Privacy Policy

1. PRINCIPLES

1.1 Transparency of Data Processing

1.1.1 Duty to Inform

The data subjects shall be informed about how their personal data is used in line with applicable legislation and the following conditions.

1.1.2 Content and Form of Information

(1) The company shall inform the data subjects adequately about the following items:

a) The identity of the data processor(s) and their contact details.

b) The intended use and purpose of use of the data. This information is to include which data is being recorded and/or processed/used, why, for what purpose and for how long.

c) If personal data is transferred or transmitted to third parties, the recipient, scope and purpose(s) of such transfer/transmission shall be known.

d) The rights of the data subjects in connection with the use of their data.

(2) Irrespective of the chosen medium, data subjects shall be given this information in a clear and easily understandable manner.

1.1.3 Availability of Information

The information shall be available to data subjects when the data is collected and, subsequently, whenever it is requested.

2. CONDITIONS OF ADMISSIBILITY FOR THE USE OF PERSONAL DATA

2.1 Principle

Personal data shall only be used under the following conditions and shall not be used for purposes other than those for which it was originally collected. The use of collected data for other purposes shall only be permitted if the conditions of admissibility have been satisfied in accordance with the following conditions.

2.2 Admissibility of Personal Data Use

Personal data can be used if one or more of the following criteria have been satisfied:

a) It is clearly legally permissible to use the data in the way intended.

b) The data subject has consented to his/her data being used.

c) It is necessary to use the data in this way in order for the company to fulfil its obligations under an agreement with the data subject, including its contractual duties to inform and/or secondary duties, or in order for the company to implement pre- or post-contractual measures for initiating or processing an agreement that have been requested by the data subject.

d) The data must be used to fulfil a legal obligation of the company.

e) It is necessary to use the data to safeguard the data subject's vital interests.

f) It is necessary to use the data to complete a task that is in the interest of the general public or that forms part of the exercise of public authority and with which the company or third party to whom the data is transferred was charged.

g) It is necessary to process the data in order to realize the legitimate interests of the company or the third party/parties to whom data is being transmitted, provided these interests are not clearly outweighed by interests of the data subject warranting protection.

2.3 Consent by the Data Subject

It shall be deemed that the data subject has given his/her consent pursuant to clause (3.2), item b) of these Binding Corporate Rules Privacy if:

a) Consent has been given expressly, voluntarily and on an informed basis that makes the data subject aware of the scope of what he / she is consenting to. The wording of declarations of consent shall be sufficiently precise and shall inform data subjects of their right to withdraw their consent at any time. For business models in which the withdrawal leads to a non-fulfilment of contractual obligations the data subject shall be informed.

b) Consent has been obtained in a form appropriate to the circumstances (written form). In exceptional cases it can be obtained verbally, if the fact of the consent and the special circumstances that make verbal consent seem adequate are sufficiently documented.

2.4 Automated Individual Decisions

a) Decisions which evaluate individual aspects of a person and which may entail legal consequences for them, or which may have a considerable adverse effect on them, shall not be based exclusively on automated data use. This includes in particular decisions for which data about the creditworthiness, professional suitability or state of health of the data subject is significant.

b) If, in individual cases, there is an objective need to make automated decisions, the data subject shall be informed without delay of the result of the automated decision, and shall be given an opportunity to comment within an appropriate period of time. The data subject's comments shall be suitably considered before a final decision is taken.

2.5 The Use of Personal Data for Direct Marketing Purposes

Where data is used for direct marketing purposes, data subjects shall be:

a) Informed about the way in which their data will be used for direct marketing purposes.

b) Informed about their right to object at any time to the use of their personal data for direct marketing communications.

c) Equipped to exercise their right not to receive such communications. They shall receive, in particular, information about the company to whom the objection should be made.

2.6 Special Categories of Personal Data

a) The use of special categories of data shall only be permitted where it is governed by legal regulations or where the data subject's consent has been obtained in advance. It shall also be permissible if it is necessary to process the data in order to fulfil the rights and obligations of the company in the area of labor law, provided that suitable protection measures are taken and that this is not prohibited under national law.

b) Prior to the commencement of such collection, processing or use, the company shall inform its Data Privacy Officer accordingly and document this action. When assessing admissibility, particular consideration should be given to the nature, scope, purpose, necessity and legal basis of using the data.

2.7 Data Minimization, Data Avoidance, Anonymization and Aliasing

a) Personal data shall be appropriate, relevant and not excessive with regard to the use of the data for a specific purpose (data minimization). Data shall only be processed within a certain application when it is necessary (data avoidance).

b) Where possible and economically reasonable, procedures shall be used to erase the identification features of data subjects (anonymization) or to replace the identification features with other characteristics (aliasing).

3. TRANSFER OF PERSONAL DATA

3.1 Nature and Purpose of Transfer of Personal Data

a) Personal data can only be transferred where the receiving party assumes responsibility for the data received (transmission) or where the recipient only uses the data in accordance with the instructions and requirements of the transferring party (commissioned data processing agreement).

b) Personal data shall only be transferred for the permitted purposes pursuant to (3.2) of these Binding Corporate Rules Privacy as part of the company's business activities or legal obligations, or following consent from the data subjects.

3.2 Transmission of Data

a) If a company transmits data to bodies that are headquartered in a third country or that transfer data across national borders, steps shall be taken to ensure that this data is transmitted properly. Appropriate data privacy and data security requirements shall be agreed with the recipient before data is transmitted. In addition, personal data, particularly data collected in the EU or the EEA, shall only be transmitted to controllers outside of the European Union if the appropriate level of data privacy has been ensured using these Binding Corporate Rules Privacy or other appropriate measures, such as the EU standard contractual clauses or individual contractual agreements that meet the relevant requirements of European and National law.

b) Based on the requirements of the Company and generally recognized technical and organizational standards, appropriate technical and organizational measures shall be taken to guarantee the security of personal data, including during its transmission to another party.

3.3 Commissioned Data Processing

a) When a company (customer) commissions a third party (contractor) to provide services on its behalf in accordance with its instructions, then, in addition to a service agreement comprising the work to be performed, the agreement shall also refer to the obligations of the contractor as the party commissioned to process the data. These obligations shall set out the instructions of the customer concerning the type and manner of processing of the personal data, the purpose of processing and the technical and organizational measures required for data protection.

b) The contractor shall not use the personal data (entrusted to it for performing the order) for its own or third-party processing purposes without the prior consent of the customer. The contractor shall inform the customer in advance of any plans to sub-contract work out to other third parties in order to fulfil its contractual obligations. The customer shall have the right to object to such use of subcontractors. Where subcontractors are used in the permissible way, the contractor shall obligate them to comply with the requirements of the agreements concluded between the contractor and the customer.

c) Subcontractors shall be selected according to their ability to fulfil the above-stated requirements.

4. DATA QUALITY AND DATA SECURITY

4.1 Data Quality

a) Personal data shall be correct and, where necessary, kept up to date (data quality).

b) In light of the purpose for which the data is being used, appropriate measures shall be taken to ensure that any incorrect or incomplete information is erased, blocked or, if necessary, corrected.

4.2 Data Security – Technical and Organizational Measures

The company shall take appropriate technical and organizational measures for company processes, IT systems and platforms used to collect, to process or employ data in order to protect this data.

Such measures shall include:

a) Preventing unauthorized persons from gaining access to data processing systems on which personal data is processed or used (admittance control);

b) Ensuring that data processing systems cannot be used by unauthorized persons (denial-of-use control);

c) Ensuring that those persons authorized to use a data processing system are able to access exclusively the data to which they have authorized access and that personal data cannot, during processing or use or after recording, be read, copied, altered or removed by unauthorized persons (data access control);

d) Ensuring that, in the course of electronic transmission or during its transport or recording on data media, personal data cannot be read, copied, altered or removed by unauthorized persons, and that it is possible to check and identify the controllers to which personal data is to be transmitted by data transmission equipment (data transmission control);

e) Ensuring that it is possible retrospectively to examine and establish whether and by whom personal data has been entered into data processing systems, altered or removed (data entry control);

f) Ensuring that outsourced personal data can only be processed in accordance with the instructions of the customer (contractor control);

g) Ensuring that personal data is protected against accidental destruction or loss (availability control);

h) Ensuring that data which has been collected for different purposes can be processed separately (separation rule).

5. RIGHTS OF DATA SUBJECTS

5.1 Right to Information

1. Data subjects shall be entitled at any time to contact any company using their data and request the following information:

a) the personal data held on them, including its origin and recipient(s);

b) the purpose of use;

c) the persons and controllers to whom/which their data is regularly transmitted, particularly if the data is transmitted abroad;

d) the provisions of these Binding Corporate Rules Privacy.

2. The relevant information is to be made available to the enquirer in an understandable form within a reasonable period of time. This is generally done in writing or electronically. Providing a hard copy of these Binding Corporate Rules Privacy shall suffice as a means of communicating information about their requirements.

Where permissible under the relevant national law, a company may charge a fee for supplying the relevant information.

5.2 Right of Protest, Right to Have Data Erased or Blocked, and Right to Correction

1. Data subjects can object to the use of their data at any time if this data is being used for purposes that are not legally binding.

2. This right of protest shall also apply in the event that data subjects had previously consented to the use of their data.

3. Legitimate requests to have data erased or blocked shall be promptly met. Such requests are legitimate particularly when the legal basis for the use of the data ceases to apply. If a data subject has the right to have data erased, but erasing the data is not possible or unreasonable, the data shall be protected against non-permitted usage by blocking. Statutory retention periods shall be observed.

4. Data subjects can request at any time that the company correct the personal data it holds on them if this data is incomplete and/or incorrect.

5. For business models in which the withdrawal or the erasure leads to a non-fulfillment of contractual obligations the data subject shall be informed.

5.3 Right to Clarification, Comments and Remediation

1. If a data subject claims that his/her rights have been violated by unlawful use of his/her data, particularly by providing evidence of a verifiable violation of these Binding Corporate Rules Privacy, the responsible companies shall clarify the facts without deliberate delay. For data transferred or transmitted to companies outside of the European Union in particular, the company based in the European Union shall clarify the facts and provide evidence that the receiving party has not violated the requirements of these Binding Corporate Rules on Data Privacy or is responsible for any damage caused. The companies shall work together closely to clarify the facts and shall grant each other access to all information they require to do so.

2. The data subject concerned can file a complaint against ONE Albania at any time if he/she suspects that ONE Albania is not processing his/her personal data in accordance with legal requirements or with the provisions of these Binding Corporate Rules Privacy Policy. The substantiated complaint shall be dealt with within an appropriate period of time and the data subject informed accordingly.

3. If a complaint concerns several companies, the Data Privacy Officer of the company most familiar with the subject matter shall coordinate all relevant correspondence with the data subject.

4. There shall be suitable channels in place for reporting data privacy incidents (such as a special purpose e-mail account provided by Data Privacy, Legal Affairs and Compliance or a direct contact who can be contacted online).

5. The Data Privacy Officer of the company concerned shall report the data privacy incident without delay using the relevant reporting processes.

6. Data subjects can make a claim pursuant to these Binding Corporate Rules Privacy if their rights have been infringed or if they have suffered any loss.

5.4 Right to Question and Complain

Every data subject has the right at any time to contact the Data Privacy Officer of the company using his/her personal data with questions and complaints regarding the application of these Binding Corporate Rules Privacy. The company most familiar with the subject matter or the company that collected the data subject's data shall make sure that the data subject’s rights are properly observed by the other responsible companies.

5.5 Exercising of Rights of Data Subjects

Data subjects shall not be disadvantaged because they have made use of these rights. The form of communication with the data subject – e.g., by telephone, electronically or in writing – should respect the request of the data subject, where appropriate.

5.6 Hard copy of the Binding Corporate Rules Privacy

A hard copy of these Binding Corporate Rules Privacy shall be provided to anyone only upon request.

6. DATA PRIVACY ORGANIZATION

6.1 Responsibility for Data Processing

The companies shall be obligated to ensure compliance with the legal provisions on data protection and with these Binding Corporate Rules Privacy.

6.2 Data Privacy Officer

1. The company shall appoint a Data Privacy Officer, whose task is to ensure that the individual organizational units of that company are advised on the statutory and internal company/Group requirements for data privacy and, in particular, on these Binding Corporate Rules Privacy. The Data Privacy Officer shall use suitable measures, in particular random inspections, to monitor compliance with data protection regulations.

2. The company shall ensure that the Data Privacy Officer possesses the relevant expertise for evaluating the legal, technical and organizational aspects of data privacy measures.

3. The company shall provide the Data Privacy Officer with the financial and personnel resources necessary for carrying out his/her duties.

4. The Data Privacy Officer shall be granted the right to report directly to company management, and shall be connected organizationally to company management.

5. The Data Privacy Officer of each company shall be responsible for implementing the requirements of the ONE Albania data privacy strategy.

6. All departments of each company shall be obligated to inform their company's Data Privacy Officer of any developments in IT infrastructure, network infrastructure, business models, products, staff data processing and corresponding strategic plans. The Data Privacy Officer shall be brought in on new developments at an early stage in order to ensure that any data privacy matters can be considered and evaluated.

6.3 Employee Commitment and Training

1. The companies shall obligate their employees to maintain the data and telecommunications secrecy upon commencing their employment at the latest. Employees shall receive sufficient training in data privacy matters as part of this commitment. The company shall initiate suitable processes and provide resources to this end.

2. Employees shall receive training in the basics of data privacy regularly, or at least every two years. The companies shall be entitled to develop and run dedicated training courses for their own employees. The Data Privacy Officer of each company shall document the delivery of these training courses and inform on an annual basis.

3. The ONE Albania Data Privacy Officer can make resources and processes available centrally for obligating and training ONE Albania employees.

6.4 Cooperation with Supervisory Authorities

1. The companies shall agree to work together on the basis of trust with the supervisory authority responsible for them or for the company transmitting data, in particular, to respond to queries and follow recommendations.

2. In the event of a change in the legislation applicable to a company which might have substantial adverse effects on the guarantees provided by these Binding Corporate Rules Privacy, the company concerned shall notify the responsible supervisory authority of the change.

6.5 Responsible Contacts for Queries

The ONE Albania Data Privacy Officer can be contacted at:

E-Mail: dataprivacy@one.al during normal business hours (Central European Time).

7. LIABILITY

7.1 Area of Application of the Rules on Liability

1. The Binding Corporate Rules shall apply exclusively for the processing of personal data collected in the Albanian Law No. 9887, dated 10.03.2008 on Personal Data Protection and EU / the EEA, which falls within the scope of the EU Directive on Data Protection 95/46/EC.

2. Within the EU/EEA, the legal liability provisions of the country in which a company is headquartered shall apply. For data that is not subject to Section (1), Paragraph 8.1, of the BCRP the legal liability provisions of the country in which the respective company that collected the data has its registered office, or if there are no legal provisions existing, the terms and conditions of the company that collected the data shall apply.

3. Payment of exemplary damages, where a company must make payments to a data subject that exceed the damage itself, shall be explicitly ruled out as per the Albanian Law No. 9887, dated 10.03.2008 on Personal Data Protection.

7.2 Indention

1. Any individual who has suffered loss as a result of one or more of the duties specified in the Binding Corporate Rules Privacy being violated by a ONE Albania company or by data recipients to which a ONE Albania company has transferred or transmitted data, shall be entitled to claim corresponding damages against the ONE Albania companies concerned.

2. The data subject shall also be entitled to claim damages against the ONE Albania company. If the holding company pays damages, it shall be entitled to claim reimbursement from the companies that are responsible for the loss or that commissioned a third party which caused it.

3. The data subject shall claim damages initially against the company that transferred or transmitted the data. If the transferring company is not liable de jure or de facto, the data subject shall be entitled to claim damages from the recipient company. The recipient company shall not be entitled to withdraw from liability by appealing to the responsibility of a contractor in case of violation.

4. The data subject shall be entitled to submit a complaint to the responsible supervisory authority or to the supervisory authority responsible for the ONE Albania company at any time.

7.3 Third-party Benefits for Data Subjects

If the data subject has no direct rights, he/she shall be entitled, as a third-party beneficiary, to assert claims against companies which have violated their contractual duties, based on the provisions of these Binding Corporate Rules Privacy.

7.4 Place of Jurisdiction

At the individual's discretion, the place of jurisdiction to assert liability claims may be:

a) The Albanian Courts.

8. FINAL PROVISIONS

8.1 Reviewing and Amending these Binding Corporate Rules Privacy

1. The Data Privacy Officer shall examine the Binding Corporate Rules Privacy at regular intervals, but at least once a year, to find out about their compliance with applicable legislation, and shall make any necessary adjustments.

2. Any significant amendments to these Binding Corporate Rules Privacy that become necessary, e.g. as a result of adjustments made to bring them in line with legal requirements, shall be agreed with the supervisory authority. These amendments shall apply directly to all companies that have signed the Binding Corporate Rules Privacy following an appropriate transition period.

3. The Data Privacy Officer shall inform all companies that have introduced the Binding Corporate Rules Privacy of the amended content.

4. The Data Privacy Officers of the companies shall be obligated to examine whether amendments to these Binding Corporate Rules Privacy have any implications for legal compliance in their own country or whether they conflict with the legal provisions in their respective country. If the company is unable to implement the amendments for binding legal reasons, it shall inform the Data Privacy Officer and the responsible supervisory authority immediately and, if relevant, these Binding Corporate Rules Privacy shall be suspended temporarily for this company.

8.2 Procedural Law / Severability Clause

These Binding Corporate Rules Privacy shall be subject to the procedural law of the Republic of Albania in the case of disputes. If individual provisions of these Binding Corporate Rules Privacy are or become void, they shall be deemed to have been replaced by the provisions that most closely approximate the original intentions of these Binding Corporate Rules Privacy and the void provisions. In case of doubt, the applicable data protection regulations of the European Union shall apply in these cases or in the absence of relevant provisions.

8.3 Publication

The company shall make information about the rights of data subjects and the third-party benefit clause available to the public in a suitable format, such as in the notes on data protection on the Internet. This information shall be published as soon as these Binding Corporate Rules Privacy have become binding on a company.