Hydro's Binding Corporate Rules (BCR)

Here you will find the public version of Hydro’s BCR that provides a legal basis for the transfer of personal data within the Hydro Group of companies. The BCR apply to all personal data, within the Hydro Group, which are protected by applicable EU data protection law.

1 Introduction

While conducting its day-to-day business Hydro processes Personal Data related to employees, customers, suppliers and other business partners. On a regularly basis Personal data is transferred between members of the Hydro Group in the course of the company’s legitimate business activities.

Norsk Hydro ASA and all Hydro Legal Entities established within in the EEA are bound by rules in the Applicable EU Data Protection Law that contains strict requirements on the Processing and Transfer of Personal Data. As a general rule, the Applicable EU Data Protection Law does not allow for the Transfer of Personal Data to Third Countries that do not ensure an adequate level of protection of the Personal Data.

Hence, Norsk Hydro ASA has committed itself on the general principle of the protection of Personal Data in the Hydro Code of Conduct.

This Data Protection Procedure sets out how such protection shall be implemented to ensure consistent and uniform principles in Hydro for the Processing of all Personal Data and to establish the necessary legal basis for Transfer of Personal Data from Hydro Legal Entities established in EEA to Hydro Legal Entities established outside EEA in accordance with Applicable EU Data Protection Law.

This Data Protection Procedure is based on the Applicable EU Data Protection Law and the Norwegian data protection legislation that implements said Applicable EU Data Protection Law. The purpose of this Data Protection Procedure is to ensure compliance with the Applicable EU Data Protection Law, and to ensure adequate safeguards for the Transfer of Personal Data.

2 Scope and applicability

2.1 Scope

This Data Protection Procedure is a procedure under the responsibility of the Corporate Compliance Department. This Data Protection Procedure forms the Hydro Binding Corporate Rules (BCR) as defined in Section 7.

This Data Protection Procedure addresses all Hydro’s Processing of Personal Data protected by Applicable EU Data Protection Law.

The routines and requirements described herein are supplementary to information security measures and requirements set out in Hydro Steering Documents.

2.2 Applicability

This Data Protection Procedure applies to all Legal Entities in the Hydro Group as defined in section 7 and to all Hydro employees including contractors and other personnel representing Hydro. In addition, Third Party Data Subjects shall benefit from the rights granted to them herein.

2.3 Implementation

This Data Protection Procedure shall form part of Hydro’s Steering Documents from the time of adoption by the Head of Corporate Compliance of Norsk Hydro ASA.

The Head of Data Privacy has the supervisory role of the implementation of and compliance with this Data Privacy Procedure in the Hydro Group.

2.4 Accountability

In accordance with the designated ownership of IT-systems and -applications, the relevant Corporate function or Business Area management shall ensure that the operations and procedures are in compliance with this Data Protection Procedure when relevant. This includes the accountability for ensuring the establishment and maintenance of adequate internal control documentation as outlined in this Data Protection Procedure.

3 Processing and Transfer covered by this Procedure

3.1 IT-registers and data-flow

This Data Protection Procedure covers the Processing and Transfer of Personal Data by use of IT-systems and applications in Hydro involving data flowing between Legal Entities and across the national borders. The Head of Data Privacy maintains a list of all Legal Entities to which this Data Protection Procedure applies, with information on their geographical location.

3.2 Personal Data categories and purposes of Processing

This section provides an overview of categories of Personal Data and the purposes for Processing that is covered by this Data Protection Procedure.

HR management data
Administer and manage the employee relationship (including applicants, former employees, contractors and dependents)

IT-administration data
Support and manage information technology (IT) and information system (IS) administration and information security.

HSE data
Support and manage occupational health services and the registration, managing and reporting of health, service and environment (HSE) related information (incidents, issues, etc.)

Video surveillance / access logs
Support and manage safeguarding against illegal or unauthorized entry into areas, buildings or rooms or to support the control of equipment and/or production processes

Business relations data
Support and manage customer, supplier or partner relationships (internal /external) as well as handling of information in recruitment processes

Complaints
Follow up on complaints and concerns reported by employees

Investigation information
Support and manage investigation of incidents and concerns (e.g. related to employee’s potential violation of terms of employment or incidents or concerns that may have an adverse effect on the business)

4 Hydro’s responsibilities when Processing Personal Data

4.1 Hydro in the role as a Controller

Generally, each Legal Entity is considered an individual Controller that determines the purposes and means of the Processing of Personal Data. In certain cases, where Norsk Hydro ASA determines the purposes and means of the Processing of Personal Data in the Hydro Group Norsk Hydro ASA is considered the Controller. To the extend two or more Legal Entities determines the purposes and means of the Processing of Personal Data they are considered joint Controllers.

A Data Processing Agreement in accordance with the General Data Protection Regulation shall be executed in a situation where a Legal Entity acting as a Controller contracts with a Third Party service provider for the delivery of services that involve the Processing of Personal Data protected by EU Data Protection Law on behalf of the Controller.

The required legal grounds for the Transfer of Personal Data involved shall be established cf. section 6, in a situation where a Legal Entity established in the EEA contracts with a Third Party Processor established in a Third Country on the delivery of services that involve the Processing of Personal Data protected under Applicable EU Data Protection Law.

4.2 Hydro in the role as a Processor

A Legal Entity may provide services that involve the Processing of Personal Data on behalf of another Legal Entity that is regarded the Controller of such Personal Data.

In the course of such Processing, the Legal Entity providing the relevant services will be regarded as a Processor that Processes the Personal Data on behalf of the receiving Legal Entity, which has the responsibility as a Controller. In such cases, the Legal Entity acting as Processor acts solely on behalf of the Controller and shall act at the Controller’s direction and in accordance with the requirements and principles set out in this Data Protection Procedures, cf. section 6. To the extent required under applicable local data protection law, the Controller shall instruct the Processor by written agreement in accordance with the local requirements.

5 Key principles of this Data Protection Procedure

This section provides an overview of the key principles to be observed by the Hydro Group and its personnel in relation to the Processing of Personal Data under the scope of this Data Protection Procedure.

5.1 Duty to respect the Procedure

This Data Protection Procedure applies to all Legal Entities in the Hydro Group. Each Legal Entity shall be committed to comply with this Data Protection Procedure by the reference in Hydro’s Code of Conduct and shall execute agreements with Norsk Hydro ASA regarding the duty to respect this Data Protection Procedure.

All Hydro personnel shall be required to adhere to the rules in this Data Protection Procedure as part of Hydro’s Code of Conduct and according to the relevant terms of employment.

Hydro personnel reporting personal data breaches shall not suffer any negative consequences as a result thereof. Where appropriate, additional data privacy training shall be provided, cf. section 5.4 of this Data Protection Procedure.

5.2 Data Subjects rights

All Data Subjects whose Personal Data is being Processed under this Data Protection Procedure shall benefit from the rights herein.

The Data Subject’s rights include the right to enforce the general privacy principles set out in section 6 of this Data Protection Procedure including the principles on:

  • Fair and lawful Processing
  • Purpose limitation
  • Data quality and proportionality
  • Legitimate Processing
  • Transparency and information
  • Rights of access, rectification, erasure and blocking of data
  • Right to object to the Processing
  • Security and confidentiality
  • Restrictions on onward Transfer outside of the group of companies

The rights enforceable by the affected Data Subjects as third-party beneficiaries includes judicial remedies for any breach of the rights granted, and the right to receive compensation, where appropriate, according to Applicable EU Data Protection Law.

Data Subjects can choose to lodge a claim before

  • a competent data protection authority, or
  • the court of Norsk Hydro ASA (EEA headquarters) in Norway, the court where the EEA-based Controller or Processor has an establishment or where the Data Subject has his or her habitual residence.

Data Subjects are encouraged to first follow the complaints procedure set forth in section 5.7 of this Data Protection Procedure before filing any complaint with the competent data protection authorities or the courts.

5.3 Information to Data Subjects

All Data Subjects who benefit from this Data Protection Procedure shall have easy access to information describing their data privacy rights.

Information shall be provided for in the following documents:

  • Hydro Code of Conduct
    Sets out the principles for how Personal Data shall be protected in order to ensure compliance with applicable laws and regulations.
  • Privacy Statement (internal)
    The purpose of the internal privacy statement is to give information to all Hydro personnel about the processing of Personal Data undertaken by Hydro. The statement is available at Hydro intranet. A link is provided in the statement to this Data Protection Procedure.
  • Hydro Privacy Statement (external)
    The purpose of the external privacy statement is to give information to external individuals visiting Hydro.com including subsites. A link is provided to other relevant documents such as this public version of the Data Protection Procedure.
  • Public version of the Data Protection Procedure
    This public version of the Data Protection Procedure, which extracts the non-confidential information, shall be available on Hydro.com. This public version explains Hydro’s Binding Corporate Rules (BCR) for Processing of Personal Data, the legal basis for Transfer of Personal Data to Third Countries and affected Data Subject’s rights pursuant to these rules.

5.4 Training and awareness

Appropriate data privacy training and awareness programs in Hydro shall ensure implementation and compliance with this Data Protection Standard in all functions and areas of the Hydro Group. The aim of appropriate training is to make this Data Protection Procedure known, understood and effectively applied throughout the Hydro Group.

5.5 Supervision and Compliance

Hydro has established internal roles overseeing supervision and compliance with this Data Protection Procedure. Contact information to the Head of Data Privacy is available in section 8.

5.6 Audit and review

To ensure compliance with this Data Protection Procedure, Hydro will carry out audits and reviews regarding Hydro's compliance with the Data Protection Procedure.

5.7 Complaint handling

If any Data Subject is of the opinion that the Processing of Personal Data within Hydro is not compliant with this Data Protection Procedure or applicable local laws or regulations, the Data Subject may file a complaint to Hydro.

A complaint may be made anonymous or under full name by addressing the Head of Data Privacy, a Data Privacy Coordinator or Data Privacy Champion or the line management or by using Hydro’s “AlertLine”.

Within four (4) weeks after receipt of a complaint, Hydro shall revert to the Data Subject in writing of the result of the complaint handling. If, due to the complexity of the complaint, a response cannot be given within the four (4) weeks period, Hydro will inform the Data Subject accordingly and provide a reasonable estimate for the timescale within which a response will be provided. The time limit shall not exceed three (3) months from receipt of the complaint.

The above stated procedure is without prejudice to the Data Subject’s right to take a case to the competent data protection authorities or courts, cf. sections below.

5.8 Liability

Norsk Hydro ASA takes on the responsibility for any damages by a Legal Entity established outside the EEA resulting from a violation of additional safeguards, rights or remedies granted under this Data Protection Procedure for the Processing of Personal Data protected under the Applicable EU Data Protection Law and in accordance with the scope of this Data Protection Procedure. Further, Norsk Hydro ASA shall take necessary actions to remedy such acts of a Legal Entity established outside the EEA and shall, where appropriate, pay compensation for the damages resulting from the violation.

The burden of proof lies with Norsk Hydro ASA and not the Data Subject. Hence, where Norsk Hydro ASA can prove that a Legal Entity of the Hydro Group is not responsible for a breach of additional safeguard under this Data Protection Procedure resulting in the damage claimed by a Data Subject, it may discharge itself from any responsibility.

5.9 Cooperation with the data protection authorities

Hydro undertakes to cooperate with the competent data protection authorities, particularly by applying recommendations and advice from the authorities, and by responding to requests from the authority regarding this Data Protection Procedure. The competent data protection authorities may conduct audits in order to verify compliance with this Data Protection Procedure.

The Head of Data Privacy will be the contact point for the Norwegian Data Protection Authority on any matter relating to this Data Protection Procedure or the Processing of Personal Data in Hydro in general.

5.10 Applicable law and jurisdiction

This Data Protection Procedure shall be governed by and interpreted in accordance with the Applicable EU Data Protection Law and the relevant Norwegian data protection legislation implementing such law.

Data Subjects shall keep their rights and remedies as available in their local jurisdictions where such applicable local law provides more protection than this Data Protection Procedure. Where this Data Protection Procedure provides more protection than applicable local law, or provides additional safeguards, rights or remedies for Data Subjects, this Data Protection Procedure shall precede.

Without prejudice to the jurisdiction of the competent data protection authority or other government authorities according to applicable local law, compliance with this Data Protection Procedure is supervised by the Norwegian Data Protection Authority, appointed as the Lead Authority in the process of approval of Hydro’s Binding Corporate Rules under the Applicable EU Data Protection Law. The Norwegian Data Protection Authority is authorized to advise Norsk Hydro ASA on the application of this Data Protection Procedure at all times and shall have investigative powers based on the Norwegian data protection law. To the extent the Norwegian Data Protection Authority has discretionary powers related to enforcement of the Norwegian data protection law, it shall have similar discretionary powers for enforcement of this Data Protection Procedure.

Any complaints or claims of a Data Subject concerning any right supplemental to the rights under Applicable EU Data Protection Law, and that the Data Subject may have under this Data Protection Procedure, shall be directed to Norsk Hydro ASA. The complaints or claims can, at the Data Subject's choice, be brought before the competent data protection authority at the Data Subject's place of habitual residence, place of work or place of the alleged infringement, or before the competent courts in the jurisdiction where the Controller or Processor has an establishment or at the Data Subject's place of habitual residence. Data subjects are encouraged to follow the complaints procedure set forth in section 5.7 of this Data Protection Procedure before filing complaints or claims under any such supplemental rights with the competent data protection authorities or the courts.

5.11 Update of this Data Protection Procedure

Hydro may amend this Data Protection Procedure, e.g. due to changes to relevant legislation or changes to Hydro’s Legal Structure. Norsk Hydro ASA shall notify the Norwegian Data Protection Authority in case of changes to this Data Protection Procedure or of the list of members of the Hydro Group on a yearly basis. If any amendment would possibly affect the level of protection or significantly affect this Data Protection Procedure, Norsk Hydro ASA shall promptly notify the Norwegian Data Protection Authority.

Hydro shall communicate any substantial amendments to this Data Protection Procedure to the Data Subjects by making the necessary changes to the relevant documents, including the Code of Conduct, the Privacy Statements and this Data Protection Procedure. The current version of this Data Protection Procedure shall always be available for all Legal Entities, Hydro personnel and third-party beneficiaries.

6 General data privacy principles for the Processing of Personal Data

The following general data privacy principles shall apply to Hydro in accordance with the Applicable EU Data Protection Law.

By implementing this Data Protection Procedure, including the Binding Corporate Rules for Transfer of Personal Data, Hydro is committed to establish internal control and relevant routines when Processing and Transferring Personal Data to ensure compliance with these principles.

6.1 Fair, lawful and transparent Processing

Personal Data shall be Processed fairly, lawfully and in a transparent manner and pursuant to the principles stipulated in this Data Protection Procedure. This means that Personal Data shall be processed in accordance with law, and that the legitimate interests of the Data Subject should be taken into account when Processing Personal Data.

6.2 Purpose specification and limitation

Personal Data shall be collected only for specified, explicit and legitimate purposes and not further Processed in a manner incompatible with those purposes, cf. section 3.

6.3 Data quality and proportionality

Personal Data shall be:

  1. adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and /or further Processed ("data minimisation");
  2. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate, having regard to the purposes for which they were collected or for which they are further Processed, are erased or rectified without delay ("accuracy");
  3. kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data were collected or for which they are further Processed ("storage limitation").

6.4 Criteria for lawful Processing of Personal Data

Personal Data may lawfully be Processed only if at least one of the following legal bases applies:

  1. Data Subject has given his or her Consent for one or more specific purposes. In order to rely on Consent, the conditions in section 6.12 must be fulfilled;
  2. Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  3. Processing is necessary for compliance with a legal obligation to which the Controller is subject;
  4. Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; or
  6. Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by the Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require Protection of Personal Data under Applicable EU Data Protection Law.

6.5 Criteria for legitimate Processing of Sensitive Personal Data

Except from such circumstances as stated below it is prohibited to process Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and the Processing of genetic data, biometric data for the uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (Sensitive Personal Data).

The Processing of Sensitive Personal Data shall be lawful if at least one of the following legal bases applies:

  1. the Data Subject has given explicit Consent to the Processing of those Personal Sensitive Data, except where applicable law provide that the prohibition above may not be lifted by the Data Subject’s giving his Consent. In order to rely on Consent, the conditions in section 6.12 must be fulfilled;
  2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment and social security law in so far as it is authorized by applicable law or a collective agreement pursuant to applicable law providing for adequate safeguards for the fundamental rights and the interests of the Data Subject;
  3. Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent;
  4. the Processing relates to data which are manifestly made public by the Data Subject or is necessary for the establishment, exercise or defence of legal claims: or
  5. the Processing is allowed according to rules other than a)-d) above that have been established in accordance with the Applicable EU Data Protection Law.

Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards for the rights and freedoms of Data Subjects are provided under law, subject to derogations which may be granted by applicable law.

6.6 Automated decision making

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision:

a) is necessary for entering into, or performance of, a contract between the Individual and a Legal Entity;

b) is authorized by applicable local law to which the Legal Entity is subject and which also lays down suitable measures to safeguard the Data Subject's rights, freedoms and legitimate interests; or

c) is based on the Data Subject's explicit Consent.

In the cases referred to in a) and c) above, the Legal Entity shall implement suitable measures to safeguard the Data Subject's rights, freedoms and legitimate interests, and at least the right to obtain human intervention on the part of the Legal Entity, to express his or her point of view and to contest the decisions.

The automated decisions referred to in this section shall not be based on Sensitive Personal Data unless section 6.5 a applies and suitable measures to safeguard the Data Subject's rights, freedoms and legitimate interests are in place.

6.7 Duty of information

In cases of collection of Personal Data from a Data Subject, and provided the Data Subject does not already have the information, the following information shall be provided:

  1. the identity and contact details of the Controller and of his representative, if any;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the Processing and legal basis for such Processing;
  4. which legitimate purposes are pursued when the Processing is based on section 6) f;
  5. the recipients or categories of recipients of the Personal Data, if any;
  6. when relevant, the fact that the Controller intends to Transfer the Personal Data to a Third Country and the legal basis for making such Transfer lawful.

In addition, when required by Applicable EU Data Protection Law and if necessary to ensure fair and transparent processing, the Data Subject shall be provided the following further information:

  1. the period for which the Personal Data will be stored, or the criteria used to determine that period;
  2. the existence of the right to request access to, correction, deletion or restriction of Processing or to object to Processing as well as the right to data portability;
  3. where the Processing is based on the Data Subject's Consent, the existence of the right to withdraw Consent at any time, without affecting the lawfulness of Processing based on Consent before its withdrawal;
  4. the right to lodge a complaint with a data protection authority;
  5. whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
  6. the existence of automated decision-making, including profiling, referred to in section 6.6 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.

Where the Personal Data have not been collected from the Data Subject, the Data Subject shall be provided with the following information:

  1. the identity and contact details of the Controller and of his representative, if any;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the Processing and legal basis for such Processing;
  4. the categories of Personal Data concerned;
  5. the recipients or categories of recipients of the Personal Data, if any;
  6. when relevant, the fact that the Controller intends to Transfer the Personal Data to a Third Country and the legal basis for making such Transfer lawful.

In addition, when required by Applicable EU Data Protection Law and if necessary to ensure fair and transparent processing, the Data Subject shall be provided the following further information:

  1. the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
  2. which legitimate purposes are pursued when the Processing is based on section 6.4 f;
  3. the existence of the right to request access to, correction, deletion or restriction of Processing concerning the Data Subject or to object to Processing as well as the right to data portability;
  4. where the Processing is based on the Data Subject's Consent, the existence of the right to withdraw Consent at any time, without effecting the lawfulness of the Processing based on Consent before its withdrawal;
  5. the right to lodge a complaint with a data protection authority;
  6. from which source the Personal Data originate, and if applicable, whether it came from publicly accessible sources;
  7. the existence of automated decision-making, including profiling, referred to in section 6.6 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Individual.

Information mentioned in paragraph 3 and 4 above shall be provided within reasonable time, however no later than one month after the Personal Data are obtained or, where relevant, at the latest at the time of the first communication with the Data Subject by use of said data or at the time of disclosing the data the first time. Derogations may apply if the Data Subject already has the relevant information, or where the provision of such information proves impossible, or would involve a disproportionate effort, or is likely to seriously impair the achievement of the objectives or according to applicable law.

6.8 Data Subject's rights

6.8.1 Data Subject's right of access

Every Data Subject shall have the right to obtain from the Controller:

a) confirmation as to whether or not data relating to him are being processed and where that is the case, access to the Personal Data processed by the Controller;

b) information about the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the data are disclosed, in particular recipients located in a Third Country. If the Third Country is not recognized by the EU Commission as ensuring an adequate level of protection, the Data Subject shall have the right to be informed of the appropriate safeguards referred to in section 6.10

c) where possible, information about the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;

d) information about the existence of the right to request from the Controller rectification or erasure of Personal Data or restriction of the Processing of Personal Data concerning the Data Subject or to object to such Processing;

e) information about the right to lodge a complaint with a Data Protection Authority;

f) where the Personal Data have not been collected from the Data Subject, any available information as to their source; and

g) the existence of automated decision-making, including profiling, referred to in the section 6.6 and, at least in those cases, meaningful information about the logic involved in any automatic Processing as well as the significance and the envisaged consequences of such Processing for the Data Subject.

6.8.2 Data Subject's right of rectification

The Data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her. Taking into account the purposes of the Processing, the Data Subject shall further have the right to have incomplete Personal Data completed, including by means of a supplementary statement.

6.8.3 Data Subject's right of erasure

Where required by applicable law, the Data Subject shall have the right to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay. The Controller shall have the obligation to meet such a request by erasing Personal Data without undue delay when one of the following grounds applies:

a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise Processed;

b) the Data Subject withdraws his or her Consent to the Processing and where there is no other legal basis for the Processing;

c) the Data Subject objects to the Processing pursuant to Section 6.8.7 (a) and there are no overriding legitimate grounds for the Processing, or the Data Subject objects to the Processing pursuant to Section 6.8.7 (b);

d) the Personal Data have been unlawfully Processed;

e) the Personal Data have to be erased for compliance with a legal obligation in applicable EU/EEA law to which the Controller is subject.

The Data Subject's right to erasure shall not apply to the extent that Processing is necessary for:

a) exercising the right of freedom of expression and information;

b) compliance with a legal obligation which requires Processing by applicable EU/EEA law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

c) the establishment, exercise or defence of legal claims.

6.8.4 Data Subject's right of restriction of Processing

Where required by applicable law, the Data Subject shall have the right to obtain from the Controller restriction of Processing where one of the following applies:

a) the accuracy of the Personal Data is contested by the Data Subject for a period enabling the controller to verify the accuracy of the Personal Data;

b) the processing is unlawful and the data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead;

c) the controller no longer needs the Personal data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;

d) the Data Subject has objected to the Processing under Section 6.8.7 pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

Where Processing has been restricted under paragraph 1, such Personal Data shall, with the exception of storage, only be Processed with the Data Subject's Consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU/EEA or of a EU/EEA country where the Controller is established. The Controller shall inform the Data Subject who has obtained restriction of Processing, prior to the lifting the restriction.

6.8.5 Notification obligation regarding rectification or erasure of Personal Data or restriction of Processing

Where required by applicable law, the Controller shall communicate any rectification or erasure of Personal Data or restriction of Processing carried out in accordance with Section 6.8.2 to 6.8.4 above to each recipient to whom the Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort.

Where required by applicable law, the Controller shall inform the Data Subject about those recipients if the Data Subject so requests.

6.8.6 Data Subject's right of data portability

Where required by applicable law, the Data Subject shall have the right to data portability, being the right to receive the Personal Data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable form and have the right to transmit those data to another Controller without hindrance.

6.8.7 Data Subject's right to object to the Processing

The Data Subject has the right to object at any time, on grounds relating to his/her particular situation, to the Processing of data concerning him or her in the cases referred to in Section 6.4 e) and f), save where otherwise provided by applicable law. This includes profiling based on those provisions.

If a Data Subject objects to the Processing, the Controller shall no longer Process the Personal Data unless:

a) the Controller demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject; or

b) the Processing is necessary for the establishment, exercise or defence of a legal claim.

The Data Subject shall, where Personal Data are Processed for the purposes of direct marketing, have the right to object at any time to Processing of Personal Data concerning him or her for such marketing. This includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to Processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes.

The right to object shall be explicitly brought to the Data Subject's attention in a clear way and separately from any other information, at the latest at the time of the first communication with the Data Subject.

6.9 Security and confidentiality

Appropriate technical and organizational measures, including such measures by design and by default, shall be implemented and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of the data over a network, and against all other unlawful forms of Processing. Having regard to the particular kind and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the data to be protected.

6.10 Transfer of Personal Data to Third Parties

The Transfer of Personal Data to Third Parties includes situations in which Hydro discloses Personal Data to a natural or legal person or other body or institution that is not a member of the Hydro Group, including the onward Transfer of Personal Data to such Third Parties.

There are two categories of Third Parties:

a) Third Party Controllers that Process and determine the purposes and means of the Processing of the Personal Data (e.g. government authorities such as tax authorities or service providers that provide services directly to the Data Subject).

b) Third Party Processors, that Process the Personal Data solely on behalf of Hydro and at its direction (e.g. a service provider that Process salaries on behalf of Hydro).

Below is an overview of the requirements on Transfer of Personal Data protected by the Applicable EU Data Protection Law.

Transfer to a Third Party Controller established in the EEA

Transfer to a Third Party Controller established in the EEA may take place, provided that:

  • it is not incompatible with the legitimate purpose for which the Personal Data were collected;
  • it is in accordance with the principle of data quality and proportionality;
  • the criteria for making data Processing legitimate is fulfilled;
  • relevant information is given to the Data Subject (if applicable); and
  • appropriate security measures is implemented to protect the Personal Data during the Transfer and in relation to the further Processing by the receiving party.

Applicable local law may have additional requirements and should always be considered before making such Transfer.

Transfer to a Third Party Controller established outside the EEA
Transfer to a Third Party Controller established outside the EEA is prohibited, except when one of the following requirements is fulfilled:

  • the receiving Controller is established in a country which the EU Commission has considered having an adequate level of protection, cf. the Commission’s decisions on the adequacy of the protection of Personal Data in third countries provided at: http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm; or
  • the receiving Controller has been certified under a program that is recognized under Applicable EU Data Protection Law as providing an “adequate” level of data protection; or
  • one of the derogations for specific situations according to Applicable EU Data Protection Law applies (e.g. the Data Subjects having explicitly consented to the Transfer or the Transfer is necessary to conclude or perform a contract); or
  • the Transfer is regulated by the Standard Contractual Clauses for Controller to Controller Transfer of Personal Data.

Transfer to a Third Party Processor established within the EEA
Transfer to a Processor established in the EEA may take place, provided that:

  • the Processor provides sufficient guarantees in respect of the technical security measures and organizational measures governing the Processing to be carried out; and
  • the carrying out of Processing by way of a Processor is governed by a contract or legal act (Data Processing Agreement) in accordance with the requirements set out in the third paragraph of Section 4.1.

Transfer to a Third Party Processor established outside the EEA
Transfer to a Processor established outside the EEA is prohibited, except when, in accordance with Applicable EU Data Protection Law:

  • the receiving Processor is established in a country which the EU Commission has considered having an adequate level of protection (on the basis of “an adequacy decision”), or
  • the receiving Processor has been certified under a program that is recognized under Applicable EU Data Protection Law as providing an “adequate” level of data protection; or
  • one or more of the derogations for specific situations set out in the Applicable EU Data Protection Law applies (such as the Data Subjects having explicitly consented to the Transfer or the Transfer is necessary to conclude or perform a contract etc.); or
  • the Transfer is regulated by the Standard Contractual Clauses for Controller to Processor Transfer of Personal Data;

and the following conditions are fulfilled;

  • the Processor provides sufficient guarantees in respect of the technical security measures and organizational measures governing the Processing to be carried out;
  • the carrying out of Processing by way of a Processor is governed by a contract or legal act (Data Processing Agreement) in accordance with the General Data Protection Regulation Article 28 (3).

6.11 Demonstrating compliance

Every Legal Entity acting as a Controller shall be responsible for and able to demonstrate compliance with the Data Protection Procedure.

If a type of Processing is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall, prior to the Processing, carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data (data protection impact assessment). If the data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the competent supervisory authority prior to the Processing.

6.12 Conditions for Consent

If Consent is required or appropriate as a legal basis under applicable law for the Processing of Personal Data or Processing of Sensitive Data, the following conditions apply:

a) The Controller must be able to demonstrate that the Data Subject has consented to the Processing of his/her Personal Data. Where Processing is undertaken at the request of the Data Subject, he or she is deemed to have provided Consent to the Processing;

b) The Controller must inform the Data Subject in accordance with the provisions set forth in Section 6.7 above;

c) If the Data Subject's Consent is given in the context of a written declaration which also concerns other matters, the request for Consent shall, where applicable law so requires, be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form using clear and plain language; and

d) Consent is only to be used when it is likely to be valid as a legal basis for the Processing. With regard to employment relationships, Consent should therefore not be used as a legal basis, unless it is clear that it is freely given. This will typically be when the Data Subjects voluntarily participate in a survey or events arranged by Hydro or register for a newsletter from Hydro.

e) The Data Subject may withdraw his/her Consent at any time and the Data Subject shall, where applicable law so requires, be informed of his or her right to withdraw the Consent. The withdrawal of Consent shall not affect the lawfulness of the Processing based on such Consent before its withdrawal. It shall be as easy to withdraw as to give Consent.

7 Definitions

Unless otherwise specifically stated, where relevant, the following definitions shall be interpreted in consistency with and have the same meaning as definitions set out in the Applicable EU Data Protection Law:

Applicable EU Data Protection Law
Applicable EU Data Protection Law shall mean the EU Directive 95/46/EC and the EU Regulation 2016/679 (General Data Protection Regulation) repealing Directive 95/46/EC.

Binding Corporate Rules (BCR)

Binding Corporate Rules or BCR shall mean a set of data protection rules approved by the EU data protection authorities that is legally binding on and enforced by every member of a group of undertakings, including their employees, and which under Applicable EU Data Protection Law provides the adequate level of protection for the Transfer of Personal Data within that group of undertakings. This Data Protection Procedure constitutes Hydro’s BCR.

 

Business Area
A Business Area is a division of operations in Hydro with common core business activities as described on Hydro’s website. The Business Areas are divided into business units when applicable and may represent one or more Legal Entities established in one or more countries

Consent
A Consent shall mean any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by statement, or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Controller
A Controller is a Legal Entity that determines the purposes and means of the Processing of Personal Data of Data Subjects irrespective of whether the Processing takes place by and within the Legal Entity or by an external Processor.

Head of Data Privacy
The Head of Data Privacy is the person who shall supervise implementation of the Data Protection Procedure and who is responsible for overall monitoring data privacy compliance in the Hydro Group.

Data Privacy Coordinator
A Data Privacy Coordinator shall mean the dedicated staff with responsibility for monitoring and coordinating data privacy compliance in a given Hydro corporate function or Business Area.

Data Processing Agreement
A Data Processing Agreement is an agreement that regulates how the Processor may process Personal Data on behalf of the Controller.

Data Subject
A Data Subject is the identified or identifiable natural person to whom the Personal Data being Processed relates. A Data Subject may for example be an employee of Hydro, an external consultant working for Hydro, or a person applying for a job in Hydro.

European Economic Area (EEA)
EEA means the European Economic Area, meaning the EU member states together with the EFTA countries (Liechtenstein, Iceland and Norway).

Hydro (Hydro Group)
For the purpose of this Data Protection Procedure Hydro or Hydro Group (or Hydro Group of companies) shall mean Norsk Hydro ASA and all Legal Entities. The term Hydro refers to the whole Hydro Group of companies or each of the members of the Hydro Group, as the case may be.

Legal Entity
For the purpose of this Data Protection Procedure, a Legal Entity is a fully owned subsidiary of Norsk Hydro ASA as well as other legal entities where Hydro directly or indirectly controls more than 50% of the voting rights and that adheres to the Hydro Code of Conduct and Hydro’s Steering Documents.

Data Privacy Champion
A Data Privacy Champion shall mean the staff designated at the relevant level in Hydro with tasks to ensure implementation and management of and compliance with this Data Protection Procedure in the given area, unit or function.

Personal Data
Personal Data means any information relating to an identified or identifiable natural person (Data Subject) who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing of Personal Data
Processing means any operation performed upon or use of Personal Data, whether or not by automatic means, such as collection, recording, alignment, storage and disclosure, or a combination of such use. The definition is technology neutral and includes fully or partly Processing of Personal Data with the aid of computers or similar equipment that is capable of automatically Processing of Personal data. The definition also includes manual registration or filing systems if Personal Data is included.

Processor
A Processor is any natural or legal person, public authority, agency or other body, which Processes Personal Data on behalf of a Controller. Examples of Processors include external IT-service providers or outsourcing partners of Hydro. A Hydro Legal Entity (such as Norsk Hydro ASA) may act as an internal Processor, which Processes the Personal Data on behalf of another Legal Entity acting as a Controller.

Sensitive Personal Data
Sensitive Personal Data is any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for uniquely identifying a natural person), health, sex life or sexual orientation or offences and criminal conviction.

Standard Contractual Clauses (SCC)
The Standard Contractual Clauses or SCC are standard data protection contracts as adopted by the EU Commission to be executed between a Controller established in an EEA member country and a Controller or Processor in a Third County in order to provide a legal basis for the Transfer of Personal Data from an EEA member country to a Third Country.

Third Country
A Third Country shall mean a country outside the EEA, i.e. all countries except the EU member states and the EFTA countries (Liechtenstein, Iceland and Norway).

Third Party
For the purpose of this Data Protection Procedure a Third Party shall mean any person, private organization or government body outside Hydro.

Transfer
A Transfer shall include any disclosure, copy or move of Personal Data, which are undergoing Processing or are intended for Processing after the disclosure, copy or move, from one Legal Entity to another Legal Entity or to a Third Party, irrespectively of the type of medium or technical measures used to access the Personal Data.

8 Contact

The Head of Data Privacy may be contacted at:

Email: malin.tonseth@hydro.com

Postal address: Norsk Hydro ASA, Drammensveien 264, Oslo, Norway

9 Effective date and last update

Effective date: May 24, 2018

Last update: May 24, 2018


Updated: June 14, 2018