Global Internal Privacy Principles

Gates Industrial Corporation plc

Gates Industrial Corporation plc and its relevant affiliates (“Gates” or the “Company”) are committed to the highest standards of business conduct across all of the Company’s activities and operations. As part of this commitment, Gates takes privacy and data protection very seriously. Gates has, therefore, established these Global Internal Privacy Principles (“Privacy Principles”) which further detail how personal data will be collected, stored and processed within Gates.

Further, many countries have enacted statutes and other laws that protect certain types of personal data. If Gates fails to comply with such laws, it may be liable towards data subjects or be subject to administrative and criminal sanctions. It is therefore important that each person working with personal data within Gates is aware of and complies with these Privacy Principles, along with the related policies noted below.

If you have any questions regarding these Privacy Principles, or how they should be applied in practice, please contact the Gates Law Department. To the extent there is any conflict with or additional requirements mandated by any local or regional law, Gates will comply with all such legal requirements.

RELATED POLICIES

These Privacy Principles are supplemented by a number of Gates policies, including, but not limited to:

  • Gates Europe BVBA/SPRL Privacy Policy (hereinafter, the “Gates Europe Privacy Policy”)
  • Gates Cookie Policy
  • Gates Information Security Policy
  • Gates Electronic Communication Retention Policy
  • Gates Records Retention Policy and accompanying Retention Schedules
  • Gates Job Applicants Privacy Statement

DEFINITIONS

In these Privacy Principles, “personal data” refers to any information concerning an identified or identifiable natural person (such as employees, contact persons at customers or suppliers, etc., which are referred to as “data subjects”) or as such term is defined by local applicable law.

 

GENERAL REQUIREMENTS

Data Uses

  •  Fair and lawful processing – Gates processes personal data in a fair and lawful way. Before implementing a new process that involves personal data processing, Gates will strive to verify that applicable laws allow such processing; for example, the law may allow it because Gates has an obligation or right to process such personal data, or because it is necessary for Gates' legitimate interests to process such data so long as it does not adversely affect the rights of the data subject. Where required by law, Gates will use reasonable efforts to obtain the data subject's consent before processing such person's personal data.
  • Purpose limitation – Gates will collect and process personal data for specified, explicit and legitimate purposes only. For example, Gates may collect and use personal data: (a) in order to perform a contract; (b) where the data subject has provided consent; (c) where necessary in order for Gates to carry out its legitimate business activities (for more detail, please see the Gates Europe Privacy Policy); (d) in order to comply with its legal obligations; (e) where there is an urgent safety or product recall notice; or (f) to consider a person’s application for employment with the Company.

Gates will not use personal data collected for a specified purpose in a way incompatible with such purpose, taking into account the data subject's reasonable expectations and scope of any necessary consent. Therefore, before engaging in personal data collection, Gates will assess the purposes for which it intends to use such data, and use reasonable efforts to communicate such purposes to the data subject in accordance with transparency requirements. In each case where Gates uses personal data for purposes other than those for which the data was collected, Gates will inform the data subjects of such use and, where required, obtain their consent.

  • Special categories of data – Gates is aware that its processing activities may involve special categories of data, such as medical data or other sensitive data, and that such types of data are often granted a more protective status under data protection laws. In each case where Gates processes such special categories of personal data, Gates will verify whether its security measures take into account the nature of such data and the risks, and take additional measures as necessary to ensure fair and lawful processing of such data.
  • Data quality – Gates will strive to only process personal data that is adequate, relevant and proportionate to the purposes for which the personal data is collected and further processed. When implementing a new personal data processing activity, Gates will strive to assess whether all data collected from the data subject or a third party are proportionate for the intended use. Gates will also use reasonable efforts to regularly update data so as to avoid processing of inaccurate or incomplete data.
  • Data storage – Once Gates no longer needs personal data for the purposes for which it was collected, Gates will use reasonable efforts to delete or anonymize such data, in order to ensure the natural person to which such data relates can no longer be identified. When implementing a new personal data processing activity, Gates will determine an appropriate storage term and manage the data accordingly.

 

Data Subject Rights

  • Transparency – Gates will inform the data subjects of its intended personal data processing before commencing such processing, in such manner as is appropriate, given the way in which the data was collected (such notices may be provided through a privacy policy, privacy clauses, privacy statements or information notice, for example). Gates will strive to inform the data subjects of all relevant details of the processing activities in a clear and understandable manner. Such details will include the identification of the Gates entity responsible for the data processing, the purposes for which data is being processed, the categories of recipients of the data, the data subject's right to access and rectification, and such other information as may be appropriate given the circumstances.
  • Access, rectification and deletion – Gates will respond to requests from data subjects to access their data, to receive a copy or description of the information it possesses about them, or to have data be updated or deleted, in accordance with any procedural requirements and time frames as may be imposed by applicable laws, provided Gates does not have any lawful reason under any applicable law to continue to use and possess that information. All such requests shall be directed to [email protected]

 

Security and Confidentiality 

  • Security – Gates will use reasonable efforts to implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing, taking into account applicable law. When assessing which security measures are appropriate for a specific processing activity, Gates will take into account industry standards, the cost of implementing data security measures in relation to the risks represented by the processing, the nature of the specific types of data to be protected, and any data security measures required by applicable law.
  • Confidentiality – Gates will treat all personal data confidentially. When implementing a new personal data processing activity, Gates will assess which Gates personnel are required to have access to the personal data, taking into account their responsibilities and functions within Gates and the purposes for which the data is being processed.

 

Third Party Processing and Data Transfer

  • Third party processors – For some personal data processing activities, Gates may need to involve a third party supplier (for example, IT providers, payroll providers, etc.). Gates is aware that in such case, it remains responsible for complying with applicable laws. Gates will therefore require through contractual provisions that such third party suppliers provide services in accordance with Gates’ privacy and data protection obligations. Gates will in any case use reasonable efforts to require that such suppliers only process personal data in accordance with Gates' instructions, and implement appropriate technical and organizational security measures.
  • Transfer of data – Gates is aware that different countries have different privacy and data protection rules, each offering a different level of protection to the data subject. Gates will use reasonable efforts not to transfer personal data across borders in a manner that adversely affects the rights of the data subjects (either within the Gates group or to external parties). More specifically, when transferring personal data from a country to another country that does not offer the same level of protection as the former, Gates will take such reasonable measures as are appropriate to continue ensuring an adequate level of protection for the personal data (e.g. agreed specific contractual provisions with the recipient of the data).

 

Regulator Notification and Authorization

  •  Gates is aware that in certain countries, certain personal data processing activities must be notified to and/or authorized by the local regulator. When implementing a new personal data processing activity, Gates will assess whether such notification or authorization is required, and act accordingly.

 

Specific Processing Activities 

  • Gates is conscious that certain specific activities involving personal data or affecting persons' privacy (e.g. CCTV, direct marketing, employee monitoring, etc.) may be subject to specific additional or different rules and requirements (e.g. specific notice obligations, works council involvement, etc.). Gates will for each such activity undertake to identify the relevant rules and requirements, and follow applicable legal requirements.

 

Who to contact:

Gates Data Privacy Team
Email: [email protected]