Applicable Laws impose a number of obligations with respect to the
Processing of Personal Data. Superior Essex Group respects individual
privacy and is committed to complying with the legal standards imposed by
Applicable Laws in our business practices involving the Processing of
Personal Data. We are accountable for and committed to complying with the
key data protection principles and core requirements set out in Applicable
Laws.
This Policy describes the key data protection principles we follow and
reflects our approach to respecting the privacy of individuals and
protecting Personal Data.
SCOPE
This Policy applies to all Superior Essex
Group establishments in the EU, as well as all other Superior Essex Group
establishments to the extent they receive any Personal Data from the EU, or
are otherwise subject to the Applicable Laws.
The Personal Data
shall be Processed in accordance with this Policy and Applicable Laws.
This
Policy should be read in conjunction with Superior Essex Group’s other
policies as listed in Section XIII of this Policy. Superior Essex Group may
implement additional policies, procedures or practices as may be required to
comply with this Policy or with Applicable Laws.
Data Protection is the shared responsibility of all Superior Essex Group employees and
business units and all employees and business units are expected to be
familiar with and adhere to the principles and requirements set forth in
this Policy.
DEFINITIONS
In addition to the words defined
elsewhere in this Policy, the following words used herein have the meanings
set forth below:
“Affiliate” means any entity that is partially or wholly controlled by,
controls or is under common control with the respective entity.
“Applicable Laws” means the GDPR and any national laws implementing the
GDPR in the EEA countries.
“Automated Decision-Making” means the process of making a decision based
solely on automated Processing, including Profiling, of Personal Data,
which produces legal effects concerning a Data Subject.
“Controller” means any natural or legal person, public authority, agency
or other body, which, alone or jointly with others, determines the
purpose(s) and means of the Processing of Personal Data.
“Data Subject” means an identified or identifiable natural person to whom
the Personal Data relates. An identifiable person is one who can be
identified, directly or indirectly, in particular by reference to an
identifier such as a name, identification number, location data, an
online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of
that natural person.
“EEA” means the European Economic Area, which includes all EU Member
States as well as Iceland, Liechtenstein and Norway.
“Effective Date” means May 25, 2018.
“Employees” means full-time employees, part-time employees, temporary
employees, reinstated employees, rehired employees and retired and
former employees, interns and trainees.
“Establishment” implies the effective and real exercise of activity
through stable arrangements; the legal form of such arrangements,
whether through a branch or a subsidiary with legal personality, is
irrelevant.
“EU” means the European Union.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of
the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection
Regulation).
“Personal Data” means any information relating to a Data Subject.
Personal Data includes Special Categories of Personal Data.
“Policy” means this General Privacy Policy.
“Privacy Officer” means the person designated under Section XII below.
“Profiling” means any form of automated Processing of Personal Data
consisting of the use of Personal Data to evaluate certain personal
aspects relating to a natural person, in particular to analyze or
predict aspects concerning that natural person's performance at work,
economic situation, health, personal preferences, interests,
reliability, behavior, location or movements.
“Processing” means any operation or set of operations which is performed
on Personal Data or on sets of Personal Data, whether or not by
automated means, such as collection, recording, organization,
structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or
destruction.
“Personal Data Breach” means a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, Personal Data transmitted, stored or
otherwise Processed by an entity’s systems.
“Special Categories of Personal Data” includes Personal Data revealing
racial or ethnic origin, political opinions, religious or philosophical
beliefs, or trade union membership, and genetic data, biometric data
Processed for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person's sex life or
sexual orientation.
“Superior Essex Group”, “we”, “our”, “us” means Superior Essex Inc., a
Delaware corporation, registered at Corporation Service Company, 251
Little Falls Drive, Wilmington, DE 19808, Essex Group, Inc., a Michigan
corporation, registered at CSC-Lawyers Incorporating Service (Company),
601 Abbot Road, East Lansing, MI 48823, Superior Essex International LP,
a Delaware limited partnership, registered at Corporation Service
Company, 251 Little Falls Drive, Wilmington, DE 19808, and their
respective Affiliates.
KEY DATA PROTECTION PRINCIPLES
When Processing Personal Data, we will apply the following key data
protection principles:
We will Process the Personal Data lawfully, fairly and in a transparent
manner in relation to the Data Subject (hereinafter, the “Lawfulness, Fairness and Transparency Principle”);
We will only collect the Personal Data for specified, explicit and
legitimate purpose(s) and we will not further Process them in a manner
that is incompatible with those purposes (hereinafter, the “Purpose Limitation Principle”);
We will ensure that Personal Data are adequate, relevant and limited to
what is necessary in relation to the purpose(s) for which they are
Processed (hereinafter, the “Data Minimization Principle”);
We will ensure that the Personal Data are accurate and, where necessary,
kept up to date and that every reasonable step is taken to ensure that
Personal Data that are inaccurate, having regard to the purposes for
which they are Processed, are erased or rectified without delay
(hereinafter, the “Accuracy Principle”);
We will not keep the Personal Data in a form that permits identification
of Data Subjects for longer than necessary for the purpose(s) for which
the Personal Data are Processed (hereinafter, the “Storage Limitation Principle”);
We will Process the Personal Data in line with the Data Subjects’ rights
(hereinafter, the “Data Subjects’ Rights”); and
We will ensure that appropriate technical, organizational and security
measures are put in place to protect the Personal Data when Processed,
including protection against unauthorized or unlawful Processing and
against accidental loss, destruction or damage (hereinafter, the
“Integrity, Confidentiality and Security Principle”).
The Purpose Limitation Principle
In the course
of our business, we collect and Process different types of Personal Data
from different categories of Data Subjects for a variety of purposes. We
will identify specific, explicit and legitimate purposes in advance and we
will document them in our Records of Processing Activities (see Section
VIII). We will inform the Data Subjects of these purposes when we first
collect the Personal Data or as soon as possible thereafter (see the next
sub-section B), unless a relevant exception applies.
We will not Process Personal Data that have been collected for a specific
purpose for a different, incompatible purpose, unless permitted by
Applicable Laws.
If
you intend to Process Personal Data for a different purpose than the one
initially identified, please speak to the Privacy Officer prior to
commencing the Processing activity.
The Lawfulness, Fairness and Transparency Principle
1. Lawfulness and Fairness
Processing of Personal Data is only lawful if it is permitted by
Applicable Laws.
We will only
Process Personal Data based on one of the permissible legal grounds listed
in the Applicable Laws. The legal grounds for Personal Data Processing we
most typically rely upon include, but are not limited to, the following:
The necessity to perform a contract to which the Data Subject is party;
The necessity to comply with an EU-originated legal obligation to which
we are subject;
The necessity for the purposes of legitimate interests pursued by us as
a Controller or by a third party; and/or
The consent given by the Data Subjects.
We aim to minimize the amount of Special Categories of Personal Data
that we Process. We will only Process Special Categories of Personal Data,
if permissible under Applicable Laws, for example, when we are legally
obliged to do so or with the explicit consent of the Data Subjects.
We will identify the appropriate legal basis in advance and document it in
our Records of Processing Activities (see Section VIII below).
Transparency
In accordance with Applicable Laws,
before we Process the Personal Data, we will provide a so-called data
protection notice to the individuals in which we describe, at a minimum, in
a manner easy to understand for the addressees, the following:
The identity and contact details of Superior Essex Group entity/ies,
which is/are the relevant Controller(s);
The categories of Personal Data we Process;
The purposes for which we Process the Personal Data and legal bases to
do so;
To whom we disclose the Personal Data;
Whether we transfer the Personal Data outside of the EEA (including the
country of destination and the transfer mechanisms used);
The period for which we store the Personal Data (or, if that is not
possible, criteria we used to determine that period);
The rights Data Subjects can exercise with respect to the Processing of
their Personal Data;
Whether the provision of Personal Data is a statutory or contractual
requirement, or a requirement necessary to enter into a contract, as
well as whether the Data Subjects are obliged to provide the Personal
Data and the possible consequences of failure to provide such data;
and
The existence of Automated Decision-Making, including Profiling and in
cases required by the GDPR, meaningful information about the logic
involved, as well as the significance and the envisaged consequences of
such Processing for the Data Subject.
The Data Minimization Principle
We will
implement reasonable technical and organizational measures to ensure that
any Personal Data we Process are adequate, relevant and limited to what is
necessary for the purpose(s) for which we Process them.
The Accuracy Principle
We will implement
reasonable technical and organizational measures to ensure that any Personal
Data we Process are accurate and kept up-to-date. We will check the accuracy
of any Personal Data at the point of collection and at regular intervals
afterwards. We will take all reasonable steps to destroy or amend inaccurate
or out-of-date data.
The Storage Limitation Principle
We will
implement reasonable technical and organizational measures so we do not keep
Personal Data longer than necessary for the purpose(s) for which they were
collected or as otherwise required or permitted by Applicable Laws and in
accordance with the Superior Essex Group Records Retention Policy. We take all
reasonable steps to securely destroy, or erase from our systems and records,
all Personal Data that are no longer required.
The Data Subjects’ Rights
We respect the rights
afforded to Data Subjects under Applicable Laws, in particular:
Right of access: the Data Subject may request information about their
Personal Data for which we are responsible and request a copy of that
data.
Right to rectification: the Data Subject may request the rectification
of inaccurate Personal Data and to have incomplete data completed.
Right to erasure: the Data Subject may request erasure of their Personal
Data, if the data are inaccurate or Processed in a way which is
incompatible with the purpose(s) pursued by us.
Right to data portability: if we Process Personal Data on the basis of a
contract with the Data Subject or based on his/her consent, the Data
Subject may request to receive his/her Personal Data in a structured,
commonly used and machine-readable format, and ask us to transfer such
data to a third party, where technically feasible.
Right to restriction: the Data Subject may request to limit the
Processing of his/her Personal Data.
Right to objection: the Data Subject may object to or oppose the
Processing of his/her Personal Data.
Right to lodge a complaint: the Data Subject may lodge a complaint with
a competent supervisory authority in the EU situated at their habitual
residence, place of work, or place of alleged infringement.
Right to refuse or withdraw consent: the Data Subject may refuse to give
consent to Processing of their Personal Data and can withdraw the
consent at any time without any adverse consequences.
Right not to be subject to decisions based solely on automated
Processing: the Data Subject shall have the right not to be subject to a
decision based solely on automated Processing (i.e., Automated
Decision-Making), including Profiling, which produces legal effects
concerning him or her or similarly significantly affects him or her,
subject to exceptions provided by the GDPR.
Applicable Laws impose a limited timeframe within which we must
respond to valid Data Subjects’ requests. Any request from a Data Subject
must be immediately forwarded to the Privacy Officer (see Section XII).
The Integrity, Confidentiality and Security Principle
To protect the Personal Data we Process, we will implement
reasonable technical and organizational measures against unauthorized or
unlawful Processing of Personal Data and against accidental loss,
destruction or damage of Personal Data.
Such measures shall
include as appropriate:
The pseudonymization and encryption of the Personal Data;
The ability to ensure the ongoing confidentiality, integrity,
availability and resilience of Processing systems and services;
The ability to restore the availability and access to Personal Data in a
timely manner in the event of a physical or technical incident;
A process for regularly testing, assessing and evaluating the
effectiveness of technical and organizational measures for ensuring the
security of the Processing.
DATA PROTECTION BY DESIGN AND BY DEFAULT
We will
make reasonable efforts, both at the time of the determination of the means
for Processing and at the time of the Processing itself, to implement
appropriate technical and organizational measures, such as pseudonymization,
which are designed to implement the key data protection principles set out
in Section III of this Policy in an effective manner and to integrate the
necessary safeguards into the Processing in order to meet the requirements
of the Applicable Laws.
We will take reasonable steps to
implement appropriate technical and organizational measures so that, by
default, only Personal Data which are necessary for each specific purpose of
the Processing are Processed.
Some of the Processing that we carry out may result in risks to privacy and
the rights and freedoms of individuals and, where required by the Applicable
Laws, we will carry out a data protection impact assessment to assess the
impact of the envisaged Processing operations on the protection of Personal
Data, the necessity and proportionality of the Processing operations in
relation to the purposes, the risks to the rights and freedoms of the
individuals concerned, and the measures envisaged to address the risks.
PERSONAL DATA DISCLOSURE PRACTICES
We will take
reasonable precautions to allow access to Personal Data only to those who
have a legitimate purpose for access and who require such access to perform
their job duties and, where applicable, subject to appropriate safeguards.
Intra-Group
When we share Personal Data within
the Superior Essex Group, we will take reasonable steps to ensure compliance
with the key data protection principles listed in Section IV of this Policy.
For this purpose, we have put in place the Global Intra-Group Data
Processing and Transfer Agreement.
Third Parties
When we share Personal Data with
third parties, we will take reasonable steps to conduct due diligence, where
appropriate, and to put in place appropriate contractual or other
safeguards, which, among other things, contain provisions to ensure the
protection of the integrity, availability and confidentiality of the
Personal Data.
INTERNATIONAL DATA TRANSFER PRACTICES
When we
transfer Personal Data to another country or territory, we will take
reasonable steps to ensure that the protection afforded to the Personal Data
in the country of origin applies to the Personal Data so transferred and
that the transfer will take place in accordance with Applicable Laws.
Intra-Group
We transfer Personal Data to
Superior Essex Group entities established outside the EEA, in accordance
with the Global Intra-Group Data Processing and Transfer Agreement we have
concluded based on the standard contractual clauses of the European
Commission. Occasionally, transfers may take place using alternative data
transfer mechanisms, such as the EU Standard Contractual Clauses, or on the
basis of permissible statutory derogations.
Third Parties
Transfers to third parties
established outside the EEA shall only take place if the third country
ensures an adequate level of protection or using an acceptable data transfer
mechanism, such as the EU-U.S. Privacy Shield for transfers to
self-certified U.S. organizations, the European Commission’s standard
contractual clauses, Binding Corporate Rules, approved Codes of Conduct and
Certifications or in exceptional circumstances on the basis of permissible
statutory derogations.
RECORDS OF PROCESSING
We will keep up-to-date
records of all the Processing activities in accordance with Applicable Laws.
These Records must contain as a minimum:
The name and contact details of the Controller;
The purposes and the legal basis of the Processing;
A description of the categories of Data Subjects and of the categories
of Personal Data;
The categories of recipients to whom the Personal Data have been or will
be disclosed including recipients in third countries or international
organizations;
The transfer mechanism used to internationally transfer Personal Data
and the country/international organization they were transferred to;
The envisaged time limits for erasure of the different categories of
Personal Data; and
A general description of the technical and organizational security
measures to protect the Personal Data.
TRAINING
We will train our employees regarding
our data protection policies and procedures.
AUDIT
We will develop and maintain self-assessment procedures and audit compliance with this and related policies to mitigate and remedy any non-compliance.
QUESTIONS AND COMPLAINTS
Any questions with respect to this Policy can be addressed to the Privacy Officer.
Any person, including a Data Subject, who believes that this Policy has been violated, may submit a complaint to the Privacy Officer.
DATA PROTECTION NETWORK
We allocate responsibilities for compliance with Applicable Laws at senior management level, across business units, functional groups and geographies. Any request, question, or complaint relating to this Policy, related data protection policies or Applicable Laws can also be addressed to the Vice President, Global Human Resources as appropriate. The Vice President, Global Human Resources, may consult with the designated Privacy Officer for the Superior Essex Group entity to which the request, question, or complaint relates.
RELATED POLICIES, STANDARDS, GUIDELINES AND REFERENCES
We will make any related policies, standards, guidelines and references available via the intranet.
NON-COMPLIANCE
Violations of this Policy leading to the unauthorized use or disclosure of Personal Data may result in disciplinary action up to and including termination. Additionally, individuals may face civil, contractual or criminal liabilities.
CHANGES TO THIS POLICY
We reserve the right to modify this Policy as needed to reflect changes in laws, our practices and procedures, or requirements imposed by supervisory authorities.