PURPOSE:
To set forth the policy of Managedstorage International, LLC dba Presilient, LLC. (“Company”) in regard to its compliance with the Safe Harbor Principles of the U.S. Department of Commerce for the protection of employee data transferred from the Company’s locations in the European Union (“EU”) to the United States (“U.S.”), as required by the EU Directive on Data Protection.
SCOPE:
This Employee Data Privacy Policy (the “Policy”) applies to the Company in the processing of employee data received from the Company’s locations in the EU.
Customer Data: Managedstorage International, LLC does not collect personal data from customers. The company processes information solely for business purposes. As a provider of selected backup and storage management services, all data is stored in resident country backup and storage devices or secure off site facilities. Personal information is not used, sold or retransmitted other than for its original purpose.
POLICY:
Managedstorage International, LLC is a U.S.-based company with locations in the EU. The EU’s comprehensive privacy legislation, the Directive on Data Protection (the “Directive”), requires that transfers of personal data take place only: (1) where a relevant basis exists upon which a transfer may be made; or (2) to non-EU countries that provide an “adequate” level of privacy protection for such data.
The U.S. has not been recognized by the EU as a country that provides adequate protection for personal data. Nonetheless, the U.S. Department of Commerce (“DoC”), in consultation with the EU, has developed a “safe harbor” framework to assist U.S. companies in complying with the Directive. The safe harbor framework consists of seven “Safe Harbor Principles” with which the Company must comply if it wishes to self-certify under and enjoy the benefits of the DoC’s safe harbor. (Extensive materials regarding the Safe Harbor Principles can be found online at www.export.gov/safeharbor.)
This Policy sets forth the Company’s procedures for complying with the Safe Harbor Principles in regard to employee data that is transferred to the United States from EU locations. This Policy, including the procedures discussed below, shall be communicated to all employees of the Company’s EU locations and to all Company employees in the U.S. that process or otherwise have access to the “Employee Data” discussed below.
Compliance with this Policy is mandatory, and any employee failing to comply will be subject to disciplinary action, up to and including termination of employment, as may be permitted by applicable law.
PROCEDURES:
Notice
From time to time, the Company collects and uses personal data regarding the employees of its EU subsidiaries and locations (“Employee Data”) for the following purposes:
(a) to facilitate the performance of certain administrative tasks and functions relating to general employment, such as providing compensation, benefits and related services, updating organizational information, making employment-related decisions and providing employee training; and
(b) processing and investigating reports under the Company’s Code of Conduct (the “Code”), or, one or more Company policies (“Policies”).
Employee Data could include one or more of the following: name, address, job title and other job information, location, compensation information, identification number (including, in some cases, national insurance number), employment history, and copy of employment agreement. Additionally, in the case of reports under the Company’s Code of Conduct, Policies, or Employee Handbook, the Company may receive information about an employee’s actions or inactions relative to a legal requirement or other legal or ethical issue covered by Company’s Code of Conduct, Policies or Employee Handbook.
Employee Data is only used and/or disclosed to third parties for the purposes described above. In no case does the Company use and/or disclose to third parties Employee Data for any purpose(s) incompatible with the above stated purposes without first notifying the data subject and providing the data subject with an opportunity to affirmatively opt-out or object to such use or disclosure. Further, except in limited and permissible circumstances, the Company does not use or transfer to third parties Employee Data deemed “sensitive” under the Directive without first providing the data subject with an opportunity to affirmatively opt-in and explicitly agree to such use or disclosure.
Examples of circumstances in which the transfer of sensitive Employee Data is permissible include where the transfer is:
(a) in the vital interests of the data subject or another person;
(b) necessary for the establishment of legal claims or defenses;
(c) required to provide medical care or diagnosis;
(d) necessary to carry out the Company’s obligations in the field of employment law;
(e) expressly permitted by an employee for a specific purpose; or
(f) data that is or has been manifestly made public by the data subject.
Any employee in an EU location of the Company may contact the Company’s Director, Human Resources with inquiries or complaints regarding the Company’s processing of Employee Data, or, to “opt out” of the transfer of Employee Data as described in Section 2 (“Choice”) below.
Choice
Any employee whose Employee Data is to be transferred to third parties or used for purposes incompatible with the purposes described above may choose not to have his or her data so used or transferred. The employee must communicate his or her desire to “opt out” by the means described in the last paragraph of Section 1 (“Notice”) above. An employee may not opt out of the transfer of his or her Employee Data which is transferred by the Company to a third party for the purpose of (1) meeting applicable legal requirements or (2) protecting the legitimate interests of the Company in making employment-related decisions.
Onward transfer
In addition to the limitations on the transfer of Employee Data discussed above, the Company transfers Employee Data only to those third parties who: (a) have agreed, in writing, to provide at least the same level of privacy protection to the Employee Data as is required under the Directive or the Safe Harbor Principles; and/or (b) adhere to the Safe Harbor Principles. Exceptions to this limitation on onward transfer include where an employee has granted the Company express permission to transfer his or her data to the third party, or, where such transfer is necessary for the purpose of meeting an applicable legal requirement.
Security
The Company takes reasonable precautions to protect Employee Data from loss, misuse, or, unauthorized access, disclosure, alteration or destruction. Employee Data is maintained in secure electronic and manual files at the Company’s and/or its subsidiaries’ locations and access to these files is limited to those employees for whom access is necessary to properly process the Employee Data, consistent with the purposes stated in Section 1 (“Notice”) above. Employee Data that is transferred to third parties is done so by methods designed to reasonably reduce the risk that the Employee Data is lost, stolen, or, inadvertently sent to a person or organization other than the intended recipient. The Company retains Employee Data only for as long as is necessary for its intended use, after which time the Data is deleted or destroyed.
Data Integrity
The Company’s personnel coordinate with personnel from Company’s EU locations to ensure that Employee Data is up-to-date, accurate, complete and reliable for its intended use.
Access
An employee whose Employee Data is processed by the Company may request access to his or her Employee Data processed by the Company for the purpose of correcting, amending, or, deleting data that is inaccurate. The Company may deny an employee’s request to access his or her Employee Data where the burden or expense of providing such access would be disproportionate to the risks to the requesting employee’s privacy or where the rights of persons other than the requesting employee would be violated.
Enforcement
a. Recourse and Remedies
As stated in the last paragraph of Section 1 (“Notice”) above, employees in the EU whose Employee Data is processed by the Company should report any complaint(s) about such processing to the Company’s Director, Human Resources. The Company will treat the complaint as a report under the Employee Handbook guidelines and the Director, Human Resources will initiate all of the procedures specified therein to investigate and resolve the complaint. If the complaint is not resolved through this internal process, employees may report complaints to the EU Data Protection Authority (“DPA”) or the American Arbitration Association (AAA). By voluntarily certifying that it will comply with the Safe Harbor Principles, the Company has made itself subject to the dispute resolution, enforcement, and sanctioning powers of the DPA or AAA and has agreed to cooperate and comply with the applicable DPA or AAA in regard to the Company’s processing of Employee Data.
b. Verification
To verify its compliance with the Safe Harbor Principles, the Company, through its internal audit processes, periodically (i.e., at least once a year) conducts a self-assessment to ensure that: (a) this EU Employee Data Privacy Policy is accurate, comprehensive, accessible, prominently displayed, completely implemented and conforms to the Safe Harbor Principles; (b) employees are informed of the internal arrangements for handling complaints and the independent mechanisms through which they may pursue complaints (see Section 7a. above); and (c) the Company has in place procedures for training the appropriate employees on the implementation of this Policy and disciplining those who fail to comply (see Section 4 above).
Managedstorage International, LLC reserves the right to revise or amend this Policy at any time. Any changes to this Policy will be communicated to all appropriate employees.
First Issued: 11/19/2009
Reissued: 07/14/2010
We self-certify compliance with:
