Mexico Data Privacy Policy

1. DEFINITIONS.

For purposes of this Policy, the following terms are defined as:

1. EnerSys Group: Any of the following companies (either jointly or individually):
   1. EnerSys de Mexico, S de R.L. de C.V., EnerSys de Mexico II, S. de R.L. de C.V., Baterias Hawker de Mexico S. de R.L. de C.V., and EH Europe GMBH S. de R.L. with offices at Avenida Lopez Mateos number 4210, Colonia Casa Blanca, San Nicolás de los Garza, State of Nuevo León, México, 66475; and
   2. Power-Sonic, S. de R.L. de C.V.; with offices at Blvd. Pacifico #14553, Parque Industrial Pacifico, Tijuana, State of Baja California, México, 22643.
2. Data Responsible: EnerSys Group, respectively each company, as the one that gathers and manages treatment of Personal Data;
3. Data Subject: Owner of the Personal Data;
4. Data Privacy Notice: A physical, electronic or any other format document generated by the Data Responsible that is provided to the Data Subject prior collecting and processing the latter’s Personal Data.
5. Personal Data: Any information concerning an identified or identifiable individual;
6. Sensitive Data: Personal Data that affect the most intimate scope of its owner, or whose improper use may give rise to or entail a serious risk for the owner, such as, racial or ethnic origin; health status (past, present and future); genetic information; religious, philosophical and moral beliefs; union membership; political opinions and sexual preference;
7. Law: Federal Law for the Protection of Personal Data Held by Private Parties;
8. Personnel: Any individual, who has an employment relationship with their respective employer referred to in the definition of EnerSys Group.

 

2. OBJECTIVE.

Outline EnerSys Group’s practices in connection with collecting, using and disclosing Personal Data in its possession.

 

3. GENERAL DISPOSITIONS.

3.1 Applicability.
This policy is applicable to all individuals who have granted Personal Data to EnerSys Group, including but not limited to customers, suppliers, visitors and other third parties that have voluntarily shared their Personal Data with EnerSys Group, including employees who have an employment relationship exclusively with their respective employer referred to in the definition of “EneSys Group”.

3.2 Validity Period.
The Policy will be valid indefinitely until it is substituted or updated, which will be promptly notified to the employees.

 

4. GENERAL GUIDELINES.

4.1 Principles under which EnerSys Group process Personal Data.

1. Legality and Loyalty: EnerSys Group seeks to process Personal Data in compliance with Mexican Laws; as well as International dispositions and is obliged to always obtain Personal Data through legal means and without implementing unlawful means.
2. Consent: EnerSys Group will obtain Data Subject’s consent where required under the Law in either explicit format when processing financial or economic or sensitive data and implied format when processing other categories of Personal Data.
1. Exceptions: Under the Law, EnerSys may also process Personal Data without explicit or implicit consent, where an exception applies, including data processing is provided for in another law; Personal Data is contained in publicly available sources; anonymized; processed for the purpose of fulfilling obligations under a legal relationship between the data subject and the data controller; required in any emergency that could potentially result in personal injury or property damage; essential for medical attention, prevention, diagnosis, healthcare delivery, medical treatment, or health services management, and where the personal data must be disclosed pursuant to a court order or the resolution of a competent authority.
3. Information: EnerSys Group will inform Data Subject through a Privacy Notice, the purpose(s) for which Personal Data will be collected, used and/or disclosed.
4. Proportionality: EnerSys Group will collect only the Personal Data that is (i) necessary, (ii) adequate and (iii) relevant to accomplish the purposes for which the information was collected.
5. Purpose specification: As referred in section c) EnerSys Group will specify Data Subjects the purpose for which its Personal Data is being collected.
6. Data quality: EnerSys Group will make the most reasonable effort to ensure that the Personal Data collected is: (i) exact, (ii) complete, (iii) pertinent, (iv) updated and (v) correct.
7. Accountability: EnerSys Group is committed to implement appropriate technical and organizational measures in order to ensure Personal Data is protected and processed in accordance with the Law.

4.2 Why EnerSys Group process Data Subject’s Personal Data?

EnerSys Group processes Personal Data when (i) a Data Subject uses its products or services, (ii) a business customer provides the Personal Data, (iii) there is an employment relationship; (iv) where a business supplier or vendor provides Personal Data (v) where a visitor provides Personal Data, or (vi) such other circumstances where a third party provides Personal Data to us voluntarily through our website or in response to a marketing or promotional event.

In connection with the above-referred purposes, generally, EnerSys Group process Data Subjects’ Personal Data for the following purposes:

• Providing products or services to a customer;
• Receive products or services from a vendor or supplier;
• To enable third parties to partake in a prize draw, competition or complete a survey;
• For marketing purposes, including relationships and experiences;
• To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
• Performing obligations and exercising rights related to an agreement executed with a customer, employee, or Data Subject, respectively, including performing related activities and functions;
• Complying with mandatory obligations to which EnerSys Group is subject;
• Evaluating, supporting, and enhancing the performance, efficiency, and security of our products or services;
• Performing a contract to which the Data Subject is a party;
• Legitimate interests pursued by EnerSys Group, such as performing its contract obligations to, or exercising its legal or contractual rights or for improving services, products, and operations.

In limited circumstances, EnerSys Group may process Personal and/or Sensitive Data for the following purposes:

• Protecting the life, physical safety, or health of the Data Subject or another natural person;
• Complying with mandatory obligations or obligations set forth in an agreement;
• To protect the workplace as well as to comply with employer related obligations;
• Performing a task carried out in the public interest.

EnerSys Group will comply at all times with the obligations set forth in the Law regarding Sensitive Data by establishing a referral of it and requesting for the Data Subject’s consent within the Data Privacy Notice.

 

4.3 Who has access to the Data Subjects’ Personal Data?

Data Subjects’ Personal Data will be disclosed to the extent required for complying with the purposes detailed on section 4.2.

EnerSys Group may disclose Personal Data if compelled to do so by a court of law or lawfully requested to do so by a relevant governmental authority using the appropriate means of request. Further, EnerSys Group may disclose Personal Data if it determines it is necessary or appropriate to comply with an agreement or with the law, as well as to protect or defend EnerSys Group’s interests, rights, property, or employees.

 

4.4 Where is the Data Subject’s Personal Data processed?

EnerSys Group’s business is centralized with the purpose of being an efficient and a successful global business. EnerSys has regional headquarters where Personal Data may be transferred for the centralized administration of our business; such locations are in the following countries: United States, Switzerland and Singapore. Said centralization will likely result in the international transfer of Personal Data to countries outside Mexico.

Once a Data Privacy Notice is provided to any Data Subject, international or national transfer of Personal Data may be made without the Data Subject’s consent as long as it complies with the rules set forth in article 37 of the Law, such as when:

• The transfer is mandated by a Law or Treaty to which Mexico is part of;
• The transfer is made to controlling companies, subsidiaries or affiliates under the common control of the responsible party, or to a parent company or to any company of the same group, as EnerSys Group, of the responsible party that operates under the same internal processes and policies;
• The transfer is necessary by an agreement entered into or to be entered into in the interest of the Data Responsible, by the Data Responsible and a third party;
• The transfer is necessary for the maintenance or fulfillment of a legal relationship between the Data Responsible and the Data Responsible.

In case any of the above-referred situations are met, EnerSys Group will grant a Data Privacy Notice, which will enclose data transfer as well as will require the Data Subject’s consent.

 

4.5 What rights does a Data Subject has in connection with providing Personal Data?

Data Subjects are entitled to the right of accessing, ratifying, updating, cancelling and/or opposing (well known as “ARCO” rights) to the collection of their Personal Data and Sensitive Data, as well as to oppose the processing thereof, or to revoke the consent granted for such purpose, through the procedure implemented.

In order to enforce ARCO rights, Data Subjects must contact the area responsible for the management and administration of Personal Data, at the e-mail address privacy@enersys.com; or by mail to the Data Responsible domicile at the addresses provided for the relevant EnerSys Group, including name, address, identification document, and detail of the Personal or Sensitive Data that will be accessed, rectified, canceled or opposed for treatment.

 

4.6 Privacy Notice.

To legally process Personal Data, EnerSys Group has a Privacy Notice in place, which is provided to Data Subjects prior processing the Personal or Sensitive Data. The referred Privacy Notice may be provided to Data Subjects in printed, digital, visual or audio formats; nonetheless, for processing Sensitive Data, Data Subjects must grant their explicit consent, ether by wet-signature or electronically.

The Privacy Notice as well as the present Policy can be modified or updated due to new legal requirements; as well as due to EnerSys Group needs based on the services offered, data privacy’s best practices and/or any other applicable situation.

 

4.7 EnerSys Group compliance with the Law.

EnerSys Group is extremely committed to comply with the obligations of Confidentiality and Security referred to in the Law, therefore EnerSys Group implements the following actions in connection with each obligation:

4.7.1 Confidentiality.

1. EnerSys Group stablishes procedures in order to avoid leak or unauthorized access to Personal Data;
2. EnerSys Group trains its Personnel on regards obligations related to treatment of Personal Data.

4.7.2 Security.

1. EnerSys Group stablishes and maintains administrative, physical and technical security measures;
2. EnerSys Group does not implement security measures that are less strict that the ones implemented in order to protect its own information;
3. EnerSys Group updates the measures that has already implemented when applicable;
4. EnerSys Group has the commitment to notify Data Subjects in case its security has been compromised.
5. EnerSys Group has the commitment to implement corrective actions when applicable.

 

4.8 For how long will EnerSys Group retain Personal Data?

EnerSys Group will process Personal Data for as long as necessary to fulfil the purposes specified in the Privacy Notice and for a period equal to the statute of limitations of the actions that could arise as a result of, or in connection with, data processing; such as legal, administrative, and/or tax obligations.