Our website uses cookies. By continuing we assume your permission to deploy cookies, as detailed in our privacy policy.
Accept
eCom
about us news contacts
1. Purpose, Scope and Users
ELKO Grupa AS, hereinafter referred to as the “ELKO”, strives to comply with applicable laws and regulations related to Personal Data protection in countries where the ELKO operates. This Policy sets forth the basic principles by which the ELKO processes the personal data of customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data.
This Policy applies to ELKO and its directly or indirectly controlled subsidiaries conducting business within the European Economic Area (EEA) or processing the personal data of data subjects within EEA.
The users of this document are all employees, permanent or temporary, and all contractors working on behalf of ELKO.
2. Reference Documents
  • EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
  • Relevant national laws or regulations for GDPR implementation in each respective country where ELKO is represented
  • Employee Personal Data Protection Policy
  • Data Retention Policy
  • Guidelines for Data Inventory and Processing Activities
  • Data Subject Access Request Procedure
  • Data Protection Impact Assessment Guidelines
  • Cross Border Personal Data Transfer Procedure
  • IT Security Policy
  • Access Control Policy
  • Security Procedures for IT Department
  • Bring Your Own Device (BYOD) Policy
  • Mobile Device and Teleworking Policy
  • Anonymization and Pseudonymization Policy
  • Policy on the Use of Encryption
  • Breach Notification Procedure
3. Definitions
The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:
Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the ability to link personal data to a data subject. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.
Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR;
Lead supervisory authority: The supervisory authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data; it is responsible, among others, for receiving the data breach notifications, to be notified on risky processing activity and will have full authority as regards to its duties to ensure compliance with the provisions of the EU GDPR;
Each “local supervisory authority” will still maintain in its own territory, and will monitor any local data processing that affects data subjects or that is carried out by an EU or non-EU controller or processor when their processing targets data subjects residing on its territory. Their tasks and powers includes conducting investigations and applying administrative measures and fines, promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as obtaining access to any premises of the controller and the processor, including any data processing equipment and means.
“Main establishment as regards a controller” with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
“Main establishment as regards a processor” with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
ELKO Group: ELKO Grupa AS and its subsidiaries within EU and EEA territories.
Sales Office: Any EU and EEA territories based subsidiary of ELKO.
ELKO Data Privacy Team: A group of advanced trained professionals within ELKO Grupa AS, which may change from time to time, but will at all times include designated persons from Legal department and IT department and which altogether can be reached, at any time, via e-mail: Data_Privacy@elkogroup.com.
ELKO Data Guardians: Designated persons from each European Economic Area (EEA) country, where ELKO Group is represented, which in most cases include local HR and IT managers, but as well could include representatives from other departments, and which are advanced trained professionals within ELKO Group in field of Personal Data processing. For contact details of specific Data Guardians please send request via e-mail: Data_Privacy@elkogroup.com.
4. Basic Principles Regarding Personal Data Processing
The data protection principles outline the basic responsibilities for organisations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. ELKO Group must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, ELKO Group must use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access to, or disclosure.
Data controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
5. Building Data Protection in Business Activities
In order to demonstrate compliance with the principles of data protection, an organisation should build data protection into its business activities.
(See the Fair Processing Guidelines section.)
(See the Fair Processing Guidelines section.)
ELKO Group must strive to collect the least amount of personal data possible. If personal data is collected from a third party, ELKO Data Privacy Team must ensure that the personal data is collected lawfully.
The purposes, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Notice. ELKO Group must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused, or abused, and prevent personal data breaches. ELKO Data Privacy Team is responsible for compliance with the requirements listed in this section.
Whenever ELKO Group uses a third-party supplier or business partner to process personal data on its behalf, ELKO Data Privacy Team must ensure that this processor will provide security measures to safeguard personal data that are appropriate to the associated risks. For this purpose, the ELKO Processor GDPR Compliance Questionnaire must be used.
ELKO Group must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data to carry out its contractual obligations towards ELKO Group or upon the instructions of ELKO Group and not for any other purposes. When ELKO Group processes personal data jointly with an independent third party, ELKO Group must explicitly specify its respective responsibilities of and the third party in the relevant contract or any other legal binding document, such as the ELKO Personal Data Processing Agreement template.
Before transferring personal data out of the European Economic Area (EEA) adequate safeguards must be used including the signing of a Data Transfer Agreement, as required by the European Union and, if required, authorization from the relevant Data Protection Authority must be obtained. The entity receiving the personal data must comply with the principles of personal data processing set forth in Cross Border Data Transfer Procedure.
When acting as a data controller, ELKO Data Privacy Team is responsible to provide data subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. The access mechanism will be further detailed in the ELKO Data Subject Access Request Procedure.
Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, for free. ELKO Data Privacy Team is responsible to ensure that such requests are processed within one month, are not excessive and do not affect the rights to personal data of other individuals.
Upon request, Data Subjects have the right to obtain from ELKO Group the erasure of its personal data. When ELKO Group is acting as a Controller, ELKO Data Privacy Team must take necessary actions (including technical measures) to inform the third-parties who use or process that data to comply with the request.
6. Fair Processing Guidelines
Personal data must only be processed when explicitly authorised by ELKO Data Privacy Team.

The Company must decide whether to perform the Data Protection Impact Assessment for each data processing activity according to the ELKO Guidelines for data inventory and processing activities mapping.
At the time of collection or before collecting personal data for any kind of processing activities including but not limited to selling products, services, or marketing activities, ELKO Data Privacy Team, in cooperation with ELKO Data Guardians in each European Economic Area (EEA) country, where ELKO Group is represented, is responsible to properly inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and ELKO Group’s security measures to protect personal data. This information is provided through Privacy Notice.

Where personal data is being shared with a third party, ELKO Data Privacy Team must ensure that data subjects have been notified of this through a Privacy Notice.

Where personal data is being transferred to a third country according to Cross Border Data Transfer Policy, the Privacy Notice should reflect this and clearly state to where, and to which entity personal data is being transferred.

Where sensitive personal data is being collected, the ELKO Data Privacy Team must make sure that the Privacy Notice explicitly states the purpose for which this sensitive personal data is being collected.
Whenever personal data processing is based on the data subject's consent, or other lawful grounds, ELKO Data Privacy Team is responsible for retaining a record of such consent. ELKO Data Privacy Team is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.

Where collection of personal data relates to a child under the age of 16, ELKO Data Privacy Team must ensure that parental consent is given prior to the collection using the Parental Consent Form.

When requests to correct, amend or destroy personal data records are received, ELKO Data Privacy Team must ensure that these requests are handled within a reasonable time frame. ELKO Data Privacy Team must also record the requests and keep a log of these.

Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). The Data Protection Officer is responsible for complying with the rules in this paragraph.

Now and in the future, ELKO Data Privacy Team must ensure that collection methods are compliant with relevant law, good practices and industry standards.

ELKO Data Privacy Team is responsible for maintaining a Register of the Privacy Notices at: http://elkogdpr.elkogroup.com.
7. Organization and Responsibilities
The responsibility for ensuring appropriate personal data processing lies with everyone who works for or with ELKO Group and has access to personal data processed by ELKO Group.

The key areas of responsibilities for processing personal data lie with the following organisational roles:

ELKO`s Board makes decisions about, and approves the ELKO’s general group level strategies on personal data protection.

ELKO Data Privacy Team is responsible for managing the personal data protection program and is responsible for the development and promotion of end-to-end personal data protection policies.

ELKO Data Guardians together with ELKO Sales Office director are responsible for implementation and localization (within each corresponding European Economic Area (EEA) country, where ELKO Group is represented with sales office) of all necessary personal data protection activities and actions according to ELKO Group general personal data processing policies, as well as ELKO Data Privacy Team instructions and recommendations.

ELKO HQ Legal Department together with remaining ELKO Data Privacy Team is responsible for:
  • Monitoring and analysing personal data laws and changes to regulations, developing compliance requirements, and assisting business departments in achieving their Personal data goals.
  • Ensuring flow down of personal data requirements to any third party it is using as outsource service provider.
  • Ensuring control over personal data requirements compliance within legal function at ELKO Group level.
ELKO HQ Chief Technology Officer is responsible for:
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Ensuring flow down of personal data requirements to any third party it is using as outsource service provider.
  • Ensuring control over personal data requirements compliance within IT function at ELKO Group level.
ELKO HQ Marketing director, is responsible for:
  • Approving any data protection statements attached to communications such as emails and letters.
  • Addressing any data protection queries from journalists or media outlets like newspapers.
  • Where necessary, working with ELKO Data Privacy Team to ensure marketing initiatives abide by data protection principles.
  • Ensuring flow down of personal data requirements to any third party it is using as outsource service provider.
  • Ensuring control over personal data requirements compliance within marketing function at ELKO Group level.
ELKO HQ Human Resources and Administration director is responsible for:
  • Improving all employees' awareness of user personal data protection.
  • Organizing, working with ELKO Data Privacy Team, Personal data protection expertise and awareness training for employees working with personal data.
  • End-to-end employee personal data protection. It must ensure that employees' personal data is processed based on the employer's legitimate business purposes and necessity.
  • Ensuring flow down of personal data requirements to any third party it is using as outsource service provider.
  • Ensuring control over personal data requirements compliance within HR function at ELKO Group level.
ELKO HQ Finance director is responsible for:
  • Ensuring flow down of personal data requirements to any third party it is using as outsource service provider.
  • Ensuring control over personal data requirements compliance within Finance function at ELKO Group level.
ELKO HQ Logistics director is responsible for:
  • Ensuring flow down of personal data requirements to any third party it is using as outsource service provider.
  • Ensuring control over personal data requirements compliance within Logistics function at ELKO Group level.
ELKO HQ Chief Commercial Officer is responsible for:
  • Passing on personal data protection responsibilities to vendors, and improving vendors' awareness levels of personal data protection.
  • Ensuring flow down of personal data requirements to any third party it is using as outsource service provider.
  • Ensuring control over personal data requirements compliance within Commercial function at ELKO Group level.
ELKO Sales Office director is responsible for:
  • Ensuring implementation of and control over personal data requirements compliance in his Sales Office.
  • Monitoring and analysing personal data local laws of his Sales Office domicile country and changes to regulations, developing local compliance requirements, based on ELKO group level personal data protection policies and practices, as well as local laws and regulations.
  • Ensuring flow down of personal data requirements to any third party it is using as outsource service provider.
  • Passing on personal data protection responsibilities to local vendors (if any), and improving local vendors' awareness levels of personal data protection.
  • Passing on personal data protection responsibilities to clients, and improving clients' awareness levels of personal data protection.
8. Guidelines for Establishing the Lead Supervisory Authority
Identifying a Lead supervisory authority is only relevant if the company carries out the cross-border processing of personal data.

Cross border of personal data is carried out if:

a) processing of personal data is carried out by subsidiaries of the company which are based in other Member States;

or

b) processing of personal data which takes place in a single establishment of the company in the European Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

If the company only has establishments in one Member State and its processing activities are affecting only data subjects in that Member State than there is no need to establish a lead supervisory authority. The only competent authority will be the Supervisory Authority in the country where company is lawfully established.
8.2.1. Main Establishment for the Data Controller

ELKO`s Board needs to identify the main establishment so that the lead supervisory authority can be determined.

If the company is based in an EU Member State and it makes decisions related to cross-border processing activities in the place of its central administration, there will be a single lead supervisory authority for the data processing activities carried out by the company.

If company has multiple establishments that act independently and make decisions about the purposes and means of the processing of personal data, ELKO`s Board needs to acknowledge that more than one lead supervisory authority exists.

8.2.2. Main Establishment for the Data Processor

When the company is acting as a data processor, then the main establishment will be the place of central administration. In case the place of central administration is not located in the EU, the main establishment will be the establishment in the EU where the main processing activities take place.

8.2.3. Main Establishment for Non-EU Companies for Data Controllers and Processors

If the company does not have a main establishment in the EU, and it has subsidiarie(s) in the EU, then the competent supervisory authority is the local supervisory authority.

If the company does not have a main establishment in the EU nor the subsidiaries in the EU, it must appoint a representative in the EU, and the competent supervisory authority will be the local supervisory authority where the representative is located.
9. Response to Personal Data Breach Incidents
When the ELKO learns of a suspected or actual personal data breach within ELKO Group, ELKO Data Privacy Team must perform an internal investigation and take appropriate remedial measures in a timely manner, according to the Data Breach Policy. Where there is any risk to the rights and freedoms of data subjects, ELKO must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours.
10. Audit and Accountability
ELKO Data Privacy Team is responsible for auditing how well business departments implement this Policy.

Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.
11. Conflicts of Law
This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which ELKO Group operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
12. Managing records kept on the basis of this document
13. Validity and document management
This document is valid as of 21st May 2018.

The owner of this document is ELKO Data Privacy Team, who must check and, if necessary, update the document at least once a year.