Personal Data Protection Policy

Version 1.1 EN

SECTION I – PURPOSE AND SCOPE

1. This Policy sets out the rules relating to the protection of individuals, including Staff Members, with regards to the processing of their Personal Data by the World Customs Organization (the “WCO”) or on its behalf (hereinafter the “Policy”).

2. The implementation of any processing of Personal Data by the WCO is subject to compliance with this Policy and any other relevant rules of the WCO adopted for its implementation.

3. This Policy protects all Personal Data relating to individuals, whether collected by the WCO or disclosed to the WCO by a third party.

SECTION II - DEFINITIONS

For the purposes of the present Policy, the following terms are defined as follows:

1. “Personal Data” means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Company registration numbers, generic email addresses (such as info@company.com) and anonymised data are not considered Personal Data;

2. “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, by manual or automated means (including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data);

3. “Data Controller” means any Staff Member who has the authority to determine, alone or jointly with others, the purposes, conditions and means of the processing of Personal Data on behalf of the WCO;

4. “Data Processor” means any Staff Member or other individual, legal entity, public authority or similar body, including a third party, authorized to process Personal Data on behalf and under the direct authority of the Data Controller;

5. “Recipient” means the individual, legal entity, public authority or similar body to which Personal Data are disclosed;

6. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

7. “Sensitive Data” means data related to or revealing the national registration number, genetic data, judicial data (such as litigations, suspicions, prosecutions, criminal convictions etc.), data revealing racial or ethnic origin, data concerning health or sex life, political opinions, trade-union membership, and religious or philosophical beliefs;

8. “Consent” means the freely given, specific, informed and unambiguous permission expressed by an individual by which he or she agrees with the processing of his/her Personal Data. This consent is given either by a written statement or by a clear affirmative action;

9. “Data Protection Officer” means the Staff Member appointed by the Secretary General to perform the duties listed in this Policy or assigned to him/her by decision of the Secretary General; and

10. “Staff Members” means any staff member of the WCO.

SECTION III – PRINCIPLES RELATING TO PROCESSING AND TRANSFER OF PERSONAL DATA

A. Processing of Personal Data

3.1 The WCO shall ensure that Personal Data disclosed to the WCO are collected and processed according to the principles expressed in this Policy.

3.2 Personal Data shall be processed and used lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’).

3.3 Personal Data shall be collected for specified, explicit and legitimate purposes consistent with the WCO’s official activities (‘purpose limitation’).

3.4 The Processing of Personal data shall always be adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and/or further processed (‘data minimization’).

3.5 Personal Data stored by the WCO shall be accurate and, where necessary, kept up-to- date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).

3.6 Personal Data shall be kept or stored for no longer than is reasonably necessary for the purposes for which they are processed (‘storage limitation’).

3.7 Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).

3.8 The WCO shall not process Sensitive Data, except if:

1. the Processing is in reference to medical or social protection under the applicable WCO internal rules, including health insurance coverage and the payment of family or other social benefits by the WCO;

2. the Processing is for the copying of passports where a Staff Member uses the WCO’s assistance when requesting either a visa for entering the duty country or applying for any other visa in connection with official travel for the WCO;

3. individuals have given Consent to the processing of Sensitive Data or made the Sensitive Data manifestly public. The WCO may be asked to prove that the individual has explicitly and without reservation consented to the processing of such Sensitive Data for the purpose at stake.

In case Sensitive Data is processed, the WCO shall take all appropriate and necessary measures to ensure the security and confidentiality of such Sensitive Data.

3.9 Should the WCO intend to use Personal Data for the purposes of direct marketing, Consent shall be received regarding the Processing of data resulting from participation in events and activities of the WCO. Electronic means shall be used to ensure that participants have consented to the processing of their Personal Data for the purposes of direct marketing. The opt-in regime shall be seen as the general rule in order to ensure that participants have provided their Consent.

B. Transfer of Personal Data

3.10 Personal Data may be transferred within the WCO on the following conditions:

1. the Personal Data are necessary for the performance of tasks covered by the activities of the Recipient;

2. only the Personal Data necessary for the performance of these tasks shall be transferred; and

3. the Recipient may process the Personal Data only for the purposes for which they are transferred.

3.11 The WCO may transfer Personal Data towards its Members, international organizations and other third parties with which the WCO entered into an agreement, in only one of the following cases:

(i) the WCO Members, international organizations or other third parties observe this Policy and any other relevant rules which the WCO may adopt for its implementation; or

(ii) sufficient safeguards exist, including effective enforcement mechanisms and appropriate measures put in place by the WCO Members, international organizations or other third parties, to ensure a continuing level of security and protection consistent with this Policy and any other relevant rules which the WCO may adopt for its implementation; or

(iii) the concerned individual has explicitly consented to the proposed transfer; or

(iv)the transfer is necessary for the establishment, exercise or defense of legal claims;\

(v) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the concerned individual between the Data Controller and another natural or legal person;

(vi) the transfer is necessary to protect the vital interests of the concerned individual; or

(vii) to allow the WCO to achieve its legitimate aims and to carry out its official activities. In this regard, it is understood that the Organization is amongst others authorized to transfer to its Members the contact data (emails) of Directors General of Customs and persons appointed as Customs Attachés, for the sole purpose of allowing for the exchange of information.

3.12 Where the Data Controller intends to instruct a Data Processor to process Personal Data on its behalf, the Data Controller shall use only Data Processors providing sufficient adequate guarantees of compliance with the level of security and protection of the Personal Data set forth by this Policy to ensure the protection of the rights of individuals

3.13 In the context of events of the WCO and the distribution of a list containing participants’ Personal Data, the WCO shall ensure that it has received consent from the individuals before issuing such a list. Such Consent shall also be obtained using the opt-in regime.

SECTION IV – RIGHTS OF INDIVIDUALS

A. Information to be given to the individuals

1. 4.1 Upon request by the concerned individual, the WCO shall provide the individual with the following information on the Processing of data which is personal to him/her:

1. the identity and the contact details of the Data Controller;

2. the contact details of the Data Protection Officer;

3. the purpose of the Processing for which the personal data are intended as well as the legal basis for the processing;

4. the categories of Personal Data concerned;

5. the Recipients or category of Recipients of the Personal Data;

6. where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the reason why no such period is fixed;

7. where applicable, the fact that the WCO intends to transfer Personal Data to a Member of the WCO, another international organization or a third party and the reasons for such transfer; and

8. the existence of the right to request access, rectification or erasure of Personal Data and to submit claims

4. 2 The section above shall not apply where the provision of such information proves impossible or would involve a disproportionate effort, and such impossibility or disproportionate effort is duly motivated by the Organization. In such instances, the WCO shall take appropriate measures to protect the concerned individuals’ rights and legitimate interests to the extent reasonably possible.

B. Right to access

4.3 Every individual shall have the right to obtain from the Data Controller at any time, on request, confirmation as to whether or not Personal Data relating to him/her are being processed.

C. Right to rectification and erasure

4.4 Individuals have the right to obtain, without undue delay, the rectification or completion of their inaccurate or incomplete Personal Data.

4.5 Individuals shall have the right to obtain from the Data Controller erasure of their Personal Data without undue delay, and the Data Controller shall have the obligation to erase Personal Data without undue delay where one of the following grounds applies:

(i) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; or

(ii) the Personal Data have been processed in such a way that does not comply with this Policy.

4.6 Where the WCO is not the Data Processor, the WCO shall make every reasonable effort to ensure that the third party Data Processor complies with the request of the concerned individuals.

4.7 The above section does not apply to the extent that the Processing is necessary for statistical or archiving purposes, for the delivery of the WCO’s mission and programme of work, in so far as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that Processing.

D. Right to object

4.8 Every individual shall have at any time the right to submit a request objecting, on grounds relating to his or her particular situation, to the Processing of Personal Data concerning him or her. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates that such Processing is necessary for the performance of the task carried out in the exercise of the WCO’s official activities or in the framework of its missions.

E. Right to data portability

4.9 Each individual shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller to which the Personal Data have been provided, where technically feasible and as long as it shall not adversely affect the rights and freedoms of others.

SECTION V – DATA PROTECTION OFFICER

A. APPOINTMENT

1. 5.1 Data Protection Officer (hereinafter the “DPO”) shall be appointed by the Secretary General and report directly to him/her.

   5.2 The DPO shall act independently, in a neutral and impartial manner and shall not accept instructions.

B. DUTIES

5.3 The DPO shall monitor the application of this Policy.

5.4 The DPO shall, on request or on his/her initiative, advice individuals on their rights and Data Controllers on their rights and obligations.

C. COOPERATION OF DATA CONTROLLERS WITH THE DPO

5.5 Data Controllers shall cooperate with the DPO by assisting the DPO and making available any information necessary for the DPO to carry out his/her tasks. Data

Controllers shall involve the DPO in the process of designing new information systems and to ensure that measures of data protection are built in those systems from the beginning.