
    Binding Corporate Rules for Hydro

    Hydro has committed itself to the protection of Personal Data of its Customers, Suppliers, Business Partners and Employees by implementing the Hydro Data Protection Policy and adopting EU Binding Corporate Rules (“BCRs”).

    The purpose of the Data Protection Policy and these BCRs is to ensure a uniform and consistent data processing and data protection practice for Personal Data within the Hydro Group. EU Binding Corporate Rules additionally enable Hydro to make intra-group transfers of Personal Data protected under EU law across borders, provided that the rules set out herein are complied with.

    The Hydro BCR has been approved by competent Data Protection Authorities and is binding on Norsk Hydro ASA and fully owned legal entities within the Hydro Group. A complete list of Hydro BCR Members can be found in Exhibit 1 below.

    Capitalized terms are to be understood as defined in section 22, Definitions.

    1. Introduction

    This BCR sets out consistent and uniform principles for the transfer of personal data from Hydro BCR Members acting as controllers established in EEA to Hydro BCR Members as controllers or processors established in a Third Country, including onward transfers to other Hydro BCR Members in similar roles established in a Third Country.

    Exhibit 1 lists the current Hydro BCR Members and their country of establishment.

    Exhibit 2 lists the scope of transfers, including description of processing activity.

    All Hydro BCR Members have a duty to respect the BCR. The BCR is binding on each Hydro BCR Member through the Intragroup Agreement. Pursuant to such agreement, the Hydro BCR Members confirm (i) their legally binding commitment to comply with the BCR, and (ii) their legally binding commitment to respect the rights granted to data subjects, ensuring legal enforceability for data subjects and establishing an external binding effect of the BCR.

    The BCR is legally binding on employees of any Hydro BCR Member through a clause in employment contracts, which requires compliance with the Hydro BCR Member’s respective Code of Conduct, incorporating the BCR. Breach of this obligation may result in disciplinary action, up to and including termination of employment.

    The Hydro BCR Members further ensure compliance with the BCR through internal data protection policies and mandatory training for employees. Non-compliance with these policies may, pursuant to a clause in employment contracts, similarly result in appropriate disciplinary measures, ensuring enforcement of the BCR across all levels of the organization.

    3.1. Third-party beneficiary rights that are enforceable by the data subjects

    This BCR confers enforceable rights on data subjects as third-party beneficiaries, enabling them to enforce the following rights against Hydro BCR Members:

    • Data protection principles: Rights regarding lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitations, integrity and confidentiality, accountability, rights concerning the lawfulness of processing, as well as security, personal data breach notifications, and restrictions on onward transfers (see sections 10–14).
    • Transparency and access: The right to clear information about the BCR, including access to the BCR and associated data processing activities (see section 3.4).
    • Data subject rights: The rights to information, access, rectification, erasure, restriction of processing, objection to processing, and the right not to be subject to decisions based solely on automated processing, including profiling (see section 15).
    • Government access requests: Rights regarding government requests for data access and local laws impacting compliance with the BCR (see section 18).
    • Complaint mechanism: The right to file complaints through Hydro's internal complaint process and with Competent SA(s) (see section 6).
    • Cooperation duties: Rights relating to compliance obligations covered by this third-party beneficiary clause (see section 9).
    • Jurisdiction and liability: Rights regarding the centralized responsibility and liability regime (see section 3.3).
    • Updates: The right to be informed of any update of the BCR and the list of Hydro BCR Members, by way of publication of a new version without undue delay (see section 3.4 and 21).
    • Third-party beneficiary rights: The rights under this present section 3.1.
    • Remedies: The right to seek judicial remedies, redress and compensation for breaches of these enforceable provisions (see section 3.2).

    These rights are confined to external aspects of the BCR that directly affect data subjects and do not extend to Hydro’s internal management processes, such as training, audits, Hydro Data Privacy Network and mechanism for updating the BCR.

    3.2. Right to judicial remedies, redress and compensation for data subjects

    The Hydro BCR Members acknowledge and agree that:

    • Data subjects have the right to judicial remedies and to obtain redress, including compensation, where appropriate, in the event of a breach of any enforceable element of the BCR as outlined in section 3.1.
    • Data subjects may be represented by a not-for-profit body, organization, or association under the conditions set out in Article 80(1) GDPR (see Articles 77–82 GDPR).
    • Data subjects have the right to lodge a complaint with direct reference to this BCR: (i) with a Competent SA(s), particularly the authority in their habitual residence, place of work, or the location of the alleged infringement, and (ii) before the competent court of the EEA member state where the Hydro BCR Member is established or where the data subjects have their habitual residence.

    3.3. Centralised responsibility and liability regime

    Norsk Hydro ASA (the "Liable BCR Member"), as the ultimate parent of the Hydro BCR Group, accepts centralized responsibility for compliance with the BCR and for remedying any breaches by Hydro BCR Members located in a Third Country. This includes taking the necessary actions to address breaches and providing compensation to data subjects for any material or non-material damages resulting from a violation of this BCR.

    Liability for breaches: The Liable BCR Member accepts full liability for any breaches of this BCR by any Hydro BCR Member located in a Third Country. Data subjects may seek compensation directly from the Liable BCR Member for any breach of the BCR, regardless of where the breach occurred.

    Burden of proof: In the event of a claim by a data subject, the burden of proof lies with the Liable BCR Member to demonstrate that no breach of the BCR occurred, or that the Hydro BCR Member in a Third Country was not responsible for the breach. The Liable BCR Member must provide this proof to discharge its liability.

    Sufficient assets: The Liable BCR Member confirms that it maintains sufficient assets to cover any compensation claims arising from a breach of this BCR. This ensures that data subjects can obtain redress for any material or non-material damages caused by a breach of the BCR.

    Jurisdiction: In the event of a breach of the BCR by a Hydro BCR Member in a Third Country, the courts or other judicial authorities within the EEA will have jurisdiction. Data subjects will be able to seek remedies against the Liable BCR Member as if the breach occurred within the EEA. The Liable BCR Member agrees to submit to the jurisdiction of these courts.

    Cooperation among Hydro BCR Members: All Hydro BCR Members shall cooperate with each other to handle:

    • Requests, complaints, or claims made by data subjects; and
    • Any lawful investigation or inquiry by a Competent SA(s).

    The Hydro BCR Member responsible for the processing to which a request, complaint, or claim relates shall bear the associated costs and shall reimburse the Liable BCR Member for any expenses incurred in handling such matters.

    3.4. Easy access to the BCR

    Data subjects benefiting from this BCR shall have easy access to all relevant information regarding their third-party beneficiary rights, with regards to the processing of their personal data and the means to exercise those rights. Data subjects will be provided with a full description of the scope of the BCR (sections 1 and 3), liability (section 11), data protection principles (section 15), lawfulness of processing (section 11), security and personal data breach notifications (section 13), restrictions on onward transfers (section 16), data subject rights (section 15.7), and definitions (section 18).

    Hydro will provide access to this information by publishing the BCR in full, including Exhibit 1 and 2, however excluding Exhibit 3, on Hydro.com and on Hydro’s intranet. Any updates to the BCR will be reflected in the published version. To enhance transparency, Hydro’s privacy notices (internal and external) will include a link to the BCR.

    The transfers in scope of the BCR involve the processing activities set out in Exhibit 2 – Scope of the data transfers. The described data transfers may take place to all Third Countries in which the Hydro BCR Members are established.

    Hydro shall provide appropriate and up-to-date training to employees who have permanent or regular access to personal data, are involved in the collection of personal data, or in the development of tools used for processing personal data or are responsible for decisions concerning the purposes or means of processing personal data. The training program shall apply to all Hydro BCR Members.

    This training program, including its materials, shall be appropriate and effective, covering, among other topics, procedures for managing requests for access to personal data by public authorities, as well as aspects related to data protection principles and data subjects' rights.

    The training program consists of a global e-learning curriculum and live classroom trainings. The e-learning curriculum is module based, where the generally applicable modules are incorporated into Hydro’s global onboarding program and made mandatory for all white-collar employees. Topic-specific modules are in addition assigned to persons in specialized roles. For critical roles in HR and IT, classroom trainings are held on a regular basis, the frequency of which is decided by the respective Data Privacy Coordinator in consultation with the Head of Data Privacy.

    Hydro shall enable data subjects to exercise their rights under Applicable EEA Data Protection Law. If a data subject believes that the processing of personal data within Hydro is not compliant with this BCR or Applicable EEA Data Protection Law, the data subject may lodge a complaint with Hydro.

    A complaint may be made anonymously or under full name and can be submitted to any Hydro BCR Member by any means and in any format. Requests will be handled free of charge. Hydro encourages the data subjects to exercise their rights under the BCR, and to submit claims, requests, or complaints regarding any member of the Hydro BCR Group, to any of the following contact points:

    • Online: https://www.hydro.com/en/global/sustainability/environmental-social-and-governance/data-privacy/
    • Email: privacy@hydro.com
    • In writing: Norsk Hydro ASA, Postboks 980 Skøyen, NO-0240 Oslo, Norway
    • Directly to Hydro Data Privacy Network: The Head of Data Privacy, a Data Privacy Coordinator, a Data Privacy Champion, a Data Protection Officer (if designated).

    Hydro, through any of the members of the Hydro Data Privacy Network, shall provide information or take action with respect to a complaint without undue delay, and in any event within four (4) weeks. If, due to the complexity of the complaint and/or the number of complaints, Hydro cannot provide the information or take action within the four (4) week period, Hydro will inform the data subject and provide a reasonable estimate of the time required to respond. The time limit shall not exceed three (3) months from the receipt of the complaint.

    If the complaint is deemed justified, Hydro will take appropriate action. In the event of delays, rejection of the complaint, or if the data subject is not satisfied with the response, the data subject may lodge a complaint with the Competent SA(s) or court. This is without prejudice to the data subject’s right to file a complaint with the Competent SA(s) or court or seek judicial remedies, redress, and compensation without having first lodged a complaint with Hydro (see section 3.2).

    To ensure compliance with the BCR and Applicable EEA Data Protection Law, Hydro shall perform data protection audits on the basis of the following:

    Independence commitment: Hydro guarantees that those deciding the audit program and those performing audits are independent in their duties, ensuring objectivity and impartiality in assessing compliance with the BCR.

    Entity deciding the audit program: Group Internal Audit & Investigations (GIA&I) decides the audit program. The Head of Data Privacy or Data Protection Officers (DPOs) shall not be in charge of auditing compliance to avoid conflicts of interest.

    Audit frequency: Hydro shall on average perform at least one audit annually. The scope of each audit shall be based on an assessment of the risks associated with the processing activities. Additionally, Hydro shall conduct audits when there are indications of non-compliance with the BCR or Applicable EEA Data Protection Law. The Head of Data Privacy, or other members of the Hydro Data Privacy Network, may also request specific audits outside the regular audit program.

    Audit program: The audit program covers all aspects of the BCR, including onward transfers, IT systems, applications, databases, compliance with national laws that conflict with the BCR, and review of contractual terms used for transfers to controllers or processors outside Hydro. The audit program includes methods and action plans to ensure prompt implementation of corrective actions identified during audits.

    Audit execution: The audits will be conducted by internal or external auditors. If audits are carried out by external auditors, Hydro shall ensure that they are independent, accredited and appropriately qualified.

    Audit reporting: The audit results shall be communicated to the Head of Data Privacy. The Head of Data Privacy shall submit annual reports to the Chief Compliance Officer on the results of data protection audits, data protection risks, and other relevant issues. Moreover, the audit results shall be communicated to the board of the Liable BCR Member through the annual compliance report.

    Availability of audit results: Audit results shall be made available to the Competent SA(s) upon request.

    8.1. Overview

    This section provides a high-level description of the roles and responsibilities of Hydro staff dedicated to overseeing compliance with this BCR (the "Hydro Data Privacy Network").

    The Head of Data Privacy, Data Privacy Coordinators, and Data Privacy Champions, as appropriate, shall contribute to the Hydro Data Privacy Network to support the maintenance and continuous improvement of the Hydro Data Privacy framework.

    Hydro BCR Members shall ensure that dedicated resources are appointed to represent them in Hydro’s Data Privacy Network. Such dedicated resources shall monitor and coordinate data privacy activities, including facilitation of appropriate staff training and implementation of routines for internal control, risk assessment and risk management, to ensure compliance within the relevant Group Function, Business Area or in Global Business Services (“GBS”).

    8.2. Head of Data Privacy

    The Head of Data Privacy shall supervise overall compliance with the BCR and chair the Hydro Data Privacy Network. The Head of Data Privacy:

    • Advises the highest management level at Hydro and may inform such level if any questions or problems arise during the performance of its duties.
    • Coordinates and manages investigations and inquiries from Competent SA(s).
    • Monitors compliance with the BCR and submits annual reports to senior management on global compliance.
    • Can be directly contacted by data subjects and Competent SA(s). Hydro commits to publishing the contact details of the Head of Data Privacy on its website and in relevant privacy notices to ensure easy access.

    8.3. Data Privacy Coordinators

    Within a Group Function, Business Area or GBS, the dedicated Data Privacy Coordinator shall monitor and coordinate data privacy risk and activities within their area to ensure compliance with this BCR.

    The Data Privacy Coordinator shall contribute to Hydro’s Data Privacy Network and act as representative for BCR Members within their line organization. Data Privacy Coordinators shall ensure that relevant information from the network is communicated to stakeholders in their organization, and that relevant information from their organization is communicated to the Head of Data Privacy.

    8.4. Data Privacy Champions

    Data Privacy Champions are dedicated resources with assigned data privacy tasks that support the Data Privacy Coordinators with ensuring compliance in their respective area. As appropriate, Data Privacy Coordinators can appoint Data Privacy Champions from their line organization and delegate tasks and responsibilities to them.

    8.5. Data Protection Officer(s)

    Each Hydro BCR Member is committed to designating a data protection officer where required in line with Article 37 GDPR. If such a designation is made, the relevant Hydro BCR Member shall ensure that the data protection officer's role and responsibilities, including its independence, comply with Applicable EEA Data Protection Law.

    All Hydro BCR Members undertake to cooperate with the Competent SA(s). These authorities may conduct audits, including on-site inspections where necessary, to verify compliance with this BCR. Hydro agrees to take into account advice from and abide by decisions of the Competent SA(s) on any issue related to the BCR, and to provide such authorities with any information regarding the processing operations covered by the BCR.

    The Head of Data Privacy will serve as the primary contact for the Norwegian Data Protection Authority on matters related to this BCR or the processing of personal data within Hydro. Locally, the contact person will be the Managing Director of the relevant Hydro BCR Member, supported by the Head of Data Privacy and the relevant Data Privacy Coordinator.

    Hydro BCR Members accept that any disputes related to the Competent SA(s)'s exercise of supervision over BCR compliance will be resolved by the courts of the member state where the authority is based, in accordance with that member state's procedural law. Hydro BCR Members agree to submit to the jurisdiction of these courts in such matters.

    The Hydro BCR Members shall adhere to the data protection principles of Applicable EEA Data Protection Law, including those outlined below. Further details and guidelines regarding these data protection principles shall be established in sub-procedures to this BCR. Such sub-procedures shall not impose any limitations on the principles, except to the extent permitted by Applicable EEA Data Protection Law.

    Transparency, fairness, and lawfulness. Personal data shall be processed fairly, lawfully, and in a transparent manner in accordance with the principles stipulated in this BCR. This means that personal data shall be processed in compliance with Applicable EEA Data Protection Law, taking into account the legitimate interests of the data subject. This includes, among other things, providing appropriate information in a privacy notice, as detailed in section 14.8.

    Purpose limitation. Personal data shall be collected and processed for specified, explicit, and legitimate purposes as set out in section 3, and shall not be further processed in a manner incompatible with those purposes.

    Data minimisation and accuracy. Personal data shall be:

    • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are collected and/or further processed ("data minimisation");
    • Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which are inaccurate, with regard to the purposes for which they were collected or further processed, are erased or rectified without delay ("accuracy").

    Storage limitation. Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were collected or further processed ("storage limitation"). Hydro BCR Members shall establish and follow routines for data retention and deletion.

    Security. Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical and organizational measures, as further detailed in section 14.7.

    Onward transfer. Personal data transferred under the BCR shall only be onward transferred in accordance with section 14.9.

    The Hydro BCR Members rely on the legal bases for processing of personal data, subject to the BCR, as described in Exhibit 2.

    Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, Hydro is committed to implementing and maintaining appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Such measures include, among other things, the following:

    Technical measures. The technical security shall include, as appropriate:

    • Encryption of personal data at rest and/or in transit
    • Pseudonymization techniques
    • Robust access controls and authentication mechanisms
    • Network security measures, including firewalls and intrusion detection systems
    • Appropriate physical security measures
    • Backup and recovery procedures

    Organizational measures. The organizational security measures shall include, as appropriate:

    • Employee training on data protection
    • Involvement of the Hydro Data Privacy Network in data protection matters, which shall also include coordination and cooperation with staff responsible for information security and related processes
    • Incident response planning
    • Rigorous third-party processor management

    Risk assessment. Hydro shall conduct risk assessments considering the nature, scope, context, and purposes of its data processing activities, as well as potential impacts on data subjects' rights and freedoms, and – based on these assessments – implement and maintain measures to ensure security commensurate with identified risks.

    Continuous improvement. Hydro shall test, assess, and evaluate the effectiveness of the technical and organizational security measures, staying informed about state-of-the-art practices.

    In the event of a personal data breach, the relevant Hydro BCR Member shall, without undue delay, notify the Liable BCR Member and the relevant Data Privacy Coordinator (see section 6), as well as the Hydro BCR Member acting as a controller when the breach is identified by a Hydro BCR Member acting as a processor.

    The relevant Hydro BCR Member acting as controller shall, without undue delay and, where feasible, no later than 72 hours after becoming aware of the personal data breach, notify the Competent SA(s), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the Competent SA(s) is not made within 72 hours, the relevant Hydro BCR Member shall provide reasons for the delay.

    If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the relevant Hydro BCR Member shall communicate the breach to the affected data subjects without undue delay. This communication shall describe, in clear and plain language, the nature of the breach and include, at a minimum, the information and measures referred to in points (b), (c), and (d) of Article 33(3) GDPR.

    All personal data breaches shall be documented, including the facts surrounding the breach, its effects, and the remedial action taken. This documentation shall be made available to the Competent SA(s) upon request.

    Personal data transferred under the BCR may only be onward transferred to other controllers or processors not bound by the BCR if the conditions for transfers set out in Articles 44 to 46 GDPR are met, ensuring that the level of protection for natural persons guaranteed by the GDPR is not undermined. Additionally, onward transfers may exceptionally occur if a derogation applies, in accordance with Article 49 GDPR.

    15.1. General

    To the extent required by Applicable EEA Data Protection Law, any Hydro BCR Member shall respect the rights of the data subjects, as follows:

    15.2. Right to information

    In cases of collection of personal data from a data subject, the data subject shall be provided with the following information:

    • The identity and contact details of the controller and of their representative, if any.
    • The contact details of the data protection officer, where applicable.
    • The purposes of the processing and legal basis for such processing.
    • Which legitimate purposes are pursued when the processing is based on Article 6(1)(f) GDPR.
    • The recipients or categories of recipients of the personal data, if any.
    • When relevant, the fact that the controller intends to transfer the personal data to a Third Country and the legal basis for making such Transfer lawful.

    In addition, when required by Applicable EEA Data Protection Law and if necessary to ensure fair and transparent processing, the data subject shall be provided the following further information:

    • The period for which the personal data will be stored, or the criteria used to determine that period.
    • The existence of the right to request access to, correction, deletion, or restriction of processing, or to object to processing, as well as the right to data portability.
    • Where the processing is based on the data subject's consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
    • The right to lodge a complaint with a data protection authority.
    • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide such data.
    • The existence of automated decision-making, including profiling, referred to in section 15.10, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

    Where the personal data have not been collected from the data subject, the data subject shall be provided with the following information:

    • The identity and contact details of the controller and of their representative, if any.
    • The contact details of the data protection officer, where applicable.
    • The purposes of the processing and legal basis for such processing.
    • The categories of personal data concerned.
    • The recipients or categories of recipients of the personal data, if any.
    • When relevant, the fact that the controller intends to transfer the personal data to a Third Country and the legal basis for making such Transfer lawful.

    In addition, when required by Applicable EEA Data Protection Law and if necessary to ensure fair and transparent processing, the data subject shall be provided the following further information:

    • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
    • Which legitimate purposes are pursued when the processing is based on Article 6(1)(f) GDPR.
    • The existence of the right to request access to, correction, deletion, or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability.
    • Where the processing is based on the data subject's consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
    • The right to lodge a complaint with a data protection authority.
    • From which source the personal data originate, and, if applicable, whether it came from publicly accessible sources.
    • The existence of automated decision-making, including profiling, referred to in section 15.10, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

    Information mentioned above shall be provided within a reasonable time, however no later than one month after the personal data are obtained or, where relevant, at the latest at the time of the first communication with the data subject by use of said data or at the time of first disclosure of the data. Derogations may apply if the data subject already has the relevant information, or where the provision of such information proves impossible, would involve disproportionate effort, or is likely to seriously impair the achievement of objectives, as permitted by applicable law.

    15.3. Data subject's right of access

    Data subjects shall have the right to:

    • Obtain confirmation as to whether their personal data are processed and, if so, access to that data.
    • Information about the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the data are disclosed, particularly those located in countries outside the EEA. If such countries are not recognized by the EU Commission as ensuring an adequate level of protection, the data subject has the right to be informed of the appropriate safeguards.
    • Information about the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
    • Information about the right to request rectification, erasure, or restriction of processing of their personal data, or to object to the processing.
    • Information about the right to lodge a complaint with the Competent SA(s).
    • Where the personal data have not been collected from the data subject, any available information as to their source.
    • Information about any automated decision-making, including profiling, referred to in section 15.10, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing.

    15.4. Data subject's right of rectification

    Data subjects shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject shall also have the right to have incomplete personal data completed, including by means of a supplementary statement.

    15.5. Data subject's right of erasure

    Data subjects can request the erasure of personal data concerning them without undue delay when one of the grounds set out below applies:

    • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
    • The data subject withdraws their consent to the processing, and there is no other legal basis for the processing.
    • The data subject, on grounds relating to his or her particular situation, objects to the processing of personal data concerning him or her which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes.
    • The personal data have been unlawfully processed.
    • The personal data must be erased to comply with a legal obligation under applicable law in the EEA to which the controller is subject.

    Exceptions apply where the processing is necessary for exercising the right of freedom of expression and information, compliance with a legal obligation that requires processing under applicable law in the EEA or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or the establishment, exercise, or defense of legal claims. 

    15.6. Data subject's right of restriction of processing

    Data subjects shall have the right to obtain from the controller restriction of processing where one of the following applies:

    • The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data.
    • The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
    • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims.
    • The data subject has objected to the processing pending verification of whether the legitimate grounds of the controller override those of the data subject.

    Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EEA or the EEA country where the controller is established. The controller shall inform the data subject who has obtained restriction of processing before lifting the restriction.

    15.7. Notification regarding rectification or erasure of personal data or restriction of processing 

    The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Where required by Applicable EEA Data Protection Law, the controller shall inform the data subject about those recipients if the data subject so requests.

    15.8. Data subject's right of data portability

    Data subjects shall have the right to data portability, meaning the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance.

    15.9. Data subject's right to object to the processing

    Data subjects shall have the right to object at any time, on grounds relating to their particular situation, to the processing of data concerning them which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. If a data subject objects to the processing, the controller shall no longer process the personal data unless:

    • The controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject; or
    • The processing is necessary for the establishment, exercise, or defense of legal claims.

    Data subjects shall, where personal data are processed for the purposes of direct marketing, have the right to object at any time to processing of personal data concerning them for such marketing. This includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

    The right to object shall be explicitly brought to the data subject's attention in a clear way and separately from any other information, at the latest at the time of the first communication with the data subject. 

    15.10. Data subject's right not to be subject to automated decisions

    Data subjects shall have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, unless the decision:

    • (a) Is necessary for entering into, or the performance of, a contract between the data subject and the Hydro BCR Member;
    • (b) Is authorized by applicable local law to which the Hydro BCR Member is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests; or
    • (c) Is based on the data subject's explicit consent.

    In the cases referred to in (a) and (c) above, the Hydro BCR Member shall implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests, including the right to obtain human intervention from the Hydro BCR Member, to express their point of view, and to contest the decision.

    Automated decisions referred to in this section shall not be based on special categories of personal data unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests are in place.

    16.1. Demonstrating compliance

    Every Hydro BCR Member acting as controller shall be responsible for and able to demonstrate compliance with the BCR.

    16.2. Data processing agreement

    When a Hydro BCR Member acting as a controller engages an internal or external processor, a data processing agreement must be executed. Such data processing agreement shall, at a minimum, comply with Article 28(3) GDPR by including the following:

    • The subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, categories of data subjects, and the obligations and rights of the controller.
    • The processor:
      • Processes the personal data only on documented instructions from the controller, including regarding transfers of personal data to a Third Country, unless required to do so by Union or Member State law. In such a case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
      • Ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
      • Takes all measures required pursuant to Article 32 GDPR.
      • Respects the conditions referred to in Article 28(2) and 28(4) GDPR for engaging another processor.
      • Assists the controller by appropriate technical and organizational measures, as far as possible, for fulfilling the controller’s obligation to respond to requests for exercising data subjects' rights as laid down in Chapter III GDPR.
      • Assists the controller in ensuring compliance with Articles 32 to 36 GDPR, considering the nature of processing and the information available to the processor.
      • At the choice of the controller, deletes or returns all personal data after the end of the provision of services related to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data.
      • Makes available to the controller all information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

    16.3. Record of processing activities

    Hydro BCR Members shall maintain a record of processing activities containing at least all categories of processing activities carried out on personal data transferred under the BCR. The record shall be maintained in electronic form and made available to the Competent SA(s) upon request.

    For Hydro BCR Members acting as controllers, the record shall include at least:

    • The name and contact details of the controller, joint controller (where applicable), the controller's representative, and the data protection officer (if any).
    • The purposes of the processing.
    • A description of the categories of data subjects and the categories of personal data.
    • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations.
    • Where applicable, transfers of personal data to a Third Country, including the identification of the Third Country and the legal basis for the transfer.
    • Where possible, the envisaged time limits for the erasure of the different categories of data.
    • Where possible, a general description of the technical and organizational security measures implemented by the Hydro BCR Member.

    For Hydro BCR Members acting as processors, the record shall include at least:

    • The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer (if any).
    • The categories of processing carried out on behalf of each controller.
    • Where applicable, transfers of personal data to a Third Country, including the identification of that Third Country and, in the case of transfers referred to in the second subparagraph of Article 49(1) GDPR, the documentation of suitable safeguards.
    • Where possible, a general description of the technical and organizational security measures implemented by the Hydro BCR Member.

    16.4. Data protection impact assessments

    Where a processing operation on personal data transferred under the BCR is likely to result in a high risk to the rights and freedoms of natural persons, the Hydro BCR Member acting as controller shall, prior to processing, carry out a data protection impact assessment. If the assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the Hydro BCR Member acting as controller shall, prior to processing, consult the Competent SA(s).

    16.5. Data protection by design and by default

    Where required by Applicable EEA Data Protection Law, the Hydro BCR Member acting as controller shall, both at the time of determining the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, designed to implement data protection principles (e.g., data minimization) effectively and integrate the necessary safeguards into the processing to meet the requirements of the BCR and protect data subjects' rights. The controller shall also implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed.

    17.1. General

    Hydro BCR Members commit to using the BCR as a tool for transferring personal data to Third Countries only after assessing that the laws and practices of the Third Country applicable to the processing of personal data, including any requirements for disclosure or access by public authorities, do not prevent the Data Importer from fulfilling its obligations under the BCR.

    This assessment will be based on the understanding that laws and practices that respect the essence of fundamental rights and freedoms, and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with the BCR.

    17.2. Transfer impact assessment

    Hydro BCR Members commit to considering the following elements when assessing the laws and practices of the Third Country that may affect compliance with the BCR:

    Specific circumstances of the transfers or set of transfers, including:

    • Purposes for which the data are transferred and processed (e.g., marketing, HR, storage, IT support).
    • Types of entities involved in the processing, such as the Data Importer and any onward recipients, including whether the Data Importer is a public or private entity.
    • Economic sector in which the transfer or set of transfers occurs.
    • Categories and format of the personal data transferred (e.g., employee data, customer data, etc.).
    • Location of the processing, including where the data is stored and where it will be accessed or processed.
    • Transmission channels used, whether physical (e.g., courier services) or electronic (e.g., email, secure file transfer protocols).

    Laws and practices of the Third Country of destination, particularly:

    • Laws and practices that require disclosure of personal data to public authorities or grant such authorities access, including during transit.
    • Limitations and safeguards provided by the Third Country’s laws, specifically regarding access by public authorities.
    • The practical experience of entities within the Third Country with respect to the rule of law, human rights, and the availability of effective judicial remedies.

    Supplementary measures:

    Relevant contractual, technical, or organizational safeguards that supplement the BCR protections, including measures applied during both transmission and processing of the personal data in the Third Country. These may include:

    • Technical measures such as encryption or pseudonymization before transfer.
    • Contractual clauses ensuring the Data Importer complies with BCR requirements, including obligations to notify the Data Exporter of any access requests from public authorities.
    • Organizational measures such as detailed internal policies limiting access to personal data and providing oversight.

    17.3. Management of transfers

    Hydro BCR Members also commit to the following:

    Involvement: When assessing the need for supplementary safeguards beyond those provided under the BCR, the Head of Data Privacy and the Liable BCR Member will be informed and involved in the assessment process.

    Documentation and transparency: Hydro BCR Members are obliged to document the assessment of third-country laws and practices, including any supplementary measures implemented. This documentation shall be made available to the Competent SA(s) upon request.

    Notification to Data Exporters: If a Data Importer becomes subject to laws or practices that may prevent it from fulfilling its obligations under the BCR—such as through changes in law or government measures (e.g., disclosure requests)—the Data Importer will promptly notify the Data Exporter and the Liable BCR Member. The notification shall also include information on any changes in circumstances that could affect the original assessment.

    Identification of supplementary measures: Upon receiving such a notification, the Data Exporter, in collaboration with the Data Importer, the Liable BCR Member and the Head of Data Privacy, will promptly identify supplementary measures to be adopted by the Data Exporter and/or Data Importer. These may include additional technical or organizational measures to ensure the security and confidentiality of the personal data, so that the obligations under the BCR continue to be fulfilled. This also applies if a Data Exporter has reason to believe that a Data Importer can no longer fulfil its obligations under the BCR.

    Suspension of transfers: If the Data Exporter, along with the Liable BCR Member and the Head of Data Privacy, concludes that the BCR, even with supplementary measures, cannot be complied with for a particular transfer or set of transfers, or if instructed by a Competent SA, the Data Exporter commits to suspending the transfer or set of transfers. This suspension will also apply to any other transfers where a similar assessment leads to the same conclusion. The suspension shall be maintained until compliance is again ensured, or the transfer is terminated (see paragraph below).

    Termination of transfers: If compliance with the BCR cannot be restored within one month of suspension, the Data Exporter commits to ending the transfer or set of transfers. In such cases, any personal data that have already been transferred, along with any copies, will either be returned to the Data Exporter or destroyed in their entirety, based on the Data Exporter’s choice.

    Communication of findings: The Liable BCR Member and the Head of Data Privacy will inform all other Hydro BCR Members of the assessments conducted and their results. This communication will ensure that any supplementary measures identified are applied consistently across similar transfers by other Hydro BCR Members. If effective supplementary measures cannot be implemented, those transfers will be suspended or terminated.

    Ongoing monitoring: Data Exporters, in collaboration with Data Importers, have a duty to continuously monitor developments in the Third Countries to which personal data have been transferred. This ongoing monitoring will focus on any changes in laws or practices that could impact the original assessment of the adequacy of protection, as well as decisions regarding whether the transfers should continue, be modified, or be suspended.

    Without prejudice to the obligation of the Data Importer to inform the Data Exporter of its inability to comply with the commitments contained in the BCR (as set out in section 21), Hydro BCR Members commit to the following:

    The Data Importer will promptly notify the Data Exporter and, where possible, the data subject (with the assistance of the Data Exporter, if necessary) if it:

    • Receives a legally binding request from a public authority, under the laws of the country of destination or another third country, for the disclosure of personal data transferred under the BCR. This notification will include details about the personal data requested, the requesting authority, the legal basis for the request, and the response provided.
    • Becomes aware of any direct access by public authorities to personal data transferred under the BCR pursuant to the laws of the country of destination. Such notification will include all available information about the access.

    If the Data Importer is prohibited from notifying the Data Exporter and/or the data subject due to a legal requirement, the Data Importer will:

    • Use its best efforts to obtain a waiver of the prohibition, aiming to communicate as much information as possible and as soon as possible.
    • Document these best efforts to demonstrate them upon request by the Data Exporter or Competent SA(s).

    The Data Importer will provide the Data Exporter with as much relevant information as possible at regular intervals regarding the requests received, including:

    • The number of requests,
    • The types of data requested,
    • The requesting authority,
    • Whether the requests were challenged, and the outcomes of such challenges.

    If the Data Importer is or becomes partly or completely prohibited from providing this information, it will inform the Data Exporter without undue delay. The Data Importer will preserve the aforementioned information for as long as the personal data are subject to the safeguards provided by the BCR and will make this information available to the Competent SA(s) upon request.

    The Data Importer will review the legality of any request for disclosure, particularly verifying whether the request falls within the powers of the requesting public authority. If, after careful assessment, the Data Importer concludes that there are reasonable grounds to believe the request is unlawful under the laws of the country of destination, international law obligations, or principles of international comity, the Data Importer will challenge the request.

    The Data Importer will pursue possibilities of appeal and, where applicable, seek interim measures to suspend the effect of the request until a competent judicial authority has ruled on the matter. The Data Importer will not disclose the personal data requested unless required to do so under applicable procedural rules.

    The Data Importer will document its legal assessment and any challenge to the request for disclosure and will, to the extent permitted by the laws of the country of destination, make this documentation available to the Data Exporter. The Data Importer will also make such documentation available to Competent SA(s) upon request.

    The Data Importer will only provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

    Finally, Hydro BCR Members commit that any transfer of personal data to a public authority under such requests will not be conducted in a manner that is massive, disproportionate, or indiscriminate, exceeding what is necessary in a democratic society.

    Upon the termination of a Hydro BCR Member's commitment to the BCR, the Data Importer may retain the personal data received under the BCR. The Data Importer will ensure that such retained personal data continues to be protected in accordance with the requirements of Chapter V of the GDPR. This means that Data Importer will maintain appropriate security measures to protect the personal data from unauthorized or unlawful processing and from accidental loss, destruction, or damage.

    Transfer only to bound Hydro BCR Members: No personal data shall be transferred to a Hydro BCR Member under this BCR unless that Hydro BCR Member is effectively bound by the BCR and can ensure full compliance with the commitments outlined herein.

    Notification of inability to comply: The Data Importer will promptly notify the Data Exporter if, for any reason, it is unable to comply with the obligations set out in these BCR. This includes situations where local laws prevent compliance or where any breach has occurred (as described in Section 21).

    Suspension of transfers: In the event that the Data Importer is in breach of these BCR or unable to comply with its obligations, the Data Exporter will immediately suspend the transfer of personal data until the breach is remedied or compliance is restored.

    Return or deletion of personal data: At the choice of the Data Exporter, the Data Importer will immediately return or delete all personal data that has been transferred under these BCR, along with any copies, if:

    • The Data Exporter has suspended the transfer, and compliance with the BCR is not restored within a reasonable time, and in any event, within one month of the suspension.
    • The Data Importer is in substantial or persistent breach of the BCR.
    • The Data Importer fails to comply with a binding decision of a competent court or Competent SA(s) regarding its obligations under the BCR.

    Certification of deletion: If the data is deleted, the Data Importer will provide certification to the Data Exporter confirming that all personal data, and any copies thereof, have been deleted.

    Ensuring compliance until return or deletion: Until the personal data is either returned or deleted, the Data Importer will continue to ensure compliance with the BCR, maintaining the appropriate level of protection for the data.

    Local law exceptions: If the local laws applicable to the Data Importer prohibit the return or deletion of the personal data, the Data Importer will ensure that it continues to comply with the BCR. The data will only be processed to the extent and for as long as required by the local laws, while continuing to provide the appropriate safeguards for the personal data.

    Duty to keep the BCR up-to-date: The Liable BCR Member commits to keeping the BCR up-to-date to reflect any changes in the regulatory environment, EDPB Recommendations, or changes to the scope of the BCR. Any updates will be made without undue delay to ensure the BCR remains fully compliant with GDPR requirements and continues to provide the necessary protections for data subjects.

    Reporting changes: Any changes to the BCR, including updates to the list of Hydro BCR Members, must be reported without undue delay to all Hydro BCR Members.

    Person or department responsible for updates: Hydro will appoint a specific person, team, or department responsible for maintaining an updated list of Hydro BCR Members, recording any updates to the BCR, and providing necessary information to data subjects and, upon request, to the Competent SA(s).

    Notification of detrimental changes: If any modification to the BCR could potentially lower the level of protection offered or significantly affect the BCR (such as changes to the binding nature of the BCR or changes in the Liable BCR Member), Hydro will communicate such changes in advance to the Competent SA(s) via the Lead SA, along with an explanation of the reasons for the updates. The Competent SA(s) will assess whether these changes require new approval.

    Annual notification to Competent SA(s): Once a year, Hydro will notify the Competent SA(s), via the Lead SA, of any changes to the BCR or the list of Hydro BCR Members, along with an explanation of the reasons for those changes. This includes any changes made to align the BCR with updated EDPB recommendations. If no changes have been made during the year, Hydro will still notify the Competent SA(s), via the Lead SA, of this fact.

    Renewal of asset confirmation: As part of the annual update or notification, Hydro will renew its confirmation regarding the sufficiency of assets (as described in Section 1.5 of the BCR) to ensure that liability and compensation obligations can be met.

    Responsibility for compliance: Hydro remains responsible for ensuring that the BCR is kept up-to-date and remains compliant with Article 47 GDPR and the EDPB Recommendations.

    When terms defined in Article 4 GDPR are used in the BCR, the meaning ascribed to them in the GDPR shall apply. Moreover, the following terms shall have the following meanings:

    Applicable EEA Data Protection Law: GDPR and any national law in the EEA implementing such regulation.

    BCR: This Hydro Binding Corporate Rules for controllers (BCR-C), including any of its appendices.

    Business Area: A division of operations in Hydro with common core business activities as described on Hydro’s website. The Business Areas are divided into business units when applicable and may represent one or more Hydro BCR Members established in one or more countries.

    Code of Conduct: Set of rules outlining the norms, rules and responsibilities for proper conduct within a Hydro BCR Member company.

    Competent SA(s): The data protection authority or authorities responsible for overseeing and ensuring compliance with Applicable EEA Data Protection Law within their respective jurisdictions that apply to any Data Exporter.

    Data Exporter: Any Hydro BCR Member established in the EEA that transfers personal data to any Hydro BCR Member established in a Third Country.

    Data Importer: Any Hydro BCR Member established in a Third Country that receives personal data from any Hydro BCR Member established in the EEA.

    Data Privacy Champion: Shall have the meaning as defined in section 8.4.

    Data Privacy Coordinator: Shall have the meaning as defined in section 8.3.

    EEA: The European Economic Area, meaning the EU member states together with the EFTA countries (Liechtenstein, Iceland and Norway).

    Global Business Services (‘GBS’): Hydro’s shared services organization.

    GDPR: EU Regulation 2016/679 (General Data Protection Regulation).

    Group Function: A department at corporate level in Hydro with group-wide governance responsibility within a specific area of expertise.

    Head of Data Privacy: The person who shall supervise implementation of the BCR and who is responsible for overall monitoring data privacy compliance in Hydro.

    Hydro (Hydro BCR Group): Norsk Hydro ASA (the Liable BCR Member) and all Hydro BCR Members, individually or jointly, as the case may be.

    Hydro BCR Member: Norsk Hydro ASA, any fully owned subsidiary of Norsk Hydro ASA, and any other legal entities where Hydro directly or indirectly controls more than 50% of the voting rights and that (i) adheres to Required Hydro Governance Documents, and (ii) that is party to the Intragroup Agreement. Exhibit 1 to the BCR lists the current Hydro BCR Members.

    Hydro Data Privacy Network: Shall have the meaning as defined in section 8.1.

    Intragroup Data Agreement: The Hydro Intragroup Data Agreement to which this BCR is appended.

    Lead SA: The Norwegian Supervisory Authority (Datatilsynet).

    Liable BCR Member: Norsk Hydro ASA, as described in section 3.3.

    Required Hydro Governance Documents: Those governance documents in Hydro relevant for data protection (including privacy, data security, and audits) as listed in Exhibit 3, as amended or replaced from time to time.

    Third Country: Any country outside the EEA, with the exception of those countries approved on the basis of an adequacy decision pursuant to Article 45(3) GDPR, and any international organisation.


    Exhibit 1:

    Unit name Country BCR contact point
    Alumetal Group Hungary Kft. Hungary privacy@hydro.com
    Alumetal Poland sp. z.o.o  Poland privacy@hydro.com
    Alumetal S.A. Poland privacy@hydro.com
    ALUNORTE - Alumina do Norte do Brasil S. A. Brazil privacy@hydro.com
    Atlas Alumínio S.A. Brazil privacy@hydro.com
    Companhia de Alumina do Pará S.A. Brazil privacy@hydro.com
    Enerein Holding B.V. Netherlands  privacy@hydro.com
    Eugen Notter GmbH Beschlägefabrik Germany privacy@hydro.com
    Extrusion Services Sarl France privacy@hydro.com
    Hycast AS Norway privacy@hydro.com
    Hycast North America LLC USA privacy@hydro.com
    Hydro Aluminium AS Norway privacy@hydro.com
    Hydro Aluminium Asia Pte. Ltd. Singapore privacy@hydro.com
    Hydro Aluminium Australia Pty. Limited Australia privacy@hydro.com
    Hydro Aluminium Beijing Ltd China privacy@hydro.com
    Hydro Aluminium Brasil Investment B.V. Netherlands privacy@hydro.com
    Hydro Aluminium Canada and Company Limited Partnership Canada privacy@hydro.com
    Hydro Aluminium Canada Inc. Canada privacy@hydro.com
    Hydro Aluminium Clervaux S.A. Luxembourg privacy@hydro.com
    Hydro Aluminium Deeside Ltd. UK privacy@hydro.com
    Hydro Aluminium Deutschland GmbH Germany privacy@hydro.com
    Hydro Aluminium Extrusion Portugal HAEP, S.A. Portugal privacy@hydro.com
    Hydro Aluminium Gießerei Rackwitz GmbH Germany privacy@hydro.com
    Hydro Aluminium High Purity GmbH Germany privacy@hydro.com
    Hydro Aluminium Holdings Ltda Brazil privacy@hydro.com
    Hydro Aluminium International SA Switzerland privacy@hydro.com
    Hydro Aluminium Investment B.V. Netherlands privacy@hydro.com
    Hydro Aluminium Japan KK Japan privacy@hydro.com
    Hydro Aluminium Kurri Kurri Pty. Limited Australia privacy@hydro.com
    Hydro Aluminium Metal Products S.r.l. Italy privacy@hydro.com
    Hydro Aluminium Metals USA, LLC USA privacy@hydro.com
    Hydro Aluminium Pará B.V. Netherlands privacy@hydro.com
    Hydro Aluminium Qatalum Holding B.V. Netherlands privacy@hydro.com
    Hydro Aluminium Recycling Deutschland GmbH Germany privacy@hydro.com
    Hydro Aluminum Fabrication (Taicang) Co. Ltd China privacy@hydro.com
    Hydro BS India Private Limited India privacy@hydro.com
    Hydro Building Systems (Beijing) Co. Ltd. China privacy@hydro.com
    Hydro Building Systems Atessa S.r.l. Italy privacy@hydro.com
    Hydro Building Systems Austria GmbH Austria privacy@hydro.com
    Hydro Building Systems Belgium NV Belgium privacy@hydro.com
    Hydro Building Systems Beograd d.o.o. Serbia privacy@hydro.com
    Hydro Building Systems Coating GmbH Germany privacy@hydro.com
    Hydro Building Systems Croatia d.o.o. Croatia privacy@hydro.com
    Hydro Building Systems Czechia sro Czech Republic privacy@hydro.com
    Hydro Building Systems d.o.o. Sarajevo Bosnia and Herzegovina privacy@hydro.com
    Hydro Building Systems Extrusion GmbH Germany privacy@hydro.com
    Hydro Building Systems Germany GmbH Germany privacy@hydro.com
    Hydro Building Systems Italy S.p.a. Italy privacy@hydro.com
    Hydro Building Systems Lithuania UAB Lithuania privacy@hydro.com
    Hydro Building Systems LLC Egypt privacy@hydro.com
    Hydro Building Systems Lüdenscheid GmbH Germany privacy@hydro.com
    Hydro Building Systems Middle East (FZC) LLC Oman privacy@hydro.com
    Hydro Building Systems Middle East FZCO UAE privacy@hydro.com
    Hydro Building Systems Middle East WLL Bahrain privacy@hydro.com
    Hydro Building Systems Netherlands B.V. Netherlands privacy@hydro.com
    Hydro Building Systems Portugal (HBSPT) S.A. Portugal privacy@hydro.com
    Hydro Building Systems Spain S.L.U. Spain privacy@hydro.com
    Hydro Building Systems Sweden AB Sweden privacy@hydro.com
    Hydro Building Systems Switzerland AG Switzerland privacy@hydro.com
    Hydro Building Systems UK Limited UK privacy@hydro.com
    Hydro Enerein Ltda. Brazil privacy@hydro.com
    Hydro Energi AS Norway privacy@hydro.com
    Hydro Energi Invest AS Norway privacy@hydro.com
    Hydro Extruded Solutions AB Sweden privacy@hydro.com
    Hydro Extruded Solutions AS Norway privacy@hydro.com
    Hydro Extrusion Albi SAS France privacy@hydro.com
    Hydro Extrusion Argentina S.A. Argentina privacy@hydro.com
    Hydro Extrusion Baltics OÜ Estonia privacy@hydro.com
    Hydro Extrusion Brasil S.A. Brazil privacy@hydro.com
    Hydro Extrusion Canada Inc. Canada privacy@hydro.com
    Hydro Extrusion Denmark A/S Denmark privacy@hydro.com
    Hydro Extrusion Deutschland GmbH Germany privacy@hydro.com
    Hydro Extrusion Finland Oy Finland privacy@hydro.com
    Hydro Extrusion Hungary kft. Hungary privacy@hydro.com
    Hydro Extrusion Italy S.r.l. Italy privacy@hydro.com
    Hydro Extrusion Lucé/Châteauroux SAS France privacy@hydro.com
    Hydro Extrusion Lüdenscheid GmbH Germany privacy@hydro.com
    Hydro Extrusion Nenzing GmbH Austria privacy@hydro.com
    Hydro Extrusion Netherlands B.V. Netherlands privacy@hydro.com
    Hydro Extrusion Norway AS Norway privacy@hydro.com
    Hydro Extrusion Offenburg GmbH Germany privacy@hydro.com
    Hydro Extrusion Poland Sp. z.o.o. Poland privacy@hydro.com
    Hydro Extrusion Portland, Inc. USA privacy@hydro.com
    Hydro Extrusion Puget SAS France privacy@hydro.com
    Hydro Extrusion Raeren SA Belgium privacy@hydro.com
    Hydro Extrusion Slovakia a.s. Slovakia privacy@hydro.com
    Hydro Extrusion Spain S.A. Spain privacy@hydro.com
    Hydro Extrusion Sweden AB Sweden privacy@hydro.com
    Hydro Extrusion USA LLC USA privacy@hydro.com
    Hydro HAVRAND AS Norway privacy@hydro.com
    Hydro Holding Austria GmbH Austria privacy@hydro.com
    Hydro Holding Denmark A/S Denmark privacy@hydro.com
    Hydro Holding France SAS France privacy@hydro.com
    Hydro Holding North America, Inc. USA privacy@hydro.com
    Hydro Holding Offenburg GmbH Germany privacy@hydro.com
    Hydro Holding Singapore Pte Ltd Singapore privacy@hydro.com
    Hydro Holdings UK Limited UK privacy@hydro.com
    Hydro Kapitalforvaltning AS Norway privacy@hydro.com
    Hydro Paragominas B.V. Netherlands privacy@hydro.com
    Hydro Precision Tubing Manufacturing Monterrey S.de R.L. de C.V. Mexico privacy@hydro.com
    Hydro Precision Tubing Monterrey Central LLC USA privacy@hydro.com
    Hydro Precision Tubing Monterrey LLC USA privacy@hydro.com
    Hydro Precision Tubing Reynosa S.de R.L. de C.V. Mexico privacy@hydro.com
    Hydro Precision Tubing Tønder A/S Denmark privacy@hydro.com
    Hydro Precision Tubing USA LLC USA privacy@hydro.com
    Hydro Renewables Holding AS Norway privacy@hydro.com
    Hydro Renewables Norway Holding AS Norway privacy@hydro.com
    Hydro Shared Services France France privacy@hydro.com
    Hydro Tool Center SAS Norway privacy@hydro.com
    Hydro Torija, S.L.U. Spain privacy@hydro.com
    Hydro Vigelands Brug AS Norway privacy@hydro.com
    Hydro Yapi Sistem Sanayi VE Ticaret AS Turkey privacy@hydro.com
    Hydrovolt AS Norway privacy@hydro.com
    Industriforsikring AS Norway privacy@hydro.com
    Mineração Paragominas S.A. Brazil privacy@hydro.com
    Norsk Hydro Brasil Ltda. Brazil privacy@hydro.com
    Norsk Hydro E.U. SRL Belgium privacy@hydro.com
    Norsk Hydro Employee Trust Ltd. UK privacy@hydro.com
    Norsk Hydro Energia Ltda. Brazil privacy@hydro.com
    Norsk Hydro Holland B.V. Netherlands privacy@hydro.com
    Norsk Hydro USA LLC USA privacy@hydro.com
    Svelgfos AS Norway privacy@hydro.com
    T + S sp. z.o.o. Poland privacy@hydro.com
    VAW-Innwerk Unterstützungs-Gesellschaft GmbH Germany privacy@hydro.com


    Exhibit 2: Scope of transfers

    Each entry below gives the processing purpose, the personal data* transferred, the categories of data subjects, any special categories of personal data* and any data on criminal convictions / offences* (Article 10).

    HR Management
    Processing purpose: Administer and oversee all aspects of employment, including onboarding, employment contracts, payroll, performance management, training, and support for contractors and dependents. Facilitate employee engagement, manage compensation and benefits, and ensure compliance with labor regulations.
    Personal data*: Name, contact details, job title, employment history, educational background, payroll information, bank account details, tax information, performance evaluations, insurance and pension details, photo, leave details, and training records.
    Categories of data subjects: Personnel.
    Special categories of personal data*: Health data (e.g., for medical leave), union membership (if relevant for payroll deductions), and diversity information (if voluntarily provided for compliance).
    Criminal convictions / offences* (Article 10): N/A

    Recruitment
    Processing purpose: Manage recruitment processes, including job postings, applicant screening, interview scheduling, and candidate selection. Facilitate background checks, reference verification, and communication with candidates throughout the hiring process.
    Personal data*: Name, contact details, resume/CV, educational history, employment history, qualifications, references, background checks, test results, and interview notes.
    Categories of data subjects: Job applicants.
    Special categories of personal data*: May include incidental special categories of personal data from resumes or interviews (e.g., religion, health status, political views), if voluntarily provided by candidates.
    Criminal convictions / offences* (Article 10): May include data on criminal convictions as part of background checks, if legally permissible and relevant to the role.

    Workforce Planning and Control
    Processing purpose: Facilitate workforce and resource management through scheduling, time tracking, organizational assessments, and internal audits. Use data for productivity analysis, resource allocation, performance metrics, and workforce planning. Conduct regular reviews to support efficient operations.
    Personal data*: Name, job role, work schedule, timesheets, productivity reports, and survey responses.
    Categories of data subjects: N/A
    Special categories of personal data*: N/A
    Criminal convictions / offences* (Article 10): N/A

    Health, Safety, and Environment (HSE) Management
    Processing purpose: Ensure workplace health, safety, and environmental protection by managing incident reporting, risk assessments, and compliance with occupational health regulations. Support well-being programs and maintain a safe and healthy workplace.
    Personal data*: Name, contact details, incident reports, workplace location, and emergency contact information.
    Categories of data subjects: Personnel; visitors.
    Special categories of personal data*: Health data (e.g., medical history for workplace health assessments).
    Criminal convictions / offences* (Article 10): N/A

    IT Administration
    Processing purpose: Administer and safeguard IT systems to ensure operational availability, security, and regulatory compliance. This includes managing user access rights, performing security audits, supporting information security, and implementing data loss prevention (DLP) measures. Conduct cybersecurity training and regular vulnerability assessments.
    Personal data*: Username, IP address, login activity, access logs, device identifiers, and email addresses.
    Categories of data subjects: Personnel; visitors using the IT systems.
    Special categories of personal data*: N/A
    Criminal convictions / offences* (Article 10): N/A

    Video Surveillance and Activity Logging
    Processing purpose: Support and manage safeguarding against illegal or unauthorized entry into areas, buildings and aircraft, or support the control of equipment and/or production processes.
    Personal data*: Visual recordings (CCTV footage), access logs, timestamps, and user activity logs.
    Categories of data subjects: Personnel; visitors.
    Special categories of personal data*: N/A
    Criminal convictions / offences* (Article 10): May capture incidental data on criminal activities if observed in the course of surveillance, reported to authorities as required by law.

    Personnel Complaints Management
    Processing purpose: Track, manage, and resolve complaints and concerns reported by personnel, ensuring confidentiality and adherence to internal procedures. Document resolution steps and any corrective actions, enabling an environment of trust and accountability.
    Personal data*: Name, contact details, complaint details, witness statements, and any communications regarding the complaint.
    Categories of data subjects: Personnel.
    Special categories of personal data*: Health data (if related to the complaint), and potentially sensitive data on conduct or behaviors.
    Criminal convictions / offences* (Article 10): May involve data on criminal conduct if relevant to the complaint and necessary for investigation or legal action.

    Marketing
    Processing purpose: Facilitate business-to-business (B2B) marketing activities, including sending newsletters, event invitations, and other promotional communications to maintain and enhance business relationships. Track engagement and feedback to refine marketing strategies.
    Personal data*: Name, business contact information, job title, communication preferences, and interaction history.
    Categories of data subjects: Personnel of customers, suppliers, and other business partners.
    Special categories of personal data*: N/A
    Criminal convictions / offences* (Article 10): N/A

    Accounting
    Processing purpose: Manage financial transactions and records, including invoicing, accounts receivable and payable, budget management, and financial reporting. Support tax filings and audits to ensure regulatory compliance.
    Personal data*: Name, contact details, financial records, invoices, transaction details, and payment history.
    Categories of data subjects: Personnel; personnel of customers, suppliers, and other business partners.
    Special categories of personal data*: N/A
    Criminal convictions / offences* (Article 10): May include incidental criminal data if required for legal or audit purposes, subject to compliance with applicable laws.

    Customer and Business Relationship Management
    Processing purpose: Manage business relationships by processing personal data for contract management, customer service, supplier management, and regulatory compliance. Support secure operations through customer feedback and engagement tracking, and manage interactions as part of providing products and services.
    Personal data*: Contact information, contract details, transaction history, customer feedback, and communications.
    Categories of data subjects: Personnel of customers, suppliers, and other business partners.
    Special categories of personal data*: N/A
    Criminal convictions / offences* (Article 10): N/A

    Whistleblowing, Complaints and Investigations
    Processing purpose: Operate a confidential whistleblower channel for employees and third parties to report concerns, incidents, and potential violations. Conduct thorough investigations, ensure follow-up, and protect against retaliation. Support anonymous reporting and track incident outcomes.
    Personal data*: Name, contact details (if provided), details of the reported incident, and communications regarding the investigation.
    Categories of data subjects: Personnel; personnel of customers, suppliers, and other business partners.
    Special categories of personal data*: May include special categories of personal data related to conduct or ethical violations, and possibly health data if the complaint involves a health concern.
    Criminal convictions / offences* (Article 10): May include data on criminal convictions or offenses if relevant to compliance efforts, reported or retained as necessary to meet legal or regulatory obligations.

    Integrity Due Diligence
    Processing purpose: Conduct integrity due diligence (IDD) to identify and mitigate ethical, legal, and reputational risks associated with business relationships, transactions, and third parties. The process involves assessing potential conflicts of interest, fraud, corruption, and compliance risks to support ethical and informed decision-making. IDD may also include screening against sanctions lists, adverse media, and other publicly available information to ensure adherence to applicable laws and corporate policies.
    Personal data*: Name, contact details, professional background, organizational affiliations, publicly available information (e.g., media reports, sanctions lists, compliance databases), and disclosures of potential conflicts of interest.
    Categories of data subjects: Personnel of customers, suppliers, business partners, and other stakeholders.
    Special categories of personal data*: May include special categories of personal data where necessary to assess risks, such as information relating to political opinions, if relevant for compliance purposes.
    Criminal convictions / offences* (Article 10): May include data on criminal convictions or offenses if relevant to due diligence or compliance efforts.

    Legal Compliance Data Management
    Processing purpose: Collect and retain data to meet legal requirements, such as tax filings, import/export regulations, audit trails, and other compliance obligations. Support corporate governance through regulatory submissions, legal defense, and audit documentation.
    Personal data*: Name, contact details, tax information, financial records, legal documents, and audit logs.
    Categories of data subjects: Personnel; personnel of customers, suppliers, and other business partners.
    Special categories of personal data*: N/A
    Criminal convictions / offences* (Article 10): May include criminal data if required for legal or regulatory compliance.

    * Depending on the circumstances


    Contact
    Hydro’s Head of Data Privacy may be contacted by e-mail at privacy@hydro.com or by mail at:
    Head of Data Privacy
    c/o Norsk Hydro ASA, Drammensveien 264,
    Oslo, Norway

    Effective date and last update
    BCR effective date: May 2018
    BCR last update: December 2024