CUSTOMER, SUPPLIER AND BUSINESS PARTNER PRIVACY PROCEDURE

Introduction

This procedure determines how personal data of HEINEKEN’s customers, suppliers, lessees and business partners, or any parties associated with them, should be handled by all of HEINEKEN’s Op Cos, including HEINEKEN UK, as well as by third parties processing such personal data on HEINEKEN’s behalf.

Personal data is any information relating to an individual that allows them to be identified, directly or indirectly (either from that information alone or when that information is put together with other available information). Examples of customer, supplier, lessee and business partner personal data are names, job titles, work email addresses and information such as a customer’s or lessee’s hobbies or family life.

Why does HEINEKEN have a Privacy Procedure for Customer, Supplier and Business Partner Data? 

1) To ensure a high and consistent level of data protection in all Op Cos which meets the requirements of the EU General Data Protection Regulation (GDPR) and, for HEINEKEN UK, the UK Data Protection Act.

2) To outline the circumstances in which HEINEKEN has a legitimate interest in using customer, supplier, lessee and business partner personal data.

3) To inform customers, suppliers, lessees and business partners of their rights with respect to their personal data that is held by HEINEKEN.

4) To set out the requirements governing the transfers of customer, supplier, lessee and business partner personal data to third parties.

What are the Main Principles of HEINEKEN’s Privacy Procedure for Customer, Supplier and Business Partner Data?

Purpose Limitation

Transparency and Quality of Data

Security and Access

Deletion

1. Customer, supplier and business partner personal data should be deleted when the purpose or purposes for which it was obtained have been fulfilled, unless it requires to be kept for a longer period in order to satisfy a specific legal requirement.

Privacy Procedure Index

The Privacy Procedure comprises 23 Articles and an Annex containing interpretations and definitions, which can be accessed by following the links below:

Article 1: Scope, Applicability and Implementation

Scope

1.1 This Procedure addresses the Processing of Personal Data of Customers, Suppliers and Business Partners and other Individuals by HEINEKEN or a Third Party on behalf of HEINEKEN. This Procedure does not address the Processing of Personal Data of Employees in the context of their employment relationship with HEINEKEN.

Electronic and paper-based Processing

1.2 This Procedure applies to the Processing of Personal Data by electronic means and in systematically accessible paper-based filing systems.

Applicability of local law and Procedure

1.3 Individuals keep any rights and remedies they may have under applicable local law. This Procedure shall apply only where it provides supplemental protection for Personal Data. Where applicable local law provides more protection than this Procedure, local law shall apply. Where this Procedure provides more protection than applicable local law or provides additional safeguards, rights or remedies for Individuals, this Procedure shall apply.

Sub-policies and notices

1.4 HEINEKEN may supplement this Procedure through sub-policies or notices that are consistent with this Procedure.

Accountability

1.5 The appropriate Responsible Manager shall be accountable for compliance with this Procedure.

Effective Date

1.6 This Procedure has been adopted by the Executive Board of HEINEKEN N.V. and shall enter into force as of 1st January 2018, and shall be published on the HEINEKEN website and HEINEKEN intranet and shall be made available to Individuals upon request.

Procedure supersedes prior policies

1.7 This Procedure supersedes all HEINEKEN privacy policies and notices that exist on the Effective Date to the extent they are in contradiction with this Procedure.

Implementation

1.8 This Procedure shall be implemented in the HEINEKEN organization based on the timeframes specified in Article 23.

Role of HEINEKEN International B.V.

1.9 HEINEKEN N.V. has tasked HEINEKEN International B.V. with the coordination and implementation of this Procedure.

Article 2: Purposes for Processing Personal Data

Legitimate Business Purposes

2.1 Personal Data shall be collected, used or otherwise Processed by HEINEKEN for one (or more) of the following purposes (Business Purposes):

(a)  Assessment and acceptance of Customers, Suppliers and Business Partners. This purpose includes Processing of Personal Data that are necessary in connection with the assessment and acceptance of Customers, Suppliers and Business Partners, including confirming and verifying the identity of relevant Individuals (this may involve the use of a credit reference agency or other Third Parties), conducting due diligence, and screening against publicly available government and/or law enforcement agency sanctions lists;

(b)  Conclusion and execution of agreements with Customers, Suppliers and Business Partners. This purpose addresses the Processing of Personal Data necessary to conclude and execute agreements with Customers, Suppliers and Business Partners, including required screening activities (e.g. for access to HEINEKEN's premises or systems and on compliance with the HEINEKEN Code of Business Conduct) and to record and financially settle delivered services, products and materials to and from HEINEKEN. This purpose also includes the Processing of Personal Data in connection with the execution of agreements, including the delivery of Customer Services;

(c)  Development and improvement of products and/or services. This purpose includes Processing of Personal Data that are necessary for the development and improvement of HEINEKEN products and/or services, research and development;

(d)  Relationship management and marketing. This purpose includes activities such as maintaining and promoting contact with Customers, Suppliers and Business Partners, account management, customer service, recalls and the development, execution and analysis of market surveys and marketing strategies, including online marketing activities (e.g. advertising, analysing online use of the services and the HEINEKEN website, and the purchase of products);

(e)  Business process execution, internal management and management reporting. This purpose includes the management of company assets, conducting audits and investigations, reviewing and monitoring compliance with the HEINEKEN Code of Business Conduct and other terms applicable to the relationship with Customers, Suppliers and Business Partners and other Individuals, finance and accounting, implementing business controls, provision of central processing facilities for efficiency purposes, managing mergers, acquisitions and divestitures, and Processing Personal Data for management reporting and analysis, archive and insurance purposes, legal or business consulting, and preventing, preparing for or engaging in dispute resolution;

(f)   Health, safety, security and integrity.  This purpose includes the protection of the interests of HEINEKEN, its Employees, Customers, Suppliers and Business Partners and activities such as those involving health and safety, the protection of HEINEKEN and Employee assets, and the authentication of Customer, Supplier or Business Partner status and access rights;

(g)  Compliance with law. This purpose addresses the Processing of Personal Data necessary for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which HEINEKEN is subject, including the disclosure of Personal Data to government institutions or supervisory authorities, including tax authorities, in relation thereto; or

(h)  Protection of the vital interests of Individuals. This is where Processing is necessary to protect the vital interests of an Individual.

Where there is a question whether a Processing of Personal Data can be based on a Business Purpose listed above, the appropriate Privacy Officer will be consulted before the Processing takes place.

Consent

2.2 If a Business Purpose does not exist or if applicable local law so requires, HEINEKEN shall (also) seek consent from the Individual for the Processing. If the Processing is reasonably necessary to address a request of the Individual (e.g. he subscribes to a service or seeks a benefit), the Individual’s consent is implied.

When seeking consent, HEINEKEN must inform the Individual:

a) of the purposes of the Processing for which consent is required;

b) of the possible consequences for the Individual of the Processing;

c) which Group Company is responsible for the Processing;

d) that he or she is free to refuse or withdraw consent at any time; and

e) that withdrawal of consent does not affect the lawfulness of the relevant Processing before such withdrawal.

Denial or withdrawal of consent

2.3 The Individual may both deny consent and withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of the Processing based on such consent before its withdrawal.

Article 3: Use for Other Purposes

Use of Data for Secondary Purposes

3.3 Generally, Personal Data shall be used only for the Business Purposes for which they were originally collected (Original Purpose). Personal Data may be Processed for a legitimate Business Purpose of HEINEKEN different from the Original Purpose (Secondary Purpose) only if the Original Purpose and Secondary Purpose are closely related. Depending on the sensitivity of the relevant Personal Data, and whether use of the Data for the Secondary Purpose has potential negative consequences for the Individual, use for the Secondary Purpose may require additional measures such as:

a) limiting access to the Data;

b) imposing additional confidentiality requirements;

c) taking additional security measures;

d) informing the Individual about the Secondary Purpose;

e) providing an opt-out opportunity; or

f) obtaining an Individual's consent in accordance with Article 2.2 or Article 4.3 (if applicable).

Article 4: Purposes for Processing Sensitive Data

Specific purposes for Processing Sensitive Data

4.1 This Article sets forth specific rules for Processing Sensitive Data. HEINEKEN shall Process Sensitive Data only to the extent necessary to serve the applicable Business Purpose.

The following categories of Sensitive Data may be collected, used or otherwise Processed only for one (or more) of the purposes specified below:

(a)  Racial or ethnic data (including pictures and moving images of an Individual):

(i)  in some countries, photos and video images of individuals qualify as racial or ethnic data. HEINEKEN may process photos (e.g. a copy of a passport containing a photo) and video images for the protection of HEINEKEN and Employee assets, site access and security reasons;

(ii) for assessment and acceptance of Customers including the identification and authentication of Customers (including confirming and verifying the identity of relevant Individuals);

(iii) for assessment and verification of Supplier or Business Partner status and access rights; and

(iv) for verifying and confirming advice provided by HEINEKEN to Individuals (e.g. when Individuals participate in video conferencing which is recorded);

(b)  Criminal data (including data relating to criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour):

(i) for assessment and acceptance of Customers, Suppliers and Business Partners, including the identification and authentication of Customers (including confirming and verifying the identity of relevant Individuals);

(ii) for the execution of an agreement with Customers; and further

(iii) for protecting the interests of HEINEKEN, its Employees, Customers, Suppliers and Business Partners;

(c)  Religion or philosophical beliefs:

(i) accommodating specific products or services for a Customer and to accommodate dietary requirements or religious holidays, e.g. for Customer, Supplier or Business Partner events.

General Purposes for Processing of Sensitive Data

4.2 In addition to the specific purposes listed in Article 4.1 above, all categories of Sensitive Data may be Processed under one (or more) of the following circumstances:

(a)  as required or allowed for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which HEINEKEN is subject;

(b)  by or allowed under applicable law;

(c)  for the establishment, exercise or defence of a legal claim;

(d) to protect a vital interest of an Individual, but only where it is impossible to obtain the Individual’s consent first;

(e) to the extent necessary to comply with an obligation of international public law (e.g. treaties);

(f) where Sensitive Data have manifestly been made public by the Individual; or

(g) to the extent necessary for reasons of substantial public interest.

Consent, and the denial or withdrawal thereof

4.3 In addition to the specific purposes listed in Article 4.1 and the general purposes listed in Article 4.2, all categories of Sensitive Data may be Processed if the Individual has given his explicit consent to the Processing thereof. If one of the purposes listed in Articles 4.1 and 4.2 applies, HEINEKEN shall in addition seek consent if applicable local law so requires. The information requirements set out in Article 2.2 and Article 2.3 apply to the granting, denial or withdrawal of consent.

Prior Authorization of Privacy Officer

4.4 Where Sensitive Data are Processed based on a requirement of law other than the local law applicable to the Processing, the Processing requires prior authorization from the appropriate Privacy Officer.

Use of Sensitive Data for Secondary Purposes

4.5 Sensitive Data of Individuals may be Processed for Secondary Purposes in accordance with Article 3.

Article 5: Quantity and Quality of Data

No Excessive Data

5.1 HEINEKEN shall restrict the Processing of Personal Data to those Data that are reasonably necessary for and relevant to the applicable Business Purpose. HEINEKEN shall take reasonable steps to delete Personal Data that are not required for the applicable Business Purpose.

Storage period

5.2 HEINEKEN generally shall retain Personal Data only for the period required to serve the applicable Business Purpose, to the extent reasonably necessary to comply with an applicable legal requirement, or as advisable in light of an applicable statute of limitations. HEINEKEN may specify (e.g., in a sub-policy, notice or records retention schedule) a time period for which certain categories of Personal Data may be kept.

Promptly after the applicable storage period has ended, the Privacy Officer shall direct that the Data be:

(a)  securely deleted or destroyed;

(b)  de-identified; or

(c)  transferred to an Archive (unless this is prohibited by law or an applicable records retention schedule).

Quality of Data

5.3 Personal Data should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Business Purpose.

'Privacy by Design'

5.4 HEINEKEN shall take commercially reasonable technical and organizational steps to ensure that the requirements of this Article 5 are implemented into the design of new systems and processes that Process Personal Data.

Accurate, complete and up-to-date Data

5.5 It is the responsibility of Individuals to ensure that their Personal Data, as held by HEINEKEN, are accurate, complete and up-to-date. Individuals shall inform HEINEKEN regarding any changes in accordance with Article 7.

Article 6: Individual Information Requirements

Information requirements

6.1 HEINEKEN shall inform Individuals through a privacy policy or notice of the following information, unless the Individual already has the information:

(a)  the Business Purposes (including Secondary Purposes) for which their Data are Processed;

(b)  which Group Company is responsible for the Processing as well as the contact information of the Privacy Officer;

(c)  the categories of Third Parties to which the Data are disclosed (if any) and whether any Third Party is located in a country outside the EEA where neither the Third Party nor the country is covered by an Adequacy Decision; and

(d)  other information where relevant e.g.:

(i)    the nature and categories of the Processed Data;

(ii) the period for which the Data will be stored or (if not possible) the criteria used to determine this period;

(iii) an overview of the rights of Individuals under this Procedure and how these can be exercised;

(iv) the existence of automated decision making referred to in Article 10.1 as well as meaningful information about the logic involved and potential negative consequences thereof for the Individual;

(v) the source of the Data (where the Personal Data have not been obtained from the Individual), including whether the Personal Data came from a public source.

Personal Data not obtained from the Individual

6.2 If applicable local law so requires, where Personal Data have not been obtained directly from the Individual, HEINEKEN shall provide the Individual with the information as set out in Article 6.1, unless the Individual already has the information:

(a)  at the time that the Personal Data are recorded in a HEINEKEN database; or

(b)  at the time that the Personal Data are used for a mailing, provided that this mailing is done within six months after the Personal Data are recorded in a HEINEKEN database.

Exceptions

6.3 The requirements of Article 6.2 may be set aside if:

(a) it is impossible or would involve a disproportionate effort to provide the information to Individuals; or

(b) it results in disproportionate costs.

These exceptions to the above requirements qualify as Overriding Interests.

Article 7: Individual Rights of Access and Rectification and Erasure

Rights of Individuals

7.1 Every Individual has the right to request a copy of his Personal Data Processed by or on behalf of HEINEKEN and further, where reasonably possible, the following information: the categories of Data concerned, available information as to their source, the Business Purposes of the Processing, storage periods (or the criteria to determine such periods), the categories of Third Party recipients of the relevant Personal Data, including whether such Third Party is located in a country outside the EEA and whether the Third Party or the country are covered by an Adequacy Decision, and the existence of automated decision making referred to in Article 10.1, as well as meaningful information about the logic involved and potential negative consequences thereof for the Individual.

If the Personal Data are incorrect, incomplete or not Processed in compliance with applicable law or this Procedure, the Individual has the right to have his Data rectified, deleted or the Processing thereof restricted (as appropriate).

In addition, the Individual has the right to object to:

(a)  the Processing of his Data on the basis of grounds related to his particular situation, unless HEINEKEN can demonstrate a prevailing legitimate interest for the Processing; and

(b)  the Processing of his Data for direct marketing communications, including profiling to the extent that it is related to such direct marketing.

The Individual has the right (at his option) to receive a copy of the Data that he has provided in a common machine readable format.

Procedure

7.2 The Individual should send his request to the contact person or contact point indicated in the relevant privacy statement or notice. If no contact person or contact point is indicated, the Individual may send his request through the general contact section of the HEINEKEN website.

Prior to fulfilling the request of the Individual, HEINEKEN may require the Individual to:

(a)  specify the categories of Personal Data to which he is seeking access;

(b)  specify to the extent reasonably possible the data system in which the Data are likely to be stored;

(c)  specify the circumstances in which HEINEKEN obtained the Personal Data;

(d)  provide proof of his identity when HEINEKEN has reasonable doubts concerning such identity, or to provide additional information enabling his identification;

(e)  pay a fee to compensate HEINEKEN for the reasonable costs relating to fulfilling the request, provided HEINEKEN can reasonably demonstrate that the request is manifestly unfounded or excessive, e.g. because of its repetitive character; and

(f)   in case of a request for rectification, deletion, or blockage, specify the reasons why the Personal Data are incorrect, incomplete or not Processed in accordance with applicable law or this Procedure.

Response period

7.3 Within four weeks of HEINEKEN receiving the request, the contact person, contact point, or Privacy Officer shall inform the Individual in writing or electronically either (i) of HEINEKEN’s position with regard to the request and any action HEINEKEN has taken or will take in response or (ii) the ultimate date on which he will be informed of HEINEKEN's position and the reason for the delay, which date will be no later than eight weeks after the communication was sent to the Individual.

Complaint

7.4 An Individual may file a complaint in accordance with Article 17.3 if:

(a) the response to the request is unsatisfactory to the Individual (e.g. the request is denied);

(b) the Individual has not received a response as required by Article 7.3; or

(c) the time period provided to the Individual in accordance with Article 7.3 is, in light of the relevant circumstances, unreasonably long and the Individual has objected but has not been provided with a shorter, more reasonable time period in which he will receive a response.

Denial of requests

7.5 HEINEKEN may deny an Individual’s request if:

(a)  the request does not meet the requirements of Articles 7.1 and 7.2;

(b)  the request is not sufficiently specific;

(c)  the identity of the relevant Individual cannot be established by reasonable means, including the additional information provided by the Individual;

(d)  HEINEKEN can reasonably demonstrate that the request is manifestly unfounded or excessive, e.g. because of its repetitive character. A time interval between requests of six months or less shall generally be deemed to be an unreasonable time interval; or

(e)  the request violates the rights of other individuals.

No requirement to Process identifying information

7.6 HEINEKEN is not obliged to Process additional information in order to be able to identify the Individual for the sole purpose of facilitating the rights of the Individual under this Article 7.

Article 8: Security and Confidentiality Requirements

Data security

8.1 HEINEKEN shall take appropriate commercially reasonable technical, physical and organizational measures to protect Personal Data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition or access. To achieve this, HEINEKEN has developed and implemented the HEINEKEN Information Security Policy and other policies relating to the protection of Personal Data.

Staff access

8.2 Staff members shall be authorized to access Personal Data only to the extent necessary to serve the applicable Business Purpose and to perform their job.

Confidentiality obligations

8.3 Staff members who access Personal Data must meet their confidentiality obligations.

Data Security Breach notification requirement

8.4 HEINEKEN shall notify the Individual of a Data Security Breach within a reasonable period of time following discovery of such breach, unless a law enforcement official or supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security. In this case, notification shall be delayed as instructed by such authority. HEINEKEN shall respond promptly to inquiries of Individuals relating to such Data Security Breach.

Article 9: Direct Marketing

Direct marketing

9.1 This Article sets forth requirements concerning the Processing of Personal Data for direct marketing purposes (e.g. contacting the Individual by email, fax, phone, SMS or otherwise, with a view of solicitation for commercial or charitable purposes).

Consent for direct marketing (opt-in)

9.2 If applicable law so requires, HEINEKEN shall only send to Individuals unsolicited commercial electronic communication with the prior consent of the Individual ("opt-in"). If applicable law does not require prior consent of the Individual, HEINEKEN shall in any event offer the Individual the opportunity to opt-out of such unsolicited commercial communication.

Exception (opt-out)

9.3 Prior consent of the Individual for sending unsolicited commercial electronic communication is not required if:

(a)  an Individual has provided his electronic contact details to a Group Company in the context of a sale of a product or service of such Group Company;

(b)  such contact details are used for direct marketing of such Group Company's own similar products or services; and

(c)  provided that an Individual clearly and distinctly has been given the opportunity to object free of charge, and in an easy manner, to such use of his electronic contact details when they are collected by the Group Company.

Information to be provided in each communication

9.4 In every direct marketing communication that is made to the Individual, the Individual shall be offered the opportunity to opt-out of further direct marketing communications.

Objection to direct marketing

9.5 If an Individual objects to receiving marketing communications from HEINEKEN, or withdraws his consent to receive such communications, HEINEKEN will take steps to refrain from sending further marketing materials as specifically requested by the Individual. HEINEKEN will do so within the time period required by applicable law.

Third Parties and Direct marketing

9.6 No Data shall be provided to, or used on behalf of, Third Parties for purposes of direct marketing of such Third Party without the prior consent of the Individual.

Personal Data of Children

9.7 HEINEKEN shall not use any Personal Data of Children for direct marketing, without the prior consent of their parent or custodian.

Direct marketing records

9.8 HEINEKEN shall keep a record of Individuals that used their "opt-in" or "opt-out" right and will regularly check the public opt-out registers.

Article 10: Automated Decision Making (including profiling)

Automated decisions

10.1 Automated tools may be used to make decisions about Individuals but decisions with a negative outcome for the Individual may not be based solely on the results provided by the automated tool. This restriction does not apply if:

(a)  the use of automated tools is necessary for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which HEINEKEN is subject;

(b)  the decision is made by HEINEKEN for purposes of (a) entering into or performing a contract or (b) managing the contract, provided the underlying request leading to a decision by HEINEKEN was made by the Individual (e.g., where automated tools are used to filter promotional game submissions); or

(c)  the Individual has given his explicit consent.

In case Article 10.1(b) or (c) is applicable, HEINEKEN shall take suitable measures to safeguard the legitimate interests of the Individual, e.g. by providing the Individual with an opportunity to express his point of view.

Article 11: Transfer of Personal Data to Third Parties

Transfer to Third Parties

11.1 This Article sets forth requirements concerning the transfer of Personal Data from HEINEKEN to a Third Party. Note that a transfer of Personal Data includes situations in which HEINEKEN discloses Personal Data to Third Parties (e.g., in the context of corporate due diligence) or where HEINEKEN provides remote access to Personal Data to a Third Party.

Third Party Processors and Third Party Controllers

11.2 There are two categories of Third Parties:

(a)  Third Party Processors: these are Third Parties that Process Personal Data solely on behalf of HEINEKEN and at its direction (e.g., Third Parties that Process online registrations made by Customers);

(b)  Third Party Controllers: these are Third Parties that Process Personal Data and determine the purposes and means of the Processing (e.g., Business Partners that provide their own goods or services directly to Customers).

Transfer for applicable Business Purpose only

11.3 HEINEKEN shall transfer Personal Data to a Third Party to the extent necessary to serve the applicable Business Purpose (including Secondary Purposes as per Article 3 or purposes for which the Individual has provided consent in accordance with Article 2).

Third Party Controller safeguards

11.4 Third Party Controllers (other than government agencies) may Process Personal Data only if they have a contract with HEINEKEN. In the contract, HEINEKEN shall seek to contractually protect the data protection interests of its Individuals when Personal Data are transferred to Third Party Controllers. All such contracts shall be drafted in consultation with the appropriate Privacy Officer. Individual Business Contact Data may be transferred to a Third Party Controller without safeguards if it is reasonably expected that such Business Contact Data will be used by the Third Party Controller to contact the Individual for legitimate business purposes related to the Individual's job responsibilities.

Third Party Processor contracts

11.5 Third Party Processors may Process Personal Data only if they have a validly entered into written or electronic contract with HEINEKEN (Processor Contract). The contract with a Third Party Processor must include the following provisions:

(a) the Third Party Processor shall Process Personal Data only in accordance with HEINEKEN's instructions including on transfers of Personal Data to any Third Party Processor located in a country outside the EEA and which Third Party Processor or country are not covered by an Adequacy Decision, unless the Third Party Processor is required to do so under mandatory requirements applicable to the Third Party Processor and for the purposes authorized by HEINEKEN;

(b) the Third Party Processor shall keep the Personal Data confidential;

(c) the Third Party Processor shall take appropriate technical, physical and organizational security measures to protect the Personal Data;

(d) the Third Party Processor shall only permit subcontractors to Process Personal Data in connection with its obligations to HEINEKEN (a) with the prior specific or generic consent of HEINEKEN, and (b) based on a validly entered into written or electronic contract with the subcontractor, which imposes similar privacy protection-related Processing terms as those imposed on the Third Party Processor under the Processor Contract, and provided that the Third Party Processor remains liable to HEINEKEN for the performance of the subcontractor in accordance with the terms of the Processor Contract;

(e) HEINEKEN has the right to review the security measures taken by the Third Party Processor and the Third Party Processor shall subject its relevant data processing facilities to audits and inspections by HEINEKEN, a Third Party on behalf of HEINEKEN or any relevant government authority;

(f) the Third Party Processor shall promptly inform HEINEKEN of any actual or suspected Data Security Breach involving Personal Data;

(g) the Third Party Processor shall deal promptly and appropriately with (a) inquiries of HEINEKEN related to the Processing of Personal Data; and (b) requests for assistance of HEINEKEN, as reasonably required to ensure compliance of the Processing of Personal Data with applicable law; and

(h) upon termination of the Processor Contract, the Third Party Processor shall, at the option of HEINEKEN, return the Personal Data and copies thereof to HEINEKEN or shall securely delete such Personal Data, except to the extent the Processor Contract or applicable law provides otherwise.

 

Transfer of Data to Third Parties outside the EEA and that are not covered by an Adequacy Decision

11.6 This Article sets forth additional rules for Personal Data that are (a) collected originally in connection with activities of a Group Company that is located in the EEA or located in a country outside the EEA and which Group Company or country are covered by an Adequacy Decision; and (b) transferred to a Third Party that is located in a country outside the EEA and which Third Party or country are not covered by an Adequacy Decision.

Personal Data may be transferred to such a Third Party only if:

(a)  the transfer is necessary for the performance of a contract with the Individual, for managing a contract with the Individual or to take necessary steps at the request of the Individual prior to entering into a contract, e.g., for processing orders;

(b)  a contract has been concluded between HEINEKEN and the relevant Third Party requiring that Third Party (i) to be bound by the terms of this Procedure as if it were a Group Company; or (ii) to provide safeguards at a similar level of protection as that provided by this Procedure; the contract shall conform to any model contract requirement under applicable local law (if any);

(c)  the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Individual between HEINEKEN and a Third Party (e.g. in case of recalls);

(d)  the Third Party has been certified under a program that is recognized under applicable local law as providing an “adequate” level of data protection;

(e) the Third Party has implemented Binding Corporate Rules or a similar transfer control mechanism which provides adequate safeguards under applicable law;

(f) the transfer is necessary to protect a vital interest of the Individual;

(g) the transfer is necessary for the establishment, exercise or defence of a legal claim;

(h) the transfer is necessary to satisfy a pressing need to protect the public interests of a democratic society; or

(i) the transfer is necessary for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which the relevant Group Company is subject; or

(j) the transfer is necessary to satisfy a Business Purpose of HEINEKEN, provided the transfer is not repetitive, concerns only a limited number of Individuals, and the interests of the affected Individuals do not outweigh the Business Purpose for which the transfer is made.

Items 00, 0 and 0 above require the prior approval of the Global Privacy Officer.

 

Consent for transfer

11.7 If none of the grounds listed in Article 11.6 exist, or if applicable local law so requires, HEINEKEN shall (also) seek consent from the Individual for the transfer to a Third Party located in a country outside the EEA which Third Party or country is not covered by an Adequacy Decision.

Prior to requesting consent, the Individual shall be provided with the following information:

(a)  the purpose of the transfer;

(b)  the identity of the transferring Group Company;

(c)  the identity or categories of Third Parties to which the Data will be transferred;

(d)  the categories of Data that will be transferred;

(e)  the country to which the Data will be transferred; and

(f)   the fact that the Data will be transferred to a Third Party located in a country outside the EEA and which Third Party or country are not covered by an Adequacy Decision.

The requirements set out in Articles 2.2 and 2.3 apply to the requesting, denial or withdrawal of consent.

 

Transfer of Data to Third Parties outside the EEA and that are not covered by an Adequacy Decision

11.8 This Article sets forth additional rules for transfers of Personal Data that were collected in connection with the activities of a Group Company located in a country outside the EEA, and which Group Company or country is not covered by an Adequacy Decision, to a Third Party also located in a country outside the EEA, which Third Party or country is not covered by an Adequacy Decision. In addition to the grounds listed in Article 11.6, these transfers are permitted if they are:

(a)  necessary for compliance with a legal obligation to which the relevant Group Company is subject;

(b)  necessary to serve the public interest; or

(c)  necessary to satisfy a Business Purpose of HEINEKEN.

Article 12: Overriding Interests

Overriding Interests

12.1 The obligations of HEINEKEN or rights of Individuals as specified in Articles 12.2 and 12.3 may be overridden if, under the specific circumstances at issue, a pressing need exists that outweighs the interest of the Individual (Overriding Interest). An Overriding Interest exists if there is a need to:

(a)  protect the legitimate business interests of HEINEKEN including:

(i)    the health, security or safety of Employees or Individuals;

(ii) HEINEKEN's intellectual property rights, trade secrets or reputation;

(iii) the continuity of HEINEKEN's business operations;

(iv) the preservation of confidentiality in a proposed sale, merger or acquisition of a business; or

(v) the involvement of trusted advisors or consultants for business, legal, tax, or insurance purposes;

(b) prevent or investigate (including cooperating with law enforcement) suspected or actual violations of law, breaches of the terms of contract, or non-compliance with the HEINEKEN Code of Business Conduct or other HEINEKEN policies and procedures; or

(c) otherwise protect or defend the rights or freedoms of HEINEKEN, its Employees or other persons.

 

Exceptions in the event of Overriding Interests

12.2 If an Overriding Interest exists, one or more of the following obligations of HEINEKEN or rights of the Individual may be set aside:

(a)  Article 3.1 (the requirement to Process Personal Data for closely related purposes);

(b)  Article 6.1 and 6.2 (information provided to Individuals, Personal Data not obtained from the Individuals);

(c)  Article 7 (rights of Individuals);

(d)  Articles 8.2 and 8.3 (Staff access limitations and confidentiality requirements); and

(e) Articles 11.4, 11.5 and 11.6(b) (contracts with Third Parties).

 

Sensitive Data

12.3 The requirements of Articles 4.1 and 4.2 (Sensitive Data) may be set aside only for the Overriding Interests listed in Article 12.1(a)(i), 12.1(a)(ii), 12.1(a)(v), 12.1(b) and 12.1(c).

 

Consultation with Global Privacy Officer

12.4 Setting aside obligations of HEINEKEN or rights of Individuals based on an Overriding Interest requires prior consultation of the Global Privacy Officer. The Global Privacy Officer shall document his advice.

 

Information to Individual

12.5 Upon request of the Individual, HEINEKEN shall inform the Individual of the Overriding Interest for which obligations of HEINEKEN or rights of the Individual have been set aside, unless the particular Overriding Interest sets aside the requirements of Articles 6.1 or 7.1, in which case the request shall be denied.

Article 13: Supervision and Compliance

Global Privacy Officer

13.1 HEINEKEN International B.V. shall appoint a Global Privacy Officer who is responsible for:

(a)  Supervising compliance with this Procedure;

(b)  Coordinating the Privacy Officers network and communicating and consulting with the Privacy Officers network on central data protection issues;

(c)  Providing annual privacy reports, as appropriate, to the Executive Board on data protection risks and compliance issues, as described in Article 16.2;

(d)  Coordinating, in conjunction with the Privacy Officers network and the relevant compliance officers, official investigations or inquiries into the Processing of Personal Data by a government authority;

(e)  Dealing with conflicts between this Procedure and applicable law as described in Article 20.2;

(f)   Approving transfers as described in Articles 20.1 and 11.6;

(g)  Monitoring the performance and periodic review of a Privacy Impact Assessment (PIA) before a new system or a business process involving Processing of Personal Data is implemented as described in Article 14.3.

(h)  Monitoring the documentation, notification and communication of Data Security Breaches;

(i)    Deciding on complaints as described in Article 17; and creating and maintaining a framework for:

(i) the development, implementation and updating of local data protection policies and procedures;

(ii) the maintaining, updating and publishing of this Procedure and related sub-policies;

(iii) the creating, maintaining and updating of information regarding the structure and functioning of all systems that process personal data (as required by Article 14);

(iv) the development, implementation and updating of the relevant data protection training and awareness programs;

(v) the monitoring, auditing and reporting on compliance with this Procedure to the management board;

(vi) the collecting, investigating and resolving privacy inquiries, concerns and complaints; and

(vii) determining and updating appropriate measures/sanctions for violations of this Procedure (e.g. disciplinary standards);

(j)    Devising the data management processes, systems and tools to implement the framework for data protection management as referred to under Article 13.1(i).

In addition, and notwithstanding Article 13.2, the Global Privacy Officer can determine for which specific Organizational Unit a Privacy Officer is appropriate (see Article 13.2), after which the respective Organizational Unit shall designate a Privacy Officer.

 

Privacy Officer

13.2 HEINEKEN shall for each Organizational Unit designate a Privacy Officer. HEINEKEN may also designate a Privacy Officer for a group of Organizational Units. These Privacy Officers may, in turn, establish a network of Privacy Officers sufficient to direct compliance with this Procedure within their respective regions or functions. A list of designated Privacy Officers is published on the HEINEKEN intranet.

The Privacy Officers shall perform the following tasks:

(a)  Implement the data management processes, systems and tools, devised by the Global Privacy Officer to implement the framework for data protection management, in their respective Organizational Unit;

(b)  Support and assess overall data protection management compliance within their Organizational Unit;

(c)  Regularly advise their respective executive teams, Responsible Manager and the Global Privacy Officer on privacy risks and compliance issues;

(d)  Maintain (or ensure access to) an inventory of the system information about the structure and functioning of all systems that process Personal Data (as required by Article 14.2);

(e)  Be available for requests for privacy approvals or advice as described in Articles 2.1, 2.2, 4.4, 7 and 11.7;

(f)   Provide information relevant to the annual privacy report of the Global Privacy Officer (as required in Article 16);

(g)  Assist the Global Privacy Officer in the event of official investigations or inquiries by government authorities;

(h)  Own and authorize all appropriate privacy sub-policies in their organizations;

(i)    Direct that stored Personal Data be deleted or destroyed, de-identified or transferred as required by Article 5.2;

(j)    Decide on and notify the Global Privacy Officer of complaints as described in Article 17; and

(k)  Cooperate with the Global Privacy Officer, other Privacy Officers, and the general business principles compliance officers to:

(i) Ensure that the instructions, tools and training are in place to enable the Organizational Unit to comply with this Procedure;

(ii) Share and provide guidance on best practices for data protection management within their Organizational Unit;

(iii) Ensure that data protection requirements are taken into account whenever new technology is implemented in their Organizational Unit; and

(iv) Notify the Responsible Manager of the involvement of external service providers with data processing tasks for their Organizational Unit.

 

Responsible Manager

13.3 The Responsible Manager is accountable that effective data protection management is implemented in his Organizational Unit (including but not limited to the obligation to appoint a Privacy Officer and the responsibility for executing Privacy Impact Assessments, where necessary), is integrated into business practices, and that adequate resources and budget are available.

Responsible Managers are accountable for:

(a)  Ensuring overall data protection management compliance within their Organizational Unit, also during and following organisational restructuring, outsourcing, mergers and acquisitions and divestures;

(b)  Implementing the data management processes, systems and tools, devised by the Global Privacy Officer to implement the framework for data protection management, in their respective Organizational Unit;

(c)  Ensuring that the data protection management processes and systems are maintained up to date against changing circumstances and legal and regulatory requirements;

(d)  Ensuring and monitoring ongoing compliance of third parties with the requirements of this Procedure in case Personal Data are disclosed by HEINEKEN to a Third Party (including entering into a written or electronic contract with such Third Party and obtaining a sign off of such contract from the legal department);

(e)  Ensuring that relevant individuals in their Organizational Unit follow the prescribed data protection training courses; and

(f)   Directing that stored Personal Data be deleted or destroyed, de-identified or transferred as required by Article 5.2.

Responsible Managers are responsible for:

(g)  Appointing a Privacy Officer for their Organizational Unit;

(h)  Consulting with the Global Privacy Officer in all cases where there is a conflict between applicable local law and this Procedure as described in Article 20.2; and

(i)    Informing the Global Privacy Officer of any new legal requirement that may interfere with HEINEKEN's ability to comply with this Procedure as required by Article 20.3.

 

Privacy Officer with a statutory position

13.4 Where a Privacy Officer holds his position pursuant to law, he shall carry out his job responsibilities to the extent they do not conflict with his statutory position.

Article 14: Policies and Procedures

Policies and procedures

14.1 HEINEKEN shall develop and implement policies and procedures to comply with this Procedure.

 

System information

14.2 HEINEKEN shall maintain readily available information regarding the structure and functioning of all systems and processes that Process Personal Data (e.g. inventory of systems and processes, Privacy Impact Assessments).

 

Privacy Impact Assessments

14.3 HEINEKEN shall maintain a procedure to conduct and document a prior assessment of the impact that processing may have on the protection of Personal Data, where such Processing is likely to result in a high risk for the rights and freedoms of Individuals, in particular where new technologies are used.

Article 15: Training

Staff training

15.1 HEINEKEN shall provide training on this Procedure and related confidentiality obligations to Staff members who have access to Personal Data.

Article 16: Monitoring and Auditing Compliance

Audits

16.1 HEINEKEN Global Audit shall audit business processes and procedures that involve the Processing of Personal Data for compliance with this Procedure. The audits shall be carried out in the course of the regular activities of Global Audit or at the request of the Global Privacy Officer. The Global Privacy Officer may request to have an audit as specified in this Article 16.1 conducted by an external auditor. Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The Global Privacy Officer and the appropriate Privacy Officers shall be informed of the results of the audits. Violations of the Procedure identified in an audit will be reported to senior management. A copy of the audit results will be provided to the Dutch Data Protection Authority upon request.

 

Annual Privacy Report

16.2 The Global Privacy Officer shall implement appropriate processes to monitor compliance with this Procedure and produce an annual Personal Data privacy report for the Executive Board on compliance with this Procedure, data protection risks and other relevant issues. Each Privacy Officer shall provide information relevant to the report to the Global Privacy Officer.

 

Mitigation

16.3 HEINEKEN shall, if so indicated, ensure that adequate steps are taken to address breaches of this Procedure identified during the monitoring or auditing of compliance pursuant to this Article 16.

Article 17: Complaints Procedure

Complaint

17.1 Individuals may file a complaint regarding compliance with this Procedure or violations of their rights under applicable local law:

(a)  in accordance with the applicable complaints procedure set forth in the HEINEKEN Code of Business Conduct or contract; or

(b)  with the appropriate Privacy Officer.

The appropriate Privacy Officer shall:

(a)  notify the Global Privacy Officer;

(b)  initiate an investigation; and

(c)  when necessary, advise the business on the appropriate measures for compliance and monitor, through to completion, the steps designed to achieve compliance.

The appropriate Privacy Officer may consult with any government authority having jurisdiction over a particular matter about the measures to be taken.

 

Reply to Individual

17.2 Within four weeks of HEINEKEN receiving a complaint, the appropriate Privacy Officer shall inform the Individual, in writing or electronically, either (i) of HEINEKEN’s position with regard to the complaint and any action HEINEKEN has taken or will take in response, or (ii) of the date on which he will be informed of HEINEKEN’s position, which date shall be no later than twelve weeks thereafter. The appropriate Privacy Officer shall send a copy of the complaint and his written reply to the Global Privacy Officer.

 

Complaint to Global Privacy Officer

17.3 An Individual may file a complaint with the Global Privacy Officer if:

(a)  the resolution of the complaint by the appropriate Privacy Officer is unsatisfactory to the Individual (e.g., the complaint is rejected);

(b)  the Individual has not received a response as required by Article 17.2;

(c)  the time period provided to the Individual pursuant to Article 17.2 is, in light of the relevant circumstances, unreasonably long and the Individual has objected, but has not been provided with a shorter, more reasonable time period in which he will receive a response; or

(d)  in the events listed in Article 7.4.

The procedure described in Articles 17.1 and 17.2 shall apply to complaints filed with the Global Privacy Officer.

Article 18: Legal Issues

Complaints procedure

18.1 Individuals are encouraged to first follow the complaints procedure set forth in Article 17 of this Procedure before filing any complaint or claim with the competent DPA or courts.

 

Local law and jurisdiction

18.2 The rights contained in this Article are in addition to and shall not prejudice any other rights or remedies that either party may otherwise have by law.

In case of a violation of this Procedure, the Individual may only, at his choice, submit a complaint or a claim to the following DPAs or courts (as applicable):

(a)  in the EEA country at the origin of the Data transfer, against the Group Company in such country of origin responsible for the relevant Data transfer;

(b)  in the EEA country where the Individual resides, against the Group Company being the Data Controller of the relevant Data; or

(c)  in the Netherlands, against HEINEKEN International B.V.

The DPAs and courts shall apply their own substantive and procedural laws to the dispute. Any choice made by the Individual will not prejudice the substantive or procedural rights he or she may have under applicable law.

 

Right to claim direct damages

18.3 In case an Individual brings a claim under Article 18.2, such Individual shall be entitled to compensation, to the extent provided by applicable EEA law, for damages suffered by the Individual resulting from a violation of this Procedure.

 

Burden of proof in respect of claim for damages

18.4 In case an Individual brings a claim for damages under Article 18.2, it will be for the Individual to demonstrate that he has suffered actual damages and to establish facts which show it is plausible that the damage has occurred because of a violation of this Procedure. It will subsequently be for the relevant Group Company to prove that the damages suffered by the Individual due to a violation of this Procedure are not attributable to HEINEKEN. 

 

Mutual assistance and redress

18.5 All Group Companies shall co-operate and assist each other to the extent reasonably possible to handle:

(a)  a request, complaint or claim made by an Individual; or

(b)  a lawful investigation or inquiry by a competent DPA or public authority.

The Group Company that receives a request, complaint or claim from an Individual is responsible for handling any communication with the Individual regarding his request, complaint or claim except where circumstances dictate otherwise.

The Group Company that is responsible for the Processing to which the request, complaint or claim relates, shall bear all costs involved and reimburse HEINEKEN International B.V.

 

Advice of the Lead DPA

18.6 HEINEKEN International B.V. shall abide by the advice of DPAs, competent pursuant to Article 18.2, issued on the interpretation and application of this Procedure.

 

Mitigation

18.7 HEINEKEN International B.V. shall ensure that adequate steps are taken to address violations of this Procedure by a Group Company.

 

Law applicable to this Procedure

18.8 This Procedure shall be governed by and interpreted in accordance with Dutch law.

Article 19: Sanctions for Non-compliance

Non-compliance

19.1 Non-compliance of Employees with this Procedure may result in appropriate measures in accordance with applicable local law up to and including termination of employment.

Article 20: Conflicts between the Procedure and Applicable Local Law

Conflict of law when transferring Data

20.1 Where a legal requirement to transfer Personal Data conflicts with the laws of the Member State(s) of the EEA or the law of Switzerland, the transfer requires the prior approval of the Global Privacy Officer. The Global Privacy Officer shall seek the advice of Global Legal Affairs if appropriate. The Global Privacy Officer may seek the advice of the Dutch Data Protection Authority or another competent government authority.

 

Conflict between Procedure and law

20.2 In all other cases, where there is a conflict between applicable local law and the Procedure, the relevant Responsible Manager shall consult with the Global Privacy Officer to determine how to comply with this Procedure and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company.

 

New conflicting legal requirements

20.3 The relevant Responsible Manager shall promptly inform the Global Privacy Officer of any new legal requirement that may interfere with HEINEKEN's ability to comply with this Procedure.

Article 21: Changes to the Procedure

21.1 Any changes to this Procedure require the prior approval of the Executive Director Global Legal Affairs of HEINEKEN. HEINEKEN shall notify the Dutch Data Protection Authority of material changes to this Procedure on a yearly basis.

21.2 This Procedure may be changed by HEINEKEN without the Individual's consent, even though an amendment may relate to a benefit conferred on Individuals.

21.3 Any amendment shall enter into force and take immediate effect after it has been approved in accordance with this Article 21 and is published on the HEINEKEN website.

21.4 Any request, complaint or claim of an Individual involving this Procedure shall be judged against the Procedure that is in force at the time the request, complaint or claim is made.

Article 22: Exception for local-for-local systems

22.1 This Procedure does not apply to the Processing of Personal Data collected in connection with local activities of a HEINEKEN Group Company located in a country outside the EEA and which Group Company or country are not covered by an Adequacy Decision, with the exception of the security and governance requirements of this Procedure which will remain applicable. In respect of such Processing of Personal Data, the relevant HEINEKEN Group Company may decide whether to apply this Procedure. Such Processing of Personal Data shall at least be compliant with applicable local law.

Article 23: Transition Periods

General transition period

23.1 Except as indicated below, there shall be a two-year transition period for compliance with this Procedure. Accordingly, except as otherwise indicated, within two years of the Effective Date, all Processing of Personal Data shall be undertaken in compliance with this Procedure. During the transition period, any transfer of Personal Data to a Group Company under this Procedure as a data transfer mechanism may only take place to the extent that (i) the Group Company receiving such Personal Data is compliant with this Procedure, or (ii) the data transfer meets one of the grounds for transfer listed in Articles 11.6 through 11.8.

 

Transition period for new Group Companies

23.2 Any entity that becomes a Group Company after the Effective Date shall comply with this Procedure within two years of becoming a Group Company.

 

Transition Period for Divested Entities

23.3 A Divested Entity may remain covered by this Procedure after its divestment for such period as may be required by HEINEKEN to disentangle the Processing of Personal Data relating to such Divested Entity.

 

Transition period for IT Systems

23.4 Where implementation of this Procedure requires updates or changes to information technology systems (including replacement of systems), the transition period shall be three years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.

 

Transition Period for Existing Agreements

23.5 Where there are existing agreements with Third Parties that are affected by this Procedure, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business.

 

Transition Period for Local-for-Local Systems

23.6 Processing of Personal Data that were collected in connection with activities of a Group Company located in a country outside the EEA and which Group Company or country are not covered by an Adequacy Decision shall be brought into compliance with this Procedure within five years of the Effective Date.

 

Contact details

HEINEKEN Global Privacy Officer
c/o HEINEKEN International B.V.
Tweede Weteringplantsoen 21
1017 ZD Amsterdam
The Netherlands
Tel: +31 (0)20 523 92 39

Annex: Interpretations & Definitions

Interpretations of this procedure

(a)       Unless the context requires otherwise, all references to a particular Article or Annex are references to that Article or Annex in or to this document, as they may be amended from time to time;

(b)       headings are included for convenience only and are not to be used in construing any provision of this Procedure;

(c)       if a word or phrase is defined, its other grammatical forms have a corresponding meaning;

(d)       the male form shall include the female form;

(e)       the words "include", "includes" and "including" and any words following them shall be construed without limitation to the generality of any preceding words or concepts and vice versa;

(f)        a reference to a document (including, without limitation, a reference to this Procedure) is to the document as amended, varied, supplemented or replaced, except to the extent prohibited by this Procedure or that other document; and

(g)       a reference to law includes any regulatory requirement, sectorial recommendation, and best practice issued by relevant national and international supervisory authorities or other bodies.

 

Definitions

 

Adequacy Decision

ADEQUACY DECISION shall mean a decision issued by the European Commission under Article 25 of the EU Data Protection Directive that a country or region outside the EEA or a category of recipients in such country or region is deemed to provide an ‘adequate’ level of data protection.

 

Archive

ARCHIVE shall mean a collection of Personal Data that are no longer necessary to achieve the purposes for which the Data originally were collected or that are no longer used for general business activities, but are used only for historical, scientific or statistical purposes, dispute resolution, investigations or general archiving purposes. An archive includes any data set that can no longer be accessed by any Employee other than the system administrator.

 

Article

ARTICLE shall mean an article in this Procedure.

Binding Corporate Rules

BINDING CORPORATE RULES shall mean a privacy policy of a group of undertakings which under applicable local law (such as Article 25 of the EU Data Protection Directive) is considered to provide an adequate level of protection for the transfer of Personal Data within that group of undertakings.

 

Business Contact Data

BUSINESS CONTACT DATA shall mean any data typically found on a business card and used by the Individual in his contact with HEINEKEN.

 

Business Partner

BUSINESS PARTNER shall mean any Third Party, other than a Customer or Supplier, that has or had a business relationship or strategic alliance with HEINEKEN (e.g. joint marketing partner, joint venture or joint development partner).

 

Business Purpose

BUSINESS PURPOSE shall mean a purpose for Processing Personal Data as specified in Article 2 or 3 or for Processing Sensitive Data as specified in Article 3 or 4.

 

Children

CHILDREN shall mean individuals under the age of 13 years.

 

Customer

CUSTOMER shall mean any person, private organization, or government body that purchases, may purchase or has purchased a HEINEKEN product or service.

 

DPA

DPA shall mean any data protection authority of an EEA country.

 

Data Security Breach

DATA SECURITY BREACH shall mean the unauthorized acquisition, access, use or disclosure of unencrypted Personal Data that compromises the security or privacy of such information to the extent the compromise poses a high risk of financial, reputational, or other harm to the Individual. A Data Security Breach is deemed not to have occurred where there has been an unintentional acquisition, access or use of unencrypted Personal Data by an Employee of HEINEKEN or Third Party Processor or an individual acting under their respective authority, if:

(a)  the acquisition, access, or use of Personal Data was made in good faith and within the course and scope of the employment or professional relationship of such employee or other individual; and

(b)  the Personal Data are not further acquired, accessed, used or disclosed by any person.

 

Divested Entity

DIVESTED ENTITY shall mean a Group Company or business divested by HEINEKEN by means of:

 

(a) a sale of shares as a result whereof the divested Group Company no longer qualifies as a Group Company and/or

(b) a demerger, sale of assets, or any other manner or form.

 

EEA

EEA or EUROPEAN ECONOMIC AREA shall mean all Member States of the European Union, plus Norway, Iceland and Liechtenstein.

 

Effective Date

EFFECTIVE DATE shall mean the date on which this Procedure becomes effective as set forth in Article 1.5.


Employee

EMPLOYEE shall mean the following persons:


(a)  an employee, job applicant or former employee of HEINEKEN, including temporary workers working under the direct supervision of HEINEKEN (e.g. independent contractors and trainees). This term does not include people working at HEINEKEN as consultants or employees of Third Parties providing services to HEINEKEN;

(b)  a (former) executive or non-executive director of HEINEKEN.


Employee Data

EMPLOYEE DATA shall mean any information relating to an identified or identifiable Employee in the context of their employment relationship with HEINEKEN. This definition does not cover the processing of Employee Data in the Employee’s capacity as a customer of HEINEKEN.

Employment-at-will

EMPLOYMENT-AT-WILL means an employment relationship in which either the employer or employee can terminate the employment relationship at any time for any reason, with or without advance notice.


EU Data Protection Directive

EU DATA PROTECTION DIRECTIVE shall mean Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, or any successor or replacement thereof.


Executive Board

EXECUTIVE BOARD shall mean the Executive Board of HEINEKEN N.V.


Global Privacy Officer

GLOBAL PRIVACY OFFICER shall mean the officer as referred to in Article 13.1.


Group Company

GROUP COMPANY shall mean HEINEKEN N.V. and any company or legal entity of which HEINEKEN N.V., directly or indirectly, owns more than 50% of the issued share capital, has more than 50% of the voting power at general meetings of shareholders, has the power to appoint a majority of the directors, or otherwise directs the activities of such other legal entity; however, any such company or legal entity shall be deemed a Group Company only as long as such a liaison and/or relationship exists and is covered by the HEINEKEN Code of Business Conduct.


HEINEKEN

HEINEKEN shall mean HEINEKEN N.V. and its Group Companies.


HEINEKEN International B.V.

HEINEKEN INTERNATIONAL B.V. shall mean HEINEKEN International B.V., having its registered seat at Tweede Weteringplantsoen 21, 1017 ZD, Amsterdam, The Netherlands.


HEINEKEN Code of Business Conduct

HEINEKEN CODE OF BUSINESS CONDUCT shall mean the HEINEKEN Code of Business Conduct as published on the HEINEKEN intranet and any amendments thereto from time to time.

HEINEKEN N.V.

HEINEKEN N.V. shall mean HEINEKEN N.V., having its registered seat at Tweede Weteringplantsoen 21, 1017 ZD, Amsterdam, The Netherlands.


Individual

INDIVIDUAL shall mean any individual who is an employee of, or any person working for, a Customer, Supplier or Business Partner, and any other individual whose Personal Data HEINEKEN Processes in the context of the provision of its services.


Organizational Unit

ORGANIZATIONAL UNIT shall mean each operating company or Global Function of HEINEKEN.


Original Purpose

ORIGINAL PURPOSE shall mean the purpose for which Personal Data was originally collected.


Overriding Interest

OVERRIDING INTEREST shall mean the pressing interests set forth in Article 12.1 based on which the obligations of HEINEKEN or rights of Individuals set forth in Article 12.2 and 0 may, under specific circumstances, be overridden if this pressing interest outweighs the interest of the Individual.


Personal Data or Data

PERSONAL DATA or DATA shall mean any information relating to an identified or identifiable Individual.


Privacy Impact Assessment (PIA)

PRIVACY IMPACT ASSESSMENT (PIA) shall mean a procedure to conduct and document a prior assessment of the impact which a given Processing may have on the protection of Personal Data, where such Processing is likely to result in a high risk for the rights and freedoms of Individuals, in particular where new technologies are used.


A PIA shall contain:


(a)  a description of:

(i)      the Processing;

(ii)     the Business Purpose for which Personal Data is Processed;

(iii)   the specific purposes for which Sensitive Data is Processed;

(iv)   the categories of Personal Data recipients, including recipients located in a country outside the EEA where such recipients or countries are not covered by an Adequacy Decision;

(v)     Personal Data storage periods;

(b)  an assessment of:

(i)      the necessity and proportionality of the Processing;

(ii)     the risks to the privacy rights of Individuals and the measures to mitigate these risks.


Privacy Officer

PRIVACY OFFICER shall mean the privacy officers appointed pursuant to Articles 13.1 and 13.2.


Processing

PROCESSING shall mean any operation that is performed on Personal Data, whether or not by automatic means, such as collection, recording, storage, organization, alteration, use, disclosure (including the granting of remote access), transmission or deletion of Personal Data.


Procedure

PROCEDURE shall mean this Privacy Procedure for Customer, Supplier and Business Partner Data and any amendments thereto.


Processor Contract

PROCESSOR CONTRACT shall mean any contract for the Processing of Personal Data entered into by HEINEKEN and a Third Party Processor.


Responsible Manager

RESPONSIBLE MANAGER shall mean the head of an Organizational Unit.


Secondary Purpose

SECONDARY PURPOSE shall mean any purpose other than the Original Purpose for which Personal Data is further Processed.


Sensitive Data

SENSITIVE DATA shall mean Personal Data that reveal an Individual's racial or ethnic origin, political opinions or membership in political parties or similar organizations, religious or philosophical beliefs, membership in a professional or trade organization or union, physical or mental health including any opinion thereof, disabilities, genetic code, addictions, sex life, criminal offenses, criminal records, biometric data, proceedings with regard to criminal or unlawful behaviour, or social security numbers issued by the government.


Staff

STAFF shall mean all Employees and other persons who Process Personal Data as part of their respective duties or responsibilities using HEINEKEN information technology systems or working primarily from HEINEKEN premises.


Supplier

SUPPLIER shall mean any Third Party that provides goods or services to HEINEKEN (e.g. an agent, consultant or vendor).


Third Party

THIRD PARTY shall mean any person, private organization or government body outside HEINEKEN.


Third Party Controller

THIRD PARTY CONTROLLER shall mean a Third Party that Processes Personal Data and determines the purposes and means of the Processing.


Third Party Processor

THIRD PARTY PROCESSOR shall mean a Third Party that Processes Personal Data on behalf of HEINEKEN that is not under the direct authority of HEINEKEN.