PERSONAL DATA PROTECTION POLICY
Table of Contents
EXECUTIVE SUMMARY
POLICY PRESENTATION
- POLICY DETAILS
- SCOPE OF COVERAGE
- ORGANIZATIONAL RESPONSIBILITIES
- STATEMENT OF ACCOUNTABILITY & REQUESTING EXCEPTIONS
- ASSOCIATED DOCUMENTS & FURTHER INFORMATION
- APPROVAL AND REVISION HISTORY
GENERAL DISCLAIMER
Technicolor Creative Studios (TCS) complies with all laws, regulations, and the Technicolor Code of Ethics and will not exercise its rights referred to in this policy in countries or jurisdictions where such rights are or will be unlawful (for example, certain European countries have different legislation on privacy).
EXECUTIVE SUMMARY
Technicolor takes very seriously all its obligations to comply with the requirements of the European General Data Protection Regulation (GDPR) and any equivalent legislation applicable where any entity in the Technicolor Group is present, including, but not limited to, CCPA (United States), LGPD (Brazil), DPA (United Kingdom), and DPA (Australia).
The purpose of this policy is to ensure that Technicolor, its staff, contractors, suppliers, and other people working on its behalf comply with any applicable provisions of the Data Protection Legislations where and when appropriate, as well as comply with any other applicable legislation when processing personal data.
Failure to comply with Data Protection Legislations may have severe consequences for Technicolor and its personnel, agents, and contractors.
POLICY PRESENTATION
Purposes of this policy:
- Technicolor needs to collect and use certain information about These can include customers, suppliers, business contacts, employees, and other people the Technicolor Group has a relationship with or may need to contact.
- This document provides the policy framework for compliance with the data privacy protection legislations and best practices, through which effective management of data protection matters can be
1. POLICY DETAILS
1.1 Risks
- Lack of information to data subjects regarding Personal Data processed by Technicolor
- Improper data Processing that violates local or national laws regarding data protection
- Confidentiality of Personal Data is breached
- Personal Data improperly disclosed to internal and/or external entities
- Improper disclosure of personal information in violation of the EU General Data Protection Regulation
1.2 DEFINITIONS
For the purposes of this policy, and in compliance with European regulation definitions:
- “BCR” means Binding Corporate Rules, as defined and approved by the European Commission as internal rules adopted by multinational group of companies which define its global policy regarding the international transfers of Personal Data within the same corporate group to entities located in countries which do not provide an adequate level of
- “CCPA” means the California Consumer Privacy Act (CCPA), which was enacted in 2018 and takes effect on January 1, CCPA aims to guarantee strong protection for individuals regarding their personal data and applies to businesses that collect, use, or share consumer data, whether the information was obtained online or offline.
- “Data Controller” means any legal entity or person which (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data is or is to be
- “Data Processor” means any legal entity or person (other than an employee of the Data Controller) who Processes the data on behalf of the Data Controller.
- “Data Protection Legislations” means the Data Protection EU Directive 95/46/CE, the GDPR, or any equivalent legislation regarding data protection.
- “DPA” means Data Protection Authority, the organization representing the local data protection As a group whose mother company is headquartered in France, the French DPA (CNIL) is considered a Lead Supervisory Data Protection Authority.
- “DPO” means the person who acts as a Data Protection Officer in the sense of the He or she oversees all data protection activities and is the primary contact point for data protection authorities.
- “EU/EEA” means European Union / European Economic
- “GDPR” means the General Data Protection Regulation, enacted in May 2018, which applies uniform rules for data protection legislation throughout Europe. The GDPR lays down rules on the protection of natural persons with regard to the processing of personal data and protects the fundamental rights and freedoms of natural persons, in particular their right of protection of personal
- “Personal Data” means any information identifying or enabling an individual to be identified directly or indirectly. It may include name, date of birth, contact details (individual address, email address, place, and cellphone number), profession, position, driver’s license, financial information, as well as technical information (IP address, PC name, ) when they allow indirect identification.
- “LGPD” means Brazil General Data Protection Law enacted in Sept
- “Processing” means obtaining, recording, or holding the Personal Data or carrying out any operation or set of operations on the information or data, including:
- Organization, adaptation or alteration of the Personal Data;
- Retrieval, consultation or use of the Personal Data;
- Disclosure of the Personal data by transmission, dissemination or otherwise making available; or
- Alignment, combination, blocking, erasure, or destruction of the Personal
- “Registry” means list of data processing for a legal
- “Technicolor Group” means any Technicolor entity that, directly or indirectly through one or more intermediaries, controls, or is controlled by Technicolor SA, or is under common control with, another entity of the Technicolor The term “control” includes, without limitation, the possession, directly or indirectly, of the power to direct the management and policies of an entity, whether through the ownership of voting securities, by contract or otherwise, and the term “entity” will be construed broadly and will include an individual, a partnership, a corporation, a limited liability company, an association, a joint stock company, a trust, a joint venture, or an unincorporated organization.
- “Technicolor Information Systems” means all “Computing Assets” defined as 1) Technicolor-owned or managed computing assets, e.g., laptops, desktops, mobiles, networks, clouds; or 2) personal computing assets, e.g., Bring Your Own Device (BYOD) and other mobile devices. Such Computing Assets are used to conduct business on behalf of Technicolor by connecting to Technicolor networks or other networks for the purposes of managing, storing, or transmitting Technicolor business information, intellectual property or customer content.
- “Sub-processor” means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing
- “White-listed countries” are recorded by the European Commission as countries where the level of protection of Personal Data is equivalent to the European one, a list of which can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.
1.3 PROCESSING
The purpose of this policy is to ensure that Technicolor, its staff, contractors, suppliers, and other people working on its behalf comply with any applicable provisions of the Data Protection Legislations where and when appropriate, as well as comply with any other applicable legislation when Processing Personal Data. Failure to comply with Data Protection Legislations may have severe consequences for Technicolor and its personnel, agents, and contractors.
This policy applies regardless of where the data is held, i.e., whether it is held on Technicolor-owned equipment or outside Technicolor property (for example, by a subcontractor).
To the extent Technicolor obtains possession of or collects any Personal Data and is obliged to comply with the Data Protection Legislations and/or any similar local legislation, the relevant Personal Data shall be:
- Processed fairly and
- Processed for specified purposes
- Not sold to any third party
- Not kept longer than
- Processed and held
- Adequate, relevant, and not
- Accurate and up to
In addition, where the Personal Data is European (i.e. collected in a country of the EU/EEA), it shall be:
- Not transferred outside the countries of the EU/EEA (except if data is transferred to a White-listed country, or covered with BCR, or appropriate EU Standard Clauses, or any other adequate mechanism approved by EU).
- Treated in a manner respectful of their right to be
1.4 SECURITY
Technicolor may maintain Personal Data in hard copies or electronic format. Regardless of the location of the Personal Data, Technicolor will undertake the necessary steps to maintain the security and confidentiality of Personal Data and protect it from unauthorized use and disclosure as appropriate.
1.5 DATA SUBJECT INFORMATION
Technicolor must inform the data subject of all new treatment which processes his/her
Personal Data, and must ensure the data subject’s rights to modify, access, object, rectify and delete any of his/her Personal Data is respected. This information shall contain the exact purpose of the processing, the retention period which must be, at least if not
defined, proportionate and necessary to the purpose, and in some situations, such as when sensitive data is collected, the Data Controller must obtain the express prior consent of the data subject before any Processing of his/her Personal Data.
1.6 COMPLIANCE WITH THE EUROPEAN DATA PROTECTION LEGISLATIONS
Within the Technicolor Group, data protection is treated with the utmost serious care. Technicolor designates a DPO at Technicolor’s Headquarters, in charge of the relations with the French Data Protection Authority (CNIL). For all new data Processing, please contact the Data Protection Officer at the following email address: TCS-privacy@technicolor.com
Before any new treatment takes place, the Data Controller must implement appropriate technical and organizational measures for ensuring that, by default, only Personal Data which is necessary for each specific purpose of the Processing is processed. Furthermore, the GDPR imposes a “privacy by design” principle, both at the time of the determination of the means for processing and for the processing itself. The Data Controller should finally ensure the correct recording of the processing in the “Registry” and that a privacy risk assessment has been conducted.
1.7 SUBJECT ACCESS REQUESTS
Pursuant to his/her access right, the data subject can make a request to the DPO to access, rectify, delete and modify his/her Personal Data by contacting the Data Protection Officer at the following email address: TCS-privacy@technicolor.com
1.8 DATA PROTECTION BREACHES
Where a Data Protection breach occurs, or is suspected to have occurred, the DPO should be notified as soon as possible. The DPO will work alongside the relevant department(s) to:
- minimize the damage;
- assess the extent of the damage and determine whether the CNIL or any other data protection authority should be notified;
- inform the data protection authority within 72 hours of the data breach knowledge;
- notify affected individuals as appropriate, without delay;
- ascertain how the breach occurred and, if appropriate, determine how to prevent or minimize future
1.9 THIRD-PARTY DATA PROCESSORS established outside the EU/EEA intervening for TECHNICOLOR
Where external companies are used to process Personal Data on behalf of Technicolor, responsibility for the security and appropriate use of that Personal Data remains with Technicolor.
Technicolor shall ensure that the third-party Data Processor complies with any applicable regulations, rules and laws related to the handling of Personal Data, by the implementation of the adequate mechanism of protection. Additionally, all third-parties are vetted through Technicolor’s vendor security assessment program.
In particular, where a third-party Data Processor is used:
- such Data Processor may be retained in such capacity under condition that Technicolor is satisfied that its security measures offer sufficient guarantees to protect the Processing of Personal Data;
- data processing provisions or a data processing agreement will be signed by both parties, establishing, amongst other things, which Personal Data will be processed and for which purpose;
- no subcontracting outside the EU/EEA may take place without Technicolor’s prior written approval.
For the export of Personal Data out of the EU/EEA, the same level of protection shall be guaranteed either by (i) the integration of the terms of the EC Standard Contractual Clauses, Controller to Processor, into all contracts, or (ii) transfer to a White-listed country, or (iii) transfer to a company which has implemented Binding Corporate Rules.
For further guidance about the use of Third-Party Data Processors please contact the Legal Department.
2. SCOPE OF COVERAGE
This policy is applicable to all Technicolor Brands and Services Lines within the Creative Studios business group (collectively referred to as “Creative Studios”).
This policy applies to all Creative Studios employees, whether senior, full-time, part-time, temporary or interns (collectively referred to as “Employees”).
This policy applies to all Creative Studios consultants, contractors, vendors, employees of vendors, and staffing agencies, and customers who have access to or use Technicolor’s Valued Information or Technicolor facilities (collectively referred to as “Third-Parties”).
This policy applies to all Technicolor Creative Studios including subsidiaries (collectively referred to as "Technicolor" or the "Company")
This policy applies to all Employees or Third-Parties whose user account(s) has been granted system administrator permission (collectively referred to as “E-Mail and System Administrators”).
This policy applies to all Technicolor Information Systems resources which are used to store or service e-mail and file services (collectively referred to as “Computing Assets”).
This policy applies to all Employees who have been appointed or designated as responsible for the management and control of Computing Assets at one of Technicolor’s facilities (collectively referred to as “Site IT Managers”).
3. ORGANIZATIONAL RESPONSIBILITIES
- Technicolor Data Control Organization (DCO)
- As a Data Controller, Technicolor is responsible for establishing policies and procedures in order to comply with the requirements of any applicable Data Protection
- Personal Data Protection encompasses Security, Information Technology, and Legal As such, it is governed by the Security organization, the Information Technology organization (IT), and the Legal teams. A Data Control Organization Team (“DCO team”) is set up under the authority of the General Counsel and the Chief Security Officer, with representatives from HR, IT and Legal. As the Technicolor Group is headquartered in France, all legal entities of Technicolor are bound by an Intra Group contract, which ensures corporate rules compliant with the European Data Protection Legislations. Every legal entity of the Technicolor group designates a contact point to the DCO team.
Every legal entity remains responsible for compliance with applicable local Data Protection Legislations.
- As the Technicolor Group is headquartered in France, the French DPA is identified as a Lead Supervisory Authority, as defined by GDPR 26.
- A Technicolor correspondent to the French DPA is designated as a The DPO belongs to the DCO team.
- The DCO team shall:
- Ensure compliance with relevant access rights and ensure that Personal Data is released in accordance with data subject access legislation under European Data Protection Legislations, where
- Ensure that all data protection breaches are resolved and reported without delay to the concerned data subject(s), as required consistent with any applicable European Data Protection
- Support privacy contact points in every Technicolor legal entity to comply with applicable local Data Protection Legislations. As such, the DCO team will identify Business division coordinators who will support identification and nominations of legal entities point of
- Investigate and respond to complaints regarding data protection including requests to cease Processing Personal
- Handle any data transfer outside the EU/EEA to its affiliates under the EC Standard Contractual Clauses Controller to Controller, intragroup agreement and update any corporate changes and new data
- The DPO shall:
- Inform and advise the Controller, the Processor and the Employees who carry out Processing of their obligations pursuant to European Data Protection
- Cooperate with the supervisory authority and act as the contact point for the supervisory authority on issues relating to
- Maintain a list of all Corporate treatments that process Personal Data submitted to European Data Protection
- Centralize the lists of EU legal entities treatments maintained by each Data Privacy contact point. Provide guidance, give advice and promote compliance with the European Data Protection Legislations and with this policy in such a way as to ensure the easy, appropriate and timely retrieval of
- As soon as it is aware of any data protection breach, ensure the report within 72 hours to the French Data Protection Authority (CNIL), following the terms set forth in the
- Maintain a list of all third-party Data Processors established outside the EU/EEA and intervening for
- The Human Resources (HR) teams shall:
- For the Employees, directly or indirectly attached to a European legal entity:
- Inform the Employees:
- that entities of the Technicolor Group may Process any Personal Data necessary to the performance of the employment contract
- of the manner in which they may obtain information about the Processing of their Personal Data
- of the manner in which they can exercise their rights to access, modify, rectify, and delete their Personal Data
- For all Employees:
- Notify the Employees:
- of the existence of Group policies, including this policy, and that they must read and comply with such policies
- of their responsibilities with respect to this policy, especially as they apply to the teams identified in Technicolor Data Control Organization, if they are part of any such team
- Collect and record the individual acknowledgement of all
- The Sourcing teams shall:
- For all requests for proposal involving some Technicolor data storage or access, the sourcing team should insert some generic security clauses, with provisions in case of Personal Data
- Assess whether Personal Data directly or indirectly attached to a European legal entity is
- In such a case, the sourcing team shall:
- Contact the DPO to check whether this Process is legally compliant, and list it among corporate treatments, if
- If the Data Processor is located in the EU or White-listed countries, the Legal team shall ensure that the list of sub-processor(s) and their location is clearly identified and approved by the Technicolor contract
- If the Data Processor is located in any other country, the sourcing team shall include EC Standard Contractual Clauses, Controller to
- Get Legal approval of the final
- The Legal teams shall:
- Maintain knowledgeable expertise with respect to Privacy regulations in the EU, and awareness of Privacy regulations in other
- Designate a referent for any Privacy regulation in other countries with significant impact to Data privacy processes, such as CCPA and
- Conduct training on Data privacy of the Data Privacy contact points in legal
- Advise sourcing teams and business divisions on privacy matters.
- Review and approve third party contracts which involve Personal Data directly or indirectly attached to a European legal entity.
- The Security Office shall:
- Be responsible for the content, management and communication of this
- Annually review and, where necessary, revise this policy.
- Allow or disallow requests for exceptions to this policy and manage all exceptions granted to it (see Accountability and Exceptions).
- Within the provisions of this policy, have the authority to audit, consistent with applicable local and regional legal requirements, Company-provided Computing Assets and all devices connected to the Company voice or data
- The Security Operations Center (SOC) shall:
- Be responsible to define and enforce security controls and safeguards required to protect all information gathered or accessed from damage, loss, misuse or inappropriate disclosure in accordance with Technicolor's
- Within the provisions of this policy, have the authority to audit, consistent with applicable local and regional legal requirements, Company-provided Computing Assets and all devices connected to the Company voice or data
- The System and Application Administrators must:
- Never access or provide access to an Employee or Third-Party information repositories and logs, as set forth in the IT Privileged User Access
- Obtain written authorization approved by qualified approvers from the lists detailed under section 4.2 prior to accessing an Employee or Third-Party data or voice repositories or
- Ensure that information is provided only to the person or people authorized by the written
- Ensure that the information requested is the only information Requests for additional information require additional approval.
- Never provide user account and password access using another user’s
- Maintain the confidentiality of the requestor and approvers of the request to the extent consistent with business
- Maintain a copy of the written request for at least one year from completion of the request or in accordance with local or regional laws and regulations
- Ensure that local procedures or processes are developed, documented and communicated in accordance with this policy as well as in accordance with local and regional laws governing information
- Technicolor managers and all persons having management or supervisory responsibility shall be responsible to ensure that every Employee within their organization and every Third Party their organization deals with has been informed of and is knowledgeable of the contents of this policy.
- Technicolor Employees and Third-Parties shall:
- Be knowledgeable of this policy and all associated guidelines and comply with elements thereof applicable to their jobs
- Report all incidents of violation of this policy or associated guidelines in accordance with Technicolor's Corporate Ethics Charter, Technicolor's Significant Business Incident Policy and any related policies, guidelines or standards
- IT Support Administrators are obliged to keep Employee personal information private and confidential except as necessary to comply with this policy, conduct investigations, operate the business of the Company, comply with legal obligations, and respond to legitimate government inquiries, in which case the DPO should be informed.
4. STATEMENT OF ACCOUNTABILITY & REQUESTING EXCEPTIONS
4.1 STATEMENT OF ACCOUNTABILITY
Any Employee found in non-compliance with this or any other TCS policy or standard may be subject to disciplinary action up to, but not limited to, termination of employment consistent with applicable local, regional legal requirements and the Company’s Rules and Regulations.
Any Third-Party found in non-compliance with this policy may be deemed in violation of contract terms and conditions and may be subject to disciplinary action and/or other sanctions up to, but not limited to, termination of working contracts consistent with applicable local, regional legal requirements and the Company’s Rules and Regulations.
Technicolor will not exercise its rights referred to herein in countries and jurisdictions where such rights are or will be unlawful.
4.2 REQUESTING EXCEPTIONS
- Any exception to a TCS Security Policy must be formally requested and approved by the Security The Security Office has the authority to grant exceptions to a TCS security policy. Requests must be made from Service Now.
- Exceptions must identify the requestor, the policy to which an exception is being requested, and a description of the reason for the
- Requests are for a period of no more than one year and must be renewed upon The Security may modify a policy upon its revision to take into account identified exceptions.
- The Security Office may deny a request for exception if the security risk is deemed
Exceptions can be filed here: Security Exception Request
The list of approved authorities to deliver exceptions is as follows:
- Chief Executive Officer
- General Secretary
- Chief Security Officer
- Data Privacy Officer
5. ASSOCIATED DOCUMENTS & FURTHER INFORMATION
This document may not be the most current version if not obtained directly from the document repository. The most current electronic version is found at: https://technicolor.sharepoint.com/sites/Policies_TCS/SitePages/Security.aspx.
Document Title | Document URL
Code of Ethics |
Acceptable Use Policy |
Information Protection Policy |
IT Privileged User Access Policy |
6. APPROVAL AND REVISION HISTORY
6.1 Document Status
Status: Final
Prepared by: Team: Global Content Security; Date: 10 January 2024
Reviewed by: DPO: Jacques-Olivier Halle, Date: 18 February 2024; CCO: Berangere Meggiolaro, Date: 18 February 2024
Approved by: SVP, Information Security & Content Protection: Micah Littleton; Date: 18 February 2024
Review: Document sent, reviewed only, or reviewed and officially signed off if a date is entered. Does not necessarily indicate full acceptance, only that the reviewer has had the opportunity to review, comment and approve/disapprove.
Validation or Approval: Document officially signed off if a date is entered.
6.2 Document Revision History
Date | Ver. | Author | Description
Previous Approvers: EIT, TSO-GRC, Jacques-Olivier Halle, CCO, Security Steering Committee
January 2024 | 1.0 | GCS | Rebranding to TCS v1.0 from Vantiva TCS Shared Security Policies and related approvers
Confidential & Proprietary:
The information contained herein is the property of Technicolor and shall not be reproduced, copied, or used for any purpose without permission.