APPLICABLE TO THE UNITED STATES AND CANADA
Version: January 3, 2022.
Data Privacy Principles
The Company seeks to observe the following ten (10) principles related to data privacy in the employment context:
The Personal Information the Company Collects
The Company collects Personal Information about you to satisfy its business purposes and interests, or as may otherwise be required or permitted by law. Generally, the Company collects the following types and categories of Personal Information in the employment context:
The Purpose of the Company’s Data Processing
The Company collects and uses Personal Information about, or related to, you and relevant third parties for a broad range of routine legal, business and human resource (“HR”) management purposes, including the following:
Generally, the Company processes Personal Information about you because such processing is necessary for the Company (i) to establish, manage and terminate the employment relationship , (ii) to satisfy its obligations in connection with an employment contract (e.g., salary disbursement and benefits administration), (iiI) to satisfy its legitimate interests (e.g. to protect the security of the Company’s employees, systems, and premises), or (iv) to comply with the Company’s legal or regulatory requirements. In some circumstances, the Company’s data processing is based on the consent of its employees or others. The Company may have multiple reasons to process Personal Information about you and the identification of one such reason does not preclude the applicability of any other.
The Company’s Disclosure of Personal Information
The Company shares Personal Information, among the Company and with external third parties, to satisfy the purposes described above. When appropriate to support the Company’s management, administration or business interests, or to comply with legal or regulatory obligations, the Company may disclose, transfer, or otherwise share Personal Information with authorized third parties, including (but not limited to) regulatory or law enforcement authorities; government entities; credit professionals; distributors, suppliers, and similar business contacts; outside legal counsel, auditors, and other professional advisors. The Company may also disclose Personal Information to third-party service providers, such as the payroll company used to facilitate payment obligations, the administrator of the Company’s group pension plan, brokers who are used to obtain insurance and benefits, private medical and dental-care providers, support services, IT support teams, and other types of service providers. However, the Company seeks to restrict access to special or sensitive categories of Personal Information to the extent required by applicable Data Protection Law.
The Company may also share Personal Information with potential acquirers or investors of the Company. The Company may share Personal Information in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Company’s practice or assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by the Company, in any form or format, is among the assets transferred.
The Company’s Location and Data Transfers; Additional Privacy Rights
The Company is headquartered in the United States and has offices and locations in many countries and jurisdictions. The Company may, in its sole discretion, transfer, process, and retain Personal Information outside the jurisdiction in which it is collected or where you reside, and in such circumstances, the relevant Personal Information may be available to government authorities under lawful orders and laws applicable in such foreign jurisdictions. Depending on the jurisdiction in which you reside or where the Company conducts its business activities, additional privacy rights and cross-border notice requirements may find application, and Schedule 1 sets forth those additional privacy rights and requirements.
The Company’s Data Retention
The Company retains employee records in accordance with industry standards and its internal policies, and as long as needed to satisfy its responsibilities to its employees or its own legal or regulatory obligations, or to protect its legal interests and business needs. The Company will destroy all Personal Information and any devices and assets that retain or transmit Personal Information in accordance with industry standards and its internal policies, and the Company may contract with a third-party vendor to perform these data disposal and asset destruction functions on the Company’s behalf. For more information, see the Company’s Records and Information Management Policy, which is accessible at http://rpmpolicies.rpminc.com/rpm-policies/ and the Email Management Policy, which is accessible at https://policies.rpminc.com/legal-compliance-policies/email-management/.
Your Obligation to Safeguard Personal Information
In the event you have access to Personal Information by way of your employment or otherwise in connection with the Company you shall collect and use such data in accordance with all applicable Data Protection Laws and Company policies.
If you have access to a person’s social security number, driver’s license number, or other government identifiers, financial information, or other Personal Information you shall (i) protect its confidentiality, integrity, and availability, (ii) protect it from any unlawful or unauthorized access, use, or disclosure, including compliance with the Password Policy, which can be accessed at https://policies.rpminc.com/data-privacy-policies/password-policy/, and (iii) limit its access and use to the minimum extent necessary and required to perform an authorized business or legal function.
All new or revised data processing activities involving Personal Information must comply with the DPIA Policy, which can be found at https://policies.rpminc.com/data-privacy-policies/dpia/dpia-policy/.
Any employee who becomes aware of, or reasonably suspects, a breach of the foregoing, must immediately notify his/her supervisor and submit a reportable event at https://rpminc.ethicspointvp.com/custom/rpminc/forms/mgr/form_data.asp?land=en in accordance with our Reportable Events Policy, which is accessible at https://policies.rpminc.com/reportable-events-and-hotline-policies/reportable-events/reportable-events-policy/.
Employee Rights and Responsibilities
Depending on the jurisdiction in which you reside, or where the Company conducts its data processing activities, you may be afforded additional rights or privileges under applicable Data Protection Laws. Schedule 1 sets forth those additional data protection rights or privileges.
Without limiting the foregoing, you must, promptly and without delay, notify the Company (preferably in writing to firstname.lastname@example.org or your applicable Human Resources or Group Legal Departments) of any amendments that need to be made to your Personal Information, or to Personal Information you provided the Company concerning a third party, to ensure its accuracy, reliability, and relevancy. If you choose not to provide the Company with the Personal Information identified herein, then the Company may not be able to satisfy its own contractual or legal obligations, and in such circumstances, continued employment with the Company may not be permissible, and you acknowledge and agree that the Company shall not be held liable for any consequence directly resulting from these circumstances.
Any questions, concerns, or comments related to how the Company processes Personal Information, or the rights and privileges described herein, should be directed to your HR representative, your Group Legal Department or to email@example.com. For general information about the Company’s consumer privacy practices, please visit https://www.rpminc.com/privacy-policy.
For purposes of this Policy, the following definitions shall apply:
“Data Protection Law” refers to any U.S. and Canadian data protection laws, statutes, and regulations applicable to the Company in the context of the Company’s collection, processing, retention, dissemination, disclosure, transfer, disposal, or use of Personal Information.
“Personal Information” refers to any information, or a combination of pieces of information, about an individual or that can reasonably identify an individual, and that is subject to, or otherwise afforded protection under, an applicable Data Protection Law.
This Policy does not form, in full or in part, any contract of employment or other agreement to provide services, and nothing herein shall be construed to (in any way) terminate, supersede, undermine, or otherwise modify the status of the employment or professional relationship between you and the Company, pursuant to which the Company may terminate the employment or professional relationship at any time, with or without cause, and with or without notice. The Company may amend or update this Policy from time to time and the Company will, when necessary and appropriate, notify you of such amendments and updates.
JURISDICTION SPECIFIC DATA PROTECTION LAWS
If your Personal Information is subject to, or afforded protection under, any of the following Data Protection Laws, then you are entitled to receive notice of the following:
Based on certain data protection laws in Canada, employees in some Canadian jurisdictions may have a right to request access and request that the Company update or correct the Personal Information in its custody or control, subject to limited exceptions prescribed by law. Such requests should be directed to your supervisor, an HR representative, your group Legal Department or to firstname.lastname@example.org. For more information on Canada’s provincial and territorial privacy laws and who is responsible for their enforcement, please see the following: https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/provincial-and-territorial-privacy-laws-and-oversight/. If you would like (i) information about the Company’s data practices with respect to service providers outside Canada, or how such service providers collect, use, disclose or store Personal Information, or (ii) to file a complaint, or raise concerns about, our data processing activities, please contact the Company at email@example.com.
United States in General
For purposes of DE ST TI 19 § 705, the Company monitors or otherwise intercepts the telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of its employees and of any party accessing the Company’s information technology assets, networks, systems, environment, and resources, and the use of the same constitutes consent to the foregoing.
For purposes of NY CIV RTS § 52–c, Company employees are hereby notified that any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee, by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems, that are owned, leased, or operated by the Company may be subject to interception and monitoring at any and all times and by any lawful means.