Applies To: Individuals who reside in countries other than New Zealand who submit personal information to ANZCO Foods Limited, and its Subsidiaries
Policy Approval: ANZCO Privacy Officer
Approval Dates: September 2020
ANZCO Foods Limited and its subsidiaries (ANZCO, the company, its) comply with the laws and regulations in all countries in which it operates and undertake to maintain appropriate measures to safeguard the personal information the company collects and holds about individuals. Personal information is information about an identifiable individual (a natural person).
This policy sets out how ANZCO, including its subsidiaries collect, use, disclose and protect an individual's personal information. An individual may have certain rights under local privacy laws, such as the European Union (EU) General Data Protection Regulation 2016/679 as nationally implemented (the GDPR) if an individual resides in the EU, or similar or equivalent legislation in other countries. ANZCO provides information about these rights, and the ways that ANZCO processes personal information more generally, in this policy. If an individual has any questions about any of the details in this policy, or requires further information, they may raise this in writing to the Data Protection and Privacy Officer: firstname.lastname@example.org.
Changes to this Policy
Sourcing and Collecting Personal Information
ANZCO collects personal information about an individual from:
- The individual, including
- through any registration, subscription or prospective employee process; e.g. when an individual opts-in to receive newsletters, job alerts, or applies for a position of employment with ANZCO
- through any contact with ANZCO; e.g. when an individual contacts ANZCO via telephone, email or in person
- An individual who buys or use its services and products as a customer or provides services to the company as a farmer/producer (a farmer supplying livestock to ANZCO), supplier or vendor; e.g., through interaction that may or will lead to a contractual agreement/s with ANZCO to purchase, sell, or transact business with or on behalf of the Company.
- Third parties where an individual has explicitly consented or authorised this, or the information is publicly available; e.g. through information listed and available on social media channels such as Facebook or LinkedIn.
- Where possible, ANZCO will collect personal information from individuals directly.
Use of Personal Information
ANZCO will use an individual's personal information:
- to fulfil requests to provide services and products to an individual
- to market its services and products to individuals, including contacting individuals electronically (e.g. by email or phone for this purpose); this will not apply to any individuals governed by the GDPR without their specific written consent
- to improve the services and products that it provides to individuals
- to respond to communications from an individual, including any complaint
to comply with its legal obligations and rights, under contracts and at law, and to cooperate with authorities and investigations
- when a customer requests farmer/producer information for audits and/or supply chain traceability. ANZCO realises this information is important to customers, but does not provide individual farmer information to customers. The only exception, on request, is the provision of individual randomly selected Animal Status Declaration (ASD) forms to initiate a supply chain trace back to prepare for an audit of ANZCO Foods' quality assurance systems
- during site visits and/or audits customers have the right to inspect ANZCO's information about farmers/producers to ensure it is being collected and is accurate. Customers are not able to remove or collate any personal information.
Disclosure of Personal Information
ANZCO may disclose an individual's personal information to:
- another company or subsidiary within the ANZCO Foods Limited Group of companies
- an outsourced service provider, including:
- any service provider or business that supports ANZCO's services and products either relating to its internal operations or to customer, producer, supplier or vendor relations
- a credit reference agency for the purpose of credit checking an individual's credit history
- a service provider commissioned to protect the rights, property or safety of ANZCO, or others
- a regulatory authority, including:
- a person/body or authority who can require ANZCO to supply an individual's personal information; e.g. for financial reporting and auditing purposes
- any other person authorised by ANZCO's legal obligations or another law; e.g. a law enforcement agency
- any other person authorised by an individual.
Transferral of Personal Information Across International Borders
A business that supports ANZCO's services and products may be located outside of an individual's location. This may mean personal information is held and processed outside of the location it was originally submitted.
To better match an individual's business request, where required in order for ANZCO to supply or a service or as necessary in order to perform our contract with an individual, personal data may be transferred to subsidiaries in countries across international borders as well as ANZCO's global offices.
Other countries' privacy laws may be different from those in an individual's home country. Where ANZCO transfers data to another country ANZCO has security measures in place to protect all personal data subject to that transfer. To find out more about how ANZCO safeguards information as related to transfers individuals may contact the company using the details below.
Retention of Personal Data
ANZCO only retains personal information for as long as is necessary for the company to use the information as described above or to comply with its legal obligations. However ANZCO may retain some information after an individual ceases to use the company's services, or the company ceases to use the services provided to ANZCO in an individual's capacity as a farmer/producer, supplier or vendor; or if this is necessary to meet its legal obligations in the countries it operates in, such as retaining the information for tax and accounting purposes.
When determining the relevant retention periods, ANZCO will take into account factors including:
- its contractual obligations and rights in relation to the information involved;
- legal obligations under applicable law to retain data for a certain period of time;
- if an individual has made a request to have information deleted; and
- guidelines issued by relevant data protection authorities
Protecting Personal Information
ANZCO will take every reasonable measure and precaution to protect and secure personal data and prevent information from unauthorised access, alteration, disclosure or destruction. ANZCO requires the same of its third party service providers. Details of how third party service providers protect personal information are documented within ANZCO's contractual agreements and/or within the Privacy and Data Protection Policies of the third party service provider.
ANZCO has multiple layers of security measures in place; e.g. electronic data is stored on company servers and located in secure premises. The company's servers have appropriate security including firewall, antivirus protection and all data is encrypted. Company computers and laptops have two factor authentications to login.
Responding to a Data Breach
The definition of a data breach is very wide and includes accidental as well as deliberate or malicious actions. If personal data held by ANZCO is exposed in any way the following process will commence:
1. Alert – any breach, whether suspected or actual, must be immediately reported in writing to the Data Protection Officer: email@example.com. The report to the Data Protection Officer should include details regarding the nature and scope of the data breach, the period the breach took place, and an initial assessment of how the information was breached (i.e; an accidental or deliberate breach, if known).
2. Investigation and Analysis – the Data Protection Officer will lead an Incident Response Team who will thoroughly assess the impact of a data breach or a security event on a system or application. The Incident Response Team may include members of the ICT, Communications, Human Resources and Senior Leadership Team.
3. Contact Affected Individuals – under the GDPR, breach notification is mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals". Should a data breach meet the mandatory reporting requirements above then The Data Protection Officer is responsible for reporting a data breach to the National Data Protection Authorities within 72 hours of ANZCO first having become aware of the breach. The National Data Protection Authorities for each member state is located here. ANZCO will also notify all affected individuals, without undue delay after first becoming aware of a data breach.
For regions not subject to the GDPR reporting requirements, ANZCO will notify all affected individuals, without undue delay after first becoming aware of a data breach.
The Data Protection Officer will effect a communication plan that identifies internal communication requirements between departments to ensure a smooth response to a breach, and external communication requirements that specify who is authorised to communicate to external entities, such as the press or law enforcement on behalf of ANZCO.
4. Corrective and Preventative Actions – while the relevant parties are being contacted regarding any breach, the Incident Response Team will work to identify the source of the breach. Actions may include patching software, updating firewall rules, or implementing further safeguards to prevent a recurrence of the breach. ANZCO routinely tests its systems and infrastructure to ensure system security and effectiveness and regularly advises employees where to report suspicions data requests and to be aware of phishing software and schemes.
Where a breach has occurred through a third party or external provider, ANZCO will contact all relevant parties to advise of the breach and will work together to fix vulnerabilities that exist in external or hosted infrastructure.
Links to other websites
Access to Personal Information
An individual has the right to access readily retrievable personal information that may be held by ANZCO and to request a correction, restrict or object to its processing, have it erased, have it transferred to another organisation or complain to a regulator. Before exercising any right, ANZCO will verify the identity of the individual to whom the personal information relates.
If an individual wishes to exercise the above rights, they may raise this in writing to the Data Protection and Privacy Officer: firstname.lastname@example.org.
Correspondence should provide evidence to verify an individual's identity and set out the details of the request (e.g. the personal information, or the correction, that is requested).
If an individual has any further questions about this policy, or wish to raise a complaint about how ANZCO has handled information, this should be raised with the company by writing to the Data Protection Officer at the address listed above.