This is ERM’s Data Protection Policy ("Policy") regarding data privacy issues and the protection of Personal Data.
ERM takes data protection seriously and seeks to ensure that all Personal Data processed by ERM is kept secure, is processed in a fair and lawful manner and is in compliance with all applicable data protection laws. ERM also seeks to ensure that Data Subject rights are fully respected. This Policy is applicable to all members of the ERM Group of companies (each an "ERM Group Company" and collectively, "ERM").
This Policy will apply to each ERM Group Company, except where local requirements applicable to an ERM Group Company contradict or are more onerous than those set out in this Policy, in which case those local requirements will be followed by that ERM Group Company.
ERM may supplement this Policy from time to time with guidance, additional policies and procedures, including without limitation those guidance, policies and procedures referred to in this Policy.
Definitions used in this Policy are set out in Schedule 1. This Policy also refers to any related ERM policies that supplement or assist the application of this Policy.
All ERM staff should familiarise themselves with this Policy. All ERM staff have an important role to play in spotting data protection issues as they arise and escalating them immediately as set out in this Policy. Any questions about this Policy should be sent to ERM’s Data Protection team at Dataprivacy@erm.com.
This Policy applies worldwide to all ERM entities, all Employees and all ERM Agents.
The term “Employee” or “Employees” is specifically defined, for purposes of this policy, as: any personnel hired directly by ERM (regardless of status classification of full-time, part-time, temporary, contract, etc.); interns (even if an intern does not receive payment by ERM); employees of other companies seconded into ERM, and any ERM employee seconded to a non-ERM company. The term “Agent” or “Agents” is specifically defined as any member of any ERM entity board, any officer of any ERM entity, hired personnel, consultants, intermediaries, lobbyists, agents, representatives, independent contractors, subcontractors, and any others who act on ERM’s behalf.
2.1 Policy Scope
This Policy is not intended as a definitive statement of the application of all applicable data protection laws; instead it acts as a general framework of best practice, setting out the key data protection principles that ERM will apply whenever we process personal data and establishes overarching data protection requirements to ensure that ERM’s businesses are aware of their data protection obligations.
2.2 Material Scope
The Policy covers all personal data in ERM's possession or control, in any form (including but not limited to electronic data, paper documents, disks, USB drives or similar media), and all types of processing of that data, whether manual or automated.
The definitions of personal data and processing in data protection law generally capture a wide group of data and activities, including without limitation merely storing, deleting or remotely accessing personal data (see further definitions in Schedule 1).
2.3 Entity Scope
Data protection laws and this Policy typically apply differently to Controllers and Processors (and unless otherwise stated herein, all requirements of this Policy apply to Controllers only).
- Each ERM Group Company, which either alone or jointly with others, determines the purposes and means of processing personal data is a Controller.
- Each ERM Group Company that processes personal data on behalf of a Controller (including other ERM Group Companies, clients or other third-party Controllers) is a Processor. Where an ERM Group Company acts as a Processor for a third party (e.g. a client) it acts on the instructions of that third party and relies on that third party to specify how the personal data should be processed.
It is possible for an ERM Group Company to be processing as a Controller for certain activities and as a Processor for other activities. For example:
- an ERM Group Company will act as Controller when it processes the personal data that it collects from its ERM staff;
- an ERM Group Company will act as Processor when it processes personal data on behalf of a client, for example when carrying out surveys of individuals under the instructions of the client.
It is important to keep this in mind when considering how the data protection principles and overarching requirements set out in this Policy apply to the personal data processed by ERM.
3.1 Data Protection Principles
Each ERM Group Company that processes personal data shall comply with the following key data protection principles:
- Lawfulness, Fairness and Transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subjects;
- Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Data Minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accuracy: personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data is accurate having regard to the purpose or purposes for which they are processed, and that any inaccuracy is erased or rectified without delay;
- Storage Limitation: personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data shall be stored and securely deleted in accordance with local law;
- Integrity and Confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. Personal data shall be processed securely in accordance with ERM’s Information Security Policy; and
- Accountability: personal data will at all times be processed in a manner that can demonstrate compliance with the above-mentioned principles.
3.2 Data Protection Requirements
The following overarching requirements set out how personal data is to be treated when ERM processes personal data as a Controller (unless otherwise stated):
3.2.1 Lawful Processing
- Personal Data: Processing of personal data by ERM must be justified by reference to at least one lawful basis or condition for Processing. Please refer to Schedule 2, for details of the lawful bases / conditions for processing personal data.
- Special Categories of Data: Processing of Special Categories of Personal Data by ERM must be justified by reference to at least one of the additional lawful bases or "conditions" for processing Special Categories of Personal Data, in addition to one of the general lawful bases identified under Schedule 2, Part 1. Please refer to Schedule 2, Part 2, for details of the conditions for processing Special Categories of Personal Data.
Where an ERM Group Company is acting as a Processor of personal data (including Special Categories of personal data) on behalf of:
- clients/other third parties: it is the responsibility of that client / third party to ensure that the processing undertaken on its behalf is justified by reference to one or more of the above lawful bases for processing.
- an ERM Group Company acting as a Controller: it is the Controller’s responsibility to ensure that the processing undertaken on its behalf is justified by reference to one or more of the above lawful bases for processing.
3.2.2 Consent
To the extent that an ERM Group Company relies upon Consent as a lawful basis for processing personal data, that company must adhere to the requirements of Schedule 3.
3.2.3 Data Minimisation
The nature and type of personal data held must be proportionate and necessary for the purpose for which it is required. Care must be taken to avoid collecting excessive or irrelevant elements of personal data or allowing personal data to be used for purposes that cannot be justified as necessary. If this test cannot be satisfied, please seek help from ERM's Data Protection team by sending an email to Dataprivacy@erm.com.
3.2.4 Notice to Data Subjects (also known as a privacy or "fair processing" notice)
Data Subjects must be informed about how their personal data is used, including information about the types of data collected, the purposes for which the data are collected, to whom their personal data may be disclosed, and their data protection rights. Relevant Data Subjects for the purposes of ERM may include ERM staff, clients, vendors and individuals whose data ERM has collected and/or processed as part of a project. ERM’s Employee Privacy Notice provides this information for our staff.
3.2.5 Purposes of Processing
The way in which personal data is processed must be kept consistent with the original fair processing notice provided to the Data Subject. No further or alternative use should be made of the personal data without first considering the need to obtain consent from the Data Subject and/or issuing an updated fair processing notice.
It is the responsibility of the relevant Controller to ensure that the Data Subjects are informed about how their personal data will be used and that actual usage is in line with their privacy notice.
3.2.6 Accuracy and Retention
Personal data must be kept accurate, complete and up-to date and not retained for longer than the purposes for which it was collected unless there is a clear overriding business need or legal / regulatory requirement to retain the personal data. ERM’s Personal Data Retention Policy sets out the procedures for ensuring that documents/records are updated, archived and deleted appropriately.
3.2.7 Rights of Data Subjects
Data protection laws generally afford various rights to Data Subjects, including the ability to have access to their personal data on request, preventing the processing of their personal data or having it erased. All ERM Group Companies must comply with ERM’s Data Subject Rights Policy.
3.2.8 Appointment of Processors
Data protection laws set out certain requirements that apply whenever a Controller appoints someone to process personal data on its behalf. These requirements apply to any ERM Group Company acting as a Controller that appoints a Processor, whether that Processor is another ERM Group Company or an unrelated third party. Each time that ERM enters into a contract involving the processing of personal data (as a Controller or a Processor), ERM must ensure that it contains the mandatory provisions required by applicable data protection law. Please contact Dataprivacy@erm.com if you have questions in this regard.
3.2.9 Transfer of Personal Data Outside the EEA
Personal data must not be transferred to another country unless there is a mechanism for ensuring an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of that personal data. These requirements apply both to transfers to other ERM Group Companies and to transfers to third parties. Therefore, managing overseas data transfers in accordance with these principles requires particular care.
ERM has an Intra-group data transfer agreement in place to cover transfers of personal data between global ERM Group Companies, so special consideration should be given to transfers to or from third parties. Please contact Dataprivacy@erm.com if you have questions in this regard.
3.2.10 Security of Processing
Data protection laws generally require each ERM Group Company to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. All ERM Staff have a responsibility to help keep personal data secure and confidential in the manner stated in ERM's Information Security Policy.
3.2.11 Personal Data Breach
Many data protection laws require ERM to notify personal data breaches to the relevant supervisory authority within a specified period of time e.g. within 72 hours of becoming aware of the breach. In respect of serious breaches, there may also be a requirement to notify the affected Data Subjects.
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss or alteration of personal data, or to the unauthorised or inappropriate disclosure of, or access to, personal data. Examples of personal data breaches include: third-party attacks on IT infrastructure designed to harvest personal data; email phishing scams that result in an ERM Staff member sending personal data to an unauthorised third party; and the accidental loss or theft of ERM devices (e.g. mobile phones, laptops, USB devices).
ERM staff should immediately inform their local IT representative in the event of any data breach or suspected data breach, who will liaise with relevant members of ERM’s staff, as appropriate. The local IT representative shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. This information will also be recorded by ERM’s IT Department in a centralised log.
If an ERM Group Company is processing personal data as a Processor, it shall notify the relevant Controller(s) without undue delay after becoming aware of the relevant Personal data breach.
All Staff should familiarise themselves with, and at all times follow, the plan set out in ERM's Personal Data Breach Response Policy.
3.2.12 Data Inventory
ERM maintains a central Data Inventory for all ERM Group Companies which records details about all business processes which use personal data, including the lawful basis for each such business process. This is maintained by ERM’s Data Protection team.
If any new project, way of working or changes to an existing project involves the processing of personal data, it is important to update the ERM Data Inventory to reflect the new or revised project or way of working. Staff should notify Dataprivacy@erm.com of any such changes.
3.2.13 Data Protection Impact Assessments
Where a new project, way of working or changes to an existing project involves intensive or higher-risk processing of personal data or Special Categories of Personal Data, a data protection impact assessment should be carried out. A data protection impact assessment is important for ERM to identify and mitigate privacy risks before a project launches, and to apply the principles of "privacy by design and default", whereby projects are built with privacy compliance in mind. This can save time and resources by preventing intervention at a later date. The responsibility for identifying a project that may require an assessment rests with the business owner of that project in conjunction with ERM’s Data Protection team.
Please refer to ERM’s Data Protection Impact Assessment Policy for a data protection impact assessment template and guidance on preparing an assessment. ERM’s IT Department should also refer to ERM’s Data Protection by Design Procedure.
3.2.14 Direct Marketing
Direct marketing is the transmission by any means (including post, telephone, email, SMS, direct messaging, fax etc.) of materials advertising or promoting ERM's services to a specific individual (including where that individual is acting in a business capacity, for example the work email address of an employee of one of ERM's clients).
As a general rule, Data Subjects should only be contacted for marketing purposes by electronic means (i.e. email or text) if they have either expressly 'opted-in' to receiving communications in this way, or there is an existing commercial relationship and they are given the opportunity to 'opt-out' of marketing communications when we first collect their details, and in all subsequent communications.
In all cases, Data Subjects must be given the chance to decline to receive direct marketing material and a suppression list should be held listing Data Subjects who have indicated that they do not want to be contacted in the future.
3.2.15 Automated Decision-making
Decisions should not be made about Data Subjects using entirely automated processes. Advice should be sought from ERM’s HR Department before considering any techniques that will result in decisions being made about Data Subjects through automated means, to ensure appropriate manual reviews are embedded into the decision-making process. This extends to automated processes which may be used for screening recruitment candidates.
3.2.16 CCTV
CCTV systems should be operated with care to avoid disproportionate risk of privacy intrusion to individual Data Subjects. Therefore, if you are considering installing a CCTV system, please contact ERM’s Data Protection team at Dataprivacy@erm.com.
4.1 Governance. ERM has developed governance arrangements regarding data protection, which are coordinated through our global Data Protection team, which is supported by leaders from relevant parts of the business.
4.2 Monitoring of Compliance. Periodic monitoring of adherence to this Policy takes place to help ensure compliance with both applicable data protection laws and/or contractual agreements in connection with the handling of personal data.
5.0 Non-Compliance
Each ERM Group Company, whether processing personal data as a Controller or a Processor, shall ensure that all breaches of data protection law and incidences of non-compliance with the minimum standards set out in this Policy are reported, recorded and properly addressed. As noted, it is the responsibility of all ERM Staff to assist ERM to comply with the Policy. Failure to do so may amount to misconduct, which is a disciplinary matter and could ultimately lead to dismissal.
6.0 Related Policies and Information
This Policy should be read in conjunction with other ERM policies on this subject. Specifically, for any processing of personal data, these include the following:
- Employee Privacy Notice (Staff)
- Data Protection Impact Assessment Policy
- Data Protection Impact Assessment Procedure
- Personal Data Retention Policy
- Data Subject Access Rights Policy
- Personal Data Breach Policy
- Data Privacy by Design Procedure
- Legitimate Interests Procedure
Please contact Dataprivacy@erm.com if you have questions in this regard.
ERM Global Policy Manual Administration
Policy Title: Data Protection
Policy Number: 21
Revision Number: 3
Effective Date of this Version: 23 May 2022
Original Approver and Original Effective Date: Group CEO / 9 June 2009 (Approval and version history maintained by ERM Legal Department)
Policy Description: This Policy defines ERM’s governance and commitments on data privacy.
Authority to Amend this Policy: Group General Counsel
Authority to Waive this Policy: None
Policy Review Cycle: 3 years from last effective date, unless a review or update is triggered by changes to applicable data protection laws, regulation or regulatory regimes, or ERM’s risk profile in the global operating environment.
Docket responsibility for review cycle: Chief Compliance Officer
Schedule 1: Definitions
"Consent" means any freely given specific and informed indication of the Data Subject’s agreement to the Processing of his/her Personal Data (together with any higher requirement for Consent arising under local data protection laws);
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
"Data Subject" means an identified or identifiable natural person whose Personal Data is being processed;
"ERM Staff" means ERM Group’s directors, officers, persons with the title ‘Partner’, employees, and contingent workers, including but not limited to all contingent workers with access to any ERM system;
"Personal Data" means any information capable of identifying a natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity. Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link;
"Processing" means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, but not limited to collection, recording, organisation, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction (and Process, Processes and Processed shall be interpreted accordingly);
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
"Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic or biometric data Processed for the purpose of uniquely identifying a natural person; or data concerning health or data concerning a natural person's sex life or sexual orientation.
Schedule 2: Lawful bases for processing
Part 1: Personal Data
Each ERM Group Company shall ensure that when processing personal data as a Controller, Personal data is only processed to the extent that at least one of the following lawful bases for Processing applies:
- The Data Subject has given Consent to the processing of their personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the ERM Group Company is subject.
- Processing is necessary in order to protect the vital interests of the Data Subject or another natural person.
- Processing is necessary for the performance of a task carried out in the public interest under law to which the ERM Group Company is subject.
- Processing is necessary for the purposes of the legitimate interests pursued by the ERM Group Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a minor. ERM’s Standard Operating Procedure for Legitimate Interests describes the procedure for assessing whether we have a legitimate interest in processing personal data.
Part 2: Special Categories of Personal Data
In addition to at least one of the lawful bases identified under Part 1 above, each ERM Group Company shall ensure that when Processing Special Categories of Personal Data as a Controller, at least one of the following lawful bases for Processing applies:
- The Data Subject has given explicit Consent to the Processing of their personal data for one or more specific purposes (except where local data protection law provides that explicit Consent is not a permissible ground).
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment and social security and social protection law in so far as it is authorised by local data protection law or a collective agreement pursuant to local data protection law providing for appropriate safeguards for the fundamental rights and the interests of the Data Subject.
- Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent.
- Processing relates to personal data which are manifestly made public by the Data Subject.
- Processing is necessary for the establishment, exercise or defence of legal claims.
- Processing is necessary for reasons of substantial public interest, on the basis of local data protection law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject.
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of local data protection law or pursuant to a contract with a health professional, where the data is processed by or under the responsibility of a professional subject to the obligation of professional secrecy under local data protection law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under local data protection law or rules established by national competent bodies.
Schedule 3: Consent
To the extent that an ERM Group Company relies upon Consent as a lawful basis for processing personal data, such ERM Group Company shall ensure that:
- the Consent is freely given;
- the Consent is unbundled from other terms and conditions, in an intelligible and easily accessible form, using clear and plain language;
- the Data Subject shall be informed that they have a right to withdraw their Consent at any time and provided with information about how they can exercise that right to withdraw. It must be as easy to withdraw Consent as it was to give Consent; and
- a record is kept demonstrating that Consent has been obtained including the date and time when such Consent was granted and the content of the Consent.