This is a daily task that lets us check in good time whether any EOR (Exercise of Rights) request has been sent to us, and keeps the mailbox clear of other types of requests that generate clutter.
EOR requests must be handled within a 30-day deadline, so we need to stay on top of them.
All emails should receive a reply, as a courtesy, with guidance on the correct channel and a note that this mailbox is not meant for those kinds of issues.
Hopefully this will reduce the “garbage” that arrives daily in the Privacy mailbox.
The only emails that need no reply are newsletters and advertising; these can be deleted (in any case they must also be included in the report).
Once replied to and registered in the report, emails can be deleted; there is no need to archive them. The only emails we archive are the GDPR-related ones.

To simplify and speed up the task, two template replies were created.
For emails related to issues other than EOR, select Generic email reply, which covers emails such as product information, supplier presentations, CVs, SDS requests and accounting-related issues.
For Exercise of Rights emails, the first action is to send a confirmation email (EOR First Ack) that asks the requester for more information if it was not provided in their first email: details such as first name, last name, birth date and the nature of the relationship they have with Solvay.
If this information is provided, select EOR ack reply. Edit the template only to select which option was requested (erase, modification, access...).
For other emails that do not match these instructions, you can check with and contact the DPPO Responsible member.
When entering the mailbox we also need to open the Google Sheet “Privacy Mailbox - Daily Report”.
In this file you must enter the number of emails received on each day of the month. This procedure was initially done to provide detailed information to the GDPR team, but nowadays it only provides numbers to our Data leaders.

On the first day of each month we need to insert the total number in the file (meter link) and create a new tab for the next month.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the two areas.
GDPR's primary aim:
The regulation contains
The responsibility of Data Controllers is
No personal data may be processed
Individuals may contact your company/organization to exercise their rights under the GDPR (rights of access, rectification, erasure, portability, etc.). Where personal data is processed by electronic means, your company/organization should provide means for requests to be made electronically. Your company/organization must reply to their request without undue delay, and in principle within 1 month of the receipt of the request.
It can ask them for additional information in order to confirm the identity of the person making the request.
If your company/organization rejects the request then it has to inform the person of the reasons for doing so and of their right to file a complaint with the Data Protection Authority and to seek a judicial remedy.
Dealing with requests of individuals should be carried out free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, you may charge a reasonable fee or refuse to act.
Requests for access to information require no action other than providing all the information the company holds (across all applications) about the Data Subject:
PP9 (actual payroll tool)
Avature, if the person is a candidate
YouGrow, if the person wants to access their training information
NOTE: A Case for HR must be created through Service One, following this path: Catalog/Human resources/HR admin and document requests/HR Admin / Personal Data /GDPR
Title/Summary: GDPR Exercise of Rights (URGENT) - Add the code of the EOR (first letters of Name and surname + date of the request)
e.g.: URGENT - EOR ACCESS JD010122
In the “Description” field you can use a text like the following, adapted to the request and to the relationship the person has with Solvay:
-----------------------------------
Dear team,
We have received an urgent Exercise of Rights request and we need to verify if the request exists on AVATURE.
The concerned data subject is: REQUESTER FIRST AND LAST NAME + DATE OF BIRTH + REASON
Could you please send us the request data?
If the requester needs some specific data, you should also state this in the case.
Thank you so much for your support.
Best regards,
4. Send an email to DPPO Office with the reply letter attached, for approval and signature.
5. Attach the reply letter and send it to the data requester.
7. Archive all information, reply letter and proofs in Adequacy.
Requests for erasure oblige us to find all of the Data Subject's information and delete it from our system. The only exceptions are items such as fiscal information, which the company must keep for a period determined by the law of the country concerned.
Avature, if the person is a candidate
NOTE: A Case for HR must be created through Service One, following this path: Catalog/Human resources/HR admin and document requests/HR Admin / Personal Data /GDPR
Title/Summary: GDPR Exercise of Rights (URGENT) - Add the code of the EOR (first letters of Name and surname + date of the request)
e.g.: URGENT - EOR DELETION JD010122
In the “Description” field you can use a text like the following, adapted to the request and to the relationship the person has with Solvay:
-----------------------------------
Dear team,
We have received an urgent Exercise of Rights request for data erasure and we need to verify if the data subject exists on AVATURE.
The concerned data subject is: REQUESTER FIRST AND LAST NAME + DATE OF BIRTH + REASON
Could you please check, erase her data and send us the proof of the deletion?
Thank you so much for your support.
Best regards,
Other Option:
Dear team,
We have received an urgent Exercise of Rights request with High Priority to have all data extracted from transaction PP9.
The concerned employee is: REQUESTER FIRST AND LAST NAME + CONCERNING PERIOD + ID of the employee + SITE
Could you please send us this information?
Thank you so much for your support.
----------------------------------
4. Send an email to DPPO Office with the reply letter attached, for approval and signature.
5. Attach the reply letter and send it to the data requester.
7. Archive all information, reply letter and proofs in Adequacy.
Requests for modification are usually data updates, so we need to find all Data Subject information related to what the requester needs corrected and replace it with the information provided.
Nowadays, most situations are handled directly by the requester through the Solvay Portal, unless the requester is a former employee.
NOTE: A Case for HR must be created through Service One, following this path: Catalog/Human resources/HR admin and document requests/HR Admin / Personal Data /GDPR
Follow the model below:
Title: GDPR Exercise of Rights (URGENT)
In the “Description” field you can use a text like the following, adapted to the request and to the relationship the person has with Solvay:
-----------------------------------
Dear team,
We have received an urgent Exercise of Rights request for data change.
The concerned data subject is: REQUESTER FIRST AND LAST NAME + DATE OF BIRTH + REASON
Could you please check and update the information as requested by the user?
(provide the information)
Thank you so much for your support.
Best regards,
Other Option:
Dear team,
We have received an urgent Exercise of Rights request with High Priority to have the following Data changed.
The concerned employee is: REQUESTER FIRST AND LAST NAME + CONCERNING PERIOD + ID of the employee + SITE
Could you please update this information?
Thank you so much for your support.
-----------------------------------
4. Send an email to DPPO Office with the reply letter attached, for approval and signature.
5. Attach the reply letter and send it to the data requester.
7. Archive all information, reply letter and proofs in Adequacy.
With this new platform, SERVICE ONE, the HR Team will reply to your e-mail; therefore you should take the following additional steps:
1 - Forward the HR confirmation email to sco-privacy@syensqo.com


Then, in the Privacy mailbox, we can continue the EOR process by sending it to DPPO together with the letter to be approved by the team.
2 - It is also helpful to save the case so that it can be attached in Adequacy



-» This should be deleted right after it has been added to the Adequacy tool, as this information should not be kept in any other storage.
SBS has selected the tool of the Infhotep company (ADEQUACY) to build and maintain the Solvay Register.
The register has been populated first with the processing operated by SBS and is progressively populated with the processing operated by the other Solvay companies.
The accesses are restricted to the DP&P Office.
Through mandatory enrichment with additional information, the registry shall be a real tool to manage Solvay's compliance with the GDPR. Indeed, the GDPR documentation requirements are not limited to the obligation to keep a register, and ADEQUACY will propose additional functions to cover other GDPR documentation needs, such as the history of data breaches and documents related to data transfers outside the European Union (contractual clauses, BCR, etc.)…
https://syensqo.adequacy-corporate.com/
If the identity is confirmed, click “Identity confirmed”.
Closing date: the process is closed
To attach the Acknowledgement letter, the Final letter and any information about the EOR:
Click on the first symbol
The following window will open
Date: the date you attach the document
Nature of the document: choose the option that fits best
Kind of document: file or URL
Description: the purpose of the document
_____________________________________________________________