Gates Industrial Corporation plc and its relevant affiliates (“Gates” or the “Company”) are
committed to the highest standards of business conduct across all of the Company’s activities and
operations. As part of this commitment, Gates takes privacy and data protection very seriously.
Gates has, therefore, established these Global Internal Privacy Principles (“Privacy Principles”)
which further detail how personal data will be collected, stored and processed within Gates.
Further, many countries have enacted statutes and other laws that protect certain types of personal
data. If Gates fails to comply with such laws, it may be liable towards data subjects or be subject
to administrative and criminal sanctions. It is therefore important that each person working with
personal data within Gates is aware of and complies with these Privacy Principles, along with the
related policies noted below.
If you have any questions regarding these Privacy Principles, or how they should be applied in
practice, please contact the Gates Law Department. To the extent there is any conflict with or
additional requirements mandated by any local or regional law, Gates will comply with all such
These Privacy Principles are supplemented by a number of Gates policies, including, but not
In these Privacy Principles, “personal data” refers to any information concerning an identified or
identifiable natural person (such as employees, contact persons at customers or suppliers, etc.,
which are referred to as “data subjects”) or as such term is defined by local applicable law.
Fair and lawful processing – Gates processes personal data in a fair and lawful way.
Before implementing a new process that involves personal data processing, Gates will
strive to verify that applicable laws allow such processing; for example, the law may
allow it because Gates has an obligation or right to process such personal data, or
because it is necessary for Gates' legitimate interests to process such data so long as it
does not adversely affect the rights of the data subject. Where required by law, Gates
will use reasonable efforts to obtain the data subject's consent before processing such
person's personal data.
Purpose limitation – Gates will collect and process personal data for specified, explicit
and legitimate purposes only. For example, Gates may collect and use personal data:
(a) in order to perform a contract; (b) where the data subject has provided consent; (c)
where necessary in order for Gates to carry out its legitimate business activities (for
more detail, please see above referenced Related Policies); (d) in order to comply with
its legal obligations; (d) where there is an urgent safety or product recall notice; or (e)
to consider a person’s application for employment with the Company.
Gates will not use personal data collected for a specified purpose in a way incompatible
with such purpose, taking into account the data subject's reasonable expectations and
scope of any necessary consent. Therefore, before engaging in personal data collection,
Gates will assess the purposes for which it intends to use such data, and use reasonable
efforts to communicate such purposes to the data subject in accordance with
transparency requirements. In each case where Gates uses personal data for purposes
other than those for which the data was collected, Gates will inform the data subjects
of such use and, where required, obtain their consent.
Special categories of data – Gates is aware that its processing activities may involve
special categories of data, such as medical data or other sensitive data, and that such
types of data are often granted a more protective status under data protection laws. In
each case where Gates processes such special categories of personal data, Gates will
verify whether its security measures take into account the nature of such data and the
risks, and take additional measures as necessary to ensure fair and lawful processing of
Data quality and minimization – Gates will strive to only process personal data that
is adequate, relevant and proportionate to the purposes for which the personal data is
collected and further processed. When implementing a new personal data processing
activity, Gates will strive to assess whether all data collected from the data subject or a
third party are proportionate for the intended use. Gates will also use reasonable efforts
to regularly update data so as to avoid processing of inaccurate or incomplete data.
Data storage – Once Gates no longer needs personal data for the purposes for which
it was collected, Gates will use reasonable efforts to delete or anonymize such data, in
order to ensure the natural person to which such data relates can no longer be identified.
When implementing a new personal data processing activity, Gates will determine an
appropriate storage term and manage the data accordingly.
Transparency – Gates will inform the data subjects of its intended personal data
processing before commencing such processing, in such manner as is appropriate,
given the way in which the data was collected (such notices may be provided through
example). Gates will strive to inform the data subjects of all relevant details of the
processing activities in a clear and understandable manner. Such details will include
the identification of the Gates entity responsible for the data processing, the purposes
for which data is being processed, the categories of recipients of the data, the data
subject's right to access and rectification, and such other information as may be
appropriate given the circumstances or as required under applicable law (e.g., by GDPR
Access, rectification and deletion – Gates will respond to requests from data subjects
to access their data, to receive a copy or description of the information it possesses
about them, or to have data be updated or deleted, in accordance with any procedural
requirements and time frames as may be imposed by applicable laws, provided Gates
does not have any lawful reason under any applicable law to continue to use and possess
that information. All such requests shall be directed to Privacy@gates.com.
Security – Gates will use reasonable efforts to implement appropriate technical and
organizational measures to protect personal data against accidental or unlawful
destruction or accidental loss, alteration, unauthorized disclosure or access, and against
all other unlawful forms of processing, taking into account applicable law. When
assessing which security measures are appropriate for a specific processing activity,
Gates will take into account industry standards, the cost of implementing data security
measures in relation to the risks represented by the processing, the nature of the specific
types of data to be protected, and any data security measures required by applicable
Confidentiality – Gates will treat all personal data confidentially. When implementing
a new personal data processing activity, Gates will assess which Gates personnel are
required to have access to the personal data, taking into account their responsibilities
and functions within Gates and the purposes for which the data is being processed.
Third party processors – For some personal data processing activities, Gates may
need to involve a third party supplier (for example, IT providers, payroll providers,
etc.). Gates is aware that in such case, it remains responsible for complying with
applicable laws. Gates will therefore require through contractual provisions that such
third party suppliers provide services in accordance with Gates’ privacy and data
protection obligations. Gates will in any case use reasonable efforts to require that such
suppliers only process personal data in accordance with Gates' instructions, and
implement appropriate technical and organizational security measures.
Transfer of data – Gates is aware that different countries have different privacy and
data protection rules, each offering a different level of protection to the data subject.
Gates will use reasonable efforts not to transfer personal data across borders in a
manner that adversely affects the rights of the data subjects (either within the Gates
group or to external parties). More specifically, when transferring personal data from a
country to another country that does not offer the same level of protection as the former,
Gates will take such reasonable measures as are appropriate to continue ensuring an
adequate level of protection for the personal data (e.g. agreed specific contractual
provisions with the recipient of the data).
Gates is aware that in certain countries, certain personal data processing activities must
be notified to and/or authorized by the local regulator. When implementing a new
personal data processing activity, Gates will assess whether such notification or
authorization is required, and act accordingly.
Gates is conscious that certain specific activities involving personal data or affecting
persons' privacy (e.g. CCTV, direct marketing, employee monitoring, etc.) may be
subject to specific additional or different rules and requirements (e.g. specific notice
obligations, works council involvement, etc.). Gates will for each such activity
undertake to identify the relevant rules and requirements, and follow applicable legal
Gates Data Privacy Team