I. STATEMENT AND PURPOSE
- Applicable Laws impose a number of obligations with respect to the Processing of Personal Data. PureNet Cable respects individual privacy and is committed to comply with the legal standards imposed by Applicable Laws in our business practices involving the Processing of Personal Data.
- We are accountable for and committed to comply with the key data protection principles and core requirements set out in Applicable Laws.
- This Policy describes the key data protection principles we follow and reflects our approach with respect to the respect for the privacy of individuals and the protection of Personal Data.
- This Policy applies to all PureNet Cable establishments in the EU, as well as all other PureNet Cable establishments to the extent they receive any Personal Data from the EU, or are otherwise subject to the Applicable Laws.
- The Personal Data shall be Processed in accordance with this Policy and Applicable Laws.
- This Policy should be read in conjunction with PureNet Cable’s other policies as listed in Section XIII of this Policy. PureNet Cable may implement additional policies, procedures or practices as may be required to comply with this Policy or with Applicable Laws.
- Data Protection is the shared responsibility of all PureNet Cable employees and business units and all employees and business units are expected to be familiar with and adhere to the principles and requirements set forth in this Policy.
- In addition to the words defined elsewhere in this Policy, the following words used herein have the meanings set forth below:
- “Affiliate” means any entity, which is partially or wholly controlled by, controls or is in common control with the respective entity.
- “Applicable Laws” means the GDPR and any national laws implementing the GDPR in the EEA countries.
- “Automated Decision-Making” means the process of making a decision based solely on automated Processing, including Profiling, of Personal Data, which produces legal effects concerning a Data Subject.
- “Controller” means any natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purpose(s) and means of the Processing of Personal Data.
- “Data Subject” means identified or identifiable natural person to whom the Personal Data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “EEA” means the European Economic Area, which includes all EU Member States as well as Iceland, Liechtenstein and Norway.
- “Effective Date” means May 25, 2018.
- “Employees” means full-time employees, part-time employees, temporary employees, reinstated employees, rehired employees and retired and former employees, interns and trainees.
- “Establishment” implies the effective and real exercise of activity through stable arrangements; the legal form of such arrangements, whether through a branch or a subsidiary with legal personality, is irrelevant.
- “EU” means the European Union.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to a Data Subject. Personal Data includes Special Categories of Personal Data.
- “Privacy Officer” means the person designated under Section XII below.
- “Profiling” means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by an entity’s systems.
- “Special Categories Personal Data” includes Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data Processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- “PureNet Cable”, “we”, “our”, “us” means PureNetCable.
IV. KEY DATA PROTECTION PRINCIPLES
- When Processing Personal Data, we will apply the following key data protection principles:
- We will Process the Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject (hereinafter, the “Lawfulness, Fairness and Transparency Principle”);
- We will only collect the Personal Data for specified, explicit and legitimate purpose(s) and we will not further Process them in a manner that is incompatible with those purposes (hereinafter, the “Purpose Limitation Principle”);
- We will ensure that Personal Data are adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are Processed (hereinafter, the “Data Minimization Principle”);
- We will ensure that the Personal Data are accurate and, where necessary, kept up to date and that every reasonable step is taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are Processed, are erased or rectified without delay (hereinafter, the “Accuracy Principle”);
- We will not keep the Personal Data in a form that permits identification of Data Subjects for longer than necessary for the purpose(s) for which the Personal Data are Processed (hereinafter, the “Storage Limitation Principle”);
- We will Process the Personal Data in line with the Data Subjects’ rights (hereinafter, the “Data Subjects’ Rights”); and
- We will ensure that appropriate technical, organizational and security measures are put in place to protect the Personal Data when Processed, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage (hereinafter, the “Integrity, Confidentiality and Security Principle”).
A. The Purpose Limitation Principle
- In the course of our business, we collect and Process different types of Personal Data from different categories of Data Subjects for a variety of purposes. We will identify specific, explicit and legitimate purposes in advance and we will document them in our Records of Processing Activities (see Section VIII). We will inform the Data Subjects of these purposes when we first collect the Personal Data or as soon as possible thereafter (see the next sub-section B), unless a relevant exception applies.
- We will not Process Personal Data that had been collected for a specific purpose, for a different incompatible purpose, unless permitted by Applicable Laws.
- If you intend to Process Personal Data for a different purpose than the one initially identified, please speak to the Privacy Officer prior to commencing the Processing activity.
B. The Lawfulness, Fairness and Transparency Principle
- 1. Lawfulness and Fairness
- Processing of Personal Data is only lawful if it is permitted by Applicable Laws.
- We will only Process Personal Data based on one of the permissible legal grounds listed in the Applicable Laws. The legal grounds for Personal Data Processing we most typically rely upon include, but are not limited to the following:
- The necessity to perform a contract to which the Data Subject is party;
- The necessity to comply with an EU-originated legal obligation to which we are subject;
- The necessity for the purposes of legitimate interests pursued by us as a Controller or by a third party; and/or
- The consent given by the Data Subjects.
- We aim to minimize the amount of Special Categories of Personal Data that we Process. We will only Process Special Categories of Personal Data, if permissible under Applicable Laws, for example, when we are legally obliged to do so or with the explicit consent of the Data Subjects.
- We will identify the appropriate legal basis in advance and document them in our Records of Processing Activities (see Section VIII below).
- 2. Transparency
- In accordance with Applicable Laws, before we Process the Personal Data, we will provide a so-called data protection notice to the individuals in which we describe, at a minimum, in a manner easy to understand for the addressees, the following:
- The identity and contact details of PureNet Cable entity/ies, which is/are the relevant Controller(s);
- The categories of Personal Data we Process;
- The purposes for which we Process the Personal Data and legal bases to do so;
- To whom we disclose the Personal Data;
- Whether we transfer the Personal Data outside of the EEA (including the country of destination and the transfer mechanisms used);
- The period for which we store the Personal Data (or, if that is not possible, criteria we used to determine that period);
- The rights Data Subjects can exercise with respect to the Processing of their Personal Data;
- Whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subjects are obliged to provide the Personal Data and of the possible consequences of failure to provide such data; and
- The existence of Automated Decision-Making, including Profiling and in cases required by the GDPR, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.
C. The Data Minimization Principle
We will implement reasonable technical and organizational measures to ensure that any Personal Data we Process are adequate, relevant and limited to what is necessary for the purpose(s) for which we Process them.
D. The Accuracy Principle
We will implement reasonable technical and organizational measures to ensure that any Personal Data we Process are accurate and kept up-to-date. We will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
E. The Storage Limitation Principle
We will implement reasonable technical and organizational measures so we do not keep Personal Data longer than necessary for the purpose(s) for which they were collected or as otherwise required or permitted by Applicable Laws and in accordance with PureNet Cable Records Retention Policy. We take all reasonable steps to securely destroy, or erase from our systems and records, all Personal Data that are no longer required.
F. The Data Subjects’ Rights
We respect the rights afforded to Data Subjects under Applicable Laws, in particular:
- Right of access: the Data Subject may request information about their Personal Data for which we are responsible and request a copy of that data.
- Right to rectification: the Data Subject may request the rectification of inaccurate Personal Data and to have incomplete data completed.
- Right to erasure: the Data Subject may request erasure of their Personal Data, if the data are inaccurate or Processed in a way which is incompatible with the purpose(s) pursued by us.
- Right to data portability: if we Process Personal Data on the basis of a contract with the Data Subject or based on his/her consent, the Data Subject may request to receive his/her Personal Data in a structured, commonly used and machine-readable format, and ask us to transfer such data to a third party, where technically feasible.
- Right to restriction: the Data Subject may request to limit the Processing of his/her Personal Data.
- Right to objection: the Data Subject may object or oppose to the Processing of his/her Personal Data.
- Right to lodge a complaint: the Data Subject may lodge a complaint with a competent supervisory authority in the EU situated at their habitual residence, place of work, or place of alleged infringement.
- Right to refuse or withdraw consent: the Data Subject may refuse to give consent to Processing of their Personal Data and can withdraw the consent at any time without any adverse negative consequences.
- Right not to be subject to decisions based solely on automated Processing: the Data Subject shall have the right not to be subject to a decision based solely on automated Processing (i.e., Automated Decision-Making), including Profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, subject to exceptions provided by the GDPR.
Applicable Laws impose a limited timeframe within which we must respond to valid Data Subjects’ requests. Any request from a Data Subject must be immediately forwarded to the Privacy Officer, (see Section XII).
G. The Integrity, Confidentiality and Security Principle
- To protect the Personal Data we Process, we will implement reasonable technical and organizational measures against unauthorized or unlawful Processing of Personal Data and against accidental loss, destruction or damage of Personal Data.
- Such measures shall include as appropriate:
- The pseudonymization and encryption of the Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
V. DATA PROTECTION BY DESIGN AND BY DEFAULT
- We will make reasonable efforts, both at the time of the determination of the means for Processing and at the time of the Processing itself, to implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement the key data protection principles set out in Section III of this Policy in an effective manner and to integrate the necessary safeguards into the Processing in order to meet the requirements of the Applicable Laws.
- We will take reasonable steps to implement appropriate technical and organizational measures so that, by default, only Personal Data which are necessary for each specific purpose of the Processing are Processed.
- Some of the Processing that we carry out make result in risks to privacy and the rights and freedoms of individuals and, where required by the Applicable Laws, we will carry out a data protection impact assessment to assess the impact of the envisaged Processing operations on the protection of Personal Data, the necessity and proportionality of the Processing operations in relation to the purposes and of the risks to the rights and freedoms of the individuals concerned as well as the measures envisaged to address the risks.
VI. PERSONAL DATA DISCLOSURE PRACTICES
We will take reasonable precautions to allow access to Personal Data only to those who have a legitimate purpose for access and who require such access to perform their job duties and, where applicable, subject to appropriate safeguards.
When we share Personal Data within the PureNet Cable, we will take reasonable steps to ensure compliance with the key data protection principles listed in Section IV of this Policy. For this purpose, we have put in place the Global Intra-Group Data Processing and Transfer Agreement.
B. Third Parties
When we share Personal Data with third parties, we will take reasonable steps to conduct due diligence, where appropriate, and to put in place appropriate contractual or other safeguards, which, among other things, contain provisions to ensure the protection of the integrity, availability and confidentiality of the Personal Data.
VII. INTERNATIONAL DATA TRANSFER PRACTICES
When we transfer Personal Data to another country or territory, we will take reasonable steps to ensure that the protection afforded to the Personal Data in the country of origin applies to the Personal Data so transferred and that the transfer will take place in accordance with Applicable Laws.
- We transfer Personal Data to PureNet Cable entities established outside the EEA, in accordance with the Global Intra-Group Data Processing and Transfer Agreement we have concluded based on the standard contractual clauses of the European Commission. Occasionally, transfers may take place using alternative data transfer mechanisms, such as the EU Standard Contractual Clauses, or on the basis of permissible statutory derogations.
B. Third Parties
Transfers to third parties established outside the EEA shall only take place if the third country ensures an adequate level of protection or using an acceptable data transfer mechanism, such as the EU-U.S. Privacy Shield for transfers to self-certified U.S. organizations, the European Commission’s standard contractual clauses, Binding Corporate Rules, approved Codes of Conduct and Certifications or in exceptional circumstances on the basis of permissible statutory derogations.
VII. INTERNATIONAL DATA TRANSFER PRACTICES
We will keep up-to-date records of all the Processing activities in accordance with Applicable Laws. These Records must contain as a minimum:
- The name and contact details of the Controller;
- The purposes and the legal basis of the Processing;
- A description of the categories of Data Subjects and of the categories of Personal Data;
- The categories of recipients to whom the Personal Data have been or will be disclosed including recipients in third countries or international organizations;
- The transfer mechanism used to internationally transfer Personal Data and the country/international organization they were transferred to;
- The envisaged time limits for erasure of the different categories of Personal Data; and
- A general description of the technical and organizational security measures to protect the Personal Data.
We will train our employees regarding our data protection policies and procedures.
We will develop and maintain self-assessment procedures and audit compliance with this and related policies to mitigate and remedy any non-compliance.
XI. QUESTIONS AND COMPLAINTS
- Any questions with respect to this Policy can be addressed to Privacy Officer. Any person, including a Data Subject, who believes that this Policy has been violated, may submit a complaint to the Privacy Officer
- If You have any questions, concerns or comments about this Privacy Statement, please send an email to [email protected] or contact us at 260-461-4065. You can send written comments to: [email protected]
XII. DATA PROTECTION NETWORK
We allocate responsibilities for compliance with Applicable Laws at senior management level, across business units, functional groups and geographies. Any request, question, or complaint relating to this Policy, related data protection policies or Applicable Laws can also be addressed to the Vice President, Global Human Resources as appropriate. The Vice President, Global Human Resources, may consult with the designated Privacy Officer for the PureNet Cable entity to which the request, question, or complaint relates.
XIII. RELATED POLICIES, STANDARDS, GUIDELINES AND REFERENCES
We will make any related policies, standards, guidelines and references available via the intranet.
Violations of this Policy leading to the unauthorized use or disclosure of Personal Data may result in disciplinary action up to and including termination. Additionally, individuals may face civil, contractual or criminal liabilities.
XV. CHANGES TO THIS POLICY
We reserve the right to modify this Policy as needed to reflect changes in laws, our practices and procedures, or requirements imposed by supervisory authorities.