Application and Scope
This Policy applies to all Synlait Milk Limited (“Synlait”) sites.
In this Policy, the terms “we”, “us”, and “our” refer to Synlait.
Synlait is committed to respecting data protection and privacy rights and to complying with the Privacy Act 2020 (“Act”) and the Privacy Principles within the Act.
This Policy records the practices of Synlait regarding the collection, storage and use of personal information. Synlait will be transparent about what personal information it collects and how we use, store or process it.
“Personal information” is information about an identifiable individual and includes the individual’s name and contact details.
Data about companies or other organisations is not personal information. This Policy does not apply to information about companies or other organisations. However, it does apply to personal information that we hold about employees or representatives of other companies or organisations, as well as personal information we hold about our own employees and staff members.
Maintaining the security of your personal information is a priority at Synlait and we are committed to respecting your privacy rights. We will handle your personal information fairly and legally at all times.
This Policy provides you with information about:
- how we collect your personal information;
- how we use your personal information;
- what personal information we collect;
- how we ensure your privacy is maintained and secured; and
- your legal rights in relation to your personal information.
Collecting Personal Information
We only collect, use and process personal information for lawful purposes connected with our business operations.
Who do we collect personal information about?
We collect personal information about:
- current or prospective customers, suppliers, contractors and consultants, including their contractors, consultants and employees;
- participants and farmers in our Lead With Pride Scheme;
- current or prospective employees;
- people who visit our premises, attend our events or meet our representatives offsite;
- users of our website and individuals who contact us in other ways, including via our social media platforms, or by letter, e mail, phone or video conference; and
- other individuals for the purposes of, or in connection with, our business functions.
We collect personal information, as permitted by law:
- directly or directly from you, where possible. This includes by correspondence with us, whether by phone, e mail, letter, or through our website or social media platforms, or when you meet personally with us or our representatives;
- from third parties who have your consent to disclose personal information to us;
- from third parties where necessary to uphold or enforce the law, or where collecting it from you would undermine the purpose of collection; and
- from publicly available sources.
If we do not receive personal information as requested, we may not be able to perform certain business functions as required, or expected, by you.
What sort of personal information do we collect?
Examples of the type of personal information that we may collect, use and process (depending on our relationship with you) includes:
- name, contact and address details (physical and electronic), date of birth, age, gender, tax number, bank account number(s);
- account and communication preferences including consents to receive marketing material;
- in relation to employees of third parties we deal with business contact details, name of employer, position with employer, business type and other relevant information, services to be provided (in addition to other information listed here);
- in relation to our employees or applicants for employment with us: police checks and criminal records, details of previous employment and study/qualifications, references, photographs, emergency contacts, ethnicity, site locations (including through fob access), drug and alcohol test results and other information relevant to an employment relationship (in addition to other information listed here);
- if you visit one of our sites or attend an event run by us (including our annual meeting) your image (photograph or video);
- our correspondence, communications and interactions with you or information about our correspondence, communications or interactions with you;
- credit checks and related information;
- CCTV and security camera footage;
- your IP address, and information about your use of our website and social media platforms;
- other information relating to our relationship with you, including goods and services acquired or provided;
- other personal information you give us authority to collect;
- other publicly available personal information, including any which has been shared via a public platform (such as a twitter feed or public website);
- other information we require to perform our business activities or comply with our legal obligations; and
- any other information you provide to us, or third parties provide to us with your authorisation
This list is not exhaustive and in specific instances, we may need to collect additional personal information for the purposes set out in this Policy.
We do not knowingly collect data relating to children or young people.
How we use your Personal Information?
We collect and use, or process, personal information to enable us to perform our business activities. We will use or process personal information for a variety of reasons in connection with that purpose, including, but not limited to:
- communicating with customers, suppliers, consumers, employees and other business contacts, including answering queries or complaints and managing disputes;
- managing our relationship with you;
- establishing, maintaining, managing and otherwise conducting an employer/employee relationship, including but not limited to: reference checking, interviewing and otherwise assessing suitability for employment, activities relating to payroll, health and safety, training and performance, conducting investigations and disciplinary action;
- research activities;
- to enable us to provide a tailored website to you;
- conducting analysis within the Synlait Group;
- conducting business processing functions, including: invoicing, making and receiving payments, administration, planning, product/service development and quality control;
- promoting, marketing and advertising our products, with your consent for us to do so;
- understanding behaviours, activities, preferences, and needs;
- improving existing products and developing new products;
- complying with our legal and regulatory obligations;
- assisting with insurance claims made by customers;
- handling legal claims or regulatory enforcement actions;
- fulfilling our duties to our customers, employees, shareholders and other stakeholders; and
- as otherwise permitted by you.
We may also use your personal information if doing so is necessary to uphold or enforce the law.
We also provide the opportunity for third parties to receive promotional, marketing or other communications from us via a variety of methods. If you do not wish to receive these communications, you may change your communications preferences at any time by contacting us directly or selecting “unsubscribe” in our communications. Any election to “unsubscribe” will only work for the applicable contact details and communications. If you use more than one contact address or method, or subscribe to more than one communication, you will have to unsubscribe for each contact address or method, or each communication, as the case may be.
We may disclose your personal information to:
- third parties as permitted by you whether under this Policy or in any other manner;
- you or someone acting on your behalf;
- our employees, contractors, advisors or representatives, where necessary for them to perform their duties;
- other companies in the Synlait Group of companies;
- our customers, suppliers or others;
- our professional advisers, including lawyers, accountants or auditors;
- financial institutions and the operators of payment systems;
- persons or organisations who perform services for us or on our behalf, including but not limited to:
- contractors or consultants;
- providers of IT services to us, including hosting and data storage providers, software providers (including customer relationship management software providers and accounting software providers);
- payroll service providers; or
- mailing houses;
- anyone else to comply with our legal obligations, including contractual obligations;
- courts, tribunals and regulatory authorities.
We may also disclose your personal information:
- to enable us to comply with our legal obligations;
- if disclosure is one of the reasons we collected the information;
- if necessary to uphold or enforce the law;
- if necessary for court proceedings; or
- if we disclose it in a way that doesn’t identify you.
If we disclose your personal information to third parties located overseas, we will take reasonable steps to ensure that the overseas recipients of your personal information do not breach privacy obligations relating to your personal information as set out in this Policy. As a global organisation, personal information that we collect may be transferred internationally throughout our worldwide organisation.
If your personal information is transferred to a recipient in a country that does not provide the same level of protection for personal information that the New Zealand or the European Union privacy laws do, we will take all commercially practicable measures to ensure that your personal information is adequately protected as required by the applicable law.
We will never sell or rent personal information to other organisations for marketing purposes.
How long do we keep your Personal Information?
We will not retain your personal information for longer than necessary for the purposes set out in this Policy (Principle 9 of the Privacy Principles). Different retention periods may apply for different types of personal information.
How we protect your Personal Information?
Synlait is committed to keeping your personal information safe and secure. Our security measures include, but are not limited to:
- encryption of personal information;
- regular cyber security assessments of service providers who may handle your personal information;
- security controls, which protect Synlait’s IT infrastructure from unauthorised access; and
- internal policies setting out our data security approach and IT security training for employees.
Your rights regarding Personal Information
You have the following rights under this Policy, the Act and the Privacy Principles. These rights are not exhaustive but will provide you with an understanding of your rights:
- the right to ask for a copy of personal information that we hold about you (sometimes referred to as, the right to access – Principle 6 of the Privacy Principles);
- the right (in certain circumstances) to request that we delete personal information held where we no longer have any legal or necessary reason to retain it (sometimes referred to as, the right of erasure or to be forgotten – Principle 7 of the Privacy Principles);
- the right to ask us to update and correct any out-of-date or incorrect personal information that we hold about you (sometimes referred to as, the right of rectification – principle 7 of the Privacy Principles); and
- the right to opt out of any marketing communications that we may send you and to object to us using / holding your personal information if we have no legitimate reasons to do so (sometimes referred to as, the right to object);
- the right (in certain circumstances) to ask us to ‘restrict processing of personal information’; which means that we would need to secure and retain the personal information for your benefit but not otherwise use it (sometimes referred to as, the right to restrict processing); and
- the right (in certain circumstances) to ask us to supply you with some of the personal information we hold about you in a structured machine-readable format and/or to provide a copy of the personal information in such a format to another organisation (sometimes referred to as, the right to data portability).
Most internet browsers give you the option to reject all cookies, accept all cookies, erase cookies stored on your computer or be notified before a cookie is stored on your computer. However, if you reject or erase the cookies referred to above some of our website features or services will not function properly or may not be fully available. Please refer to your internet browser instructions if you want to find out more about rejecting or erasing cookies.
Data Protection and Privacy Officer
Synlait has appointed a Data Protection and Privacy Officer to ensure that we protect the personal information and any other relevant data of our customers (and others) and to comply with all privacy and data protection legislation.
The role of Synlait’s Data Protection and Privacy Officer includes, but is not limited to:
- Ensuring Synlait complies with the Act;
- Dealing with requests for access to personal information or correction of personal information;
- Dealing with any complaints about possible privacy breaches;
- Acting as the liaison between Synlait and the Office of the Privacy Commissioner;
- Advising Synlait, together with its Legal Team on compliance with privacy requirements; and
- Advising Synlait on the potential privacy impacts of changes to business practices.
The Data Protection and Privacy Officer shall also be responsible for all training pertaining to privacy for Synlait employees and staff members, and for maintaining a Privacy Compliance Register. This Privacy Compliance Register shall record any notified privacy breaches, together with any requests made under the Act to correct, access or delete personal information held by Synlait.
The Data Protection and Privacy Officer shall also be responsible for dealing with any complaints, queries, or questions as provided below.
- have any questions about how Synlait collects, uses or processes your personal information that are not answered in this Policy;
- have any questions about this Policy;
- want to exercise your rights regarding your personal information, including your right of correction; or
- want to report a breach of this Policy; or
- disagree with a decision made regarding your personal information,
please contact our Data Protection and Privacy Officer, Synlait Milk Limited at: firstname.lastname@example.org or at our offices at 1028 Heslerton Road, RD13, 7783.
We have a formal procedure for dealing with any complaints. Once our Data Protection and Privacy Officer receives a complaint, they will commence an investigation with the relevant business unit. We will endeavour to complete the investigation in a reasonable timeframe. We may contact you, if necessary, to discuss your concerns in more detail. If the Data Protection and Privacy Officer determines that a breach has occurred, they will escalate the complaint to Management. We will inform you of the outcome of the investigation.
If you are dissatisfied with how we handle any complaint from you regarding your personal information, you may contact the Privacy Commissioner.
Reporting of Breaches
All breaches of:
- the Privacy Principles as set out in the Act, or any other applicable privacy or data protection regime; and/or
- this Policy,
identified by any Synlait employee must be reported to that person’s direct manager or supervisor, in the first instance, and to the Data Protection and Privacy Officer, at email@example.com.
If the Data Protection and Privacy Officer deems that a reported breach will, or is likely to cause serious harm, then the breach will be notified to the Office of the Privacy Commissioner, as soon as practicably possible.
For this policy to be successful, the active participation and support of all our employees is essential.