PRIVACY POLICY – PERSONAL DATA

This is valid as of 17.12.2021

1. PURPOSE

The company "ALFA – BETA" VASSILOPOULOS SINGLE MEMBER SOCIETE ANONYME (hereinafter AB), member of the Ahold Delhaize Group, recognises the importance of personal data security and the security of electronic transactions. AB considers the adoption of all necessary technical measures and compliance with current legislation to be of the utmost importance.
The trust of customers, partners and suppliers is of particular importance to AB. In order to maintain this trust, we must process personal data in a secure manner and in accordance with applicable law.
The purpose of this policy is to inform data subjects about the data collected in order to serve them and to inform them about offers and new services. Through this policy, data subjects can also learn about their rights under applicable law.
In the context of this policy:
"Personal Data" means any information through which an individual is identified or identifiable.
"Processing of Personal Data" is any action performed using personal data, such as their collection, storage, use, disclosure to third parties that undertake the management of personal data in the name and on behalf of AB to achieve a specific business purpose.


2. KEY PRINCIPLES OF PERSONAL DATA PROTECTION

AB recognises that clear guidelines for the proper use of personal data are an integral part of the proper functioning of the company and are absolutely necessary to protect the personal data we handle, which may concern customers, partners and suppliers. For this reason, AB:
• is committed to protecting the data of customers, partners and suppliers;
• handles only those data that are necessary for legitimate business purposes;
• provides its customers with information on the use of their data and how to exercise their rights;
• uses personal data for the benefit of its customers;
• complies with applicable laws and regulations.
Based on these principles regarding the security of personal data, the following applies:

Collection and processing
AB collects and processes personal data in a legal manner and in accordance with applicable law. The personal data collected and processed are absolutely necessary for the intended purpose and data subjects are clearly informed as regards both the purpose of collecting and processing their data and their rights.

Providing information
AB has created various channels for informing data subjects, so as to always provide them with clear and complete information about the purpose of processing their personal data. Through these channels, data subjects also receive clear information, in addition to the purpose of processing, about any third-party recipients of their data that act in the name and on behalf of AB in serving the intended purpose. Customers can access the relevant information through the AB website, www.ab.gr.

Processing management
AB enables data subjects to manage their personal data and to decide what form of processing they want, and whether they want it at all. In accordance with applicable law and the trading relationship connecting it with the data subjects, AB enables them to give or withdraw their consent, as the case may be.

Use and data retention period
AB uses the data of the data subjects solely for purposes related to its business activities and in accordance with the values of the AHOLD – DELHAIZE Group. In any case, data use is limited solely to the purpose for which they have been collected. AB may use your data to inform you about offers, new products, new services and anything else related to the operation and organisation of our company.
The retention time of the data is determined taking into account the purpose for which they have been collected and the applicable law. AB does not retain data for a longer period of time than required either under the trading relationship, connecting the data subject to AB, or under applicable law.

Security measures
AB has taken all appropriate technical measures to secure your personal data. It limits access to those of its employees and partners who need to have access to the data. It takes all necessary measures to prevent any unauthorised access to, use of or modification of such data. It complies with applicable law and has established data protection procedures.

Updated data
AB always strives to ensure that the personal data it processes is always up to date, complete and relevant to the purpose of the processing being performed.

Data access
Only authorised employees of AB have access to the data. AB cooperates with third-party companies for the purposes of communication, advertising and information, to whom personal data are disclosed if and when required. AB ensures that those companies have put in place all necessary organisational and technical means for data protection and that they have informed their employees of, and bound them to, the confidential nature of such data.

Exercise of rights
Data subjects have the rights provided in the current legislation. AB may object to the exercise of certain rights if this is required by law or a judgement.

 

3. GENERAL MATTERS

Links to other websites
Other companies' websites may be accessed through AB's website. AB is not responsible to users for any leakage of their personal data due to their use of products and third party services through the company's website.

COOKIES
AB may use cookies to recognise users. Cookies are small text files stored on each user's terminal; they do not receive any information, nor do they gain access to a user's personal data or documents. Cookies are used solely for the purpose of facilitating the user's access to specific products and/or services, for statistical purposes in order to determine the areas in which AB products and/or services are popular, or for marketing purposes.


Cookies
Use of cookies from the ab.gr website

Cookies are small text files that are stored on your computer by the websites you visit or by certain emails you open. They are widely used for the operation of websites, as well as for providing commercial or marketing information to website owners.
AB Vassilopoulos uses cookies on this website for the following purposes:

1. Necessary cookies
These cookies are necessary to visit our websites. These cookies allow, for example, the navigation of the various sections of the website or the completion of forms. If you reject cookies, certain sections of the website may not work properly.

2. Functional cookies
Functional cookies are cookies that provide you with a more personalised browsing experience. These cookies store your preferences as well as your settings regarding your favourites.

3. Performance cookies
For performance monitoring purposes, we use cookies to collect information about the use of our websites by visitors in order, on the one hand, to satisfy more visitors' needs and to improve the content of our websites and, on the other hand, to facilitate the use of our websites. For example, one particular cookie helps us count the number of unique visitors, while another identifies the pages that are most popular.

4. Third party cookies
So-called "third party" cookies may be used to display personalised ads. Personalised ads mean ads that are tailored to your gender, age, area, or preferences. No data about your identity are collected or stored by using third-party cookies.

5. Built-in content
This website sometimes links to other websites through a link that the user clicks on. When you visit those external websites, it is possible that cookies will also be created by them. For more information on the creation of cookies on these websites, AB Vassilopoulos recommends that you refer to the Privacy Policy of those websites.
 
Deleting or blocking cookies

If you wish to block cookies, you can do so through the browser you are using.

Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-9
Chrome: https://support.google.com/chrome/answer/95647?hl=el&hlrm=nl
Firefox: https://support.mozilla.org/el/kb/energopoihsh-apenergopoihsh-cookies-parakoloy8hsh-protimhsewn?redirectlocale=el&s=cookies&r=5&as=s&redirectslug=enable-and-disable-cookies-website-preferences
Safari: http://support.apple.com/kb/PH5042
When disabling the use of cookies, you should be aware that some graphics may not be properly displayed or that you may not be able to use certain sections of the website.

List of cookies used by the ab.gr website

For a detailed list of cookies used on this website, see the list below. The list is updated periodically as the services provided are upgraded.

Cookie: groceryCookieLang 
Purpose: This cookie is used to maintain the user's chosen language.
Type: Functional cookie - expiration: 1 year

Cookie: AWSELB 
Purpose: This technical cookie helps manage access to the website and user sessions (load balancer).
Type: Necessary cookie - session cookie

Cookie: StoreAndDate
Purpose: This cookie is used to allow better space management (caching).
Type: Necessary cookie - session cookie

Cookie: JSESSIONID
Purpose: This cookie is used to manage the user's session.
Type: Necessary cookie - session cookie

Cookie: websiten|#|lang
Purpose: This cookie is used to manage the website's language.
Type: Necessary cookie - session cookie

Cookie: ASP.NET_SessionID
Purpose: The cookie is created automatically by asp.net.
Type: Necessary cookie - session cookie

Cookie: Adobe Analytics cookies: c_m, gpv, s_cc, s_chStacking, s_fid, s_isFP, s_pfm, s_sq, s_stv
Purpose: These cookies allow the site to be analysed and customised, and statistics to be generated. Some are session cookies; others are retained for 1, 2 or 5 years.
Type: Third party cookies

Cookie: Facebook Pixel
Purpose: Marketing and re-targeting on Facebook. Sending information about: Language, page type, category, order amount, delivery method, total order discount
Type: Third party cookies.

Cookie: Google Analytics Cookies: _ga, _gid
Purpose: With Google Analytics we measure how the user uses the website and how the user found the www.ab.gr website. We use this knowledge to improve the sites. Google Analytics is the web analysis application that analyses visitor behaviour at an aggregated level, in order to improve the website for visitors based on aggregated insights and to bring it more in line with their preferences.
Technique: cookie / local storage

Cookie: Google Analytics Cookies: a2t, a1t, pv
Purpose: This cookie is used to measure the amount of time each visitor spends on our web pages.
Technique: cookie

Cookie: Google Analytics Cookies: _gali, _gat_UA-171410646-1, _gat_UA-171410646-3, _gat_UA
Purpose: this cookie ensures that Google Analytics correctly registers via which link a page is reached.
Technique: cookie

Cookie: Google Analytics Cookies: analytics.js
Purpose: this cookie ensures that Google Analytics correctly registers via which link a page is reached.
Technique: script

Cookie: Google Analytics Cookies: collect
Purpose: this cookie ensures that Google Analytics correctly registers via which link a page is reached.
Technique: web beacon

Cookie: Google AdServices
Purpose: Measuring Adwords Campaign Performance
Type: Third party cookies

Name: _ga
Purpose: AH uses Google Analytics to measure how the user uses the website and how the user found the www.ab.gr website. AH uses this data in the DoubleClick services to adapt the www.ab.gr website and advertisements to the behaviour of the user. Google DoubleClick is the advertising platform with which Google enables AH to display (targeted) advertisements on its own and external websites.
Technique: cookie

Name: hole _UA-171410646-3
Purpose: Registration of the opt-in for sharing data collected with Google Analytics with the DoubleClick advertising services.
Technique: cookie

Cookie: DoubleClick (google)
Purpose of the "DSID" cookie: measurement of results, frequency and targeting for DoubleClick advertising systems over a period of 15 days
Purpose of the "HERE" cookie: measurement of results, frequency and targeting for DoubleClick advertising systems over a period of 21 months
Purpose of the "id" cookie: measurement of results, frequency and targeting for DoubleClick advertising systems over a period of 2 years
Purpose of the "_gcl_dc" cookie: to assign sales to the correct channel over a period of 92 days
Type: Third party cookies

Cookie: Linkwise
Purpose: affiliate marketing campaigns
Type: Third party cookies

Cookie: e-satisfaction
Purpose: Measuring user satisfaction on the site
Type: Third party cookies

Cookie: baloon script
Purpose: Help users navigate the website
Type: Third party cookies

Cookie: cpab
Purpose: This cookie is used to manage session information
Type: Necessary Cookie

Cookie: cp_laternotif
Purpose: It is used to manage notifications in popups.
Type: Necessary cookie - Session cookie

Cookie: cp_trigger_add2cart
Purpose: Used to manage the addition of products to the basket
Type: Necessary cookie - Session cookie

Cookie: cp_total_cart_items
Purpose: It is used to manage the basket
Type: Necessary Cookie 

Cookie: cp_total_cart_value
Purpose: It is used to manage the basket
Type: Necessary Cookie

Cookie: cp_sessionTime
Purpose: It is used to manage the user's stay time on the website.
Type: Necessary cookie - Session cookie

Cookie: bi 
Purpose: It is used to manage request load.
Type: Necessary Cookie

Cookie: cptmpc1/cptmpc2/cptmp3
Purpose: It is used to manage information when refreshing a page.
Type: Necessary cookie - Session cookie
This policy will be renewed and updated from time to time in accordance with applicable national and EU law.

You can change the cookie settings here.

Global Personal Data Protection Policy

1.    Purpose
The business strategies of Ahold Delhaize (“the Company”) and its Brands and Functions [1] depend upon the use of data that enables Ahold Delhaize to efficiently interact with associates as well as to make it easier for customers to Save Money, Save Time and Eat Healthier.

Trust is critical to our business. We depend on the trust of our customers, associates and the vendors and suppliers with whom we do business. To maintain this trust, we must observe our legal obligations and use appropriate care when processing their personal data.

While our business strategy determines what we want to achieve through the legitimate use of personal data, it is crucial to consider that customer trust, associate loyalty and the reputation of our Brands are affected by how we treat data. The Ahold Delhaize Values guide our conduct.

Specifically, Integrity (“We do the right thing and earn customers’ trust”) and Care (“We care for our customers, our colleagues, and our communities”) require that we do what’s right for our stakeholders. We are committed to protecting the personal data of customers, associates and business partners (Data Subjects). This Ahold Delhaize Global Personal Data Protection Policy (“Policy”) describes how the Brands and Functions of Ahold Delhaize protect personal data, and defines the principles and governance relating to personal data.

For purposes of this Policy, “Personal Data” refers to any information relating to an identified or identifiable natural person. "Processing” of Personal Data includes any operation which is performed upon Personal Data, such as collection, storage, alteration, access, use, disclosure or otherwise making available to third parties, combination, blocking, erasure or destruction.

Scope of this Policy
This is a global Policy applicable to all Ahold Delhaize Brands and Functions. Each Ahold Delhaize Brand and Function should adopt and implement the Policy in the context of the legal and regulatory environment in which it operates and to the extent to which it Processes Personal Data. The Brands and Functions may implement their own data protection policies to comply with the law and address business needs. In those instances, the Brand- or Function-specific policy will govern.

This Policy is intended to support compliance with data protection laws and regulations everywhere the Company or its Brands or Functions do business. This Policy will be updated as needed.

[1] In this Policy, the term “Brands and Functions” includes the retail Brands of Ahold Delhaize, all support offices such as the Global Support Office (GSO), and affiliated shared services companies that control or process personal data. Any reference in this Policy to Ahold Delhaize or “the Company” includes Ahold Delhaize and its Brands and Functions.


2.    Personal Data Protection Principles
At Ahold Delhaize, we recognize that having appropriate guidance for the use of Personal Data to meet our business objectives is a prerequisite to using such Personal Data. The following principles guide how Ahold Delhaize and its Brands and Functions manage the Personal Data of customers, associates, business partners and service providers:
1.    Our Brands and Functions are committed to protecting the Personal Data of their customers, associates, business partners and service providers.
2.    Our Brands and Functions process and maintain Personal Data for legitimate business purposes only, and are transparent about when and how they collect, use or share Personal Data.
3.    Our Brands and Functions provide customers with reasonable notice and control over their Personal Data.
4.    In achieving their business objectives, our Brands and Functions strive to use the Personal Data of customers to benefit customers.
5.    Our Brands and Functions are committed to complying with legal and regulatory obligations everywhere we do business.

Based on these principles, Ahold Delhaize and its Brands and Functions are committed to the following:

COLLECTION AND PROCESSING
Ahold Delhaize and its Brands and Functions will obtain Personal Data in a lawful and ethical manner, and, where required, with the consent of the Data Subject. Personal Data will be Processed in accordance with applicable legal requirements. The collection of Personal Data will be limited to that which is necessary for the purposes identified by Ahold Delhaize or its Brand or Function in a notice to or communication with affected Data Subjects, as described below.
NOTICE
Ahold Delhaize and its Brands and Functions will, when required by applicable law, or where the company otherwise considers it appropriate to do so, provide Data Subjects with relevant information regarding the processing of their Personal Data. This information will include the identity of the Data Controller [2], the purposes for which the Personal Data is being collected and used, and the legal basis for doing so. Where the processing is based on a legitimate business interest, that interest will be explained. This notice will be provided in clear and plain language at or before the time the Personal Data is collected. To provide transparency, each Brand will communicate this information to customers in a publicly accessible notice on its website and mobile applications and via other channels where appropriate. The notice for associates will be accessible via the Brand or Function intranet and/or other internal channels, such as HR policies and other appropriate sources.

[2] Data Controller means the entity that determines the purposes and means of the processing of Personal Data.

CHOICE AND CONSENT
Ahold Delhaize and its Brands and Functions will, when required by applicable law, request the consent of the Data Subject prior to collection or Processing of Personal Data, and will, when appropriate, offer Data Subjects the opportunity to choose (opt-in or opt-out) whether their Personal Data can be disclosed to a third party or be used for any purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subjects.

USE AND RETENTION
Ahold Delhaize and its Brands and Functions will Process, store, and disclose Personal Data only for business-related purposes, and in a manner consistent with the values of Ahold Delhaize, with respect for the privacy of the Data Subject and the protection of Personal Data, and in accordance with applicable law. Ahold Delhaize and its Brands and Functions will use Personal Data only for the identified purposes, and the Personal Data will be retained for no longer than necessary to fulfil the stated purpose, and will be disposed of in a manner that prevents loss, theft, misuse, or unauthorized access.

SAFEGUARDING PERSONAL DATA
Ahold Delhaize and its Brands and Functions will establish and implement safeguards to reasonably, appropriately, and adequately protect Personal Data from unauthorized use, disclosure, destruction, and alteration according to the risks presented by Processing the Personal Data.

PROCESSING SENSITIVE INFORMATION
Ahold Delhaize and its Brands and Functions will adopt additional measures for particular types of Personal Data (e.g., Sensitive Information) or for Personal Data otherwise requiring additional protections. In addition, Ahold Delhaize and its Brands and Functions may adopt additional measures to address local custom or social expectation regarding the Processing of Sensitive Information.

DATA INTEGRITY
Ahold Delhaize and its Brands and Functions will use reasonable measures to ensure that Personal Data that it holds and Processes is accurate and complete, relative to the purpose(s) for which the Personal Data is being used. Ahold Delhaize and its Brands and Functions will only use Personal Data that it believes is adequate and relevant to the purposes for which it is to be used.

ACCESS
Upon request and where required or otherwise appropriate, Ahold Delhaize and its Brands and Functions will endeavor to grant Data Subjects reasonable access to Personal Data that it holds about them. However, such access under certain circumstances may be legally denied by Ahold Delhaize or one of its Brands and Functions, e.g. where such access could potentially harm the rights and freedoms of others, or potentially disclose information relating to any ongoing investigation. In addition, Ahold Delhaize and its Brands and Functions will endeavor to take reasonable steps to permit Data Subjects to correct, amend, or delete information about them that is inaccurate or incomplete.

DISCLOSURES TO THIRD PARTIES
Ahold Delhaize and its Brands and Functions will disclose Personal Data to third parties only for legal and business-related purposes, and only when Ahold Delhaize or its Brand and Function has assurances that the Personal Data will be Processed and protected appropriately and in compliance with applicable laws and regulations.

INTERNATIONAL TRANSFERS OF PERSONAL DATA
Ahold Delhaize and its Brands and Functions will transfer Personal Data to or allow access by entities in other countries only for legal and business-related purposes. Ahold Delhaize and its Brands and Functions will routinely review its requirements under local law, regulation and policy for the Processing and protection of Personal Data to ensure that its obligations and the obligations of the recipients in the other countries are met for the Processing and protection of the Personal Data.

MONITORING AND ENFORCEMENT
Ahold Delhaize and its Brands and Functions will ensure that associates who process or have access to Personal Data are aware of and comply with the contents of this Policy and will appropriately inform and train its personnel regarding this Policy. Noncompliance with the Policy may result in disciplinary action, up to and including termination of employment.

 

3.    Data Protection Governance
Ahold Delhaize has adopted the three lines of defense model for assigning roles and responsibilities for managing risks.

See Appendix A for additional information regarding governance.
 
Relationship with Ahold Delhaize Information Security [3]
An important element of the protection of Personal Data is the security of such Personal Data through all phases of Processing, including when at rest or in transfer over our own network or when transferred to third parties. The Information Security principles are described in the Global Information Management and Security Policy. Information Security and Data Protection have complementary objectives that specifically overlap on issues such as Security Incident Response, controls to mitigate data protection risk, and creating an appropriate level of data protection awareness.

4.    Additional Information
For additional information regarding Data Protection at Ahold Delhaize or its Brands and Functions, you may contact:

dataprotection@aholddelhaize.com

This Policy will be made available on the Ahold Delhaize intranet and will be reasonably accessible internally and externally. The Corporate Privacy Officer will review the Policy at least annually and propose any necessary revisions to the Ahold Delhaize GRC Committee and/or the Ahold Delhaize Executive Committee.

[3] The Global Information Security Council (GISC) is responsible for Ahold Delhaize Information Security.
Appendix A – Governance & Responsibilities

[Updated March 3, 2021] Ahold Delhaize has adopted the three lines of defense model for assigning roles and responsibilities for managing risks. The following key roles with regard to data protection are identified and applicable to the non-US activity and operations of Ahold Delhaize and its Brands.

1st Line of Defense in the Brands and Functions
The management of each Brand and Function is accountable for:
•    The availability of adequate resources and budget to support Data Protection within and by the Brand and Functions.
•    Supporting the ongoing effectiveness of the Global Personal Data Protection Policy within all processes where Personal Data is collected and Processed.
•    Responsibility for the management of key data protection risks and data protection compliance issues within all processes in the Brand and Functions.

Process Owners
Process owners are responsible for the business functions (functional areas) where Personal Data is collected and Processed, such as Human Resources, Digital Marketing, Customer Loyalty, Online Shopping, Marketing and NFR.

The process owner of a Brand and Function is accountable for:
•    Complying with the relevant processes set forth in the data protection procedures.
•    Maintaining the quality, accuracy, availability (and supporting the Data Subject Rights) of the data and following data breach procedures.
•    Ensuring adequate implementation of the management processes, systems and tools to support the Personal Data Protection Policy within their functional area (e.g. record keeping and assessment).
•    Ensuring that the Processing of Personal Data is compliant with internal and external rules and data protection regulations.
•    Ensuring the appropriate level of data protection awareness, in all phases and activities of the business Processing of Personal Data.
•    Ensuring that relevant individuals in the functional areas are appropriately informed and trained about data protection risks.
•    Overseeing the management of data protection risks within their functional area.
•    Performing the control activities as indicated in the Data Protection Checklist (as described in Appendix B), within their functional area and for the collection and retention of the evidence supporting these control activities.

The process owner interacts with the Data Protection Lead (DPL) as follows:
•    Consult the DPL in case of a new product or service, change in current process or outsourcing involving the Processing of Personal Data (including providing the DPL with all relevant information in a timely manner to allow the DPL to provide adequate advice).
•    Get support from the DPL for the execution of data protection procedures as needed.
•    Consult the DPL for available training and awareness tools on data protection.
•    Immediately notify the DPL in case of any known or suspected Information Security Incident or Data Breach.

2nd Line of Defense in the Brands and Functions

The Data Protection Lead (DPL) of a Brand or Function supports Data Protection activity within the Brand and Functions as follows:
•    Supporting process owners with the implementation of the Global Personal Data Protection Policy (e.g., record keeping and assessment) including making available data protection training, awareness tools (e.g., privacy by design), best practices, and consulting the DPO as required in advising data protection impact assessments (e.g., whether such assessment should be carried out, how it should be carried out, and what safeguards should be applied to mitigate risks to Data Subjects).
•    Regularly advising the respective process owners on data protection risks and compliance issues (e.g., participating in decision-making that may affect (the protection of) Personal Data and consulting the DPO as appropriate).
•    Coordinating data protection related requests and responding to complaints from Data Subjects.
•    Cooperating with the DPO in responding to official investigations or inquiries regarding the Processing of Personal Data by a public authority.
•    Participating in the response to and resolution of any known or suspected Information Security Incident or Data Breach.
•    Advising and assisting with the selection and monitoring of third parties Processing relevant Personal Data, and requesting the DPO’s advice as appropriate.
•    Reporting to Brand and Functional management regarding data protection risks and issues.
•    Ensuring that the Annual and Quarterly Data Protection Checklist is completed by the responsible process owners, that the responsible area of the business has provided sufficient evidence for each of the requirements on the checklist, and that this evidence has been retained.
The DPLs interact with the Corporate Privacy Officer (CPO) and, where applicable, the Data Protection Officer (DPO), as follows:

•    Providing information for the quarterly updates of the Corporate Privacy Officer to the Global Privacy Steerco.
•    Coordinating with the CPO in the event of official investigations or inquiries by public authorities.
•    Informing the Corporate Privacy Officer:
     o    Of any new legal requirement that may affect the ability of Ahold Delhaize or its Brands and Functions to comply with this Policy
     o    In case of any questions, inquiries or formal investigations of data protection authorities.
     o    In case of any known or suspected Information Security Incident or Data Breach. The DPL will inform the CPO as soon as possible and appropriate, and in any case before the Information Security Incident or Data Breach is communicated externally (to Data Subjects directly or through a press release) and/or before the Data Protection Authority is notified.
     o    In case the Brand will not be able to (timely) complete the Data Protection Checklist, and/or provide the supporting evidence.
•    Consulting with the Corporate Privacy Officer:
     o    In all cases where there is a conflict between applicable local law and this Policy
     o    To determine whether additional assessment is required in case of a high risk Processing activity
     o    Regarding any new Processing activity involving cross-border transfers of Personal Data.

2nd Line of Defense Global

The Ahold Delhaize Executive Committee is responsible for:
•    Establishing the Ahold Delhaize Global Personal Data Protection Policy.
•    Overseeing the effectiveness of the Ahold Delhaize Global Personal Data Protection Policy.
•    Overseeing the documentation, notification and reporting of significant Information Security Incidents and Data Breaches.

The Corporate Privacy Officer (CPO) is responsible for:
•    Coordinating the maintenance, update and accessibility of the Global Personal Data Protection Policy.
•    Advising and assisting the Executive Committee (via the Global Privacy Steerco) regarding the management of key data protection risks.
•    Monitoring compliance with this Policy by conducting periodic reviews and proposing remediation actions for identified gaps or weaknesses.
•    Overseeing official investigations or inquiries at the global level regarding the Processing of Personal Data by a public authority, and assisting with any such investigations or inquiries at the Brand and Functions level.
•    Informing the Chief Legal Officer of Information Security Incidents and Data Breaches as soon as possible and appropriate, and in any case before the Information Security Incident or Data Breach is communicated externally (to Data Subjects directly or through a press release) and/or before the Data Protection Authority is notified.
•    Providing quarterly progress reports to the GRC Committee, and more frequent updates to the Chief Legal Officer, on data protection risks, compliance issues and the overall effectiveness of the Global Personal Data Protection Policy.
•    Establishing and maintaining the Ahold Delhaize Global Privacy Network.
•    Advising the DPLs on the local implementation of the Global Personal Data Protection Policy.
•    Reviewing and implementing, as appropriate, conclusions and recommendations of Internal Audit regarding overall data protection risk management and the effectiveness of the Global Personal Data Protection Policy.

Where required by applicable data protection laws, Brands or Functions will appoint a Data Protection Officer (DPO),[1] who is responsible for:
•    Informing and advising the relevant Brand or Function on its obligations in relation to the Processing of Personal Data, including assisting in monitoring its internal compliance with this Policy and other obligations relating to the Processing of Personal Data (e.g., collecting information to identify Processing activities, analyzing the compliance of Processing activities, and informing, advising and issuing recommendations to the Brands and Functions).
•    Advising on decision-making (including meetings with senior management) that may affect the protection of Personal Data by the Brand or Function.
•    Monitoring the Brand or Function’s compliance with requirements relating to the Processing of Personal Data, including, as appropriate, collecting information on Personal Data Processing activities and analyzing and checking the compliance of those Processing activities.
•    Advising on data protection impact assessments as requested by the DPL (e.g., on the safeguards that should be applied to mitigate risks to Data Subjects, whether the assessment has been correctly carried out, and whether its conclusions are in compliance with this Policy and other requirements relating to the Processing of Personal Data).
•    Monitoring the performance of data protection impact assessments (e.g., whether such assessment should be carried out, and what methodology should be followed).
•    Cooperating with, and acting as a contact point for, data protection authorities, and consulting them when appropriate.

3rd Line of Defense
The third line of defense is Ahold Delhaize Internal Audit. The responsibility of Internal Audit is to provide independent assurance and insight to the board and senior management concerning the effectiveness of Ahold Delhaize’s Data Protection risk management. Internal Audit can also perform audits at the request of the Ahold Delhaize Executive Committee or the Audit Finance & Risk Committee.


[1] Where applicable, the DPO role may be performed by the CPO.
 
Appendix B – Key Risks & Control Objectives

Key Risks
Data protection risks include non-compliance with legal obligations (such as laws and regulations) or social and ethical standards that could compromise the trust of customers and associates. Materialization of these risks could result in an adverse impact on the reputation of Ahold Delhaize and its Brands, as well as a negative financial impact through lost sales, fines and penalties. This policy and the control objectives included herein, are intended to address the following key risks:

A.    Unauthorized use of personal data
B.    Rights and freedoms of data subjects in relation to the processing of personal data not ensured
C.    Loss of and unauthorized access to (sensitive) personal data
D.    Data breaches are not notified or insufficiently followed up on
E.    Record Keeping obligations and Data Protection Impact Assessments (DPIA) are insufficiently executed, documented and followed up
F.    Lack of data protection compliance culture
G.    A processor handling Ahold Delhaize personal data is non-compliant with data protection rules and regulations or in breach of contractual obligations following from the processor agreement

Control Objectives
The control objectives below represent the minimum requirements that must be met by global and local management in order to mitigate the relevant data protection risks described above (and referenced below) and be able to demonstrate their compliance with relevant laws and regulations. The execution of activities in order to meet these control objectives is the responsibility of the relevant process owner, unless denoted otherwise.

1)    For all new initiatives (projects, systems, etc.) related to personal data processing, record keeping and any additional assessment (e.g. Record Keeping obligations and, if high risk, a Data Protection Impact Assessment (DPIA)) are executed to assess whether the personal data involved in the processing is documented and protected appropriately. (Risks A, B, C, E)
2)    A process owner is assigned for each personal data processing (Risks A, B, C, E, F)
3)    When the processing of personal data is identified as a high risk (Quick Scan scores risks of processing), the Process Owner (supported by DPL / ISO / R&C) conducts a Data Protection Impact Assessment (DPIA) (Risks A, B, D, E)
4)    Processes are in place to manage data subject rights as defined by GDPR / local regulations (Risks B, D, E)
5)    On a systematic basis, the inventory of processing activities involving personal data, the classification of the data and the ownership of the data are reassessed to ensure the record keeping obligation is still met appropriately (Risks A, B, C, E, F)
6)    Data Protection risks are identified and managed throughout all stages of the relationship with processors (Risk G)
7)    Education / training is given to provide staff and business users with the skills they need to apply personal data protection principles to ensure the appropriate treatment of the personal data (Risk F)
8)    Privacy compliance is reported by the CPO to the Chief Legal Officer (Risk B)
9)    A process is in place for data breach / security incidents (accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed) to identify and notify, via the ISO owned incident process to stakeholders, including, the ISO, CPO, the appropriate regulatory authorities and individual impacted data subjects in accordance with the legal obligations of the company (Risk D)

Data Protection Checklist
Control objectives 1 – 9 above have been extrapolated into a Data Protection Checklist which includes individual requirements / activities that must be performed (and required evidence for each activity) on a recurring basis by the process owners within the Ahold Delhaize Brands and functions. The Brand DPL will follow up with local management and relevant process owners to ensure the activities have been completed and the evidence is collected and retained.