SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

Transcription

1 SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 This Notice sets forth the principles followed by United Technologies Corporation and its operating companies, subsidiaries, divisions or groups (hereinafter UTC ), located in the United States with respect to transfers of Personal Information (as defined below) to the United States from locations within the Member States of the European Economic Area ( EEA ) and Switzerland. Personal Information may relate to data concerning a UTC director, officer, employee, retiree, temporary employee, contractor, leased laborer, contract laborer, customer, supplier, or other third party. Personal Information includes data collected by UTC and by UTC s predecessors that may come into UTC s possession. UTC adheres to the U.S. Department of Commerce s Safe Harbor Principles approved by the European Commission (Decision 520/2000/EC, dated 26 July 2000). UTC complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information from European Union member countries and Switzerland. UTC has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor Principles or to view UTC s certification, go to As used in this Notice: Personal Information means information that, when associated with an individual, can be used to identify him or her. Anonymous aggregate information used for statistical, historic, and scientific or other purposes is excluded. The term also excludes information lawfully obtained from publicly available information, or from government records lawfully made available to the general public. Sensitive Personal Information is Personal Information that constitutes medical records or identifies racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sex life. "Agent" means any third party that uses Personal Information provided by UTC to perform tasks on behalf of and under the instructions of UTC. SCOPE This Notice applies to all transmissions of UTC Personal Information in whatever format (including but not limited to electronic, paper, or verbal) to the United States from locations within the EEA and Switzerland, whether via telecommunications lines, computer lines, or in hard copy, whether provided to UTC, generated by UTC and its operating companies, or otherwise provided by Agents or third parties. Page 1

2 COLLECTION, USE, AND RETENTION OF PERSONAL INFORMATION UTC collects, uses, and retains Personal Information only if such information is necessary and appropriate for legitimate business and legal purposes. When UTC collects Personal Information directly from individuals in the EEA and Switzerland, it will inform them about the purposes for which it collects and uses Personal Information about them, the types of non-agent third parties to which UTC discloses that information, and the choices and means UTC offers for limiting its use and disclosure. Notice will be provided in clear and conspicuous language when individuals are first asked to provide such information to UTC, or as soon as practicable thereafter, and in any event before UTC uses the information for a purpose other than that for which it was originally collected. When UTC receives Personal Information from its subsidiaries, affiliates, Agents and other entities in the EEA and Switzerland, it will use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such information relates. Personal Information is used by and shared among UTC divisions, subsidiaries, and affiliates, Agents (e.g., IT and other professional and nonprofessional services, benefit plan sponsors and administrators, etc.), applicable government organizations and agencies, and third parties as permitted or required by law, regulation, or court order. Depending on the location in which the data subject lives, local laws may require that the data subject provides specific consent for the collection, use and disclosure of Personal Information for some of the purposes listed below. Where required, UTC may ask for such consent by appropriate and permitted means. The examples of uses described below are illustrative and not all-inclusive. Uses by UTC of employee Personal Information include: Management and employee communications and notices; Maintenance of officer and employee biographies, curriculum vitae, and similar information; Emergency contacts; Global enterprise headcount and demographics; Career development, performance feedback, and progression; Staffing planning; Succession planning; Compensation and benefits; Establishment and administration of employee benefits and benefit plans; Rewards and recognition; Travel and expense reimbursement, including travel and/or credit card administration; Training; Relocation; Page 2

3 Tax reporting and withholdings; Payroll administration, including deductions, contributions, etc.; Enterprise Resource Planning (ERP) systems; Industrial relations, including grievance proceedings; Planning and provision of health services, including drug screening, processing of workers compensation or similar health and safety programs; Personal security, including access controls and security for computer and other systems; Reporting and statistical analyses; Related personnel transactions; Legal and regulatory reporting and other requirements, including right-to-work screening, workplace environment, health and safety reporting, and administration; Visas, licenses and other right-to- work authorizations; Management of litigation and related discovery/e-discovery issues; Import, export, and other trade compliance controls, including automated information technology controls; Sanctions screening, including screening of the U.S. Entity List, Specially Designated Nationals and Blocked Persons List, Denied Persons List, and the Unverified List, and similar lists maintained by the U.S. and other countries; Internal and external investigations, including Legal, Global Ethics & Compliance, and International Trade Compliance reviews; Contacts with UTC Ombuds and DIALOG programs; Internet, intranet, , social media, and other electronic screening; Law enforcement and other government inquiries; Business planning, including prosecution of mergers, acquisitions, and divestitures, including acquisition of Personal Information from an acquired company and transfers of Personal Information to a divested company; Identification of persons via photographs or other likenesses, including facial recognition; Location tracking, duration, and other telematics of certain UTC assets; Time collection and allocation; Data mining for internal company management purposes; Biometrics; Forensics analysis; Data supplied to vendors providing benefits; Physical and information technology security monitoring; Data backup and recovery; and Automated information technology threat assessments and response. The types of Personal Information UTC collects (directly from the data subject or from public or third party information sources) and shares depends on the nature of the individual s relationship with UTC and the provisions/restrictions of applicable laws. Examples of this information may include, among other things: Given and Family names, including suffixes; Middle name(s); Preferred name; Page 3

4 Country of birth; Citizenships held (past and present); U.S. and other country permanent resident and/or asylee status; SMTP address; Place of work, including street address, city, state or other subdivision, country, postal code; Work postal address; Work telephone number; Home address (including street, city, state, province, or other subdivision, postal code); Home telephone number; Mobile telephone number; Pager telephone number; Fax number; Supervisor identifier; Job title; Department; Assistant s name; Company name; Company country of incorporation Job function; Job title; Compensation; Training and development; Other data collected to support human resources applications; Dispatching UTC personnel to or from customer sites, including measuring location, time, and services performed; Management reports and data mining (usually anonymized and not containing individually identifying data); Computer asset location & billing data, including computer location; For third parties on UTC sites, identification of persons via photographs or other likenesses, including facial recognition; location tracking, duration, and other telematics; biometric data; forensics analysis; physical and information technology security monitoring; sanctions screening and automated information technology threat assessments and response. Time collection and allocation; message content (end-user controlled); Message attachments (end-user controlled); Public folder content (local administrator supplies folder permissions); Web page address; Instant Messaging address; and Calendar data (meeting and conference room information, including any-user-supplied attachments to calendar entries and meeting notices). Page 4

5 Uses by UTC of Personal Information of third parties, Personal Information collected online, and any information other than employee Personal Information include: Authorizing, granting, administering, monitoring and terminating access to or use of UTC systems, facilities, records, property and infrastructure; Administration of customer and supplier contracts and agreements, joint ventures, and other business combinations; Support of marketing efforts; Budget planning and administration; Invoice processing and payment-related purposes; Training and certification of customer and supplier personnel; Data collected as part of job application and hiring processes; Background checks and sanctions screening; Performance evaluation; Problem resolution, internal investigations, auditing, compliance, risk management and security; Project management; Conflict of interest reporting; Company communications; On-site injury and illness evaluation and reporting, for those who access UTC facilities; Monitoring and surveillance for industrial hygiene, public health and safety; Legal proceedings and government investigations, including preservation of relevant data; and As required or expressly authorized by laws or regulations applicable to our business globally or by government agencies that oversee our business globally. The types of Personal Information UTC collects (directly from the data subject or from public or third party information sources) and shares depends on the nature of the individual s relationship with UTC and the provisions/restrictions of applicable laws. Examples of this information may include, among other things: Contact information (e.g., name, home and business addresses, telephone, fax and pager numbers, addresses); Personal data (e.g., date of birth, day or year of birth, citizenship(s), preferred language); Biographies, curriculum vitae, and similar information; Organizational and institutional affiliations; Professional credentials; The individual s role in or positions held with customers, suppliers, etc.; Agreements, programs, and activities in which the data subject participates(d); Agreements entered into with UTC; Payment-related information, including social security number or tax identification number and bank account number; Communications preferences; Education and training; Industrial hygiene exposure assessment and monitoring information: Page 5

6 Computer or facilities access and authentication information (e.g., identification codes, passwords, address lists, etc.); and Photographs and other visual images of the data subject. CHOICE UTC offers individuals the opportunity to choose (opt-out) whether their Personal Information may be (a) disclosed to a non-agent third party, or (b) used for a purpose other than the purpose for which it was originally collected or subsequently authorized. UTC may occasionally inform individuals of offers available from selected non-agent third parties; however, UTC will not transfer Personal Information to such parties without the individual s consent. For Sensitive Personal Information, UTC gives individuals the opportunity to affirmatively and explicitly consent (opt-in) prior to (a) disclosure of the information to a non-agent third party, or (b) use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized. Individuals who elect to opt-in will be notified of the process to follow in exercising this choice. DATA INTEGRITY UTC will use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized. UTC will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current. TRANSFERS TO AGENTS AND OTHER THIRD PARTIES UTC typically shares Personal Information with external partners, outsourced providers, consultants, contractors, and others who are granted routine access to UTC facilities or systems, including Personal Information obtained from companies UTC acquires and transfers to effect the divestiture of companies UTC divests. UTC has implemented reasonable and appropriate security measures to protect Personal Information in accordance with the degree of protection afforded by law and the company s assessment of the sensitivity of the information and the ramifications of the information s loss, misuse, and unauthorized access, disclosure, alteration or destruction. UTC obtains assurances from the transferee(s) that they will safeguard Personal Information consistently with this Notice. Examples of appropriate assurances include: a contract, agreement, or relevant provision obligating the Agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles; Safe Harbor certification by the Agent; or being subject to an adequacy finding by the European Commission or Switzerland. Where UTC has knowledge that a transferee is using or disclosing Personal Information in a manner contrary to this Notice, UTC will take reasonable steps to prevent or stop the use or disclosure, up to and including termination of our contractual or other business relationship with the Agent. Page 6

7 ACCESS AND CORRECTION Upon request, UTC will grant individuals reasonable access to their Personal Information. In addition, UTC will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. SECURITY UTC maintains systems and procedures to assure the security and integrity of Personal Information, whether provided by employees, generated by UTC and its operating companies, or otherwise provided by Agents or third parties. UTC will take reasonable precautions to protect Personal Information in its possession from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Pursuant to UTC Information Technology Security Policies, UTC computer networks and systems, including ESS and its Internet- and Intranet-based applications, are designed to protect Personal Information from unauthorized access, loss, disclosure, or use. Personal Information is made available within UTC only to those persons who possess a business need-to-know. UTC sees the Internet and the use of other technologies as valuable tools for communicating and interacting with employees, customers, business partners, and others. UTC recognizes the importance of maintaining the privacy of information collected online and has created a specific Internet Privacy Policy (the "IPP") governing the treatment of Personal Information collected through web sites that it operates. With respect to Personal Information that is transferred from the EEA and Switzerland, the IPP is subordinate to this Notice. ENFORCEMENT UTC shall conduct assurance reviews in the form of periodic audits and has mechanisms in place for the receipt of confidential reports of violations of this Notice. This is to verify adherence to this Notice and to support annual Safe Harbor compliance certifications to the U.S. Department of Commerce. Any person who violates this Notice is subject to disciplinary action, up to and including termination of employment or a contractual relationship. CONTACT INFORMATION & DISPUTE RESOLUTION Any questions or concerns regarding this Notice and its application should be directed to the UTC Vice President, Global Ethics & Compliance, at the address given below. UTC will investigate and attempt to resolve questions, complaints, and disputes in accordance with the principles contained in this Notice. For complaints that cannot be resolved by UTC, UTC participates in the dispute resolution procedures of the panel established by European data protection authorities to resolve disputes pursuant to the Safe Harbor Principles. UTC will comply with specific actions ordered by the panel when necessary to comply with the Safe Harbor Principles. Page 7

8 Questions or comments regarding this Notice may be submitted to the UTC Vice President, Global Ethics & Compliance by regular mail or as follows: United Technologies Corporation 1 Financial Plaza Hartford, Connecticut United States of America Attention: Global Ethics & Compliance, Mail Stop bpo@corphq.utc.com CHANGES TO THIS NOTICE This Notice may be amended from time to time, as needed to conform to the Safe Harbor Principles or to reflect accurately any changes in UTC s practices and policies. Appropriate public notice will be given concerning such amendments. Page 8