Introduction and Summary
Sun Chemical and its group companies, hereby demonstrate our commitment to data protection and privacy by establishing a global data protection program to support compliance with applicable data protection and privacy laws and standards for protecting Personal Data. This Data Protection Policy, including its appendices and sub-policies (collectively the “Policy”), provides a general framework and sets out the general requirements for ensuring that we Process Personal Data in a compliant, fair, lawful, transparent, and secure way, locally and globally. In addition, local policies and procedures may be applicable to specific topics.
This Policy aligns with (and in some cases exceeds) the requirements of applicable laws and regulations, in particular the EU Data Protection Directives (e.g., Directive 95/46/EC and Directive 2002/58/EC) and any national laws implementing these and the General Data Protection Regulation 2016/679 (“GDPR”) effective 25 May, 2018 (replacing Directive 95/46/EC and respective national laws). In some cases, local laws and regulations may be more restrictive than this Policy; where that is the case, the more restrictive rules must be followed when Processing Personal Data in that jurisdiction. Local addenda, where applicable, may be issued from time to time, laying out more specific rules that shall prevail over this Policy in the event of inconsistency. The relevant Sun Chemical entity is expected to adhere to both this Policy and any specific policy, if any, which is applicable to its jurisdiction.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Subject” means an identified or identifiable natural person, to whom the Personal Data relates. Examples of Data Subjects may include our (i) employees and their family members; (ii) temporary workers; (iii) candidates seeking employment with Sun Chemical; (iv) the staff of our suppliers and customers; (v) visitors to our buildings; and (vi) website users.
“Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
“Processing” means the carrying out of any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of the Controller.
“Special Categories of Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the Processing of genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. Similar or even stricter rules may apply to Personal Data relating to criminal convictions and offences and to identification numbers.
“Sun Chemical” means Sun Chemical Group Coöperatief U.A. and each of its affiliated companies. “Sun Chemical entity” means an individual, affiliated company of Sun Chemical. “Sun Chemical Region” means a designated region of Sun Chemical.
Sun Chemical Group Coöperatief U.A., Sun Chemical Corporation, and the relevant local EU Sun Chemical entities will be the Controllers for the Processing of Personal Data in the context of the activities of the EU Sun Chemical entities.
Centralized and Local Processing
All Sun Chemical entities will Process some Personal Data for their purposes locally. However, as a global organization, many of our business activities can also be carried out (and business efficiencies achieved) by Processing and/or consolidating information about Data Subjects in specific or centralized databases and systems located at various worldwide facilities. Such Personal Data is also shared with other systems and databases hosted by and/or on behalf of Sun Chemical. However, Sun Chemical and those other systems and databases will only collect, receive, use, share, or otherwise Process such Personal Data in accordance with applicable laws, this Policy, additional policies (to the extent applicable) and any applicable specific local policy for a Sun Chemical entity (as may be required under applicable local law).
Controllers and Data Privacy Contact Groups
Sun Chemical entities will be the Controllers for the Processing of Personal Data. For specific regional and for global Processing activities, Sun Chemical entities, Sun Chemical Regional, and Sun Chemical Global will be Controllers for the Processing of Personal Data.
If a Data Subject has any questions, complaints, or wants to exercise his/her rights, the Data Subject may contact the Data Privacy Contact Group in its region. Sun Chemical will use good faith efforts to answer each question, investigate each complaint, and to respond within a reasonable timeframe. Sun Chemical will deal with each complaint in a fair, impartial, and unbiased manner. No Data Subject will be victimized or prejudiced directly or indirectly as a result of lodging a complaint.
Sun Chemical and anyone acting on its behalf must always act in accordance with the following Data Protection Principles and consider the privacy risks before collecting, using, retaining, disclosing, or otherwise Processing Personal Data, such as in a new system or as part of a project.
Notice, Consent, and Data Subject Rights
When collecting Personal Data from the Data Subject or from third parties, Sun Chemical will provide a privacy notice to the Data Subject in accordance with Articles 12 to 14 of the GDPR. Depending on the context and case, different information will be included in the notice.
Sun Chemical shall provide Data Subjects with appropriate access to Personal Data about them, and shall facilitate the Data Subjects to exercise their rights to correct, erase, restrict, or port Personal Data.
Confidentiality, Data Security, and Breach Notification
Sun Chemical will implement appropriate technical and organizational measures to ensure appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction, or damage.
In the event of any Personal Data Breach, Sun Chemical will notify the appropriate supervisory authority without undue delay and, where feasible, no later than seventy-two (72) hours after having become aware of it. In addition, Sun Chemical may also provide notification of any Personal Data Breach to Data Subjects who’s Personal Data may have been compromised if the Personal Data Breach is likely to result in a high risk to their privacy.
Sun Chemical will retain Personal Data in a form that permits identification of Data Subjects only for so long as necessary for the purposes for which it is processed or as required pursuant to applicable law, whichever is longer. Sun Chemical will dispose of (or retain only in an anonymous or de- identified form to the fullest extent possible) Personal Data that is no longer required in a secure manner and in accordance with applicable law, unless (i) to defend itself against legal claims; (ii) there are mandatory (statutory or contractual) retention or archiving obligations that require longer storage; or (iii) Personal Data will be Processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to implementation of the appropriate technical and organizational measures.
Transfer of Personal Data to Third Parties
Sun Chemical will only make Personal Data available to third parties in appropriate circumstances, will inform Data Subjects of same, and will put measures in place to safeguard the Personal Data
Sun Chemical will carry out international transfers of Personal Data (whether intercompany, intracompany, or otherwise) outside the European Union (EU), European Economic Area (EEA), or Switzerland only where (a) the transfer is in accordance with the laws of the transferor’s jurisdiction; and (b) the transferor has ensured that there is an adequate level of protection in the recipient’s jurisdiction or adequate safeguards have been put in place to protect the Personal Data. The transferor is responsible for assessing such adequacy and if necessary, will require the recipient to adopt protections similar to those under the transferor’s policy and jurisdiction.
Subject to applicable law, Sun Chemical may revise, amend, or supplement this Policy at its discretion at any time or from time to time. Data Subjects are advised to check periodically to ensure that they are aware of any change. To the fullest extent permissible under applicable laws, any Data Subject who permits Sun Chemical to be a Controller and/or Processor of his/her Personal Data agrees to be bound by the latest version of this Policy.