SAFE HARBOR PRIVACY POLICY

Transcription

1 SAFE HARBOR PRIVACY POLICY Varroc Lighting Systems, Inc. respects individuals privacy, and strives to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it and its subsidiaries do business. This Safe Harbor Privacy Policy (the Policy ) describes the privacy principles as follows with respect to certain personal information transmitted to Varroc in the United States of America (the U.S. ) from countries located within the European Economic Area and Switzerland. SAFE HARBOR OVERVIEW The U.S. Department of Commerce and the European Commission have agreed on a set of data protection principles and associated frequently asked questions to enable U.S. companies to satisfy European Union ( EU ) law requiring that Personal Data transferred from the EU to the U.S. be adequately protected (the U.S.-EU Safe Harbor ). The EEA European Economic Area (the EEA ), which as of the date of this Policy includes all member states of the EU and Iceland, Liechtenstein and Norway) has recognized the U.S.-EU Safe Harbor as providing adequate protection of Personal Data (2001 O.J. (L 45) 47). In addition, the U.S. Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland (the Commissioner ) have agreed on a similar set of data protection principles and frequently asked questions to satisfy the Swiss legal requirement that adequate protection be given to Personal Data transferred from Switzerland to the United States (the U.S.-Swiss Safe Harbor ). Consistent with its commitment to protect personal privacy, Varroc has made a decision to voluntarily adhere to the principles set forth in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor (collectively, the Safe Harbor Principles ). As such, Varroc has certified its compliance with the Safe Harbor Principles with the U.S. Department of Commerce. For more information about the Safe Harbor Principles or to access Varroc s certification statement, please go to Should there be any conflict between the Safe Harbor Principles and this Policy, this Policy shall be interpreted to be consistent with the Safe Harbor Principles. 1

2 SCOPE This Policy applies to all Personal Data received by Varroc in the United States from the EEA and from Switzerland, either directly from individuals or from its affiliates, and in any format whatsoever, including electronic, paper or oral transmission. This Policy also applies to Varroc s Agents (defined below) that process Personal Data received by Varroc in the United States from the EEA and from Switzerland on behalf of Varroc. DEFINITIONS For purpose of this Policy, the following definitions shall apply: Agent means any third party that collects or uses Personal Data provided by Varroc to perform tasks on behalf of Varroc under the instructions of, and solely for, Varroc. Personal Data means any information or set of information relating to an identified or identifiable living natural person that is transferred from the EEA or Switzerland to the U.S. who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Personal Data does not include information relating to an identifiable natural person that is anonymous or aggregated (e.g., statistical information not relating to an identifiable person), other information where a natural person cannot be identified taking account of all the means likely reasonably to be used to identify that individual or publicly available information that has not been combined with non-public Personal Data. Personal Data includes all Sensitive Personal Data (as defined below). Sensitive Personal Data means Personal Data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or that concerns health matters or information specifying the sex life of an individual. For each jurisdiction in the EEA in which Varroc employs individuals, Sensitive Personal Information shall include all other Personal Data about such individuals deemed to be Sensitive Personal Data under the applicable laws and regulations of such jurisdiction. Varroc, we, our or us means Varroc Lighting Systems, Inc. and its successors, assigns and wholly-owned affiliates and subsidiaries and their respective divisions and groups, each of which are located within the U.S. PRIVACY PRINCIPLES FOR PROCESSING OF PERSONAL DATA RECEIVED FROM THE EEA The privacy principles set forth in this Policy have been developed based on the Safe Harbor Principles. 2

3 NOTICE Where Varroc collects Personal Data directly from individuals in the EEA, it will inform those individuals about the purposes for which it collects and uses Personal Data about them; the types of non-agent third parties to which Varroc discloses that information; and the choices and means, if any, Varroc offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Varroc, or as soon as practicable thereafter, and in any event before Varroc uses the information for a purpose other than that for which it was originally collected. Varroc may from time to time process certain Personal Data about customers, business partners, employees and candidates for employment, including information recorded and stored on various types of media, including electronic media. Purposes for which we may collect and use Personal Data from our customers, consumers and other non-employees include: Communicating to individuals about our products, services and related issues. Notifying individuals of, and administering, contests, sweepstakes, promotions and other offers. Evaluating the quality of our products and services. Allowing individuals to register for our websites, online communities and other social networking services, and administering and processing these registrations. Transferring Personal Data in connection with Varroc s legal, regulatory compliance and auditing purposes. Facilitating Varroc s internal administrative purposes, maintaining, administering and complying with Varroc s legal, regulatory compliance and auditing obligations, policies and procedures. Varroc also collects Personal Data concerning its employees and candidates for employment (human resources data) in connection with administration of its human resources programs and functions and for purpose of communicating with its employees. These programs and functions may include: Carrying out human resources functions such as training, implementing career and succession planning, administering employee contracts, evaluating 3

4 employees, implementing employment-related actions and obligations and providing employment benefits and related information. Responding to individual s inquiries, including in connection with prospective employment at Varroc, and administering and processing an individual s employment application to Varroc. Enabling Varroc and its employees to contact one another using an employee s work telephone and fax numbers, address or mailing address. Administering compensation, bonus and benefits plans and other employment matters. Arranging, booking and implementing employees travel plans and arrangements for business related purposes. Enabling Varroc to maintain building security and employee security, health and safety. Transferring Personal Data in connection with Varroc s legal, regulatory compliance and auditing purposes. Facilitating Varroc s internal administrative purposes, such as project staffing, headcount and statistics initiatives. Complying with Varroc s legal obligations, policies and procedures. Human resources data may also be shared with third party vendors acting as our Agents for the exclusive purpose of enabling third party Agent vendors to provide service and/or support to Varroc in connection with these Human Resource programs and functions. Human Resource data is not shared with third parties for non-employment related purposes. All third party Agents receiving Personal Data are required to apply the same level of privacy protection as contained in this Policy. We may share Personal Data within the U.S. family of Varroc companies. Varroc may also share Personal Data with its third party Agents for the sole purpose of, and only to the extent needed to, support Varroc s business needs. We may also disclose Personal Data to our Agents in the U.S. and other third parties when required to do so under law or by legal process. Third Party Agents are required to keep confidential Personal Data received from Varroc and may not use it for any purpose other than originally intended. 4

5 CHOICE Varroc will offer individuals whose Personal Data is collected in the EEA or Switzerland the opportunity to choose (by either opt-out or opt-in) whether their Personal Data can be (a) to be disclosed to a third party that is not an Agent, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Data, Varroc will give individuals the opportunity to affirmatively and explicitly consent (opt-in) to permit Varroc to (a) disclose of their Sensitive Personal Data to a third party who is not an Agent or (b) use Sensitive Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Varroc will provide individuals with clear and conspicuous, readily available and affordable mechanisms to exercise these choices. ONWARD TRANSFER Varroc will obtain assurances from its Agents that they will safeguard Personal Data in a manner consistent with this Policy. Examples of appropriate assurances that may be provided by Agents include: (a) the Agent s certification that they participate in the U.S.-EU Safe Harbor or the U.S.-Swiss Safe Harbor; (b) a written contract obligating the Agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles; or (c) being subject to EU Data Protection Directive (EU Directive 95/46/EC), the Swiss Federal Act on Data Protection or being subject to another European Commission adequacy finding. Where Varroc has knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Policy, Varroc will take reasonable steps to prevent or stop such use or disclosure. ACCESS Upon request and in accordance with the Safe Harbor Principles, Varroc will grant individuals reasonable access to their Personal Data that is held by Varroc. In addition, Varroc will take reasonable steps to permit individuals to correct, amend, or delete their Personal Data that is demonstrated to be inaccurate or incomplete. In accordance with the Safe Harbor Principles, Varroc may limit or deny access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual s privacy, where the legitimate rights of persons other than the individual would be violated or if necessary to safeguard important countervailing public interests (e.g., national security) or in other limited circumstances (e.g., disclosure would breach a legal or other professional privilege). 5

6 SECURITY Varroc will take reasonable precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. DATA INTEGRITY Varroc will use Personal Data only in ways that are compatible with the purposes for which it was originally collected or as subsequently authorized by the individual. Varroc will also take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. ENFORCEMENT Varroc utilizes the self-assessment approach to verify its compliance with this Policy. Varroc periodically verifies that this Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the Safe Harbor Principles. Varroc will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the Safe Harbor Principles. Varroc will also investigate suspected infractions of this Policy. If Varroc determines that any employee of Varroc is in violation of this Policy, such person will be subject to disciplinary action up to and possibly including termination of employment. Varroc encourages interested persons with questions or concerns relating to this Policy to contact us using the contact information below. Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the Vice President, Human Resources at the address set forth below. With respect to any complaints relating to this Policy that cannot be resolved through Varroc s internal processes, (a) for Personal Data received from the EEA, Varroc has agreed to cooperate with the European data protection authorities and to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the Safe Harbor Principles and (b) for Personal Data received from Switzerland, Varroc will cooperate with, and comply with any advice given by, the Commissioner in the investigation and resolution of complaints brought under the US.-Swiss Safe Harbor. 6

7 In the event that Varroc or such authorities determines that Varroc failed to comply with this Policy, Varroc will take appropriate steps to address any adverse effects arising directly from such failure and to promote future compliance. LIMITATIONS Varroc s adherence to the Safe Harbor Principles may be limited by any applicable legal, regulatory, ethical or public interest consideration and as expressly permitted or required by any applicable law, rule or regulation. Examples of such limitations include, without limitation, exceptions to the opt-in requirements for Sensitive Personal Data as permitted by Commission Decision 2000/520/EC of 26 July 2000, exceptions to access as permitted by the Safe Harbor Principles, or under applicable EEA member state or Swiss law. Varroc may also sell, transfer or otherwise disclose Personal Data reasonably related to the sale, assignment, transfer or other disposition of all or part of our business, subject to and in accordance with applicable law. CONTACT INFORMATION Questions or comments regarding this Policy or our practices concerning Personal Data should be submitted to Varroc by mail or as follows: Senior Vice President, Human Resources & Communications Varroc Lighting Systems, Inc Halyard Drive Plymouth, Michigan United States of America privacy@varroclighting.com CHANGES TO THIS POLICY This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. Appropriate public notice will be given concerning such amendments. EFFECTIVE DATE Thus Policy is effective as of February 11,