Personal Data Protection & CCTV Policy
- Purpose: To establish the basic principles regarding personal data protection in the Retail Group.
- Scope: Applicable to the files containing personal data.
- Observations and Definitions
Local Regulations: All national or local regulations on Personal Data Protection & CCTV, which are applicable by law in each location where the Retail Group operates, must be applied. Local management will be responsible for compliance with these national or local regulations.
Personal data: Any information concerning identified or identifiable individuals.
File: All organized sets of personal data, whatever their form or type of creation, storage, organization and access.
File Manager: Individual in Retail Group who decides on the contents, use of the treatment and authorized users of the data.
File User: Any employee with authorized access to the files.
CCTV: Closed Circuit Television.
Sensitive Personal Data: Information about the racial or ethnic origin of the Data Subject, his/her political opinions, his/her religious beliefs or other beliefs of a similar nature, whether he/she is a member of a trade union, Union and Labour Relations, his/her physical or mental health or condition, his/her sexual orientation, the commission or alleged commission by him/her of any offence, or any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.
Security Manager: Person(s) responsible for compliance with applicable data protection legislation and the basic principles established in this policy.
- Distribution: All the Retail Group companies.
- Data Protection Principles
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the following conditions is met:
  • The individual who the personal data is about has consented to the processing.
  • The processing is necessary in relation to a contract which the individual has entered into.
  • The processing affects public data, does not include data from other sources and the processing is strictly limited to achieving the objective that justified the creation of the file.
  • Any other case included in applicable law.
  • In the case of sensitive personal data, personal consent will always be required, unless local law permits such processing to discharge certain obligations of the Data Controller.
- Personal data shall be obtained only for specific and lawful purposes, and shall not be further processed in any manner incompatible with that initial purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
- Personal data shall be accurate and kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the following rights of Data Subjects:
  • A right of access to a copy of the information comprising their personal data;
  • A right to prevent processing for direct marketing;
  • A right to rectify and cancel his/her personal data in accordance with applicable law.
- Appropriate technical and organizational measures shall be taken to prevent unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- In Europe, personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data. For other countries, any possible transfer must comply with local law.
- Personal Data Management
- File creation. The creation of files exclusively to store sensitive personal data is forbidden.
- File record. There must be a record of the files containing personal data in each country.
- Security manager. There must be a security manager for files containing personal data in each country.
- Duty of data secrecy and security. Employees involved in any stage of the processing of personal data are bound by professional secrecy regarding said data and by the duty of ensuring its security.
- Data transferral to third parties. Wherever third parties providing services to Retail Group require access to the personal data, they must undertake compliance obligations by entering into adequate contracts.
In Europe, personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data.
- Query e-mail. Employees must be provided with a local e-mail address where queries on the correct processing of personal data can be sent.
- Location in protected network resources. All files or databases must preferably be saved in protected network resources or in the most secure computer in the Centre when access to the corporate network is unavailable.
- Passwords. The File Manager shall ensure data is accessed via a password. Files on a physical medium (paper, files, etc.) must be saved in cabinets with security measures, such as a lock and key or a padlock.
- Filing criterion. The filing of documents (print-outs or files, etc.) must guarantee the correct preservation, location and consultation of the information.
- Unauthorized accesses. No employee will be permitted access to personal data without due authorization.
- Removal of media. The removal of personal data from the Retail Group premises in any medium, without the knowledge and approval of an immediate superior, is expressly forbidden.
- Incoming and outgoing record. A record must be kept of authorized incoming or outgoing personal data.
- Destruction of media. Any physical medium containing personal data must be securely destroyed, i.e. in a manner that prevents the retrieval of this information. When destroying digital media containing personal data (computers no longer in use, hard drives or any other type of digital medium), the IT management shall be required to use the most appropriate and secure form of destruction.
- Audits. A review of the points established in these regulations shall be carried out at least every two years. Correction of discrepancies shall be monitored regularly.
- Principles Covering the Use of Cameras
- Security cameras. The responsible manager for each headquarters’ CCTV must keep a plan for the location of the security cameras in each center.
- Signs in place. In accordance with local regulations, Retail Group must place adequate signs to advise of the existence of CCTV surveillance. The most effective way of doing this is by using signs at the entrance to the CCTV zone and further signs inside each relevant area. The format and content of the signs will comply with local regulations.
- Image recording. Any CCTV images will be regarded as personal data and must be appropriate for the purpose for which they are collected. It is essential to choose camera equipment and locations that achieve the purposes for which CCTV is used. Both permanent and movable cameras should be sited, and image capture restricted, to ensure that areas within shops or premises that are not of interest, and are not intended to be the subject of surveillance, are not viewed.
- Security camera image file. Images should be kept for no longer than strictly necessary to meet the purposes for recording them. On occasion, images may need to be retained for a longer period, where a law enforcement body is investigating a crime, to give them opportunity to view the images as part of an active investigation.
- Incident Management
- Security incident. Refers to any loss of data; undue copies of data in work stations; severe errors in the computer systems handling the data that require the re-installation of programmes or back-up copies; and, in general, any abnormality detected regarding personal data.
- The Security Administrator must be notified of every security incident.
- Privacy Notices
The privacy notice is the legal statement that discloses some or all of the ways a party gathers, uses, discloses and manages the personal data of customers, employees, or third parties. Privacy notices must be included in forms for gathering personal data; their exact contents depend upon the applicable law in each country and must be reviewed and revised by the legal department when necessary. Privacy notices must include the following general conditions:
1. To identify the organisation in control of the processing
2. To describe what types of information are collected, used and the purpose or purposes for which you intend to process the information
3. To request consent when necessary and to warn of the consequences of not giving consent
4. Explain briefly the security of our operations
5. To provide the method to view and modify personal information
6. To provide the method of contact for users concerned about questions about privacy
7. Reserve the right to change the privacy notices at any time
8. Any other information required by local regulation

Image Recording: Any CCTV images will be regarded as personal data and must be adequate for the purpose for which they are collected.
Canadian Privacy Notice
Within Canada, the applicable legislation includes the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and the British Columbia Personal Information Protection Act (“PIPA”).
In Canada, WDFG Vancouver collects, uses and discloses personal information for the following purposes:
- To ensure each sales transaction is for export purpose only;
- To process a pre-order;
- To process transactions, such as financial information;
- To provide customer services such as inquiries, refunds and exchanges;
- To investigate theft or fraud;
- To meet our statutory and legal obligations including the Customs Act and Regulations;
- For the purposes of reporting to the Canada Border Services Agency;
- As required or authorized by law;
- Pursuant to our contractual obligations to the US Customs and Border Agency, when a customer in the preclearance area exceeds their personal allowance, and personal information is collected in relation to that transaction.
WDFG Vancouver may also collect, use or disclose personal information without consent in Canada as allowed or required by applicable privacy legislation.
From time to time, personal information collected may be stored outside of Canada, including at our headquarters in Spain and the UK, where it will be kept securely and with a level of protection that matches the Canadian legislative requirements.
If you have any questions, complaints or inquiries, or wish to request access to or a correction of your personal information, please contact our local privacy officer, firstname.lastname@example.org