British American Tobacco p.l.c. has adopted this policy about the protection of personal data (the “Policy”). It is essential as a multinational group of companies that personal data is allowed to flow freely within the British American Tobacco group of companies while still complying with applicable data protection laws. The Policy has been adopted in order to assist in establishing and maintaining an adequate level of personal data protection in the collecting, Processing, disclosing and cross-border transfer of personal data including that relating to current, past and prospective BAT Personnel, consumers, customers, enquirers, complainants, suppliers, contractors, business associates, and other agents of the Group.
The Policy reflects current international standards for the protection of personal data. Each company within BAT must either adopt this Policy or its own data protection policy which reflects this Policy and which incorporates detailed and specific procedures for the protection of personal data.
The Company Secretary, through the Records Management Counsel, is responsible for maintaining and updating this Policy and for promoting compliance with it throughout the Group.
This Policy comprises the following sections:
- Scope of the Policy
- Data Protection Principles
- Use of Personal Data
- International Databases
- Keeping Personal Data Secure
- Onward Transfers
- Individual’s Rights
- Complaints, Questions and Additional Information
BAT Personnel means all partners, directors, officers, employees, individual contractors and other personnel of a Group company.
Company Secretary means the company secretary of British American Tobacco p.l.c.
Controller means: a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed.
Group means British American Tobacco p.l.c. and all Group companies.
Group company means any company which is a direct or indirect subsidiary of British American Tobacco p.l.c.
Individual means any identified or identifiable natural person; an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity.
Local Personal Data means Personal Data in respect of which a Group company can demonstrate that: (i) it has not been processed outside of the jurisdiction in which the Group company is established; and (ii) it is stored in such a manner that it is reasonably capable of separate identification from any other Personal Data held by the Group company which is not Local Personal Data of that Group company.
Personal Data means any information that relates to a living Individual (not companies or other legal persons) which can be reasonably linked to that Individual. It includes information by which that individual can be identified and includes facts and expressions of opinion about individuals.
Processing of Personal Data shall mean any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation, alteration, maintenance, retrieval, access, consultation, use, transfer, transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Records Management Counsel means the senior employee responsible for promoting data protection compliance, overseeing the development of the Policy and providing advice, guidance and training on all aspects of the Policy as required.
Third Party means any organisation that is not a Group company or any person that is not employed by a Group company.
2. Scope of the Policy
This Policy only applies to Personal Data:
2.1 held at any time by Group companies in a jurisdiction which is either: (a) in the EU or EEA; or (b) not in the EU or EEA, but is a jurisdiction which imposes restrictions on the use of Personal Data substantially equivalent to those in the EU and EEA; or
2.2 transferred by Group companies across national boundaries.
This Policy does not apply to Local Personal Data. Decisions and compliance in relation to Local Personal Data are the preserve of the relevant Group company.
For the Group, Personal Data means the Personal Data belonging to its employees and contractors and the Individuals of each Group company and any Third Party, held by any Group company in both computerised and manually filed records.
This Policy should conform to all applicable national and/or regional laws in the jurisdictions in which Group companies operate and the Policy shall be so construed wherever possible. In the event of any conflict between this Policy and any applicable national and/or regional laws, the provisions of the relevant law shall govern. In this event, the relevant Group company shall immediately notify the Records Management Counsel.
3. Data Protection Principles
The Policy is based on eight fundamental principles, which are common to data protection laws which exist in many jurisdictions in which the Group operates. These are designed to protect Personal Data and represent key rules, compliance with which is required. In handling Personal Data as a Controller, Group companies and BAT Personnel will abide by the following eight key principles:
- Processing - Personal Data must be processed fairly and lawfully.
- Purpose - Personal Data must be obtained only for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with that purpose or those purposes.
- Adequacy - Personal Data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.
- Accuracy - Personal Data must be accurate and, where necessary, kept up to date.
- Retention - Personal Data processed for any purpose or any purposes must not be kept for longer than is necessary to meet the purpose(s) and any legitimate operational, legal and regulatory requirements.
- Individual’s rights - Personal Data must be processed in accordance with the rights of the Individual to whom it relates. This includes the right to access the information, and the right to request that the Group ceases Processing it.
- Security - Appropriate technical and organisational security measures must be taken against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data.
Any non-Group company engaged to process Personal Data on behalf of a Group company can only process such data under contract to the Group company which will stipulate the way in which the Group company allows the Processing to take place.
- International Data Transfers - Some countries restrict the transfer of Personal Data outside of that country and impose particular requirements to ensure the protection and freedoms of Individuals which must be met before Personal Data can be transferred to another country. Personal Data must not be transferred to a country or territory outside the European Economic Area unless the recipient of the data ensures an adequate level of protection for the rights and freedoms of Individuals in relation to the Processing of Personal Data.
The above principles apply to all Processing but specific attention is drawn to the Processing set out below.
4. Use of Personal Data
A Group company may import, collect, use and process Personal Data for a number of reasons including in relation to:
- an individual’s employment and the role of contractors, volunteers, temporary or casual workers in the Group’s business;
- supplying services/projects to the Group;
- Third Party suppliers;
- enquiries or complaints received;
- market research carried out;
- users of Group websites – further information regarding the collection and Processing of data in this regard can be found in the Terms and Conditions of the relevant websites.
5. International Databases
For legitimate business and professional reasons, the Group has created, will continue to create, and will maintain, databases that contain Personal Data about BAT Personnel (and, where applicable, their immediate family members) and consumers, customers, complainants, suppliers, contractors, business associates and other agents of the Group. These databases are part of the shared electronic communications, knowledge management, and information technology environments of the Group and are used to share this Personal Data between Group companies to the extent permitted by law and applicable professional standards.
6. Keeping Personal Data Secure
The Group will take reasonable technical and organisational security measures to prevent the loss, misuse or alteration of Personal Data. Any Third Party, agent or representative of a Group company who requires access to Personal Data is also required to implement reasonable technical and organisational security measures to protect Personal Data.
7. Onward Transfers
Within the global network of the Group, Personal Data may be transferred outside the country in which it was collected, including countries outside of the European Economic Area, for legitimate business activities in accordance with applicable law. In addition, in accordance with applicable law, a Group company may store Personal Data in facilities operated by other Group companies and/or Third Parties on behalf of the Group outside the country in which the data was collected.
Any Third Party, agent or representative of the Group or any Group company who imports Personal Data is required to keep that information confidential and comply with national data protection laws or where applicable be bound by appropriate contractual obligations that protect Personal Data.
8. Individual’s Rights
Where rights are provided to an Individual under an applicable data protection law, an Individual may inquire about what Personal Data the Group holds relating to them.
The Group will take all reasonable steps to ensure Personal Data held by the Group is accurate and shall operate with transparency in regards to the fair Processing of Personal Data and the rights of the Individual.
9. Complaints, Questions and Additional Information
To express a concern, raise a question, make a complaint, or to obtain additional information about the Processing of Personal Data by the Group, the concerned individual should contact the Company Secretary, British-American Tobacco (Holdings) Limited, Globe House, 4 Temple Place, London WC2R 2PG in the first instance.