Data Privacy in Norsk Hydro ASA and Yara International ASA


Data Privacy in Norsk Hydro ASA and Yara International ASA
Malin Tønseth, Head of Data Privacy and Legal Counsel, Norsk Hydro ASA
Cecilie Kjelland, Yara International ASA

How is data privacy handled in Hydro and Yara, and what relevance do the new GDPR rules have for in-house lawyers?
Agenda:
Part I: Organization of the data privacy work in Yara and Hydro
Part II: Data privacy red flags to be aware of when advising clients; the role as Controller: how to comply with the GDPR requirements in the Legal Department

Why is GDPR implementation perceived as difficult?
- New concepts (GDPR, BCR, DPIA, ...)
- Lack of "gut feeling"
- "Data" = IT??
- Difficulty understanding the relevance for one's own work
- Translation into internal work streams

Data Privacy in Yara

Data Privacy work in Yara
- 2014: Work on a draft of "Binding Corporate Rules" starts (HR-initiated)
- 2015-2016: Gap analysis of personal data handling against external/internal requirements
- 2015-2016: Development of an internal framework: directives and procedures
- 2016: Application for approval of the "Binding Corporate Rules" sent to Datatilsynet (the Norwegian DPA). Approved by foreign supervisory authorities (co-reviewers); currently awaiting final approval from Datatilsynet.
- 2016: Mapping of personal data starts: insight into what kind of data we have; key applications with personal data, centrally and locally; identification of risk
- 2016: BCR/Data Privacy established as a separate project
- 2017: Appointment of Yara's Data Privacy organization; start of internal training of employees
- January 2018: Global launch of Yara's Data Privacy program
- Towards May 2018: Continued internal training, review of data processing agreements, development of internal work processes, customer databases

Yara Data Privacy internal framework
Internal control procedures: mapping document; overview of data flows; audit plan; data security breach reporting; role descriptions; annual work cycle
Yara Data Privacy operational procedures: procedure for inspection of emails/electronic documents; access request procedure; complaint handling procedure; retention procedure; digital marketing procedure; secondary purpose procedure; off-boarding procedure
Yara Data Privacy directives (BCRs): employee directive; customer/3rd-party directive

Data Privacy Organization in Yara (org chart)
- Management
- Head of DP
- Key contributors to the DP network: DP contacts for Crop Nutrition, Supply Chain, HR and IT (appointed?)
- Regional DP Coordinators (RDPC): Europe, Asia, North America, Latin America, Brazil, Africa
- IT collaboration teams (examples): existing IT roles, Regional IT Managers

Data Privacy Pulse intranet page in Yara

Organization of the Data Privacy compliance work in Hydro

Risk Universe in Hydro: Data Privacy as part of the overall risk picture
As part of the internal compliance project, 16 main compliance risks were identified, of which Data Privacy was defined as one of the "top-5" high risks. Hydro's compliance system for managing compliance risks sets out certain minimum requirements for the governance of compliance risks that are defined as "high".
Risk universe (chart labels): HSE, Compliance, Data Privacy, Commercial, Competition, Corruption, Financial reporting, Operational, Financial, Strategic, Legal & Regulatory, Cyber Security

Data Privacy compliance system: main components for the governance of data privacy compliance
- "Tone at the top"
- Risk mapping
- Internal control systems
- Steering documents
- Guidelines/tools
- Awareness training
- Monitoring controls
- Self-assessment reviews
- Internal audits
- Data breach alert functions
- Consequences
- Recognition
- Line reporting
- Reporting to BoD
- IAC reporting
- Corporate staff reporting

Data Privacy body of rules: legal and corporate framework
EU General Data Protection Regulation (GDPR):
- Enters into force 25 May 2018
- Stricter rules for data protection in the EU/EEA
- Substantial fines for non-compliance
Hydro's Data Protection Procedure:
- Establishes the general requirements for the processing of personal data in Hydro
- Constitutes Hydro's Binding Corporate Rules (BCR), the legal basis for transfer of personal data from EU/EEA countries to non-EU/EEA countries within the Hydro group of companies

Hydro's plan for getting ready for the GDPR: actions implemented by Hydro
- Global policy for the protection of personal data (Global Data Protection Procedure - BCR)
- Sub-procedures and instructions regarding specific issues of data protection
- Organization of a Data Privacy Network: staff designated to supervise compliance with the data protection requirements
- Records of data processing activities (current and future)
- Reviews and assessments of third-party suppliers and available Data Processing Agreements
- Legal basis for transferring personal information to suppliers outside of the EU (Model Clause agreements, or ensure that the supplier is Privacy Shield certified)
- eLearning, training material, guidelines and Intranet articles (awareness material)
- Data Privacy information on Intranet (static webpage)
- Corporate guideline available on the Hydro intranet (ENG / DE / NO / PT-BR)

Data Privacy work in Hydro: organizational setup (org chart)
- Corporate Compliance: Head of Data Privacy
- Business areas (BA): Bauxite & Alumina, Energy, Primary Metal, Rolled Products, Extruded Solutions; plus Corporate Functions
- Each BA has a DP Coordinator* (B&A, Energy, PM, RP, ES) and DP Champions; the corporate functions have Corp. DP Coordinators** and Corp. DP Champions
- Legally appointed DPOs (where applicable)
- Chart lines: solid line reporting; DP compliance alignment; Data Privacy Network
* The BA Data Privacy Coordinator assists line management with coordinating the data privacy compliance work in the relevant BA
** The main corporate functions appoint their Data Privacy Coordinator to assist line management with the compliance work in the relevant function

Governance and organization of work: roles and responsibilities
Head of Data Privacy:
- Supervise Data Privacy compliance in Hydro globally
- Monitor and support global implementation of Hydro's BCR
- Chair Hydro's Data Privacy Network
- Report to the management board on DP issues
Data Privacy Coordinators (BA / corporate level):
- Monitor and coordinate data privacy compliance work in the business areas
- Report data privacy compliance to the Head of Data Privacy
- Contribute to Hydro's Data Privacy Network
Data Privacy Champions (HR/ISIT/Communications):
- Hands-on data privacy compliance work in areas and units
- Assist the Data Privacy Coordinators as appropriate

Applicable data privacy principles, derived from Hydro's Data Protection Procedure (planned to be launched in March)
Guidance sheets available on the Hydro Intranet:
- General introduction to data protection (GS#1)
- Protect personal data and respect confidentiality (GS#2)
- Keep personal data secured (GS#3)
- Keep collection of personal data to a minimum (GS#4)
- Personal data retention and deletion (GS#5)
- Information security measures (GS#6)
- Data processing agreements (GS#7)

Data Privacy awareness activities: timeline / plan 2018 (Q1-Q4, Jan-Dec)
- International Data Privacy Day
- Launch of the DP static site on the Intranet
- Awareness activity
- DP management information package
- DP workshops for specific target groups
- DP eLearning training launch

Red flags to be aware of when advising clients

Our global presence is growing
- 14 736: the number of people we employ
- +160: the number of countries we sell to
- +60: the number of countries we operate in
- 300 million: people our products help to feed
- 50 million: citizens our products deliver fresh air for
- 240 million tons: grains our products help produce
- 15 million: the number of farmers we work with

Our integrated business model creates value through scale and flexibility

Data Privacy: why is it relevant for all employees?
Differences from "traditional compliance":
- Complexity: a large number of requirements
- Most requirements apply in many work streams (example: assessments when data is used for a new purpose)
- Often a lack of overview of one's own storage/use of personal data
- What is personal data, really? Necessary to understand in order to see the relevance
- Is Data Privacy an IT thing? A legal thing?

Example of translating rules/procedures into a work stream (HR)
Recruitment process:
- Mapping of current/internal resources
- Advertising and receipt of CVs
- Internal distribution of CVs
- Assessment and selection of candidates → Use of external advisers? → Outside the EU/EEA? → Data processing agreement? → EU Model Clause Agreement?
- Interview assessments
- Feedback to applicants
- Storage of CVs for later use
- Storage of the new employee's personal data in HR systems

Red flags to be aware of when advising your clients
Is the use of personal data within the intended purpose?
- Secondary purpose assessment (Art. 1 b GDPR)
- Be aware of use of employee information for control/monitoring purposes
What happens to the data after collection/processing?
- The client must be aware of the duty to delete data when the purpose is fulfilled (Chapter 2 GDPR)
- Limit distribution (Chapter 2 GDPR)
- Avoid collecting personal data that is not necessary for fulfilling the purpose (Chapter 2 GDPR)
Does the client rely on consent from the data subject as legal basis?
- Consent for processing of employee personal data is normally not valid (Art. 7 GDPR)
- Be aware of digital marketing initiatives: consent is often needed (marketing legislation)
Is your company providing sufficient information to the data subjects?
- Easily accessible privacy policies and/or other information documents (Art. 12-14 GDPR)
- An opt-out option may have to be provided (Art. 18 + 21 GDPR); always a right for digital marketing initiatives

Red flags to be aware of when advising your clients (cont.)
Does the contract imply that one party processes data on behalf of the other party?
- Data processing agreement (Art. 28 GDPR)
- Software providers
- Travel agencies, other service providers and consultants
- Talent databases
- Sub-contractors (supply chain, construction projects, intermediates)
Will personal data be transferred outside the EU as part of the project/contract?
- EU Model Clause Agreement, US Privacy Shield or another basis is necessary (Chapter 5 GDPR)
- Does your contract party use sub-contractors outside the EU/EEA or store personal data outside the EU/EEA?
M&A: Is the M&A object able to demonstrate Data Privacy compliance?
- Ensure DP is part of the DD process
- Ensure secure and compliant handling of personal data in the IDD process
Does the project imply extensive and/or new processing of personal data?
- Risk assessments: DPIAs (Art. 35 GDPR)
- Assessment of legal basis and purpose for processing (Chapter 2 GDPR)

AWARENESS ASSESSMENT DOCUMENTATION

Compliance with GDPR – Legal Department in the role as data controller

Compliance with GDPR – Legal Department in the role as data controller
- "Controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
- The GDPR generally applies to the legal department in its role as a controller
- The legal department's own processing activities (including when processing clients' personal data)
- Generally not regarded as an (internal) processor / no need for internal data processing agreements
- Legal basis for processing personal data: GDPR art. 6 (general requirement) / GDPR art. 9 (special data)
- The GDPR requirements on confidentiality apply in addition to the statutory duty of confidentiality applicable to lawyers

Lawfulness of processing
Personal data (general):
- GDPR art. 6, 1 a) – Consent
- GDPR art. 6, 1 b) – Performance of a contract
- GDPR art. 6, 1 c) – Compliance with legal obligation
- GDPR art. 6, 1 d) – Protect vital interests
- GDPR art. 6, 1 e) – Pursue public interests
- GDPR art. 6, 1 f) – Pursue legitimate interests (balancing interests of data subjects)
Special categories of data (selection):
- GDPR art. 9, 2 a) – Consent
- GDPR art. 9, 2 b) – Obligations under employment law
- GDPR art. 9, 2 f) – Establishment, exercise or defence of legal claims
- GDPR art. 9, 2 h) – Health, medicine, social care (preventive / occupational)

Legal basis - the role as (internal) legal counsel (examples)
Processing purpose: legal basis for processing
- Client relationship administration: GDPR art. 6 nr. 1, a (consent), b (agreement) and c (legal requirement); GDPR art. 9 nr. 2, f (establish a legal claim)
- Case handling: GDPR art. 6 nr. 1, a (consent) and f (legitimate interests)
- Knowledge management: GDPR art. 6 nr. 1, f (legitimate interests) (avoid sensitive personal data)
- Archiving: GDPR art. 6 nr. 1, b (agreement), c (legal requirement), f (legitimate interests)
- Employee administration: GDPR art. 9 nr. 2, b (agreement)

Specific processing activities - legal department (examples)
Activities: investigations, whistleblowing, screenings, authorizations, CCTV / access controls, data logging (IT systems), insider lists, etc.
National law (examples): Bokføringslov (Bookkeeping Act), Hvitvaskingslov (Anti-Money Laundering Act), Arbeidsmiljølov (Working Environment Act), Verdipapirlov (Securities Act), Straffelov (Penal Code), Diskrimineringslov (Anti-Discrimination Act), etc.
Legal basis: GDPR art. 6, 1 c); art. 9, 2 b) & f)

Records of processing activities (GDPR art. 30)
The requirement for a controller to maintain records of processing activities under its responsibility (i.e. a description "per activity" of the following):
- Purpose of processing
- Categories of personal data and data subjects
- Categories of recipients
- Transfers of the personal data (where applicable)
- Envisaged time limits for erasure of the different categories
- General description of technical and organizational security measures

Records of processing activities: template (columns)
Processing purpose | Personal data (what?) | Legal basis (why?) | Recipients outside the org. (who?) | DPA ref (legal basis for disclosure?) | Transfers (legal basis for transfer?) | Retention period (how long?) | TOMs (how?) | Internal resp.
Rows (examples): Client relationship administration | Case handling | Knowledge management | Archiving | Employee administration | Security
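The art. 30 record and the red-flag checklists above can be turned into a mechanical first pass over a register of processing activities. The following is an added example, not code from the Hydro or Yara presentation or from either company: it defines one record per processing activity with the art. 30 fields, then checks each record for the situations the slides flag (missing art. 30 content, consent as basis for employee data, special categories without an art. 9(2) ground, external processors without a data processing agreement, transfers outside the EU/EEA without a legal basis). The field names, the "art6_1_a"-style basis notation, the country codes and both sample records are constructed for the example.

```python
"""Added example: a minimal completeness and red-flag checker for a record of
processing activities (GDPR art. 30). Not from the presentation; field names,
basis notation and sample records are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# EU member states plus Iceland, Liechtenstein and Norway (the EEA), ISO 3166 codes.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}

# Content that art. 30(1) requires the controller to document per activity.
REQUIRED = ("purpose", "data_categories", "data_subjects", "recipients",
            "retention", "security_measures")

# Data categories treated here as art. 9 "special categories" (subset, assumed).
SPECIAL = {"health", "trade_union", "biometric", "ethnic_origin"}


@dataclass
class Recipient:
    name: str
    country: str              # ISO 3166 code of where the recipient processes the data
    processor: bool = False   # processes on our behalf -> art. 28 agreement needed
    has_dpa: bool = False     # is a data processing agreement in place?


@dataclass
class ProcessingRecord:
    purpose: str
    data_categories: List[str]
    data_subjects: List[str]
    legal_basis: str                       # e.g. "art6_1_f" (constructed notation)
    recipients: List[Recipient]
    retention: str                         # envisaged time limit for erasure
    security_measures: str                 # TOMs, general description
    transfer_basis: Optional[str] = None   # e.g. "eu_model_clauses" (chapter 5)
    special_basis: Optional[str] = None    # art. 9(2) ground, if special data


def check_record(rec: ProcessingRecord) -> List[str]:
    """Return the findings for one record; an empty list means no red flag."""
    findings: List[str] = []
    # Art. 30 completeness: every required element must be documented.
    for name in REQUIRED:
        if not getattr(rec, name):
            findings.append(f"art. 30: '{name}' is not documented")
    # Consent is normally not a valid basis for employee personal data.
    if rec.legal_basis == "art6_1_a" and "employees" in rec.data_subjects:
        findings.append("art. 7: consent relied on for employee personal data")
    # Special categories need an additional art. 9(2) ground.
    if any(c in SPECIAL for c in rec.data_categories) and not rec.special_basis:
        findings.append("art. 9: special categories without an art. 9(2) basis")
    for r in rec.recipients:
        if r.processor and not r.has_dpa:
            findings.append(f"art. 28: no data processing agreement with {r.name}")
        if r.country not in EEA and not rec.transfer_basis:
            findings.append(f"chapter 5: transfer to {r.name} ({r.country}) "
                            "without a legal basis")
    return findings


# Constructed sample records: one complete, one with several red flags.
CLEAN = ProcessingRecord(
    purpose="Client relationship administration",
    data_categories=["contact details"],
    data_subjects=["clients"],
    legal_basis="art6_1_b",
    recipients=[Recipient("Matter management SaaS", "IE", processor=True, has_dpa=True)],
    retention="5 years after end of engagement",
    security_measures="role-based access, encrypted storage",
)

FLAGGED = ProcessingRecord(
    purpose="Employee administration",
    data_categories=["contact details", "health"],
    data_subjects=["employees"],
    legal_basis="art6_1_a",
    recipients=[Recipient("HR outsourcing vendor", "US", processor=True, has_dpa=False)],
    retention="",                       # never documented
    security_measures="access restricted to HR",
)

if __name__ == "__main__":
    for rec in (CLEAN, FLAGGED):
        print(rec.purpose, "->", check_record(rec) or ["no findings"])
```

Run as a script it prints no findings for the first record and five for the second (missing retention period, consent for employee data, health data without an art. 9(2) ground, a processor without a DPA, and a transfer to the US without a chapter 5 basis). The checks are deliberately only those the slides name; a real register would add the assessments the slides leave to the lawyer, such as whether the stated purpose still covers a secondary use.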

Obligations and principles applicable to the Controller
- Must know why data is being used, which data is needed and of what quality, and not ask for more data than necessary
- Be transparent about the processing: provide understandable information to the affected persons
- Keep data no longer than necessary
- Observe the right to access one's own personal data (nb: conflicting confidentiality rights?)
- Privacy by design: think about data protection when designing and developing IT solutions
- Ensure that data processing agreements are in place with suppliers, and that the suppliers have sufficient information security

Applying the obligations in practice
- Data minimization: keep collection of personal data to a minimum
- Privacy by design: think confidentiality, security, integrity and quality of the personal data, and build it into the design
- Privacy impact assessment; consider: the nature, sensitivity and volume of personal information; the ease of identification of individuals; the severity of consequences for individuals; the special characteristics of the individuals; the special characteristics of the data controller
- Storage limitation: store collected data in as few IT systems/physical files as possible; pay attention to unstructured data, "inbox issues", old archives, sensitive data in case documents, etc.
- Access restrictions and controls, supported by internal instructions and confidentiality requirements
- Routines for retention and deletion of personal data
The legal department in the role as a data controller is not a "high risk" group; however, it is expected to be best in class (or, at least, to "set a good example").

Documentation overview: recommended actions
- Internal routine descriptions
- Records of processing activities
- Assignment confirmation / agreements
- Internal control documentation: preventing, detecting, reporting / responding
- Documentation of privacy risk assessments
SOPs (examples): access rights; retention and deletion of data; email access; risk assessments / DPA
Data Processing Agreements
Privacy Statement

Thank you!