Global Internal Privacy Principles

Gates Industrial Corporation plc

Gates Industrial Corporation plc and its relevant affiliates (“Gates” or the “Company”) are

committed to the highest standards of business conduct across all of the Company’s activities and

operations. As part of this commitment, Gates takes privacy and data protection very seriously.

Gates has, therefore, established these Global Internal Privacy Principles (“Privacy Principles”)

which further detail how personal data will be collected, stored and processed within Gates.

 

Further, many countries have enacted statutes and other laws that protect certain types of personal

data. If Gates fails to comply with such laws, it may be liable towards data subjects or be subject

to administrative and criminal sanctions. It is therefore important that each person working with

personal data within Gates is aware of and complies with these Privacy Principles, along with the

related policies noted below.

 

If you have any questions regarding these Privacy Principles, or how they should be applied in

practice, please contact the Gates Law Department. To the extent there is any conflict with or

additional requirements mandated by any local or regional law, Gates will comply with all such

legal requirements.

RELATED POLICIES

These Privacy Principles are supplemented by a number of Gates policies, including, but not

limited to:

 

DEFINITIONS

In these Privacy Principles, “personal data” refers to any information concerning an identified or

identifiable natural person (such as employees, contact persons at customers or suppliers, etc.,

which are referred to as “data subjects”) or as such term is defined by local applicable law.

GENERAL REQUIREMENTS

Data Uses

 

  • Fair and lawful processing – Gates processes personal data in a fair and lawful way.

    Before implementing a new process that involves personal data processing, Gates will

    strive to verify that applicable laws allow such processing; for example, the law may

    allow it because Gates has an obligation or right to process such personal data, or

    because it is necessary for Gates' legitimate interests to process such data so long as it

    does not adversely affect the rights of the data subject. Where required by law, Gates

    will use reasonable efforts to obtain the data subject's consent before processing such

    person's personal data.

  •  

  • Purpose limitation – Gates will collect and process personal data for specified, explicit

    and legitimate purposes only. For example, Gates may collect and use personal data:

    (a) in order to perform a contract; (b) where the data subject has provided consent; (c)

    where necessary in order for Gates to carry out its legitimate business activities (for

    more detail, please see above referenced Related Policies); (d) in order to comply with

    its legal obligations; (d) where there is an urgent safety or product recall notice; or (e)

    to consider a person’s application for employment with the Company.

     

    Gates will not use personal data collected for a specified purpose in a way incompatible

    with such purpose, taking into account the data subject's reasonable expectations and

    scope of any necessary consent. Therefore, before engaging in personal data collection,

    Gates will assess the purposes for which it intends to use such data, and use reasonable

    efforts to communicate such purposes to the data subject in accordance with

    transparency requirements. In each case where Gates uses personal data for purposes

    other than those for which the data was collected, Gates will inform the data subjects

    of such use and, where required, obtain their consent.

  •  

  • Special categories of data – Gates is aware that its processing activities may involve

    special categories of data, such as medical data or other sensitive data, and that such

    types of data are often granted a more protective status under data protection laws. In

    each case where Gates processes such special categories of personal data, Gates will

    verify whether its security measures take into account the nature of such data and the

    risks, and take additional measures as necessary to ensure fair and lawful processing of

    such data.

  •  

  • Data quality and minimization – Gates will strive to only process personal data that

    is adequate, relevant and proportionate to the purposes for which the personal data is

    collected and further processed. When implementing a new personal data processing

    activity, Gates will strive to assess whether all data collected from the data subject or a

    third party are proportionate for the intended use. Gates will also use reasonable efforts

    to regularly update data so as to avoid processing of inaccurate or incomplete data.

  •  

  • Data storage – Once Gates no longer needs personal data for the purposes for which

    it was collected, Gates will use reasonable efforts to delete or anonymize such data, in

    order to ensure the natural person to which such data relates can no longer be identified.

    When implementing a new personal data processing activity, Gates will determine an

    appropriate storage term and manage the data accordingly.

Data Subject Rights

  • Transparency – Gates will inform the data subjects of its intended personal data

    processing before commencing such processing, in such manner as is appropriate,

    given the way in which the data was collected (such notices may be provided through

    a privacy policy, privacy clauses, privacy statements or information notice, for

    example). Gates will strive to inform the data subjects of all relevant details of the

    processing activities in a clear and understandable manner. Such details will include

    the identification of the Gates entity responsible for the data processing, the purposes

    for which data is being processed, the categories of recipients of the data, the data

    subject's right to access and rectification, and such other information as may be

    appropriate given the circumstances or as required under applicable law (e.g., by GDPR

    or LGPD).

  •  

  • Access, rectification and deletion – Gates will respond to requests from data subjects

    to access their data, to receive a copy or description of the information it possesses

    about them, or to have data be updated or deleted, in accordance with any procedural

    requirements and time frames as may be imposed by applicable laws, provided Gates

    does not have any lawful reason under any applicable law to continue to use and possess

    that information. All such requests shall be directed to [email protected].

Security and Confidentiality

  • Security – Gates will use reasonable efforts to implement appropriate technical and

    organizational measures to protect personal data against accidental or unlawful

    destruction or accidental loss, alteration, unauthorized disclosure or access, and against

    all other unlawful forms of processing, taking into account applicable law. When

    assessing which security measures are appropriate for a specific processing activity,

    Gates will take into account industry standards, the cost of implementing data security

    measures in relation to the risks represented by the processing, the nature of the specific

    types of data to be protected, and any data security measures required by applicable

    law.

  •  

  • Confidentiality – Gates will treat all personal data confidentially. When implementing

    a new personal data processing activity, Gates will assess which Gates personnel are

    required to have access to the personal data, taking into account their responsibilities

    and functions within Gates and the purposes for which the data is being processed.

Third Party Processing and Data Transfer

  • Third party processors – For some personal data processing activities, Gates may

    need to involve a third party supplier (for example, IT providers, payroll providers,

    etc.). Gates is aware that in such case, it remains responsible for complying with

    applicable laws. Gates will therefore require through contractual provisions that such

    third party suppliers provide services in accordance with Gates’ privacy and data

    protection obligations. Gates will in any case use reasonable efforts to require that such

    suppliers only process personal data in accordance with Gates' instructions, and

    implement appropriate technical and organizational security measures.

  •  

  • Transfer of data – Gates is aware that different countries have different privacy and

    data protection rules, each offering a different level of protection to the data subject.

    Gates will use reasonable efforts not to transfer personal data across borders in a

    manner that adversely affects the rights of the data subjects (either within the Gates

    group or to external parties). More specifically, when transferring personal data from a

    country to another country that does not offer the same level of protection as the former,

    Gates will take such reasonable measures as are appropriate to continue ensuring an

    adequate level of protection for the personal data (e.g. agreed specific contractual

    provisions with the recipient of the data).

Regulator Notification and Authorization

  • Gates is aware that in certain countries, certain personal data processing activities must

    be notified to and/or authorized by the local regulator. When implementing a new

    personal data processing activity, Gates will assess whether such notification or

    authorization is required, and act accordingly.

Specific Processing Activities

  • Gates is conscious that certain specific activities involving personal data or affecting

    persons' privacy (e.g. CCTV, direct marketing, employee monitoring, etc.) may be

    subject to specific additional or different rules and requirements (e.g. specific notice

    obligations, works council involvement, etc.). Gates will for each such activity

    undertake to identify the relevant rules and requirements, and follow applicable legal

    requirements.

WHO TO CONTACT:

Gates Data Privacy Team

Email: [email protected]

 

Available in Other Languages:  

中文

Português

ไทย

Español - Argentina

Español - Mexico