GDPR Privacy Statement
1. BACKGROUND:
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation on personal data protection and privacy for all individuals within the European Union and, when ratified, the other members of the European Economic Area (EEA)[1]. It also addresses the export of personal data outside the EU. The GDPR firmly establishes personal privacy as a human right and gives individuals in the EU control over their personal data. It aims to harmonize the laws across the EU with regard to the handling of personal data and its controls. The GDPR has been effective since 25 May 2018 and replaces the 1995 Data Protection Directive.
2. PURPOSE:
This GDPR Privacy Statement documents Worldwide’s formal declaration of its intentions and commitments under the GDPR when managing the personal data and sensitive personal data (of customers, employees, contractors, Sponsors, consultants, vendors and other third parties) processed by Worldwide. Worldwide recognizes that the correct and lawful treatment of personal data maintains confidence in the organization. Protecting the confidentiality and integrity of personal data is a critical responsibility that Worldwide takes seriously at all times. This GDPR Privacy Statement supplements Worldwide’s Global Privacy Statement.
3. SCOPE:
This GDPR Privacy Statement applies to all personal data that is collected, used, transferred, stored, destroyed, or disclosed, regardless of the media on which that data is stored. Articles, recitals and terms referenced in this document refer to articles, recitals and terms of the GDPR.
4. POLICY:
4.1 PERSONAL DATA PROTECTION PRINCIPLES (Article 5)
Worldwide adheres to the six (6) principles relating to the processing of personal data set out in the GDPR, which require that personal data be:
- Lawfulness, Fairness and Transparency: Processed lawfully, fairly and in a transparent manner.
- Purpose Limitation: Collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimization: Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: Accurate and, where necessary, kept up to date.
- Storage Limitation: Not kept in a form that permits identification of data subjects for longer than is necessary for the purposes for which the data is processed.
- Security, Integrity and Confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
4.2 LAWFULNESS, FAIRNESS and TRANSPARENCY (Article 6)
4.2.1 Legal Basis (Article 6)
Worldwide confirms that its processing of personal data rests on at least one of the following legal bases, for one or more specific purposes:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- For the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- For compliance with a legal obligation to which Worldwide, when acting as the controller, is subject;
- To protect vital interests of the data subject;
- For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- For the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4.3 CONSENT (Article 7)
When acting as the controller and where required by law, Worldwide commits to obtaining consent for the processing of personal data, and ensures that data subjects:
- Consent to the processing of their personal data and indicate their agreement clearly, either by a statement or by an affirmative action.
- Can easily withdraw consent to processing at any time, and that withdrawal is promptly honored.
4.4 TRANSPARENCY (Article 12)
4.4.1 When acting as the controller, Worldwide provides detailed, specific information to data subjects, which differs depending on whether the personal data is collected directly from the data subject or from elsewhere. The Worldwide Employee Privacy Notice provides this information in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
4.4.2 Whenever Worldwide collects personal data from data subjects, including for human resources or employment purposes, the data subject is provided with all the information required by the GDPR, including the identity of the controller and of the Data Protection Officer (DPO), and how and why Worldwide uses, processes, discloses, protects and retains that personal data. This information is provided through a privacy notice presented when the data subject first provides the personal data.
4.5 RIGHT OF ACCESS (Article 15)
4.5.1 Worldwide honors requests from a data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the personal data and the other information required by the GDPR.
4.6 PURPOSE LIMITATION
Personal data is collected only for specified, explicit and legitimate purposes. It is not further processed in any manner incompatible with those purposes. Personal data is not used for new, different or incompatible purposes beyond those disclosed when it was first obtained unless Worldwide has informed the data subject of the new purposes and, where necessary, obtained his or her consent, or the new processing is otherwise permitted by law.
4.7 DATA MINIMISATION
Personal data is to be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Worldwide ensures any personal data collected is adequate and relevant for the intended purposes.
4.8 ACCURACY
Personal data is accurate and, where necessary, kept up to date. It is to be corrected or deleted without delay when inaccurate. Worldwide ensures that personal data that is used and held is accurate, complete, kept up to date, and relevant to the purpose for which it was collected.
4.9 STORAGE LIMITATION
Personal data is not kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. Generally, and as required by law:
- Worldwide does not keep personal data in a form which permits the identification of the data subject for longer than needed for the legitimate business purpose or purposes for which Worldwide originally collected it, including for the purpose of satisfying any legal, accounting or reporting requirements.
- Worldwide has Retention Policies and procedures to ensure personal data is deleted once it is no longer needed for the purposes for which it was held, unless a law requires such data to be kept for a minimum period.
- Worldwide ensures data subjects are informed of the period for which data is stored and how that period is determined in any applicable privacy notice.
4.10 SECURITY INTEGRITY AND CONFIDENTIALITY (Article 32)
4.10.1 Protecting Personal Data
Worldwide protects the personal data it holds by maintaining data security and protecting the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who have a need to know and are authorized to use the personal data can access it.
- Integrity means that personal data is accurate and suitable for the purpose for which it is processed.
- Availability means that authorized users are able to access the personal data when they need it for authorized purposes.
4.10.2 Personal data is secured by appropriate technical and organisational measures against unauthorized or unlawful processing, and against accidental loss, destruction or damage.
4.10.3 Worldwide has developed, implemented and maintains safeguards (including encryption and pseudonymisation where applicable) appropriate to its size, scope and business, its available resources, the amount of personal data it holds or maintains on behalf of others, and the risks identified.
4.10.4 Worldwide regularly evaluates and tests the effectiveness of those safeguards to ensure the security of its processing of personal data, and implements reasonable and appropriate security measures against unlawful or unauthorized processing of personal data and against the accidental loss of, or damage to, personal data.
4.11 REPORTING A PERSONAL DATA BREACH (Articles 33, 34)
When acting as the controller and where required under Articles 33 and 34, Worldwide notifies the competent supervisory authority (without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to their rights and freedoms, the affected data subjects. Worldwide has procedures in place to deal with suspected personal data breaches and to notify the competent supervisory authority and/or data subjects where legally required to do so.
4.12 TRANSFER LIMITATION (Articles 44-50)
Data transfers to countries outside the EU are only permissible where conditions are in place to ensure the level of data protection afforded to individuals by the GDPR is not undermined.
4.12.1 Transfers to countries outside of the EU may be made on the basis of an adequacy decision, subject to appropriate safeguards (including standard contractual clauses), by way of an approved derogation (including explicit consent), or on another basis set forth in the GDPR or local implementing law.
4.12.2 Worldwide does not share personal data with third parties unless appropriate safeguards and contractual arrangements have been put in place. Personal data is not shared with another employee, agent or representative of Worldwide’s group (which includes its subsidiaries and its ultimate holding company, along with its subsidiaries) unless the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
4.12.3 For example, Worldwide shares the personal data it holds with a service provider only if:
- They have a need to know the information for the purposes of providing the contracted services;
- Sharing the personal data complies with the privacy notice provided to the data subject and, if required, the data subject’s consent has been obtained;
- The third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- The transfer complies with any applicable cross border transfer restrictions; and
- A fully executed written contract containing the third-party clauses required by the GDPR has been obtained.
4.13 DATA SUBJECT’S RIGHTS AND REQUESTS (Articles 12-21)
Worldwide protects the rights of data subjects in how their personal data is handled, inclusive of the following rights afforded to EU data subjects under the GDPR:
- Withdrawing consent to processing at any time.
- Receiving certain information about the controller’s processing activities.
- Requesting access to their personal data that Worldwide holds.
- Objecting to the use of their personal data for direct marketing purposes.
- Asking Worldwide to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed, to rectify inaccurate data, or to complete incomplete data.
- Restricting processing in specific circumstances.
- Challenging processing which has been justified based on Worldwide’s legitimate interests or in the public interest.
- Requesting a copy of an agreement under which personal data is transferred outside of the EU.
- Not being subject to decisions based solely on automated processing, including profiling or automated decision-making (ADM).
- Preventing processing that is likely to cause damage or distress to the data subject or anyone else.
- Notification of a personal data breach which is likely to result in high risk to their rights and freedoms.
- Making a complaint to the supervisory authority.
- Receiving their personal data, or asking for it to be transmitted to a third party, in a structured, commonly used and machine-readable format.
4.14 ACCOUNTABILITY
4.14.1 Controller (Article 24)
4.14.1.1 Worldwide, as a controller, has implemented appropriate technical and organisational measures in an effective manner to ensure compliance with the data protection principles. As a controller, Worldwide is responsible for, and must be able to demonstrate, compliance with these principles.
4.14.1.2 Worldwide has adequate resources and controls in place to ensure and to document GDPR compliance including:
- Appointment of a suitably qualified DPO (where necessary) and an executive accountable for data privacy.
- Implementation of “privacy by design” when processing personal data and completion of Data Protection Impact Assessments (DPIAs) where processing presents a high risk to the rights and freedoms of data subjects.
- Integration of data protection into internal documents including this GDPR Privacy Statement, related policies, privacy guidelines, or privacy notices.
- Providing regular training to Worldwide personnel on the GDPR, related policies, privacy guidelines and data protection matters, and maintaining a record of training attendance.
- Regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance.
4.15 PROCESSOR (Article 28)
Worldwide, as a processor, processes personal data only in accordance with work orders and other legal agreements, and on the documented instructions of the controller. Worldwide has implemented appropriate technical and organisational measures in an effective manner to ensure compliance with the data protection principles. As a processor, Worldwide is responsible for, and must be able to demonstrate, compliance with all requirements placed on processors by the GDPR, including but not limited to Article 28.
4.16 RECORD KEEPING (Article 30)
Worldwide keeps full and accurate records of all its data processing activities in accordance with its respective obligations as a controller and processor.
4.17 TRAINING AND AUDIT (Articles 28, 38, 39, 58, 70)
Worldwide ensures that all personnel have undergone adequate training to enable them to comply with data privacy laws. Worldwide ensures that appropriate training records are maintained as well as processes to assess compliance.
4.18 PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENT (DPIA) (Articles 25, 35)
4.18.1 Worldwide has implemented “privacy by design” measures when processing personal data by implementing appropriate technical and organisational measures (like pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.
4.18.2 When acting as the controller, Worldwide conducts DPIAs for high-risk processing and before implementing a major system or business program involving the processing of personal data, including where the processing involves:
- New technologies (programs, systems or processes), or a change in technologies (programs, systems or processes).
- Automated decision-making (ADM) and profiling.
- Large scale processing of sensitive data.
- Large scale, systematic monitoring of a publicly accessible area.
4.19 AUTOMATED DECISION-MAKING (ADM) (Article 22)
4.19.1 ADM is decision-making based solely on automated processing, including profiling, which produces legal or similarly significant effects on an individual. Worldwide does not conduct ADM unless: 1) the data subject has explicitly consented; 2) the processing is authorized by law; or 3) the processing is necessary for entering into or performing a contract. In cases 1) and 3), Worldwide also implements suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject.
4.19.2 If ADM involves sensitive data, such automated processing may only be conducted where the individual has provided explicit consent or where the processing is necessary for reasons of substantial public interest, such as fraud prevention, and suitable safeguards are in place.
4.19.3 If a decision is based solely on automated processing (including profiling), Worldwide informs the data subjects of this and of their right to object. Additionally, they are given meaningful information about the logic involved in the decision-making or profiling and its significance and envisaged consequences, and have the right to request human intervention, to express their point of view, and to challenge the decision.
4.19.4 A DPIA is carried out before any automated processing (including profiling) or ADM activities are undertaken.
4.20 DIRECT MARKETING (Articles 6, 7, 21, 25)
Worldwide complies with applicable marketing rules and privacy laws when marketing to its customers. The right to object to direct marketing is explicitly offered to the data subject in an intelligible manner, clearly distinguishable from other information. A data subject’s objection to direct marketing is promptly honored. If a customer opts out at any time, their details are suppressed as soon as possible. Suppression involves retaining just enough information to ensure that the marketing preference is respected in the future.
5. Changes to this GDPR Privacy Statement
Worldwide reserves the right to amend this GDPR Privacy Statement from time to time, consistent with the GDPR’s requirements.
[1] For the purposes of this document, references to the EU include the non-EU EEA member states once the GDPR has been incorporated into the EEA Agreement and enacted as national law with each state’s parliamentary approval.
Effective Date: 01 Nov 2018
Last modified: 30 March 2022