Effective from: 18th October 2019

Yara has committed itself to the protection of Personal Data of Yara Customers, Suppliers and Business Partners by implementing the Yara Data Privacy Directive for Customer, Supplier and Business Partner Data (the “Directive”), which together with the Yara Data Privacy Directive for Employee Data, constitutes Yara’s Binding Corporate Rules (“BCRs”) for the Processing and transfer of Personal Data within Yara.

The purpose of these Binding Corporate Rules is to ensure an adequate level of protection for Processing of Personal Data within Yara. Binding Corporate Rules enable Yara to make intra-group transfers of Personal Data across borders, provided that the rules set out herein are complied with. The BCRs have been approved by the competent Data Protection Authorities and are binding on Yara International ASA and its Group Companies.

Under European data protection legislation, transfer of Personal Data to countries outside the EEA that do not provide an adequate level of protection require a legal basis. The objective of Yara’s Binding Corporate Rules is to establish such legal basis for transfers of Personal Data from Group Companies established within the EEA to Group Companies established outside the EEA. The objective is also to establish an internal control system containing legally binding data protection principles for how Personal Data shall be processed within Yara, in accordance with the EU Data Protection Directive 95/46/EC, and from 25 May 2018, the EU General Data Protection Regulation 2016/679 (GDPR).

This document is a public excerpt and summary of Yara’s Data Privacy Directive for Customer, Supplier and Business Partner Data and contains the material provisions and the data protection principles set out in Yara’s BCRs. It further explains Data Subjects’ rights and how to exercise those rights. For a full version of the Directive, please contact the Head of Data Privacy as set out in Article 23.

An overview of Group Companies bound by the BCR is available at the bottom of the page.

Capitalized terms have the meaning set out in Annex 1 (Definitions).

1.1 Scope
The Directive addresses the Processing of Personal Data of Customers, Suppliers and Business Partners by Yara or a Third Party on behalf of Yara. The Directive does not address the Processing of Personal Data relating to Employees by Yara.

1.2 Electronic and Paper-based Processing
The Directive applies to the Processing of Personal Data by electronic means and in systematically accessible paper-based filing systems.

1.3 Applicability of Local Law and Directive
Nothing in the Directive will be construed to take away any rights and remedies that Individuals may have under applicable local law. The Directive provides supplemental rights and remedies to Individuals only. Individuals shall benefit from the rights set out in the Directive and have the right to enforce those rights as set out in Article 17.

1.4 Sub-policies and Notices
Yara may supplement the Directive through sub-policies or notices that are consistent with the Directive.

1.5 Accountability
The Directive is binding on Yara. The Country Legal Responsible is accountable for his or her Group Companies’ compliance with the Directive. Staff must comply with the Directive.

1.6 Third party Beneficiary Rights
All Individuals shall benefit from the rights in this Directive relevant to them, and may enforce these rights by filing a complaint and claim damages in accordance with Articles 17 and 18.

1.7 Directive Supersedes Prior Policies
The Directive supersedes all Yara privacy policies and notices that exist on the Effective Date to the extent they are in contradiction with the Directive.

1.8 Implementation
This Directive shall be implemented in the Yara organization based on the timeframes specified in Article 21.

2.1 Legitimate Business Purposes
Personal Data shall only be collected, used or otherwise Processed for specified, explicit and legitimate purposes objectively justified by the activities of Yara (Business Purposes).

Yara's Processing of Personal Data includes but is not limited to Processing for the following Business Purposes:

(i) Development and improvement of products and/or services: this purpose includes Processing of Personal Data that is necessary for the development and improvement of Yara products and/or services, research and development;

(ii) Performance of Customer Services: this purpose addresses the Processing of Personal Data necessary for the performance of Customer Services;

(iii) Conclusion and execution of agreements with Customers, Suppliers and Business Partners: this purpose addresses the Processing of Personal Data necessary to conclude and execute agreements with Customers, Suppliers and Business Partners, including required screening activities (e.g., for access to Yara’s premises or systems) and to record and financially settle delivered services, products and materials to and from Yara;

(iv) Relationship management and marketing: this purpose addresses activities such as maintaining and promoting contact with Customers, Suppliers and Business Partners, account management, customer service, recalls, collection of Personal Data through Yara websites and the development, execution and analysis of market surveys and marketing strategies;

(v) Business process execution, internal management and management reporting: this purpose addresses activities such as managing company assets, ethics hotline/whistleblowing, conducting internal audits and investigations, integrity due diligence (IDD), capital value process (CVP), finance and accounting, implementing business controls, provision of central Processing facilities for efficiency purposes, managing mergers, acquisitions and divestitures, and management reporting and analysis;

(vi) Health, safety, security and integrity, including the safeguarding of the security and integrity of the business sector in which Yara operates: this purpose addresses activities such as those involving health and safety, the protection of Yara and Employee assets, and the authentication of Customer, Supplier or Business Partner status and access rights (such as required screening activities for access to Yara’s premises or systems); and

(vii) Compliance with legal obligations: this purpose addresses the Processing of Personal Data necessary for the performance of a task carried out to comply with a legal obligation to which Yara is subject.

2.2 Use of Data for Secondary Purposes

Generally, Personal Data shall be used only for the Business Purposes for which they were originally collected (Original Purpose). Personal Data may be Processed for a legitimate Business Purpose of Yara different from the Original Purpose (Secondary Purpose) only if the Original Purpose and Secondary Purpose are closely related. Depending on the sensitivity of the relevant Personal Data and whether use of the Data for the Secondary Purpose has potential negative consequences for the Individual, the secondary use may require additional measures such as:

(i) limiting access to the Data;
(ii) imposing additional confidentiality requirements;
(iii) taking additional security measures;
(iv) informing the Individual about the Secondary Purpose;
(v) providing an opt-out opportunity; or
(vi) obtaining an Individual’s Consent in accordance with Article 3.4.

2.3 Generally Permitted Uses of Data for Secondary Purposes
It is generally permissible to use Personal Data for the following Secondary Purposes provided appropriate additional measures are taken in accordance with Article 2.2:

(i) transfer of the Data to an Archive;
(ii) internal audits or investigations;
(iii) implementation of business controls;
(iv) IT systems and infrastructure related Processing such as for maintenance, support, life-cycle management and security (including resilience and incident management);
(v) statistical, historical or scientific research;
(vi) preparing for or engaging in dispute resolution;
(vii) legal or business consulting; or
(viii) insurance purposes.

2.4 Consultation
Where there is a question whether a Processing of Personal Data can be based on a Business Purpose or a Secondary Purpose listed above, it is necessary to seek the advice of the appropriate Regional Data Privacy Coordinator before the Processing takes place.

3.1 Legal Basis for Processing of Personal Data

Yara shall make sure that all Processing of Personal Data only takes place for legitimate Business Purposes and has legal basis.

Personal Data may be processed by Yara for legitimate Business Purposes on the following legal basis:

(i) the Individual has given his or her Consent. In order to rely on Consent, Yara must follow the procedure set forth in Article 3.4 below;
(ii) the Processing is necessary for the performance of an agreement between the Individual and Yara, or in order to take steps at the request of the Individual prior to entering into such an agreement;
(iii) the Processing is necessary for compliance with a legal obligation to which Yara is subject;
(iv) the Processing is necessary in order to protect the vital interests of the Individual or of another natural person;
(v) the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Yara; or
(vi) the Processing is necessary for legitimate Business Purposes pursued by Yara or by a Third Party to whom the Personal Data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the Individual.

3.2 Legal Basis for Processing of Sensitive Data

As a starting point Processing of Sensitive Data is prohibited. Yara can, however, for legitimate Business Purposes, Process Sensitive Data on the following legal basis:

(i) the Individual has given his or her explicit Consent. In order to rely on Consent, Yara must follow the procedure set forth in Article 3.4 below;
(ii) the Processing is necessary for the purposes of carrying out the obligations and specific rights of Yara in the field of employment, social security and social protection law in so far as it is authorized by applicable law providing for adequate safeguards;
(iii) the Processing is necessary to protect the vital interests of the Individual or of another person;
(iv) the Processing relates to Sensitive Data which are manifestly made public by the Individual;
(v) the Processing of Sensitive Data is necessary for the establishment, exercise or defense of legal claims (including for dispute resolution) or Processing is necessary for compliance with a legal obligation to which Yara is subject;
(vi) the Processing is necessary for the performance of a task for reasons of substantial public interest;
(vii) the Processing of Sensitive Data is required for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the Individual, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, and the Personal Data are Processed by a health professional subject to applicable law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy;
(viii) the Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health; or
(ix) the Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

3.3 Personal Data relating to criminal convictions and offences

Yara shall establish internal procedures for the Processing of Personal Data relating to criminal convictions and offences in compliance with applicable law.

3.4 Consent

If Consent is allowed or required under applicable law for Processing of Personal Data or Sensitive Data, the following conditions apply:
(i) When seeking Consent, Yara must inform the Individual of:
• the identity and contact details of the Group Company being the Controller for the Processing;
• the Business Purposes for which his or her Data are Processed;
• the categories of Third Parties to which the Data are disclosed (if any).
• other relevant information provided in Article 6.1, if necessary to ensure that the Individual’s Consent is informed.

(ii) Yara must be able to demonstrate that the Individual has consented to Processing of his or her Personal Data. This may be done by documenting the Consent via a written declaration. Where Processing is undertaken at the request of an Individual (e.g., he or she subscribes to a service or seeks a benefit), he or she is deemed to have provided Consent to the Processing.

If the Individual’s Consent is given in the context of a written declaration which also concerns other matters, the request for Consent shall, if applicable law so requires, be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

3.5 Denial or Withdrawal of Consent

The Individual may both deny Consent and withdraw Consent at any time. The withdrawal of Consent shall not affect the lawfulness of the Processing based on such Consent before its withdrawal.

Prior to giving Consent, the Individual shall be informed of its right to withdraw his or her Consent. It shall be as easy to withdraw as to give Consent.

3.6 Consultation

If it is doubtful whether Processing has legal basis in accordance with this Article 3 the appropriate Regional Data Privacy Coordinator shall be consulted before any Processing starts.

4.1 Categories of Personal Data

Yara's Processing includes but is not limited to the following categories of Personal Data:

(i) General contact information: this includes but is not limited to name, address, email address, phone number, picture and date of birth;
(ii) Sub-contractor's information: this includes but is not limited to name, address, email, address, phone number and picture;
(iii) IT-related information: this includes but is not limited to user profile/account information, electronic logs regarding a person's use of IT resources and information from Yara websites (cookie information); and
(iv) Information necessary to administer the Supplier/Customer/ Business Partner relationship: this includes but is not limited to information related to the use and purchase of Yara's products and services.

4.2 Categories of Sensitive Data

Yara's Processing includes but is not limited to the following categories of Sensitive Data:

(i) Racial or ethnic data: this includes but is not limited to photos and video images of Individuals which qualify as racial or ethnic data in certain countries;
(ii) Health data: this includes but is not limited to data relating to health and safety issues relating to Yara's products and services;
(iii) Religion or beliefs Personal Data: this includes but is not limited to data necessary to accommodate specific products or services (such as dietary requirements or religious holidays);
(iv) Biometric Personal Data (e.g., fingerprints): this includes but is not limited to data necessary for e.g., access control etc.

4.3 Categories of Personal Data relating to criminal convictions and offences

Yara’s Processing may include the following categories of Personal Data relating to criminal convictions and offences:

Criminal data: this includes but is not limited to data relating to criminal behavior, criminal records or proceedings regarding criminal or unlawful behavior, including but not limited to the Processing of such data in relation to ethics hotline/whistleblowing, integrity due diligence (IDD), capital value process (CVP) and required screening activities (e.g., for access to Yara’s premises or systems).

5.1 No Excessive Data

Yara shall restrict the Processing of Personal Data to Data that are reasonably adequate for and relevant to the applicable Business Purpose. Yara shall take reasonable steps to delete Personal Data that are not required for the applicable Business Purpose.

5.2 Storage Period

Yara generally shall retain Personal Data only for the period required to serve the applicable Business Purpose, to the extent reasonably necessary to comply with an applicable legal requirement or as advisable in light of an applicable statute of limitations. Yara may specify (e.g., in a sub-policy, notice or records retention schedule) a time period for which certain categories of Personal Data may be kept.

Promptly after the applicable storage period has ended, the Data shall be:

(i) securely deleted or destroyed;
(ii) anonymized; or
(iii) transferred to an Archive (unless this is prohibited by law or an applicable records retention schedule).

5.3 Quality of Data

Personal Data should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Business Purpose.

5.4 Accurate, Complete and Up-to-date Data

It is the responsibility of Individuals and Yara to ensure that Individuals’ Personal Data is accurate, complete and up-to-date. Individuals shall inform Yara regarding any changes to their Personal Data in accordance with Article 7.

6.1 Information Requirements where Personal Data are collected from the Individual

At the time when Personal Data are collected from the Individual, Yara shall inform Individuals e.g., through a published data privacy policy, or by other means about:

(i) the identity and the contact details of the Group Company being the Controller for the Processing;
(ii) contact information for sending enquiries or filing complaints;
(iii) the Business Purposes for which their Personal Data are Processed and the legal basis for the Processing;
(iv) which legitimate Business Purposes are pursued when the Processing is based on 3.1 (vi);
(v) the recipients or categories of recipients to which the Personal Data are disclosed (if any);
(vi) whether the recipient is located in a country outside the EEA and about the existence or absence of an Adequacy Decision. In the absence of an Adequacy Decision, a reference to the applicable transfer mechanism shall be provided, cf. Article 11.6.

In addition, when required by applicable law and if necessary to ensure fair and transparent Processing, Yara shall provide the Individual with the following further information:

(i) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
(ii) how Individuals can exercise their rights pursuant to Articles 3.5 and 7;
(iii) where the Processing is based on Consent, the existence of the right to withdraw Consent at any time as described in 3.5;
(iv) the right to lodge a complaint with a DPA;
(v) whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the Individual is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
(vi) the existence of automated decision-making, including profiling, referred to in Article 10 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Individual.

This Article 6.1 shall not apply where and insofar as the Individual already has the information.

6.2 Personal Data not Obtained from the Individual

Where the Personal Data have not been collected from the Individual, Yara shall inform Individuals e.g., through a published data privacy policy, or by other means about:

(i) the identity and the contact details of the Group Company being the Controller for the Processing;
(ii) contact information for sending enquiries or filing complaints;
(iii) the Business Purposes for which their Personal Data are Processed and the legal basis for the Processing;
(iv) the categories of Personal Data concerned;
(v) the recipients or categories of recipients of the Personal Data (if any);
(vi) whether the recipient is located in a country outside the EEA and about the existence or absence of an Adequacy Decision. In the absence of an Adequacy Decision, a reference to the applicable transfer mechanism shall be provided, cf. Article 11.6.

In addition, when necessary to ensure fair and transparent Processing, Yara shall provide the Individual with the following further information:

(i) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
(ii) which legitimate Business Purposes are pursued when the Processing is based on Article 3.1 (vi);
(iii) the existence of the right to request from Yara, access to and rectification or erasure of Personal Data or restriction of Processing concerning the Individual or to object to Processing as well as the right to data portability;
(iv) where Processing is based on Consent, the existence of the right to withdraw Consent at any time as described in 3.5;
(v) the right to lodge a complaint with a DPA;
(vi) from which source the Personal Data originate, and if applicable, whether it came from publicly accessible sources;
(vii) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Individual.

Yara shall provide the Individual with the information set out in this Article 6.2:
(i) within a reasonable time after obtaining the Personal Data, at the latest within one month from obtaining the Personal Data;
(ii) if the Personal Data are used for communication with the Individual, at the latest at the time of the first communication to the Individual;
(iii) if a disclosure to another recipient is envisaged, at the latest when the Personal Data are first disclosed.

This Article 6.2 shall not apply where:

(i) the Individual already has the information;
(ii) providing such information proves impossible or would involve a disproportionate effort;
(iii) obtaining or disclosure is expressly laid down by applicable law and which provides appropriate measures to protect the Individual's legitimate interests; or
(iv) where the Personal Data must remain confidential subject to an obligation of professional secrecy regulated by applicable law, including a statutory obligation of secrecy.

6.3 Information related to use for Secondary Purposes

Where Yara intends to further Process the Personal Data for a Secondary Purpose, Yara shall, if applicable law so requires, provide the Individual prior to the further Processing with information on the Secondary Purpose and any relevant information as set out in Article 6.1.

7.1 Right of Access

Every Individual has the right to know whether or not Personal Data concerning him or her are being Processed by Yara, and where that is the case, access to the Personal Data and the following information:

(i) for which purpose(s) the Personal Data are Processed;
(ii) the categories of the Personal Data concerned;
(iii) the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organizations;
(iv) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
(v) the existence of the right to request from Yara rectification or erasure of Personal Data, or restriction of Processing concerning the Individual or to object to such Processing;
(vi) the right to lodge a complaint with a supervisory authority;
(vii) where the Personal Data are not collected from the Individual, any available information as to their source;
(viii) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Individual;
(ix) where the Personal Data are transferred to a third country, information about the appropriate safeguards relating to the transfer.

The Individual shall upon a request for access be provided with a copy of the Personal Data Processed. For any further copies requested by the Individual, Yara may charge a reasonable fee based on administrative costs.

The right to obtain a copy shall not adversely affect the rights and freedoms of others, cf. the GDPR article 15(4). The right to obtain a copy may be restricted under applicable law pursuant to GDPR article 23.

7.2 Right to Rectification

An Individual shall have the right to obtain from Yara without undue delay the rectification of inaccurate Personal Data concerning him or her. Taking into account the purposes of the Processing, the Individual shall also have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

7.3 Right to Erasure

The Individual may request from Yara the erasure of Personal Data concerning him or her. Yara shall erase Personal Data without undue delay where one of the following grounds applies:

(i) the Personal Data are no longer necessary in relation to the Business Purposes for which they were collected or otherwise Processed;
(ii) the Individual withdraws Consent on which the Processing is based and where there is no other legal basis? for the Processing;
(iii) the Individual objects to the Processing in accordance with Article 7.5 and there are no Overriding Interests for the Processing, cf. Article 12;
(iv) the Personal Data have been unlawfully Processed;
(v) the Personal Data have to be erased for compliance with a legal obligation in applicable law to which the Controller is subject;
(vi) the Personal Data have been collected in relation to the offer of information society services referred to in the GDPR article 8(1).

Where Yara has made the Personal Data public and is obliged to erase such Data, Yara, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other Controllers which are Processing the Personal Data that the Individual has requested the erasure by such Controllers of any links to, or copy or replication of, those Personal Data.

This Article 7.3 shall not apply to the extent that Processing is necessary:

(i) for exercising the right of freedom of expression and information;
(ii) for compliance with a legal obligation set out in applicable law to which the Controller is subject, and which requires Processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
(iii) for reasons of public interest in the area of public health in accordance with GDPR article 9(2) and (3);
(iv) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the GDPR article 89(1) in so far as the right referred to in the first paragraph of this Article 7.3 is likely to render impossible or seriously impair the achievement of the objectives of that Processing; or
(v) for the establishment, exercise or defence of legal claims.

7.4 Right to Restrict Processing

The Individual has the right to obtain from Yara restriction of Processing where one of the following applies:

(i) the accuracy of the Personal Data is contested by the Individual, for a period enabling Yara to verify the accuracy of the Personal Data;
(ii) the Processing is unlawful and the Individual opposes the erasure of the Personal Data and requests the restriction of their use instead;
(iii) Yara no longer needs the Personal Data for the purposes of the Processing, but the Data are required by the Individual for the establishment, exercise or defence of legal claims;
(iv) the Individual has objected to Processing pursuant to the GDPR article 21(1), cf. Article 7.5 of this Directive, pending the verification whether the legitimate grounds of the Controller override those of the Individual (cf. Article 12).

Where Processing has been restricted subject to the above, such Personal Data shall, with the exception of storage, only be Processed with the Individual's Consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

Yara shall inform an Individual who has obtained restriction of Processing pursuant to the above before the restriction of Processing is lifted.

7.5 Right to Object

An Individual has the right to object, on grounds relating to his or her particular situation, at any time to Processing of Personal Data concerning him or her which is based on Article 3.1 (v) or (vi), including profiling based on those Articles.

Yara shall no longer Process the Personal Data unless it can demonstrate Overriding Interests in accordance with Article 12 or if it is necessary for the establishment, exercise or defence of legal claims.

Where Personal Data are Processed for direct marketing, the Individual shall have the right to object at any time to Processing as set out in Article 9 of this Directive. If an Individual objects to Processing for direct marketing purposes, the Personal Data shall no longer be Processed for such purposes.

In the context of the use of information society services (as defined in the GDPR article 4(25)), the Individual may exercise his or her right to object by automated means using technical specifications.

Where Personal Data are Processed for scientific or historical research purposes or statistical purposes pursuant to the GDPR article 89(1), the Individual, on grounds relating to his or her particular situation, shall have the right to object to Processing of Personal Data concerning him or her, unless the Processing is necessary for the performance of a task carried out for reasons of public interest.

7.6 Right to Data Portability

An Individual may request from Yara to receive the Personal Data concerning him or her, which he or she has provided to Yara, in a structured, commonly used and machine-readable format and have the right to transmit those Data to another Controller without hindrance from Yara, where:

(i) the Processing is based on Consent or on a contract pursuant to point (ii) of Article 3.1; and
(ii) the Processing is carried out by automated means.

If technically feasible, Yara shall transmit the Personal Data directly to the other Controller.

The right referred to in this Article shall not adversely affect the rights and freedoms of other Individuals.

7.7 Procedure

The Individual should send his or her request to the contact person or contact point indicated in the relevant privacy policy or online portal made available by Yara. If no contact person or contact point is indicated, the Individual may send his or her request through dataprivacy@yara.com.

Yara may fulfill the Individual's rights by providing self service solutions which, e.g. allows the Individual to access, update, correct, delete and otherwise manage his or her Personal Data.

Prior to fulfilling the request of the Individual, Yara may require the Individual to:
(i) specify the categories of Personal Data to which he or she is seeking access;
(ii) specify, to the extent reasonably possible, the data system in which the Data are likely to be stored;
(iii) specify the circumstances in which Yara obtained the Personal Data;
(iv) show proof of his or her identity; and
(v) in the case of a request for rectification, deletion or blockage, specify the reasons why the Personal Data are incorrect, incomplete or not Processed in accordance with applicable law or the Directive.

7.8 Response Period

Within four weeks of receiving the request, Yara shall inform the Individual in writing or electronically either (i) of Yara's position with regard to the request and any action Yara has taken or will take in response, or (ii) the ultimate date on which he or she will be informed of Yara's position. Provided that the requirements relating to requests in Article 7.7 have been fulfilled, such ultimate date shall be no later than eight weeks after the communication was sent to the Individual.

7.9 Complaint

An Individual may file a complaint in accordance with Article 17 if:

(i) the response to the request is unsatisfactory to the Individual (e.g., the request is denied);
(ii) the Individual has not received a response as required by Article 7.8; or
(iii) the time period provided to the Individual in accordance with Article 7.8 is, in light of the relevant circumstances, unreasonably long and the Individual has objected but has not been provided with a shorter, more reasonable time period, in which he or she will receive a response.

7.10 Denial of Requests

Yara may deny an Individual’s request if:
(i) the request does not meet the requirements of the above Articles 7.1- 7.7;
(ii) the request is not sufficiently specific;
(iii) the identity of the relevant Individual cannot be established by reasonable means; or
(iv) the request is made within an unreasonable time interval of a prior request or otherwise constitutes an abuse of rights. A time interval between requests of six months or less shall generally be deemed to be an unreasonable time interval.

8.1 Data Security

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of Individuals posed by the Processing, Yara shall take appropriate commercially reasonable technical, physical and organizational measures to protect Personal Data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition or access.

Yara has developed and implemented the Yara IT Operating Standards and other policies and procedures relating to the protection of Personal Data.

8.2 Staff Access

Yara shall provide Staff with access to Personal Data only to the extent necessary to serve the applicable Business Purpose and to perform their job.

8.3 Confidentiality Obligations

Yara shall impose confidentiality obligations on Staff with access to Personal Data.

8.4 Data Security Breach Notification to Data Protection Authorities

If a Data Security Breach has occurred or is suspected to have occurred, the person who has become aware of or suspects the Data Security Breach, shall immediately notify the Head of Data Privacy or the appropriate Regional Data Privacy Coordinator who shall forward the notification to the Head of Data Privacy.

Yara shall follow internal procedures and applicable data protection law for handling such suspected or actual Data Security Breaches in an appropriate and timely manner and notify the competent Data Protection Authority when required.

Yara shall document any Data Security Breaches, comprising the facts relating to the Data Security Breach, its effects and the remedial action taken. That documentation shall be available to the competent Data Protection Authority upon request.

8.5 Data Security Breach Notification to Individuals

If required under applicable law, Yara shall notify the Individual of a Data Security Breach without undue delay following discovery of such breach, if the Data Security Breach is likely to result in a high risk to the rights and freedoms of the Individual. This applies unless one or more of the following conditions are met:

(i) Yara has implemented and applied appropriate technical and organizational protection measures (such as encryption) to the Personal Data affected by the Data Security Breach;
(ii) Yara has taken subsequent measures which ensure that the high risk to the rights and freedoms of Individuals is no longer likely to materialize; or
(iii) Notifying the Individual would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby Individuals are informed in an equally effective manner.

The Data Security Breach notification to the Individuals shall describe in clear and plain language the nature of the Data Security Breach and shall at least contain the information and measures required according to the GDPR.

9.1 Direct Marketing

This Article sets forth requirements concerning the Processing of Personal Data for direct marketing purposes (e.g., contacting the Individual by email, fax, phone, SMS or otherwise, with a view of solicitation for commercial or charitable purposes).

9.2 Consent for Direct Marketing (opt-in)

If applicable law so requires, Yara shall only send to Individuals unsolicited commercial communication by fax, email, SMS and MMS with the prior Consent of the Individual ("opt-in"). If applicable law does not require prior Consent of the Individual, Yara shall in any event offer the Individual the opportunity to opt-out of such unsolicited commercial communication.

9.3 Exception

Prior Consent of the Individual for sending unsolicited commercial communication by fax, email, SMS and MMS is not required if:

(i) an Individual has provided his or her electronic contact details to a Group Company in the context of a sale of a product or service of such Group Company; and
(ii) such contact details are used for direct marketing of such Group Company's own similar products or services; and
(iii) the Individual clearly and distinctly has been given the opportunity to object free of charge, and in an easy manner, to such use of his or her electronic contact details when they are collected by the Group Company (“opt-out").

9.4 Information to be Provided in Each Communication

In every direct marketing communication that is made to the Individual, the Individual shall be offered the opportunity to opt-out of further direct marketing communications.

9.5 Objection to Direct Marketing

If an Individual objects to receiving marketing communications from Yara, or withdraws his or her Consent to receive such communications, Yara will take steps to refrain from sending further marketing communications as specifically requested by the Individual. Yara will do so within the time period required by applicable law.

9.6 Third Parties and Direct Marketing

No Personal Data shall be provided to, or used on behalf of, Third Parties for the Third Parties’ own direct marketing purposes without the prior Consent of the Individual.

9.7 Personal Data of Children

Yara shall not use any Personal Data of Children for direct marketing, without the prior Consent of their parent or custodian.

9.8 Direct Marketing Records

Yara shall keep a record of Individuals that used their "opt-in" or "opt-out" right and will regularly check the public opt-out registers in accordance with applicable law.

10.1 Automated Decisions, including Profiling

Individuals shall have the right not to be subject to a decision based solely on automated Processing, including profiling, if it produces legal effects for the Individual or similarly affects the Individual. This restriction does not apply if the decision:

(i) is necessary for entering into, or performance of, a contract between the Individual and Yara;
(ii) is authorized by applicable law and which also lays down suitable measures to safeguard the Individual's rights and freedoms and legitimate interests; or
(iii) is based on the Individual's explicit Consent.

In the cases referred to in (i) and (iii) above, Yara shall implement suitable measures to safeguard the Individual's rights and freedoms and legitimate interests, at least the right to obtain human intervention, to express his or her point of view and to contest the decision.

Decisions referred to in (i)-(iii) above shall not be based on Sensitive Data, unless Article 3.2 (i) or 3.2 (vi) applies and suitable measures to safeguard the Individual's rights and freedoms and legitimate interest are in place.

11.1 Transfer to Third Parties

This Article sets forth requirements concerning the transfer of Personal Data from Yara to a Third Party. Note that a transfer of Personal Data includes situations in which Yara discloses Personal Data to Third Parties (e.g., in the context of corporate due diligence) or where Yara provides remote access to Personal Data to a Third Party.

11.2 Third Party Controllers and Third Party Processors

There are two categories of Third Parties:

(i) Third Party Processors: these are Third Parties that Process Personal Data solely on behalf of Yara and at its direction (e.g., Third Parties that Process online registrations made by Customers);
(ii) Third Party Controllers: these are Third Parties that Process Personal Data and determine the purposes and means of the Processing (e.g., Yara Business Partners that provide their own goods or services directly to Customers).

11.3 Transfer for Applicable Business Purposes Only

Yara shall transfer Personal Data to a Third Party to the extent necessary to serve the applicable Business Purpose (including Secondary Purposes as per Article 2 or purposes for which the Individual has provided Consent in accordance with Article 3.4).
11.4 Third Party Controller Contracts

Third Party Controllers (other than government agencies) may Process Personal Data transferred by Yara only if they have a written or electronic contract with Yara. In the contract, Yara shall seek to contractually safeguard the data protection interests of its Individuals when Personal Data is Processed by Third Party Controllers. Individual Business Contact Data may be transferred to a Third Party Controller without a contract if it is reasonably expected that such Business Contact Data will be used by the Third Party Controller to contact the Individual for legitimate Business Purposes related to the Individual's job responsibilities.

11.5 Third Party Processor Contracts

Third Party Processors may Process Personal Data transferred by Yara only if they have a written or electronic contract with Yara (Data Processing Agreement). The contract with a Third Party Processor must include the following provisions:

(i) the Third Party Processor shall Process Personal Data only in accordance with Yara's instructions and for the purposes authorized by Yara;
(ii) the Third Party Processor shall keep the Personal Data confidential;
(iii) the Third Party Processor shall take appropriate technical, physical and organizational security measures to protect the Personal Data;
(iv) the Third Party Processor shall not permit subcontractors to Process Personal Data in connection with its obligations to Yara without the prior written Consent of Yara;
(v) Yara has the right to review the security measures taken by the Third Party Processor (a) by an obligation of the Third Party Processor to submit its relevant data Processing facilities to audits and inspections by Yara, a Third Party on behalf of Yara or any relevant government authority; or (b) by means of a statement issued by a qualified independent Third Party assessor on behalf of the Third Party Processor certifying that the data Processing facilities of the Third Party Processor used for the Processing of the Personal Data comply with the requirements of the Data Processing Agreement;
(vi) the Third Party Processor shall promptly inform Yara of any actual or suspected Data Security Breach involving Personal Data; and
(vii) the Third Party Processor shall take adequate remedial measures as soon as possible and shall promptly provide Yara with all relevant information and assistance as requested by Yara regarding the Data Security Breach.

11.6 Transfer of Data to Third Parties Located Outside the EEA that are not Covered by Adequacy Decisions

This Article sets forth additional rules for Personal Data that is (a) collected originally in connection with activities of a Group Company located in the EEA; and (b) transferred to a Third Party located in a country, territory or sector outside the EEA that is not covered by an Adequacy Decision. Personal Data may be transferred to such Third Party if there is a legal basis for the transfer in accordance with the GDPR Chapter V, such as one of the following alternatives:

(i) the Third Party has implemented Binding Corporate Rules or a similar transfer mechanism that provides appropriate safeguards under applicable law;
(ii) Yara and the Third Party have provided appropriate safeguards by entering into EU Standard Contractual Clauses (model contract);
(iii) Yara and the Third Party have provided appropriate safeguards by entering into Standard Data Protection Clauses adopted by the EU Commission or a DPA;
(iv) the Third Party has been certified under the EU-US Privacy Shield or any other similar program that is covered by an Adequacy Decision; or
(v) an approved code of conduct or an approved certification mechanism pursuant to Article 46(1)(e) and (f) of the General Data Protection Regulation (GDPR) are provided for.

In specific situations where a transfer cannot be based on (i) to (v) above, transfer may take place on one or more of the following conditions:

(vi) the transfer is necessary for the performance of a contract between Yara and the Individual or to take necessary steps at the request of the Individual prior to entering into a contract, e.g., for Processing orders;
(vii) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Individual between Yara and a Third Party (e.g., in case of recalls);
(viii) the transfer is necessary for important reasons of public interest;
(ix) the transfer is necessary for the establishment, exercise or defense of a legal claim;
(x) the transfer is necessary to protect a vital interest of the Individual; or
(xi) the transfer is required by any law to which the relevant Group Company is subject.

Items (vii) and (x) above require the prior approval of the Head of Data Privacy.

11.7 Consent for Transfer

If none of the grounds listed in Article 11.6 exist or if applicable local law so requires Yara shall (also) seek the explicit Consent from the Individual for the transfer to a Third Party located in a country outside the EEA that is not covered by an Adequacy Decision.

Prior to requesting Consent, the Individual shall be informed of the possible risks of the transfer due to the absence of an Adequacy Decision and appropriate safeguards. When requesting Consent, the procedure set out in Article 3.4 shall be followed. The requirements set out in Article 3.5 apply to the granting, denial or withdrawal of Individual Consent.

11.8 Transfers Between Group Companies Located in Countries not Covered by an Adequacy Decision

This Article sets forth additional rules for transfers of Personal Data that were collected in connection with the activities of a Group Company located in a country outside the EEA that is not covered by an Adequacy Decision to a Third Party also located in a country outside the EEA that is not covered by an Adequacy Decision. In addition to the grounds listed in Article 11.6, these transfers are permitted if they are:

(i) necessary for compliance with a legal obligation to which the relevant Group Company is subject;
(ii) necessary to serve the public interest; or
(iii) necessary to satisfy a Business Purpose of Yara.

12.1 Overriding Interests

Some of the obligations of Yara or rights of Individuals as specified in Articles 12.2 and 12.3 may be overridden if, under the specific circumstances at issue, a pressing need exists that outweighs the interest of the Individual (Overriding Interest). An Overriding Interest exists if there is a need to:

(i) Protect the legitimate business interests of Yara including

(a) the health, security or safety of Employees or Individuals;
(b) Yara's intellectual property rights, trade secrets or reputation;
(c) the continuity of Yara's business operations;
(d) the preservation of confidentiality in a proposed sale, merger or acquisition of a business; or
(e) the involvement of trusted advisors or consultants for business, legal, tax, or insurance purposes;

(ii) Prevent or investigate (including cooperating with law enforcement) suspected or actual violations of law; or
(iii) Otherwise protect or defend the rights or freedoms of Yara, its Employees or other persons.

12.2 Exceptions in the Event of Overriding Interests

If an Overriding Interest exists, one or more of the following obligations of Yara or rights of the Individual may be set aside:

(i) Article 2.2 (the requirement to Process Personal Data for closely related purposes);
(ii) Article 6.1 and 6.2 (information provided to Individuals, Personal Data not obtained from the Individuals);
(iii) Article 7 (rights of Individuals);
(iv) Articles 8.2 and 8.3 (Staff access limitations and confidentiality requirements); and
(v) Articles 11.5 and 11.6 (ii) (contracts with Third Parties).

12.3 Sensitive Data

The requirements of Article 3.2 (Sensitive Data) may be set aside only for the Overriding Interests listed in Article 12.1 (i) (a), (b), (c) and (e), (ii) and (iii).

12.4 Consultation with Head of Data Privacy

Setting aside obligations of Yara or rights of Individuals based on an Overriding Interest requires prior consultation of the Head of Data Privacy. The Head of Data Privacy shall document his or her advice.

12.5 Information to Individual

Upon request of the Individual, Yara shall inform the Individual of the Overriding Interest for which obligations of Yara or rights of the Individual have been set aside, unless the particular Overriding Interest sets aside the requirements of Articles 6.1 or 7.1, in which case the request shall be denied.

13.1 Head of Data Privacy

Yara International ASA shall appoint a Head of Data Privacy who shall, inter alia, inform and advise Yara of its obligations pursuant to the Directive and monitor compliance with the Directive in Yara, including the assignment of responsibilities, awareness-raising and training of Staff involved in Processing operations, complaint handling and audits.

13.2 Regional Data Privacy Coordinator

The Head of Data Privacy shall appoint Regional Data Privacy Coordinators who shall, inter alia, inform and advise the Group Companies within a defined region of their obligations pursuant to the Directive and monitor compliance with the Directive in the defined region, including handling Individuals’ requests and complaints as described in Article 7.

14.1 Policies and Procedures

Yara shall develop and implement sub-policies and procedures to comply with the Directive.

14.2 System information

Yara shall maintain information regarding the structure and functioning of systems and processes that Process Personal Data.

15.1 Staff Training

Yara shall provide training on the obligations and principles laid down in the Directive, related confidentiality and other privacy and data security obligations to Staff members who have access to or responsibilities associated with managing Personal Data.

16.1 Audits

Yara shall regularly carry out internal audits related to compliance with the Directive as set forth in the corporate audit programme. Upon specific request, a copy of the data privacy audit results will be provided by the Head of Data Privacy to the Norwegian Data Protection Authority and a Data Protection Authority competent to audit, according to Yara internal procedures.

16.2 Mitigation

Yara shall, if so indicated, ensure that adequate steps are taken to address breaches of the Directive identified during the monitoring and auditing of compliance.

17.1 Filing a Complaint

Individuals may file a complaint regarding compliance with the Directive or violations of their rights under applicable local law to the contact person or contact point indicated in the relevant privacy policy. If no contact person or contact point is indicated, the Individual may file his or her complaint through dataprivacy@yara.com.

17.2 Reply to Individuals

Within four weeks of Yara receiving a complaint, Yara shall inform the Individual in writing or electronically either (i) of Yara’s position with regard to the complaint and any action Yara has taken or will take in response or (ii) the ultimate date on which he or she will be informed of Yara's position. Provided that Yara has all relevant information to handle the complaint, cf. Article 7.7, such ultimate date shall be no later than eight weeks after the communication was sent to the Individual.

18.1 Complaints Procedure

Individuals are encouraged to first follow the complaints procedure set forth in Article 17 of the Directive before filing any complaint or claim with the competent DPAs or the courts.

18.2 Local Law and Jurisdiction

The rights contained in this Article are in addition to, and shall not prejudice, any other rights or remedies that an Individual may otherwise have by law.

In case of a violation of the Directive, the Individual may, at his or her choice, submit a complaint or a claim to the DPA or the courts:

(i) in the EEA country at the origin of the Personal Data transfer, against the Group Company in such country of origin responsible for the relevant data transfer;
(ii) in Norway, against Yara International ASA; or
(iii) in the EEA country where the Individual resides or has its place of work, against the Group company being the Controller of the relevant Personal Data.

The DPAs and courts shall apply their own substantive and procedural laws to the dispute. Any choice made by the Individual will not prejudice the substantive or procedural rights he or she may have under applicable law.

18.3 Liability

Yara International ASA is responsible for and agrees to take the necessary action to remedy the acts of Group Companies established outside the EEA and to pay compensation in accordance with applicable EU/EEA law, for any damages resulting from the violation of the Directive by Group Companies established outside the EEA.

18.4 Right to Claim Damages and Burden of Proof

In case an Individual brings a claim for damages under Article 18.3, such Individual shall be entitled to compensation of damages to the extent provided by applicable EU/EEA law, provided that he or she has suffered actual damages and can establish facts which show that it is plausible that the damage has occurred because of a violation of the Directive.

To the extent permitted by applicable law, the compensation shall be limited to direct damages which exclude, without limitation, lost profits or revenue, lost turnover, cost of capital and downtime cost. It will subsequently be for Yara International ASA to prove that the damages suffered by the Individual due to a violation of the Directive are not attributable to any Group Company established outside the EEA in order to avoid liability.

18.5 Mutual Assistance and Redress

All Group Companies shall co-operate and assist each other to the extent reasonably possible to handle:

(i) a request, complaint or claim made by an Individual; or
(ii) a lawful audit, investigation or inquiry by a competent government authority.

The Group Company which receives a request, complaint or claim from an Individual is responsible for handling any communication with the Individual regarding his or her request, complaint or claim except where circumstances dictate otherwise.

The Group Company that is responsible for the Processing to which the request, complaint or claim relates, shall bear all costs involved and reimburse Yara International ASA.

18.6 Advice of the Lead DPA

Yara shall abide by the advice of the Norwegian Data Protection Authority issued on the interpretation and application of the Directive, and further abide by binding decisions of DPAs competent pursuant to Article 18.2. DPAs competent pursuant to Article 18.2 may conduct audits in order to ascertain Yara's compliance with the Directive.

18.7 Mitigation

Yara International ASA shall ensure that adequate steps are taken to address violations of the Directive by a Group Company.

18.8 Law Applicable to the Directive

The Directive shall be governed by and interpreted in accordance with Norwegian law.

Yara shall notify the Norwegian Data Protection Authority if a legal requirement a Group Company is subject to outside the EEA is likely to have a substantial adverse effect on the guarantees provided by the Directive.

The requirement to notify the Norwegian Data protection Authority applies also to any legally binding request for disclosure of Personal Data by a law enforcement authority or a state security body outside the EEA.

If such notification is prohibited, e.g. due to a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, Yara shall use its best efforts to obtain the right to waive the prohibition in order to communicate as much information as it can and as soon as possible.

If Yara is not able to notify the competent Data Protection Authority, despite using best efforts, Yara shall annually provide general information on the requests it received to the Norwegian Data Protection Authority, including the number of applications for disclosure, type of data requested and requesting entity if possible.

20.1 Changes without Consent

The Directive may be changed by Yara International ASA without an Individual's Consent even though an amendment may relate to a benefit conferred on Individuals.

20.2 Effective Date of Amendments

Any amendment shall enter into force and take immediate effect after it has been approved in accordance with the procedure for updating the BCRs and once it has been published on the Yara company website in this public version of the Directive and the Yara Intranet (Pulse).

20.3 Governance of Inquiries

Any request, complaint or claim of an Individual involving the Directive shall be judged against the version of the Directive as it is in force at the time the request, complaint or claim is made.

21.1 General Transition Period

Except as indicated below, there shall be a two-year transition period for compliance with the Directive. Accordingly, except as otherwise indicated, within two years of the Effective Date, all Processing of Personal Data shall be undertaken in compliance with the Directive. During the transition period, any transfer of Personal Data to a Group Company under the Directive as a transfer mechanism may only take place to the extent that the Group Company receiving such Personal Data is:

(i) compliant with the Directive, or
(ii) there is a legal basis for the transfer in accordance with the GDPR Chapter V.

21.2 Transition Period for New Group Companies

Any entity that becomes a Group Company after the Effective Date shall comply with the Directive within two years of becoming a Group Company.

21.3 Transition Period for Divested Entities

A Divested Entity may remain covered by the Directive after its divestment for such period as may be required by Yara to disentangle the Processing of Personal Data relating to such Divested Entity.

21.4 Transition Period for IT Systems

Where implementation of the Directive requires updates or changes to information technology systems (including replacement of systems), the transition period shall be three years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.

21.5 Transition Period for Existing Agreements

Where there are existing agreements with Third Parties that are affected by the Directive, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business.

21.6 Transitional Period for Local-for-local Systems

Processing of Personal Data that were collected in connection with activities of a Group Company located in a country outside the EEA that is not covered by an Adequacy Decision shall be brought into compliance with the Directive within five years of the Effective Date.

21.7 Effective Date

The Directive was adopted for the first time by the Head of Legal of Yara International ASA on November 16th 2017 (Effective Date).

The Head of Data Privacy may be contacted through e-mail to dataprivacy@yara.com or by sending a mail to:

Head of Data Privacy
c/o Yara International ASA
Drammensveien 131
0277 Oslo
Norway
Tel: +47 2415 7000

Adequacy Decision

ADEQUACY DECISION shall mean a decision issued by the European Commission under Article 45 of the EU General Data Protection Regulation that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of data protection.

Archive

ARCHIVE shall mean a collection of Personal Data that are no longer necessary to achieve the purposes for which the Personal Data originally were collected or that are no longer used for general business activities, but are used only for historical, scientific or statistical purposes, dispute resolution, investigations or general archiving purposes. An Archive includes any data set that can no longer be accessed by any Staff other than the system administrator.

Article

ARTICLE shall mean an article in the Directive.

Binding Corporate Rules

BINDING CORPORATE RULES shall mean Personal Data protection policies according to the General Data Protection Regulation Article 47 which are adhered to by a Controller or Processor established on the territory of a EEA member state for transfers or a set of transfers of Personal Data to a Controller or Processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

Business Contact Data

BUSINESS CONTACT DATA shall mean any data typically found on a business card and used by the Individual in his or her contact with Yara.

Business Partner

BUSINESS PARTNER shall mean any Third Party, other than a Customer or Supplier, that has or has had a business relationship or strategic alliance with Yara (e.g., joint marketing partner, joint venture or joint development partner).

Business Purpose

BUSINESS PURPOSE shall mean a purpose for Processing Personal Data and Sensitive Data as specified in Article 2.

Children

CHILDREN shall mean Individuals under the age of thirteen (13) years.

Consent

CONSENT shall mean any freely given, specific, informed and unambiguous indication of the Individual’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Controller

CONTROLLER shall mean the Group Company which alone or jointly with others determines the purposes and means of the Processing of Personal Data.

Country Legal Responsible

COUNTRY LEGAL RESPONSIBLE (CLR) shall mean the formal legal responsible for the Yara legal entities within a country, as described in the functional description in the Yara steering system: “Country Legal Responsible- Role responsibilities and mandate”.

Customer

CUSTOMER shall mean any Third Party that purchases, may purchase or has purchased a Yara product or service.

Customer Services

CUSTOMER SERVICES shall mean the services provided by Yara to Customers to support Yara products and services offered to or in use with their employees or customers. These services may include maintenance, upgrade, replacement, inspection and related support activities aimed at facilitating continued and sustained use of Yara products and services.

Data Privacy Coordinator

DATA PRIVACY COORDINATOR shall mean a Regional Data Privacy Coordinator referred to in Article 13.2.

Data Processing Agreement

DATA PROCESSING AGREEMENT shall mean the contract referred to in Article 11.5.

Data Protection Authority or DPA

DATA PROTECTION AUTHORITY or DPA shall mean any data protection authority of one of the countries of the EEA.

Data Security Breach

DATA SECURITY BREACH shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Directive

DIRECTIVE shall mean the full version of the Data Privacy Directive for Customer, Supplier and Business Partner Data.

Divested Entity

DIVESTED ENTITY shall mean the divestment by Yara of a Group Company or business by means of:

(i) a sale of shares that result in the divested Group company no longer qualifying as a Group Company; and/or
(ii) a demerger, sale of assets, or any other manner or form.

EEA

EEA or EUROPEAN ECONOMIC AREA shall mean all Member States of the European Union, plus Norway, Iceland and Liechtenstein.

Effective Date

EFFECTIVE DATE shall mean the date on which the Directive originally became effective as set forth in Article 21.7.

Employee

EMPLOYEE shall mean the following persons:

(i) an employee, job applicant or former employee of Yara. This term does not include people working at Yara as consultants or employees of Third Parties providing services to Yara; or
(ii) a (former) executive or non-executive director of Yara or (former) member of the supervisory board or similar body to Yara.

General Data Protection Regulation (GDPR)

GENERAL DATA PROTECTION REGULATION shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

Group Company

GROUP COMPANY shall mean Yara International ASA and all subsidiaries bound by the BCR. This includes any directly or indirectly wholly owned subsidiary of Yara International ASA and other subsidiaries as listed in the document “Overview of Group Companies bound by BCR”, which is available on this page.

Head of Data Privacy

HEAD OF DATA PRIVACY shall mean the Head of Data Privacy as referred to in Article 13.1.

Head of Legal

HEAD OF LEGAL shall mean the Head of Legal of Yara International ASA.

Individual

INDIVIDUAL shall mean any (employee of or any person working for) Customer, Supplier or Business Partner.

Original Purpose

ORIGINAL PURPOSE shall mean the purpose for which Personal Data was originally collected.

Overriding Interest

OVERRIDING INTEREST shall mean the pressing interests set forth in Article 12.1 based on which the obligations of Yara or rights of Individuals set forth in Articles 12.2 and 12.3 may, under specific circumstances, be overridden if this pressing interest outweighs the interest of the Individual.

Personal Data or Data

PERSONAL DATA shall mean any information relating to an identified or identifiable Individual.

Processing

PROCESSING shall mean any operation that is performed on Personal Data, whether or not by automatic means, such as collection, recording, storage, organization, alteration, use, disclosure (including the granting of remote access), transmission or deletion of Personal Data.

Secondary Purpose

SECONDARY PURPOSE shall mean any purpose other than the Original Purpose for which Personal Data is further Processed.

Sensitive Data

SENSITIVE DATA shall mean Personal Data revealing an Individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for uniquely identifying an Individual), health, sex life or sexual orientation

Staff

STAFF shall mean all Employees and other persons who Process Personal Data as part of their respective duties or responsibilities as Employees or individuals under the direct authority of Yara using Yara information technology systems or working primarily from Yara's premises.

Supplier

SUPPLIER shall mean any Third Party that provides goods or services to Yara (e.g., an agent, consultant or vendor).

Third Party

THIRD PARTY shall mean any person, private organization, entity or government body outside Yara.

Third Party Controller

THIRD PARTY CONTROLLER shall mean a Third Party that Processes Personal Data and determines the purposes and means of the Processing.

Third Party Processor

THIRD PARTY PROCESSOR shall mean a Third Party that Processes Personal Data on behalf of Yara that is not under the direct authority of Yara.

Yara

YARA shall mean Yara International ASA and its Group Companies.

Yara International ASA

YARA INTERNATIONAL ASA shall mean Yara International ASA, having its registered seat in Norway.

Interpretation of the directive:

(i) Unless the context requires otherwise, all references to a particular Article or Annex are references to that Article or Annex in or to this document, as they may be amended from time to time;
(ii) headings are included for convenience only and are not to be used in construing any provision of the Directive;
(iii) if a word or phrase is defined, its other grammatical forms have a corresponding meaning;
(iv) the words "include", "includes" and "including" and any words following them shall be construed without limitation to the generality of any preceding words or concepts and vice versa;
(v) a reference to a document (including, without limitation, a reference to the Directive) is to the document as amended, varied, supplemented or replaced, except to the extent prohibited by the Directive or that other document; and
vi) a reference to law or a legal obligation includes any regulatory requirement, sectorial guidance and best practice issued by relevant national and international supervisory authorities or other bodies.

Overview of Group Companies bound by BCR

Subsidiaries Address Country
Battaille S.A. Zevenmanshaven Oost 67, 3133 CA, NL-3130 AB, Vlaardingen  Belgium
Extran Limited Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Fertilizer Holdings AS Postboks 343 Skøyen, N-0213, Oslo Norway
Flex Gødning A/S Masnedøvej 63, DK-4760, Vordingborg Denmark
GEORGE HADFIELD & COMPANY LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Herøya Land Logistics AS Hydrovegen 55, N-3936 Porsgrunn Norway
Herøya Nett AS Hydrovegen 55, N-3936 Porsgrunn Norway
KEMIRA GROWHOW LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Landcrop Laboratories Ltd. Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Marine Global Holding AS Postboks 78 Skøyen, N-0212 Oslo Norway
Megalab.Net Ltd. Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
MV Birkeland AS Hydrovegen 55, N-3936 Porsgrunn Norway
OFD Holding S. de RL Postboks 343 Skøyen, N-0213 Oslo Norway
Phosyn Chemicals Ltd Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Skogens Gödslings AB P.O.Box: 4505, S-203 20 Malmö Sweden
Société de Gestion d'Actifs S.A. Rue de la Carbo 10, B-7333 Tertre Belgium
Yara AB P.O.Box: 4505, S-203 20 Malmö Sweden
Yara Agri Czech Republic s.r.o. Dusni 10, 110 00 Praha 1 Czech Republic
YARA AGRI LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara AS Postboks 343 Skøyen, N-0213 Oslo Norway
Yara Belgium S.A./N.V. Corporate village, Aramis Building, Da Vincilaan 1, B-1930 Zaventem Belgium
Yara Besitz GmbH P.O. BOX 10 20 21, D-18003 Rostock Germany
Yara Birkeland AS Hydrovegen 55, N-3936 Porsgrunn Norway
Yara Brunsbüttel GmbH P.O. BOX 1268, D-25541 Brunsbüttel Germany
Yara Bulgaria EOOD City of Varna, Osmi Primorski Polk Blvd 115, 9000 Varna Bulgaria
YARA CHAFER LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara Crop Nutrition Romania SRL Str Zambilelor nr 19, Varsatura, Chiscani, jud Brăila 817027 Romania
Yara Danmark A/S Vesterballevej 27, DK-7000 Fredericia Denmark
Yara Digital Farming Solutions AS Postboks 343 Skøyen, N-0213 Oslo Norway
Yara Eesti OÜ Silla keskus, Papiniidu 5, 80042 Pärnu Estonia
Yara Environmental Technologies AB P.O. BOX 24066, S-400 22 Göteborg Sweden
Yara Environmental Technologies AS Postboks 343 Skøyen, N-0213 Oslo Norway
Yara Environmental Technologies GmbH P.O.Box: 1464, D-48235 Dülmen Germany
Yara Environmental Technologies GmbH, Austria Guglgasse 6, Agsometer A, Stiege 4, 2. Stock, 1210 Wien Austria
YARA FERTILIZERS LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara France SAS Tour Opus 12, 77 esplanade du Général de Gaulle, 4 place des Pyramides, F-92914 Paris La Defense France
YARA GAS AND CHEMICALS LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara GmbH & Co. KG P.O.Box: 1464, D-48235 Dülmen Germany
Yara Hellas S.A. 143, Syngrou Avenue, 171 21 Nea Smyrni - Athens Greece
Yara Holding Netherlands B.V. Industrieweg 10, NL-4540 AA Sluiskil The Netherlands
Yara Hungaria Gyarto es Kereskedelmi KFT Szabadság tér 4, 8200 Veszprém Hungary
Yara Iberian S.A.U. C/Infanta Mercedes, 31 - 2nd floor, 2ªPlanta, 28020 Madrid Spain
YARA INDUSTRIAL LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara Insurance DAC Elm Park, Merrion Road, Dublin 4 Ireland
YARA INTERNATIONAL LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara Investment GmbH P.O.Box: 1464, D-48235 Dülmen Germany
Yara Investments Germany SE Hanninghof 35, D-48249 Dülmen Germany
Yara Italia S.p.A. P.O. BOX 10052, 20159 Milan Italy
Yara Latvija SIA Vienības gatve 109, LV-1058 Rīga Latvia
Yara Lietuva, UAB Senasis Ukmergės kel.4, LT-14302 Užubaliai, Vilnius Lithuania
YARA LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara LPG Shipping AS Postboks 343 Skøyen, N-0213 Oslo Norway
Yara Marine Technologies AB Ringögatan 3, 417 07 Göteborg Sweden
Yara Marine Technologies AS Postboks 78 Skøyen, N-0212 Oslo Norway
Yara Nederland B.V. Industrieweg 10, NL-4540 AA Sluiskil The Netherlands
Yara Norge AS Postboks 343 Skøyen, N-0213 Oslo Norway
Yara Overseas Ltd. Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara Phosphates Oy Kemirantie 1, P.O. BOX 74, 67101 Kokkola Finland
Yara Phosyn Ltd Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
YARA POCKLINGTON LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara Poland Sp. z o.o. ul. Malczewskiego 26, Szczecin 71-612 Szczecin Poland
YARA RESERVE 5 LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara S.A. Corporate village, Aramis Building, Da Vincilaan 1, B-1930 Zaventem Belgium
Yara Sluiskil B.V. Industrieweg 10, NL-4540 AA Sluiskil The Netherlands
Yara South America Investments B.V. Industrieweg 10, NL-4540 AA Sluiskil The Netherlands
Yara Suomi Oy Bertel Jungin aukio 9, 02600 Espoo Finland
Yara Technology B.V. Industrieweg 10, NL-4540 AA Sluiskil The Netherlands
Yara Tertre S.A. Rue de la Carbo 10, B-7333 Tertre Belgium
Yara UK Ltd. Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Yara Verwaltungs GmbH P.O.Box: 1464, D-48235 Dülmen Germany
Yara Vlaardingen B.V. Zevenmanshaven Oost 67, 3133 CA, NL-3130 AB, Vlaardingen The Netherlands
Yara ZIM Plant Technology GmbH Neuendorfstr. 19, 16761 Henningsdorft Germany
YARAVITA LIMITED Harvest House, Europarc, Grimsby, N E Lincolnshire United Kingdom
Hydro Agri Rus Ltd. Postboks 343 Skøyen, N-0213 Oslo Norway
Subsidiaries Address Country
Agronomic Technology Corp. 100 North Tampa Street, Suite 3200, 33602 Tampa, FL United States
Amoniasul Serviços de Refrigeração Industrial Ltda. Av. Alm. Maximiano Fonseca, S/N, Zona Portuária, CEP-96204-040 Rio Grande - RS Brazil
AO Yara Rjazanskij prospekt, Dom 10, stroenie 18, 8th floor, office 8.11, 109428 Moscow Russian Federation
Balderton Fertilisers S.A Route de Florissant 13, CH-1206 Geneva Switzerland
Chemical Holdings Pty Ltd. Level 1, 6 Holt Street, 2060, McMahons Point NSW Australia
Fertillanos S.A.S. Zona Industrial Mamonal Km 11, Cartagena, Bolivar, Cartagena Colombia
Freeport Ammonia LLC 100 North Tampa Street, Suite 3200, 33602 Tampa, FL United States
Galvani Indústria, Comércio e Serviços S/A Av. Prof. Benedicto Montenegro, 1300 Betel, Paulinia Brazil
Karratha Tan Pte Ltd. 1 Harbourfront Place #09-01/04, Harbourfront Tower One, 98633 Singapore Singapore
Le Vang Trading Services Ltd. Empress Tower 14th Floor, 138-142 Hai Ba Trung Street District 1, Ho Chi Minh City Vietnam
LLC Yara Ukraine Kyiv, 03037, Prospect V. Lobanovskogo 6A, office 142, UA-03037 Kyiv Ukraine
Nutrientes y Nitratos Quetzales, S.A. Calzada Roosevelt 33-86 Zona 7, Edificio Ilumina, Nivel 11, Oficina 1102, 1007 Guatemala City Guatemala
Operaciones BPT Avenida Americas 1545 Piso 24, Colonia Providencia 1A 2A Y 3A Sección, 44630 Guadalajara, Jalisco Mexico
P.T. Yara Indonesia Wisma 46-Kota BNI - 20th Floor Suite 20.08 - Jln. Jend. Sudirman Kav. 1, Kelurahan Karet Tengsin, Kecamatan Tanah Abang Jakarta Pusat, 10220 Jakarta Indonesia
Pataba Holdings Inc. Unit 1605 One Global Place Building, 5th Ave, cor. 25th Street, Global City, Taguig City Philippines
Profesionistas AAL, S. de R.L. de C.V. Colonia Providencia 1A 2A Y 3A Sección, Colonia Providencia, 44630, Guadalajara, Jalisco Mexico
Qingdao Yara Trading Co. Ltd. Unit D, 18F, Sunshine building B, 61 Central Hong Kong Road, 266071 Qingdao China
Yara (Thailand) Ltd. Bhiraj Tower at EmQuartier, 689 Unit 2709 - 2713, 27th Floor Sukhumvit Road, Klongton Nuea Vadhana Bangkok, 10110 Klongton Nuea, Vadhana, Bangkok Thailand
Yara Africa Fertilizers (Pty) Ltd. Postnet Suite 1077, Private Bag X10, 2086 Fourways North South Africa
Yara Animal Nutrition South Africa (Pty) Ltd. P.O. BOX 449, ZA-4120 Umbogintwini South Africa
Yara Argentina S.A. Av. Libertador 498, 16th floor, C1001 ABR, Ciudad Autónoma de Buenos Aires Argentina
Yara Asia Pte Ltd. 1 Harbourfront Place #09-01/04, Harbourfront Tower One, 98633 Singapore Singapore
Yara Australia Pty Ltd. Level 1, 6 Holt Street, 2060, McMahons Point NSW Australia
Yara Barbados Inc. Wildey Road, Parker House, Wildey Business Park, St. Michael Barbados
Yara Belle Plaine Inc. 2 Kalium Rd, S0G 0G0 Belle Plaine, Saskachewan Canada
Yara Bolivia Fertilizantes S.R.L. Avenida San Martin #1800, building, Tacuaral floor 5 office No501 Santa Cruz Bolivia
Yara Brasil Fertilizantes S.A. Av. Carlos Gomes, 1672, Auxiliadora, CEP-90480-002 Porto Alegre - RS Brazil
Yara Canada Holding Inc. 2 Kalium Rd, S0G 0G0 Belle Plaine, Saskachewan Canada
Yara Canada Inc. 1874 Scarth Street, Suite 1800, SK S4P 4B3, Regina, Saskatchewan Canada
Yara Caribbean Ltd. P.O. BOX 952, Port of Spain Trinidad and Tobago
Yara Chile Fertilizantes Ltda. Pedro de Valdivia 1215 of 309, 7500914 Santiago de Chile Chile
Yara China Ltd. Unit 1304 Shun Tak Centre West Wing, 168-200 Connaught Road Central Hong Kong, Hong Kong China
Yara Colombia S.A. Zona Industrial Mamonal Km 11, Cartagena, Bolivar, Carrera 3 # 8-104 Floor 4, Bocagrande, Cartagena, Colombia, Barranquilla Colombia
Yara Côte d'Ivoire S.A. 07 BP 61 Abidjan 07, ABIDJAN Ivory Coast (Cote D'Ivoire)
Yara East Africa Ltd. P.O. BOX 50949, 50949-00200 Nairobi Kenya
Yara Environmental Protection (Qingdao) Co. Ltd. Unit D, 18F, Building B, Sunny Tower, 61 Xiang Gang Zhong Lu, 266071 Qingdao China
Yara Environmental Technologies Pvt. Ltd. (former Talec) 312, Gemstar Commercial Complex, Kanchpada Malad West, 400064 Mumbai India
Yara Fertilisers India Pvt. Ltd. #402, Suyog Fusion, Dhole Patil Road, Sangamwadi, 411001 Pune India
Yara Fertilizer Zambia Ltd. P. O. Box 353900, Lusaka Zambia
Yara Fertilizers (NZ) Ltd. 43 Plassey Street, Havelock North 4130, 4157 Havelock North New Zealand
Yara Fertilizers Malaysia Sdn Bhd Lot 3.02, Level 3, 1 First Avenue, Bandar Utama, 47800 Petaling Jaya, Selangor Darul Ehsan Malaysia
Yara Fertilizers Philippines Inc. Unit 1605 One Global Place Building, 5th Avenue, corner 25th Street, Bonifacio Global City, Taguig City Philippines
Yara Ghana Ltd. P. O. BOX CT 5258, Accra Ghana
Yara Guatemala S.A. Calzada Roosevelt 33-86 Zona 7, Edificio Ilumina, Nivel 11, Oficina 1102, 1007 Guatemala City Guatemala
Yara IEC AG c/o Fineac Management AG, P.O. BOX Postrasse 30, 6300 Zug. Swtizerland
Yara Industrial Colombia S.A.S. Carrera 11 Nro. 94A - 34. Piso 3, Bogotá Colombia
Yara Korea Ltd. 34, 200beon-gil, Hwangsaeul-ro, Bundang-gu, Seongnam-si, Gyeonggi-Do 13595, Korea (#1107, Kofomo Building, Sunae-Dong), 13595 Se Korea
Yara Malawi Ltd. P.O. BOX 30582, Lilongwe Malawi
Yara Marine Technologies (Shanghai) Co. Ltd. Unit 2168 Sino-Ocean Tower Phase II, 21st Floor, No. 618 East Yan An Road, 200001 Shanghai China
Yara Mexico S. de R.L. de C.V. Avenida Americas 1545 Piso 24, Colonia Providencia 1A 2A Y 3A Sección, 44630 Guadalajara, Jalisco Mexico
Yara Mozambique Lda. Urbano 1, Mungassa, Estrada Nacional No. 6, Bairro do Inhamizua, Beira Mozambique
Yara Myanmar Ltd. Bairro do Inhamizua, Beira, Mozambique, Kyauktada Township, Yangon Myanmar
Yara Nipro Pty Ltd. Level 1, 6 Holt Street, 2060, McMahons Point NSW Australia
Yara North America Inc. 100 North Tampa Street, Suite 3200, 33602 Tampa, FL United States
Yara Panama S. de R.L. Design Plaza, vìa Boquete, Frente a Jorón Zebede Panama
Yara Peru S.A Calle Monterrey No 355 Dpto. 601, Urb. Chacarilla del Estanque, Lima 33, Santiago de Surco. Lima Peru
Yara Pilbara Fertilisers Pty Ltd. Level 5, 182 St Georges Terrace, Perth, Western Australia 6000 Australia
Yara Rwanda Ltd. P.O. BOX 3390, Kigali Rwanda
Yara Switzerland Ltd. Route de Florissant 13, CH-1206 Geneva Switzerland
Yara Tanzania Ltd. P.O.BOX 40230, 0255 Dar es Salaam Tanzania
Yara Trade Misr. Ltd. Building B3, Tibba Buildings, Second floor, Zahraa EL Maadi, 11435 Cairo Egypt
Yara Trading (Shanghai) Co. Ltd. Unit 1905-1906 Raffles City Changning Office Tower 1, No. 1133 Changning Road Shanghai 200051 PRC, Shanghai China
Yara Trinidad Ltd. P.O. BOX 952, Port of Spain Trinidad and Tobago
Yara Turkey Tarımsal Gübre Ürünleri Anonim Şirketi Esentepe Mahallesi Büyükdere Cad. No: 199/6, Şişli, Istanbul Turkey
Yara Vietnam Co. Ltd. Empress Tower 14th Floor Vietnam
Yara West Sacramento Terminal LLC 100 North Tampa Street, Suite 3200, 33602 Tampa, FL United States
Yarecuador Cia. Ltda. Km 1.5 Via Samborondon, Sector Los Arcos, Mz. CC3 Solar 120, Edificio Del Portal Piso 1 Oficinas 105, 106, 107, 092303 Samborondon, Guayaquil Ecuador
挪威海德鲁有限公司 Unit 1304 Shun Tak Centre West Wing, 168-200 Connaught Road Central Hong Kong, Hong Kong China
雅苒亞洲有限公司 Unit 1304 Shun Tak Centre West Wing, 168-200 Connaught Road Central Hong Kong, Hong Kong China
雅苒国际有限公司 Unit 1304 Shun Tak Centre West Wing, 168-200 Connaught Road Central Hong Kong, Hong Kong China