PRIVACY SHIELD PRINCIPLES
  1. Notice: The Personal Data We Collect; How And Why We Collect It

ZA receives Personal Data from the EU, Turkey and other countries pertaining to job applicants, employees, potential customers and customers (collectively “data subjects”) to assist its foreign subsidiaries and affiliates in administering the recruitment process, their employment relationship with employees located in the Member States, and their obligations, if any, to former employees, and to facilitate customer relationship management. The Personal Data is stored in ZA’s human resources management system (HRMS) database for human resources data and in the customer relationship management (CRM) system for customer data.

Examples of the purposes for which ZA collects and uses Personal Data include, without limitation, recruitment; workforce management; to administer compensation, payroll, and benefits; to evaluate job performance and engage in succession planning; to administer physical and information systems security as well as help desk support; for emergency contact purposes; to address various legal obligations related to the employment relationship, including obligations in civil discovery; to administer training; to contact potential customers and customers, to manage customer relationships, to administer the Company’s compliance hotline; and to conduct internal audits.

The Personal Data that ZA receives from the EU and Turkey consists largely of information provided by job applicants and employees such as resumes and complete job applications, personal contact information and date of birth. ZA also may receive personal information about an applicant or employee which is created by one of its corporate affiliates, such as interview notes, business contact information, job title, job category, job status, compensation and benefits information, and performance reviews. Personal Data received pertaining to potential customers and customers as provided by these data subjects is generally limited to information on a business card such as name, business title and business postal address, email address and telephone number.

Before processing Personal Data of any employee who resides in an EU Member State, or Turkey, ZA provides the employee with a notice concerning the processing of their Personal Data. ZA will not use or disclose Personal Data transferred from an EU Member State or Turkey to the United States for any purpose that has not previously been disclosed to the employee unless: (a) the employee has received notice and an opportunity to exercise choice, as described below, with respect to such use or disclosure; or (b) applicable law permits the use or disclosure without requiring that ZA first comply with the Notice and Choice Principles.

  1. Choice: How To Opt Out Of Collection Of Your Personal Data By ZA And Transfer To Third Parties

ZA will offer employees or customers in the EU and Turkey whose Personal Data has been transferred to the United States the opportunity to opt out from: (a) the disclosure of Personal Data to a non-agent Third Party; and (b) the use or disclosure of their Personal Data for a purpose other than the purposes for which the information originally was collected or subsequently authorized by the individual or a compatible purpose where required by law. If ZA were to receive “sensitive personal information” (which includes, for example, personal information specifying medical or health conditions, racial or ethnic origin, or trade union membership), ZA will request and obtain affirmative consent before disclosing such information to a non-agent Third Party and before using such information for a purpose other than the purpose originally disclosed or a compatible purpose where required by law. ZA will provide employees or customers with reasonable mechanisms to exercise their choices should such circumstances arise.

  1. Onward Transfer: Third Parties To Whom We May Disclose Your Personal Data

ZA is liable for onward transfers to third parties and will comply with the Notice and Choice Principles before transferring Personal Data to a Third Party who is not an agent of ZA. Before transferring Personal Data to a third-party agent, ZA will obtain assurances from the agent that it will safeguard the data subjects’ Personal Data in a manner consistent with this Policy. Where ZA learns that an agent is using or disclosing Personal Data in a manner contrary to this Policy, ZA will take reasonable steps to prevent such use or disclosure. Disclosures to Third Parties, whether an agent of ZA or not, will be only for the purposes described in this Policy under the section entitled, “Notice,” for a compatible purpose, or for a purpose subsequently authorized by the data subject. ZA may disclose human resource-related information, as described above in Section 1, to third parties who assist ZA in administering employee benefits programs, payroll programs, pension and other retirement programs, and information technology programs and security.

  1. Security For Your Personal Data

ZA strives to protect the Personal Data that it receives from the EU and Turkey. While ZA cannot guarantee the security of the Personal Data that it receives, ZA takes reasonable precautions to protect the Personal Data in the Company’s possession from loss, misappropriation, unauthorized access, disclosure, and destruction. ZA utilizes a combination of online and offline security technologies, procedures and organizational measures to help safeguard Personal Data. For example, facility security is designed to prevent unauthorized access to company computers. Electronic security measures — including, for example, network access controls, passwords, and secure remote access — provide protection from hacking and other unauthorized access. ZA also protects information through the use of firewalls, role-based restrictions, and, where appropriate, encryption technology. ZA limits access to Personal Data to ZA’s employees and agents that have a specific business reason for accessing such Personal Data. Individuals who have been granted access to Personal Data will be made aware of their responsibilities to protect such information and are provided training and instruction on how to do so.

  1. Data Integrity, Accuracy, and Completeness: How We Limit The Collection And Retention Of Your Personal Data

ZA collects only Personal Data that is necessary for the purposes listed in this Policy under the section entitled, “Notice.” ZA will process the Personal Data only in ways that are for, or compatible with, the purposes for which the data was collected or that are subsequently authorized by the data subject. ZA takes reasonable steps to ensure that the information it collects is accurate, complete, current, and reliable for its intended use. ZA will retain Personal Data only for as long as is necessary to accomplish its legitimate business purposes or for as long as may be permitted or required by applicable law.

  1. Access And Correction: How You Can Exercise Your Rights

Upon reasonable request, ZA will grant data subjects reasonable access to their Personal Data and will permit them to correct, amend or delete Personal Data that is inaccurate or incomplete. Data subjects who wish to review or update their Personal Data can do so by contacting ZA’s Global Data Privacy Office at privacy@zapackaging.com. ZA may, in its discretion, charge a reasonable, cost-based fee for access or photocopying. For security purposes, ZA may require verification of identity before providing access to Personal Data.

  1. Enforcement: What To Do If You Have a Complaint

ZA will conduct periodic self-assessments of its relevant practices to verify adherence to this Policy and the Privacy Shield Principles. Any employee who intentionally violates this Policy will be subject to disciplinary action up to and including termination of employment. Any data subject who has a complaint concerning ZA’s processing of his or her Personal Data should contact ZA’s Global Data Privacy Office at privacy@zapackaging.com. ZA will investigate and attempt to resolve such complaints in accordance with the principles contained in this Policy. Any data subject who is not satisfied with the internal resolution of the complaint may seek redress with the national data protection or labor authority in the country where the data subject resides.

SUPPLEMENTAL PRINCIPLES

  1. Sensitive Data

ZA is not required to obtain affirmative express consent with respect to sensitive date where the processing is:

  1. In the vital interests of the data subject or another person;
  2. Necessary for the establishment of legal claims or defenses;
  3. Required to provide medical care or diagnosis;
  4. Carried out in the course of legitimate activities by a foundation, association, or any other non-profit body with a political, philosophical, religious, or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects;
  5. Necessary to carry out the organization’s obligations in the field of employment law; or
  6. Related to data that are manifestly made public by the individual.
  1. Journalistic Exceptions

First Amendment must govern in the event that privacy and constitutional principles conflict. ZA will carefully review any situation in which such a conflict may arise.

  1. Secondary Liability

Internet Service Providers, telecommunications carriers, and other organizations are not liable under the Privacy Shield Principles when on behalf of another organization they merely transmit, route, switch, or cache information.

  1. Performing Due Diligence and Conducting Audits

At times, ZA hires auditors and investment bankers which may require personal data to perform certain tasks. Consent or knowledge of the individual is not required in certain circumstances where such auditors or investment bankers perform these duties pursuant to statutory or regulatory requirements, or in performing due diligence relating to a potential merger or acquisition of another organization. Premature disclosure of such activities could impede such negotiations and agreements, and as a result, investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without the knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization.

  1. The Role of the Data Protection Authorities (DPAs)

ZA commits to employ effective mechanisms for assuring compliance with the Privacy Shield Principles. ZA provides the following as it relates to the recourse, enforcement and liability principle:

  1. Recourse for individuals to whom the data relates,
  2. Follow-up procedures for verifying that the attestations and assertions the individuals have made about their privacy practices are true, and
  3. Obligations to remedy problems arising out of failure to comply with the Principles.

ZA will complete the following:

  1. Elects to satisfy the requirements #1 and #2 above;
  2. Cooperate with EU DPAs and the Turkish Data Protection and Information Commissioner (DPIC) (collectively referred to as DPAs) in the investigation and resolution of complaints brought under the EU-US and Turkish-US Privacy Shield Frameworks; and
  3. Comply with any advice given by the DPAs (in regards to customer data and in regards to human resource date transferred from the EU in the context of the employment relationship) where the DPAs take the view that the organization needs to take specific action to comply with the EU-US or Turkish-US Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.
  1. Self-Certification

ZA will comply with all of the Department’s self-certification submission requirements. ZA will ensure compliance with the Privacy Principles and will work its existing commercial relationships with third parties to ensure conformity as soon as possible and within nine months from the date upon which ZA certified to the Privacy Shield.

  1. Verification

ZA will complete a self-assessment approach of its privacy practices to verify compliance with the attestations and assertions made under the Privacy Shield privacy practices.

  1. Access

ZA will adhere to the Access Principle in Practice, which allows individuals to verify the accuracy of information held about them. ZA will also make good faith efforts to provide access. It may deny or limit access to the extent that granting full access would reveal its own confidential commercial information.

  1. Human Resources Data

ZA will transfer personal information about its employees collected in the context of the employment relationship to a parent, affiliate, or unaffiliated service provided in the United States participating in the EU-US and Turkish-US Privacy Shield programs. The collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country where it was collected, and any conditions for or restrictions on its transfer according to those laws will be respected. ZA will adhere to the Notice and Choice Principles as well as the Access Principle regarding human resources data.

  1. Obligatory Contracts for Onward Transfers

ZA complies with requirements relating to onward transfers of protected data through the use of model or other contractual clauses that comply with European Union and Turkish data transfer standards and requirements. These principles apply to transfers of data within controlled groups of s or entities as well as with third party controllers and processors.

  1. Dispute Resolution and Enforcement

ZA will satisfy the requirement of this Principle through the following:

  1. Compliance with private sector developed privacy programs that incorporate the EU-US and Turkish-US Privacy Shield Principles;
  2. Compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or
  3. Commitment to cooperate with data protection authorities located in the EU, the FDPIC, or their authorized representatives.

Effective Date: October 3, 2017
Updated: March 28, 2019