About the GDPR
The GDPR, effective May 25th 2018, replaces the previous European Data Protection Directive and is a response to changes that have taken place over the last 20 years, for example, the rise of social media. It strengthens and unifies data protection for all individuals within the European Union (EU).
The GDPR expands the definition of 'personal data' to include identifiers such as IP addresses and cookies and has stricter consent standards meaning agreement cannot be inferred from silence, pre-ticked boxes or inactivity. It also introduces some new rights, for example, the right to be forgotten where there is no compelling reason for the continued processing of that person’s data.
The GDPR changes the way that PepsiCo processes your employee data and we have created a new employee privacy notice (below). There are also some frequently asked questions about the GDPR at the end of this document.
PepsiCo Europe employee privacy notice
1. Introduction & General Terms
As a global employer PepsiCo, Inc. (together with its subsidiaries and affiliates) (“PepsiCo”) collects and processes the personal data of its employees, contractors, workers, other personnel and job applicants (“Personnel”) in the ordinary course of business, and in some circumstances transfers that data outside the country where it was collected.
In doing so, PepsiCo is fully committed to keeping safe all its Personnel’s Personal Data (as subsequently defined) by meeting or exceeding all those applicable data security standards imposed by law in all of the countries in which it does business.
This Europe Employee Privacy Notice (the “Notice”) describes how PepsiCo’s EU subsidiaries (“PepsiCo Europe”) collect, use and process personal data relating to their Personnel. The PepsiCo Europe entity that employs you or to which you made a job application is the data controller of your personal data. The names and contact details of all PepsiCo Europe data controllers are set out in Annex 1 below.
This Notice supplements the PepsiCo, Inc. Global Privacy Notice for Employees effective January 28, 2015, and all subsequent versions thereof.
PepsiCo Europe monitors its employees’ use of PepsiCo Europe’s computers and email system in accordance with its Information Security Policies and all applicable laws.
2. Scope and Application of this Notice
This Notice applies to all Personal Data (defined below) of current and former Personnel, which PepsiCo Europe collects, uses, discloses or retains.
If the Notice conflicts with any applicable law, such law will prevail. Accordingly, each of PepsiCo Europe’s businesses may adapt the Notice to ensure it complies with any applicable law.
3. What is Personal Data?
For the purposes of this Notice ‘Personal Data’ means any information which relates to an identified or identifiable individual, or which could be used to identify an individual as well as any other information about an individual that is protected by applicable privacy and data protection laws (“Personal Data”).
The types of Personal Data that PepsiCo Europe may collect from or about you include:
- Identification documentation
- Recruiting records
- Payroll, benefits and Personnel services data
- Contact information
- Data required for regulatory agency reporting (e.g., Equal Employment Opportunity data)
- Attendance records
- Disciplinary and grievance records
- Performance records
- Records regarding your use of digital products and services (including your use of email, the internet, social media and user generated content), including such data that we collect through use of “cookie” technology
- Information gathered from your voluntary participation in marketing and research for PepsiCo products and services
- Information you choose to share (e.g., via SpeakUp, PepChat or other sharing tools and services)
- Public records (including, in some countries insofar as is permitted by local law, criminal offence records)
- Details of your emergency contacts
- Vehicle tracking and monitoring information
- Other records
4. Why does PepsiCo Europe collect, use, disclose or retain Personal Data?
PepsiCo Europe collects, uses, discloses and retains Personal Data for the following purposes:
- Managing our workforce: Managing work activities and personnel generally, including recruitment, appraisals, performance management and efficiency initiatives, promotions and succession planning, rehiring, administering salary, and payment administration and reviews, wages and other rewards and bonuses, healthcare, pensions plans, training, leave, monitoring and managing safety behaviours promotions, transfers, secondments, honouring other contractual commitments, providing employment references, loans, performing workforce analysis and planning, performing employee surveys, performing background checks, providing access to facilities, managing disciplinary matters, grievances and terminations, reviewing employment decisions, making and monitoring business travel arrangements, managing business expenses and reimbursements, planning and monitoring of training requirements and career development activities and skills, and creating and maintaining one or more internal employee directories.
- Communications, Facilities and Emergencies: Facilitating communication with you, ensuring business continuity, providing references, protecting the health and safety of employees and others, safeguarding and maintaining IT infrastructure, office equipment, facilities and other property, facilitating communication with you and your nominated contacts in an emergency.
- Business Operations: Operating and managing IT, communications systems and facilities, managing service development, improving our services, managing company assets, allocating company assets and human resources, strategic planning, project management, business continuity, compilation of audit trails and other reporting tools, maintaining records relating to business activities, budgeting, financial management and reporting, communications, managing mergers, acquisitions, sales, re-organizations or disposals and integration with purchaser.
- Compliance: Complying with legal and other obligations, such as income tax and national insurance deductions, record-keeping and reporting obligations, physical access policies, conducting audits, management and resolution of health and safety matters, such as accident and insurance claims, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations and complying with internal policies and procedures.
- Sensitive Information: We may also collect certain types of sensitive personal information for specific purposes, including: collection of health/medical information in order to accommodate a disability or illness or to provide benefits; health and safety and accident information, in order to comply with legal obligations and in order to make insurance claims; diversity-related Personal Data (such as gender, race or ethnicity) in order to comply with legal obligations and internal policies relating to diversity and anti‑discrimination; information relating to criminal background checks in some countries insofar as permitted by local law in order to comply with legal obligations and internal policies. The Personal Data that PepsiCo Europe collects about you is required by us either to satisfy legal obligations in the context of employment law to which we are subject, to perform our obligations in our contract employment with you, or for our legitimate businesses purposes as an employer, as described above.
Where we are obliged to collect Personal Data, or its collection is necessary to permit PepsiCo Europe to discharge the duties which it owes to you as an employer, it is an express term of each employee’s contract of employment, and of the PepsiCo Europe recruitment process, that the employee or job applicant must disclose certain Personal Data to PepsiCo Europe for the purposes set out above. Personnel are obliged to provide their Personal Data to PepsiCo Europe; if any Personnel does not wish to disclose any Personal Data then PepsiCo Europe will review whether in the circumstances it will be possible to continue to employ or (as the case may be) continue to work with or proceed with the application of the person refusing to disclose the requested Personal Data.
5. Does PepsiCo Europe share or transfer Personal Data?
PepsiCo Europe may from time to time disclose Personal Data to other entities in the PepsiCo group or to third parties for any of the purposes listed above. Examples of relevant third parties to whom PepsiCo Europe may disclose Personal Data includes governmental agencies and third parties who render services in connection with (among other things) job application processes, payroll, employee benefits, training and security.
When we disclose your Personal Data to third parties who perform services on our behalf, we ensure that such service providers use Personal Data only in accordance with our instructions, and we do not authorise them to use or disclose Personal Data except as necessary to perform services on our behalf or to comply with applicable legal obligations.
PepsiCo Europe may also disclose Personal Data to third parties:
- (i) where such disclosure is required by law,
- (ii) for the purposes of, or in connection with, any legal proceedings to which it is a party, or otherwise for the purpose of establishing, exercising or defending its legal rights,
- (iii) who are law enforcement authorities or other government agencies and who have made a lawful request for such disclosure,
- (iv) where we believe disclosure is necessary to prevent harm or financial loss, or in connection with an investigation of suspected or actual misconduct or criminal activity, or
- (v) if PepsiCo Europe sells or transfers all or part of its business or assets (including through a merger, reorganisation, spin-off, dissolution or liquidation.
6. International Transfers of Personal Data
Due to the global nature of our operations, we may disclose your Personal Data to PepsiCo, Inc. in the U.S. and to its affiliates in other countries whose data protection laws may not be as extensive as those in the EU.
When PepsiCo Europe transfers Personal Data outside the European Economic Area, whether within the PepsiCo group of companies or to third parties, PepsiCo Europe will only do so:
- (i) to a country which the European Commission considers to have adequate data protections laws;
- (ii) to a company which has a current and valid U.S.-EU Privacy Shield certification in relation to the category of Personal Data which is being transferred; or
- (iii) where we have put in place an appropriate data transfer mechanism, such as EU Standard Contractual Clauses, to ensure that your Personal Data is adequately protected.
If none of these criteria are satisfied, PepsiCo Europe may still transfer Personal Data outside of the EEA if the Personnel explicitly consents, or if the transfer is legally necessary.
Access to your Personal Data by PepsiCo, Inc. will be limited to those who need to know the data for the purposes described in this Notice, and may include personnel in the HR, IT, compliance, legal, finance and accounting, and internal audit functions.
You may obtain a copy of the relevant data transfer mechanisms that we have put in place under which your Personal Data is transferred outside the EU by contacting us using the applicable address in Annex 1.
7. Protecting Personal Data
PepsiCo Europe maintains appropriate technical and organisational measures designed to protect your Personal Data against loss or accidental, unlawful or unauthorised, alteration, access, disclosure or use.
PepsiCo Europe, in general, retains Personal Data relating to its Personnel for up to six years following the end of employment with PepsiCo Europe. PepsiCo Europe retains Personal Data relating to unsuccessful job applicants for up to two years following communication of our decision in relation to the job application, unless you agree that we can retain the Personal Data for a longer period in connection with future employment opportunities.
The retention periods described above may be extended if we are required to preserve your Personal Data in connection with litigation, investigations and proceedings, or if a longer retention period is required by applicable law.
8. Personnel Rights
PepsiCo Europe expects employees to update their Personal Data through myPepsiCo or such other procedures and systems established by PepsiCo Europe. PepsiCo Europe will take such other reasonable steps as necessary to ensure that Personal Data is accurate and complete for the purposes for which it was collected, used, disclosed or retained.
To the extent required by applicable law, you may have the right to request a copy of any Personal Data that PepsiCo Europe holds about you.
You also may have the right to
- request that your Personal Data is rectified or deleted, or that its processing is restricted,
- object to the processing of your Personal Data, or
- receive it in a portable format.
If you would like to discuss or exercise any of these rights, please use the applicable contact details in Annex 1.
If PepsiCo Europe has collected your Personal Data with your consent, you have the right to withdraw that consent at any time, which you may do so using the applicable contact details in Annex 1.
If you are dissatisfied with PepsiCo Europe’s handling of your Personal Data, you also have the right to complain to an EU data protection supervisory authority. You can find the details of your relevant supervisory authority here: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
PepsiCo Europe may update this Notice from time to time, and will notify Personnel of any significant changes on its intranet sites, through internal publications, or via other appropriate communication channels. All changes are effective from the date of publication unless otherwise noted.
10. Contact Us
If you have any questions or concerns about this Notice, or would like to exercise any of your rights, please contact the relevant data controller by using the address below or email email@example.com.
Data controllers (Annex 1 privacy notice)
- PBI Fruit Juice Company BVBA | Legal Department, Jozef Verschaveweg, USA Kaai 411-412, 8380 Zeebrugge, Belgium
- Tropicana Europe NV | Legal Department, Sint Truidersteenweg 301, 3840 Borgloon, Belgium
- PepsiCo BeLux BVBA, | Legal Department, Corporate Village, - Bayreuth Building, Da Vincilaan 3, 1935 Zaventem, Belgium
- Veurne Snack Foods BVBA | Legal Department, Albert-I-Iaan 33, B-8630 Veurne, Belgium
- Corina Snacks Ltd | Legal Department, 4 Riga Feraiou str, Omega Court, 1st floor, Limassol 3905, Cyprus
- Czech Republic
- PepsiCo CZ s.r.o | Legal Department, Kolbenova 50, 190 00 Prague 9, the Czech Republic,
- PepsiCo Nordic Denmark Aps | Legal Department, Vesterbrogade 149, 1620 Kobenhaven, Denmark
- PepsiCo Eesti AS | Legal Department, Tuglase 2, 51014 Tartu, Estonia
- PepsiCo Nordic Finland OY | Legal Department, Atomitie 2a, 00370 Helsinki, Finland
- PepsiCo France SNC | Legal Department, 420 rue d’Estienne d’Orves – 92705 Colombes
- PepsiCo Management Services SASU | Legal Department, 420 rue d’Estienne d’Orves – 92705 Colombes
- Quaker Oats | Legal Department, 420 rue d’Estienne d’Orves – 92705 Colombes
- PepsiCo Deutschland GmbH | Legal Department, Hugenottenalle 173, 63263 Neu-Isenburg, Germany
- Punica Getränke GmbH | Legal Department, Hugenottenalle 173, 63263 Neu-Isenburg, Germany
- Tasty Food S.A | Legal Department, Agios Stefanos (22nd km Athens-Lamia National Road) 145 65 Greece
- PepsiCo IVI EPE | Legal Department, Agios Stefanos (22nd km Athens-Lamia National Road) 145 65 Greece
- FÁÜ Zrt. | Legal Department, 121-123 Helsinki út, 1239 Budapest, Hungary
- Republic of Ireland
- The Concentrate Manufacturing Company of Ireland | Legal Department, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
- Pepsi-Cola International Cork | Legal Department, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
- PepsiCo Ireland Food & Beverages | Legal Department, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
- Pepsi-Cola Trading Ireland | Legal Department, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
- PepsiCo Beverages Italia S.r.l. | Legal Department, Via Tiziano 32, 20145 Milan, Italy
- UAB Lithuania Snacks | Legal Department, Paneriu g. 37, Vilnius, Lithuania
- PepsiCo Nordic Norway | Legal Department, Lilleakerveien 4, 0283 Oslo, Norway
- Duyvis Production BV | Legal Department, Diederik Sonoyweg 17, 1509 BR Zaandam, The Netherlands
- PepsiCo Nederland N.V. | Legal Department, Zonnebaan 35, 3542 EB Utrecht, The Netherlands
- Quaker Oats BV | Legal Department, Brielselaan 7, 3081 AA Rotterdam, The Netherlands
- Frito Lay Poland Sp. z.o.o. Oddział Warszawa | Legal Department, Warsaw, 03-801, Zamoyskiego 24/26 street, Poland
- Frito Lay Poland Sp.z o. o. Oddział II Biuro Główne | Legal Department, Warsaw, 03-801, Zamoyskiego 24/26 street, Poland
- PepsiCo Logistyka Sp. z.o.o. | Legal Department, Grodzisk Mazowiecki, 05-825, Zachodnia 1 street, Poland
- Pepsi-Cola General Bottlers Poland Sp. z.o.o. | Legal Department, Warsaw, 03-801, Zamoyskiego 24/26 street, Poland
- PepsiCo Consulting Polska Sp. z o. o. | Legal Department, Warsaw, 03-801, Zamoyskiego 24/26 street, Poland
- Frito Lay Sp. z o. o. Oddział Fabryka w Grodzisku Mazowieckim | Legal Department, Grodzisk Mazowiecki, 05-825, Zachodnia 1 street, Poland
- Frito Lay Sp. z o. o. Oddział Fabryka w Tomaszowie Mazowieckim | Legal Department, Tomaszów Mazowiecki, 97-200, Włókiennicza 12/18 Street
- Matudis-Comercio de Produtos Alimentares LDA | Legal Department, Lagos Park-Edificio 5C-5o, Oeiras, Portugal
- Matutano-Sociedade de Produtos Alimentares LDA Legal Department, Estrada Banco de Portugal number 2, Trombeta, Carregado, Portugal
- Quadrant–Amroq Beverages S.r.l | Legal Department, Bucharest, Calea Vacaresti Street, 4th floor, 1st section, 4th district, Romania
- S.C. Star Foods E.M S.r.l | Legal Department, Bucharest, Calea Vacaresti Street, 4th floor, 1st section, 4th district, Romania
- PepsiCola SR s.r.o | Legal Department, Nadrážná 534, 901 01 Malacky
- Centro–Mediterranea de Bebidas Carbonicas PepsiCo S.L. | Legal Department, Avenida de los Olmos, 2, Vitoria (Spain)
- Compania de Bebidas PepsiCo S.L. | Legal Department, Avenida de los Olmos, 2, Vitoria (Spain)
- PepsiCo Manufacturing A.I.E. | Legal Department, Avenida de los Olmos, 2, Vitoria (Spain)
- Tropicana Alvalle S.L. | Legal Department, Poligono Inductrial Camposol, Puente Tocinos, Murcia (Spain)
- Onbiso Iversiones, S.L | Legal Department, Avenida de los Olmos, 2, Vitoria (Spain)
- PepsiCo Holdings De Espana, S.L | Legal Department, Avenida de los Olmos, 2, Vitoria (Spain)
- PepsiCo Iberia Servicios Centrreales, S.L | Legal Department, Avenida de los Olmos, 2, Vitoria (Spain)
- PET-IBERIA, S.L | Legal Department, Avenida de los Olmos, 2, Vitoria (Spain)
- PepsiCo Europe Support Center S.L. | Legal Department, Avenida de los Olmos, 2, Vitoria (Spain)
- PepsiCo Foods A.I.E. | Legal Department, Avenida de los Olmos, 2, Vitoria (Spain)
- Quaker Oats Europe, Inc | Legal Department, Stortorget 11, 211 22 Malmo, Sweeden
- United Kingdom
- PepsiCo International Limited | Legal Department, Building 4, Floor 3, Chiswick Business Park, 566 Chiswick High Road, London, W4 5YE
- PepsiCo UK Pension Plan Trustee Limited | Legal Department, 450 South Oak Way, Green Park Business Park, Reading, RG2 6UW
- Walkers Snack Foods Limited | Legal Department, 450 South Oak Way, Green Park Business Park, Reading, RG2 6UW
- Walkers Snacks Limited | Legal Department, 450 South Oak Way, Green Park Business Park, Reading, RG2 6UW
- Walkers Snacks (Distribution) Limited | Legal Department, 450 South Oak Way, Green Park Business Park, Reading, RG2 6UW
What is the GDPR?
The GDPR is the European Union’s new data protection law. It replaces the Data Protection Directive, which has been in effect since 1995. It gives people greater control over their personal data and imposes many new obligations on organizations that collect, handle or analyze personal data, including PepsiCo.
When does the GDPR take effect?
The GDPR takes effect on 25 th May 2018.
What are the main requirements of the GDPR?
The GDPR poses a wide range of requirements on organizations, like PepsiCo, that collect or process personal data, including a requirement to comply with six key principles:
- We must be clear with people about how we are using their personal data and we need to have a lawful reason for processing their data.
- We cannot re-use or disclose personal data for purposes that are not ‘compatible’ with the purpose for which the data was originally collected.
- We must minimize the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
- We must ensure that the personal data we hold is accurate and we can be corrected if errors occur.
- We must ensure that personal data is retained only as long as necessary to achieve the purposes for which the data was collected.
- We must keep personal data secure through both technical and organizational measures.
Why do I need to know about this?
It is useful for you to know about the GDPR because if you work and live within the EU it will affect the way your personal data is processed with every company you interact with. Within PepsiCo, depending on your job role, there may be different reasons why you need to know about this legislation, for example:
- It will change the way PepsiCo, gathers, stores and processes your employee data
- If you work in a division that is affected by the changes, such as Marketing, IT or HR, you will feel the effect of GDPR on your ways of working
If you have not heard about it and you have any questions you should reach out to your HR business partner in the first instance.
What is personal data?
Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable individual. For example, online identifiers like IP addresses, employee information, sales databases, consumer services data, consumer feedback forms, location data, biometric data, CCTV footage, loyalty scheme rewards, health and financial information and more. Personal data may even include information that does not appear to be personal, for example, a photo of a landscape without people but where that information is linked by an account number or unique code to an identifiable person. It also includes personal data that has been pseudonymised, if that pseudonym can be linked back to an individual. The law also includes data like race or ethnicity, health or sexual orientation.
Tell me more about my rights around my data.
The GDPR gives you certain rights over your personal data, such as the right to access or correct your personal data or have it deleted. It also means customers can ask PepsiCo to stop processing their personal data, object to direct marketing and revoke consent for certain uses of their personal data. Additionally, the right to data portability means PepsiCo must provide people with their data in a way that makes it easy for them to move it elsewhere.
PepsiCo is ensuring that plans are in place for people who want to exercise those rights both internally and externally to the organization.
How will it affect PepsiCo?
PepsiCo will comply with the law and follow the new legislation. Therefore, it is changing the way it processes data both internally within the organization (employees) as well as externally. There are two new policies that have been produced, internal and external, that provide more detailed information. You can find copies of the policies on the intranet site.
Which countries in ESSA will be affected?
UK, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
Will it affect the work that I am doing?
You will likely not notice any difference as an employee unless you work in certain functions in the organization. If the GDPR is going to affect your ways of working, you will be informed and trained as part of the change programme. If you are concerned that you may work in an area where the GDPR will change your ways of working and you have not heard anything about the changes then please reach out to your HR business partner in the first instance.
Will it change the way my employee data is handled?
Yes, if you work within the EU it will change the way your employee data is handled and there is a new policy about employee data. If you would like to understand more about the changes that are taking place to your data, then please visit the intranet site to read the new policy or reach out to your Legal or HR business partner.
I want to check the data that PepsiCo holds on me. How do I go about this?
Contact your HR business partner.
What is my role as a PepsiCo employee to ensure that PepsiCo is compliant with the new legislation?
Most employees will not need to change their ways of working. If you work with personal data you will receive training. However, we all need to be vigilant about personal data. A laptop left on a tube or a lost memory stick that contains personal data could all be considered a data breach. In the event of certain personal data breaches, the GDPR requires notice to regulators within 72 hours of detecting the breach. Individuals whose data has been compromised may also need to be notified if there is a significant risk of harm due to the breach. If you are in any way concerned that there may have been a breach of data, then please contact your line manager immediately.