By Simone Pelkmans and Iris Tasevski
We spoke with Simone Pelkmans – General Counsel of Unilever Benelux, and Iris Tasevski – Unilever’s Data Protection Advisor.
Question 1) Unilever is a global corporation in fast moving consumer goods, can you describe to me how a company like Unilever interacts with personal data and privacy?
As a fast moving consumer goods company, Unilever group companies collect and use personal data to enable them to provide goods and services to consumers, customers and other stakeholders and collaborate with third parties. Furthermore, Unilever holds personal data of thousands of employees. Although Unilever does not (yet) interact with consumers on a large scale, we do interact with them, mainly for marketing purposes.
At Unilever, we respect the privacy of all individuals (consumers, employees, customers, suppliers). As such, our aim is to collect, use and protect personal data not only in accordance with applicable laws but in line with our own values (integrity, respect, transparency, and responsibility) and the expectations of individuals. By bringing this to life in all decisions we make regarding personal data processing, we can create a trusted relationship with each type of individual. One of these fundamental values at the heart of Unilever’s privacy governance is a desire to solidify consumer trust in our brands by ensuring individuals feel in control of the decisions they make around our use of their personal data, and that Unilever feels confident that it has the permission to use it for current and future (marketing) purposes. Underpinning our marketing activities with a consent driven approach that is transparent to the consumer means that we will not rely on legitimate interest as a legal basis to process personal data. This unlocks the opportunity to provide our consumers with a truly personalized marketing experience.
“Being such a large company, it does surely bring forth challenges in terms of privacy and data governance.”
Question 2) How do you deal with the data processing of consumers, customers and the thousands of employees who work for the company? Is it more difficult for a large company like Unilever to keep track and control of data and privacy than for a smaller company? How exactly does this control of data and privacy look like?
Being such a large company, it does surely bring forth challenges in terms of privacy and data governance. However, not all processing activities happen on a central level and such large scale, which enables Unilever group companies to maintain overview of their own activities. Unilever has a robust network of privacy professionals worldwide, consisting of a global privacy team and local data protection advisors, the latter are each responsible for their own markets and regions. This enables us to keep track and to control data processing activities easier than when it is only managed on a central level, thus without local presence and visibility. Furthermore, in the Benelux we have ensured all our lawyers have sufficient basic knowledge of Privacy and we have appointed privacy champions, who are spread across different teams and functions. They function as the first line of defense for the business in case of any privacy related questions. The privacy champions are trained regularly by the local data protection advisor.
Question 3) Do you maintain specific internal rules relating to the processing of data involving third parties?
In case of a new vendor, supplier or other type of third party that we will share, exchange or transfer personal data with (either as (joint) controller or as processor), we will conduct a due diligence to make sure the third party meets our privacy and security standards. This due diligence consists of different types of assessments from both a privacy and security perspective. This also allows us to make sure to put the right agreement with such party in place and keep track of the third parties we cooperate with in terms of data processing.
Question 4) Do you use any form of automated decision-making in processing personal data and other sensitive information? How do these activities look like and how do we know they are safe?
At the moment, Unilever does only use automated decision-making in the field of HR, and more specifically in a certain phase of the recruitment process. These activities however are limited and monitored closely. As mentioned earlier, we do process consumer data but it’s not at such an advanced level that we directly interact with the consumer on a significant scale, so the use of automated decision-making tools and systems isn’t in scope of our activities currently.
Question 5) Unilever has a good reputation on product innovation and highlights this reputation. How do you deploy data in the process of product innovation?
We certainly deploy data in our innovation process, but when it comes to personal data in relation to innovation this is a different topic and we mainly use anonymized personal data which we inter alia obtain from consumer insights that our Research & Development and Marketing teams gather.
Question 6) Does Unilever have any insight in future developments regarding data and privacy that Unilever will deal with? What is Unilever’s future perspective on this?
As it already is one of the fundamental privacy principles of Unilever, we believe that transparency will become even more important in the future. Over the last couple of years already, there has been an increase of the awareness amongst individuals regarding data privacy and their rights; companies can no longer hide their data processing activities. Transparency is always important, but especially in situations where individuals have a choice whether they want to enter into a relationship with us. If individuals are being informed from the start about what we will be using their personal for, they can decide whether or not to engage with us. For a company like Unilever, without direct to consumer contact on a large scale and where data processing does not lie at the core of its business activities, it is imperative that trust is gained and the consumer decides to let us handle their personal data. Since transparency is fundamentally linked to fairness, meaning that an organization should only process personal data in manners that individuals would and could reasonably expect, this becomes even more important.
“Companies can no longer hide their data processing activities.”
Another future development that will have impact on Unilever is the pending discussions around third party cookies, such as Google announcing to phase out third party cookies in the coming years, joining Safari and Firefox in restricting third party cookies in its web browser.
Internally, we believe that privacy governance will need to become even more a company-wide responsibility instead of it being managed by a global privacy team or local data protection advisors. Privacy governance is a responsibility of all and privacy by design needs to get embedded into the DNA of each and every employee, especially of those working on consumer facing propositions and other data processing activities.
About the authors
Simone Pelkmans is General Counsel of the Benelux operating companies of Unilever. Before she worked in various other local, regional and global Legal roles within Unilever. Simone started her career at Nauta Dutilh Amsterdam.
Iris Tasevski is the Data Protection Advisor for Unilever Benelux. She determines the privacy course for the Benelux marketing & business organization and advises and guides the local business when processing personal data. She also develops new initiatives and guidance to support privacy compliance, provides training and facilitates awareness.