10.1. The purposes for which the Company process or will process Personal Information is to allow the Company to ensure that it best aligns the consumer’s needs with the services available, or otherwise as is provided for under lawful processing in the Act.
10.2. Purpose of the Processing of Personal Information
10.2.1. HR
10.2.1.1. To enable the RB Group to maintain appropriate human resources records in relation to members of staff, including recruitment and selection, administration of payroll, expenses, accounts, tax, travel and benefits, work management, professional development and performance reviews, discipline and superannuation.
10.2.1.2. To enable Reckitt Benckiser Group to operate a workplace whistleblowing hotline to detect and prevent improper workplace conduct and crime prevention in accordance with relevant business conduct policies.
10.2.2. Customer Marketing
10.2.2.1. To enable the RB Group to maintain a customer relationship marketing database of individuals to whom information and promotional material may be sent in relation to products and services that may be of interest to them.
10.2.3. Customer Care
10.2.3.1. To enable consumer care via call centres to be provided including integrating external and internal management consumer information across the Reckitt Group, embracing finance, manufacturing, sales and procurement.
10.2.4. IT Administration
10.2.4.1. To enable IT administration to manage users of the Reckitt Group's network, allowing staff secure access to their IT systems, backing up information on the Company’s network, document management, email system (Microsoft Exchange) and intranet service (RBOnline).
10.2.5. Accounts and Records Procurement
10.2.5.1. To enable procurement of goods and services by Reckitt Group.
10.2.6. Crime Prevention and Prosecution of Offenders
10.2.6.1. To enable the prevention and detection of a crime or alleged crime through the use of CCTV on Reckitt Group sites.
10.3. Categories of Data Subjects and Personal Information/special Personal Information relating thereto. As per section 1 of POPIA, a data subject may either be a natural or a juristic person.
10.3.1. HR
The personal data will include:
10.3.1.1. names and contact details of the data subject;
10.3.1.2. employment details;
10.3.1.3. financial details;
10.3.1.4. educational experience, business activities and skill set;
10.3.1.5. family members (where provided as point of contact); in Mexico
10.3.1.6. social activities, hobbies (as cultural, sports, professional, civic), family information
10.3.2. Customer Marketing
The personal data will include:
10.3.2.1. names and contact details of the data subject including email and telephone details;
10.3.2.2. country of residence;
10.3.2.3. nationality;
10.3.2.4. goods or services provided.
10.3.3. Customer Care
The personal data will include
- names and contact details of the data subject;
- (ii) employment details;
- (iii) financial details; (iv) educational experience, business activities and skill set;
- (v) family members (where provided as point of contact);
- (vi) goods or services provided.
10.2.1 IT Administration
The personal data will include
- names and contact details of the data subject;
- employment details;
- (iii) family members (where provided as point of contact).
10.2.2 Accounts and Records Procurement The personal data will include
- names and contact details of the data subject;
- employment details;
- goods or services provided
10.2.3 Crime Prevention and Prosecution of Offenders
- The personal data will include images of the data subject.
10.2. Recipients or categories of recipients of Personal Information to whom Personal Information may be supplied
10.3.1. The Company may provide a data subject's Personal Information to recipients to which disclosure is required for regulatory compliance or otherwise as provided for within the provisions of the act, with reference to “processing’’:
‘Section 1: “processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or
destruction of information;”
10.3.2. The Company will not without grounds for lawful processing, disclose personal information of the data subject in contravention of the data subject’s right to privacy.
10.3. Planned Transborder flow of Personal Information
10.4. The Reckitt Group is committed to safeguarding the security of all personal data which it processes through day-to-day operations. To achieve this, the Reckitt Group has developed and implemented technical and organisational measures that strive to safeguard this important asset. The measures form a robust Information Security protection program made up of data privacy and security policies and functional specific Standard Operating Procedures, which include the following measures:
10.4.1. The following is a list of the planned cross-border transfers of Personal Information is as set out in the Intra Group Transfer agreement
10.5.1 Information Security Policies and Standards:
10.5.1.1 Reckitt will implement security requirements within the organisation and for staff and all Sub processors, service providers, or agents who have access to Personal Data to maintain the integrity, confidentiality, resilience and availability of Personal Data, to include (but not be limited to) the following:
- Prevent unauthorized persons from gaining access to Personal Data processing systems (physical access control);
- Prevent Personal Data processing systems being used without authorization (logical access control);
- Ensure that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
- Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified, with appropriate pseudonymization and encryption measures adopted to protect the confidentiality of data during transfer and storage (data transfer and storage control);
- Ensure the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing (entry control);
- Ensure that Personal Data are Processed solely in accordance with transferor / data exporter’s Instructions (control of instructions);
- Ensure that Personal Data are protected against accidental destruction or loss, and appropriate measures adopted to support access to data and / or restoration of data
in the event of a physical or technical incident impacting availability (availability control); and
- Ensure that Personal Data collected for different purposes can be processed separately (separation control).
- These rules shall be kept up to date and revised whenever relevant changes are made to any information system that uses or houses Personal Data, or to how that system is organised.
- These rules shall be routinely reviewed to evaluate efficacy and areas for improvement and where relevant adopt and apply changes as part of a continuous improvement programme.
10.5.2 Physical Security
10.5.2.1 The transferee / data importer will maintain commercially reasonable security systems at all transferee / data importer sites at which an information system that uses or houses Personal Data is located. The Suppler reasonably and appropriately restrict access to such Personal Data.
10.5.2.2 Physical access control shall be implemented for all data centres. unauthorised access is prohibited through 24x7 onsite staff and security camera monitoring.
10.5.3 Organisational Security
10.5.3.1 The transferee / data importer shall ensure that it has implemented security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.
10.5.3.2 All Personal Data security incidents shall be managed in accordance with appropriate incident response procedures.
10.5.4. Network Security
10.5.4.1 The transferee / data importer shall maintain network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection systems, access control lists and routing protocols.
10.5.5 Access Control
10.5.5.1. Only authorised staff shall be permitted to grant, modify or revoke access to an information system that uses or houses Personal Data.
10.5.5.2. User administration procedures shall be adopted which define user roles and their privileges, how access is granted, changed and terminated; addresses appropriate segregation of duties; and defines the logging/monitoring requirements and mechanisms.
10.5.5.3. All employees of the transferee / data importer shall be assigned unique User- IDs.
10.5.5.4. Access rights shall be implemented adhering to the “least privilege” approach.
10.5.5.5. The transferee / data importer shall implement commercially reasonable physical and electronic security to create and protect passwords.
10.5.5.6. Virus and Malware Controls
- The transferee / data importer shall install and maintain industry standard (which shall comprise the latest version) anti-virus and malware protection software on the system.
10.5.6. Personnel
10.5.6.1 The transferee / data importer shall implement a security awareness program to train personnel about their security obligations. This program shall include training about data classification obligations, physical security controls, security practices and security incident reporting.
10.5.6.2 The transferee / data importer shall have clearly defined roles and responsibilities for its employees. Screening is implemented before employment with terms and conditions of employment applied appropriately.
10.5.6.3. The transferee / data importer personnel shall strictly follow established security policies and procedures. Disciplinary process will be appropriately applied if employees commit a security breach.
10.5.7 Additional Security Requirements
10.5.7.1 The transferee / data importer shall not delete or remove any proprietary notices contained within or relating to Personal Data.
10.5.7.2 The transferee / data importer shall perform and maintain secure back-ups of all Personal Data and shall ensure that up-to-date back-ups are stored off- site. transferee / data importer shall ensure that such back-ups are available to transferor / data exporter (or to such other person as transferor / data exporter may direct) at no additional cost to transferor / data exporter, and that the data contained in the back-ups are available at all times upon request and are delivered to transferor / data exporter at no less than six (6) monthly intervals (or such other intervals as may be agreed in writing between the Parties).
10.5.7.3 The transferee / data importer shall ensure that any system on which it holds any Personal Data, including back-up data, is a secure system that complies with all security requirements.
10.5.7.4. If Personal Data is corrupted, lost or sufficiently degraded as a result of the transferee / data importer 's default so as to be unusable, transferor / data exporter may:
- require the transferee / data importer (at the transferee / data importer ’s expense) to restore or procure the restoration of Personal Data to the extent possible and transferee / data importer shall do so as soon as practicable but not later than five (5) days from the date of receipt of transferor / data exporter’s notice; and/or
- itself restore or procure the restoration of Personal Data and shall be repaid by the transferee / data importer any reasonable expenses incurred in doing so.
10.5.7.5 If at any time the transferee / data importer suspects or has reason to believe that Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the transferee / data importer shall notify transferor / data exporter immediately and inform transferor / data exporter of the remedial action the transferee / data importer proposes to take.
10.5.8 Malicious Software
10.5.8.1 The transferee / data importer shall, as an enduring obligation and at no cost to transferor / data exporter, use the latest versions of anti-virus definitions and software available from an industry accepted anti-virus software vendor (unless otherwise agreed in writing between the Parties) to check for, contain the spread of, and minimise the impact of Malicious Software in the relevant IT environment (or as otherwise agreed by the Parties).
10.5.8.2 The transferee / data importer may be required to provide details of the version of anti-virus software being used in certain circumstances (e.g. in response to a specific threat).
10.5.8.3 Notwithstanding the above, if Malicious Software is found, the Parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Personal Data, assist each other to mitigate any losses and to restore the Services to their desired operating efficiency.
10.5.8.4 Any cost arising out of the actions of the Parties taken in compliance with the above provisions shall be borne by the Parties as follows:
- by the transferee / data importer where the Malicious Software originates from the transferee / data importer ’s software, the third- party software supplied by the transferee / data importer (except where transferor / data exporter has waived the obligation) or Personal Data (whilst such Personal Data was under the control of the transferee / data importer or any of its Sub processors) unless the transferee / data importer can demonstrate that such Malicious Software was present and not quarantined or otherwise identified by transferor / data exporter when provided to the transferee / data importer ; and
- Otherwise by transferor / data exporter
- Annexure A: J752 PAIA Form C
Link to the form