In our day-to-day work, when we talk about personal data and its management, we do not always see the bigger implications and scope.
First, let’s be clear what we mean by personal data (PD). PD refers to “any information related to an identified or identifiable person expressed in alphabetical, numerical, graphic, acoustic, photographic or any other form, concerning natural or legal persons, identified or identifiable, directly or indirectly, and whose dissemination directly affects the right to privacy of its owner.” Within this, there are also “sensitive data,” which need special protection, given that they can reveal intimate details about someone or could, if shared, be used to discriminate against them (physical, ideological, religious, health).
PD belong to their owner, and only the owner can decide whether the data can be used and for what purpose. The owner has ARCO rights (Access, Rectification, Cancellation, or Opposition to the publication of PD).
In many cases, it is enough to adapt and implement a privacy notice that includes these aspects. But stopping at that point implies that we believe necessary measures have already been taken to protect the personal data held in internal documents and contracts that are available to all the different areas of the business. However, many people across the business who handle the PD of third parties daily could unintentionally share them without knowledge of the regulations.
Where to find PD in your organization
Marketing
Digitalized platforms and applications collect PD from clients and users of these digital tools.
Human resources
Staff recruitment and selection process through headhunters necessarily collects PD.
Highly regulated sectors
Whether due to labor or health regulations, some business units carry out medical examinations and provide care to employees, giving rise to the handling of sensitive personal data.
Providers of specialized services
Where, for example, security guards are responsible for registering visitors and verifying their identity by requesting PD embodied in official identity documents such as passports, voting credentials, professional licenses, etc.
Final consumer
Made up of end users who purchase products created by your company or distributed through its partners.
Why are all these activities relevant? Some of these areas collect and, where appropriate, transfer PD, including sensitive PD, to Syngenta. As a legal area, we must ensure that anyone handling PD has the knowledge to properly use it, through the Privacy Notice and the Policy. In addition, to prevent incorrect handling, it is important to approach all the areas involved with PD in a didactic and friendly way to convey the need to comply with regulation in accordance with the current legislation of each country.
If we do not consider the correct protection for requested, stored and, where appropriate, transferred PD, there is a significant risk for our organization in the form of large fines. The use of sensitive PD is even more delicate since it can involve discriminatory categories, such as: the recruitment process and selection of personnel and the medical examination on entry or exit that is carried out on employees. Everything related to a person's health is sensitive information.
What can be done to safeguard your company?
Make a list
Know who is collecting PD. Catalogue the different PD databases existing at your company in order to adequately protect the PD collected by its different stakeholders.
Identify third-party PD
Determine whether there is PD from third parties that is handled within Syngenta and that is not the latter's primary responsibility, for example, PD that is collected relating to subcontracted doctors and guards.
Ensure privacy notices are implemented
Ensure that privacy notices, which protect the company by implementing the requirements of PD standards, are placed in media such as social networks or virtual media, in writing, by telephone and on office reception signs.
Train for the specific PD risks
Train staff on the risks attached to the PD owner exercising their ARCO rights, in the event that the company does not have the authorizations and/or consent for handling and/or transferring the PD, or does not have the necessary infrastructure to protect them.
Finally, we must promote these initiatives to raise awareness among different functions of the regulations applicable to their area in their country. The goal is to bring about cultural change, making staff aware that when collecting PD from third parties, they are ambassadors of the company. Of course, this can only be done in collaboration with other areas that have the necessary expertise.
Disclaimer: The information in any resource in this website should not be construed as legal advice or as a legal opinion on specific facts, and should not be considered representing the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical guidance and references for the busy in-house practitioner and other readers.