This Global Data Protection Policy forms part of Hydro’s Data Privacy program and sets out the fundamental principles to be applied to all processing of Personal Data in Hydro globally.
Hydro’s Binding Corporate Rules
Hydro has adopted EU Binding Corporate Rules (BCR) to ensure compliance with the specific limitations for transferring EEA-Personal Data to third countries. The BCR contains more detailed rules for how to process Personal Data and is binding for all Hydro legal entities that have signed the Hydro Intragroup Data Agreement.
The Hydro BCR is an annex to this Policy and is available here.
Principles for Processing Personal Data in Hydro
Hydro shall process Personal Data in accordance with the fundamental data privacy principles as listed below.
1. Fair, Lawful and Transparent Processing
Personal Data shall be processed fairly, lawfully, and in a transparent manner in accordance with the principles stipulated herein. This means that Personal Data shall be processed in compliance with applicable law, and that the legitimate interests of the individual data subject shall be considered.
Hydro shall only process Personal Data if there is a legal basis established in applicable data protection law. Hydro shall ensure data processing activities are necessary, proportionate and predictable for the data subjects. The processing activity shall be performed in a transparent manner, and the data subject shall be provided with adequate information about the activity.
2. Purpose Limitation
Hydro shall only process Personal Data for specified, explicit and legitimate purposes. The purpose shall be established before the processing starts.
Further processing of data for other purposes may only take place if the new purpose is compatible with the original purpose.
3. Data Minimization and Accuracy
Hydro shall only process Personal Data to the extent necessary to fulfill the purpose of the processing. Data shall be adequate, relevant, and limited to what is necessary in relation to the specified purposes.
Hydro shall only collect and process Personal Data that is accurate. Routines shall be established to capture incorrect data and ensure that it is either corrected or deleted without delay.
4. Storage Limitation
Hydro shall only retain Personal Data for as long as necessary to fulfill the purpose of the processing. Once the Personal Data is no longer needed it shall be deleted or anonymized to the extent that identification of individuals is no longer possible by any means.
5. Integrity and Confidentiality
Hydro shall ensure an adequate level of protection of Personal Data processed. Adequate technical and organizational measures shall be implemented based on the risk associated with the processing. Such measures shall ensure protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Access to Personal Data shall be limited to those that have a legitimate need. Employees have a legitimate need when they need access in order to perform their duties. All employees and external parties with access to Personal Data shall commit to confidentiality.
6. Data Transfer and Exchange
Hydro shall ensure that Personal Data transfers across national borders comply with applicable laws in the relevant jurisdictions, and that contractual safeguards are in place as appropriate.
Hydro shall only transfer or exchange Personal Data between legal entities in the Hydro Group to the extent necessary for the processing activity at hand. This includes ensuring appropriate role- and location-based access controls are in place for common IT platforms.
7. Accountability and Documentation
Hydro shall be able to demonstrate compliance with the above principles, this Policy and applicable data protection laws through documented processes.
Effective date: January 1st, 2026.
Aggiornato: 23 gennaio 2026