This policy covers company and staff procedures required to comply with the applicable data protection laws, including the GDPR, from a day-to-day perspective.
The purpose of this Policy is to describe the processes and procedures YUM! Pizza Hut Gibraltar/ Fontenay Limited has in place to comply with European Data Protection Laws. References in this Policy to “YUM! Pizza Hut Gibraltar/ Fontenay Limited” and “us” shall mean YUM! Pizza Hut Gibraltar/ Fontenay Limited unless otherwise specified.
This Policy is based on the following principles: Lawfulness, Fairness & Transparency, Purpose Limitation, Data Minimisation, Data Accuracy, Data Retention, Security, International Transfers, Individuals’ Rights and Accountability.
This document forms part of the overall YUM! Pizza Hut Gibraltar/ Fontenay Limited Compliance Manual. It covers all Personal Data processed by YUM! Pizza Hut Gibraltar/ Fontenay Limited electronically or in structured paper files, specifically in its capacity as Data Controller.
It applies to all YUM! Pizza Hut Gibraltar/ Fontenay Limited directors, officers, and employees (which, for these purposes, includes temporary employees, agency personnel and contractors) (collectively, “Personnel”). Personnel are required to read, understand, and adhere to this Policy as well as applicable laws.
All YUM! Pizza Hut Gibraltar/ Fontenay Limited managers, officers, and directors are responsible for enforcing this Policy and ensuring that employees, individuals, and entities for which they are responsible are aware of, understand, and adhere to, the requirements of this Policy. Any breaches of this Policy must be reported to the Operations Manager, Robert Rae (nominated Compliance Officer).
Wilful or negligent failure by Personnel to comply with European Data Protection Laws or this Policy is a disciplinary offence and may be considered gross misconduct in some cases and will be handled in accordance with [Franchisee]’s disciplinary procedures.
Failure to comply with this Policy may also mean that Personnel are directly liable for penalties under European Data Protection Laws. In particular, unauthorised use by an individual, for private purposes, of Personal Data obtained through work at YUM! Pizza Hut Gibraltar/ Fontenay Limited is a criminal offence in some countries.
This Policy does not substitute any applicable national data protection and privacy laws, regulations and Codes of Conduct in countries where YUM! Pizza Hut Gibraltar/ Fontenay Limited operates but has been compiled with the UK interpretation of the General Data Protection Regulation (“GDPR”) in mind. Local laws must be followed at all times and will take precedence over this Policy where they provide for stricter standards on privacy and data protection. Any variations will be set out in an Appendix to this Policy. Supplemental guidance for specific teams may be issued from time to time.
Consult with Robert Rae or with the Legal Team for any advice, help or support on any matter covered by this Policy. Any exceptions to this Policy must be approved by Robert Rae. If you are unsure about whether an issue is worth raising, err on the side of caution and speak to this person.
YUM! Pizza Hut Gibraltar/ Fontenay Limited has elected not to formally appoint a Data Protection Officer (“DPO”) on the basis that YUM! Pizza Hut Gibraltar/ Fontenay Limited’s activities do not meet the requirements of Article 37(1) of the GDPR, specifically taking into consideration the Article 29 Working Party Guidelines on Data Protection Officers. External legal counsel was sought in this respect. YUM! Pizza Hut Gibraltar/ Fontenay Limited will continue to monitor this requirement and will appoint a formal DPO if required.
General Data Protection duties are instead coordinated by Robert Rae (200 77242).
Data Controller is the legal or natural person which (alone or jointly with others) determines the purposes and means of Processing of Personal Data. For the purposes of this Policy, [Franchisee] is considered to be a Data Controller.
Data Processor means any legal or natural person that Processes Data on behalf of the Data Controller, for example, [Franchisee]’s external IT provider.
European Data Protection Laws means the EU Data Protection Directive (95/46/EC) and any legislation and/or regulation implementing or made pursuant to it (including the Data Protection Act 1998) and any law or regulation which amends, replaces, supplements or consolidates any of the foregoing (including the General Data Protection Regulation 2016/679 (“GDPR”)) from time to time.
Personal Data means any information relating to an identified or identifiable living individual such as our customers, operating partners, employees or any other individuals. Examples of Personal Data are name, address, date of birth, and personal financial and banking information. An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes Pseudonymous Data but not information which is truly anonymous. It can include opinions about individuals as well as facts and will include CCTV footage or audio recordings. The fact that information is publicly available (e.g. on LinkedIn) does not stop data protection laws applying to it.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
Pseudonymous Data means Personal Data which has been processed in such a manner that the Personal Data can no longer be attributed to a specific individual without the use of additional information.
Processing has a broad meaning that covers virtually anything we do with Personal Data, including the collection, storage, use, disclosure and destruction of the Personal Data. Personnel will almost certainly Process some Personal Data about individual customers as well as other Personnel and business contacts.
Special Categories of Data are Personal Data that receive special legal protection under applicable law. They include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, health, or sex life or sexual orientation. The processing of criminal conviction and offence data (“Criminal Offence Data”) is additionally prohibited or restricted by applicable laws. For example, medical and other health information held about Personnel will be a special category of data.
The privacy of YUM! Pizza Hut Gibraltar/ Fontenay Limited’s Personnel, vendors, operating partners, customers and other individuals about whom it processes Personal Data in the course of providing its investment management services is extremely important to YUM! Pizza Hut Gibraltar/ Fontenay Limited. Protecting their Personal Data and using it in a fair and trustworthy manner is key to YUM! Pizza Hut Gibraltar/ Fontenay Limited’s core values and is an important part of maintaining its relationship and reputation with its customers.
YUM! Pizza Hut Gibraltar/ Fontenay Limited is fully committed to complying with its obligations under European Data Protection Laws, whenever it is Processing Personal Data. To this end, YUM! Pizza Hut Gibraltar/ Fontenay Limited fully endorses the data protection principles set out below.
We can only Process Personal Data where we have a lawful basis as set out in European Data Protection Laws. A lawful basis includes where we are Processing Personal Data:
Additional (and more restrictive) grounds apply to the Processing of Special Categories of Personal Data and Criminal Offence Data. These are very limited under European Data Protection Laws and in the context of investment data, only four grounds are of potential relevance. These include processing which is (i) in the substantial public interest, on the basis of Union or Member State law; (ii) data which has been manifestly made public by the data subject; (iii) criminal offence data which is permitted to be processed by Union or Member State law (which for UK purposes, we should anticipate that this can be processed on the same grounds as Special Categories of Data); or (iv) data which is processed with the explicit consent of the data subject.
Personnel should ensure there is a lawful basis for any Processing of Personal Data for which they are responsible. Staff should seek guidance from Robert Rae if they wish to Process Personal Data based on consent.
If Personnel need to ask for additional Personal Data or are changing how Personal Data is Processed, always consider whether this Personal Data or the changes are for a lawful reason.
In order to be fair and transparent, we must tell individuals how their Personal Data is Processed by us in a concise, transparent, intelligible and easily accessible way, using clear and plain language. This should include what Personal Data is collected, how we intend to use it, who we share it with, if we intend to transfer it to another country outside of the European Economic Area as well as how individuals can contact us with questions or in order to exercise their rights. For more detail on exactly what information needs to be provided to individuals, please see our Guidance Note on Fair and Lawful Processing of Investment Data.
We do this for our employees in our Employee Privacy Notice and for website visitors in our YUM! Pizza Hut Gibraltar/ Fontenay Limited Privacy & Cookies Policy.
If Personnel need to ask for more Personal Data or change how Personal Data is Processed, always consider if further information needs to be given to relevant individuals. Personnel should pay particular attention to providing information on any uses of Personal Data which the individual would not expect.
Personal Data must only be used for the purposes for which it was collected. Personnel should not use Personal Data for any purposes which we have not told the individual about or which would not be obvious to that individual (or compatible with the original purpose). For example:
The Personal Data which we collect must be adequate, relevant and limited to that which is necessary for the purposes for which it is collected. We should not ask for more Personal Data than we need for the lawful basis for which we are collecting it. We shall make regular checks on the relevance of Personal Data being collected by Personnel to ensure it continues to be proportionate to the purpose.
The following data minimisation techniques should be considered wherever feasible:
Personal Data must be accurate and up to date. We will encourage individuals to inform us of any changes to their Personal Data (and update, rectify or erase records as a result).
Personal Data shall not be kept for longer than is required in order to meet the lawful purpose for which it was collected. It should then be securely deleted. This requirement is subject to other laws and obligations that require us to retain information for certain periods. For more details, see our Employee Privacy Notice (our data retention policy).
If Personal Data cannot be deleted (or anonymised) because, for instance, archived tapes are kept in a third-party storage location, the above principle will be satisfied if such information has been ‘put beyond use’, provided that we:
Personal Data needs to be kept and used securely. It needs to be protected against unauthorised or unlawful Processing and against accidental loss, destruction or damage. This applies to our information systems, sites and our day-to-day handling of Personal Data. At a minimum, we will comply with any security and organisational measures required by law. Further guidance is contained in the Acceptable Use Policy and the Information Security Policy, but in summary, some of the areas covered by these Security Standards and Policies include:
Further detail of how YUM! Pizza Hut Gibraltar/ Fontenay Limited has implemented these measures is included in the Appendix.
Appointment of Data Processors
If YUM! Pizza Hut Gibraltar/ Fontenay Limited (as data controller) engages another organization to process Personal Data on its behalf, that organisation (the “Data Processor”) must have implemented “appropriate technical and organizational measures” to meet the requirements of applicable European Data Protection Law and ensure the protection of individuals’ rights. As part of this process, a written contract must be put in place with the Data Processor which contains specific contractual obligations.
Where YUM! Pizza Hut Gibraltar/ Fontenay Limited is acting as a Data Processor on behalf of the Master Franchisor (the Data Controller), it cannot engage another processor without prior specific or general written authorisation of the Data Controller. In the case of general written authorisation, YUM! Pizza Hut Gibraltar/ Fontenay Limited will need to inform the Data Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes. It will also need to ensure that it flows down the relevant obligations to the sub-processors.
European data protection rules restrict transfers of Personal Data outside the EEA (including to other group companies and external Data Processors) unless there is adequate protection for the Personal Data or prescribed steps have been taken to ensure the Personal Data is protected. YUM! Pizza Hut Gibraltar/ Fontenay Limited may on occasion export Personal Data to other parties located outside of the EEA. If we do so, we will do so pursuant to European Commission approved standard contractual clauses to regulate the transfers of certain Personal Data between us and other members of our Group.
All files containing personal information that are exported are subject to the same requirements outlined in the Information Security Standard. These describe the processes that should be followed by Personnel when exporting this data as well as the technological controls used to ensure onward processing is controlled.
There are a (limited) number of other circumstances where Personal Data can be transferred outside of the EEA, including:
Seek advice from Robert Rae if:
We will always honour individuals’ rights under European Data Protection Laws (to the extent applicable):
We will respond to any requests without undue delay, and usually within one month of receipt of the request.
European data protection laws require us to implement a wide range of measures to reduce our risk of breaching the GDPR and to demonstrate that we are taking data governance seriously. A description of some of the measures we have put in place to meet these requirements is set out below.
Records of Processing Activity
Prior to the GDPR, many data protection authorities (including the Information Commissioner’s Office in the UK) required Data Controllers to notify the relevant Data Protection Authority about their Processing activities. These obligations are likely to disappear under the GDPR. However, we will be obliged to maintain a record of processing activities in relation to the Personal Data which we process. This record is to be made available to a competent supervisory authority on request. Accordingly, relevant Personnel and their team must ensure they notify Robert Rae, who will update YUM! Pizza Hut Gibraltar/ Fontenay Limited’s record of processing.
Training and Guidance
Upon joining YUM! Pizza Hut Gibraltar/ Fontenay Limited, all Personnel are required to read this policy, agree to abide by its terms and provide an annual declaration to this effect. All Personnel who process Personal Data as a significant part of their function will receive appropriate training on data protection and security as part of their induction programme and there will be ongoing training for existing Personnel.
New Systems and Processes
European data protection laws require us to implement technical and organisational measures to show that we have considered and integrated data compliance measures into our Processing activities (known as the “Data Protection by Design and by Default” principle).
We commit to this Principle by:
Each new product, system or service developed or purchased by us which involves the Processing of any Personal Data (i) that is not of a type currently being Processed; (ii) in a way in which it is not currently being used; or (iii) that might be perceived by our customers, employees or other relevant individuals as being privacy intrusive, will go through a privacy impact process to determine whether it implicates the rights and freedoms of the relevant individuals and whether or not the processing is considered to be “high risk”.
Where “high risk” processing is identified, a more thorough assessment (a “Data Protection Impact Assessment”) will be required before it is commenced in accordance with GDPR.
A Data Protection Impact Assessment will include a description of the processing activities, the risks arising and measures adopted to mitigate those risks and in particular safeguards and security measures to protect Personal Data and comply with GDPR. In limited circumstances, we may be required to consult with the relevant individuals or the relevant data protection authority.
In order to demonstrate compliance with the Data Protection Principles and other applicable law requirements, we will undertake internal audits of our Processing activities from time to time. All Personnel must cooperate with these audits.
Physical security is of paramount importance to us and is crucial to ensure the safety and security of our equipment as well as the information that our Personnel use or manipulate. Physical Security measures are illustrated in the Information Security Policy.
Data Discovery, Cataloguing and Classifying
In addition to the above, we have implemented controls to ensure Personal Data is handled appropriately outside of our core systems. These include protecting and securing information such as:
Controls that Personnel are expected to follow in this respect are documented in the Information Security Policy, whereas detailed notes on how these resources are secured from a technical perspective are included in the Information Security Standard.
Data Loss Prevention
We control data loss through measures such as automatically blocking outgoing email, other messages and file movements that contain Personal Data that has not been protected by appropriate safeguards, e.g. data encryption.
In some situations encryption can be automatically applied to Personal Data when it is classified or identified in an email message or document attachment, while in other situations messages can be quarantined to enable an organizational response.
Data and Email Encryption
Encryption is one of the few specific technologies called out in the text of the GDPR, and its presence there essentially mandates its use by organisations. We have implemented measures to encrypt data while at rest and when being used or transmitted. This ensures that if a breach occurs on any system, the information remains confidential and does not trigger the GDPR penalties.
Data Breach Identification and Blocking
European Data Protection Laws require us to report Personal Data Breaches to the relevant data protection authority without undue delay (and where feasible within 72 hours) after becoming aware of the Personal Data Breach (unless this is unlikely to result in a risk to the rights and freedoms of the individual). We may also need to notify individuals in certain circumstances and we must document the Personal Data Breach in line with the Data Breach Policy.
We have therefore implemented measures to proactively sense that data has been breached, audit the extent of the breach, and create an appropriate organizational response.
In the event any individual becomes aware of a Personal Data Breach, they must notify Robert Rae immediately and provide as much information as they have (including the nature and the consequences of the Personal Data Breach and any measures taken or proposed to mitigate any adverse effects). Examples of Personal Data Breaches include Personal Data being sent to an incorrect recipient, Personal Data being accessed without authority and paperwork or computers containing Personal Data being lost or stolen.
Further to section 5.9 on Individuals’ Rights, data subjects have the right to request an export of their data in a usable format that can be given to another vendor or service provider to import into its service in certain circumstances. Whilst this specific requirement is of low likelihood and risk for the organisation, YUM! Pizza Hut Gibraltar/ Fontenay Limited uses widely available products (such as Office 365 and Microsoft Exchange for email) to facilitate this requirement.
Endpoint Security and Mobile Device Management (“MDM”)
The GDPR requires computing devices to be protected from loss or theft through mobile device management capabilities, such as remote wipe and kill. A lost device could be the weak link in the data protection chain, leading to a data breach based on information stored on the device or accessible through still active user credentials. YUM! Pizza Hut Gibraltar/ Fontenay Limited has rolled out MDM to all its staff, with specific measures taken detailed in the Information Security Standard.
Cloud Storage and Sharing Services
YUM! Pizza Hut Gibraltar/ Fontenay Limited conducts a periodic review of documents shared externally to minimise the extent of sharing with external parties. Use of default restrictions (such as time-limited links) is also encouraged to restrict sharing by default without the need for user intervention. Measures taken by YUM! Pizza Hut Gibraltar/ Fontenay Limited to review these permissions are outlined in the Data Governance Model whereas measures embedded within the design of the system are described in the Information Security Standard.
Any transfers of Personal Data must be done securely, whether externally or internally.
When emailing or posting, double check that information is being sent to the right recipient.
Be aware that those seeking information sometimes use deception. Before sending out any Personal Data to any third party, be sure of their identity. This may involve carrying out checks to verify their identity particularly if you are releasing information over the phone. If in doubt, contact Robert Rae.
While a successful malware infiltration can render computers unusable, of more serious concern under GDPR is the potential for malware to harvest credentials for user and administrator accounts. Harvested credentials can then be used to access data sources across the organization (both on-premises and in cloud services), including those containing personal and sensitive personal data.
YUM! Pizza Hut Gibraltar/ Fontenay Limited works closely with its managed IT service provider to ensure the strongest practical level of security is applied in this respect (predominantly through the use of anti-virus and intrusion detection software).
Identity and Access Management
A cohesive identity and access management system that seamlessly unifies employee identity across applications is a foundational requirement for GDPR compliance. YUM! Pizza Hut Gibraltar/ Fontenay Limited uses the latest identity management protocols (Windows 10 Azure Active Directory) to manage this aspect of GDPR compliance. Furthermore, user identities are connected to third-party software providers using Single Sign-On where appropriate. This ensures access can be controlled centrally (and quickly) across a number of applications in a uniform way.