Philips Privacy Code

PREAMBLE

The Board of Management of Koninklijke Philips Electronics N.V.

 

WHEREAS

 

(1) Philips (as defined hereinafter) wishes to express its commitment to the protection of the right to privacy and protection of Personal Data of Individuals in accordance with its General Business Principles and its Sustainability Policy;
(2) Philips acknowledges the Privacy and Data Protection Principles as laid down in Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of the Organisation for Economic Co-operation and Development (OECD September 23, 1980), which are: Fair Processing, Purpose Specification, Collection and Use Limitation, Transparency and Openness, Data Quality, The Right of Individuals to request Access to or Correction of their Personal Data or to Object to the processing of their Personal Data, Information Security, and Accountability;
(3) Philips processes Personal Data of its Employees, its Customers and of other Individuals as appropriate in connection with its business activities including without limitation its employment and marketing activities as well as its control and security measures;
(4) Philips acknowledges that for the interests of a Customer to be effectively protected, the Customer should be able to make his choices and preferences known to Philips;
(5) Philips acknowledges that the subordinate nature of the employment relationship requires special attention of Philips as an employer to the (privacy) interests of its Employees with regard to the Processing of their Personal Data, the monitoring of their performance, attendance and behavior, and their private life;
(6) Philips acknowledges that children need special protection in connection with the processing of their Personal Data;
(7) Directive 95/46/EC of the European Community governs the Processing of Personal Data where the Processing is carried out in the context of Philips’ activities within the territory of the European Union or the European Economic Area;
(8) The Processing of Personal Data by Philips may include exchanges of Personal Data between Group Companies, central storage of Personal Data within or outside Philips and the transfer of Personal Data across borders of countries or states;
(9) This Philips Privacy Code applies to all Processing of Personal Data processed by or on behalf of Philips acting as a Data Controller or a Processor for other Group Companies;
(10) This Philips Privacy Code has a complementary character and is to be applied without prejudice to the legislation applicable to the Processing of Personal Data by a Group Company. If no local legislation is applicable, or if the terms of this Philips Privacy Code are stricter than any local legislation or provide additional safeguards, rights or remedies for the Individual, the terms of this Philips Privacy Code of Conduct will apply;
(11) This Philips Privacy Code is intended to establish a high level of protection for Personal Data under the control of Philips and to provide a framework for compliance with the obligations to adduce adequate safeguards to the transfer of Personal Data as required by article 26, section 2 of Directive 95/46;

 

HAS ADOPTED THIS PRIVACY CODE OF CONDUCT:

Philips Privacy Code

 

In view of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the European Data Protection Directive 95/46/EC, the Philips General Business Principles, and the Philips Sustainability Policy, Philips shall Process Personal Data of Individuals according to the following Privacy Principles:

Safe Haven

Philips and its Group Companies and staff shall Process Personal Data of its Customers, its Employees and other Individuals fairly and in accordance with applicable legislation and this Code, therefore creating a ‘Safe Haven’ in which Personal Data can be transferred between Philips’ Group Companies around the world within the boundaries as set forth by this Code and applicable law.

 

Purpose Specification

Personal Data shall be Processed only for legitimate purposes as appropriate in connection with Philips’ business activities including without limitation its employment and marketing activities as well as its control and security measures or for purposes required by law.

 


Collection and Use Limitation

The collection of Personal Data shall be limited to the specified purposes. Personal Data shall be used for the specified purposes or for purposes which are compatible with the specified purposes. Personal Data shall be adequate and relevant to the purposes and not be excessive.

 

Sensitive Data

Philips shall limit the Processing of Sensitive Data to the purposes required or authorized by law or consented to by the Individual.

 

Data Quality

Personal Data shall be accurate, complete and kept up-to-date. Reasonable steps shall be taken to ensure that inaccurate, incomplete or out-dated Data is corrected, completed or deleted.

 

Confidentiality and Security

Philips shall take appropriate and commercially reasonable technical and organizational measures to keep the Personal Data confidential and secure and to protect the Data against all unlawful forms of Processing. Access to and disclosure of Personal Data will be limited to Philips’ Staff or third parties or their staff in connection with their specific roles or responsibilities.

 

Transparency

Philips shall inform the Individual about the purposes of the Processing, the identity of the Data Controller and other information insofar as this is necessary to ensure fair Processing, unless the Individual already has such information.

 

Disclosure to Third Parties

Philips shall only disclose Personal Data to a Third Party when required by law or to the extent necessary for the purposes permitted by this Code. Such disclosures may include:

a) Exchange of Personal Data with a Third Party with which Philips provides a product or service in a joint marketing effort with such Third Party; or

b) Collection by or disclosure of Personal Data to a Data Processor; or

c) Disclosure of Personal Data to a Third Party which provides products or services to the Individual as agreed to in a contract or similar agreement between Philips and the Individual.

 

Where appropriate, Philips may require such Third Party to enter into a contract containing provisions which protect the (privacy) interests of the Customers or Employees whose Data are disclosed at at least the same level of protection as provided by the Code.

 

Philips shall not sell or similarly disclose Personal Data of Customers or Employees to Third Parties, except where the sale of Personal Data is part of the sale of a business or part thereof to a Third Party and the Data have been collected or are used in connection with the relevant commercial or employment operations of such business.

 

Employees

While performing its rights and duties as an employer, Philips shall take into account the (privacy) interests of its Employees. In view of the subordinate nature of the employment relationship Philips shall not seek the consent of Employees for Processing their Personal Data or monitoring their performance, attendance or behavior, if the Processing or monitoring is directly or indirectly related to the employment context, unless consent is legally required or appropriate.

Instead, Philips will limit its Processing of Employee data or the monitoring of their performance, attendance or behavior to (i) what is necessary to perform Philips’ obligations under the employment contracts or collective bargaining agreements or to close a contract with a Third Party in the interest of the Employee, (ii) what is required or authorized by law, (iii) what is necessary to protect the vital interests of the Employee, (iv) what is necessary to pursue the legitimate business interests of Philips insofar as these interests do not disproportionately interfere with the (privacy) interests of the Employees, or (v) what is necessary to protect Philips’ Compelling Business Interests.

 

Direct Marketing

Philips will obtain the consent of the Customer before using his Personal Data for the purposes of direct marketing via electronic means, except where the Customer has provided his Personal Data to Philips in the context of a sale of a Philips product or service, has subscribed to a service provided by Philips or has participated in a sales or marketing event organized by Philips, and such Customer has been provided the clear and distinctive opportunity to object to such use at the time of the registration.

When using Personal Data for direct marketing purposes via other means, Philips shall provide the Customer at least with a possibility to opt-out from such use.

 

Protection of Children

Philips will only Process the Personal Data of a Child under the age of fourteen (14) either with the prior verifiable consent of the Child’s parent or legal guardian, or where necessary for the performance of a contract with the parent or legal guardian, or where the Processing of the Child’s Personal Data is required by law.

 

Rights of Individuals

Philips respects the rights of Individuals to request an overview of their Personal Data kept by or on behalf of Philips, to request to rectify or to block their Data and to object to the Processing of their Personal Data.

 

Any Individual may declare with the Chief Privacy Officer or the appropriate Privacy Officer that a Group Company, a Philips-employee or a Data Processor (i) is not complying with this Code, (ii) is not cooperating with a lawful investigation or inquiry by a competent Supervisory Authority, (iii) is not abiding by the lawful decision given by a competent Supervisory Authority or court; or (iv) is not able to comply with this Code because of any legal requirements applicable to such Group Company or Data Processor prohibiting it from complying with this Code.

 

The Group Companies do not object to representation of an Individual or group of Individuals by an association or other body if they so wish and if permitted by applicable law.

 

Applicable law, Supervising Authorities

This Code shall be applied without prejudice to applicable legislation.

Notwithstanding the powers of other competent authorities under the applicable laws, compliance with this Code shall be primarily supervised by the College Bescherming Persoonsgegevens (hereinafter called the ‘Dutch Data Protection Authority’).
This Code does not affect the substantive rights and remedies nor the dispute settlement procedures which are available to an Individual in accordance with the ordinary rules of private international law.

The Dutch Data Protection Authority is authorized to advise on the application of this Code at all times.

 

Mutual Assistance

All Group Companies and Staff as well as all Data Processors and their staff are required to cooperate and assist each other in order to handle (i) a request of the Individual, (ii) a complaint made by the Individual, (iii) a claim made by the Individual; or (iv) a lawful investigation or inquiry by a competent authority.

 

Philips Privacy Rules / Governmental Permits

The principles of this Code shall be applied and executed in accordance with the details specified in the Philips Privacy Rules and in accordance with the permits, approvals, authorizations or similar documents issued by competent authorities in connection with this Code.

 

Compliance and Dispute Resolution

This Code is binding on all Companies belonging to the Philips Group. It has a complementary character and shall be applied without prejudice to legislation applicable to the Processing of Personal Data by a Group Company.

The Individual may bring a complaint or claim before the Dutch Data Protection Authority or the Dutch courts against the Group Company or Group Companies which violated this Code, provided that the Individual has first filed his complaint with Philips and the outcome thereof is not to the satisfaction of the Individual. In case the Group Company which violated this Code is unknown to the Individual, a complaint brought before the Dutch Data Protection Authority may be made against “Philips” in general.

The Group Company which violated this Code can be held liable for any direct damage suffered by the Individual resulting from any violation of this Code by such Group Company.

An Individual can enforce the obligations of Philips contained in this Code which directly relate to the lawful or fair Processing of his Personal Data as third-party beneficiary against the Group Company that does not comply with this Code, or – where his Data have been exported from the territory of the European Union or the European Economic Area to a Group Company in a country that does not provide a level of protection similar to this Code and that Group Company does not comply with this Code – against the Exporting Group Company.

Koninklijke Philips Electronics N.V. hereby unilaterally declares that it will take reasonable measures to procure compliance with this Code by all Group Companies, its Staff or Data Processors, and that in addition to the local rights and remedies available to the Individual with respect to the Data Processing by one or more Group Companies, it may be held liable by the Individual for damages resulting from failure to take said reasonable measures.


The Board of Management of Koninklijke Philips Electronics N.V.

Amsterdam
January 16, 2007

 

Note
The Philips objective is to bring all data processing into compliance with this Code before January 17, 2011.
Inquiries relating to the Philips Privacy Code should be directed to:

Philips Privacy Office
Philips International BV
PO Box 214 (VO-1)
5600 MD  Eindhoven, The Netherlands
E-mail: Philips_Privacy_Office@philips.com
http://pww.legal.corp.philips.com/privacy

or to the local Privacy Officer, GBP Compliance Officer or Legal Department