Talaria’s Global Data Protection Policy
1.0 Purpose
This data security policy (the “Policy”) defines the requirements to ensure compliance with laws and regulations applicable to TALARIA FLATS LLC’s (together with its subsidiaries’) (collectively, “TALARIA” or “Company”) collection, use, storage, maintenance and transmission of regulated and protected data throughout the world.
2.0 Glossary
2.1 CONSENT means any freely given specific and informed indication of his/her wishes by which the Data Subject signifies agreement to Personal Data relating to him/her being processed. The word “signifies” means that there must be some active communication between the parties. Thus, a mere non-response to a communication from TALARIA cannot constitute consent. Nevertheless, consent may be obtained by a number of methods. These may include clauses in employment contracts, check boxes on replies to application or purchase forms, and click boxes on online forms where Personal Data are entered, as long as an active act deed is required by the Data Subject (e.g. clicking a check box). If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The data subject shall have the right to withdraw his or her consent at any time. Prior to giving consent, the data subject shall be informed thereof.
In most European Union countries, consent to the processing of Sensitive Data needs to be clear and unequivocal. This generally means that some form of specific, active consent is required. For purposes of TALARIA’s compliance, and in the interest of a uniform Policy that will be acceptable in all countries outside the United States, TALARIA will follow the “opt-in” form of affirmative consent.
Consent is limited to the specific purposes disclosed to the individual. Further notification and consent is required for new processing activities that extend beyond the scope for which consent was originally obtained. In the context of new data aggregating activities for which consent had not previously been obtained, additional consent is required. Thus, if data that was collected under an original consent is later aggregated with other data for purposes of transferring the aggregated data to third parties and/or overseas, the original consent likely did not cover this latter activity, requiring additional consent specific to the new uses of the data.
In the case of Sensitive Data (as defined below), an express opt-in approach is required. The Data Subject’s consent must be communicated to TALARIA before any processing can take place, unless an exception applies (e.g., a situation in which the processing of data is mandated by employment law cases, even when it is impossible for the Data Subject to consent, and where the data to be processed is public information or information manifestly intended to be made public).
Any processing of Sensitive Data not needed for the proper business operations of TALARIA must be terminated.
2.2 DATA (whether or not having an initial capital letter) as used in this Policy means information which either: (i) is being processed by means of equipment operating automatically in response to instructions given for that purpose; (ii) is recorded with the intention that it should be processed by means of such equipment; (iii) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; and/or (iv) does not fall within any of the above, but forms part of a readily accessible record covering an individual.
Data therefore includes any digital Data by computer or automated equipment, and any manual information which is part of a relevant filing system.
2.3 DATA CONTROLLER means a person who (alone or with others) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed.
2.4 DATA PROCESSOR means any person, other than an employee of the Data Controller, who processes the data on behalf of the Data Controller.
2.5 DATA SUBJECT means an identified or identifiable natural person to whom the Personal Data relates. Data Subjects include customers and web users, individuals on contact/e-mailing lists or marketing databases, employees, contractors and suppliers.
2.6 OPT-IN means a system whereby Data Controllers obtain specific consent from the Data Subject before the Data Subject’s personal information is processed or otherwise used for a particular purpose.
2.7 PERSONAL DATA means any data related to a Data Subject who can be identified from those data or from those data and other information in the possession of, or likely to come into the possession of, a Data Controller or Data Processor.
2.8 PROCESSING covers a wide variety of operations relating to data, including obtaining, recording or holding the data or carrying out any operation or set of operations on the data, including: (i) Organization, adaptation, or alteration; (ii) Disclosure by transmission, dissemination, or otherwise; and (iii) Alignment, combination, blocking, erasure, or destruction.
2.9 RELEVANT FILING SYSTEM means any set of information relating to individuals, whether kept in manual or electronic files, structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
Therefore any digital database and/or organized manual files relating to identifiable living individuals fall within the scope of data protection laws and regulations, while a database of pure statistical or financial information (which cannot either directly or indirectly be related to any identifiable living individuals) will not.
2.10 SENSITIVE DATA means Personal Data containing information as to the Data Subject’s: (i) Race or ethnic origin; (ii) Religious beliefs or other beliefs of a similar nature; (iii) Political opinions; (iv) Physical or mental health or condition; (v) genetic data, biometric data for the purpose of uniquely identifying a natural person; (vi) Sexual history or orientation; (vii) Trade union membership; and (viii) Commission or alleged commission of any offense and any related court proceedings.
3.0 Scope
TALARIA is committed to complying with the applicable data privacy and security requirements in the countries in which it/they operate(s). Because of differences among these jurisdictions, the Company has adopted a data protection Policy which seeks to create a common core of values, policies and procedures intended to achieve nearly universal compliance, supplemented with alternative or additional policies or implementation procedures applicable in those jurisdictions that mandate unique requirements.
This Policy applies to all TALARIA full and part-time employees, agency employees, employees of TALARIA majority-owned subsidiaries, joint venture employees, and all suppliers and vendors who receive Personal Data from TALARIA, have access to Personal Data collected or processed by TALARIA, or who provide information to TALARIA, regardless of geographic location.
In addition to the foregoing, all of the provisions contained in this Policy are subject to those laws and regulations, from jurisdiction to jurisdiction, to which TALARIA is subject. In the event of a conflict between any of the provisions contained in this Policy and any such laws/regulations, the laws and regulations shall supersede and govern TALARIA’s obligations hereunder. In addition, from time to time TALARIA may supplement this Policy with additional riders (whether required by applicable law or due to process changes within TALARIA) that will be appended to Schedule 1 attached hereto to which TALARIA shall adhere.
Various business units within TALARIA as well as subsidiaries and affiliates of TALARIA shall be tasked with assisting and supporting TALARIA’s Privacy Team (see Section 4.0) in the development of specific protocol and guidance in connection with this Policy. Factors that will go into such process include determining what Personal Data the business unit is collecting, or intends to collect, the purposes of the data collection and processing, any additional permitted purposes, the actual uses of the data, what disclosures have been made about the purposes of the collection and use of such data, the existence and scope of any Data Subject consents to such activities, any legal obligations regarding the collection and processing of such data, and the scope, sufficiency, and implementation status of security measures.
It shall be the ongoing responsibility of the Chief Privacy Officer (“CPO”) to review each such TALARIA business unit’s protocol, procedures and practices and make recommendations thereto to improve compliance under this Policy and applicable law.
4.0 Requirements
4.1 Privacy Team. TALARIA’s privacy program will be overseen by individuals entrusted with establishing a Privacy Team.
4.1.1 In addition to the personnel appointed by TALARIA to oversee the operations of the Privacy Team, there shall be designated representatives who are employees of TALARIA in various offices, regions and/or subsidiaries that will serve as a communications channel between the Privacy Team and such offices / regions / subsidiaries of TALARIA in order to ensure alignment of the data security practices within and among the entire TALARIA organization. In addition to the CPO’s other tasks and responsibilities set forth elsewhere in this Policy, the CPO shall be tasked with:
4.1.1.1 establishing procedures and standard contractual provisions for obtaining compliance with this Policy by vendors, suppliers, and third parties who receive Personal Data from TALARIA, have access to Personal Data collected or processed by TALARIA, or who provide information to TALARIA, regardless of geographic location.
4.1.1.2 establishing mechanisms for periodic audits of compliance with this Policy, implementing procedures, and applicable law.
4.1.1.3 establishing, maintaining, and operating a system for prompt and appropriate responses to Data Subject requests to exercise their rights.
4.1.1.4 ensuring that TALARIA’s privacy program is kept current.
4.1.1.5 informing senior managers, officers, and directors of the Company of the potential corporate and personal civil and criminal penalties which may be assessed against the Company and/or its employees for violation of applicable data protection laws.
4.2 Data Protection Principles. The Company has adopted the following principles to govern its use, collection, and transmittal of Personal Data, except as specifically provided by this Policy to the contrary or as otherwise required by applicable laws:
4.2.1 Personal Data shall be processed fairly and lawfully and in a transparent manner.
4.2.2 Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.
4.2.3 Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or processed.
4.2.4 Personal Data shall be accurate, complete and current as appropriate to the purposes for which they are collected and/or processed.
4.2.5 Personal Data shall not be kept in a form which permits identification of the Data Subject for longer than necessary for the permitted purposes.
4.2.6 Personal Data shall not be collected or processed unless:
4.2.6.1 TALARIA has reason to presume that the Data Subject provided a valid and informed consent, See Section 4.3;
4.2.6.2 processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
4.2.6.3 processing is necessary for compliance with a TALARIA legal obligation;
4.2.6.4 processing is necessary in order to protect the vital interests of the Data Subject as may be required by applicable law and/or to consummate a works council agreement;
4.2.6.5 processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller or in a third party to whom the data are disclosed; or
4.2.6.6 processing is necessary for legitimate interests of TALARIA or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject.
4.2.7 Personal Data shall be collected and processed in accordance with the rights of the Data Subjects. See Section 4.8.
4.2.8 TALARIA shall have the ability to destroy and erase Personal Data when required to do so by applicable law and/or in accordance with the requirements of this Policy.
4.2.8 Appropriate physical, technical, and procedural measures shall be taken to: (i) prevent and/or to identify unauthorized or unlawful collection, processing, transmittal of Personal Data; and (ii) prevent accidental loss or destruction of, or damage to, Personal Data under TALARIA’s control.
4.3 Consents. The CPO, in cooperation with the business units within TALARIA, shall establish systems for the collection and documentation of Data Subject consents to the collection, processing, and/or transfer of Personal Data and, if applicable, Sensitive Data, in compliance with applicable laws. The systems shall be able to effectively process withdrawals of consent as well.
4.4 Transfers to Third Parties.
4.4.1 Personal Data shall not be transferred to another entity, country or territory, unless reasonable and appropriate steps have been taken to maintain the required level of data protection and TALARIA is otherwise in compliance with applicable laws governing such transfers.
4.4.2 Personal Data may be communicated to third persons only for reasons consistent with the purposes for which the data were originally collected or other purposes authorized by applicable law.
4.4.3 All Sensitive Data transferred outside of the Company or across public communications networks shall be de-identified or shall be protected against unauthorized access by use of encryption.
4.4.4 All transfers of Personal Data to third persons for further processing shall be subject to written agreements and in compliance with applicable laws. The CPO shall, develop standard terms and conditions along with protocol which can be used for this purpose. Accordingly, Personal Data may be transferred where any of the following apply:
(a) The Data Subject has given consent to the proposed transfer;
(b) The transfer is necessary for the performance of a contract between the Data Subject and the Company, or the implementation of pre-contractual measures taken in response to the Data Subject’s request;
(c) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Company and a Third Party;
(d) The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise, or defense of legal claims;
(e) The transfer is required by law;
(f) The transfer is necessary in order to protect the vital interests of the Data Subject; or
(g) The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest.
4.5 Management of New/Expanded Collection & Processing Activities.
4.5.1 No new or expanded collection or processing activities involving Personal and/or Sensitive Data may be undertaken without first consulting with the CPO.
4.5.2 The Company’s Information Technology Department, in cooperation with the CPO, shall establish a procedure for assessing the impact of any new technology uses on the privacy and security of Personal Data. The Information Technology Department shall include such an assessment for each such proposed new or expanded use of technology resources in its application design review process and shall provide such assessments to the CPO. For purposes of this Section, “Technology” shall be interpreted broadly, to include any means of collecting or processing Data, including, without limitations, computers and networks, telecommunications systems, video and audio recording devices, biometric devices, closed circuit television, etc.
4.5.3 Personnel at all levels of the Company will apply the following guidelines when designing new systems, uses or processes involving Personal Data and/or reviewing or expanding existing activities involving the collection or processing of Personal Data:
4.5.3.1 Collection and use of Personal Data will be avoided or limited when reasonably possible.
4.5.3.2 Personal Data will be de-identified when the purposes of data collection or processing can be achieved without maintaining personal identification, so long as the foregoing can be carried out at a reasonable cost.
4.5.3.3 The purpose(s) of the collecting or processing of Personal Data will be expressly identified by the business unit preparing any new or expanded data collection and processing activity or function.
4.5.3.4 Personal Data may only be used for the purposes for which they were originally collected, plus historical, statistical, scientific, or legally mandated purposes, unless the Data Subject has given consent or an exception set forth in Section 3.2.6 applies.
4.6 Disclosures at the Time of Data Collection.
4.6.1 TALARIA recognizes that any Personal Data with which it comes into contact must have been collected in accordance with applicable law, including that appropriate disclosures (including, without limitation, the reason for a Data Subject’s Personal Data to be collected and/or processed) were made at the time a Data Subject was asked to give consent to the collection or processing of his/her Personal Data.
4.6.2 Where TALARIA is collecting Personal Data directly from Data Subjects (e.g., employees, via the website, processing on behalf of customers, etc.), TALARIA must ensure that specific information is disclosed to the Data Subject and/or any other person from whom Personal Data are obtained prior to or at the time of collection. Accordingly, the CPO shall work with the various business units within TALARIA to establish technical or administrative means for documenting the fact that the necessary disclosures were made, that the Data Subject received such disclosures, and that his/her consent was given following such disclosures.
4.6.3 The foregoing disclosure requirements shall not apply where there is an exemption to the requirements for disclosure and/or consent.
4.6.4 In the case of employees of TALARIA who are asked to disclose Personal Data, the disclosures should preferably be made in the employment contract (if any). Appropriate disclosures should also be made in any job application form or employee handbook. The disclosures should be made in a manner calculated to draw attention to them.
4.6.5 If inadequate disclosures are made initially, additional disclosures may have to be made at a later time, and the fact, date, content, and method of these additional disclosures shall be recorded.
4.7 Sources of Personal Data. If Personal Data are collected from someone other than the actual Data Subject, TALARIA must have a reasonable basis upon which to presume that the Data Subject was informed of, and consented to, the collection and processing of his/her Personal Data or that the collection was otherwise in accordance with applicable law.
4.8 Data Subject Rights.
4.8.1 The CPO shall establish a system to enable and facilitate exercise of Data Subject rights of access, blockage, erasure, opposition, rectification, and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of Personal Data.
4.8.2 Data Subjects shall be entitled to obtain the following information about their own Personal Data upon a request made in compliance with reasonable policies and procedures established, and set forth in writing, by the CPO:
4.8.2.1 Whether the Company has stored Personal Data concerning the Data Subject.
4.8.2.2 Whether any of the data are Sensitive Data.
4.8.2.3 The source(s) of the data, if known.
4.8.2.3 The recipients or categories of recipients to whom the data have been or may be transmitted.
4.8.2.4 The purposes of the collection, processing, use and storage of the data.
4.8.2.5 A hard copy of the data in an intelligible form.
4.8.3 Unless applicable laws and regulations shall require otherwise, the Company will provide its response to a request under Section 3.8.2 within 30 days of the date the Company receives a written request from the Data Subject and appropriate verification that the requestor is the Data Subject or an authorized legal representative. If the Company cannot respond fully to the request within the time indicated, then the Company will follow the protocol established by the CPO, as required under applicable law.
4.8.4 Data Subjects shall have the right to require the Company to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data.
4.8.5 All business units receiving a Data Subject request for access to Personal Data shall notify the CPO and follow the protocol which the CPO shall implement.
4.8.6 Where providing the information about the requesting Data Subject would disclose Personal Data about another individual, the business unit handling the request must review the data and redact or withhold the information as may be necessary or appropriate to protect that person’s rights.
4.9 Sensitive Data.
4.9.1 Unless an applicable exemption shall apply, Sensitive Data should not be processed by TALARIA unless (i) such processing is specifically authorized or required by applicable law, and (ii) the Data Subject expressly consents to such collection.
4.9.2 If the Company is relying upon one of the exemptions to authorize processing of Sensitive Data, the exemption relied upon, and the basis for the exemptions should be recorded with the data.
4.10 Data Quality Assurance.
4.10.1 Each business unit shall take steps to assure that Personal Data it collects or processes is complete and accurate in the first instance. Data must be accurate and updated in such a way as to give a true picture of the current situation of the Data Subject.
4.10.2 The Company shall correct data which it knows to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification. Inaccurate data must be erased and replaced by corrected or supplemented data.
4.10.3 Personal Data must be kept only for the period necessary for permitted uses. When defining a permitted use for data, the business unit shall establish a sunset or review date for the stated purpose.
4.10.4 Personal Data should be erased if their storage violates any of the data protection rules or if knowledge of the data are no longer required by the Company or for the benefit of the Data Subject. See Record Retention Policies.
4.10.5 Personal Data should be blocked, rather than erased, insofar as the law prohibits erasure, erasure would impair legitimate interests of the Data Subject, erasure is not possible without disproportionate effort due to the specific type of storage; or if the Data Subject disputes that the data are correct and it cannot be ascertained whether they are correct or incorrect.
4.11 Proportionality. This Policy will be applied in a reasonable manner with cost and effort proportionate to the importance of the proposed processing and the sensitivity of the data at issue.
5.0 Notification to Data Privacy Authorities Regarding TALARIA’s Processing Activities
TALARIA shall not process Personal Data without notification to the data protection authorities in jurisdictions which require such notification. The CPO shall keep the notifications up to date at all times.
6.0 Use of Third Party Data Processors
6.1 Requirements for Third Party Processors. Where the Company relies on others to assist in its processing activities, the Company will choose a Data Processor that provides sufficient security measures and take reasonable steps to ensure compliance with those measures.
6.2 Written Contracts for Third Party Processors. TALARIA shall enter into a written contract with each data controller and/or processor requiring it to comply with data privacy and security requirements imposed on TALARIA under local legislation and under the GDPR.
6.3 Audits of Third Party Processors. As part of TALARIA’s internal data auditing process, TALARIA shall conduct regular checks on processing by third party data processors, especially in respect of security measures.
7.0 Notice to Directors, Managers, and Officers of Potential Sanctions for Non- Compliance
The CPO shall notify directors, managers, and other officers of TALARIA that: i) failure to comply with relevant data protection legislation may trigger criminal and civil liability, including fines, imprisonment, and damage awards; and ii) they can be personally liable where an offense is committed by TALARIA with their consent or connivance, or is attributable to any neglect on their part.
8.0 Data Security
8.1 Physical, Technical and Organizational Security Measures.
8.1.1 The Company shall adopt physical, technical, and organizational measures to ensure the security of Personal Data, including the prevention of their alteration, loss, damage, unauthorized processing or access, having regard to the state of the art, the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
8.1.2 Adequate security measures will comprise the following:
8.1.2.1 Entry Control: Prevention of unauthorized persons from gaining access to data processing systems in which Personal Data are processed.
8.1.2.2 Admission Control: Prevention of data processing systems from being used by unauthorized persons.
8.1.2.3 Access Control: Preventing persons entitled to use a data processing system from accessing data beyond their needs and authorizations. This includes preventing unauthorized reading, copying, modifying or removal during processing and use, or after storage.
8.1.2.4 Disclosure Control: Ensuring that Personal Data in the course of electronic transmission during transport or during storage on a data carrier cannot be read, copied, modified or removed without authorization, and providing a mechanism for checking to establish who is authorized to receive, and who has received, the information.
8.1.2.5 Input Control: Ensuring that it can be subsequently checked and established whether and by whom Personal Data have been entered into, modified on or removed from data processing systems.
8.1.2.6 Job Control: Ensuring that in the case of commissioned processing of Personal Data, the data can be processed only in accordance with the instructions of the Data Controller.
8.1.2.7 Availability Control: Ensuring that Personal Data are protected against undesired destruction or loss.
8.1.2.8 Use Control: Ensuring that data collected for different purposes can and will be processed separately.
8.1.2.9 Longevity Control: Ensuring that data are not kept longer than necessary, including by requiring that data transferred to third persons be returned or destroyed.
8.1.2.10 Technical Control/Security: Ensuring reasonable means are adopted to secure the Personal Data within TALARIA’s systems at all times, and also when such data is being transmitted. Such means may include, without limitation, encryption, de-identification and the use of VPN/VPS technologies.
8.2 Employee Confidentiality Agreements. All persons involved in any stage of processing Personal Data should explicitly be made subject to a requirement of secrecy which should continue after the end of the employment relationship.
9.0 Dispute Resolution
9.1 Data Subjects. Data Subjects with inquiries or complaints about the processing of their Personal Data should bring the matter to the attention of the CPO in writing. Any disputes concerning the processing of such Personal Data will be resolved through consultation of the parties, then the Data Subject may, at his/her option, seek redress through resort to mediation, binding arbitration, litigation, or complaint to a data protection authority with jurisdiction (all as permitted by applicable local law or procedure).
9.2 New Facing Issues. From time to time Data-related issues will arise within TALARIA that are not contemplated in this Policy. Upon such an occurrence, those issues shall be promptly escalated to the CPO for direction and guidance. Following the rendering of such guidance, the CPO shall decide, in its sole discretion, whether such issue is likely to arise in the future thereby necessitating the incorporation of such guidance within this Policy in the form of an update or modification, or to abstain from doing so.
10.0 Training
10.1 Talaria Employees. All employees within TALARIA will be required to undergo security training to teach, or re-emphasize privacy and security related procedures. These procedures should be set forth in written guidelines to employees and shall include at least the following:
10.1.1 Each employee’s duty to use and permit the use of Personal Data only by authorized persons and for authorized purposes;
10.1.2 A substantial amount of the contents of this Policy;
10.1.3 The correct use of passwords, security tokens and other access requirements and mechanisms;
10.1.4 Securely storing Personal Data and other non-public confidential information;
10.1.5 Requirements and restrictions around the transfer of Personal Data; and
10.1.6 Special risks associated with particular activities and/or types of Data.
11.0 Special Rules for Specific Countries
11.1 Country Specific Rules. The CPO may publish and append to this Policy guidelines and riders that apply in specific countries.
11.2 Integration with Other TALARIA Policies. Where TALARIA has issued other policies specifically applicable to particular countries or locations (i.e., works counsel agreements), those policies shall take precedence over this Policy.
11.3 Limited Effect of Policy. This Policy shall not be interpreted or construed as giving any individual rights greater than those which such person would be entitled to under applicable law and other binding agreements.
12.0 Compliance Measurements
The CPO shall establish schedules for, and implement data protection compliance reviews, throughout the TALARIA organization. The CPO, in cooperation with the business units, shall devise a plan and schedule to correct any identified deficiencies within a fixed, reasonable time.
13.0 Implementation
13.1 Access to Policy. This Policy shall be available to employees through the CPO.
13.2 Effective Date. This Policy is adopted as of September __, 17, 2018. The CPO, in cooperation with the Business Units, will develop a timeline and program for implementing this Policy. This implementation program will include the resolution of any conflicts between this Policy and other existing policies.
13.3 Revisions. This Policy may be revised at any time. Notice of significant revisions shall be provided to employees by the CPO and to others through mechanisms selected by the CPO.
14.0 MISCELLANEOUS
14.1 Custodian. The custodian of this Policy is the CPO. Each business unit manager is responsible for implementation of this Policy. Any questions regarding the implementation of this Policy should be directed to the CPO.
14.2 Severability. Whenever possible, each section/sub-section of this Policy shall be interpreted in a manner as to be valid under applicable law, but if any provision shall be held to be prohibited or invalid, such provision shall be ineffective only to the extent of such prohibition or invalidity, without invalidating the remainder of such provision or the other remaining provisions of this Policy.