GLOBAL PRIVACY AND DATA PROTECTION POLICY
PolyOne respects individual privacy and values the confidence of its employees, associates, customers, vendors, contractors, and business partners. PolyOne strives to collect, use, and disclose Personal Information in a manner consistent with the Safe Harbor Agreements between the United States on the one hand, and the European Union and Switzerland on the other hand, and the laws respecting data protection and privacy of the countries in which it does business.
There are a number of laws and regulations with which PolyOne must comply. Each of these regulations has specific requirements relating to information privacy and data protection with which PolyOne must comply. Failure to comply with these regulations may lead to criminal and civil sanctions, monetary loss, and damage to PolyOne’s hard-earned reputation. Having a strong and clear privacy and data protection policy addresses these and other legal requirements and business needs applicable in specific jurisdictions or in particular circumstances.
This Policy sets out guiding principles to be applied to the collection, use, retention, and disclosure of Personal Information, including those relating to PolyOne’s current, past and prospective employees, customers, suppliers, vendors, contractors, and business associates. This includes all processing of files in an electronic form (including electronic mail and documents created with word processing software), information held in manual files structured with reference to individuals, and information shared with third parties.
Definitions of key terms are provided in Appendix A.
COMMITMENT OF POLYONE AND ITS SUBSIDIARIES
PolyOne Corporation will govern itself in accordance with this policy, will comply with its terms and principles, and to the extent possible will ensure compliance with this policy by other entities within the company’s control. In addition to complying with this policy and applicable law, PolyOne’s subsidiaries will process Personal Information in full compliance with local law, regulation and policy.
Collection and Processing
PolyOne will only obtain Personal Information by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned. Personal Information will be processed in accordance with applicable law, regulation and policy, and in accordance with the legal rights of the individual. The collection of personal information is limited to that necessary for the purposes identified in PolyOne's notice or communication with affected individuals.
PolyOne may collect and use the personal information for: i) various human resource purposes, including but not limited to, job applications, recruiting and hiring activities, evaluation, implementation and administration of human resource, compensation and benefits functions, programs and activities, performance appraisals, training, business travel, employee directories, human resources recordkeeping, succession planning, compliance with legal requirements and other employment related purposes; ii) access to PolyOne’s facilities; and iii) access to and use of PolyOne’s information processing infrastructure, including computers, communication devices, electronic devices, computer and communications networks, external networks, cloud applications, the internet, and services accessed by users of PolyOne’s information processing infrastructure and the internet while using PolyOne’s computers and information processing infrastructure.
PolyOne will, when required by the Safe Harbor principles, applicable law, regulation or policy, or where the company considers that it is reasonably practical and appropriate to do so, provide individuals with information as to the purposes of collection and use of the personal information, the sources of the information, the categories of information collected and stored, the identity of the Data Controller (PolyOne Corporation), the types of agent and non-agent third parties to which PolyOne discloses or may disclose that information, and the choices and means, if any, PolyOne offers for limiting the use and disclosure of individuals’ Personal Information. This notice will be provided in clear and conspicuous language at or before the time the personal information is collected, before the entity changes its privacy policies and procedures, or before personal information is used for new purposes not previously identified.
Choice and Consent
PolyOne will, when required by the Safe Harbor principles or applicable law, regulation or policy, secure the consent of the individual prior to collection, use or disclosure of Personal Information. PolyOne, in a clear and concise manner, will endeavor to offer individuals the opportunity to choose (opt-out) whether their Personal Information is (a) to be disclosed to a non-Agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. In certain circumstances, where applicable law, regulation or policy requires that PolyOne collect certain items of information, or use certain items of information in a particular manner, the provision of such information may constitute a requirement for continued employment.
Use and Retention
PolyOne will process, store, and disclose Personal Information only for legal and customary business-related purposes, and at all times consistently with the values of PolyOne with respect for the privacy of the individual and the protection of Personal Information in accordance with applicable law, regulation and policy. PolyOne will use the personal information for the purposes identified in the notice, retain it for no longer than necessary to fulfill the stated purpose, and dispose of it in a manner that prevents loss, theft, misuse, or unauthorized access.
Safeguarding Personal Information
PolyOne will establish safeguards to reasonably and appropriately protect Personal Information from unauthorized use, disclosure, destruction, and alteration according to the risks presented by processing the information.
Processing Sensitive Information
PolyOne will adopt additional measures for particular types of Personal Information defined by local law, regulation or policy as Sensitive Information or otherwise requiring additional protections. In addition, PolyOne may adopt additional measures to address local custom or social expectation over the Processing of Sensitive Information.
PolyOne will put reasonable measures in place to ensure that Personal Information that it holds and processes is accurate, complete, current, and otherwise reliable to the best of its knowledge in relation to the purposes for which the information is being used. It is recognized that it is the responsibility of the individual to provide Personal Information with these characteristics to PolyOne. PolyOne will only use Personal Information that PolyOne believes is adequate and relevant to the purposes for which it is to be used. Individuals will be informed about how they may obtain access to their personal information to review, update, and correct the information. Reasonable steps shall also be taken to accommodate employee privacy preferences, such as restricting access to the personal information to those who have a legitimate business need to know the information, making certain information anonymous, or assigning codes or pseudonyms when the actual names are not required for the business purpose at hand.
Upon request and where required or otherwise appropriate, PolyOne will endeavor to grant individuals reasonable access to Personal Information that it holds about them. Notwithstanding, such access may be denied by PolyOne where (i) such access could potentially disclose Personal Information of another person, and therefore, violate his/her privacy rights; (ii) such access could potentially disclose information relating to any ongoing PolyOne investigation; (iii) such access could potentially disclose PolyOne’s confidential information; (iv) the cost of such access would be significantly disproportionate to the benefits derived or to the risks to the individual's privacy in the case in question; (v) PolyOne has a reasonable good faith belief that the request is not to correct data but to hide or alter data that could adversely affect the associate requesting the correction; and (vi) at any point it becomes clear that the frequency of any individual's access requests is unjustified and harassing in nature.
In the event a request is denied, PolyOne will notify the individual regarding the reasons for denial in writing. In addition, the Company will endeavor to take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.
Disclosures to Third Parties
Prior to disclosing Personal Information to a third party, PolyOne will notify the associate of the disclosure and apply the choice principles noted above. PolyOne will disclose Personal Information to third parties only for legal and customary business-related purposes, and only when PolyOne has assurances that the information will be processed and protected appropriately and in compliance with applicable laws and regulations. PolyOne Management will take appropriate steps to confirm that the third parties from whom personal information is collected are reliable sources that collect information fairly and lawfully and agree in writing to provide an adequate level of protection.
International Transfers of Personal Information
PolyOne will transfer Personal Information to or allow access by entities in other countries only for legal and customary business-related purposes (including but not limited to those indicated in the Use and Retention section of this policy), and only when PolyOne has assurances that the information will be processed and protected appropriately and in compliance with the Safe Harbor principles and applicable law, regulation and policy. PolyOne will routinely review its requirements under local law, regulation and policy for the Processing and protection of Personal Information to validate that its obligations and the obligations of the recipients in the other countries are met for the Processing and protection of the information.
Monitoring and Enforcement
PolyOne will ensure that its employees who process Personal Information (including but not limited to human resources staff, information technology workers, employee managers and supervisors, customer service representatives, marketing personnel, sales force personnel) are aware of and comply with the contents of this policy. PolyOne will be responsible for providing its personnel with appropriate training with respect to this policy. Noncompliance with the policy may result in disciplinary action up to and including discharge.
In the event of questions concerning the application or enforcement of this policy, the matter should be brought to the attention of the appropriate HR Representative for resolution.
Incident and Breach Management
In the event of a potential privacy incident or breach, the matter should be immediately reported to the regional Human Resources Director for resolution. If a complaint or report is unable to be resolved, PolyOne (or the Regional Human Resources Director) will cooperate with the applicable data protection authorities in resolving the complaint.
Questions or comments about this Policy may be submitted to:
The Corporate Privacy Officer
33587 Walker Road
Avon Lake, Ohio 44012
This Policy may be amended from time to time in compliance with the requirements of the Safe Harbor principles and applicable law. Appropriate notice will be given concerning such amendments. To the extent there is any conflict between the Safe Harbor or applicable law and this policy, the Safe Harbor principles or applicable law shall take precedence.
APPENDIX A: DEFINITIONS
In this policy, the following definitions are used:
• Data Controller. A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer systems or in manual files. Data controllers can be either individuals or "legal persons" such as companies, governmental departments/agencies and voluntary organizations. Examples of cases where the data controller is an individual include general practitioners, pharmacists, politicians and sole traders, where such individual keeps personal information about their patients, clients, constituents etc.
• Personal Information. Personal Information is defined as any information relating to an identified, or in some jurisdictions an identifiable, natural person. An identifiable person is a person who can be identified, directly or indirectly, by reference to an identification number or factors specific to his or her physical, physiological, mental, economic, financial, cultural, or social identity, sometimes referred to as Personally Identifiable Information (PII). However, the broader definition of Personal Information sometimes includes information about individuals that is not identifiable, such as aggregate, statistical, or de-identified data.
• Processing. Processing of Personal Information (or simply Processing) refers to any operation or set of operations that are performed upon Personally Identifiable Information, whether done by automatic means or otherwise. This includes the collection, recording, organization, storage, updating or modification, retrieval, consultation, review, use, disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure or destruction of Personal Information.
• Sensitive Information. Sensitive Information is a special designation of Personal Information that warrants additional protection. Although the definition can vary by country, Sensitive Information is often described as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, personal relationships, personal activities, and data relating to offenses, criminal convictions or security measures.