Group Data Privacy Policy

1 Background

With the digital revolution, social media and mobile devices, companies are processing and holding an increasing volume of personal information about individuals. The General Data Protection Regulation (“GDPR”) is the baseline of the EU´s view upon how personal data must be processed in order to secure personal integrity. For the Toly Group, it is of utmost importance to conduct business in an honest and transparent manner and to always maintain high ethical standards. Therefore, any information relating to an identified or identifiable natural person (“Personal Data”) must, at all times, be handled in a compliant manner within the Toly Group.

This Policy on Data Privacy describes what Toly expects from its employees and business partners regarding the recording and processing of Personal Data and how Toly performs its work tasks and conducts its business to maintain and protect the fundamental rights and freedoms of individuals whose Personal Data Toly processes. Correspondingly, this Policy also describes what employees and other stakeholders (“Data Subjects”) can expect from Toly with respect to Toly's Processing of their Personal Data.

Further details as well as definitions of key terms and requirements related to the transfer of data can be found in the Toly Manual on Data Privacy.

2 Scope of the Policy on Data Privacy

Irrespective of the fact that GDPR is an EU regulation, within the Toly Group, GDPR shall serve as the baseline globally. Therefore, this Policy on Data Privacy is applicable to any and all activities, regardless of geographic location, which include processing of Personal Data by any Toly Group Company globally, excluding Toly China and Toly Korea. Any Toly Group Company and any Toly Group full or part time employee processing Personal Data shall comply with the applicable legislation in each Toly Group Company's respective jurisdiction.

Apart from having GDPR as the baseline, this Policy aims to set forth a supplementary framework to the applicable data protection legislation in each jurisdiction where Toly operates. In the event of inconsistency between this Policy and the applicable legislation, the applicable legislation shall prevail. However, if this Policy provides for a higher standard of protection for Personal Data, the provisions herein shall prevail, unless applicable legislation provides otherwise.

3 Principles for processing of Personal Data

3.1Principles for processing of Personal Data

When collecting and processing Personal Data this must:

  • Be processed fairly and lawfully and in compliance with applicable legislation;
  • Be obtained only for a specific purpose that can be justified (whereas some purposes are never justified);
  • Be processed in a manner compatible with the purpose;
  • Be adequate, relevant and not excessive in relation to the purpose, i.e. a “nice to have” purpose is not permitted;
  • Be accurate, complete and, where necessary, kept up to date;
  • Not be kept for longer than is necessary;
  • Be processed in accordance with the rights of data subjects;
  • Be kept secure in a solid system, with appropriate technical and organizational measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information;
  • Not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data.

For more information on how to ensure an adequate level of protection in connection with transfers of Personal Data outside the European Economic Area, please contact your Data Protection Officer, in your Company.

3.2 Accountability

Toly shall always be able to demonstrate its compliance with the general and fundamental principles (as reflected in this Policy) relating to Processing of Personal Data. This includes e.g. that Toly always shall be able to demonstrate that the general principles for processing of Personal Data are fulfilled, that there is a legal ground for the processing, and that the appropriate technical and organizational measures have been taken to ensure that the Personal Data is protected.

4 Legal Grounds for processing of Personal Data

4.1 Legal Grounds

Personal Data may only be obtained for a specific purpose that can be justified, i.e. there must be a legal ground for the processing of Personal Data, which must be based upon one of the following.

  • The individual's prior given, voluntary and informed consent.
  • Necessary for specific purposes, e.g. performance of a contract or compliance with a legal obligation.
  • Based on a legitimate interest, which overrides the individual's privacy interest.
4.2 To consider when selecting a Legal Ground
  • When selecting a legal ground, you have the burden of proof.
  • It must be clearly distinguishable if part of an agreement.
  • Conditional consents are not valid.
  • In practice, new consents must be obtained.

For more information on how to select a legal ground and how to justify the processing of Personal Data, please contact your Data Protection Officer in your Company.

5 Rights for the Data Subjects

Toly shall observe the rights that are granted to the Data Subjects according to applicable legislation, whereas

  • Individuals have a right to information, i.e. to know what data is stored and processed related to their person.
  • Individuals have a right to access the data (also electronically).
  • Individuals have a right to rectification, should the stored data not be correct.
  • Individuals have a right to demand that their data is erased ("right to be forgotten").
  • Individuals have a right to request that the processing of their data is restricted.
  • Individuals have a right to require data portability.
  • Individuals have a right to object, e.g. against processing for direct marketing purposes.

6 Incident Management

In the event of an incident which leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, Toly shall immediately upon becoming aware of the incident, investigate the incident. If it is likely that the incident may pose a risk to the rights and freedoms of the Data Subjects, Toly shall notify the supervisory authority about the incident no later than 72 hours from when Toly became aware of the incident. Thus, any unauthorized access to data following the loss of a mobile phone, lap top or similar, such report must be submitted. If the incident poses a significant risk to the Data Subject's integrity, Toly shall also notify the Data Subject about the incident.

Reports on unauthorized data access/disclosure shall be made immediately to the Data Protection Officer in your Company.

7 Compliance and Governance

Each legal entity within Toly must have internal procedures to ensure that this Data Privacy Policy as well as applicable legislation are complied with. This Data Privacy Policy is supplemented by a Data Privacy Manual, which provides more detailed guidance on how to handle and transfer Personal Data. Furthermore, Toly has a Group Data Protection Officer, who serves as the interface and contact area when it comes to ensuring compliance and good conduct in relation to the Data Privacy legislations applicable in the jurisdictions where the Toly Group is operating.

Toly shall ensure that all relevant employees in the Toly Group are aware of the importance of the protection of Personal Data and shall provide corresponding training and awareness sessions. Toly shall document successful participation in training sessions, which each respective employee has undergone.

8 Consequences of breaches

Non-Compliance with this Policy may lead to disciplinary and legal actions.