Privacy Notice and Transparency Policy

The Privacy Notice and Transparency Policy defines the organization’s requirements for creating, approving, publishing, maintaining, reviewing, and evidencing privacy notices and transparency information for PII processing within the PIMS scope. Its stated purpose is to ensure that PII principals receive “clear, current, accessible, and auditable privacy notices before or at the required point in the PII processing lifecycle.” The policy applies across controller processing, joint-controller transparency information, and processor or subprocessor support for controller notice obligations where the organization acts under documented customer or processor instructions. It is owned by the Privacy Lead / PIMS Manager, approved by Top Management, and uses REG02, REG06, REG07, REG11, and REG12 as evidence objects. A central feature of the policy is its control of privacy notice content through REG07. The policy establishes REG07 as the authoritative evidence object for notice inventory, approval, publication, review, language, and version-control records. For controller processing, Process Owners / Business Owners must create a REG07 privacy notice record linked to the relevant REG02 processing activity before launching any new PII collection channel, service, form, campaign, product, or feature. Where PII is obtained from a source other than the PII principal, the record must be created before first communication, before first disclosure to a third party, or within 20 business days of obtaining the PII, whichever occurs first. The policy also requires notices to link to current REG02 processing purposes, lawful-basis references, PII categories, PII principal categories, source categories, recipient categories, retention references, and transfer references. The policy defines a structured approval and publication lifecycle. Process Owners / Business Owners certify the accuracy and completeness of notice content and submit the REG07 record for Privacy Lead / PIMS Manager approval before publication or collection-channel activation. The Privacy Lead / PIMS Manager verifies consistency with REG02 and approves or rejects the notice. System Owners / Application Owners may publish only the approved REG07 notice version before enabling digital collection channels, while Process Owners / Business Owners must make approved notices available through non-digital channels before PII is collected. Publication evidence, including location and timestamp or equivalent proof, must be recorded in REG07 within two business days after publication. If required approved notice evidence is missing, the new controller collection channel must not go live. Transparency quality is addressed through language, accessibility, version, and change controls. The policy requires identification of target PII principal audiences and required language versions before approval. It requires clear-language and audience suitability evidence in REG07, translated or localized versions before publication, and version parity between master and localized notices within 10 business days after a material update. Obsolete notice versions must be removed, redirected, or labeled within five business days after replacement publication, while superseded versions, effective dates, approval evidence, and publication evidence must be retained in REG07. Material changes to controller identity, contact point, processing purpose, lawful basis, PII categories, recipient categories, retention references, transfer references, rights-request channels, complaint or privacy contact channels, language coverage, publication channels, or processing context trigger notice update controls. The policy also includes governance, measurement, exception, enforcement, and maintenance requirements. Active REG07 notices are reviewed at least annually and within 30 days after material legal, regulatory, contractual, or processing changes. REG07 notice records are reconciled against REG02 processing purposes quarterly, with unresolved mismatches recorded in REG12. Metrics include the percentage of active notices linked to current REG02 purposes, notices reviewed by due date, overdue updates, unresolved mismatches, blocked or delayed collection channels, customer notice-support requests completed on time, and notices with current language, version, approval, and publication evidence. Exceptions must be recorded in REG12 before deviations occur, with required privacy advice and Top Management approval for specified notice-related exceptions. Missing, inaccurate, unpublished, unapproved, or obsolete notice evidence is recorded as a nonconformity, and material inaccurate or misleading notices are escalated to the Data Protection Officer / Privacy Advisor and Top Management within two business days of confirmation.