This document details the approach to handling Employees’ and Customers’ private information. Any exceptions identified are followed up and reported to Management. Employees of GFL or subsidiary companies authorized to handle private information must familiarize themselves with this policy.
Privacy Policy
Introduction
Scope
This policy covers all private information collected by GFL, transferred from GFL customers for processing, or otherwise made accessible to GFL contractors and employees, including but not limited to the following:
• Information about GFL employees or contractors;
• Information about GFL customers’ employees, contractors or clients;
• Private information transferred to GFL for processing other than that listed above.
Any private information GFL has assumed accountability for is in scope of this policy.
Roles and Responsibilities
Dmytro Dolyna, CISO – responsible for development of this policy, enforcement of the policy and executive support of all privacy-related initiatives.
Identifying purposes
Any private information GFL assumes accountability for must be justified by a business purpose. GFL contractors and employees are prohibited from collecting private information of any origin unless approved by Senior Management. Senior Management must evaluate the purpose based on an understanding of the consequences of assuming accountability for private data, such as the costs of protecting the private data, legal and reputation risks, etc.
Private information obtained from the owners
GFL must obtain explicit consent from private information owners in cases when GFL directly collects private information. Such cases include but are not limited to the following:
• Employees’ and contractors’ private data collection upon induction to the company;
• Aspirants’ and potential employees’ private data collection for background verification purposes;
• Web site visitors’ information collection;
• Information of the participants of the events organized by GFL;
• Private information of the partners, potential partners and potential customers.
Data owners must be informed about the following without limitations:
• Types of private data collected;
• The purpose of collecting private information;
• Who will have access to private data;
• Process of removing or updating the private data upon data owner request.
Private information transferred from the third parties
Prior to any transfer of private data from the importer, GFL must ensure that the private data has been collected lawfully and following principles similar to those GFL uses when it collects data from the owners directly.
Such principles are listed in paragraph 6.1 of this policy.
Limiting collection
Consent must be obtained explicitly and directly. Consent must not be obtained by deceptive means.
GFL must not collect more information than is required for identifying purposes.
Limiting use, disclosure, and retention
GFL must not use, disclose or store personal information in any way other than that for which the data owner gave their explicit consent.
When possible, GFL must avoid storing private information transferred to GFL, or to which GFL has been granted access, for processing. For this purpose, automatic means must be employed to flush any temporary storage on GFL's end immediately after the data is processed by a GFL employee.
Private information collected by GFL for the purpose of conducting business must be stored for as long as it is required by the identifying purpose. Data deemed obsolete must be destroyed using techniques that prevent the data from being restored, such as low-level formatting or, if necessary, physical media destruction.
Accuracy
GFL must make all commercially reasonable efforts to ensure that the private data GFL is accountable for is accurate, to avoid making decisions based on inaccurate prerequisites, disclosure of the data through an incident, etc.
Safeguards
GFL must take measures to secure and protect private data from disclosure, destruction or alteration.
The Corporate Security Policy provides detailed guidelines on the exact measures and controls GFL employs to protect private data. Private data breach must be accounted for during risk assessment for any new or ongoing project. GFL must educate its employees and contractors on the principles documented in this policy.
Openness and individual access
GFL must be transparent in all of its relationships involving private data handling. This policy must be made available to customers, employees and other private data owners. Private data owners must be provided with access to their information in a timely fashion upon a written request.
Right to be forgotten
Private data owners must be provided with the means to erase their data stored by GFL upon request and receive confirmation of such action.
Compliance
GFL must comply with the following laws and regulations:
• Ukraine’s Law about Private Data Protection;
• Canada’s Private Information Protection and Electronic Documents Act;
• Regulation (EU) 2016/679 (EU GDPR);
• U.S. – EU Safe Harbor Framework’s principles.