Introduction
Syensqo, as Data Controller, recognizes and supports the privacy interests of all Data Subjects and respects these interests when processing Personal Information. In particular, Syensqo respects the privacy of its Customers, Suppliers, Subjects representative of Customers, Employees and other individuals with whom it interacts.
In addition to the restrictions and obligations of this Policy, Syensqo complies with the applicable national laws that protect Personal Information, including the EU General Data Protection Regulation 2016/679, applicable from May 25, 2018, and all laws and regulations in the jurisdictions in which it conducts its business.
Scope
This Policy applies to:
(1) Personal Information that is collected, maintained, used or otherwise processed by any Global Business Unit, Function/Business Support Activity or Affiliate of Syensqo. This Policy is global, applying to all Syensqo locations and it is the imperative basis for using Personal Data and can only be replaced by stricter national regulations;
(2) Personal Information in any format, including computerized records and electronic information as well as paper-based files;
(3) Personal Information that Syensqo collects and uses for its own business purposes.
In some cases, Syensqo processes Personal Information that belongs to other companies in particular in the framework of Transitional Services Agreements. In these cases, Syensqo shall protect the Personal Information in compliance with this Policy, comply with all laws that regulate the information, and use information only as authorized by the data owner as specifically set out in a Transitional Services Agreement.
The terms of this Policy are also intended to apply to agents and contractors that handle and process Personal Information on behalf of Syensqo.
Definitions
For purposes of this Policy, the following definitions shall apply.
- “Data Controller”, means Syensqo which alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Data Processor”, means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller.
- “Data Subject”, means the individual the personal data relates to, and specifically Customers, Suppliers, Subjects representative of Customers and Employees and other individuals with whom Syensqo interacts.
- “Personal Information” (or person’s information) - also called Personally Identifiable Information (PII) or Personal Data, means any information that can be used to identify directly or indirectly a person. It includes any information that enables an individual to be identified either from that piece of data alone, or from that data and other data that is available or likely to be available such as his/her name, home address, email, identification number, salary and benefits information. There is no distinction between Personal Information about an individual in their private, public or work roles, as all are covered by this Policy.
- “Processing”, means any operation or set of operations that is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Sensitive Personal Information”, means Personal Information that reveals medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life or sexual orientation of the individual.
- “Third Party”, means a natural or legal person, public authority, agency or body other than the Data Subject, Data Controller, Data Processor and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process Personal Data.
Privacy principles
a) Purposes of processing
Syensqo processes Personal Data to support and further its businesses only for limited, explicit and legitimate purposes and always in accordance with applicable laws. The types of information and the purposes for which Personal Data are collected may include:
For Employees, prospective Employees and former Employees
Processing needed for human resources and employment purposes from current and prospective Employees and independent contractors. For former Employees the processing is aimed at ensuring fulfillments with legal obligations or legitimate interests.
For Customers, Vendors, Suppliers and Subcontractors
Although customers, vendors, suppliers and subcontractors are mostly companies, Syensqo collects Personal Information about individuals who are employed by them. This business contact information and other personal details are used to administer existing and future business arrangements, therefore the purpose of processing is related to contractual obligations or pre-contractual measures.
Others
Additional Personal Data may be collected, used and disclosed for the purposes for which it was collected and for legal compliance purposes, including regulatory reporting, investigation of allegations of wrongdoing, internal investigations, the management and defense of legal claims and actions, and compliance with subpoenas, court orders and other legal obligations. For example, Syensqo may collect information about individuals that visit our facilities.
Syensqo processes Personal Data only in a reasonable and lawful manner according to the necessity, minimization and need-to-know principles.
b) Transparency of processing
Where required, Syensqo informs Data Subjects about its processing of their Personal Data and also makes this information available upon request. In particular, its Privacy Notices specify:
- the type of Personal Data processed;
- the purposes for which Personal Data are processed;
- the Third Parties to whom Personal Data will be disclosed;
- the privacy and information safeguards applied to ensure confidentiality, integrity and availability of Personal Data;
- how to exercise the Data Subjects’ rights (e.g. access, modification, deletion, automated individual decision making, portability etc.).
Syensqo also offers transparency with regard to international information transfers. Where possible, Privacy Notices include information about how Personal Data may be used within the Syensqo Group and by Third Parties, the purposes of such transfers, the potential recipients, and the safeguards that Syensqo has put into place to ensure an adequate level of protection for the transferred information.
c) Lawfulness and fairness of the processing
Syensqo processes Personal Data lawfully and fairly in relation to the Data Subjects. This implies that all processing is based on legitimate grounds, such as the necessity of the processing for: (i) preparing and/or performance of a contract with the individual; (ii) compliance with a legal obligation; (iii) protection of vital interests of the individual; (iv) performance of a task carried out in the public interest; (v) legitimate interests pursued by Syensqo or by a Third Party except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of Personal Data.
In addition, where law, contract or agreement requires consent of an individual for the processing of Personal Data, Syensqo must collect such consent prior to the processing or transfer of the Personal Information.
d) Sensitive Personal Information
There are certain types of Personal Data that Syensqo considered particularly sensitive and for which provides additional and appropriate protection and confidentiality. Syensqo will only collect and use this Sensitive Personal Information where there is an appropriate legal basis, or where the individual’s consent has been obtained, or where there are compelling business reasons if legally permitted.
e) Accuracy of information
Syensqo takes appropriate technical and organizational measures to keep Personal Information reasonably accurate, complete, and up- to-date, as needed for the purposes for which it was collected.
f) Personal Data disclosure
Internal Disclosure
In general, Personal Data may be shared within Syensqo, where legally permitted for reasonable and appropriate corporate purposes. However, even within Syensqo, access to Personal Data is restricted to those Employees, agents, or contractors who need access to carry out their assigned functions according to the minimization and need-to-know principles.
External Disclosure
Disclosure of Personal Data to Third Parties may be performed only as permitted or required by law or legal process, or pursuant to an agreement, business necessity, or with the consent of the individual. In particular, by way of example and not limitation:
- Syensqo may disclose Personal Data about workers and Employees to a range of Third Parties who provide the same with services, such as payroll or benefits management;
- Personal Data may always be disclosed in connection with legal compliance initiatives, in response to a government request for information or as part of the due diligence, negotiation and completion of a sale or transfer of all or part of our businesses.
g) Location of Personal Data and international transfers
Personal Information may be stored and processed at Syensqo national, regional or global headquarters, at the locations of a Syensqo Affiliate or of our service providers, at one or more of our international data centers and in the cloud via our service providers and always in accordance with the applicable laws.
The international footprint of Syensqo involves a large number of transfers of Personal Data between different Syensqo entities, as well as to Third Parties located in various Countries. Syensqo endeavors to ensure that appropriate technical, organizational and contractual safeguards are implemented to secure such information transfers according to applicable laws.
h) Protecting Personal Data
To help protect the confidentiality, integrity and availability of Personal Data, Syensqo implemented and keeps updated over time security safeguards appropriate to the sensitivity of the information. These safeguards include reasonable administrative, technical and physical measures to protect the confidentiality and security of Personal Information against threats and unauthorized accesses. Syensqo also maintains an effective Data Protection & Privacy incident and Data Breach management program. When required by applicable law, Syensqo will report Data Breaches to the relevant authority and/or inform the affected person if deemed necessary.
i) Rights of Data Subjects
Syensqo shall generally provide Data Subjects upon request with an opportunity to examine their own Personal Data, confirm the accuracy and completeness of their Personal Information, and have the same updated, if appropriate. Syensqo provides individuals with a reasonable opportunity to object to the collection, use, and disclosure of their Personal Information. All the Data Subjects’ rights are properly explained in the Privacy Notices provided to Data Subjects.
j) Personal Data Retention & Deletion
Syensqo process and retain Personal Data only for the time strictly necessary to achieve the purposes of processing according to its policies and applicable laws.
Syensqo has adopted and maintain updated over times a Record Retention Policy in order to ensure that Personal Data is retained only as soon as necessary. All information related to data retention & deletion are provided with respective Privacy Notices and Data Subjects can always ask more details and clarifications about this.
Responsibilities/Accountabilities
It is the responsibility of all Employees to assist Syensqo in the protection of Personal Data, by acting in accordance with this Policy. Each Employee is also responsible for helping to ensure that the Personal Information processed by Syensqo is always accurate and up-to-date.
Syensqo has established a Data Protection & Privacy Office, led by the Group Data Protection Officer, which is responsible for coordinating the Syensqo privacy compliance efforts, as well as for deploying effective communication and training related to this Policy. Where required by national laws, Syensqo will appoint Data Protection Officers at national or local level.
It is the responsibility of each Global Business Unit, Function/Business Support Activity or Affiliate of Syensqo, and of every Employee to ensure compliance with this Policy when processing Personal Information and to report to the Data Protection & Privacy Office any non-compliance or violation.
The Data Protection & Privacy Office is responsible for defining and updating this Policy.
Any violation of this Policy may result in appropriate actions, including disciplinary actions, mitigation actions and discontinuation of business relations, subject to and in conformance with applicable laws.
This Policy has been updated on 07/29/2024.