ENERSYS LGPD PRIVACY NOTICE
Lei Geral de Proteção de Dados No. 13.709/2018 or General Data Protection Law (LGPD)
This Notice explains the commitment of EnerSys and its affiliates or subsidiaries (collectively, the “Company”) to compliance with LGPD and how LGPD affects you as a user, customer, employee or data subject. This Notice defines key terms and answers important questions, such as who is covered by LGPD, what LGPD requires, and how the Company operates within those requirements.
Definitions
- Data Subject: An identified or identifiable individual authorized by the company, employed by the company, or a business customer interacting with the company.
- Controller: An entity that determines the purposes and means of the processing of personal data.
- Personal data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation(s) performed on personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.
- Sensitive personal data: Personal data revealing racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.
Who is covered by this Notice?
This LGPD Privacy Notice applies when:
1. A Data Subject creates personal data through use of services, products, or employment in Brazil in connection with the Data Subject’s relationship with the Company in Brazil;
2. Such Data Subject and its relationship are within the scope of LGPD; and
3. When processing the personal data of such Data Subject.
What personal data about Data Subjects does the Company process?
The Company generally processes the following categories of data, which may include personal data of Data Subjects:
• Contact Data: Data for general contact or administration purposes, which may include name, job title, employer, address, phone number, email address, instant messaging username, and similar data.
• Device Identification Data: Data that identifies a device from which (or to which) electronic communications are sent (or received); may include Internet Protocol (IP) address, Media Access Control (MAC) address, International Mobile Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI) number, Serial Number, and Unique Device Identifier (UDID).
• Electronic Communications Data: Data processed in an electronic communications network for the purposes of transmitting, distributing, or exchanging electronic communications content (but not including electronic communications content); includes data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration, and type of communication.
• Authentication Data: Username, password, personal identification number, password hints, and similar data to authenticate users in connection with use of the services or access to information related to products or services.
• Employment Data: resume or CV, status of employment, performance ratings, competencies, succession information, work time/utilization records and forecasts, training records, evaluations, absences, holiday or annual leave arrangements, terms of labor contract, details of any disciplinary actions, health and safety data.
• Financial Data: bank account details, direct deposit/credit arrangements, salary, pension payment and stock option information, bonus, additional pay, variable compensation awards, tax data, flexible spending enrolments, grant valuation information, paid time off and credit card details.
• Report Data: identity, responsibilities and contact information of whistle-blower; identity, responsibilities and contact information of the employees mentioned in the report; identity, responsibilities and contact information of the persons who are involved in receiving or processing the report; facts reported; information gathered in connection with the verification of the reported facts.
Why does the Company process personal data about Data Subjects?
The Company processes personal data when a Data Subject uses its products or services or when a business customer provides the personal data or when there is an employment relationship. In connection with these purposes, the Company will generally process personal data of Data Subjects for the purposes of:
• Providing products or services to a customer;
• Performing obligations and exercising rights with respect to a contract with the customer, employee, or Data Subject including performing related activities and functions;
• Complying with legal obligations; and/or
• Evaluating, supporting, and enhancing the performance, efficiency, and security of our products or services.
The Company processes personal data of Data Subjects only pursuant to appropriate lawful bases for processing as necessary for:
• Performing a contract to which the Data Subject is a party;
• Complying with a legal obligation(s) to which the Company is subject; and/or
• Legitimate interests pursued by the Company, such as performing its contract obligations to, or exercising its legal or contract rights or for improving services, products, and operations.
In limited circumstances, the Company may process personal data as necessary for:
• Protecting the life, physical safety, or health of the Data Subject or another natural person; and/or
• Performing a task carried out in the public interest.
The Company will not process “sensitive personal data” about Data Subjects unless specifically authorized by law, for example where the Data Subject has given explicit consent; as necessary for carrying out obligations and exercising specific rights in the field of employment and social security and social protection law; and/or as necessary for the establishment, exercise, or defense of legal claims.
Who has access to personal data about Data Subjects?
Personal data about Data Subjects will be disclosed, to the extent required for service or product delivery, to appropriate and authorized recipients. Recipients may include: Company personnel; suppliers, vendors, and subcontractors; and/or other third parties performing services for any of the EnerSys companies. Personal data may also be provided to the business customer and its agents.
Third parties given access to personal data about Data Subjects will be required to use appropriate security measures consistent with LGPD requirements when processing personal data and, where the third party is processing such personal data on behalf of the Company, to do so only pursuant to the Company’s instructions.
The Company may disclose personal data if compelled to do so by a court of law or lawfully requested to do so by a relevant governmental authority using the appropriate means of request. The Company may disclose personal data if it determines it is necessary or appropriate to comply with the law or to protect or defend the Company’s rights, property, or employees.
Where is personal data about Data Subjects processed?
The Company has centralized business activities to better manage a global business. That centralization may result in the transfer of personal data to countries outside of Brazil. For example, a Data Subject’s personal data may be transferred for processing in the United States of America, by the Company and/or third party service providers.
The Company generally transfers personal data about Data Subjects between our affiliates on the basis of our Intra-Company Data Transfer Agreement, which is based on the EU’s standard contractual clauses for export of personal data to third countries with additional customizations to comply with Brazilian law. A Data Subject may request to access or review the safeguards the Company uses for cross border transfers.
The Company may additionally rely on other approved mechanisms for export of personal data, such as a determination by Brazil’s national authority that the recipient country offers adequate protection of personal data or pursuant to established derogations for specific situations.
Wherever personal data is processed, the Company uses appropriate security measures consistent with LGPD requirements.
When is personal data about Data Subjects deleted?
Personal data will be retained as needed for business administration, tax, or legal purposes and as consistent with applicable law, including LGPD. In many cases, this will require retention through the period of the contract between the Company and the customer, or through the period of the relationship between the Company and the Data Subject. After that, personal data will be destroyed by making it unreadable or undecipherable. While personal data is retained, the Company implements appropriate technical and organizational measures designed to make the personal data collected secure. Such measures include:
• Maintaining and protecting the security of computer storage and network equipment and using security procedures that require usernames and passwords to access sensitive data;
• Applying encryption or other appropriate security controls to protect personal data when stored or transmitted; and
• Limiting access to personal data to only those with jobs requiring such access.
What rights does a Data Subject have to manage processing of personal data?
LGPD grants the Data Subject certain rights regarding processing of personal data. The Company is committed to honoring these rights and has established effective and transparent policies and procedures to do so. A Data Subject’s rights with respect to his or her own personal data include:
• Right to Notice. The Company provides this LGPD Privacy Notice, detailing how personal data is processed, including the entities with which the Company has shared the Data Subjects’ data.
• Right to Revoke Consent. Data Subjects may withdraw their grants of consent at any time and the Company will stop processing and delete their data, subject to the Company’s right to retain the data as allowed for lawful purposes, including to comply with its legal obligations and to use it exclusively on an anonymized basis.
• Right of Access. Data Subjects may obtain from the Company confirmation as to whether personal data is being processed and, if it is, access to the personal data and additional information about the processing of that data.
• Right to Correction/Rectification. Data Subjects may have inaccurate personal data corrected and have incomplete personal data made complete.
• Right to Deletion. Data Subjects may have personal data deleted in certain circumstances.
• Right to Restriction of Processing. Data Subjects may have additional processing of personal data temporarily prohibited while the accuracy or processing of the personal data is contested.
• Right to Data Portability. Data Subjects may be able to receive personal data for the purpose of providing that personal data to another controller, either through you as our business customer or directly by the Company.
• Right to Object. Data Subjects may object, at any time and on grounds relating to their particular situation, that processing of personal data is unnecessary or excessive.
• Right to Avoid Automated Individual Decision-Making. Data Subjects may not be subjected to a decision based solely on automated processing, including profiling, that has legal or similar effect.
Whether and how a right applies will depend upon the lawful basis pursuant to which the data is processed, the nature of the personal data, and the Company’s ability to determine that it holds responsive personal data. As the personal data is processed as part of the Company’s contract obligations to a customer, for authentication purposes the Company will coordinate responses to requests of Data Subjects. The Company therefore recommends the Data Subject directly contact the business to initiate a rights request. The Company will work with the Data Subject to determine the appropriate response to a request. Provision of personal data in response to a Data Subject’s request shall not adversely affect the rights and freedoms of others.
A Data Subject may file a complaint with the national authority, also known as the National Data Protection Authority or ANPD. A Data Subject may additionally or alternatively seek judicial redress for alleged infringements of applicable law by the Company. Questions on this LGPD Privacy Notice may be sent to: firstname.lastname@example.org. Please include “data subject question” in the email’s subject line. You can also contact us at: 1-855-472-2459.