Global Data Privacy Policy

1. Objective

Data Privacy (also referred to as data protection) is an individual’s right to the protection of his or her personal information. This right is governed by a system of laws, rules and principles that are applicable throughout the entire information lifecycle.

When a Varel Company collects and uses Personal Data of, for example, employees, suppliers, or customers, it is subject to data privacy laws and regulations in those jurisdictions where the processing takes place. When Personal Data is transferred across country borders, or when Personal Data relating to individuals in one jurisdiction is processed in another jurisdiction, the rules of several jurisdictions will need to be taken into account. Breaches of data privacy laws can have severe financial and reputational consequences for Varel.

Varel’s Code of Conduct and the Core Values form the foundation for conducting our business with honesty, integrity, and high ethical standards. The fundamental data privacy commitments by the Group are set out in the Code of Conduct.

The purpose of this Data Privacy Policy is to set out rules for the Processing of Personal Data within Varel, to ensure that Varel can comply with applicable Data Privacy laws and requirements. The Policy aims to establish a common Data Privacy platform that will minimize the risk for breaches.

The Data Privacy Policy also describes what employees and other stakeholders can expect from Varel Companies with regard to their data privacy.

2. Definitions

For purposes of this Policy, the defined terms below shall have the following meaning:

  • Personal Data means any information relating to an identified or identifiable natural person ('Data Subject'). For example, personal data includes information such as name, address, date of birth, or a description of the way someone looks or behaves.
  • Data Subject means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. This includes, but is not limited to, collecting, recording, organizing, structuring, storing, adapting or altering, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Varel Company means Varel and any company in which Varel, directly or indirectly, has a majority shareholding or owns or controls the majority of the voting rights.
  • Data Controller means the legal entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data Processor means a legal entity which processes Personal Data on behalf of the Data Controller.
  • Sensitive Personal Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. This is known as “special categories” of Personal Data in certain jurisdictions.

3. Scope

The Data Privacy Policy applies to all Processing of Personal Data by any Varel Company. Together with the applicable procedures, it sets out the rules for the Processing of Personal Data within Varel. The Data Privacy Policy is also applicable when a Varel Company uses a Data Processor. This Data Privacy Global Policy applies globally to all Varel Companies and their employees.

4. Relation to National Laws

This Data Privacy Policy comprises the minimum standard of privacy principles under which Varel must conduct its business without replacing requirements in national laws. The relevant national law will take precedence in the event that it conflicts with this Data Privacy Policy, or if the national laws have stricter requirements than the Data Privacy Policy. The content of this Data Privacy Policy must be observed even in the absence of corresponding national legislation or where the national legislation is less strict than the principles of this Policy.

5. General data protection rules

All Processing of Personal Data within Varel must meet the following requirements:

(a) Collection for a purpose - Personal Data may only be collected for specified explicit and legitimate purposes.

(b) Purpose and use specified at the time of collection - The purposes for which Personal Data are collected shall be specified no later than at the time of the collection of data. Further Processing of collected Personal Data may not be done in a manner that is incompatible with the initial purposes.

(c) Limit Processing to what is necessary - Personal Data shall at all times be limited to what is necessary, adequate, relevant, and not excessive in relation to the purposes for which the data is processed.

(d) Retention - Personal Data shall not be kept for a longer period of time than necessary.

(e) Accurate, complete and up-to-date - Personal Data shall at all times be accurate, complete, and kept up-to-date.

(f) Security, integrity and confidentiality - All Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful access and Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. This includes a requirement that all Personal Data be handled in accordance with the Varel Information Security Procedure.

(g) Fairness, lawfulness, and transparency - All Processing of Personal Data shall be done in a fair, lawful and transparent manner towards the Data Subject and with a general guiding principle of openness about the developments, practices and policies with respect to Personal Data. Furthermore, the Data Subject's right to access their Personal Data must be facilitated.

Because Personal Data flows in every part of the organization throughout Varel, the policy requires that controls are integrated into the standard processes and systems that manage such data. These processes and systems are owned by functions such as HR, Communications, IT, Legal, etc.

The policy requires that the various process and system owners assess the gaps in existing processes and systems and amend these to ensure policy compliance. The Data Privacy Interdisciplinary Team shall provide tools and advice to assist process and system owners in carrying out the required gap analysis and making such amendments as necessary.

6. Requirements for Processing Personal Data

The rules to be followed in order for Processing of Personal Data to be lawful will vary depending on the type of data.

Additional requirements for Sensitive Personal Data are outlined in section 6.3.

6.1 Employee data

Processing of employee data is prohibited unless the Processing is done in accordance with at least one of the following conditions.

(a) Administration of the employment relationship - In employment relationships, Personal Data can be processed if needed for recruitment, to carry out and terminate the employment agreement.

(b) Consent by the employee - Employee data may be processed on the basis of consent only if this is explicitly authorized in national law. A consent is only valid if it is freely given and is unambiguous. Each consent must be individually documented in writing or electronic form. Before a consent is given, the employee must have been informed about all relevant circumstances in a clear and plain language. The employee must at all times have access to a simple and efficient procedure that allows him or her to withdraw the consent for future Processing without negative consequences for him or her.

(c) Legitimate interest of Varel - The Processing is necessary for the purposes of the legitimate interests pursued by the Varel Company being the Data Controller and there are no reasons for assuming that the employee has an overriding interest or right which requires protection and thus precludes the processing. Before the processing of personal data based on the legitimate interest of Varel begins, a balancing test must be conducted and documented.

(d) Permitted or required by law - The Processing is stipulated or permitted by the European Union (EU) or EU Member State laws and regulations that apply for the relevant Varel Company.

(e) Emergency – Processing is also allowed, exceptionally, to protect the life, health or safety of the employee or any other person.

6.2 Business partner data

Business partner data is all Personal Data that relate to customers, suppliers, commercial intermediaries, contact persons, shareholders and other business partners and contracting partners.

Processing of business partner data is prohibited unless the Processing is done in accordance with at least one of the following conditions.

(a) Consent – The Data Subject has given his or her free and unambiguous consent. Each consent must be individually documented in writing or electronic form. Before a consent is given, the Data Subject must have been informed about all relevant circumstances in a clear and plain language. The Data Subject must at all times have access to a simple and efficient procedure that allows him or her to withdraw the consent for future Processing without negative consequences for him or her.

(b) Performance of a contract – If the Processing of business partner data is required for the purpose of creating, executing or terminating a contractual relationship or similar relationship with the Data Subject.

(c) Legitimate interest of Varel - The Processing is necessary for the purposes of the legitimate interests pursued by the Varel Company being the Data Controller and there are no reasons for assuming that the employee has an overriding interest or right which requires protection and thus precludes the processing. Before the processing of personal data based on the legitimate interest of Varel begins, a balancing test must be conducted and documented.

(d) Permitted or required by law - The Processing is stipulated or permitted by the EU or EU Member State laws and regulations that apply for the relevant Varel Company.

(e) Emergency - The Processing is required, exceptionally, to protect the life, health or safety of the Data Subject.

6.3 Additional requirements for Sensitive Personal Data

Processing of Sensitive Personal Data is always prohibited unless one of the following circumstances applies:

(a) Consent - The Data Subject has given a valid consent according to the requirements in section 2.1 or 2.2 to the Processing of those specific Sensitive Personal Data for one or more specified purposes, except if EU or EU Member State law states that the prohibition cannot be lifted by the Data Subject;

(b) Employment relationship - The Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Data Controller or of the Data Subject in the field of employment and social protection law in so far as it is authorized by law or a collective labor agreement;

Before processing of Sensitive Personal Data begins, a Privacy Impact Assessment must be conducted.

7. Data transfers

The transfer of Personal Data between different entities, be they Varel Companies or counterparties external to Varel, is subject to specific rules. These are indicated below.

7.1 Intra Group Transfers

Personal Data may be transferred from a Varel Company to another Varel Company if:

(a) Both Varel Companies are within the same jurisdiction with restrictions on data transfer, such as within the EU/EEA, or

(b) Both the sending and the receiving Varel Company have signed the Varel Intra Group Data Transfer Agreement (VIGDTA), or

(c) Other measures have been taken which allow the transfer of Personal Data in accordance with applicable law, but not in violation of EU Law, for example obtaining the data subject’s consent to the transfer or registering the transfer with the relevant authorities, or

(d) None of the above prerequisites is applicable but the transfer is confirmed permissible by the Data Privacy Interdisciplinary Team or the Executive Leadership Team.

7.2 External Transfers

External transfer is the transfer of Personal Data from a Varel Company to a company, organization, or person not part of Varel. The recipients of transferred Personal Data will be either Data Processors or Data Controllers.

7.2.1 External transfers to Data Controllers

Before Personal Data is transferred from a Varel Company to a Data Controller outside of Varel, the Varel Company must ensure that the external Data Controller will process the transferred data in accordance with applicable laws. This should be done through both parties executing a written contract between the Varel Company and the receiving Data Controller.

7.2.2 External transfers to Data Processors

When Processing is to be carried out by an external Data Processor on behalf of and under the instructions of a Varel Company, the Varel Company shall only use Data Processors which provide adequate guarantees such that the Processing will meet the requirements of applicable laws and ensure the protection of the rights of the Data Subject.

The Processing by a Data Processor shall be governed by a contract (Data Processing Agreement). Specific contractual requirements are detailed in the Guidance on external data transfer.

7.2.3 External cross border transfers to Data Controllers or Data Processors

Transfer of Personal Data from a Varel Company within a jurisdiction (country or region) with restrictions on data transfers to a Data Processor or a Data Controller in another jurisdiction (country or region) is subject to additional requirements. Specialist legal advice must be sought (refer to the Data Privacy Interdisciplinary Team). An international data transfer agreement with model contractual clauses will be required to be entered into.

8. Rights of the Data Subject

Every Data Subject whose Personal Data is processed by a Varel Company has the following rights.

(a) Right to access and right to information - Each Data Subject may demand a copy of and information about Personal Data processed in relation to him or her, its origin, and the purpose of the Processing. The Data Subject also has the right to information about the identity of the Data Controller and, in the event of the transfer of Personal Data, information about the recipients.

(b) Rectification - The Data Subject has the right to demand rectification if his or her Personal Data is found to be incorrect or incomplete and the right to have inaccurate Personal Data rectified.

(c) Deletion - The Data Subject has the right to demand that his or her Personal Data be deleted if the data Processing was unlawful or has become unlawful in the interim, as soon as the data is no longer required for the purpose of the Processing, or if he or she withdraws his or her consent to processing and there is no other legal ground for processing.

(d) Restriction – The Data Subject has the right to request that their Personal Data is not used or no longer used for a particular purpose. The right to restrict processing applies in limited circumstances only and does not necessarily apply to all Personal Data held about the Data Subject.

(e) Data portability - The Data Subjects have the right to request a copy of their Personal Data in a commonly used, machine readable format, but this right is limited to information directly provided by the individual pursuant to their consent or where it is necessary for the performance of a contract and the processing is carried out by automated means.

(f) Withdraw consent/object to processing – The Data Subject has the right to withdraw their consent from processing activities, including but not limited to marketing and/or where the processing is based on legitimate interests, public task/interest grounds or where it is processed for the purposes of historical or scientific research, or statistical purposes.

(g) Automated decision making – The Data Subject has the right not to be subjected to purely automated decision making, where it would have a legal or a significant effect on them.

8.1 Data Subject Requests

All communication with the Data Subject shall be in a clear and plain language. The information may be provided in writing, electronically or, if requested by the Data Subject, orally, provided that the identity of the Data Subject is proven by other means.

(a) Varel shall provide information on any actions taken on such a request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. Varel shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

(b) In the event Varel does not take action on the request of a data subject, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

9. Breach and incident management

Breaches or incidents endangering the security and/or the confidentiality of the Personal Data including breaches or incidents which could result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed shall be reported in accordance with the Information Security Procedure or the IT Security Procedure.

All reporting to Data Protection Authorities of breaches and incidents as defined in this section shall be done by the Data Privacy Interdisciplinary Team.

All employees have an obligation to report all actual and potential data breaches.

10. Training

Training in the principles of the Data Privacy Policy shall be available through e-learning and face-to-face packages. These include general awareness training and more detailed training for specific employees who have direct responsibilities for aspects of policy implementation. Details of the training packages may be obtained from the Data Privacy Interdisciplinary Team and the intranet.

11. Security

Varel has to take appropriate organizational and technical measures to keep personal information secure from accidental, unlawful or unauthorized destruction, loss, alteration, disclosure or access.

The data protection laws require Varel to put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data may only be transferred to a third-party data processor if the processor agrees to comply with those procedures and policies, or if the processor puts in place adequate measures itself.

Maintaining data security means guaranteeing the confidentiality, integrity, and availability of the personal data, defined as follows:

  • Confidentiality means that only people who are authorized to use the data can access it.
  • Integrity means that personal information should be accurate and suitable for the purpose for which it is processed.
  • Availability means that authorized users should be able to access the data if they need it for authorized purposes. Personal Data should therefore be stored in an appropriately secure way on Varel’s central computer system.

12. Third Party Processing

Varel is committed to ensuring that third party Controllers and Processors with whom Personal Data is shared afford a similar level of protection for the Personal Data as Varel. Varel has established processes which require that prior to a transfer of Personal Data to a third party the contracting Varel entity:

  • Carries out pre-contractual due diligence assessment(s) to ensure the Processor(s) are compliant with applicable data protection laws and are able to provide sufficient guarantees to implement measures as may be appropriate;
  • Ensures written agreements are put in place and documented;
  • Ensures appropriate procedures are implemented to carry out regular and ongoing due diligence assessment(s) on the Processor(s) to ensure continued compliance with applicable data protection laws and appropriate security measures identified.

13. Roles and responsibilities

The rules in this Data Privacy Policy should be transcribed and implemented in relevant policies, procedures and guidelines as laid down in this section.

Group Functions

Group Function and Department Heads are responsible for:

(a) Implementing the data privacy requirements of applicable common functional processes (policy and procedures);

(b) Amending applicable and existing common processes (policy and procedure) within their functional authority to ensure they are compliant with the processing and transfer of personal data requirements as outlined in this policy;

(c) Communicating amendments made to existing functional processes (policy and procedure) through the existing networks and channels to applicable functional managers throughout the Group for implementation; and

(d) Facilitating Group function employees to source advice on Data Privacy.

Data Privacy Interdisciplinary Team

(a) The Data Privacy Interdisciplinary Team is the owner of the Data Privacy Policy and as such responsible for:

  • ensuring that the Data Privacy Policy is properly communicated to the applicable responsible persons in the Business Areas and Group Functions,
  • having oversight of the implementation,
  • developing further guidance on the Data Privacy Policy and its objectives,
  • creating systems for monitoring and reporting,
  • issuing legal advice on Data Privacy related issues,
  • coordinating contacts with Data Protection authorities,
  • ensuring that Data Privacy training is made available.

Each Varel Employee

Varel employees are responsible for complying with this Data Privacy Policy and supporting standards and procedures.

Anyone who becomes aware of any violation of this Policy should report the matter immediately to the Human Resources department. Alternatively, the relevant national data protection authority may be contacted.

14. Measurement of success

The implementation of this policy shall be evaluated on a regular basis by the Data Privacy Interdisciplinary Team. This is carried out in consultation with, and with the assistance of, the Group Functions.

15. References to further information

(a) Privacy Impact Assessment template,

(b) Privacy and Cookie Notice Assessment template,

(c) Privacy Notice to employees Assessment template,

(d) Risk Assessment template,

(e) Data Processor Assessment template.