Contents
- About this Policy: purpose; scope; and application
- What is personal data?
- How to manage personal data: the key principles of personal data protection
- Privacy impact assessments: what are they and when do you need one?
- Record keeping
- How does Asanplus manage data privacy breaches?
- What are the consequences of violation of this Policy?
- Further information
- About this Policy
- Purpose
In the course of our business, Asanplus collects, handles and stores personal data of our customers, employees, sellers, suppliers, contractors and other individuals (“Data Subjects”). This information is a valuable and sensitive asset that must be managed respectfully, and in accordance with all applicable local and international laws.
This Policy explains how any personal information which we process (or others process on our behalf) must be used in accordance with the law, and for Asanplus’s legitimate business purposes only.
- Scope
This Policy covers:
- all personal data held by or on behalf of Asanplus, regardless of the media on which that data is stored, or of which individuals own that personal data; and
- all processing of such personal data, including all collection, recording, organisation, storage, use, disclosure, transfer, deletion and any other handling of personal data.
- Application
This Policy applies to all Asanplus’s employees, and to Asanplus’s sellers, suppliers, contractors and other third parties responsible for processing personal data for or on behalf of Asanplus, referred to in this Policy as our “Partners”.
We expect all Partners to maintain our standards of data privacy, as set out in this Policy.
- What is personal data?
Personal data is any information relating to an identified or identifiable person, including: name; address; date or place of birth; photographs or videos (including CCTV footage); contact details (e.g. telephone number, email, address); national identifiers (e.g. ID numbers); professional status (e.g. job title, employer); location; online identifiers (e.g. IP addresses); and personal preferences (e.g. shopping and browsing habits), among numerous other types of personal data. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, mental, economic, cultural or social identity.
Sensitive personal data or special category personal data contains information relating to a person’s race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health and sexual life or orientation.
- How to manage personal data: the key principles of personal data protection
Asanplus adheres to the highest personal data protection standards which require personal data to be processed in accordance with the principles set out below.
- Lawfulness and fairness
Personal data must be processed fairly and lawfully.
Asanplus shall only process personal data if so required to comply with applicable laws (e.g. for the purpose of employee tax deductions) or if it has received affirmative consent, i.e. the Data Subject must make a positive statement or tick a box by way of consent.
Processing of personal data in reliance on any other legal basis, and without consent of the Data Subject, requires express written approval from the Asanplus General Counsel, and is otherwise strictly prohibited.
Processing of sensitive data requires express written approval from the Asanplus General Counsel, and is otherwise strictly prohibited.
- Transparency
Personal data must be processed in a transparent manner.
Asanplus ensures that Data Subjects are duly informed before they disclose their personal data, by a clear and comprehensive privacy notice.
- Purpose limitation and data minimisation
Personal data must be collected only for specified, explicit and legitimate purposes. Data collected must be adequate, relevant and limited to what is necessary for the identified purpose.
Collecting personal data that the business does not require for a specified purpose exposes Asanplus to unnecessary legal risks.
- Accuracy
Personal data must be accurate and kept up to date where necessary. Asanplus endeavors to maintain the accuracy of our records through:
- self-service systems e.g. our Seller Centre enables sellers to update their details periodically;
- regular verification exercises; and
- providing information to individuals so they know who to contact if their details change.
- Data Subject’s rights and requests
Data Subjects are entitled to exercise various rights with respect to their own personal data, including but not limited to the following:
- withdrawing consent to processing of their personal data;
- requesting access to their personal data; and
- requesting erasure of their personal data in certain circumstances.
Asanplus’s Data Subject Rights Handling Guidance sets out processes for managing and responding to Data Subject requests, including mechanisms for communicating with Partners who may hold the relevant personal data in order to execute such responses.
- Storage limitation
Personal data must not be kept for any longer than is necessary. Asanplus requires personal data to be anonymized or destroyed once the purpose for retaining that data, or the relevant time in the Document Retention Policy, has expired.
- Security, integrity and confidentiality
Personal data must be processed in a manner which ensures its security using appropriate technical and organisational measures to protect against accidental loss, destruction or damage.
Security measures should be proportionate to the level of confidentiality and sensitivity of the personal data.
It is Asanplus’s goal to ensure security of personal data by:
- anonymising or pseudonymising personal data wherever this is possible without compromising the purpose;
- putting in place appropriate contractual arrangements to ensure an appropriate level of protection for personal data when it is shared with a third party; and
- carrying out due diligence, as part of the supplier onboarding process, to verify that any third party suppliers who hold or have access to personal data on our behalf meet our data protection standards.
- Transfer limitation
Personal data must not be transferred across borders without the appropriate safeguards and consents being in place.
Asanplus maintains a record of all personal data transfers and requires you to inform and obtain approval from the Asanplus General Counsel in respect of any personal data that is transferred across borders.
- Privacy Impact Assessments: what are they and when do you need one?
Privacy Impact Assessments are a tool which allows you to identify, assess and mitigate privacy risks. They can also help you to design more efficient and effective processes for handling personal data.
Asanplus requires a Privacy Impact Assessment to be completed where the activity falls outside Asanplus’s existing data map, e.g. transferring data to a new supplier or collecting a new category of data.
- Record keeping
Asanplus maintains a full and accurate data map of all personal data processing activities and data flows, including details of records of Data Subjects’ consents and the procedures for obtaining consents.
We expect our Partners to maintain detailed data maps in respect of all personal data that they process on behalf of Asanplus, and to make this information available to Asanplus.
- How does Asanplus manage data privacy breaches?
Asanplus has in place procedures to deal with any suspected personal data breach and will notify affected individuals and applicable regulators where legally required to do so.
If you know or suspect that a personal data breach has occurred, immediately contact compliance@asanplus.com.
- What are the consequences of violation of this Policy?
Failure to comply with this Policy is a serious compliance breach.
Non-compliance is a disciplinary matter for employees. If you are a contractor, seller or supplier, it may constitute a breach of your contract with Asanplus and we may review, and/or terminate, your assignment with us.
- Further information
The following documents contain further helpful information on how Asanplus manages personal data:
- Asanplus Privacy Impact Assessments Template and Guidance
- Asanplus Online Privacy & Cookie Notice
- Asanplus Document Retention Policy
- Asanplus Data Subject Rights Handling Guidance
If you are an employee of Asanplus and you have any questions about this Policy, or require approval of the General Counsel, please contact the lawyer responsible for your market.
If you are a Partner of Asanplus and you have any questions about this Policy or you require any approvals, please contact your Asanplus relationship manager.
If you know or suspect that a personal data breach has occurred, immediately contact compliance@asanplus.com.