Scope and Introduction
This policy is about data protection and the processing of personal data with regard to the ESG Solutions website. This policy is mandatory and applies to all employees and directors of ESG Solutions. Employees who are directors or officers on boards of non-controlled joint ventures shall actively encourage the joint venture to adopt this policy as a model or use a similar policy.
There are certain common terms used in this policy and they are set out in Appendix 1:
1.1 This policy applies to all processing of personal data by us globally, including the transfer of personal data between members of ESG Solutions.
1.2 This policy sets out the minimum requirements and procedural steps that all Spectris employees must follow.
2 Our Privacy Commitments
ESG Solutions has agreed to the following key privacy commitments covering how personal data shall be treated:
2.1 We comply with applicable privacy laws and our Binding Corporate Rules
We understand privacy rules and our responsibilities when collecting, using and storing personal data.
2.2 We only process personal data for legitimate business purposes
We shall not process personal data unless (1) the purpose for processing is clearly defined and explained to the individual and (2) one of the following conditions applies:
2.2.1 the personal data needs to be processed in respect of a contract with the individual;
2.2.2 the personal data needs to be processed based on a legal obligation;
2.2.3 the personal data needs to be processed to avoid serious harm to an individual;
2.2.4 the personal data needs to be processed to pursue a legitimate business interest which does not harm the interests and rights of the individual;
2.2.5 the individual consented to the processing of his or her personal data.
2.3 We are accountable, we know where our personal data is, and we identify privacy risks proactively
We keep records of our data processing activities and compliance. We execute data protection impact assessments if there is a high risk to the rights and freedoms of individuals, and we implement safeguards suitable for the risk identified.
2.4 We keep personal data confidential & secure and notify incidents
We keep personal data confidential at all times and only have access to or use it if necessary to perform our job. We protect personal data from misuse and unlawful processing. Data security incidents will be reported immediately by contacting the ESG Solutions Privacy Lead.
2.5 We treat data with care
We do not process more personal data than necessary for a specific purpose. We do not keep personal data longer than necessary and make sure that personal data remains up to date. The principles of privacy by design and by default are embedded in our work and systems.
2.6 We are transparent about our privacy practices
We shall clearly and transparently explain to individuals how their data will be processed. This information shall be easily accessible.
2.7 We safeguard personal data before disclosing it to third parties and transferring it abroad
We do not share personal data with third parties unless we have conducted due diligence and have data processing agreements in place.
2.8 We respect the privacy rights of individuals
We respect the rights of individuals regarding their personal data processed by ESG Solutions, such as the right to:
2.8.1 be informed;
2.8.2 retrieve access;
2.8.3 correction of any mistake;
2.8.4 erasure (‘the right to be forgotten’);
2.8.5 restrict processing;
2.8.6 receive their own personal data that they provided to ESG Solutions, in a machine-readable format and to transfer that data to a new data controller;
2.8.7 object to the processing, including for direct marketing purposes.
If we receive a request or complaint of an individual regarding privacy or his or her personal data, we immediately involve our ESG Solutions Privacy Lead.
2.9 We familiarize ourselves with data protection rules
We actively participate in the data protection training sessions the Group organizes and encourage colleagues to do so too.
3 All Employees
3.1 familiarise yourself with this policy and act in accordance with it and our privacy commitments;
3.2 not process personal data in breach of the terms of this policy;
3.3 attend and complete all data protection training as required by the Group Privacy Counsel, or ESG Solutions;
3.4 report as soon as possible if you know of, or suspect, a breach of this policy by you or any other person. Reports should be made to the ESG Solutions Privacy Lead, the Group Privacy Counsel, a member of the Legal Function or the Ethics Help Line; and
3.5 seek help from the ESG Solutions Privacy Lead if you are in doubt or have any questions in relation to personal data.
4 Operating Company Presidents and Function Heads
4.1 You shall ensure that:
4.1.1 all employees in your organisational unit are aware of and follow this Data Protection Policy and all applicable Data Privacy Laws and regulations and guidance and tools made available to you;
4.1.2 all employees in your organisational unit receive regular messages from line management to comply with this Data Protection Policy e.g. via an agenda item for team meetings or other communication methods;
4.1.3 all employees in your organisational unit shall complete on time any required data protection training and refresher training, as appropriate to their roles, and keep records of the same;
4.1.4 sufficient resources and personnel (including a Privacy Lead), and appropriate systems and reporting requirements, are in place to properly implement and operate the Data Protection Policy as applicable;
4.1.5 the records required by the Data Protection Policy, guidance or toolkits, Data Protection Laws and regulations are complete, up to date and accessible for internal and external review; and
4.1.6 any non-compliance with this Data Protection Policy and Data Privacy Laws and regulations within your organisational unit is dealt with in an appropriate and timely manner and promptly reported to the Group Privacy Counsel.
4.2 The ESG Solutions Presidents are Accountable Executives under the Binding Corporate Rules and have specific obligations concerning the overall implementation of effective data protection management in their operating company, details of which are set out in Chapter 5 below.
5 Privacy Leads & Accountable Executives
If you are a Privacy Lead or Accountable Executive, you shall:
5.1 familiarize yourself with our Binding Corporate Rules and accompanying documentation;
5.2 comply with your tasks listed in the Binding Corporate Rules, a copy of which can be provided to you by the Group Privacy Counsel upon request.
6 Group General Counsel and Company Secretary
The Group General Counsel and Company Secretary shall in collaboration with the Group Privacy Counsel:
7 Privacy Audits
Compliance with this policy will be audited as part of Internal Audit’s annual audit programme. In addition, such audits may be conducted by an external auditor.
8 Breaches of this Policy
8.1 All employees are responsible for their compliance with this policy and local data protection laws. If local laws are stricter than the terms of this policy, then local laws shall apply. In this situation the Group Privacy Counsel will be consulted to determine how to resolve the conflict.
8.2 Breaches of this Policy may be subject to disciplinary action, including dismissal.
9 Complaints & Data Subject Requests
9.1 Individuals can file a complaint regarding compliance with this Policy or violations of their rights under applicable law by sending an email to the Privacy Lead.
9.2 If an ESG Solutions employee wishes to enforce any of his or her rights concerning his or her personal data processed by the company, then he or she shall follow the local process as described in the applicable employee privacy notice and submit his or her requests to the ESG Solutions Privacy Lead.
10 Regulating Authority
Binding Corporate Rules are authorised by supervising authorities. Authorisation of the Spectris Binding Corporate Rules is pending at the Dutch Data Protection Authority ‘Autoriteit Persoonsgegevens’, The Hague, the Netherlands: https://autoriteitpersoonsgegevens.nl
Appendix 1 – Common Terms
● Accountable Executive means each ESG Solutions operating company President.
● Function Heads are ESG Solutions functional leaders: Chief Financial Officer, Group HR Director and Group General Counsel & Company Secretary.
● Personal data is any information that could be used to identify an individual, e.g. name, email & home addresses.
● Processing means the collection, use, storage, altering, destroying, accessing, transfer or sharing of personal data.
● Privacy Lead means an employee appointed by the relevant Accountable Executive, with tasks as set forth in the Binding Corporate Rules.
Thank you for visiting the ESG Solutions website.
Unless otherwise stated, all content on this site, including text, graphics, logos, publications, and images, is owned by ESG Solutions and its clients, and is protected by Canadian copyright laws and international copyright treaties and agreements. All rights reserved.
Distribution, transmission or republication of any material from esgsolutions.com is strictly prohibited without the prior written permission of ESG Solutions.
The content of this website can be accessed, printed, and downloaded in an unaltered form on a temporary basis for the purposes of gaining information related to the products and services offered by ESG Solutions.
Please note that some materials on this website are subject to copyrights held by other organizations or client companies. In some cases, it may be necessary to seek permission to reproduce the materials from the original author or copyright holder.
For more information or to request permission for reuse of information on this website, please contact:
20 Hyperion Court
Kingston, ON K7K 7K2
TF: 1-800-813-4406 (North America only)