OUR PRIVACY GOALS & GLOBAL PRIVACY POLICY
INTRODUCTION
The purpose of data privacy and protection is to safeguard and protect, in the context of personal data processing, the public freedoms and fundamental rights of natural persons, especially their reputation and personal privacy. Its objective is to regulate personal data processing, irrespective of the format in which the data is processed, the rights of data subjects and the obligations of data processors and controllers.
PURPOSE AND SCOPE
1.1 This policy defines the privacy control requirements of Colt that will enable its employees and those processing Colt personal data to effectively protect personal data and manage privacy risks to Colt's business services, functions, information systems, assets and people.
1.2 It is the responsibility of every Colt employee to understand these principles when fulfilling their daily activities.
1.3 The requirements defined in this document are mandatory and apply to all Colt employees.
DEFINITIONS
2.1 Personal data: means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In addition, there are "sensitive data" types, which refer not only to health but to ideology, religion, ethnic background, sex life and history of criminal or administrative convictions or offences. Due to sensitive data use restrictions and specificities, Colt has implemented a separate privacy policy to govern the processing of sensitive data, the Colt Sensitive Information Policy.
2.2 Employees: means Colt employees, Colt authorised contractors, supplier sub-contractors, partners, temporary workers and any individual employed directly by the supplier or who the supplier has tasked and involved in the provision of services to Colt.
2.3 Supplier: means an organisation or individual that enters into an agreement with Colt for the supply of a product or service. This includes all suppliers in the supply chain.
2.4 Colt Personal Data: means personal data relating to employees, customers and suppliers.
2.5 "Data Protection Legislation" means Regulation (EU) 2016/679 ("GDPR"), and any and all applicable data protection laws and regulations, as amended, revised or replaced from time to time.
COMPLIANCE
3.1 Compliance with this policy is mandatory for all Colt employees involved in processing Colt personal data.
3.2 The Data Protection Officer will monitor and report on the level of compliance that Colt employees achieve in respect of this policy and the requirements set out within this document.
3.3 Non-compliance with this policy will require explicit authorisation from the Colt Data Privacy Officer.
3.4 Prior approval should be obtained from the Data Privacy Officer before this document is provided to any third parties.
ROLES AND RESPONSIBILITIES
4.1 The Data Protection Officer is responsible for maintaining this document and ensuring it remains effective in reducing the level of privacy risk to Colt.
4.2 Colt employees are responsible for the day-to-day application of the policy and controls contained within this document. The Data Privacy Officer may require evidence to be provided from Colt employees in respect of how the requirements of this document have been applied.
TRAINING AND AWARENESS
5.1 All Colt employees must complete mandatory general privacy and information security training as well as specific training modules tailored to their role in their first 30 days of employment and annually throughout their employment. Employees who handle personal data must receive training before receiving access to Colt systems containing personal data. Supervisors are encouraged to request privacy training for themselves or for employees reporting to them if they feel it is appropriate.
5.2 In addition, the Data Protection team provides ongoing guidance and awareness materials, including newsletters, guidance documents, webinars and client-facing collaterals as appropriate.
5.3 The Data Protection team works with the Human Resources and Marketing departments to ensure that training and awareness materials are up to date, relevant and assigned or distributed appropriately. Failure to satisfactorily complete mandatory Privacy training may result in disciplinary action or loss of access to Colt IT infrastructure.
DATA PRIVACY ROLES AND RESPONSIBILITIES
6.1 Colt must define, document, and assign privacy risk management and governance roles.
6.2 Colt must educate and train Colt employees and those performing specific privacy risk management activities, so they can fulfil their duties effectively.
6.3 Colt has designated a single global DPO, engaged internally and located within the European Union. In addition, Colt has local Data Protection Officers as required by national privacy legislation and local representatives in each country who will report directly to the global DPO. The DPO's team can be reached via email at [email protected] or [email protected].
The details of the Group Data Protection Officer are as follows:
Alessandro Galtieri
Group Data Protection Officer
Colt Technology Services Group Limited
Colt House | 20 Great Eastern Street | London | EC2A 3EH | UK
6.4 In addition, the local DPOs are as follows:
6.4.1 Italy DPO: Alessandro Galtieri
6.4.2 Germany DPO: Sebastian Kraska
6.4.3 Netherlands DPO: Ellen Koopman
6.4.4 Spain DPO: Cristina Sirera
6.4.5 India Grievance Officer: Alessandro Galtieri
FUNDAMENTAL PRINCIPLES
Colt must safeguard the security and integrity of personal data for which it is responsible. This includes personal data which it processes directly (Colt as a data controller), through the provision of services by third parties (as data processors to Colt) or as a provider of services (Colt as a data processor) to a third party.
In all cases, whether Colt acts as a data controller or processor, the personal data must be processed in compliance with the required legal and contractual obligations and guarantees.
The applicable data protection regulation directly affects the operations of Colt, as personal data is processed in its day-to-day activity. When processing this data, certain principles and measures must be fulfilled. These principles are as follows:
LAWFULNESS, FAIRNESS AND TRANSPARENCY
Colt must process personal data in accordance with the following:
(a) Lawfulness: the processing of personal data must be justified on a lawful basis.
(b) Fairness: personal data must be processed fairly in ways that would be reasonably expected.
(c) Transparency: information must be provided about the processing in a clear, precise and unambiguous way.
PURPOSE LIMITATION
Colt must ensure that personal data is processed only for the specific, explicit and legitimate purposes for which it was gathered and not further processed in a way which is incompatible with the purpose for collection.
DATA MINIMISATION
Personal data collected must be adequate, relevant and limited to the purposes for which it is processed.
STORAGE LIMITATION
Colt must store personal data allowing identification of the individual for no longer than is necessary in accordance with the purpose of its collection and processing.
Colt stores personal data in accordance with the Colt Retention and Destruction Policy which can be found on the intranet.
ACCURACY
Colt must take reasonable steps to ensure that personal data is accurate, complete and, where necessary, kept up to date.
Where Colt discovers that personal data is inaccurate or out of date, all reasonable steps will be taken to correct or erase this data as soon as possible.
SECURITY
Colt must ensure that the personal data that is collected and processed is protected by implementing appropriate technical and organisational measures to prevent unauthorised or unlawful data processing, accidental loss, destruction or damage.
In particular, Colt must ensure that its employees who, in the performance of their duties, have access to personal data, undertake to treat such data as confidential and refrain from disclosing it to other parties, unless it is lawful to do so.
Where there is a suspected (or confirmed) breach of security which involves accidental, unauthorised or unlawful access to, or disclosure, alteration, loss or deletion of any personal data by any Colt employee or any third party, please contact CSIRT in line with the Personal Data Incident Response Process.
DATA PROTECTION BY DESIGN AND BY DEFAULT
Colt must apply measures to safeguard and demonstrate compliance with data protection legal requirements by designing and implementing data protection by design and by default:
(a) Privacy by design: When designing a product or service, Colt must take into account from the outset issues such as information requirements or obtainment of appropriate consent to process customer personal data.
(b) Privacy by default: By default, only the personal data necessary to achieve the legal objective pursued must be processed, whilst ensuring confidentiality of personal data.
7.8.2 The Privacy Impact Assessment (PIA) is a useful tool for ensuring that privacy is built in to all new processing activities and so Colt has developed guidelines and templates for:
(a) When to conduct a PIA (see PIA Justification for details);
(b) How to complete a PIA (see PIA Completing Guide and FAQs); and
(c) A template PIA document.
7.8.3 Colt has established that a PIA must be undertaken in the following circumstances:
(a) Systematic and thorough evaluation of personal aspects relating to individuals, based on automated data processing, including profiling, and on which decisions about those natural persons are based.
(b) Large-scale data processing of sensitive data or data related to criminal convictions and offences. In Colt, large scale data processing is defined as 100 or more data subjects.
(c) Systematic monitoring of a publicly accessible area.
(d) Processing of sensitive personal data.
(e) Personal data transferred, external to Colt, outside of the EEA (i.e. the EU, Iceland, Norway and Liechtenstein) or an adequate country.
(f) Impact to a person's privacy is significant or maximum. Please refer to the PIA guidance document for further examples of impact.
7.8.4 The Colt PIA methodology must be followed to assess and determine the privacy controls required for any business activity involving a privacy risk e.g. projects, procurement of goods and services.
7.8.5 Employees should refer to the above documentation when conducting a PIA or assessing if one is needed and should contact the Colt Data Protection team if required (on [email protected]).
ACCOUNTABILITY
Colt as a data controller is responsible for how it processes personal data and for complying with this policy.
All Employees are required to act in accordance with this policy and, where appropriate, ensure that it is enforced.
The Data Protection team is responsible for this policy and providing training on it; however, many Employees will be required to fulfil parts of this policy, most notably the Individual Rights principle. Where this is the case, Employees must follow the procedures laid out in the principle and Individual Rights Policy.
Colt must maintain records of the processing activities it undertakes; the information contained in this record will differ depending on whether Colt is processing the personal data as a data controller or a data processor.
INDIVIDUAL RIGHTS
Colt shall inform all individuals about how to exercise their rights and ensure that individuals are able to exercise their rights freely. Colt will respond as appropriate to requests to exercise any of the following individual rights:
(a) Right of access: Individuals have the right to access a copy of the personal data that has been collected about them (whether held by Colt itself or at its providers), and be provided with information about the processing.
(b) Right of rectification: Individuals have the right to rectify any inaccurate or incomplete personal data concerning them (whether held by Colt itself or at its providers), in order to guarantee their accuracy and the appropriate processing thereof.
(c) Right of erasure (right to be forgotten): Individuals have the right to the deletion of personal data concerning them.
(d) Right to object: Individuals have the right to object to the processing of personal data at any time.
(e) Right of restriction: Individuals have the right to restrict the processing of personal data concerning them. This means that the processing will be "paused" and the personal data will only be stored.
(f) Right of data portability: Individuals have the right to receive personal data concerning them and to have that data transmitted to another controller in a structured, commonly used, machine-readable format.
(g) Right to non-automated data processing: Individuals have the right not to be subject to a decision affecting them, where this decision is based on automated data processing of information, including profiles. This includes cases in which Colt uses cookies as a technical tool to evaluate customers and predict their behaviour, performance or preferences, comparing their profile with that of other users or similar customers.
7.10.2 Colt responds to these requests in accordance with the procedure provided by the Individual Rights Policy.