GDPR FAQ

We provide this note to answer the most frequently asked questions that our customers ask us about the GDPR.  It does not (and is not intended to) confer legal advice – you should always speak to your own, independent legal advisers to understand your legal responsibilities under the GDPR.

  1. What are data protection laws?

  2. What is the General Data Protection Regulation?

  3. Who does the GDPR apply to?

  4. What is a data controller and a data processor?

  5. Does Avery Dennison comply with the GDPR?

  6. What type of personal data is Avery Dennison collecting?

  7. Is Avery Dennison a controller or processor?

  8. What is Avery Dennison's lawful basis for processing personal data?

  9. What data protection rights do data subjects have?

  10. Will customer personal data ever be transferred outside Europe?

  11. What data transfer solution does Avery Dennison have in place?

  12. What security measures does Avery Dennison apply to protect personal data?

  13. Who do I contact if I have further questions?

 

  1. What are data protection laws?

    • 1.1   Data protection laws are a set of laws that govern the way that businesses collect, use, and share personal data about individuals.  Among other things, they require businesses to process individuals' personal data fairly and lawfully, to allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and to have in place appropriate security protections in order to protect the personal data that they process.

  2. What is the General Data Protection Regulation?

    • 2.1   The General Data Protection Regulation (or "GDPR") (Regulation (EU) 2016/679) is Europe's new data protection law that applies from May 25, 2018.  The GDPR is a major overhaul of the current data protection rules under the Directive, and Avery Dennison, like many organizations, is taking steps to ensure that it is GDPR-ready when the new law comes into effect.

    • 2.2   The GDPR aims to update Europe's existing data protection rules to make sure they are fit for the 21st century.  Amongst other things, it harmonizes data protection rules throughout European Union member states, introduces new requirements for data processors (the current law applies only to data controllers), enhances individual's privacy rights (introducing new rights to be forgotten and to data portability) and creates significant penalties for non-compliance (including potential fines of up to 4% annual worldwide turnover).

  3. Who does the GDPR apply to?

    • 3.1   The GDPR applies to any organization which is established within the European Union (i.e. has a subsidiary or branch in the EU).  It also applies to any non-EU organization which either:

      • (a)   offer goods or services to individuals in the EU (including free goods and services); or

      • (b)   monitors the behaviour of individuals in the EU (for example, through the use of advertising or analytics technologies).

  4. What is a data controller and a data processor?

    • 4.1   A data controller is the entity that determines the "purposes and means of the processing" – or, in layman's terms, how and why personal data will be processed.  A data processor processes personal data only on behalf of, and under the instruction of, a data controller.

  5. Does Avery Dennison comply with the GDPR?

    • 5.1   Like any responsible organization, Avery Dennison aims to comply with the data protection laws that apply to it.  Avery Dennison does have an EU establishment, and therefore would be directly subject to the GDPR.

  6. What type of personal data is Avery Dennison collecting?

    • 6.1   We mainly process personal data about our employees and business contact data relating to our customers, suppliers and other individuals with whom we have a business relationship. We also gather personal information through our website, for more information please see our Website Privacy Notice. The information that we process may include limited amounts of sensitive personal data and we take care to protect all the personal information that we hold in accordance with law.

  7. Is Avery Dennison a controller or processor?

    • 7.1   When providing its services to customers, Avery Dennison processes data both as a data controller and a data processor.

  8. What is Avery Dennison's lawful basis for processing personal data?

    • 8.1   Avery Dennison will only be able to process personal data if it can demonstrate it has a lawful processing ground, such as reliance on its legitimate interests, where processing is to comply with a legal obligation or with consent from the individual whose personal information is processed.

  9. What data protection rights do data subjects have?

    • 9.1  Under the GDPR, individuals can exercise the following rights against data controllers:

      • (a)  a right to request access to, and a copy of, personal information processed about them;

      • (b)  a right to correct any inaccurate or outdated personal information processed about them;

      • (c)  a right to object to processing of their personal information;

      • (d)  a right to request erasure of their personal information – for example, end users may want that their data gets deleted;

      • (e)  a right to request that processing of their personal information be restricted – for example this can be supported with the “do not track” option in the browser; and

      • (f)   a right not to be subject to automated decisions that significantly affect them or legally affect them.

    • 9.2  Avery Dennison has put in place procedures to ensure that it handles all such requests made to it as a controller in compliance with the GDPR. Please click here to submit your request.  For data where Avery Dennison is a processor, Avery Dennison will forward any such requests it receives to the relevant controller to respond.

  10. Will customer personal data ever be transferred outside Europe?

    • 10.1  If our customers are located outside of Europe, then yes – of course!

    • 10.2  Aside from that, please note that Avery Dennison is a US headquartered company with affiliates in the European Union.  Customer personal data may be transferred outside Europe, including in the US and such data transfers will be carried out in accordance the GDPR requirements.  We also work with international service providers who help us to manage and deliver our services; however they do so under strict contractual terms to ensure they protect the privacy and security of customer personal information.

  11. What data transfer solution does Avery Dennison have in place?

    • 11.1  Avery Dennison is currently working towards implementing Binding Corporate Rules to organise the data flows between the various Avery Dennison entities.

  12. What security measures does Avery Dennison apply to protect personal data?

    • 12.1  Avery Dennison is committed to ensuring that personal data is secure.  Avery Dennison implements appropriate technical and organisational security measures to protect personal data against: (i) accidental or unlawful destruction; and (ii) loss, alteration, unauthorised disclosure or access.

  13. Who do I contact if I have further questions?

    • 13.1  If you have any further questions about Avery Dennison's compliance with EU data protection requirements or the GDPR, please contact GDPR.info@averydennison.com.