing data protection obligations and is responsible for communicating with supervisory authorities. The data protection officer checks selected processes for data protection compliance on a random, risk-oriented basis and at appropriate intervals.
- The data protection officer shall perform his duties free of instructions and using his expertise. He reports directly to the management.
- The company or its employees shall support the data protection officer in the performance of his duties.
V. Handling of Personal Data
- The processing of personal data is generally prohibited, unless a legal norm explicitly permits the handling of data. Personal data may in principle be processed according to the GDPR:
– In the case of an existing contractual relationship with the data subject.
Example: The storage and use of necessary personal data in the context of a service or rental contract.
– In the course of pre-contractual measures at the request of the data subject and the processing of the contract with the data subject.
Example: Customer K requests information about product X and purchases it. The data required to send the information material and to process the legal transaction (delivery of the goods and payment of the purchase price) may be processed.
– If and insofar as the data subject has consented.
Example: The data subject registers to receive a newsletter.
– If there is a legal obligation to which the company is subject.
Example: Legal retention periods according to the German Commercial Code (HGB) and the German Fiscal Code (AO).
– If there are legitimate interests of the company, unless the interests or fundamental rights of the data subject prevail, especially if the data subject is a child. However, data processing invoking a legitimate interest should not be undertaken without prior consultation with the Data Protection Officer.
Example: The use of the postal address to send out advertising mail.
- Data subjects must not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
- Personal data shall be processed for a predetermined, explicit and legitimate purpose. Retaining data without a purpose (keeping data in stock without a specific need) is inadmissible.
- If possible, personal data should not be processed. Pseudonymous or anonymous data processing is preferable.
- The change of a purpose on which a data processing operation was originally based is only permissible – in addition to the declared consent of the data subject – if the purpose of the further processing is compatible with the original purpose. In particular, the reasonable expectations of the data subject with regard to such further processing vis-à-vis the company, the type of data used, the consequences for the data subject as well as possibilities of encryption or pseudonymisation must be taken into account.
- The data subject shall be comprehensively informed about the handling of his/her personal data when it is collected. The information shall include the purpose, the identity of the controller, the recipients of his or her personal data as well as any other information within the meaning of Art. 13 GDPR in order to ensure fair and transparent processing. The information shall be provided in a comprehensible and easily accessible form and in the simplest possible language.
- If personal data are not collected from the data subject but are obtained from another company, for example, the data subject must be informed subsequently and comprehensively about the handling of his or her data in accordance with Art. 14 of the GDPR. This also applies to changes in the purpose of data processing.
- Personal data must be factually correct and, if necessary, kept up to date. The scope of data processing should be necessary and relevant with regard to the specified purpose. The respective department must ensure implementation by establishing appropriate processes. Likewise, data files must be regularly checked for accuracy, necessity and up-to-datedness.
VI. Special Categories of Personal Data
Special categories of personal data may in principle only be collected, processed or used with the consent of the data subject or, in exceptional cases, on the basis of explicit legal permission. Furthermore, additional technical and organisational measures (e.g. encryption during transport, minimal assignment of rights) must be taken to protect special categories of personal data.
VII. Data Transfer
- The transmission of personal data to third parties is only permissible on the basis of legal permission or the consent of the data subject.
- If the recipient of personal data is located outside the European Union or the European Economic Area, special measures must be taken to protect the rights and interests of the data subjects. Data may not be transferred if the recipient does not have an adequate level of data protection or if this cannot be achieved, for example, by means of special contractual clauses.
VIII. External Service Providers
- If external service providers are to be given access to personal data, the Data Protection Officer must be informed in advance.
- Service providers with possible access to personal data must be carefully selected before the contract is awarded. The selection must be documented and should take into account the following aspects in particular:
– Technical suitability of the contractor for the specific data handling;
– Technical and organisational security measures;
– Experience of the provider in the market;
– Other aspects that indicate the reliability of the provider (data protection documentation, willingness to cooperate, response times, etc.).
- If a service provider is to collect, process or use personal data on behalf of a third party, a contract for commissioned processing must be concluded. Data protection and IT security aspects must be regulated in this contract.
- The service provider shall be regularly audited with regard to the technical and organisational measures contractually agreed with him. The result shall be documented.
IX. Data Minimisation, Privacy by Design / Privacy by Default
- The handling of personal data shall be oriented towards the goal of collecting, processing or using as little data as possible from a data subject (“data minimisation”). In particular, personal data shall be anonymised or pseudonymised as far as this is possible according to the purpose of use. For example, in the context of a statistical evaluation of data, it will not be necessary to know and use the full name of a data subject. Rather, this information can be replaced by a random value, which still allows the underlying records to be distinguished from one another.
- The same applies to the selection and design of data processing systems. Data protection shall be integrated into the specifications and architecture of data processing systems from the outset in order to facilitate compliance with the principles of privacy and data protection, in particular the principle of data minimisation.
X. Rights of Data Subjects
- Data subjects have the right to obtain information about the personal data stored by the company about them.
- When processing applications, the identity of the data subject must be established beyond doubt. If there is reasonable doubt about the identity, additional information may be requested from the applicant.
- The information shall be provided in writing, unless the data subject has submitted the request for information electronically. The information shall be accompanied by a copy of the data of the data subject which, in addition to the data available on the person, also includes the recipients of the data, the purpose of the storage as well as all other legally required information pursuant to Art. 15 GDPR in order to make the data subject aware of the processing and to allow him or her to assess its lawfulness. Upon special request of the data subject, the data will be provided in a structured, common and machine-readable format. The responsible IT department shall determine the standard to be provided for this purpose.
- Data subjects have the right to have their personal data corrected if it proves to be inaccurate. They may also request that incomplete personal data be completed.
- Data subjects have the right to have their personal data deleted under the following conditions:
– knowledge of the data is no longer necessary for the fulfilment of the purpose for which it was stored;
– the data subject has withdrawn consent and there is no other legal basis for the processing;
– their processing is unlawful;
– the data subject objects to processing for advertising purposes or invokes a right to object on the basis of a specific personal situation – which must be justified;
– it concerns special personal data whose accuracy cannot be proven; or
– there is another legal obligation to delete the data.
If there is an obligation to erase and if the personal data have previously been made public, other data controllers shall be informed of the data subject’s request to erase all copies of his or her data as well as all links to such data.
- The data subject may request the restriction of the processing of his or her data if
– the accuracy of the personal data is in dispute, but only for as long as the accuracy is being verified by the competent department; or
– the processing is unlawful, but the data subject objects to the deletion of the data; or
– the company no longer needs the personal data for the purposes of processing, but the data subject requires the data for the assertion, exercise or defence of legal claims; or
– the data subject has objected to the processing on the grounds of a specific situation and the competent department is still examining the objection.
- The data subject shall be informed within one month at the latest of any measures taken at his/her request.
- The data protection officer shall be available to advise on the protection of the rights of the data subject.
XI. Third Party Requests for Information about Data Subjects
Should a body request information about data subjects, such as customers or employees of this company, disclosure of information is only permitted if
– the requesting body can demonstrate a legitimate interest in obtaining the information, and
– a legal norm obliges the disclosure of the information, and
– the identity of the enquirer or the enquiring body is established beyond doubt.
XII. Register of Processing Activities
- The Browery shall keep a register of all data processing activities. Each department shall appoint a responsible person who shall document all necessary information on the procedures of the respective department in accordance with the legal requirements of Art. 30 GDPR. The data protection officer may be consulted for advice on the information required by law.
- The Browery shall make the register available to the supervisory authority upon request. The data protection officer is responsible for this in agreement with the company management.
- Advertising to data subjects by letter, telephone, fax or e-mail is only permissible if the data subject has previously consented to the use of his/her data for advertising purposes.
- Exceptions may only be made if the data subject has given his/her consent to the use of his/her data for advertising purposes.
Employees who have permanent or regular access to personal data, collect such data or develop systems for processing such data must be trained in an appropriate manner on the requirements of data protection law. The Data Protection Officer shall decide on the form and frequency of such training.
XV. Data Secrecy
- Employees are prohibited from collecting, processing or using personal data without authorisation. They shall be obliged to handle personal data confidentially before taking up their work. The commitment shall be obtained by the management using the form provided for this purpose.
- Employees with special confidentiality obligations (e.g. telecommunications secrecy in accordance with section 88 of the German Telecommunications Act) shall be additionally obliged to do so in writing by the management.
- Every data subject and therefore every employee of The Browery has the right to complain about the processing of his or her data if he or she feels that his or her rights have been violated. Likewise, employees can report violations of this company policy at any time.
- The responsible body for the above-mentioned complaints is the data protection officer Hubertus Staehle, Dr.-Lindner-Str. 4, 82031 Grünwald; firstname.lastname@example.org; +49 89 641 08 37, as an internal, independent body that is not bound by instructions.
- In order to ensure a high level of data protection, relevant processes are reviewed by means of regular audits by internal bodies or by external auditors. In the event that potential for improvement is identified, immediate remedial action shall be taken.
- The findings obtained during the audit shall be documented. The documentation shall be handed over to the data protection officer, the management and the persons responsible for the respective process.
- An audit shall be regarded as successfully completed when all measures documented in the report have been implemented. If necessary, follow-up audits are carried out in which recommendations from the initial audit are subjected to a review of their implementation.
XVIII. Internal investigations
- Measures to clarify the facts and to prevent or uncover criminal offences or serious breaches of duty in the employment relationship must be carried out in strict compliance with the relevant statutory data protection provisions. In particular, the associated collection and use of data must be necessary, appropriate and proportionate with regard to the interests of the data subject that are worthy of protection in order to achieve the purpose of the investigation.
- The data subject shall be informed as soon as possible of the measures carried out on him or her.
- In all forms of internal investigations, the data protection officer shall be involved in advance with regard to the selection and design of the measures.
XIX. Availability, Confidentiality and Integrity of Data
- Depending on the type, scope, circumstances and purposes of the processing as well as the probability of occurrence, a documented assessment of the need for protection and an analysis of the risks for the data subjects shall be carried out for each procedure.
- In order to ensure the availability, confidentiality and integrity of data, a general security concept shall be drawn up depending on the assessment of the need for protection and the risk analysis, which shall be binding for all procedures. In particular, the state of the art shall be taken into account, as well as means and measures for encryption and data protection. The security concept shall be regularly reviewed, assessed and evaluated with regard to the effectiveness of the technical and organisational measures provided for therein.
- Data processing systems shall be prevented from being used by unauthorised persons. Doors of unoccupied rooms shall be locked. Effective access control measures on equipment shall be in place and activated. System access shall be locked at all times in the absence of personnel.
- Passwords provide access to systems and the personal data stored in them. They represent a personal identifier of the user and are not transferable. Passwords must be kept secret at all times. Passwords must have a minimum length of ten characters and consist of a mix of character types. Passwords must not appear in a dictionary or be formed from easily guessable terms, especially terms related to the company.
- Access to personal data should only be granted to those persons who need to know the respective data in the course of their duties (“need-to-know principle”). Access authorisations must be precisely and completely defined and documented.
- Data transmissions through public networks must be encrypted if possible. Encryption shall be mandatory if the need to protect personal data so requires.
- Personal data collected for different purposes shall be processed separately. The separation of data shall be ensured by appropriate technical and organisational measures.
- Maintenance work on systems or telecommunications equipment by external service providers shall be supervised. Furthermore, it must be ensured that service providers do not have unauthorised access to personal data. Remote maintenance access shall only be granted on a case-by-case basis and shall follow the principle of minimum rights allocation. Remote maintenance activities shall be recorded or logged if possible.
XX. Data protection impact assessment
- Each specialised department is obliged to carry out data protection impact assessments for procedures under its responsibility if a high risk to the rights and freedoms of data subjects is to be expected as a result of the data processing. The data protection impact assessment shall contain all legally required descriptions of Art. 35 (7) GDPR.
- The data protection officer advises the departments on the implementation of the data protection impact assessment and on the question of when processing operations may pose a high risk to data subjects.
XXI. Data Breaches
- If company data has been unlawfully disclosed to third parties, the company’s internal Incident Response Team must be informed immediately. The Incident Response Team shall immediately involve the Data Protection Officer in the clarification of the facts.
- The notification shall include all relevant information for the clarification of the facts, in particular the recipient, the persons concerned as well as the type and scope of the transmitted data.
- The fulfilment of any duty to inform the supervisory authority shall be carried out exclusively by the data protection officer. Data subjects shall be informed by the management, with the Data Protection Officer being consulted in an advisory capacity.
See also our separate guideline on dealing with data breaches.
XXII. Consequences of Violations
A negligent or even wilful breach of this policy may result in action under employment law, including dismissal with or without notice. Criminal sanctions and civil consequences such as damages are also possible.
It must be possible to demonstrate compliance with the requirements of this policy at all times. In this context, particular attention must be paid to the traceability and transparency of measures taken, for example by means of related documentation.
XXIV. Updating of the Guideline; verifiability
- In the context of the further development of data protection law and technological or organisational changes, this policy shall be reviewed regularly to determine whether it needs to be adapted or supplemented.
- Amendments to this policy may be made without any formal requirements. Employees and officers shall be informed immediately and in an appropriate manner of the amended requirements.