Integrity Hotline Privacy Policy
This privacy policy sets out how COFCO International uses and protects personal data collected during the lifecycle of a report of a concern submitted through our Integrity Hotline.
1 Overview
At COFCO International (CIL, “we” “our” or “us”), we are committed to protecting the confidentiality, accuracy and integrity of any personal data you provide to us. We always strive to safeguard such data from misappropriation, loss, misuse, unauthorized access, disclosure and/or alteration. We only collect personal data that is relevant for our described purposes, as described herein.
The data controller of your personal data when using CIL Integrity Hotline will be:
- COFCO International Netherlands B.V., having its registered offices at Weena 505 (31st Floor), AL Rotterdam, 3013 Netherlands (primary responsible party)
- COFCOINTL II Services Portugal, Unipessoal, Lda., having its registered offices at R. da Lionesa – Espaço D2, 4465-671 Leça do Balio, Matosinhos, Portugal (CIL member with delegated data protection responsibilities)
- The CIL entity you are affiliated with.
COFCO International Netherlands B.V. signed the Integrity Hotline management services agreement with NAVEX on behalf of the entire CIL Group. Where a report relates to employees or other data subjects of a CIL entity other than COFCO International Netherlands B.V., processing of personal data in the context of our integrity hotline procedure will be jointly controlled by COFCO International Netherlands B.V. and the other CIL entity or entities in question.
CIL has also appointed a Data Protection Officer who can be reached at [email protected].
By submitting a report of Concern through our Integrity Hotline, you confirm to have read and agree to the terms and conditions of this Privacy Policy.
2 Scope
This Policy explains what information we collect during the lifecycle of a report of Concern submitted through the Integrity Hotline and why we collect it, how we use that information and how to access and update that information.
Unless otherwise required by a local law or jurisdiction or provided for in a subsequent or different notice coming from a local CIL company, this Policy applies to all CIL companies, including its wholly owned or controlled subsidiaries and affiliates.
This Policy applies to all individuals, including employees, contractors, vendors, customers and other stakeholders who provide personal data when using the Integrity Hotline.
3 Which Personal Data We Collect
Using our Integrity Hotline to submit a report of Concern does not require submitting any personal data. When you use the Integrity Hotline, you are assigned a unique case ID and password, that cannot be used to identify you.
However, in the event that a person making a report of Concern in the Integrity Hotline includes personal data pertaining to his/herself or to another person, e.g. a person alleged of a wrongdoing, in the report of Concern, such personal data will be processed in accordance with this Privacy Policy.
Thus, the personal data processed in connection with the Integrity Hotline could, without limitation include:
a) Name of the person submitting a report (if provided);
b) Name of the alleged wrongdoer or of any person connected thereto (if provided);
c) Contact information (e.g. e-mail addresses, phone numbers) (if provided); and
d) Any other personal data voluntarily provided in the report.
Please note that you may submit reports anonymously, and in such cases, we do not collect personal data that could directly identify you and this policy won’t apply to you.
4 How We Collect Your Personal Data
Your Personal Data may be collected when you voluntarily provide the information through our Integrity Hotline. Moreover, Personal Data pertaining to you may be processed if another person has identified or otherwise indicated information relating to you in a report made by them.
Where applicable, information from other sources, as applicable, may be used to verify the accuracy of reports and where such report leads to an investigation, additional Personal Data may be collected and processed in connection with the investigation. Such Personal Data may be collected from publicly available sources or based on information received from the authorities or other third parties within the limits of the applicable laws and regulations.
5 How We Use Your Personal Data
We process the personal information that we collect about you solely for the purpose of addressing and investigating reported concerns. This includes:
a) Assessing and verifying the accuracy of the information provided
b) Conducting internal investigations and prevention of future misconduct
c) Protecting the rights and safety of individuals and of CIL
d) Complying with legal and regulatory requirements
CIL will only process your personal data where it has a legal basis for doing so. Our legitimate interests of preventing, detecting, investigating and addressing wrongdoing are used as a basis to process your personal data when they are not overridden by your data protection interests or fundamental rights and freedoms. Your personal data may also be processed in order to comply with legal requirements, namely legal requirements in accordance with whistleblowing channels and procedures.
6 How And Why We Share Your Personal Data
CIL does not sell, share, or otherwise distribute your personal data to third parties for promotional purposes.
CIL will only share your Personal Data with third parties in strict compliance with this policy and applicable laws and regulations, as part of our investigation measures if there is valid legal basis for doing so.
We may disclose personal information collected and contained in reports made through our Integrity Hotline to the following categories of recipients:
a) Within CIL
CIL operates globally, which means your information may be stored and processed outside of the country or region where it was originally collected in order to carry out the activities specified in this Policy.
We restrict information to people within our company based on a “need to know” principle, for example, relevant personnel of our teams of Internal Audit, Legal, Compliance, Security, and Human Resources may need access to your personal data to initiate investigation procedures. In order to conduct an investigation, we may also have to transfer your data to other CIL entities. Such group data transfers may occur, in particular, if the investigation affects several or other CIL entities.
If your data has to be shared outside of the European Economic Area (“EEA”) or in a country where you may have fewer rights in respect of your information than you do in your country of residence, we will make sure that there is a legal basis for such transfer and that your personal information is adequately protected as required by applicable law, for example, by using standard agreements approved by relevant authorities and by requiring the use of other appropriate technical and organizational measures to protect your personal information or by implementing “Binding Corporate Rules” within our company.
Regardless of where your information is processed, we apply the same protections described in this Policy.
b) Outside CIL
We may also share your personal data with our third-party services providers that may need your data for the purposes described in this policy, such as law firms or auditing companies. These third-party service providers act on our behalf and are bound by law or contract to protect your Personal Data and only use your Personal Data in accordance with our instructions.
We may also only disclose your Personal Data outside CIL:
- When legally needed to comply with legal obligations, investigate legal issues, enforce our rights, protect our property or as needed for any other legal or regulatory investigation or proceeding; or
- When you give us your explicit consent to disclose your Personal Data.
We also utilize the services of a third-party processor, NAVEX, who operates our Integrity Hotline on our behalf. This processor processes personal data collected through the Integrity Hotline on CIL’s behalf and according to our explicit instructions. Contractual arrangements have been established between CIL and this processor to ensure that your personal data is handled securely and in compliance with applicable data protection regulations.
7 How Long We Keep Your Information
Unless otherwise required by law, CIL will keep your personal data for a period of 3 years from the submission date. Where investigations or potential legal proceedings extend beyond this 3-year period, personal data will be promptly deleted upon the conclusion of the investigation and/or settlement of legal proceedings, without undue delay.
For Sensitive Personal Data or personal data classified as very high risk, deletion will be prioritized as soon as its purpose is fulfilled, regardless of the standard retention period.
Properly anonymized or aggregated data stands exempt from these retention periods and may be retained for statistical analysis and to oversee the comprehensive performance and efficacy of our Integrity Hotline procedures.
8 How And Where We Store Your Personal Data
We store your Personal Data carefully. We follow industry standard measures to protect them against unauthorized access to, and unlawful interception or processing of Personal Data. Once we have received your Personal Data, we will use strict procedures and security features to prevent unauthorized access.
The personal data and information you provide will be stored in a database which is located on servers hosted and operated by NAVEX in the United Kingdom. NAVEX has entered into contractual commitments with CIL to secure the information you provide in accordance with applicable law. NAVEX is committed to maintaining stringent data protection and privacy and security practices, including those related to notice, choice, onward transfer, security, data integrity, access, and enforcement.
When your Personal Data has to be transferred to a destination outside the EEA, you must be aware that such destination countries may have different levels of privacy protection than in your country of residence. In such cases we will take all steps legally necessary to ensure that your Personal Data is treated securely and in accordance with this Privacy Policy and the applicable legislation, namely by entering into international transfer agreements or other appropriate safeguards, such as imposing contractual obligations on the recipients of your Personal Data. We may alternatively implement “Binding Corporate Rules”.
9 Your Rights
Depending on and subject to applicable laws, you have certain rights regarding the Personal Data we hold about you. These rights are detailed in our established policies that outline your data protection rights, such as the Data Privacy Policy and Employee Privacy Policy.
These rights can be exercised by contacting our Data Privacy Team and Data Protection Officer at [email protected].
We will respond to your request as soon as practically possible and always within the timeframes set forth by applicable law.
10 Changes to this Policy
CIL may revise this Privacy Policy in response to changes in regulations, established policies, or other relevant circumstances that warrant updates, by updating this document. If we make revisions to this Privacy Policy, we will update the date of this Privacy Policy. We will continue to use and/or disclose Personal Data in accordance with the version of this Policy that was in effect at the time the Personal Data was collected, unless you have agreed to have an updated version of the Privacy Policy apply to the Personal Data collected while a prior version of our Privacy Policy was in force.
11 How You Can Contact Us
Please contact us if you have any complaints, questions or comments about our privacy practices, your privacy choices, or this Policy. You can always reach us by e-mail at [email protected].
You may also contact us to exercise any of the rights mentioned in this Policy.
12 Application of Local Laws
This Policy is designed to set a uniform minimum standard for every CIL entity with respect to its protection of Personal Data. CIL recognizes that certain local laws and regulations may impose additional requirements than those described in this Policy. CIL will endeavor to collect and process Personal Data in accordance with local laws applicable.
13 Relevant Definitions
In the context of this document:
Personal Data
“Personal Data” means any information relating to you that would allow a party to identify you as an individual or to contact you, including, for example, your full name, address, telephone number, document number, birthdate or email address.
Sensitive Personal Data
“Sensitive Personal Data” refers to specific categories of personal information that, if disclosed, can pose a higher risk to your privacy and may include details about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning your sex life, sexual orientation, personal relationships or financial information that could potentially be exploited for unauthorized purposes.
Company, CIL, COFCO
COFCO International Limited and its affiliated companies
Data Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers make decisions about processing activities (GDPR).Data Processor
The natural or legal person, public authority, agency or other body which, processes personal data on behalf of the data controller, in accordance with their instructions and for specific purposes, while not making independent decisions about the processing activities (GDPR).
Data Subjects
A data subject is any person whose personal data is being collected, held or processed.
Updated May 2024.