Data Handling Principles
1. Collection: The Supplier shall only collect an individual's personal data after having notified the individual of the purpose for the collection of that personal data, and obtained the individual's consent to use and/or disclose the personal data for the specified purposes.
2. Purpose: The Supplier shall not use or disclose personal data received from Nestlé for any purpose other than to perform and/or deliver the goods and/or services ordered within the specified time stated (“Purposes”) (and such purposes shall be consistent with the purposes for which Nestlé may use and disclose the personal data in accordance with the PDPA);
3. Use and disclosure: The Supplier shall only use and disclose personal data received from Nestlé in a manner and to the extent permitted in the Purchase Order (and such use and disclosure shall be consistent with the ability of Nestlé to use and disclose the personal data in accordance with the PDPA);
4. Access and correction: The Supplier shall provide such information and assistance to Nestlé as Nestlé may reasonably require to allow it to comply with the rights of individuals, including individual access or correction rights, or to comply with information notices served by the PDPC or a data protection supervisory authority, or to facilitate timely resolution of any such matter or any related investigation, and in the case of an access request, the Supplier shall furnish the information required no later than 10 days after the request was made;
5. Accuracy: The Supplier shall make a reasonable effort to ensure that the personal data received from Nestlé is accurate and complete, if the personal data is likely to be (i) used by the Supplier to make a decision that affects the individual to whom the transferred personal data relates; or (ii) disclosed by the Supplier to another organisation;
6. Protection: The Supplier shall protect personal data received from Nestlé in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks;
7. Retention: The Supplier shall cease to retain its documents containing personal data received from Nestlé, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that (i) the Purposes are no longer being served by retention of the personal data; and (ii) retention is no longer necessary for legal or business purposes;
8. Transfer limitation: The Supplier shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA and Nestlé's prior written consent to ensure that recipients provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA.
9. Policies: The Supplier shall ensure that its employees, agents and sub-contractors who may receive or have access to any of the personal data received from Nestlé are aware of the obligations specified under this Agreement, and agree to abide by the same.
EXAMPLES OF TECHNICAL AND ORGANISATIONAL MEASURES
(capitalized terms which are not defined herein will assume the meaning(s) as defined in the PDPA)
1.1 The Supplier undertakes to implement appropriate technical and organisational measures considering (i) the technical possibilities; (ii) the costs of the measures; (iii) the risks; and (iv) the sensitivity of the Processed Personal Data. All equipment used by the Supplier in relation to its obligations hereunder shall be of good quality, and any software used shall be of the newest or second newest version released on the market.
1.2 The technical and organisational measures mentioned under clause 1.1 shall include but not be limited to:
1.2.1 Adoption of a company-wide security policy, which clearly defines how Personal Data shall be Processed (including within the Supplier and its third party service provider and/or Data Intermediary) and which shall be made available to all relevant employees and other personnel.
1.2.2 Implementation of a secure IT environment, including but not limited to (i) the implementation of appropriate security routines for the avoidance of virus attacks or other actions which are detrimental to the IT environment; (ii) the implementation of a coding system and/or any other security measures to avoid bugging and the revealing of signals; (iii) the implementation of appropriate security routines for portable IT equipment; (iv) implementation of a user authorisation control system, which will enable the identification of user identity (through the use of passwords or otherwise); (v) storing of Processing history (logging data); (vi) implementation of automatic back-up routines, including the storage of back-up copies; and (vii) destruction of any and all media that have contained Personal Data and which are no longer used.
1.2.3 Implementation of physical security measures such as (i) locking devices; (ii) a building entry checking system; (iii) alarms for fire, water, burglary, etc.; (iv) protective equipment in case of power failure or water damage; (v) fire extinguishers; (vi) security lockers; (vii) marking of equipment, etc.
1.2.4 Implementation of security routines for third party service providers (if any).
SECURITY REQUIREMENTS
1 The Supplier will implement technical and organisational measures to:
1.1. Ensure that rights to process personal data or access thereto are only granted to persons duly authorised, on a confidential and need-to-know basis and such access is recorded;
1.2. Prevent unauthorised persons from accessing or using personal data processing areas, including via:
(a) Locked premises accessible only to persons authorised to process personal data;
(b) CCTV; and
(c) Clean desk policies.
1.3. Ensure that persons engaged in the processing of personal data are bound by relevant data secrecy undertakings and have been instructed as to the law.
1.4. Ensure that personal data cannot be unduly read, copied, modified, transferred or removed during (electronic) transfer or storage on a data media, including via:
(a) Functional separation of personal data (storage, modification, deletion, transmission) according to the purposes for which it is processed; and
(b) Ensuring that relevant personal data is only accessed by the relevant person(s) (e.g. German data should not be accessible to a French entity without reason).
1.5. Prevent unauthorised persons from accessing or using systems used for the processing of personal data, including by:
(a) Regulating the inputting, modifying, removal, management and transfer of personal data from and to the systems including via appropriate company policies;
(b) A login and password policy for networks and user accounts, including the requirements for special characters with capital letters and numbers, a minimum length of eight characters and regular password renewals;
(c) Automatic disabling (e.g. desktop locked after inactivity period);
(d) Key-carded physical access controls;
(e) Different forms of access permissions (e.g. per role, per object) reviewed regularly;
(f) Regular reviews by IT staff of HR's listing of temporary staff;
(g) Special access rights for sensitive data directories;
(h) Limiting administrative access to firewalled platforms to IT staff;
(i) Procedures to modify/terminate logical access to active directories;
(j) Taking particular care of data leaving the processing of personal data areas, including by:
(i) Ensuring that persons using portable computers with personal data take special care during transport, storage and use of the device outside the processing areas (including by encryption);
(ii) Securing (by encryption), so as to ensure data confidentiality and integrity, devices/storage media containing sensitive personal data that are transferred outside the processing areas;
(iii) Removal of personal data from carriers which are made available to unauthorised persons (including for repair or destruction);
(k) Taking particular measures vis-à-vis public networks, including:
(i) Securing systems used for the processing of personal data against dangers originating from public networks by implementing physical and logical safeguards against unauthorised access. Logical safeguards should include controls of information flows between internal IT systems and external public networks as well as of actions initiated in public networks and in the systems used for the processing of personal data; and
(ii) Cryptographic safeguarding of data used for authentication purposes that are transferred in public networks.
1.6. Ensure that personal data is only processed in accordance with Nestlé’s instructions, including via:
(a) Implementing and enforcing a document retention policy;
(b) Implementing and enforcing policies on access, use and disclosure of personal data;
(c) Implementing privacy policies, including data protection security policies and instructions for managing IT systems pursuant to the law;
(d) Cooperating with Nestlé to the fullest reasonable extent, including by answering its queries, informing it of inspections conducted by an authority and adopting requests to comply with the law; and
(e) Appointing an information security/data protection officer where required by the law, responsible for compliance with security/data protection principles set out in such law. The Supplier will give the contact details of such officer to Nestlé.
1.7. Ensure that personal data is protected from accidental destruction or loss, including via:
(a) Backup procedures (e.g. automated online and tape backup systems);
(b) Storing backup copies in places secured against unauthorised takeover, modification, damage or destruction (and deleted immediately after they cease to be needed);
(c) Backup power sources for critical infrastructure;
(d) Virus protection systems to protect work stations and servers;
(e) Firewall rules, periodically reviewed by IT staff;
(f) Housing of sensitive IT equipment in secured areas;
(g) Contingency plans to recover from disaster situations, including those caused by power cuts or interference with power networks; and
(h) Any physical or environmental threats.