1. Policy and Scope

The Board and management of INEOS Inovyn are committed to compliance with all relevant national and EU laws in respect of personal data, and to protecting the rights and freedoms of individuals whose information they collect in accordance with (i) the General Data Protection Regulation 2016/679 (as amended from time to time) or (ii) the UK-GDPR (as amended from time to time), as applicable (“GDPR”).

We will maintain and continually improve our management systems to ensure that we meet our obligations under the GDPR.  We have processes and procedures in place to manage personal data activities; provide staff with awareness training; ensure data security measures are in place; and ensure we have an appropriate legal basis for processing personal data.

To contact us regarding data protection queries please email Pascale Belvaux.

2. Data Controllers and Data Processors

As a “data controller” INEOS Inovyn collects and holds personal data on current and past employees, contractors, suppliers, job applicants, visitors and members of the public so as to be able to fulfil employment and business contracts, for security reasons, and to manage its business obligations and interests.

We will also share personal data with other organisations where necessary to help us fulfil our business requirements, legal obligations, comply with contracts and/or where it is in the interests of the individual.  Where this type of sharing occurs, these organisations are known as “data processors”.  Sometimes data processors can offer additional services or request additional personal data that is not required by INEOS Inovyn or part of our agreement with them.  In these circumstances, INEOS Inovyn is not responsible for any additional information that you may provide directly to these third parties.

3. Personal Data

Personal data means any information relating to an identified or identifiable natural person (“data subject”).  This is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that natural person.

4. Sensitive Data/Special Categories

There are also special categories of personal data (often referred to as a “sensitive personal data”), which covers any “personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or a natural person’s sex life or sexual orientation.”

Processing of such sensitive data is prohibited unless it meets the strict requirements of the GDPR.

5. Objectives

INEOS Inovyn will ensure that it adheres to the six core principles of the GDPR.

5.1  Process personal data lawfully, fairly and in a transparent manner:

INEOS Inovyn will clearly inform individuals of how their personal data is being processed and with whom they will share the data.  Privacy notices shall be provided to individuals directly or via Company intranet/internet sites to explain how personal data is being used.

5.2  Only collect personal data for a specified, explicit and legitimate purpose:

INEOS Inovyn will only process personal data for legitimate organisational purposes.  We will not use personal data for a different purpose outside the reasons we have given without informing the individual(s) directly.  We will ensure that the purpose for processing the data is recorded and is assessed.

5.3  Ensure personal data is adequate, relevant and limited to what is necessary:

INEOS Inovyn will endeavour to ensure that it will only collect and process information that is necessary for the required purpose.  Where relevant, we will conduct an impact assessment in order to adequately define the purpose for processing any personal data and to identify, assess, evaluate and reduce the privacy risk to individuals.

5.4  Ensure personal data is accurate and, where necessary, kept up to date:

INEOS Inovyn will regularly review the accuracy of personal data and will correct any inaccuracies as soon as reasonably practicable.  Where data is part of a data system/application that cannot be deleted or altered, restrictions shall be put in place to prevent misuse or unauthorised access. 

5.5  Ensure we only retain personal data for as long as necessary:

INEOS Inovyn will retain personal data in accordance with any legislative and regulatory requirements.  We may hold personal data for historical purposes; in the interests of INEOS Inovyn (e.g. incident investigations/lessons learned); or where it is in the public interest.  INEOS Inovyn will ensure that personal data is accurate before it is used and will define an appropriate retention period within its retention policy.  Where appropriate, the personal data will be anonymised or aggregated to reduce any risk.

INEOS Inovyn will ensure that procedures are in place so that personal data is disposed of in a secure and appropriate manner, when retention periods have expired.  Where personal data is being shared with data processors, INEOS Inovyn will ensure that procedures are in place with those data processors for the subsequent deletion of the personal data.  However, please note that INEOS Inovyn cannot guarantee that the data processors will delete all data in accordance with the GDPR.

5.6  Ensure we have appropriate technical and organisational measures in place to maintain security:

INEOS Inovyn will evaluate all processing of personal data to assess any risks to the rights and freedoms of individuals.  The assessment will ensure there are legitimate reasons for processing; will review who will have access to the personal data; and will ensure that the security measures taken to protect the data are commensurate to the type of personal data held and privacy risks to individuals.  Records will be kept of these assessments.

6. Consent

If consent is sought to obtain and process personal data, we will ensure the data subjects are able to give it freely and willingly.  The reasons for processing data will be made unambiguous and clear to them through the use of privacy notices.  

7. Rights of the Individuals

INEOS Inovyn will ensure that individuals are made aware of their rights when it requests personal data from them, usually through the use of privacy notices. 

Any Subject Access Requests (SARs) will be actioned in accordance with the GPDR.  INEOS Inovyn shall be entitled to redact any data that may affect the rights and freedoms of other individuals. 

8. Transfers Outside the European Economic Area (EEA) or UK, as applicable

INEOS Inovyn will ensure that adequate protection measures are taken where personal data is transferred outside the EEA or the UK, as applicable.

9. Contractual Agreements

A data protection clause will be included within any contract where there is the expectation of personal data being shared or where the contractor or supplier is acting as a data processor on behalf of INEOS Inovyn.

10. Data Breaches

All data breaches will be reported internally, and included on an internally maintained register, within 24 hours.  The date and time of the breach shall be included on the register.  The extent of the breach must be evaluated and documented.  Where possible action is to be taken to stop further loss, access or theft of data.

Any data breaches must be reported within 72 hours to the supervisory authority where there is a high risk that the rights and freedoms of an individual(s) could be affected.  The report will provide as much information as possible to the supervisory authority including details of the breach; number of individuals affected; and any actions taken to reduce/stop the breach.  Ongoing progress and a final report shall be agreed with the supervisory authority, which will vary depending on the seriousness of the breach.

Individuals who intentionally access personal data that they are not authorised to may be subject to disciplinary procedures by INEOS Inovyn (including dismissal) and prosecution by the supervisory authority.

11. Point of Contact

Each business/site shall appoint someone to be responsible for ensuring compliance with data protection requirements.  The following table sets out contact details for the person(s) responsible within INEOS Inovyn:

END

Downloads

Dutch / English / French / German / Italian / Norwegian / Spanish / Swedish