Title Enterprise Privacy Policy
Approved date 18 Oct 2018
Reviewed date 03 May 2024
Geographic Scope EEA
Legal Entity(ies) Aera (All)
Objective and target group
This policy is valid for all Aera’s operations and all Aera companies.
Content
1. Introduction
This policy forms part of the internal control and governance system in Aera, and is approved by Board of Directors. The purpose of this policy is to ensure compliance applicable privacy regulations and that the data subjects‘ rights are protected.
2. Definitions
Definitions in GDPR will apply to all privacy documentation in Aera, unless otherwise defined in this policy.
3. Aera’s team responsible for privacy related issues
3.1 Aera’s Board of Directors
The Board of Directors is responsible for oversight and governance of Aera, including ensuring adequate privacy compliance.
3.2 CEO
The CEO is responsible for maintaining a sound system of internal control that supports the achievement of policies, values and objectives while safeguarding customers, employees, shareholders and other stakeholders. This includes privacy.
The CEO defines boundaries, principles and directives under which the operative execution of privacy risk management is done, and serves as the escalation and resolution body for controversial operative issues and for highest impact risk areas
The CEO has authorized the Compliance officer in Aera to manage and execute policies on a day-to-day basis.
3.3 Data Protection Officer (DPO)
The Data Protection Officer has the day-to-day responsibility for – in accordance with Article 39 of the General Data Protection Regulation (GDPR) – monitoring Aera’s compliance with applicable data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits. The DPO reports to the CEO [and Board of Directors].
Due to the close relation between privacy and IT security, there is close cooperation between CISO, who (indirectly) reports to the CEO, and DPO who reports to the CEO and the Board of Directors in the areas of privacy and data security. Aera shall support the DPO in the performance his/her tasks referred to in Article 39 of the GDPR by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his/her expert knowledge.
Aera shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks. He/she shall not be dismissed or penalized by Aera for performing his or her tasks. The DPO may fulfill other tasks and duties. Aera shall ensure that any such tasks and duties do not result in a conflict of interests.
4. Purposes for processing personal data and governing documentation
The policies relating to Aera’s processing of Personal Data is illustrated in the document “Document Hierarchy” as updated from time to time.
5. Lawful basis for processing
The GDPR requires a lawful basis for any personal data to be processed. In Aera, this is the lawful basis for processing the following types of personal data
5.1 Aera’s key rules for processing personal data as controller
No processing of personal data will take place unless one or more of the lawful basis below are in place:
When the basis for processing as listed above is no longer in place, all personal data shall be anonymized or deleted.
5.2 Aera’s key rules for processing personal data as processor
No processing of personal data will take place unless the following lawful basis is in place:
When the basis for processing as listed above is no longer in place, personal data shall be anonymized or deleted from Aera’s systems.
All suppliers shall adhere to these rules or similar rules approved by Aera to meet Aera’s requirements set herein.
5.3 Lawful basis for processing Employee personal data
Aera’s employees sign an employment agreement with the following content:
• Terms & conditions which are similar for all Aera’s employees
• Individual information referring to specific information covering the tasks of the respective employee, individual role, salary and benefits, pension scheme, place of work, working time, vacation and vacation payment, sick leave, maternity leave etc.
• Trial period
• Termination period in trial period and thereafter
• Actions by termination – Off-boarding
• Competition clause
• Confidentiality obligations
• IPR-rights to IPR resulting from the employment
• Information duties by employment
• Availability for employer, and activities outside the employment
In addition, all employees are presented with the Employee Handbook, a document containing important policies and regulations for the Data Controller.
5.4 Lawful basis for processing Customer personal data
Aera’s customers enter into agreements for various service deliveries, and to receive support and in some cases to receive consulting services. The customer contracts may include the following documents:
- NDA
- Customer Agreement
- Service Delivery Agreement
Customers frequently insist on applying own standards, to which Aera sometimes complies.
5.5 Lawful basis for processing personal data on behalf of Customer
Aera’s customers enter into agreements for Data Controller to provide payment service, and to receive support and in some cases to receive consulting services. A Data Processing Agreement is entered in addition to the services contracts. Aera provides its template Data Processing Agreements, but customers frequently insist on applying own standards, which Aera sometimes accepts.
It is made clear in all contracts that customer is the controller in relation to the customers’ customer data, and that customer is therefore under obligation to ensure that all data is collected and processed in accordance with applicable law.
Aera shall draft its Data Processing Agreements to ensure compliance with GDPR.
In addition to the above, Aera provides an overview of its processing for Customers’ customers in its Security statement, available on its homepage.
5.6 Lawful basis for processing Supplier personal data
Aera’s suppliers vary greatly, and enter into agreements suitable for the services in question.
All suppliers must commit to Aera’s Code Of Conduct. Suppliers that may process personal data on behalf of Aera will in all cases be required to sign a Data Processing Agreement.
5.7 Lawful basis for processing Visitor personal data
Aera provides the possibility for customers and interested parties to provide information on the home page in order for them to receive updates, information, invitations etc.
6. Information to data subjects
Information to data subjects for which Aera is the Controller will, as a minimum, include the following:
- The name and address of the Aera entity that is the Controller
- The name and address of the person responsible for data processing within Aera, or Aera’s Data Protection Officer
- The purposes of the processing including the contract terms where the controller relies on contract performance as the legitimate basis for processing and the legitimate interests that are relied on, as applicable
- the period for which the data will be processed
- the existence of rights to request access, rectification and erasure or to object to the processing
- the right to lodge a complaint with the supervisory authority, and contact details; recipients or categories of recipients of the personal data; and
- any further information necessary to guarantee fair processing.
This information is generally available on Aera’s webpage. All suppliers shall adhere to these rules or similar rules approved by Aera to meet Aera’s requirements set herein.
For consumers, a more detailed set of information as available on the Consumer Portal.
7. Documentation of data and processing facilities
This section describes personal data processed in Aera, and Aera’s processing facilities.
7.1 Overview
In the course of its business, Aera processes personal data from, Aera’s customers, Aera’s employees, applicants to positions, service providers, suppliers, subcontractors, visitors and prospects. For such data, Aera is the Controller, as defined in the EU General Data Protection Regulations (GDPR). The processing of such data is described in the following policies:
- Processor Personal Data Protection Policy
- Employee Personal Data Protection Policy
- Customer Personal Data Protection Policy
- Supplier Personal Data Protection Policy
These policies are approved by the CEO.
In addition, Aera processes personal data in connection with the services delivered to its customers. Such data is controlled by Aera’s customers, and may be personal data from Aera’s customers’ or customers’ customers as the case may be. For such data, Aera is the Processor, as defined in the EU General Data Protection Regulations (GDPR). The processing of such data is described in the Processor Personal Data Protection Policy. This policy is approved by the CEO.
An up to date overview of systems and components where personal data is stored or and processed can be found in the Aera’s enterprise architecture repository.
7.2 Transfer of personal data to Third Parties/ Sub-Processing
- Sub-processing of Personal data in the role as Processor is governed by the Data processor agreement entered into with each Data controller on whose behalf the “Data Controller” acts as a Data processor.
- Transfer and Sub-processing of Employee Personal Data, Customer Personal Data, Supplier Personal Data and Visitor Personal Data is governed by the respective Data Protection Policy (Ref Section 1).
7.3 Correction and deletion
Aera’s processes to ensure that data is corrected or deleted according to GDPR follows for each category of Data Subjects from guidelines in the following policies:
- Processor Personal Data Protection Policy
- Employee Personal Data Protection Policy
- Customer Personal Data Protection Policy
- Supplier Personal Data Protection Policy
7.4 Controller to controller transfers
Transfer of data to or from other controllers (controller-controller transfers) should always be made on the basis of a written data transfer agreement.
8. Procedures for audit and control
8.1 Management review
A review of Aera’s managing of privacy is part of a minimum yearly review by the management.
8.2 Revision and internal audit
The personal data protection Policy is within the scope of Aera’s Internal Control scope. Process for audit is described in the Audit Management Policy.
8.3 Non-conformity
Aera has procedures and routines in order to react according to breach and other non-compliant events. Aera´s Code of Conduct, containing whistleblower provisions, apply to all areas in Aera, including the privacy area.
If a breach is discovered as part of management review, or as part of an audit, reporting to CISO and to Data Protection Officer shall be done without delay.
8.4 Improvement action and follow up
Any breach shall be assessed by Data Protection Officer. Report to the top management shall be done without delay.
In cases where reports to authorities, customers or data subjects are required according to applicable law, such report will be performed within the required time frames.
In cases where report to customers or data subjects are required according to an agreement with customer, such report will be performed within the required time frames.