Privacy and Transparency Policy for Individuals' Data
Planned Packaging of Illinois Corp. | Version 2.0 | January 1, 2026
| Document Property | Details |
|---|---|
| Organization | Planned Packaging of Illinois Corp. |
| Location | Nashville, Tennessee |
| Industry | Manufacturing (Packaging Plant) |
| Policy Owner | Clarence Simms, CIO/DPO |
| Revision Number | 2.0 |
| Revision Date | January 1, 2026 |
| Next Review Date | January 1, 2027 |
| Compliance Standards | NIST Privacy Framework (Communicate-P), NIST 800-53 PT/TR, CCPA §1798.100-130, GDPR Art. 12-22 |
| Approved By | Jason Robertson, CEO |
CONFIDENTIAL
© 2026 Planned Packaging of Illinois Corp. All rights reserved.
1. Executive Summary
This Privacy and Transparency Policy demonstrates Planned Packaging of Illinois Corp.'s (PPOIC) commitment to implementing industry best practices for privacy and ensuring individuals are informed about how their personal data is processed. This policy establishes clear procedures for individuals to exercise their privacy rights including access, correction, deletion, and portability of their personal data.
Key Highlights:
- Transparent communication about personal data processing
- Clear procedures for individuals to exercise their rights
- Designated Data Protection Officer (DPO) oversight
- Ready-to-use request forms and response templates
- CCPA and GDPR-aligned individual rights framework
2. Purpose and Scope
2.1 Purpose
The purpose of this policy is to:
- Ensure transparency in personal data processing activities
- Enable individuals to exercise their privacy rights effectively
- Establish clear, accessible procedures for rights requests
- Comply with CCPA, GDPR best practices, and privacy regulations
- Build trust through open communication about data practices
2.2 Scope
This policy applies to:
- All individuals whose personal data is processed by PPOIC (employees, customers, vendors, visitors)
- All PPOIC personnel who handle individual rights requests
- All forms of personal data processing (collection, storage, use, disclosure, deletion)
- Privacy notices, communications, and individual rights request procedures
3. Privacy Principles and Commitments
3.1 Core Privacy Principles
PPOIC adheres to the following privacy principles:
| Principle | PPOIC Commitment |
|---|---|
| Transparency | We are open and clear about what personal data we collect, why we collect it, and how we use it |
| Purpose Limitation | We collect personal data only for specific, legitimate purposes and do not use it in ways incompatible with those purposes |
| Data Minimization | We collect only the personal data that is necessary for our stated purposes |
| Accuracy | We take reasonable steps to ensure personal data is accurate and up-to-date |
| Storage Limitation | We retain personal data only as long as necessary for the purposes for which it was collected |
| Security | We implement appropriate technical and organizational measures to protect personal data |
| Accountability | We take responsibility for personal data in our control and demonstrate compliance with privacy principles |
3.2 Individual Rights Framework
PPOIC respects and facilitates the following individual rights:
- Transparent privacy notices
- Request copy of personal data
- Rectify inaccurate data
- Request erasure of data
- Receive data in structured format
- Opt-out of data sales/sharing
4. Transparency and Privacy Notices
4.1 Privacy Notice Requirements
PPOIC provides clear, accessible privacy notices that explain:
| Notice Element | Content |
|---|---|
| Identity and Contact | Who is collecting personal data (PPOIC) and how to contact us |
| Data Protection Officer | Name and contact information for Clarence Simms, CIO/DPO |
| Types of Personal Data | Categories of personal data collected |
| Purpose of Processing | Why we collect and use personal data |
| Legal Basis | Legal justification for processing (consent, contract, legitimate interest, legal obligation) |
| Recipients | Who may receive personal data (service providers, business partners, legal authorities) |
| Retention Periods | How long personal data will be retained |
| Individual Rights | Rights individuals have and how to exercise them |
| Right to Withdraw Consent | How to withdraw consent (where consent is the legal basis) |
| Right to Lodge Complaint | How to file a complaint with regulatory authority |
4.2 When Privacy Notices Are Provided
- At Collection: Privacy notices provided at or before personal data collection
- Employment: Privacy notice provided to job applicants and employees
- Customer Onboarding: Privacy notice included in contracts or provided at first interaction
- Website: Privacy policy prominently posted on PPOIC website
- Material Changes: Updated privacy notices when practices significantly change
4.3 Accessibility of Privacy Notices
- Written in clear, plain language (avoiding legal jargon)
- Available in multiple formats (online, printed, large print upon request)
- Prominently displayed and easy to find
- Provided free of charge
- Available in Spanish and other languages upon request for significant populations
5. Individual Rights Procedures
5.1 Right to Access (Data Subject Access Request)
What Individuals Can Request:
- Confirmation of whether PPOIC processes their personal data
- Copy of personal data in PPOIC's possession
- Information about how personal data is used
- Categories of personal data collected
- Sources from which personal data was obtained
- Third parties to whom personal data was disclosed
How to Request:
- Email: privacy@ppoic.com
- Mail: Data Protection Officer, PPOIC, [Address], Nashville, TN [ZIP]
- Online Form: Available on PPOIC website
- In-Person: Submit written request to HR (employees) or customer service
Verification Process:
To protect privacy, PPOIC verifies the identity of requesters by:
- Matching name and contact information to records
- Requesting additional identifying information (date of birth, last 4 of SSN, account number)
- For high-risk requests involving sensitive data: multi-factor verification
Response Timeline:
- CCPA Standard: 45 days (with 45-day extension if complex, with notice to individual)
- PPOIC Target: 30 days for standard requests
Response Format:
PPOIC provides data in:
- Structured, commonly used electronic format (PDF, CSV, JSON)
- Human-readable format
- Secure delivery method (encrypted email, secure portal, registered mail)
5.2 Right to Correction (Rectification)
What Individuals Can Request:
- Correction of inaccurate personal data
- Completion of incomplete personal data
- Update of out-of-date personal data
PPOIC Process:
- Individual submits correction request with specific inaccuracies identified
- DPO reviews request and verifies identity
- If correction is warranted: update personal data within 45 days
- Notify individual of correction
- If personal data was disclosed to third parties: inform them of correction (where feasible)
- If correction is denied: provide explanation and inform individual of right to appeal
Situations Where Correction May Be Declined:
- Request seeks to change factual records (e.g., historical transaction data)
- Request seeks to alter data required for legal/compliance purposes
- Data is demonstrably accurate and individual disagrees with accurate data
5.3 Right to Deletion (Erasure)
What Individuals Can Request:
- Deletion of personal data PPOIC holds about them
- Erasure from all systems including backups (within reasonable timeframe)
When Deletion Must Be Honored (CCPA):
- Personal data is no longer necessary for the purpose for which it was collected
- Individual withdraws consent (if consent was the basis for processing)
- Individual objects to processing and no overriding legitimate grounds exist
- Personal data was unlawfully processed
- Deletion is required by law
Exceptions (When Deletion May Be Denied):
- Necessary to complete transaction or provide requested goods/services
- Required to detect/prevent security incidents or fraud
- Necessary to comply with legal obligations
- Required to defend against legal claims
- Subject to legal hold or ongoing investigation
- Needed for internal uses reasonably aligned with individual's expectations
PPOIC Deletion Process:
- Receive and verify deletion request
- Assess whether exceptions apply (consult Legal if needed)
- If deletion granted: erase personal data from all systems per Data Retention Policy
- Confirm deletion to individual within 45 days
- If deletion denied: provide detailed explanation and inform individual of right to appeal
5.4 Right to Data Portability
What Individuals Can Request:
- Receive personal data in structured, machine-readable format
- Transmit personal data to another controller (where technically feasible)
Scope of Portability Right:
Applies to personal data that:
- Was directly provided by the individual (not inferred or derived)
- Is processed by automated means (digital data)
- Is processed on the basis of consent or contract
Data Formats Provided:
- CSV: For structured tabular data
- JSON: For complex structured data
- XML: For data with hierarchical structure
- PDF: For human-readable copy (in addition to machine-readable format)
PPOIC Portability Process:
- Receive portability request
- Verify identity and assess scope
- Extract relevant personal data in structured format
- Provide data securely to individual within 45 days
- If individual requests direct transmission to another organization: facilitate if technically feasible
5.5 Right to Opt-Out of Sales/Sharing
PPOIC Position on Data Sales:
PPOIC does not sell personal information.
If PPOIC's practices change in the future, we will:
- Provide clear notice to individuals
- Offer opt-out mechanism (online "Do Not Sell My Personal Information" link)
- Honor opt-out requests within 15 days
- Not discriminate against individuals who opt-out
5.6 Right to Non-Discrimination
PPOIC will not discriminate against individuals for exercising their privacy rights. We will not:
- Deny goods or services
- Charge different prices or rates
- Provide different level or quality of goods/services
- Suggest individual will receive different price or quality
Exception: PPOIC may offer financial incentives for collection/retention of personal data (with individual consent) if the difference is reasonably related to the value provided by the individual's data.
6. Roles and Responsibilities
6.1 Data Protection Officer (DPO)
Position: Clarence Simms, CIO/DPO
Responsibilities:
- Serve as primary point of contact for individual rights requests
- Oversee processing of access, correction, deletion, and portability requests
- Ensure compliance with CCPA and privacy regulations
- Coordinate with departments to fulfill requests
- Maintain records of rights requests and responses
- Provide training on individual rights procedures
- Serve as escalation point for complex or disputed requests
- Interface with regulators on privacy matters
6.2 Department Responsibilities
| Department | Responsibilities |
|---|---|
| HR | Process employee/applicant rights requests; provide employment data; coordinate with DPO |
| Customer Service | Receive customer requests; forward to DPO; assist with verification; communicate responses |
| IT | Extract personal data from systems; facilitate data portability; execute deletion requests; technical support |
| Legal | Advise on complex requests; assess exceptions; handle disputes; regulatory coordination |
| Marketing | Process opt-out requests; update communication preferences; manage consent records |
6.3 All Employees
All PPOIC employees must:
- Forward any individual rights requests to DPO immediately
- Not attempt to fulfill requests without DPO coordination
- Respect individual privacy rights
- Maintain confidentiality of rights requests
7. Request Processing Procedures
7.1 Standard Request Workflow
- Email, mail, online form, in-person
- DPO creates ticket in tracking system
- Confirm requester is data subject
- Determine what data/action is requested
- IT, HR, Customer Service provide data
- Legal review if denial considered
- Provide data, make corrections, execute deletion
- Send confirmation within 45 days
- Record request and response for compliance
7.2 Response Timelines
| Request Type | Target Response | Maximum (CCPA) |
|---|---|---|
| Simple Access Request | 21 days | 45 days |
| Complex Access Request | 45 days | 90 days (with extension notice) |
| Correction Request | 30 days | 45 days |
| Deletion Request | 30 days | 45 days |
| Portability Request | 30 days | 45 days |
| Opt-Out Request | Immediate (marketing); 15 days (sales) | 15 days |
7.3 Extensions and Complex Requests
If request is complex and requires more time:
- Notify individual within initial 45-day period
- Explain reason for extension
- Provide date by which response will be provided (max 90 days total)
- Keep individual updated on progress
8. Training and Awareness
| Training Type | Audience | Frequency |
|---|---|---|
| General Privacy Awareness | All employees | Annually |
| Individual Rights Training | Customer service, HR, IT | Annually + when policy updates |
| DPO Specialized Training | Clarence Simms (DPO) | Ongoing as laws evolve |
9. Monitoring and Metrics
9.1 Key Performance Indicators
| Metric | Target | Purpose |
|---|---|---|
| Average Response Time (Access Requests) | ≤ 30 days | Ensure timely fulfillment |
| Requests Completed Within 45 Days | 100% | CCPA compliance |
| Deletion Requests Completed | 100% | Compliance and effectiveness |
| Individual Satisfaction (Survey) | ≥ 80% satisfied | Service quality |
| Training Completion Rate | 100% | Awareness and competency |
9.2 Reporting
DPO provides quarterly reports to executive management including:
- Number of rights requests received (by type)
- Average response times
- Requests granted vs. denied (with reasons)
- Escalations and complaints
- Trends and recommendations
Appendix A: Data Subject Access Request Form
DATA SUBJECT ACCESS REQUEST FORM
Your Information:
Name: _______________________________________________
Email: _______________________________________________
Phone: _______________________________________________
Address: _____________________________________________
Relationship to PPOIC:
☐ Employee/Former Employee ☐ Customer ☐ Vendor ☐ Other: _________
What Are You Requesting? (Check all that apply)
☐ Access: Copy of my personal data
☐ Correction: Correct inaccurate data (specify below)
☐ Deletion: Delete my personal data
☐ Portability: Provide data in machine-readable format
☐ Opt-Out: Opt-out of marketing communications
☐ Information: How my data is used
Specific Details (if applicable):
_______________________________________________________________
_______________________________________________________________
Identity Verification:
Date of Birth: _________________
Last 4 of SSN (if applicable): __________
Account/Employee Number: _______________
Preferred Response Method:
☐ Email ☐ Mail ☐ Secure Portal ☐ In-Person Pickup
Signature: ________________________________ Date: __________
Submit to:
Data Protection Officer
Email: privacy@ppoic.com
Mail: Planned Packaging of Illinois Corp., Attn: DPO, [Address], Nashville, TN [ZIP]
Appendix B: Response Templates
Template 1: Access Request Fulfillment
[Date]
Dear [Name],
Thank you for your request to access your personal data. We have completed our review and are providing the requested information.
Personal Data We Hold About You:
[Attach PDF or provide secure link to data package]
How We Use Your Data:
[Brief summary of processing activities]
If you have questions or need clarification, please contact us at privacy@ppoic.com.
Sincerely,
Clarence Simms
Data Protection Officer
Template 2: Deletion Request Confirmation
[Date]
Dear [Name],
We have processed your request to delete your personal data. Your information has been permanently removed from our systems as of [Date].
Data Deleted:
- [List categories deleted]
Note: Some information may remain in backup systems for up to 90 days before being permanently purged.
If you have questions, please contact privacy@ppoic.com.
Sincerely,
Clarence Simms
Data Protection Officer
Document Approval
Policy Owner:
_____________________________________ Date: ___________
Clarence Simms, CIO/DPO
Executive Approval:
_____________________________________ Date: ___________
Jason Robertson, CEO
Revision History
| Version | Date | Changes |
|---|---|---|
| 1.0 | Jan 1, 2025 | Initial policy creation |
| 2.0 | Jan 1, 2026 | Comprehensive revision for CyberVadis audit; enhanced CCPA compliance; added request forms and templates |
