Zespri's Supplier Privacy Expectations
Zespri may share personal information with Suppliers to enable them to perform agreed commitments for Zespri. Suppliers are expected to handle personal information with care and respect when they receive and process it for or on behalf of Zespri. Personal information is any information relating to a person who can be identified (directly or indirectly) from the information.
Zespri remains solely responsible for determining the purposes and manner in which personal information is to be processed and Suppliers shall only process personal information in accordance with Zespri’s express instructions.
Suppliers who receive or process personal information for or on behalf of Zespri must:
a. take and implement appropriate technical and organisational security measures to ensure a level of security and confidentiality appropriate to the risk;
b. ensure the ongoing confidentiality, integrity, availability and resilience of their processing systems and services;
c. not share any personal information with any third party without prior authorisation of Zespri and a written agreement being in place with the third party to safeguard the personal information in compliance with this policy;
d. remain fully liable to Zespri for the performance of any third party obligations if the third party fails to fulfil its obligations;
e. take reasonable steps to ensure the reliability of staff having access to personal information and ensure they are fully aware of their obligations when dealing with personal information;
f. ensure all staff who have access to personal information do so under appropriate confidentiality obligations;
g. promptly notify Zespri if they receive a request from anyone in respect of Personal Information, and not respond to the request unless asked to by Zespri. Zespri expects Suppliers to assist in the fulfilment of Zespri’s obligation to respond to these requests; and
h. provide Zespri with any information requested to ensure compliance by the Supplier with its obligations under applicable privacy laws and this policy.
Personal information breaches: A breach of personal information is the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Suppliers must notify Zespri by telephone as soon as reasonably possible after becoming aware of any actual or suspected breach affecting any Zespri personal information and must provide all relevant details reasonably available, including:
a. the type of personal information believed to be affected;
b. the identity of any affected person or people; and
c. any other information which Zespri reasonably requests.
As soon as reasonably possible after the telephone notification, the Supplier must provide Zespri with a written notice confirming all relevant details and updates. Notification must be sent via email to the Supplier’s Zespri relationship manager and to Zespri’s Global Data Protection Officer at firstname.lastname@example.org. If requested by Zespri, Suppliers must provide Zespri with all reasonable assistance necessary to enable Zespri to notify breaches to relevant authorities and/or affected people, where Zespri is legally required to do so.
Suppliers must immediately investigate any breach and identify, prevent and make reasonable efforts to mitigate the effects of the breach. Suppliers must carry out any recovery action necessary to remedy or mitigate a breach.
Investigations and Enquiries: Suppliers shall cooperate with Zespri and assist in responding to any enquiry made, or any investigation or assessment of processing initiated, by a supervisory authority in respect of any personal information.
The Supplier must inform Zespri within five (5) working days of any inquiry, communication, request or complaint received from any governmental, audit, regulatory or supervisory authority relating to personal information.
Termination of Relationship: At the end of a Supplier’s relationship or agreement with Zespri, the Supplier must:
a. only process personal information for so long as is necessary to comply with its legal obligations;
b. not retain any copy, abstract, precis or summary of any personal information; and
c. at Zespri’s instruction, either securely destroy or promptly return to Zespri the personal information and related records and documentation.
Zespri personal information may not be processed by a Supplier following termination or expiry of the relationship or agreement with Zespri unless, and for no longer than is, required by law.