GDPR TEAM Responsibilities:
- Manage the sco-privacy@syensqo.com mailbox, where we receive EOR (Exercise of Rights) requests as well as contacts from companies that are incorrectly sent to us, spam, invoices, etc.;
- Record the emails received in the mailbox in the file Privacy Mailbox - Daily Report;
- Improve the procedure;
- Manage the GDPR Documentation in Wiki/ Confluence;
- Answer employees' GDPR questions - analysis and follow-up with the DPPO team (the team responsible for the reply);
- Handle all EOR requests - do the first analysis, start the procedure, finalise it and register it in the Adequacy tool;
- Revise annually existing information in Google Drive as well as access to it.
Daily Task - Privacy Mailbox:
This is a daily task that allows us to check in good time whether any EOR request was sent to us, and also to keep the mailbox clear of any other types of request that generate clutter.
EOR requests have a deadline of 30 days to be handled, so we need to stay on top of them.
All emails should be replied to, as a matter of politeness, with guidance on the correct channel and to inform the sender that this mailbox is not for that kind of issue.
Hopefully this will reduce the “garbage” that enters the Privacy mailbox daily.
The only emails that do not need a reply are newsletters and advertising; these can be deleted (in any case they also need to be included in the report).
Once replied to and registered in the report, the emails can be deleted; there is no need to archive them. We archive only GDPR-related emails.
Response models:
To facilitate and speed up the task, two template replies were created.
For emails related to issues other than EOR, select Generic email reply, which covers emails such as product information, supplier presentations, CVs, SDS requests and accounting-related issues.
For Exercise of Rights emails, the first action is to send a confirmation email - EOR First Ack - that requests more information from the requester in case it is not provided in their first email: first name, last name, birth date and the nature of the relationship they have with Solvay.
In case this information is provided, select EOR ack reply. Edit the template only to select which option was requested - Erase, modification, access...
For other emails that do not match these instructions, you can check with and contact the responsible DPPO member.
Daily report:
When entering the mailbox we also need to open the Google Sheet - Privacy Mailbox - Daily Report.
In the file you must insert the number of emails received each day of the month. This procedure was initially done to provide detailed information to the GDPR team, but nowadays it is just to provide numbers to our Data leaders.
On the first day of each month we need to insert the total number in the file (meter link) and create a new tab for the next month.
GDPR- General Data Protection Regulation:
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the two areas.
GDPR's primary aim:
- To give individuals (data subjects) control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation contains
- Provisions and requirements related to the processing of personal data of individuals who are located in the EEA, and applies to any enterprise that is processing the personal information of individuals inside the EEA, regardless of its location or the data subjects' citizenship or residence.
The responsibility of Data Controllers is
- to design information systems with privacy in mind, so that the datasets are not publicly available by default and cannot be used to identify a subject.
No personal data may be processed
- unless it’s done under one of the six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest or legal requirement). When the processing is based on consent the data subject has the right to revoke it at any time.
GDPR - Exercise of Rights:
Individuals may contact your company/organization to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.). Where personal data is processed by electronic means, your company/organization should provide means for requests to be made electronically. Your company/organization must reply to their request without undue delay, and in principle within 1 month of the receipt of the request.
It can ask them for additional information in order to confirm the identity of the person making the request.
If your company/organization rejects the request then it has to inform the person of the reasons for doing so and of their right to file a complaint with the Data Protection Authority and to seek a judicial remedy.
Dealing with requests of individuals should be carried out free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, you may charge a reasonable fee or refuse to act.
EOR for Access:
Requests for access to information do not imply any action other than providing all the information we have in the company (all applications) about the Data Subject.
STEPS
- Email received on Privacy mailbox from the data subject with a request to access the data.
- Send an email of First Acknowledgement (template here) to the data subject’s email address, requesting identity confirmation.
- Open a sub-label in the Privacy Mailbox with the 1st letter of the name and surname + date of the request (Ex.: Jon Doe requests an EOR ACCESS on 01.01.2022 - add a sub-label in EOR Access with JD010122 and add all process data to this sub-label until recording in Adequacy).
- Open a confidential ticket / Case to HR/ Global Contact Center to request the data they have in:
  - PP9 (actual payroll tool)
  - Avature, if the data subject is a candidate
  - YouGrow, if the data subject wants to access the training information
  - or any other current tool that HR uses that holds the requested data about the person.
NOTE: A Case for HR should be created in Service One, following this path: Catalog/Human resources/HR admin and document requests/HR Admin / Personal Data /GDPR
HR EMAIL:
Title /Summary : GDPR Exercise of Rights (URGENT) - Add the code of the EOR (first letters of Name and surname + date of the request)
e.g.: URGENT - EOR ACCESS JD010122
In the “Description” field you can use a text like the following, adapted to the request and to the relationship that the person has with Solvay:
-----------------------------------
Dear team,
We have received an urgent Exercise of Rights request and we need to verify if the request exists on AVATURE.
The concerned data subject is: REQUESTER FIRST AND LAST NAME + DATE OF BIRTH + REASON
Could you please send us the request data?
If the requester needs some specific data, you should also state this in the case.
Thank you so much for your support.
Best regards,
4. Send an email to the DPPO Office with the reply letter attached for approval and signature.
5. Attach the reply letter and send it to the data requester.
7. Archive all information, reply letter and proofs in Adequacy.
EOR for Erasure:
Requests for erasure of information oblige us to find all Data Subject information and delete it from our systems. There are only some exceptions, like fiscal information that must be kept by the company for a period determined by the law in that country.
STEPS
- Request received from the data subject to erase the data.
- Send an email of First Acknowledgement (template here) to the data subject’s email address, requesting identity confirmation.
- Open a sub-label in the Privacy Mailbox with the 1st letter of the name and surname + date of the request (Ex.: Jon Doe requests an EOR Deletion on 01.01.2022 - add a sub-label in EOR Deletion with JD010122 and add all process data to this sub-label until recording in Adequacy).
- Open a confidential ticket to HR/ Global Contact Center to request the data they have in:
  - PP9 (actual payroll tool)
  - Avature, if the data subject is a candidate
NOTE: A Case for HR should be created in Service One, following this path: Catalog/Human resources/HR admin and document requests/HR Admin / Personal Data /GDPR
Title /Summary : GDPR Exercise of Rights (URGENT) - Add the code of the EOR (first letters of Name and surname + date of the request)
e.g.: URGENT - EOR DELETION JD010122
In the “Description” field you can use a text like one of the two below, adapted to the request and to the relationship that the person has with Solvay:
HR EMAIL:
-----------------------------------
Dear team,
We have received an urgent Exercise of Rights request for data erasure and we need to verify if the data subject exists on AVATURE.
The concerned data subject is: REQUESTER FIRST AND LAST NAME + DATE OF BIRTH + REASON
Could you please check, erase her data and send us the proof of the deletion?
Thank you so much for your support.
Best regards,
Other Option:
Dear team,
We have received an urgent Exercise of Rights request with High Priority to have all Data extraction from transaction PP9.
The concerned employee is: REQUESTER FIRST AND LAST NAME + CONCERNING PERIOD + ID of the employee + SITE
Could you please send us this information?
Thank you so much for your support.
----------------------------------
4. Send an email to the DPPO Office with the reply letter attached for approval and signature.
5. Attach the reply letter and send it to the data requester.
7. Archive all information, reply letter and proofs in Adequacy.
EOR for Modification
Requests for modification are usually for a data update, so we need to find all Data Subject information related to what needs to be corrected and replace it with the information provided.
Nowadays, most situations are handled directly by the requester through the Solvay Portal, unless the requester is a former employee.
STEPS
- Request received from the data subject to change the data.
- Send an email of First Acknowledgement (template here) to the data subject’s email address, requesting identity confirmation.
- Open a confidential ticket to HR/ Global Contact Center to request the data they have in:
  - PP9 (actual payroll tool)
  - Avature, if the data subject is a candidate
NOTE: A Case for HR should be created in Service One, following this path: Catalog/Human resources/HR admin and document requests/HR Admin / Personal Data /GDPR
HR EMAIL:
Follow the model below:
Title: GDPR Exercise of Rights (URGENT)
In the “Description” field you can use a text like one of the two below, adapted to the request and to the relationship that the person has with Solvay:
-----------------------------------
Dear team,
We have received an urgent Exercise of Rights request for data change.
The concerned data subject is: REQUESTER FIRST AND LAST NAME + DATE OF BIRTH + REASON
Could you please check and update the information as requested by the user?
(provide the information)
Thank you so much for your support.
Best regards,
Other Option:
Dear team,
We have received an urgent Exercise of Rights request with High Priority to have the following Data changed.
The concerned employee is: REQUESTER FIRST AND LAST NAME + CONCERNING PERIOD + ID of the employee + SITE
Could you please update this information?
Thank you so much for your support.
-----------------------------------
4. Send an email to the DPPO Office with the reply letter attached for approval and signature.
5. Attach the reply letter and send it to the data requester.
7. Archive all information, reply letter and proofs in Adequacy.
Very Important Note in EOR Process
With this new platform, SERVICE ONE, the HR Team will reply to your e-mail; therefore, you should take these additional steps:
1 - Forward the HR confirmation email to sco-privacy@syensqo.com
Then, in the Privacy mailbox, we can continue the EOR process by sending it to DPPO with the letter to be approved by the team.
2 - It is also helpful to save the case so it can be attached in Adequacy.
NOTE: This should be deleted right after it is added to the Adequacy Tool, as this information should not be kept in any other storage.
Adequacy Tool:
SBS has selected the tool of the Infhotep company (ADEQUACY) to build and maintain the Solvay Register.
The register has been populated first with the processing operated by SBS and is progressively populated with the processing operated by the other Solvay companies.
The accesses are restricted to the DP&P Office.
By mandatory enriching the registry with additional information, the registry shall be a real tool to manage Solvay compliance with the GDPR. Indeed, the GDPR documentation requirements are not limited to the obligation to keep a register, and ADEQUACY will propose additional functions to cover other GDPR documentation needs like history of data breaches, documents related to data transfers outside the European Union (contractual clauses, BCR, etc.)…
https://syensqo.adequacy-corporate.com/
- On the side bar, click on "Exercise of Rights".
- To register a new exercise of rights, click on "Add a request".
- In the Exercise of Rights registration you have to fill in:
  - Type of request: Access, Erasure, Portability...
  - Request Date: date the request was received (first email)
  - Source of request: privacy mailbox, letter…
  - Data subject: as in the example EOR-ERA-20200121-001
    - If erasure, ERA
    - If access, ACC
    - EOR means exercise of rights
    - ERA means erasure
    - 20200121 means year, month, day
    - 001 is the number of the request on that day; in this case it was the first request
  - If the identity is confirmed, click on “Identity confirmed”
  - Acknowledgment date: date the Acknowledgment was sent
  - Completion date: the process is closed
  - Answer date: date the requested information or the data was sent
  - Closing date: the process is closed
- Click on “Save”
To attach the Acknowledgement letter, Final letter and any information about the EOR:
- After clicking on "Save", click on the first symbol.
- The following window will open:
  - Date: the date you attach the document
  - Nature of the document: choose the option that fits best
  - Kind of document: file or URL
  - Description: the objective of the document