Q: What is the EU data protection law?
A: This law became effective 25 May 2018. It affects anyone that collects, uses, shares and stores personal data relating to individuals in the EU – and even extends to businesses located outside the EU if they offer goods and services in the EU.
Q: Why is data protection important?
A: Processing personal data fairly, accurately and securely creates trust. Your customer and network base has higher expectations regarding how their information is handled due to increased awareness of data privacy rights. Also, data privacy is consistent with Oriflame’s Rules of Conduct about doing the right thing. And lastly, it is the law and not following it can result in steep fines and reputational damage.
Q: What is personal data?
A: Personal data is any information related to a living person, regardless of whether it concerns his or her private, professional or public life. It can be anything from a name, image, address, email address, bank details, telephone number, credit card number, posts on social networking websites, health and genetic records, biometric data, racial/ethnic data or computer IP addresses.
Q: What is sensitive personal information?
A: Sensitive personal information is information regarding health, race, sexual orientation, religion or political beliefs. This type of information needs to be safeguarded and can only be collected and processed in special circumstances under the data protection law. You should not be collecting any of this information as an Oriflame consultant.
Q: What is data processing?
A: The term ‘processing’ here essentially means anything that is done to, or with, personal data, including simply collecting, storing or deleting the data.
Q: What is the difference between a data processor and a data controller?
A: A data controller is a person (or company) who controls and is responsible for the storage and use of personal data. Being a data controller carries with it serious legal responsibilities. A data processor is a person (or company) who holds or processes that data on behalf of the data controller. Examples of typical data processor services include third-party data storage or cloud providers, data analytics and market research companies.
Q: What is the risk of not complying with the data protection law?
A: Data protection authorities can issue a warning, suspend processing activities (this means certain activities must be stopped, such as sales of goods) and impose fines. Heavy fines for serious data breaches can be up to 4% of annual turnover or up to €20 million.
HANDLING PERSONAL DATA
Q: I’ve received a complaint about how personal data was handled. What should I do?
A: Promptly report this to email@example.com.
Q: How long should I keep the personal data of my consultants?
A: The data protection law states that personal data may only be kept for as long as necessary to fulfil the purpose for which it was collected. Personal data belonging to consultants should be deleted following the termination of their relationship with Oriflame.
Q: I have been contacted by a consultant requesting access to, correction or erasure of their personal data. What should I do?
A: Consultants have a right to access or amend/delete their personal data under the EU data protection law. These requests need to be complied with within 30 days of receipt. Contact firstname.lastname@example.org as soon as possible for help processing the request.
DATA BREACH & SECURITY MEASURES
Q: What is a data breach?
A: A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. For example: a. loss (even temporary) or theft of a laptop, mobile device, desktop, paper file, USB stick or other storage device containing personal data. b. unintentional disclosure of personal data to an unauthorised person. This includes situations where emails, text messages or paper documents containing personal data are sent to the wrong recipient.
Q: What steps can I take to reduce the risk of a data breach?
A: To minimise the risk of a data breach, best security practices need to be followed:
- start with a strong password (IT specialists recommend a combination of letters, numbers and special characters totalling a minimum of 12 characters) - do not share your password with anyone
- never use the same password multiple times - create a difficult mobile phone passcode (not your date of birth) - don’t leave your computer or mobile devices unattended - make sure no one else has access to your computer (including access to the personal data on it) - make regular software updates, including updates to anti-virus protection software - make regular back-ups of the personal data in your possession - make sure any printouts containing personal data are shredded - avoid sending personal data by text message or email - always be vigilant when receiving email. If you receive anything you deem suspicious, delete the email or move it to the junk folder. DO NOT open the attachment if there is one, forward the email or reply to the sender.
Q: How do I report a data breach?
A: If a data breach is identified or suspected please contact email@example.com without delay. Under the data protection law, data breaches, depending on the type, must be notified to data protection authorities, as well as to the individuals affected by the breach. The timeframe for notification to an authority is very short (72 hours).
OBLIGATIONS UNDER THE DATA PROTECTION LAW
Q: What are the key principles of the data protection law?
A: The key principles are: - Be transparent! Inform individuals when you collect and use their personal data (such as with a privacy notice) and use their data lawfully. - Keep it limited! Collect only the information that you really need for the business purpose, but not more, and keep the information only for as long as necessary for that purpose. - Keep it focused! Use the information only for the original purpose at the time of collection. - Keep it accurate! Keep the information up to date and respond to requests from individuals to access or change their information. - Keep it secure! Protect the information against unauthorised access, loss or destruction. - Keep it confidential! Don’t share personal information with others, unless you’re authorised to do so.
Q: What do I need to tell new consultants when I collect their personal information?
A: You need to inform a new consultant of: - Your name and contact details.
-What personal data is collected. - How the personal data is used. - Who the personal data will be shared with, and whether the data will be transferred to countries outside of the EU.
- What their rights are under the data protection law. - How long you will keep their data.
For further information, please refer to the Oriflame Privacy Notice for Beauty Consultants in your country.
Q: What are the rights of consultants under the data protection law?
A: Consultants have the right to:
• request a copy of their personal data
• have their personal data corrected
• transfer their personal data from one service organisation to another (‘data portability’)
• have their personal data erased (‘right to be forgotten’)
• restrict the processing of their personal data
Q: Are there any changes for me when registering new consultants?
A: You will need to register new consultants through MyPages. The new consultant will receive a registration email and needs to confirm the registration.
Q: I have a name bank of prospective consultants and customers. What are my responsibilities for this personal data?
A: The data protection law applies here too. You need to keep this data secure like any other personal data. We recommend that you register the details of your prospective consultants and customers on the Oriflame database and they will receive a registration confirmation email/text message along with the Oriflame Privacy Notice – Beauty Consultants.
Q: What is direct marketing?
A: Direct marketing is a form of advertising used by businesses to communicate directly to customers through a variety of channels, including text messaging, email, websites, online adverts, database marketing, fliers, catalogue distribution, promotional letters, targeted television, newspaper and magazine advertisements, as well as outdoor advertising.
Q: Can I send marketing information to my network?
A: You can only send marketing information to the consultants in your network if they have given their consent to receive marketing. You must also give the consultants in your network the possibility to withdraw their consent. This is why it is important to check consent regularly, since consultants have the right to change their mind – and may withdraw their consent at any time.
Q: What do I do if a consultant in my network withdraws their consent to receive marketing?
A: Stop sending them marketing materials.
Q: Should I keep records of marketing consents?
A: Yes, you need to keep an accurate and regularly updated record of the marketing consents of your consultant and customer network.
Q: If a consultant has withdrawn their consent to receive marketing, can I contact them to tell them what they are missing and ask if they want to opt back in?
A: No, you should not contact consultants who have withdrawn their consent to receive marketing. This would be breaking the data protection law.
Q: How long does a marketing opt-out last?
A: A marketing opt-out does not have an expiration date. It lasts until the individual changes their stated marketing preferences.
Q: What should I do about my existing network when I am sending promotional offers?
A: You will have to obtain consent from the individual consultants already in your network before you send them email marketing campaigns, unless you have a record of their consent to receive such communication from you.
Q: When a consultant has requested not to have any marketing sent to them, I am not allowed to send them any form of marketing offers (as email or text messages). Can I still send them other information related to their performance in Oriflame?
A: Yes, a performance report is part of doing business with Oriflame.