Applies To: Individuals who reside in countries other than New Zealand who submit personal information to ANZCO Foods Limited, and its Subsidiaries
Policy Approval: ANZCO Privacy Officer
Approval Dates: September 2020
ANZCO Foods Limited and its subsidiaries (ANZCO, the company, its) comply with the laws and regulations in all countries in which it operates and undertake to maintain appropriate measures to safeguard the personal information the company collects and holds about individuals. Personal information is information about an identifiable individual (a natural person).
This policy sets out how ANZCO, including its subsidiaries collect, use, disclose and protect an individual's personal information. An individual may have certain rights under local privacy laws, such as the European Union (EU) General Data Protection Regulation 2016/679 as nationally implemented (the GDPR) if an individual resides in the EU, or similar or equivalent legislation in other countries. ANZCO provides information about these rights, and the ways that ANZCO processes personal information more generally, in this policy. If an individual has any questions about any of the details in this policy, or requires further information, they may raise this in writing to the Data Protection and Privacy Officer: firstname.lastname@example.org.
ANZCO collects personal information about an individual from:
- The individual, including
- An individual who buys or use its services and products as a customer or provides services to the company as a farmer/producer (a farmer supplying livestock to ANZCO), supplier or vendor; e.g., through interaction that may or will lead to a contractual agreement/s with ANZCO to purchase, sell, or transact business with or on behalf of the Company.
- Third parties where an individual has explicitly consented or authorised this, or the information is publicly available; e.g. through information listed and available on social media channels such as Facebook or LinkedIn.
ANZCO will use an individual's personal information:
ANZCO may disclose an individual's personal information to:
- another company or subsidiary within the ANZCO Foods Limited Group of companies
- an outsourced service provider, including:
- a regulatory authority, including:
- any other person authorised by an individual.
A business that supports ANZCO's services and products may be located outside of an individual's location. This may mean personal information is held and processed outside of the location it was originally submitted.
To better match an individual's business request, where required in order for ANZCO to supply or a service or as necessary in order to perform our contract with an individual, personal data may be transferred to subsidiaries in countries across international borders as well as ANZCO's global offices.
Other countries' privacy laws may be different from those in an individual's home country. Where ANZCO transfers data to another country ANZCO has security measures in place to protect all personal data subject to that transfer. To find out more about how ANZCO safeguards information as related to transfers individuals may contact the company using the details below.
ANZCO only retains personal information for as long as is necessary for the company to use the information as described above or to comply with its legal obligations. However ANZCO may retain some information after an individual ceases to use the company's services, or the company ceases to use the services provided to ANZCO in an individual's capacity as a farmer/producer, supplier or vendor; or if this is necessary to meet its legal obligations in the countries it operates in, such as retaining the information for tax and accounting purposes.
When determining the relevant retention periods, ANZCO will take into account factors including:
ANZCO will take every reasonable measure and precaution to protect and secure personal data and prevent information from unauthorised access, alteration, disclosure or destruction. ANZCO requires the same of its third party service providers. Details of how third party service providers protect personal information are documented within ANZCO's contractual agreements and/or within the Privacy and Data Protection Policies of the third party service provider.
ANZCO has multiple layers of security measures in place; e.g. electronic data is stored on company servers and located in secure premises. The company's servers have appropriate security including firewall, antivirus protection and all data is encrypted. Company computers and laptops have two factor authentications to login.
The definition of a data breach is very wide and includes accidental as well as deliberate or malicious actions. If personal data held by ANZCO is exposed in any way the following process will commence:
1. Alert – any breach, whether suspected or actual, must be immediately reported in writing to the Data Protection Officer: email@example.com. The report to the Data Protection Officer should include details regarding the nature and scope of the data breach, the period the breach took place, and an initial assessment of how the information was breached (i.e; an accidental or deliberate breach, if known).
2. Investigation and Analysis – the Data Protection Officer will lead an Incident Response Team who will thoroughly assess the impact of a data breach or a security event on a system or application. The Incident Response Team may include members of the ICT, Communications, Human Resources and Senior Leadership Team.
3. Contact Affected Individuals – under the GDPR, breach notification is mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals". Should a data breach meet the mandatory reporting requirements above then The Data Protection Officer is responsible for reporting a data breach to the National Data Protection Authorities within 72 hours of ANZCO first having become aware of the breach. The National Data Protection Authorities for each member state is located here. ANZCO will also notify all affected individuals, without undue delay after first becoming aware of a data breach.
For regions not subject to the GDPR reporting requirements, ANZCO will notify all affected individuals, without undue delay after first becoming aware of a data breach.
The Data Protection Officer will effect a communication plan that identifies internal communication requirements between departments to ensure a smooth response to a breach, and external communication requirements that specify who is authorised to communicate to external entities, such as the press or law enforcement on behalf of ANZCO.
4. Corrective and Preventative Actions – while the relevant parties are being contacted regarding any breach, the Incident Response Team will work to identify the source of the breach. Actions may include patching software, updating firewall rules, or implementing further safeguards to prevent a recurrence of the breach. ANZCO routinely tests its systems and infrastructure to ensure system security and effectiveness and regularly advises employees where to report suspicions data requests and to be aware of phishing software and schemes.
Where a breach has occurred through a third party or external provider, ANZCO will contact all relevant parties to advise of the breach and will work together to fix vulnerabilities that exist in external or hosted infrastructure.
An individual has the right to access readily retrievable personal information that may be held by ANZCO and to request a correction, restrict or object to its processing, have it erased, have it transferred to another organisation or complain to a regulator. Before exercising any right, ANZCO will verify the identity of the individual to whom the personal information relates.
If an individual wishes to exercise the above rights, they may raise this in writing to the Data Protection and Privacy Officer: firstname.lastname@example.org.
Correspondence should provide evidence to verify an individual's identity and set out the details of the request (e.g. the personal information, or the correction, that is requested).
If an individual has any further questions about this policy, or wish to raise a complaint about how ANZCO has handled information, this should be raised with the company by writing to the Data Protection Officer at the address listed above.