Data Privacy
We have a Data Privacy Policy with references to “Epiroc’s Data Privacy Framework” which contains more detailed policies and guidelines for specific areas. The policy and the steering documents in the framework contain e.g. group-wide Data Privacy principles for processing of personal data, rights of data subjects, how to report and manage personal data breaches, applicable technical and organizational security measures, how personal data may be transferred internally in the group and externally to vendors and other parties, contact information to relevant stakeholders etc.
In the framework there is an Employee Personal Data Policy which contains detailed information to our employees on the processing of employee personal data e.g. how personal data is collected and processed, retention periods, to whom personal data may be shared and to which countries, employees' rights and how to use them, and where to complain.
There are also a “main Data Privacy requirements for our entities” as well as an “Intragroup Data Processing Policy” which sets out how we process personal data within our group of companies.
In our Privacy Notice and Cookie Notice our Data Subjects can find information about our processing of their personal data. All public-facing websites we maintain at group and local level are required to have privacy notices and cookie notices as well as collect cookie consent in an appropriate way.
We have an Information Security Incident and Data Breach Policy which provides information on how, in the event of an information security incident or a personal data breach, the organization shall act and who to contact. There are also a Data Subject Rights Requirements and a Data Subject Rights procedure with information on how we handle and respond to Data Subject Rights.
When we engage a third party to process personal data on our behalf, we enter into Data Processing Agreement with said processor, based on our template agreement containing the appropriate elements.