The Policy sets out the high-level statements and principles applicable to Compass Group and is supplemented by more detailed data protection policies, standards and processes contained within our Privacy Framework.
The protection of Personal Data is very important to Compass. We are committed to international compliance with data protection laws and recognise that we have a regulatory, ethical and contractual responsibility to protect and safeguard the Personal Data we hold about our employees, customers and suppliers. Maintaining the confidentiality and security of our employees', customers' and suppliers' Personal Data ensures that we maintain their trust and uphold Compass' reputation.
In certain countries, the application of all the elements of the Policy will not be required under local regulations. Where the Policy exceeds local regulations, we will discuss how to apply the relevant elements of the principles without creating unreasonable burdens on the business.
1.1 Policy Scope
The Policy shall apply to Personal Data relating to Compass employees, customers, suppliers and other people Compass does business with and any other individual whose personal information Compass holds and uses.
Personal Data only includes information relating to natural persons who:
• can be identified, or are identifiable, directly from the information in question; or
• can be indirectly identified from that information in combination with other information.
1.2 Policy Objective
The objective of the Policy is to set out the general principles necessary to enable us to systematically identify, assess and manage privacy risks, with the aim of ensuring that we apply appropriate measures to comply with Data Privacy laws and ensure the lawful and compliant Processing of Personal Data, including the prevention of its unauthorised use, disclosure or access. The Policy also sets out Compass's data governance, responsibility and accountability arrangements as well as a systematic approach to identifying, assessing and managing Data Privacy Risk.
2 Privacy Principles
The Data Privacy Principles set out below are intended to assist us in meeting Compass’s Data Privacy obligations. Where required under local law, these principles must be met whenever Personal Data is processed by Compass for whatever purpose.
Within Compass, Personal Data shall be subject to the following seven principles:
1. Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
2. Collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes (purpose limitation);
3. Adequate, relevant and limited to what is necessary for the purposes for which they are Processed, and Processed only if the purpose of the Processing could not reasonably be fulfilled by other means (data minimisation);
4. Kept accurate and up to date, with reasonable steps taken to update or delete any inaccurate, out-dated or incorrect Personal Data without undue delay (accuracy);
5. Not stored for longer than is necessary for the purposes for which the Personal Data is Processed, and in compliance with the Compass Retention Policy (storage limitation);
6. Processed in a manner that ensures the confidentiality, integrity and availability of Personal Data, including protection against unauthorised access, accidental loss, destruction or damage (data security);
7. Compass shall be responsible for, and be able to demonstrate compliance with, principle 1 (accountability).
2.1 Record of Processing
Prior to implementation of a new process, Compass must ensure that a record of all Personal Data which is Processed is maintained. This requires Compass entities to maintain an up-to-date log of the following information:
(i) Name of the Personal Data Processing operation;
(ii) Purpose of Processing;
(iii) Categories of Data Subject;
(iv) Categories of Personal Data being Processed;
(v) Categories of Recipients to whom the Personal Data have been or will be disclosed (internal or external);
(vi) Categories of Recipients in countries that are not deemed to be adequate under applicable Data Privacy Laws;
(vii) Retention period for such Personal Data.
2.2 Transparency and Notice
Compass is required to inform Data Subjects in a clear and transparent manner about the type of Personal Data we collect about them, the intended Processing of their Personal Data and the Purpose for such Processing. Compass will fulfil its legal obligation in the form of issuing a fair processing notice (“Privacy Notice”) which sets out an overview of the Processing activities relating to the Data Subject.
Whether we collect the Personal Data directly from the Data Subject or through Third Parties, the following information is to be provided to the Data Subject:
(i) Information about the purpose and legal basis of the Processing operation;
(ii) The identity of the Controller and the Controller's Country Data Protection Coordinator;
(iii) The Categories of Personal Data concerned;
(iv) The Recipients or categories of Recipients to whom the Personal Data are disclosed;
(v) Where applicable, whether the Controller intends to transfer the Personal Data to a Recipient in a country that is not deemed to provide an adequate level of privacy protection under local Data Privacy laws;
(vi) The existence of the Data Subject's rights;
(vii) The time limits for storing the Personal Data or, if that is not possible, the criteria used to determine them;
(viii) The right to lodge a complaint with the Regulator responsible for compliance with Data Privacy laws; and
(ix) The existence of automated decision-making using Personal Data, including meaningful information about the logic involved in, the significance of, and the envisaged consequences of such Processing for the Data Subject.
Where local regulations create an obligation to provide a Privacy Notice, Compass, as the Controller of the Personal Data, must follow the requirements under our Privacy Framework, which sets out the elements necessary to comply with that obligation.
Where we are a Processor, we will assist our clients in meeting their Data Privacy obligations by providing them with all the information they need about the Personal Data Compass Processes on their behalf, so that they can draft their Privacy Notice to their Data Subjects.
If Compass wishes to Process Personal Data for a purpose other than that for which the Personal Data was originally collected, the Data Subject must be provided with information about that other purpose prior to the commencement of such additional Processing, unless the additional Processing relates to a legal obligation to which Compass is subject, such as undertaking anti-money laundering or other sanctions checks.
2.3 Purpose Limitation
Prior to collecting Personal Data, Compass must identify the legitimate purposes for which it is collected and must not further Process such data in a manner that is incompatible with those purposes.
(i) Any further Processing of Personal Data that is incompatible with the original purpose that it was collected for must be approved by the Country’s Privacy Lead.
(ii) If the Personal Data proposed to be Processed for an incompatible purpose relates to Special Categories of Personal Data, it must be submitted for a DPIA.
2.4 Accuracy of Personal Data
Compass shall ensure that Personal Data is accurate and, where necessary, kept up to date. Appropriate controls must be put in place to ensure that Personal Data is kept up-to-date and accurate.
2.5 Retention of Personal Data
Personal Data shall not be kept for longer than what is required for the purpose of the Processing.
This means that Compass will set and apply maximum retention periods to all Personal Data that is processed and delete Personal Data once the retention periods have been reached. It should be noted that Compass may have a legal obligation that may require the retention of Personal Data.
The specific retention periods are defined by a combination of legal requirements and business needs and can be found in our Data Retention Policy.
2.6 Processing Children’s Personal Data
Processing personal information for children under the age of 16 will only be allowed if consent has been given or authorised by the holder of the child’s parental responsibility.
Whenever Compass is required to process personal information from children, we will take all reasonable measures to ensure that the child’s legal representative has given consent before the processing can take place.
Compass will implement the necessary controls to demonstrate that it has received the appropriate consent and it must also implement the necessary measures to stop processing the child’s personal data if consent is withdrawn.
If Compass processes children's personal information on behalf of another organisation (e.g. a school), we must ensure that the other organisation, as data controller, has the required parental consent before we can process the data.
2.7 Processing of Special Categories of Personal Data
The special categories of data are:
i. racial or ethnic origin;
ii. political opinions;
iii. religious or philosophical beliefs;
iv. trade union membership;
v. genetic and biometric data;
vi. health;
vii. a natural person's sex life or sexual orientation.
In all circumstances, Compass will only process special categories of personal information if:
a) the data subject has given explicit consent to the processing of their Personal Data for one or more specific purposes; or
b) processing is necessary for carrying out obligations under employment, social security and social protection laws.
If the data subject has given consent for the processing of personal information, Compass will implement the necessary controls to demonstrate that it has received the appropriate consent, and it must also implement the necessary measures to stop processing the personal data if consent is withdrawn.
If Compass processes special categories of personal information on behalf of another organisation (e.g. a hospital), we must ensure that the other organisation, as data controller, has the required consent before we can process the data.
2.8 Data Subject Rights
As a principle, a Data Subject should be able to understand how they may exercise their ability to request from Compass certain actions related to the personal data we hold and process about them.
In certain countries, Compass has a legal obligation to facilitate the rights of our Data Subjects in a timely manner and accordingly, must ensure that there are appropriate mechanisms in place to identify and respond to Data Subjects’ requests. Please see Appendix A for Data Subjects’ Rights applicable to the European Economic Area under the GDPR.
2.9 Processing Employee Data
Compass needs to process Personal Data about its employees, including its consultants and contractors' employees (together "Employees"), to meet various contractual and legal obligations as well as for its own legitimate interests.
Compass will not be relying on Employee consent as a legal basis for processing Employee Data but instead, will process Employee Personal Data to fulfil its contractual obligations and for legitimate interest purposes.
2.10 Employee Monitoring
Compass shall only monitor Employees where there is a legitimate business need to do so. This means that the methods and technologies used for Processing must be necessary and proportionate to the risk. Compass shall be transparent about Employee monitoring activities and ensure that the basis and purpose for undertaking Employee monitoring are communicated to Employees through a Privacy Notice.
It should be noted that Employee monitoring rules may vary between countries.
2.11 Security of Personal Data
Compass shall implement appropriate measures to ensure the integrity, availability and confidentiality of Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Head of Information Security shall be responsible for implementing such measures and shall review them with the Privacy Lead on a regular basis.
2.12 Breach Notification
Compass entities are required to inform their applicable Regulator of certain Personal Data breaches. Further, in cases where a breach presents a high risk to the rights and freedoms of an affected Data Subject, we may be required to inform the affected Data Subject. We may also be under a contractual obligation to report an actual or suspected breach to an affected client. Accordingly, it is important that Compass entities ensure all Employees and Third Parties that Process Personal Data on our behalf are adequately trained to handle and process Personal Data, to identify any actual or potential Personal Data breach, to comply with Compass's breach notification process and to report potential or actual Personal Data breaches upon identification.
Please note that the only people authorised to notify Data Subjects or the Regulator in the event of a data breach are the country DPO/Privacy Lead in conjunction with the Group Head of Ethics and Compliance and Group Legal.
2.13 Privacy by Design and Default
Compass shall give due consideration to privacy by design and default before implementing a new business process and/or IT system, or a change to an existing one, that involves the Processing of Personal Data. In such cases, Compass shall build privacy into the systems that use Personal Data.
2.14 Data Protection Impact Assessment (DPIA)
Where Processing of Personal Data is likely to result in a high risk to the rights and freedoms of a Data Subject, Compass shall, prior to Processing, carry out an assessment of the impact the envisaged Processing operation(s) will have on those rights and freedoms of the Data Subject.
High risk Processing includes:
• Processing of Special Categories of Personal Data, for example Personal Data relating to medical and health;
• Monitoring public areas through video surveillance;
• Processing of Personal Data about vulnerable people, for example children’s Personal Data;
• Processing of Personal Data based on automated decision making and profiling;
• Processing of Personal Data on a large scale;
• Processing data sets that have been matched or combined;
• Transfer of Personal Data to a Third Country.
Each Compass entity is responsible for carrying out its own DPIAs. Where a Processing activity cannot be remediated such that it no longer presents a high level of risk to the rights and freedoms of the Data Subject, then such Processing must not be undertaken.
2.15 Third Party Risk Management
Third Party Risk Management applies to any activities that have been outsourced and the sourcing of products and services to Compass including independent consultants, network partners and service providers. When transferring or giving access to Personal Data to Third Parties, Compass must ensure that Third Parties have adequate safeguards and procedures in place to protect the Personal Data being handled.
Third Party Assessment is not only considered best practice but is mandatory. It is Compass's responsibility as a Controller to allocate responsibility and instruction to Processors and Joint Controllers. Third Party Risk Management is an effective way to identify privacy risks with Compass's Third Parties. These assessments allow Compass to better understand and manage data privacy risks, which in turn reduces the risk of fines and of damage to the Compass brand, our reputation and the trust of our customers and stakeholders.
2.16 Transfer of Personal Data
Compass shall ensure that any Personal Data Transferred to a Third Country is adequately protected and appropriate safeguard mechanisms (which may be prescribed by the applicable Data Privacy laws) are in place prior to such Transfer to ensure that it is Processed in accordance with this Policy. It is the responsibility of the relevant Compass entities to ensure that the Transfer is in compliance with this Policy, the applicable Data Privacy laws and all applicable contractual obligations.
2.17 Legal Obligation to Disclose Personal Data
Compass may be required to disclose Personal Data without seeking consent or providing notice to the Data Subject. Compass will only do so where it is required:
• By statute, by order of the court or a competent authority, or
• For the purpose of obtaining legal advice, or
• Where Processing is necessary for the establishment, exercise or defence of legal claims, or
• For the safeguarding of national security.
3 Governance and Accountability
To ensure we maintain effective Data Privacy compliance, it is important that we have an effective governance framework and clearly defined lines of accountability across Compass, with the responsibilities defined below.
3.1 The Group Executive Committee
The Group Executive Committee is responsible for:
• Ensuring that Group Privacy risks are identified, understood and effectively managed;
• Defining the risk-based approach for Country Management Teams to work within; and
• Overseeing the development of a risk management culture across the Group which promotes the open, active and transparent management of Data Privacy risk in accordance with this Policy and applicable Data Privacy laws.
3.2 Country Management Teams
Each Country Management Team is responsible for the identification, mitigation and management of Data Privacy risks relevant to their business, as risk management is an operational responsibility. The Group Executive Committee delegates the overall responsibility for day-to-day Data Privacy risk management to the Country Management Teams across the Group. The Group recommends that each Compass Country appoint a Privacy Lead / Data Protection Officer to ensure that the governance and risk management of Data Privacy risks are appropriate and effective for their business.
3.3 Group Head of Ethics and Compliance
The Group Head of Ethics and Compliance is responsible for:
• Designing, maintaining and deploying an effective Group Privacy Framework;
• Creating best practice templates as guidance for all countries and updating them as regulatory requirements demand;
• Ensuring that all other department policies are aligned with the Group Data Privacy Policy;
• Outlining and maintaining Group-level Data retention periods for Customer and Employee (current, former and potential) Data;
• Supporting the local breach process in cases where a breach needs to be reported to a Supervisory Authority;
• Supporting the Country Privacy Leads in embedding the Group Privacy Risk Management Framework and practices to effectively identify and mitigate privacy risk;
• Overseeing the implementation of, and compliance with, this Policy.
3.4 Country Privacy Leads / Data Protection Officers
Country Privacy Leads / Data Protection Officers are responsible for:
• Advising the business on all Data Privacy matters;
• Proactively identifying, assessing, mitigating and monitoring Data Privacy risks within their business operations;
• Maintaining an inventory of all Processing activities;
• Ensuring that all Personal Data Processing activities comply with the requirements of Privacy by Design;
• Working with key stakeholders to ensure Data Privacy risks are a key consideration in major new services;
• Ensuring that country-specific statutory retention periods are kept up-to-date in the Data Retention Policy;
• Maintaining a Data Privacy risk register and escalating unmitigated Data Privacy risks to the relevant committee;
• Providing Data Privacy training and awareness;
• Investigating and remediating Personal Data and data security incidents;
• Drafting Privacy Notices.
3.5 Group & In-country Legal
Group and In-country Legal are responsible for providing legal advice on Data Privacy laws and Data Privacy risks to ensure compliance with applicable Data Privacy laws, and for advising on actual or suspected data incidents and breaches.
Each manager is responsible for ensuring that their line reports comply with this Policy within their respective area of responsibility, and that changes in Personal Data Processing activities are notified to the respective Country Privacy Lead / Data Protection Officer.
All Compass Employees play an important role in the implementation of this Policy and in Compass's compliance with Data Privacy laws. This includes, amongst other things, identifying and escalating any material Data Privacy risk, actual or suspected data incident, data loss or Policy breach to their manager, and adopting, practising and cultivating the culture and risk behaviours outlined in this Policy.
Appendix A – Data Subject Rights under the GDPR
Those Compass business units who reside or do business in the European Economic Area have a legal obligation to facilitate the rights of their Data Subjects in a timely manner and accordingly, must ensure that there are appropriate mechanisms in place to identify and respond to Data Subject requests.
Data Subject rights under the GDPR include the following:
1. Right to access;
2. Right to rectification;
3. Right to erasure (also known as the "right to be forgotten");
4. Right to restriction of Processing;
5. Right to notification regarding rectification or erasure of Personal Data or restriction of Processing;
6. Right to Data Portability;
7. Right to Object; and
8. Right not to be subject to automated decision-making and profiling using their Personal Data.
The above rights may only be effectuated by Compass once the Data Subject has been authenticated and identified as the correct individual. Compass is not under any obligation to give effect to the above rights where this is not possible, or where it is unable to identify which Personal Data relates to the Data Subject who has made the request.
Compass will not maintain, acquire or gather additional information about a Data Subject solely for identifying such Data Subject.