All Processing of Personal Data by Bisnode Companies shall be carried out in compliance with the European Data Protection Directive (95/46/EC) and national laws implementing the directive.
Capitalized terms in this Policy shall have the meaning set forth in section 3 of this Policy unless separately defined.
The purpose of this Policy is to establish a common foundation for Bisnode Companies' Processing and protection of Personal Data. This Policy covers all Processing of Personal Data with respect to information in electronic form (including email and documents created with word processing software) and information held in paper files that reference private individuals.
The existence of, and the compliance with, this Policy does not release a Bisnode Company from its obligation to set up the policies and procedures necessary to address specific legal requirements and business needs applicable in a jurisdiction or in particular circumstances.
Where national law imposes mandatory requirements which are stricter than those imposed by this Policy, the requirements in national law shall prevail and must be followed. Where national law imposes mandatory requirements which are not addressed in this Policy, the relevant national law shall be followed. If there are conflicting requirements in this Policy and national law, please consult with the General Counsel & Secretary of Bisnode AB.
Controller shall mean the natural or legal person or entity which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
Personal Data shall mean any information relating to an identified, or in some jurisdictions, identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity or by information such as identification number, bank or credit card records, social security/insurance number, telephony/fax number, email address and address.
Process(ing) shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Processor shall mean a natural or legal person, which Processes Personal Data on behalf of the Controller.
Sensitive Personal Data shall mean a special category of Personal Data for which additional protection is required. What is considered as Sensitive Personal Data may vary from country to country, but it typically includes information related to racial, ethnic origin, sexual orientation, political opinion, trade union membership, religious or philosophical belief, offences, criminal convictions or health and medical records.
4.1 Processing
Each Bisnode Company will obtain Personal Data only by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned. Personal Data will be Processed in accordance with applicable law and any applicable contractual obligations.
4.2 Information to the individual
Each Bisnode Company will, when required by applicable law, contract, or where the Bisnode Company considers that it is reasonably practical and appropriate to do so, provide information to the affected individuals about the purposes of the Processing of Personal Data, categories of information collected and stored, the identity of the Controller, and other information insofar as this is necessary to ensure that Personal Data is Processed in accordance with this Policy and applicable law.
4.3 Consent from the individual
If a Bisnode Company is legally or contractually required to request and receive consent from an individual prior to collection, use or disclosure of information containing Personal Data for certain purposes, the Bisnode Company will seek such consent and honour it. The Bisnode Company shall ensure that the consent fulfils mandatory legal requirements with respect to the consent, such as, for example, being voluntarily and explicitly given.
4.4 Processing of Sensitive Personal Data
Each Bisnode Company will adopt additional measures for particular types of Personal Data defined by national law as Sensitive Personal Data or as otherwise requiring additional protection. Each Bisnode Company will also adopt measures to address local customs or expectations regarding the Processing of Sensitive Personal Data.
4.5 Use and retention
Each Bisnode Company will only Process Personal Data for business purposes. Each Bisnode Company will only Process Personal Data that is necessary for the purposes for which it is to be used, and will only retain Personal Data for such time as is necessary for those purposes and otherwise to comply with applicable statutory retention periods.
4.6 Safeguarding Personal Data
Each Bisnode Company will establish reasonable and appropriate safeguards to protect Personal Data from unauthorized use, disclosure, destruction and alteration.
4.7 Quality of Personal Data
Each Bisnode Company will adopt measures to ensure that the quality of the Personal Data Processed is, to the best of its knowledge, accurate, complete, current and otherwise reliable for the purposes for which it is being used.
4.8 Request to access and correction of Personal Data
If an individual makes a request to access Personal Data relating to him or her, or requests to have errors in his or her Personal Data corrected, and can demonstrate the existence of a relevant error or omission, the Bisnode Company will consider and satisfy such request, where it considers it appropriate or where it is required to do so by applicable law. If stipulated in national law, an administration fee for complying with such a request may be charged.
4.9 Disclosures to third parties
Each Bisnode Company will only disclose Personal Data to third parties (including other Bisnode Companies) for business purposes or when otherwise required by applicable law. Each Bisnode Company will identify whether, under applicable law, the third party is considered as a Controller or a Processor of the Personal Data transferred.
Each Bisnode Company will enter into a data processing agreement with each Processor (including other Bisnode Companies) clarifying each party’s responsibilities with respect to the Personal Data transferred. The data processing agreement will ensure that the Processor protects the Personal Data from further disclosure and only Processes Personal Data in compliance with the Controller’s instructions. In addition, the data processing agreement will require the Processor to implement appropriate technical and organisational measures to protect the Personal Data as well as procedures for data breach notifications.
4.10 International transfers
Each Bisnode Company will only transfer Personal Data to, or allow access by, entities situated in countries outside the European Economic Area to the extent such countries may be deemed to provide an adequate level of protection for Personal Data. An adequate level of protection of Personal Data is deemed to be achieved if the Personal Data is transferred to an entity in the United States which has signed up to the Safe Harbour agreement or if the transfer is made under a contract which includes the model clauses adopted by the European Commission to ensure that there will be adequate safeguards for Personal Data transferred outside of the European Economic Area.
Prior to any transfer pursuant to this section 4.10, the transferring Bisnode Company will review the requirements under national law for the Processing and protection of Personal Data to determine that its obligations, and the obligations of the recipients in the other countries, with respect to such requirements are met.
MONITORING AND ENFORCEMENT
5.1 Bisnode internal monitoring and enforcement
Each Bisnode Company will ensure that its employees who Process Personal Data (such as human resources staff, employee managers and supervisors, customer service representatives, marketing and sales force personnel) are aware of and comply with this Policy. Each Bisnode Company will at its own discretion, and where applicable, be responsible for providing its personnel with appropriate training with respect to this Policy.
In addition, each Bisnode Company will ensure that its vendors and/or independent sub-contractors or temporary employees who Process Personal Data are aware of and comply with the contents of this Policy.
Noncompliance with this Policy may result in possible disciplinary action and/or may result in liability for a Bisnode Company pursuant to applicable law or contract.
5.2 Negative publicity in relation to the Processing of Personal Data
Each Bisnode Company will immediately report to Group General Counsel & Secretary of Bisnode AB any negative publicity relating to a Bisnode Company's Processing of Personal Data together with known details.
5.3 Data protection authorities and national law
Each Bisnode Company will review the requirements under national law for the Processing of Personal Data, including without limitation any duty to notify data protection authorities, and any duty to appoint a data privacy officer.
ROLES AND RESPONSIBILITY
The Bisnode group has adopted a decentralized approach with local responsibility for implementing this Policy. This implies that the CEO of each Bisnode Company has the responsibility for ensuring that this Policy is fully implemented, managed and controlled within his/her Bisnode Company. The implementation, management and control functions for the Policy may be delegated to a local responsible person.
This responsibility includes, but is not limited to, identifying the extent to which national laws of the country in which the relevant Bisnode Company is established impose more stringent requirements, or different requirements, than this Policy, and ensuring compliance with such requirements.
Deviations from this Policy shall be documented by the relevant Bisnode Company.
QUESTIONS ABOUT THIS POLICY
All inquiries about this Policy, including requests for exceptions or content change, shall be directed to the General Counsel & Secretary of Bisnode AB.