1. What is this document and why should you read it?
1.1 This privacy notice explains how and why Innospec Inc. group companies and offices to which the EU General Data Protection Regulation applies (also referred to as “Innospec”, “we”, “our” and “us”) use personal data about the third parties with which we engage or do business. This includes our customers, suppliers, agents, consultants and partners who are individuals, as well as, where any of these are entities, their respective shareholders, directors, officers, managers, key employees or other individuals (referred to as “you”).
1.2 You should read this notice so that you know what we are doing with your personal data or the personal data you might provide on behalf of any individual. Please also read any other privacy notices that we give you that might apply to our use of your personal data in specific circumstances in the future.
1.3 If you give us personal information about another person, in doing so you confirm that they have given you their prior permission or you have their authorisation to provide it to us and for us to be able to process their personal data (including any sensitive personal data). You must also ensure this and other relevant privacy notices are brought to their attention so they can review how their personal information may be used.
1.4 This notice does not form part of any contract with Innospec.
2. Innospec’s data protection responsibilities
2.1 “Personal data” is any information that relates to an identifiable natural person. A name, address and contact details are all examples of personal data if they identify you or another person.
2.2 The term “process” means any activity relating to personal data including, by way of example, collection, storage, use and transmission.
2.3 Innospec is a “controller” of your personal data and of any personal data you provide. This is a legal term – it means that we make decisions about how and why we process any personal data and, because of this, we are primarily responsible for making sure it is used in accordance with applicable data protection laws.
3. What types of personal data do we collect, where do we get it from and for what purposes is it processed?
3.1 We collect many different types of personal data about you and individuals within your business that you provide for lots of reasons including:-
- 3.1.1 to conduct screening or due diligence to comply with global anti-corruption laws, trade sanctions and other relevant laws and regulations to prevent improper conduct contrary to public policy;
- 3.1.2 to administer, manage and/or perform any current or potential contract or other business relationship with you;
- 3.1.3 for security and/or health and safety related reasons; and/or
- 3.1.4 for direct marketing purposes, including sending you details of our newsletters to keep you up to date with news relating to the Innospec business.
3.2 Further details of the personal data we collect are set out in Schedule 1. Paragraph 6.7 below lists the categories of recipients with whom we may share the personal data.
3.3 We receive personal data when any questionnaires, checklists or account creation forms are provided to us (or to third parties acting on our behalf) or when you correspond with us in connection with our business. This may be provided directly by you or provided on your behalf by a colleague acting for your business. We also create some personal data ourselves and obtain some personal data from other sources such as screening and background check providers, credit reference agencies and from public sources such as publicly available directories and online resources for the purposes above.
3.4 If any of the personal information given to us changes, such as your contact details or those of a relevant colleague within your business, please inform us without delay by letting your Innospec contact know or by contacting us in accordance with paragraph 12 below.
4. What do we do with personal data of our business contacts, and why?
4.1 We process the personal data of business contacts for particular purposes in connection with current or potential contracts or other business relationships with us, and the management and administration of our business.
4.2 We are required by privacy laws to always have a permitted reason or justification (called a “lawful basis”) for processing your personal data. There are six such permitted lawful bases for processing personal data.
4.3 Our processing of your personal data is either:
- 4.3.1 based upon your consent;
- 4.3.2 necessary for us to ensure compliance with legal obligations including compliance with global anti-corruption laws and/or trade sanctions;
- 4.3.3 necessary for us to take steps to potentially enter into a contract with you, or to perform it; and/or
- 4.3.4 based upon our legitimate interests including the evidencing of appropriate due diligence for global anti-corruption and trade sanctions related purposes, including protecting ourselves and the public from bribery and corruption. We believe our own, and the public’s, interests to prevent such conduct outweighs any prejudice to you by our practices and is not unfair. If you would like more information on how we balance the respective interests, please contact us in accordance with paragraph 12 below.
Should you choose not to provide the relevant personal data to us, we may not be able to enter into or continue our contract or business relationship with you. For some processing activities, we consider that more than one lawful basis may be relevant depending on the circumstances. If you wish to know the specific lawful basis applicable to the processing of your personal data, please contact us in accordance with paragraph 12 below.
4.4 In some cases where personal data is processed for due diligence purposes, some of that personal data may be used for the automated determination of risk and consequent level of additional due diligence required. This includes risk being allocated to a low, medium or high risk category based upon a number of factors including: territory of operation, potential interaction with Government Officials, product to be sold, contract value, nature of contractual relationship (e.g. distributor, agent or consultant), whether owned or controlled by any Government Officials or state-owned entities and whether there has been any involvement in any material compliance related litigation or violations (e.g. fraud, money laundering, corruption).
4.5 We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you. We may use it to conduct research and analysis, including to produce statistical research and reports (for example, to help us understand contract volume and trends).
5. Special category personal data (including criminal data)
5.1 We are required by law to treat certain categories of personal data with even more care than usual. These are called sensitive or special categories of personal data, and different lawful bases apply to them. The primary purpose for collecting any sensitive or special category personal data is the conduct of screening and/or due diligence. Our processing of your sensitive or special category personal data is for the reasons set out in paragraph 4.3 above or is otherwise necessary:-
- 5.1.1 for the establishment, exercise or defence of legal claims; or
- 5.1.2 for reasons of substantial public interest, on the basis of European Union or Member State law, including the United Kingdom Bribery Act 2010.
6. Who do we share your personal data with, and why?
6.1 Sometimes we need to disclose the personal data we process to other people.
Inside the Innospec group
6.2 We are part of the Innospec group of companies. Therefore, we will need to share your personal data with other companies in the Innospec group for our general business, reporting to management, authorisations/approvals from relevant decision makers, and where systems and services are used or provided on a shared basis.
6.3 Access rights between members of the Innospec group are limited and granted only on a need to know basis, depending on job functions and roles.
6.4 Where any Innospec group companies process your personal data on our behalf (either as our processor or joint controller), we will make sure that they have appropriate security standards in place to protect your personal data and we will enter into a written contract imposing appropriate security standards on them.
Outside the Innospec group
6.5 From time to time we ask third parties to carry out certain services for us. These third parties may process your personal data on our behalf (either as our processor or joint controller). We will disclose your personal data to these parties so that they can perform those functions. Before disclosing personal data to third party data processors, we will enter into a written contract with them requiring them to have in place appropriate security standards to ensure that they protect your personal data.
6.6 In certain circumstances we will also disclose your personal data to third parties who will receive it as controllers of your personal data in their own right for the purposes set out above, in particular:
- 6.6.1 if we transfer, purchase, reorganise, merge or sell any part of our business and we disclose or transfer your personal data to the prospective seller, buyer or other third party involved in any such business transfer, reorganisation or merger arrangement (and their advisors); and
- 6.6.2 if we need to disclose your personal data in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our employees, customers, suppliers or others.
6.7 We have set out below a list of the categories of recipients with whom we may share your personal data:
- 6.7.1 consultants and professional advisors including legal advisors and auditors;
- 6.7.2 screening and background check providers including Thomson Reuters (in respect of their WorldCheck product (http://my.thomsonreuters.com/pages?name=gdpr_productinfo)), The Red Flag Group and The Risk Advisory Group;
- 6.7.3 courts, court-appointed persons/entities, receivers and liquidators;
- 6.7.4 business partners and joint ventures;
- 6.7.5 training providers including GAN Integrity;
- 6.7.6 translators;
- 6.7.7 credit reference agencies including Graydon, Creditsafe, Credit Risk Monitor and Dun & Bradstreet;
- 6.7.8 insurance companies;
- 6.7.9 software and IT systems and/or service providers; and
- 6.7.10 government departments, statutory and regulatory bodies including the relevant data protection Supervisory Authority, the police and relevant tax and customs authorities.
Where they have provided us with their own privacy policy, we have included links above. If you have any questions, please contact them direct, or if you need any further information from us, contact us in accordance with paragraph 12 below.
We may also share your personal data with third parties as directed by you. Where those recipients are controllers in respect of your personal data, they will process your personal data for the purposes set out in their own fair processing notices and are directly responsible to you for their use of your personal data.
7. Where in the world is your personal data transferred to?
7.1 Screening checks are carried out by Innospec, and the results of those checks may be transferred to the relevant Innospec group company with whom you are doing, or proposing to do, business and who may be based outside of the European Economic Area (“EEA”). In addition, your data may be shared with other Innospec group companies in accordance with paragraph 6.2 above.
7.2 If any of our processing activities require your personal data to be transferred outside the EEA we will only make that transfer if:
- 7.2.1 the country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
- 7.2.2 we have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient. This includes use of European Model Clause contracts which are approved by the European Commission. You can find out what these are here: http://ec.europa.eu/justice/dataprotection/internationaltransfers/transfer/index_en.htm;
- 7.2.3 the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; and/or
- 7.2.4 you explicitly consent to the transfer.
8. How do we keep your personal data secure?
We will take specific steps (as required by applicable data protection laws) to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.
9. How long do we keep your personal data for?
9.1 We will retain your personal data as required depending on a number of factors, including:
- 9.1.1 any laws or regulations that we are required to follow including anti-bribery laws which may require personal data to be kept indefinitely;
- 9.1.2 whether we are or could potentially in the future be in a legal or other type of dispute with each other or any third party;
- 9.1.3 the type of information that we hold about you; and/or
- 9.1.4 whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.
Please contact us in accordance with paragraph 12 below for further details.
10. What are your rights in relation to your personal data and how can you exercise them?
10.1 Individuals have certain legal rights, which are briefly summarised at Schedule 2, in relation to any of their personal data which we hold.
10.2 Where our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data unless there is another lawful basis we can rely on, in which case we will let you know. Your withdrawal of consent will not impact any of our processing of your personal data up to that point.
10.3 Where our processing of your personal data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.
10.4 If you wish to exercise any of your rights please contact us in accordance with paragraph 12 below in the first instance. You also have the right to lodge a complaint with your local data protection Supervisory Authority.
11. Website cookies
11.1 When you use our website, the cookie policy at the following link will also apply: http://www.innospecinc.com/index.php/cookie-policy.
12. Where can you find out more?
12.1 If you want more information about any of the subjects covered in this privacy notice or if you would like to discuss any related issues or concerns with us, you can contact us in either of the following ways:
- By email at: [email protected]
- By post at: Legal Compliance Department, Innospec Limited, Innospec Manufacturing Park, Oil Sites Road, Ellesmere Port, Cheshire, CH65 4EY, United Kingdom.
SCHEDULE 1
Categories of personal data
NOTE: NOT ALL CATEGORIES OF PERSONAL DATA ARE COLLECTED FROM OR PROCESSED IN RELATION TO ALL THIRD PARTIES. WE INCLUDE THIS ONLY FOR COMPLETENESS AND TRANSPARENCY TO COMPLY WITH DATA PROTECTION LAWS. PERSONAL DATA IS ONLY PROCESSED WHERE AND TO THE EXTENT REQUIRED (SEE PARAGRAPH 3 ABOVE FOR DETAILS).
SCHEDULE 2
Your rights in relation to personal data