Global Privacy Statement
Definitions
Company means Zetec, Inc. and its subsidiary and affiliated operating companies.
Contractor means all third-party workers who process Personal Information as part of their respective duties or responsibilities.
Data Protection Legislation means GDPR and/or any corresponding or equivalent national laws or regulations and any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
Employee means an employee, or former employee of Company.
GDPR means the General Data Protection Regulation ((EU) 2016/679).
Personal Information means any information that alone, or when used in combination with other information, can be used to identify an individual.
Primary Purpose means the purpose for which Personal Information was originally collected.
Privacy Impact Assessment means a process used to identify and document risks associated with the Processing of Personal Information.
Processing means any operation that is performed on Personal Information, whether or not by automatic means, such as collection, recording, storage, organization, alteration, use, disclosure (including the granting of remote access), transmission or deletion of Personal Information.
Sensitive Information means Personal Information that receives heightened protection under privacy laws, because it:
- Reveals an individual’s racial or ethnic origin, political opinions or membership in political parties or similar organizations, religious or philosophical beliefs, membership in a professional or trade organization or union;
- Relates to physical or mental health including any opinion thereof, disabilities, genetic code, addictions, sex life, criminal offences, criminal records or proceedings or unlawful behavior.
Service Provider means any third-party entity which the Company uses to provide certain services, such as hosting, software maintenance, database maintenance, address verification, order fulfillment, credit card processing, training, or HR management.
Supplier means any individual or individuals associated with an entity, which provides goods or services to the Company (such as an agent, consultant or vendor).
1. INTRODUCTION
The Company holds Personal Information about Employees and Contractors for a variety of business purposes. The Company is committed to protecting the Personal Information of our Employees and Contractors.
This Privacy Policy (“Policy”) is based on various global legal requirements and internationally recognized standards, principles and practices relating to the handling of Personal Information. It establishes a high-level framework and indicates how this commitment is met by the Company. The Policy also sets forth how the Company seeks to protect personal data in its possession and ensures staff understand the rules governing their use of personal data to which they have access in the course of their work.
This Policy supplements the Company’s other policies relating to information security or document management. The Company may supplement or amend this Policy by additional policies and guidelines from time to time.
The Human Resources Department is responsible for the monitoring and implementation of this policy. If you have any questions about the content of this policy or other comments please contact Zetec’s Vice President of Human Resources, Ava Doman (adoman@zetec.com), or Zetec’s Corporate Counsel, Jeff Liu (jliu@zetec.com).
2. PURPOSE OF POLICY
This Policy addresses the processing of Personal Information of Employees, Contractors, temporary and agency workers, interns, volunteers, and other individuals with whom the Company has business interactions. This Policy aims to ensure compliance with the Data Protection Legislation and has, in particular, been updated to comply with the requirement of the GDPR.
All Company Employees, Contractors, Suppliers, Service Providers, and other third parties who receive or have access to Personal Information subject to this Policy must comply with this Policy.
All Employees, Contractors, suppliers, service providers, and other third parties working with the Company must be familiar with this Policy and comply with its terms.
3. DATA PROCESSING PRINCIPLE
The Company will observe the following principles in respect of the processing of Personal Information:
• to process Personal Information fairly and lawfully in line with individuals’ rights;
• to collect Personal Information only for specified, explicit and legitimate purposes and to not further process them in a manner that is incompatible with those purposes;
• to make sure that any Personal Information processed for a specific purpose is adequate, relevant and not excessive for that purpose;
• to keep Personal Information accurate and up to date;
• to keep Personal Information for no longer than is necessary; and
• to keep Personal Information data secure against loss or misuse.
4. PROCESSING OF PERSONAL INFORMATION
The Company only processes Personal Information that is relevant and useful for the purposes for which it is collected. Personal Information is only collected and processed if the Company has a legal basis for such purposes.
Processing of Personal Information includes:
Activities necessary to the Company’s business operations, including:
• Marketing, sales, and other promotional activities;
• Client relationship and account management;
• External communications;
Internal operations and personnel management, including:
• Finance and accounting;
• Purchasing, order, and event management;
• HR, personnel, and employee related management and training activities;
• To prevent, detect, investigate, and address violations of law or Company policy;
Compliance, including:
• Compliance with Data Protection Legislation and other legal and regulatory obligations to which the Company is subject; and
• As otherwise required or permitted by law.
The Company takes commercially reasonable steps to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, or destruction.
5. PROCESSING OF SENSITIVE INFORMATION
The nature of the Company’s business requires the Processing of Sensitive Information in certain instances, in particular, for HR, personnel, and employee related management and training activities. The Company will process Sensitive Information only in strict compliance with Data Protection Legislation, in particular Art. 9(2) of the GDPR. The Company will take additional care to safeguard Sensitive Information.
6. INFORMING THE INDIVIDUAL
As the Company deems appropriate or as required by Data Protection Legislation, the Company will inform individuals through privacy notices about:
• The purposes for which their Personal Information is processed;
• Categories of Personal Information being Processed;
• Location of Personal Information processing activities;
• Information regarding transfer of the individual’s Personal Information to other countries with laws that may provide less protection than the individual’s own country;
• How the individual can contact the Company with enquiries related to the processing of their Personal Information; and
• Other relevant information related to handling or processing of Personal Information as may be required by Data Protection Legislation.
7. RISK ASSESSMENTS
Where the Company considers it necessary, or as required by Data Protection Legislation, new initiatives or activities that involve or affect the Processing of Personal Information will undergo appropriate risk assessments (Privacy Impact Assessments) to evaluate, report, mitigate, and monitor risks associated with the envisioned information Processing.
8. ACCESS TO PERSONAL INFORMATION
Where required, the Company provides individuals the opportunity to access their Personal Information and the Company will comply with appropriate requests by the individual to correct, amend, and rectify their Personal Information and to obtain copies of the Personal Information which the Company holds about them.
If the individual’s request for information regarding their Personal Information processed by the Company or their request to correct, amend or rectify Personal Information processed by the Company does not contain sufficient detail to allow the Company to respond, the Company will request additional information from the individual in an effort to fulfill the request. Before denying a request to access, rectify, delete, or object to processing of Personal Information, the Employee responsible must seek the advice of the Company’s Data Protection Officer if applicable, or legal counsel.
9. PERSONAL INFORMATION RETENTION
Personal Information will not be retained for any longer than necessary but will be stored as described for as long as the information is required to fulfill our legitimate business needs or the purposes for which the information was collected, or for as long as is required by law.
Upon the ending of the applicable retention period, Personal Information must be:
• Securely deleted or destroyed;
• Anonymized; or
• Archived securely, where allowed or required by local applicable law or applicable information retention policy.
10. SECURITY
The Company shall implement commercially reasonable steps to protect Personal Information transmitted to the Company and to protect such information from loss, misuse, unauthorized access, disclosure, alteration, or destruction.
Employees are expected to adhere to the Company’s respective security protocols and procedures, in particular to the Company’s policy relating to information security.
Where Employees use passwords, ID numbers, or other special access Personal Information, it is their responsibility to safeguard them.
11. CONFIDENTIALITY
Employees of the Company will only access Personal Information as necessary and to the extent required to perform their assigned job functions, and to serve the purpose(s) for which the Personal Information was collected.
Employees of the Company will not share, transfer or otherwise disclose Personal Information in a manner inconsistent with this Policy, and the Company will ensure appropriate contractual and other controls are imposed on Suppliers and Service Providers.
All Employees and Contractors are required to adhere to the confidentiality obligations as set out in their contracts of employment or other contractual agreements and with applicable Company policies.
Employees and Contractors have an obligation to report actual or potential data protection compliance failures to a Data Protection Officer if applicable, the Human Resources Department or to the Company’s management. This allows the Company to investigate the failure and take remedial steps, if necessary, and make any applicable notifications.
12. DATA BREACHES
As the Company is obliged to notify the relevant authorities of data breaches within strict time limits, you are required to be vigilant about such matters and to report them immediately if you become aware of any security incident or threat to our IT systems.
13. TRANSFER OF PERSONAL INFORMATION TO THIRD PARTIES
Transfers of Personal Information to third parties can occur via actual physical or technical transfer, or by providing remote access to Personal Information. The Company will transfer Personal Information to third parties:
• To the extent necessary to fulfill the purpose for which the Personal Information is processed;
• For purposes to which the individual has provided consent; or
• As required by applicable law.
The Company will only allow processing of Personal Information by third-party data processors which have agreed to appropriate contractual obligations regarding the processing of Personal Information, including:
• Processing Personal Information only at the direction of and for the specific purposes authorized by the Company;
• Protecting the confidentiality, integrity, and availability of the Personal Information;
• Implementing commercially reasonable steps to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, or destruction;
• Prohibiting sub-contractors/sub-processors from Processing the Personal Information without prior written consent from the Company;
• Providing the Company with the right to review security measures or perform vendor risk assessments and submit processing facilities to inspection or audit by the Company or independent auditor;
• Promptly notifying the Company of any information security incident involving Personal Information.
14. INTERNATIONAL DATA TRANSFERS
Many countries have limitations and restrictions on the extent and type of Personal Information that may be transferred or processed outside of the country of origin. The Company takes care to ensure that any Personal Information processing occurs in compliance with Data Protection Legislation.
15. CONSEQUENCES OF FAILING TO COMPLY
The Company takes compliance with this Policy very seriously. Failure to comply puts both Employees and the Company at risk. The importance of this Policy means that failure to comply with any requirement may lead to disciplinary action, which may result in dismissal.
Employees with any questions or concerns about anything in this policy should not hesitate to discuss these with the Company’s Human Resources or Legal Department.
16. GOVERNANCE ROLES AND RESPONSIBILITIES
Employees are expected to carry out operations in compliance with this Policy, and all applicable privacy laws, regulations, contractual obligations, and other applicable requirements.
The Company is responsible for:
• Overseeing compliance with this Policy and Data Protection Legislation;
• Providing periodic reports, as appropriate or requested, to the members of the Company’s Executive Management;
• Coordinating investigations and inquiries into the processing of Personal Information; and
• Establishing the Company’s Privacy Compliance Framework, including:
  • the development of policies, procedures, and processes, as necessary and appropriate;
  • planning privacy training and awareness programs;
  • monitoring and reporting on compliance with this Policy;
  • collecting, investigating, and resolving privacy inquiries, complaints and concerns; and
  • advising Employees of the requirements deriving from this Policy.
17. POLICIES AND PROCEDURES
The Company may develop and implement procedures, sub-policies, and processes aimed at ensuring compliance with this Policy.
Accordingly, any such procedure, sub-policy, process, guidance, or the like, must be consistent with the requirements and principles set forth in this Policy.
18. TRAINING
The Company shall provide training on this Policy and other Data Protection Legislation to those Employees and Contractors who have access to Personal Information or who have responsibilities associated with Personal Information management.
19. COMPLIANCE MONITORING AND AUDITS
The Company will perform periodic audits on Company business processes that involve the processing of Personal Information in the regular course of the Company’s audit activities.
20. CHANGES TO THIS STATEMENT
Any change to this Policy requires review by the Company’s Data Protection Officer if applicable, or by the Roper Technologies, Inc. legal department.