COLGATE-PALMOLIVE GROUP COMPANY BINDING CORPORATE RULES

1. SCOPE AND APPLICATION 

1.1 Scope 

These Binding Corporate Rules address the Processing of Personal Data of  employees, customers and suppliers by or on behalf of Colgate-Palmolive and  Colgate-Palmolive’s Affiliates in their roles as Responsible Parties. These Binding  Corporate Rules complies with the privacy objectives and principles housed under  the Protection of Personal Information Act, 4 of 2013 (―POPIA‖) and the European  Union General Data Protection Regulations (―GDPR‖), hereinafter collectively  referred to as the Data Protection Laws.  

1.2 Effective Date 

These Binding Corporate Rules come into effect as of 01 July 2021.  1.3 Application  

These Binding Corporate Rules apply to the Processing of Personal Information by  electronic means and in paper-based filing systems. These Binding Corporate Rules are binding on Colgate-Palmolive and all Colgate-Palmolive’s Affiliates in respect of  their Processing of Personal Information within the Colgate-Palmolive group of  companies. 

2. INTERPRETATION 2.1 Definitions  

The following are the meanings of defined terms used in these Binding Corporate  Rules:  

“Affiliate” means in relation to Colgate-Palmolive, any party which, directly or  indirectly, (i) is Controlled by Colgate-Palmolive, (ii) Controls Colgate-Palmolive, or  (iii) is under common Control with Colgate-Palmolive. For purposes of these Binding  Corporate Rules ―Control‖ means the possession, directly or indirectly, of the power  to direct or cause the direction of the management and policies of Colgate-Palmolive,  whether through the ownership of voting securities, by contract or otherwise; 

"Data Subject" is the individual who is the owner of the Personal Information;  

“Operator” is a person who processes personal information for a Responsible Party  in terms of a contract or mandate, without coming under the direct authority of that  party; 

"Personal Information" is information or data about an identified or identifiable  living, natural person, and where it is applicable, an identifiable, existing juristic  person, including, but not limited to— (a) Information relating to the race, gender,  sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual  orientation, age, physical or mental health, well-being, disability, religion, conscience,  belief, culture, language and birth of the person; (b) Information relating to the  education or the medical, financial, criminal or employment history of the person; (c)  Any identifying number, symbol, e-mail address, physical address, telephone  number, location information, online identifier or other particular assignment to the  person; (d) The biometric information of the person; (e) The personal opinions, views  or preferences of the person; (f) Correspondence sent by the person that is implicitly  or explicitly of a private or confidential nature or further correspondence that would  reveal the contents of the original correspondence; (g) The views or opinions of another individual about the person; and (h) The name of the person if it appears with  other personal information relating to the person or if the disclosure of the name itself  would reveal information about the person, received by the Responsible Party from  any party in any format including, without limitation, electronic, paper, and verbal; 

"Processing" means any operation or activity or any set of operations, whether or  not by automatic means, concerning personal information, including— (a) The  collection, receipt, recording, organisation, collation, storage, updating or  modification, retrieval, alteration, consultation or use; (b) Dissemination by means of  transmission, distribution or making available in any other form; or (c) Merging,  linking, as well as restriction, degradation, erasure or destruction of information.  Processing includes any online and offline processing and includes such activities as  copying, filing, and inputting Personal Information into a database; 

“Responsible Party/ies” means the party who determines the purpose of and  means for processing Personal Information, and shall refer to Colgate-Palmolive and/or Colgate-Palmolive’s Affiliates;

"Special Personal Information" is information or data about an individual that  pertains to racial or ethnic origins, political or religious beliefs, health, or sexual  orientation or preferences, biometric data and data regarding minors. Special Personal Information may not be processed at all unless the individual has given  explicit consent.  

3. DATA PROTECTION PRINCIPLES  

In Processing Personal Information, the Responsible Party shall comply with the data  privacy principles and conditions for the lawful processing of personal information in  terms of the Data Protection Laws (the ―Principles‖).  

Adherence to the Principles may be limited in certain cases to the extent necessary  to meet national security, public interest, or law enforcement requirements. 

The Principles are as follows: 

3.1 Principle 1 – Accountability:  

3.1.1 The party collecting the Personal Information must ensure compliance  with the principles of the Data Protection Laws. 

3.2 Principle 2 – Processing Limitation: 

3.2.1 Personal Information can be collected or stored only if it is necessary  for, or directly related to, a lawful, explicitly defined purpose and does  not intrude on the privacy of the consumer to an unreasonable extent. 

3.2.2 Personal Information must be collected directly from and with the  consent of the consumer. 

3.3 Principle 3 – Purpose Specification: 

3.3.1 Consumers must be informed of the purpose of any such collection  and of the intended recipient of the Personal Information at the time of  collection. 

3.3.2 Personal Information must not be kept for any longer than is necessary  for achieving the purpose for which it was collected. 

3.4 Principle 4 – Further Processing Limitation: 

3.4.1 Personal Information must not be distributed in any way which is incompatible with the purpose for which it was collected.

3.5 Principle 5 – Information Quality: 

3.5.1 Reasonable steps must be taken to ensure that the Personal  Information processed is accurate, up to date and complete. 

3.6 Principle 6 – Openness: 

3.6.1 The Data Subject whose information you are collecting must be aware  that you are collecting and processing their Personal Information. 

3.6.2 They must be notified of the fact either before or as soon as  reasonably possible after collection of the Personal Information, even if  you get it from a third party. 

3.7 Principle 7 – Security Safeguards: 

3.7.1 Appropriate technical and organisation measures have to be taken to  safeguard the consumer against the risk of loss, damage, destruction  of or an authorised access to Personal Information. 

3.8 Principle 8 – Data Subject Participation: 

3.8.1 Consumers are allowed the right to access their Personal Information  and have a right to demand correction of such information should it  turn out to be inaccurate. 

3.9 Personal Information Collected 

3.9.1 The type of Personal Information collected will depend on the purpose for which it is collected and will be processed for that purpose only.  The Personal Information that the Colgate-Palmolive group of  companies collects and processes falls into three broad categories:

3.9.1.1 Human Resources data; 

3.9.1.2 Procurement data; and 

3.9.1.3 Customer/Consumer data.  

3.9.2 Wherever possible, the Responsible Party will inform the Data Subject  what information he/she/it is required to provide to it and what  information is optional.  

3.10 Purpose for Processing Personal Information 

3.10.1 Personal Information shall be collected, used, transferred or otherwise  Processed for one or more of the following purposes: 

3.10.1.1 The conclusion and execution of agreements with  customers and suppliers; 

3.10.1.2 Marketing, sales, and promotions; 

3.10.1.3 Account management; 

3.10.1.4 Customer service; 

3.10.1.5 Finance and accounting; 

3.10.1.6 Procurement; 

3.10.1.7 External communications; 

3.10.1.8 Compliance with a legal obligation.

3.11 How Personal Information Is Used 

3.11.1 Personal Information is only to be used for the purpose for which it  was collected and agreed to be used for. 

3.11.2 The Responsible Party shall notify all identified Data Subjects about  the purposes for which Personal Information is collected and used. In  certain situations, data is aggregated or "made anonymous" so that  the names of the Data Subjects are not known by data processors  within the Colgate-Palmolive group of companies. In these cases, Data  Subjects do not need to be notified.  

3.11.3 The Responsible Party must give each Data Subject the opportunity to  opt out from allowing them to disclose his/her Personal Information to  a third party. Affirmative choice (opt-in) must be given if Special  Personal Information is to be disclosed to a third party. 

3.11.4 A Data Subject must positively agree to the use of his/her/its Personal  Information for a purpose incompatible with the purpose for which it  was originally collected or authorized.  

3.12 Consent 

3.12.1 Whenever Personal Information is collected, the Responsible Party  must ensure that the Data Subject is made aware of: 

3.12.1.1 the information being collected and where the information  is not collected from the Data Subject, the source from  

which it is collected; 

3.12.1.2 the name and address of the Responsible Party;

3.12.1.3 the purpose for which the information is being collected; 

3.12.1.4 whether or not the supply of the information by that Data  Subject is voluntary or mandatory; 

3.12.1.5 the consequences of failure to provide the information; 

3.12.1.6 any particular law authorising or requiring the collection of  the information; 

3.12.1.7 the fact that, where applicable, the Responsible Party  intends to transfer the information to a third country or  international organisation (e.g., for off-shore server  storage) and the level of protection afforded to the  information by that third country or international  organisation; 

3.12.1.8 the recipient or category of recipients of the information; 3.12.1.9 the nature or category of the information; 

3.12.1.10 the existence of the right of access to and the right to  rectify the information collected; 

3.12.1.11 the existence of the right to object to the Processing of  Personal Information; and 

3.12.1.12 the right to lodge a complaint with the Information  Regulator or the equivalent data protection authority in  their country and the contact details of the Information  Regulator/authority.

3.13 Disclosure of Personal Information 

The Responsible Party may transfer information to a third party acting as an  agent for the Responsible Party (such as an outside benefits administrator).  However, prior to any such transfer, the Responsible Party must require the  third party to give its written agreement to provide the same level of protection  required by the Principles. If possible, a Third-Party Operator Agreement shall  be concluded between the Responsible Party and its agent.  

3.14 Direct Marketing 

3.14.1 When Processing Personal Information for the purpose of making  direct marketing communications, the Responsible Party will either: 

3.14.1.1 obtain the prior affirmative consent (―opt-in‖) of the targeted  consumer; or 

3.14.1.2 ensure that it only Processes the Personal Information of  consumers who are customers of the Responsible Party  

who have not previously chosen not to receive such  

communications. 

3.14.2 In every subsequent direct marketing communication that is made to  the individual, the individual shall be offered the opportunity to opt-out  of further marketing communication. 

3.15 Safeguarding Personal Information 

3.15.1 The Responsible Party must take reasonable precautions to protect  Personal Information from loss, misuse, unauthorized access,  disclosure, alteration, and destruction. These precautions include  password protections for online information systems and restricted  access to Personal Information processed by the Responsible Party. 

3.15.2 All inquiries, whether written or verbal, concerning any Personal  Information, are to be referred to the Information Officer/Data  Protection Officer (or the Chief Executive Officer if there is no the  Information Officer or Data Protection Officer) of the Responsible Party  for handling. The Responsible Party will verify the credentials of the  inquirer and obtain the Data Subject’s consent before releasing  information about a Data Subject.  

3.16 Access and Correction of Personal Information 

Upon request, Data Subjects may access Personal Information about  themselves and request that inaccurate or incomplete information be  corrected or amended.  

3.17 Complaints  

The Responsible Party shall implement a complaint management process and  apply consistent incident management procedures from identification through  to resolution. Complaints shall be submitted through the following  mechanisms: 

3.17.1 Online - Complaints must be submitted via the ―Contact Us‖ form on  the Responsible Party’s website.  

3.17.2 Telephone - Complaints can be reported via telephone using the  telephone number provided on the Responsible Party’s website.  Upon receipt of a complaint, the Responsible Party will review the submission  and investigate the complaint. The Responsible Party will acknowledge  receipt of a complaint within ten business days and will respond to all submissions within twenty business days.

3.18 Retention of Personal Information 

3.18.1 Purpose

3.18.1.1 To exercise effective control over the retention of documents  and electronic transactions as prescribed by legislation and  as dictated by business practice. 

3.18.1.2 Documents need to be retained in order to prove the  existence of facts and to exercise any rights that the  Responsible Party may have. They are also necessary for  defending legal action, for establishing what was said or  done in relation to the business of the Responsible Party  and to minimize the Responsible Party’s reputational risks. 

3.18.1.3 To ensure that the Responsible Party’s interests are  protected and that the Responsible Party and the Data  Subjects' rights to privacy and confidentiality are not  breached. 

3.18.1.4 Queries may be referred to the Information Officer or Chief  Executive Officer of the Responsible Party. 

3.18.2 Retention Period

The Responsible Party must strive to keep Personal Information only  for the time necessary for the purposes set out in these Binding  Corporate Rules and in accordance with the law. As a general rule: 

3.18.2.1 The Data Subject’s data will be kept for three years from the  date of collection or after the last contact or the end of the  commercial relationship, unless opposed by the Data  Subject. At the end of this three-year period, the 

Responsible Party may make contact with the Data Subject again in order to find out whether or not the Data Subject wishes for the Responsible Party to continue to retain his/her/its Personal Information. If no clear positive answer is given by the Data Subject, his/her/its data will be deleted or archived in accordance with the Data Protection Laws. 

3.18.2.2 Data that is required to prove a right or a contract or to be kept under compliance with a legal obligation can be archived in accordance with the law. 

3.19 Destruction of records/documents  

3.19.1 Records of Personal Information must be destroyed after the  termination of the retention period. The Information Officer/Data  Protection Officer/Chief Executive Officer of the Responsible Party will  request the party/ies dealing with the Personal Information to attend to  the destruction of its documents and these requests shall be attended  to as soon as possible. 

3.19.2 Each Responsible Party is responsible for attending to the destruction  of its documents, which must be done on a regular basis. Files must  be checked in order to make sure that they may be destroyed and also  to ascertain whether there are important original documents in the file.  Original documents must be returned to the holder thereof, failing  which, they should be retained by the Responsible Party pending such  return. 

3.19.3 After completion of the process in 3.19.2 above, the Information  Officer/Data Protection Officer/Chief Executive Officer of the  Responsible Party shall, in writing, authorise the removal and  destruction of the records/documents. 

3.19.4 Documents/records may also be stored off-site, in storage facilities  approved by the Responsible Party. However, should the off-site  storage be outside the Republic of South Africa, the Data Subject must  have consented to the transfer. 

3.20 Data Integrity 

The Responsible Party shall take reasonable steps to ensure that Personal  Information is accurate, complete, and current. All Data Subjects are asked to  inform the Responsible Party immediately in the event of changes in Personal  Information.  

3.21 Security Breach 

3.21.1 A security breach occurs when the data for which the Responsible  Party is responsible suffers a security incident resulting in a breach of  confidentiality, availability or integrity.  

3.21.2 If a security breach occurs, the following protocol is to be observed: 

3.21.2.1 The Responsible Party’s IT officer is to isolate the incident and  complete a breach report. 

3.21.2.2 The IT officer is to provide the report and notify the Information  Officer/Data Protection Officer/Chief Executive Officer 

together with the Managing Director of the Responsible Party. 

3.21.2.3 The Information Officer of the Responsible Party must notify the Information Regulator in South Africa without undue delay, and at the latest within 72 hours after having become aware of  the security breach.

3.21.3 The notification must: 

3.21.3.1 Describe the nature of the breach; 

3.21.3.2 State the number of the Data Subjects affected by the breach;  3.21.3.3 Describe the likely consequences of the breach; and 

3.21.3.4 Describe the measures taken or proposed to be taken by the  Responsible Party to remedy the breach. 

3.21.4 If it is likely that the breach poses a risk to a Data Subject’s rights, then  the Data Subject should also be informed, unless there are effective  technical and organisational protection measures that have been put in  place, or other measures that ensure that the risk is no longer likely to  materialise or the Data Subject cannot be identified. 

4. COLGATE-PALMOLIVE’S COMMITMENTS 

4.1 Governance  

4.1.1 Colgate-Palmolive’s Information Officer is chartered to ensure  compliance with POPIA and is responsible for overseeing compliance of  its Affiliates with these Binding Corporate Rules. The Information Officer  shall provide regular reports to Colgate-Palmolive’s Board of Directors. 

4.2 Training  

4.2.1 Colgate-Palmolive shall provide general training on POPIA to its Affiliates in order to address the compliance obligations under these Binding  Corporate Rules. 

4.2.2 Depending on business needs, risk assessment outcomes, assurance  processes and other factors, Colgate-Palmolive shall develop and  refresh the training periodically and may develop additional training programs.