Global Data Protection Policy

Scope and Introduction

This policy is about data protection and the Processing of personal data by and between members of the Spectris Group. The Spectris Group means Spectris plc, and includes its subsidiary ESG Solutions. 

This policy is mandatory and applies to all employees and directors of the Spectris Group (‘Spectris employees’).  Employees who are directors or offices on boards of non-controlled joint ventures shall actively encourage the joint venture to adopt this policy as a model or use a similar policy.

Common Terms

There are certain common terms used in this policy and they are set out in Appendix 1:

1    Policy

1.1    This policy applies to all processing of personal data by us globally including the transfer or personal data between members of the Spectris Group.
1.2    This policy sets out the minimum requirements and procedural steps that all Spectris employees must follow.

2    Our Privacy Commitments

In its Binding Corporate Rules, the Spectris Group has agreed to the following key privacy commitments covering how personal data shall be treated:

2.1    We comply with applicable privacy laws and our Binding Corporate Rules
We understand privacy rules and our responsibilities when collecting, using and storing personal data.

2.2    We only process personal data for legitimate business purposes
We shall not process personal data unless (1)     the purpose for processing is clearly defined and explained to the individual and (2) one of the following conditions apply:

2.2.1    the personal data needs to be processed in respect of a contract with the individual;

2.2.2    the personal data needs to be processed based on a legal obligation;

2.2.3    the personal data needs to be processed to avoid serious harm to an individual;

2.2.4    the personal data needs to be processed to pursue a legitimate business interest which does not harm the interests and rights of the individual;

2.2.5    The individual consented to the processing of his or her personal data

2.3        We are accountable, we know where our personal data is, and we identify privacy risks proactively
We keep records of our data processing activities and compliance, and we execute data protection impact assessments if there is a high risk to rights and freedoms of individuals and we implement safeguards suitable for the risk identified.

2.4        We keep personal data confidential & secure and notify incidents
We keep personal data confidential at all times and only have access to or use it if necessary to perform our job. We protect personal data from misuse and unlawful processing. Data security incidents will be reported immediately by contacting the ESG Solutions Privacy Lead.

2.5    We treat data with care
We do not process more personal data than necessary for a specific purpose. We do not keep personal data longer than necessary and make sure that personal data remains up to date. The principles of privacy by design and by default are embedded in our work and systems.

2.6        We are transparent about our privacy practices
We shall clearly and transparently explain to individuals how their data will be processed. This information shall be easily accessible. Privacy notices are written in accordance with Spectris guidance.

2.7        We safeguard personal data before disclosing it to third parties and transferring it abroad
We do not share personal data with third parties unless we have conducted due diligence and have data processing agreements in place.

2.8        We respect the privacy rights of individuals
We respect the rights of individuals regarding their personal data processed by the Spectris Group, such as the right to

2.8.1    be informed;

2.8.2    retrieve access;

2.8.3    correction of any mistake;

2.8.4    erasure (‘the right to be forgotten’);

2.8.5    restrict processing;

2.8.6    receive their own personal data which they provided to the Spectris Group, in a machine-readable format and to transfer that data to a new data controller;

2.8.7    object to the processing, including for direct marketing purposes.

If we receive a request or complaint of an individual regarding privacy or his or her personal data, we immediately involve our ESG Solutions Privacy Lead.

2.9        We familiarize ourselves with data protection rules
We actively participate in the data protection training sessions the Group organizes and encourage colleagues to do so too.

3    All Employees

You shall:

3.1        familiarise yourself with this policy and act in accordance with it and our privacy commitments;

3.2        not process personal data in breach of the terms of this policy;

3.3        attend and complete all data protection training as required by the Group Privacy Counsel, or ESG Solutions;

3.4        report as soon as possible if you know of, or suspect, a breach of this policy by you or any other person.  Reports should be made to the ESG Solutions Privacy Lead, the Group Privacy Counsel, a member of the Legal Function or the Ethics Help Line, and;

3.5        seek help from the ESG Solutions Privacy Lead if you are in doubt or have any questions in relation to personal data.

4    Operating Company Presidents, Directors of Spectris Hosting Entities and Function Heads

4.1    You shall ensure that:

4.1.1        all employees in your organisational unit are aware of and follow this Data Protection Policy and all applicable Data Privacy Laws and regulations and guidance and tools made available to you;

4.1.2        all employees in your organisational unit receive regular messages from line management to comply with this Data Protection Policy e.g. via an agenda item for team meetings or other communication methods;

4.1.3    all employees in your organisational unit shall complete on time any required data protection training and refresher training, as appropriate to their roles, and keep records of the same;

4.1.4        sufficient resources and personnel (including a Privacy Lead), and appropriate systems and reporting requirements, are in place to properly implement and operate the Data Protection Policy as applicable;

4.1.5        the records required by the Data Protection Policy, guidance or toolkits, Data Protection Laws and regulations are complete, up to date and accessible for internal and external review; and

4.1.6    any non-compliance with this Data Protection Policy and Data Privacy Laws and regulations within your organisational unit are dealt with in an appropriate and timely manner and promptly reported to the Group Privacy Counsel.

4.2    The ESG Solutions Presidents and Accountable Executives under the Binding Corporate Rules and have specific obligations concerning the overall implementation of effective data protection management in their operating company, details of which are set out in Chapter 5 below.

5    Privacy Leads & Accountable Executives

If you are a Privacy Lead or Accountable Executive, you shall:

5.1        familiarize yourself with our Binding Corporate Rules and accompanying documentation;

5.2    comply with your tasks listed in the Binding Corporate Rules, a copy of which can be provided to you by the Group Privacy Counsel upon request.

6    Group General Counsel and Company Secretary

The Group General Counsel and Company Secretary shall in collaboration with the Group Privacy Counsel:

6.1        from time to time revise and issue updates to the Data Privacy Policy;

6.2        provide guidance to the Data Privacy Policy where appropriate; and

6.3        make training available on the Data Privacy Policy as required.

7    Privacy Audits

Compliance with this policy will be audited as part of Internal Audit’s annual audit programme. In addition, such audits may be conducted by an external auditor. 

8    Breaches of this Policy

8.1        All employees are responsible for their compliance with this policy and local data protection laws.  If local laws are stricter than the terms of this policy, than local laws shall apply. In this situation the Group Privacy Counsel will be consulted to determine how to resolve the conflict.

8.2    Breaches of this Policy may be subject to disciplinary action, including dismissal.

9    Complaints & Data Subject Requests

9.1        Individuals can file a complaint regarding compliance with this Policy or violations of their rights under applicable law by sending an email to the Privacy Lead

9.2        If a Spectris employee wishes to enforce any of its rights concerning his or her personal data processed by the Spectris Group (as set out in Chapter 2.8) then it shall follow the local process as described in the applicable employee privacy notice and submit its requests to the ESG Solutions Privacy Lead.

10    Regulating Authority

Binding Corporate Rules are authorised by supervising authorities. Authorisation of the Spectris Binding Corporate Rules is pending at the Dutch Data Protection Authority ‘Autoriteit Persoonsgegevens’, The Hague, the Netherlands:

11    Where to find out more

The Spectris Data Protection team


The office of the Group Privacy Counsel:

Danielle Folkersma
Group Privacy Counsel
Spectris Netherlands B.V.
Lelyweg 1, 7602 EA, Almelo, Netherlands
Mobile:  +44 (0) 7901 988 184
Email: Danielle.Folkersma[at]

The Spectris Whistleblowing Line


ESG Solutions Privacy Lead

Sanaz Pournasseh
20 Hyperion Court, Kingston, ON
Telephone: 613-548-8287 ext. 352
Email: Sanaz.Pournasseh[at]

Appendix 1 – Common Terms

Accountable Executive means each Spectris operating company President

Function Heads are Spectris Plc functional leaders: Chief Financial Officer, Group HR Director and Group General Counsel & Company Secretary.

Personal data is any information that could be used to identify an individual, e.g. name, email & home addresses.

Processing means the collection, use, storage altering, destroying, accessing, transfer or sharing of personal data

Privacy Lead means an employee appointed by the relevant Accountable Executive, with tasks as set forth in the Binding Corporate Rules.