1. PURPOSE
1.1 About us
Flex is a socially responsible and leading electronics manufacturing services provider delivering design, engineering, and manufacturing services to aerospace and defense, automotive, computing, consumer, industrial, infrastructure, medical, energy, and mobile original equipment manufacturers. Flex helps customers design, build, ship, and service electronics and other products through a network of international facilities. 通过遍布全球的业务,提供与核心电子制造和物流服务相结合的设计和工程解决方案。
1.2 Our commitment to data privacy
These Standards set out our approach to and the commitment of the Flex Group and its Executive Management and Board of Directors to maintaining the highest standards of data privacy. These Standards for processing of Personal Data relate to the Personal Data of employees, contractors and business contacts, or other individuals and must be followed by all members and employees of the Flex Group, and the Executive Management and Board of Directors will enforce such compliance. Failure to comply with these Standards will lead to appropriate corrective and disciplinary actions.
1.3 Objective of these Standards
We shall handle all Personal Data in accordance with Data Protection Laws and all other Applicable Law. Our compliance with these Standards will provide you with the protection required to enable us to process certain Personal Data within the Flex Group, including the transfer of that Personal Data outside of the United Kingdom.
2. DEFINITIONS AND ABBREVIATIONS
Applicable Law means all applicable local data protection and privacy laws and regulations including, but not limited to, the Data Protection Laws.
Business Contact Data means Personal Data relating to the business contacts at Flex Group’s customers and suppliers;
Data Controller means the natural or legal person who alone or jointly with others determines the purposes and means of processing Personal Data;
Data Privacy means data protection as promulgated by Data Protection Laws;
Data Processor means the natural or legal person which processes Personal Data on behalf of the Data Controller;
Data Protection Laws means UK Data Protection Laws;
Data Subject means an identified or identifiable natural person;
Employee Personal Data means Personal Data relating to: (a) current, former and prospective employees; (b) current, former and prospective individual contractors; (c) volunteers; (d) agents; (e) temporary and casual workers; and (f) dependents, relatives, guardians, and associates of the Data Subjects set out in (a) to (e) of the Flex Group;
Flex Group means Flex Ltd. incorporated in Singapore and located at 2 Changi South Lane, Singapore and any of its subsidiaries bound by these Standards;
Global Data Privacy Officer shall be the Data Protection Officer as defined by UK Data Protection Laws;
Global Data Subject Rights Policy means the policy attached under Annex C of these Standards;
Global Procedure for Raising and Handling Data Privacy Complaints means the policy attached under Annex D of these Standards;
Personal Data means any information relating to an identified or identifiable natural person who can be identified directly or indirectly from that information, including but not limited to Employee Personal Data, Business Contact Data, and Third Party Data;
Regulation / GDPR means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any law which implements, supplements, relates to, or replaces it.
Processing shall have the meaning set out in UK Data Protection Laws and process and processes shall be construed accordingly.
Special Category Data means any Personal Data revealing a Data Subject’s racial or ethical origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data processed for the purposes of uniquely identifying a natural person; data about health, sex life, or sexual orientation; and shall for the purposes of these Standards include data relating to criminal convictions and offenses;
Supervisory Authority means the Information Commissioner’s Office;
Standards means the terms set out in this document;
Third Party Data means Personal Data relating to third parties such as contact details about other individuals, information about complaints, and CCTV images;
UK means the United Kingdom;
UK Data Protection Laws means data protection and privacy laws in the UK (including the Regulation as amended by any legislation arising out of the withdrawal of the UK from the European Union (“UK GDPR”) and the Data Protection Act 2018 as amended, supplemented, substituted, or replaced from time to time;
We, our, and/or us means the Flex Group and its employees; and
You means a Data Subject whose Personal Data is processed by the Flex Group.
3. BACKGROUND
3.1 What is Data Privacy law?
Data Privacy (also known as “data protection”) requires companies to process Personal Data in accordance with certain good practice principles. It also grants certain rights to individuals (for example, to access and correct their information). Data Privacy law governs the way in which Flex collects, stores and uses Personal Data about employees, contractors, business contacts, and other individuals.
3.2 How does Data Privacy law impact Flex internationally?
Data Protection Laws do not permit the international transfer of Personal Data to countries outside the UK unless they ensure an adequate level of data privacy. Flex has taken proper steps to ensure that any transfer of Personal Data to countries outside the UK is lawful. These Standards create a binding corporate rules framework to comply with rules contained in the Data Protection Laws and provide an adequate level of protection for Personal Data transferred to Flex Group companies outside the UK in accordance with Data Protection Laws (in particular the mechanism set out in UK Data Protection Laws for the approval of binding corporate rules). Flextronics Global Services (Manchester) Limited is the member of the Flex Group with delegated Data Privacy responsibilities and will be responsible for compliance with these Standards.
4. SCOPE
4.1 Data covered by these Standards
这些标准适用于我们处理和由我们进行的个人数据转移,这受我们作为数据控制者的数据保护法的约束,并且适用于:
(a) the processing of this Personal Data by a member of the Flex Group within the UK;
(b) the processing of this Personal Data in the UK by a member of the Flex Group located outside the UK in: (i) while the General Data Protection Regulation (EU) 2016/679 applies as law in the UK, a country that is not in the EEA or a country deemed adequate for the purposes of Personal Data transfers pursuant to a decision of the European Commission under Article 45 of the GDPR; and (ii) at such point as when the General Data Protection Regulation (EU) 2016/679 no longer applies as law in the UK, a country not considered adequate for the purposes of Personal Data transfers pursuant to adequacy regulations under section 17A of the Data Protection Act 2018;
(c) the transfer of this Personal Data from within the UK to outside the UK in: (i) while the General Data Protection Regulation (EU) 2016/679 applies as law in the UK, a country that is not in the EEA or a country deemed adequate for the purposes of Personal Data transfers pursuant to a decision of the European Commission under Article 45 of the GDPR; and (ii) at such point as when the General Data Protection Regulation (EU) 2016/679 no longer applies as law in the UK, a country not considered adequate for the purposes of Personal Data transfers pursuant to adequacy regulations under section 17A of the Data Protection Act 2018, in each case by a member of the Flex Group to another member of the Flex Group and the subsequent processing or onward transfer of this Personal Data by that member to other members of the Flex Group.
(d) The processing we carry out may be manual or automated. 我们处理的个人数据类型为员工个人数据、业务联系数据和其他个人数据。
4.2 The tables appended at Annex B of these Standards contain a general description of the Personal Data which is undergoing the transfers under these Standards.
4.3 The Standards apply to all processing of Personal Data within the Flex Group where such Personal Data are subject to the Data Protection Laws and Paragraph 4.1 of the Standards.
5. PRINCIPLES
如伟创力作为数据控制者,则应遵循以下原则:
5.1 We process Personal Data lawfully, fairly, and in a transparent manner (“lawfulness, fairness, and transparency”)
我们将公平合法地处理个人数据。One or more of the conditions set out in Annex A or under Data Protection Laws, which should be relied on in order to legitimise data processing, will always be met. 我们将确保您清楚了解与您有关的个人数据如何被收集、使用、咨询或以其他方式处理,以及这些个人数据已被或将会在何种程度上被处理。We will also provide information as required by Data Protection Laws including information to explain how we may disclose and/or transfer Personal Data as well as the legal basis for Processing, legitimate interests, categories of recipients, and available rights. Any information and communication relating to the processing of your Personal Data will be easily accessible and easy to understand.
5.2 We shall keep you informed regarding our processing of your Personal Data and provide the information regarding your rights under these Standards
这些标准将在伟创力公共网站上以及伟创力内部数据隐私门户网站上公开提供,并可向全球数据隐私官提出书面请求索取。Before your Personal Data is processed, we will let you know the identity of the Flex Group company that is the Data Controller and provide you with all of the information which is required under Data Protection Laws and under these Standards.
5.3 We shall ensure that Personal Data will only be processed for specified, explicit, and legitimate purposes (“purpose limitation”)
We will ensure that the Personal Data we hold on you will be processed for specific, explicit, and legitimate purposes which were determined at the time of the collection of the Personal Data and not further processed for any additional purposes which are incompatible with the initial purposes for which the Personal Data were collected.
5.4 We shall ensure that we comply with principles of data minimisation in relation to Personal Data (“data minimisation”)
我们将确保我们的数据处理操作所处理的个人数据是充分、相关的,并仅限于我们处理个人数据的目的所需的数据。我们将确保个人数据的存储时间严格限制在最低限度。We will not keep Personal Data for longer than is necessary for the purposes for which it is collected and processed unless it is required to be kept longer under applicable law. Personal Data will only be processed if the purposes of the processing could not be fulfilled by other means. We will limit access to Personal Data to those employees who need access to fulfil their duties. We require our vendors and suppliers to follow a similar approach to Personal Data they access in providing services to Flex.
5.5 We ensure that Personal Data is accurate and, where necessary, kept up to date (“accuracy”)
我们将确保个人数据保持最新且准确无误。Flex provides individuals with various methods to update and correct their Personal Data including online, using self-service systems and by contacting the HR Global Business Services or the appropriate person. We will ensure that we take every reasonable step in order to ensure that Personal Data which are inaccurate are rectified or deleted without delay.
5.6 We will ensure that Personal Data is kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the Personal Data are processed (“storage limitation”)
我们将确保根据包括《数据保护法》在内的适用法律,为删除或定期审查个人数据设定时间限制。
5.7 We use appropriate security and confidentiality safeguards to protect your Personal Data (“integrity and confidentiality”)
We use appropriate technical, organisational, administrative, and physical security measures to protect your Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Taking into account the state of the art, the cost of implementation of these measures, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, we impose security appropriate to the risks represented by the processing and nature of the data to be protected. In addition, in the event of a data security breach Flex will notify the Supervisory Authority unless the data security breach is unlikely to result in a risk to the rights and freedoms of Data Subjects, and notify Data Subjects if the data security breach is likely to result in a high risk to the rights and freedoms of the Data Subjects.
5.8 We shall provide you with rights of access, rectification, erasure, restriction, portability, and objection to processing in accordance with the Data Protection Laws
您有权要求获得关于您的所有个人数据的副本。We will provide you with access to such data as required by Data Protection Laws, unless we are permitted by Data Protection Laws to refuse or only partially comply with the request (e.g. where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character). 在数据保护法允许的情况下,我们可能会为此收取费用。
如果您的个人数据不准确,您有权请求我们更正您的个人数据,包括如果个人数据不完整,以补充声明的方式予以更正。
在某些情况下,您有权要求删除您的个人数据、要求限制处理您的个人数据,或以与您的特定情况有关的理由反对个人数据的处理或任何直接营销。
You shall have the right, in certain circumstances, to request that we port your Personal Data to you or a third party in a structured, commonly-used, and machine readable format.
If you wish to exercise any of these rights you should do so by contacting the Data Privacy Liaison Officer, Global Data Privacy Officer, or if you are an employee of Flex, HR Global Business Services. Further information and procedure is set out in the Global Data Subject Rights Policy which is attached at Annex C.
5.9 We recognise your right to object to direct marketing
如果我们使用您的个人数据进行直接营销,则只有在我们已经征得您的同意进行此类营销或根据数据保护法获得其他许可的情况下,我们才会这样做。If you object to our use of your Personal Data for direct marketing, you should contact the Global Data Privacy Officer, HR Global Business Services, or using such other method as may be set out in the applicable marketing communication.
5.10 We only make limited use of automated decision making
There are requirements under the Data Protection Laws to ensure that no evaluation of, or decision about, an individual which produces legal effects or similarly significantly affects them can be based solely on automated processing of Personal Data except in limited circumstances. For example, we make use of automated decision making in certain recruitment processes to test the aptitude of a particular candidate. However, this process will usually be used in conjunction with other recruitment processes such as interviews and so are not conducted on a solely automated basis. If Flex makes significant decisions on a solely automated basis, it will, as required by Data Protection Laws, implement safeguards such as rights for individuals to obtain human intervention, express his or her point of view, and contest the decision.
5.11 We take careful precautions with respect to the processing of Special Category Data and data relating to criminal convictions and offences
We will only process your Special Category Data and data relating to criminal convictions and offences in accordance with Data Protection Laws, including relying on at least one of the conditions set forth under UK Data Protection Laws which is required to process such data. 这可能包括在必要时对此类特殊类别数据以及与刑事定罪和犯罪有关的数据使用加强的保障措施。
5.12 We take appropriate measures with respect to our use of Data Processors
数据处理者可以包括伟创力集团的成员或代表伟创力集团的成员处理个人数据的外部供应商。我们将确保在使用任何内部或外部数据处理者时:
(a) we will have a written contract in place with that Data Processor;
(b) the written contract will contain all the clauses that are mandatory under UK Data Protection Laws and otherwise under Data Protection Laws;
(c) the written contract will state that the Data Processor, amongst other things:
(i) will only act on the instructions of the Data Controller; and
(ii) has a duty to notify Flex without undue delay of any personal data breaches. 如果个人数据泄露可能会给数据主体的权利和自由造成较高风险,则可能有通知数据主体的义务。数据处理者有责任记录任何个人数据泄露事件,包括与个人数据泄露事件有关的事实、后果和采取的补救措施。应根据要求将文件提供给监管机构。
We also have in place a comprehensive audit program to ensure Data Processors comply with the above measures (see Paragraph 6.2 below).
5.13 We shall restrict the transfer of Personal Data
In principle, international transfers of Personal Data from the UK to a country or territory which has inadequate Data Privacy laws are not allowed unless adequate safeguards are in place in accordance with Data Protection Laws, for example, by a member of the Flex Group (based outside the UK) entering into these Standards or by putting in place contractual clauses (such as the Standard Contractual Clauses as recognised under UK Data Protection Laws) which protect the Personal Data being transferred. We will only transfer Personal Data where such safeguards are in place in accordance with Data Protection Laws, provided that adequate protection is provided as required under UK Data Protection Laws. We will ensure that all transfers of Personal Data to external vendors based outside the UK respect the rules relating to processors (as set out in Paragraph 5.12 above) in addition to the rules on transfers outside of the UK.
6. HOW WE COMPLY WITH AND ENFORCE THE STANDARDS
6.1 Our privacy officers
我们在整个伟创力集团内建立了完整的隐私官队伍,他们负责各自国家、地区或部门的数据隐私,包括对本标准的遵守情况。Each Data Privacy Liaison Officer reports into the relevant Regional Data Privacy Officer and, ultimately, to the Global Data Privacy Officer who directly reports to the Executive Board. The Flex Board comprises the Head of Legal, the Chief Financial Officer, and Chief HR Officer, and it reports to the Chief Executive. The Global Data Privacy Officer shall be the Data Protection Officer as defined by UK Data Protection Laws and is ultimately responsible for the network of Regional Data Privacy Officers and Data Privacy Liaison Officers, the development and implementation of these Standards responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority and monitoring and reporting annually on compliance to the Executive Board. The Regional Data Privacy Officers and Data Privacy Liaison Officers are responsible for handling local complaints from Data Subjects, reporting Data Privacy issues to the Global Data Privacy Officer, monitoring training and compliance at a local level, and assisting with responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority.
6.2 Audit and compliance
In addition, we have in place a comprehensive audit programme which includes regular internal privacy assessments covering all aspects of these Standards. The results of such privacy assessments are provided to the Global Data Privacy Officer and the Executive Board of Flex Ltd. If we identify any gaps in compliance with our Data Privacy requirements (including these Standards) work plans are put in place to rectify any gaps. Where such assessment relates to these Standards, they will be provided to the Supervisory Authority upon request.
6.3 Training programme
我们非常重视数据隐私,这体现在我们向所有可永久或定期访问个人数据、参与收集个人数据或开发个人数据处理工具以履行其职责的员工提供强制性数据隐私培训。除此之外,所有员工都必须遵守包括这些标准在内的所有伟创力政策和规程,还必须确认对伟创力行为守则的认可,该行为守则阐明了伟创力集团对数据隐私和机密性的承诺。
6.4 Accountability
每个充当数据控制者的伟创力集团成员均应负责并能够证明在处理标准第 4.1 段中描述的个人数据时遵守这些标准。In order to demonstrate compliance, Flex Group members will document categories of processing activities carried out in line with the requirements as set out in UK Data Protection Laws. 该记录应以书面形式(包括电子形式)保留,并应按要求提供给监管部门。
6.5 Data Protection Impact assessments
为了加强合规性,伟创力集团成员应在需要时与全球数据隐私官协商进行数据保护影响评估,以处理可能对自然人的权利和自由造成高风险的操作。如果数据保护影响评估的结果表明,处理将导致高风险,而伟创力集团成员又未能采取缓解风险的措施,则应在处理之前咨询监管部门。
6.6 Privacy by design and default
Appropriate technical and organisational measures should be implemented by Flex Group members which are designed to implement the data protection principles under the UK Data Protection Law and to facilitate compliance with the requirements set up by these Standards.
6.7 National legislation and these Standards
如果适用的数据保护和隐私法律提供的保护少于这些标准,我们将确保这些标准将适用于我们对个人数据的处理。然而,如果适用的数据保护和隐私法律提供了更高的保护,我们将确保我们遵守更高的标准。Additionally, if a member of the Flex Group believes that a conflict with applicable data protection and privacy laws prevents it from fulfilling its duties under these Standards (including following the advice of the Supervisory Authority) that member entity will promptly notify the Global Data Privacy Officer or applicable Data Privacy Liaison Officer who will (in consultation with the Legal Department or the Supervisory Authority, where necessary) responsibly decide what action to take.
在有理由认为适用于它的立法阻止其履行本标准下的义务,或对其遵守这些标准的能力产生重大影响的情况下,伟创力将确保立即将委派的数据保护责任通知伟创力集团成员以及全球数据隐私官,除非执法机构另行禁止,例如根据刑法禁止维护执法调查的机密性。
Where any legal requirement Flex is subject to in a non-UK country is likely to have a substantial adverse effect on the protection afforded by these Standards, the problem should be reported to the Supervisory Authority. This includes any legally binding request for disclosure of the Personal Data by a law enforcement authority or state security body. The Supervisory Authority should be clearly informed about the request, including information about the data requested, the requesting body, and the legal basis for the disclosure (unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). In these cases, the Flex member will use its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible, and be able to demonstrate that it did so. 如果在上述情况下,尽管已经尽到最大努力,伟创力成员仍无法通知监管部门,则伟创力必须每年将关于其收到的要求的一般信息提供给监管部门(例如,申请披露的数量、请求的数据类型、请求者(如果可能)等)。In any case, the transfers of Personal Data by a Flex member of the group to any public authority cannot be massive, disproportionate, and indiscriminate in a manner that would go beyond what is necessary in a democratic society.
7. RELATIONSHIP WITH THE SUPERVISORY AUTHORITY
7.1 Co-operation with the Supervisory Authority
The members of the Flex Group will co-operate with the Supervisory Authority and will provide assistance to each other in order to do so and to handle any request or complaint from a Data Subject or an investigation or inquiry. Any questions about our compliance with Data Protection Laws should be addressed to the Global Data Privacy Officer using the contact details set out at the end of these Standards who will consult with the Supervisory Authority, where applicable.
Members of the Flex Group will abide by the advice of the Supervisory Authority on any issues regarding the interpretation of these Standards in accordance with the Data Protection Laws. The Supervisory Authority is authorised to audit any member of the Flex Group who is bound by these Standards and advise on all matters related to these Standards. Such members of the Flex Group must respect the decisions of the Supervisory Authority to the extent consistent with Data Protection Laws and due process and without waiving any defences or rights of appeal.
8. YOUR RIGHTS UNDER THESE STANDARDS
8.1 Our liability to you
The policies and procedures described in these Standards are in addition to any other remedies available under applicable data protection and privacy laws or provided under our other policies and procedures.
Flextronics Global Services (Manchester) Limited has been nominated by the Flex Group as the company within the UK with delegated responsibility for these Standards in the context of UK Data Protection Laws. Flextronics Global Services (Manchester) Limited will be responsible for and will take any action necessary to remedy any breach by a member of the Flex Group outside the UK bound by these Standards and has sufficient assets to pay compensation for any damages resulting from a breach of these Standards. This will include any sanction imposed or other remedy available under applicable data protection and privacy laws including the requirement to pay compensation for any material or non-material damages resulting from the breach of the Standards by members of the Flex Group outside the UK. If a member of Flex Group outside the UK breaches these Standards, the Courts or Supervisory Authority in England & Wales will have jurisdiction and Flextronics Global Services (Manchester) Limited shall be liable to you as if the breach had been caused by them in England & Wales instead of the Flex Group member outside the UK. Flextronics Global Services (Manchester) Limited shall not be liable if it is able to show that the member of the Flex Group which is alleged to be in breach is not liable for the breach giving rise to damages or that no such breach took place. The burden of proof will lie with Flextronics Global Services (Manchester) Limited in order to demonstrate that the Flex Group member outside the UK which is alleged to be in breach is not liable for any breach of the Standards which has resulted in the claim for damages. In each case identified above, if it is held that these Standards have been breached, it shall be the responsibility of the claimant to demonstrate that he or she has suffered damage and establish facts which show it is likely that the damage has occurred as a result of such breach.
8.2 Your rights under these Standards
If you believe a member of the Flex Group is in breach of these Standards, you may raise a complaint by contacting HR Global Business Services or the Global Data Privacy Officer (please see Paragraph 10 below). Please also refer to the Global Procedure for Raising and Handling Data Privacy Complaints (a copy of which can be found on the Flex Data Privacy Portal and can be found at Annex D to these Standards) which sets out further detail regarding the complaints handling process.
You can enforce the rights as set out in these Standards (including those set out in Paragraphs 5, 6.4, 6.7, 7, 8.1, 8.2, 8.3, and 9.1) as a third party beneficiary, in relation to transfers of Personal Data made by a member of the Flex Group or a Data Processor appointed by a member of the Flex Group located within the UK to a country outside the UK in (i) while the General Data Protection Regulation (EU) 2016/679 applies as law in the UK, a country that is not in the EEA or a country deemed adequate for the purposes of Personal Data transfers pursuant to a decision of the European Commission under Article 45 of the GDPR; and (ii) at such point as when the General Data Protection Regulation (EU) 2016/679 no longer applies as law in the UK, in a country not considered adequate for the purposes of Personal Data transfers pursuant to adequacy regulations under section 17A of the Data Protection Act 2018. This can be done by (a) raising and bringing the issue of breach before the Supervisory Authority or bringing the issue of breach before the Courts in the jurisdiction of England and Wales. The rights contained in this paragraph are in addition to and shall not prejudice any other rights or remedies that you may otherwise have at law including the right to compensation, if appropriate. 在不影响第 8.2 节中规定的前提下,如果伟创力在这种情况下遵守了适当的注意标准或按照数据保护法采取了其他措施,则不会被视为违反了这些标准。
8.3 All data subjects who benefit from these rights as a third party beneficiary shall be provided with information as required by UK Data Protection Laws (Articles 13 and 14 of the Regulation and, at such time as the Regulation no longer applies in the UK, the UK GDPR). The Standards contain the required information on their third party beneficiary rights with regard to the processing of their Personal Data and on the means to exercise those rights, in the clause relating to liability and the clauses relating to the data protection principles. 这些标准可在伟创力网站上获得,在所有适用的隐私声明中均已提及,并可向全球数据隐私官索取。
9. GENERAL
9.1 Updates to these Standards
From time to time we may amend these Standards (including to take account of modifications to the regulatory environment or the company structure). Additional members of the Flex Group may become bound by the Standards and certain members of the Flex Group may no longer be bound by these Standards. Therefore we will ensure that a fully updated list of members of the Flex Group is available from the Global Data Privacy Officerand will provide this information to Data Subjects and the Supervisory Authority on request. The Global Data Privacy Officer will keep track of and record any updates to the Standards. In addition, all amendments to the Standards will be subject to the approval of the Global Data Privacy Officerand reported without undue delay to all Flex Group members and to the Supervisory Authority.
Any changes to the Standards or to the list of Flex Group members should be reported to the Supervisory Authority at least annually with a brief explanation of the reasons justifying the update. Significant changes, such as those which would possibly affect the level of protection offered by the Standards or significantly affect the Standards must be promptly communicated to the Supervisory Authority and where necessary, the approval of the Supervisory Authority will be sought.
Once any amendments to the Standards are approved these will be communicated to all members of the Flex Group bound by these Standards and posted on the Flex public website and Data Privacy Portal on the Flex Group’s intranet. Any revisions to the Standards shall include the date of the revision. We shall not make transfers of Personal Data covered by these Standards to a member of the Flex Group until such member is bound by these Standards and can deliver compliance.
9.2 Effective Date
6 月 9 日e 2015
Date of update effective from: 22 December 2020
10. CONTACT INFORMATION
If you have any questions about these Standards, your rights under these Standards or any other privacy issues you can contact us using following email address: dataprotection@flex.com。
伟创力集团在处理这些标准的第 4.1 段中描述的个人数据之前,必须至少满足以下条件之一:
在处理这些标准的第 4.1 段所述的个人数据(伟创力集团的特殊类别数据)之前,必须至少满足以下条件之一:
伟创力集团对与刑事定罪和犯罪相关的数据进行的所有处理均应基于数据保护法中的条件。
员工包括:
Employee Data is processed by members of the human resources department, relevant employee managers, and members of the HR Global Business Services for the purposes set out above. Certain of this Employee Data may also be sent to:
Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine, and the USA.
Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine, and the USA.
基于遵守数据隐私标准附件 A 中的一个或多个条件。
伟创力客户(包括我们客户的客户)、业务联系人和供应商
无
Business Contact Data is used primarily by Flex employees as is necessary to fulfil their job requirements. However, Business Contact Data customer information may also be sent to:
Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine, and the USA.
Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine, and the USA.
基于遵守数据隐私标准附件 A 中的一个或多个条件。
Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine, and the USA.
Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine, and the USA.
基于遵守数据隐私标准附件 A 中的一个或多个条件。
Shareholders and contacts of shareholders
无
个人数据主要由伟创力员工使用,以满足他们的工作要求和管理股东福利。However, personal data may also be sent to:
Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine, and the USA.
Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine, and the USA.
基于遵守数据隐私标准附件 A 中的一个或多个条件。
1. INTRODUCTION
1.1 Purpose of this Global Data Subject Rights Policy
(a) Flextronics (Flex) is committed to privacy and respecting the rights of those whose personal data Flex collect and use. 支持隐私要求我们所有人都了解个人对于我们收集或持有的属于他们的数据所享有的权利。
(b) Every individual whose personal data we hold and use has rights in respect of that data. 这包括员工、业务联系人和网站用户。该政策旨在使我们能够按照我们的数据隐私标准尊重这些权利。
(c) The individual rights contained in this Policy reflect those rights outlined in the Data Privacy Standards and at Section 7 of the Flex Global Privacy Policy and Rules.
(d) Flex support the entitlement of individuals to exercise their rights to protect and verify the correct use of their personal data. 如果有人向我们询问有关伟创力所持有之关于他们的个人数据的问题,伟创力将会快速回应以提供帮助。伟创力将为个人行使这些权利提供便利,并在可行的情况下提供电子方式以便行使这些权利。
(e) Individuals may contact Flex verbally or in writing to request that Flex take some action in connection with their personal data. Requests should be referred to the local Data Privacy Liaison Officer for your jurisdiction in the first instance, or to the Global Data Privacy Officer, who is the Data Protection Officer for the purposes of UK data protection laws and can be contacted on: dataprotection@flex.com or +43 1 602 4100 1737.
(f) This policy explains how Flex identify and respond to requests from individuals concerning their data.
(g) In general, Flex must respond to queries within one month from the receipt of the request, so it is important that requests are identified and handed to the correct people within Flex as soon as possible.
(h) Our key objectives when handling requests from individuals are to:
(i) identify the nature of the request at the earliest opportunity;
(ii) respond to the individual making the request in a timely manner;
(iii) work with the individual making the request to understand their request, their concerns and how we can assist; and
(iv) maintain clear records regarding each request we receive and our response.
1.2 What rights do individuals have?
(a) Individuals have the right to make the following types of request regarding the personal data Flex holds about them:
(i) Right of access (subject access requests) — the right to request a copy of the personal data that Flex have concerning the individual and supporting information explaining how the personal data is used.
(ii) Right of rectification — the right to request that we rectify inaccurate personal data concerning the individual.
(iii) Right of erasure (right to be forgotten) — the right, in some situations, to request that Flex erase all personal data concerning the individual.
(iv) Right to restrict processing — the right, in some situations, to request that Flex do not use the individual’s personal data they have provided (e.g. if they believe it to be inaccurate).
(v) Right to data portability — the right, in some situations, to request that Flex port the individual’s data to that individual or their new provider in machine readable format.
(vi) Right to object — the right to object to certain processing of their personal data (unless Flex have overriding compelling grounds to continue the processing) and the right to object to direct marketing/profiling.
(vii) Rights relating to automated decision making — the right not to be subject to automated decision making that significantly affects an individual (e.g. certain profiling).
(b) Flex will respond to requests listed in 1.2(a) above in accordance with Annex C 1.1(g). However, in certain circumstances that period may be extended by a further two months, taking into account the complexity of the request(s) and the number of requests made. If applicable, the GDPO, in consultation with the Legal Team, will take this decision and notify the Data Subject within one month of the receipt of the request, together with the reasons for the delay. Where the Data Subject has made the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.
2. ROLES AND RESPONSIBILITIES
数据主体: 有权提出个人权利请求/数据主体权利请求的个人。
数据隐私联络官 (DPLO): 在其职责范围内负责上报个人权利请求,以及伟创力全球隐私声明和规则第 6 节中规定的任务。向其相关的区域数据隐私官汇报。
区域数据隐私官 (RDPO): 负责执行伟创力全球隐私声明和规则第 6 节中规定的任务,以及遵守数据隐私标准。向全球数据隐私官汇报。
Global Data Privacy Officer (GDPO): Also known as the Data Protection Officer (DPO) for the purposes of UK data protection laws. Responsible for tasks as set out in Section 6 of the Flex Global Privacy Policy and Rules and responsible for the network of Regional Data Privacy Officers, Data Privacy Liaison Officers, the development and implementation of the Data Privacy Standards, responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority. 可以将本声明中的任务委托给 RDPO。
3. IDENTIFYING INDIVIDUAL RIGHTS REQUESTS
(a) Identifying requests from individuals regarding their personal data is crucial and requires the support of everyone within Flex.
(b) It is essential that we identify and notify the relevant people within Flex once we receive a request from an individual.
(c) Flex are required to respond to, and address, requests within one month of receiving them. 因此,伟创力必须迅速有效地采取行动。
3.1 Identifying the individual rights request
(a) Requests relating to personal data may not always be completely obvious or clear. Requests may refer to data protection law but requests do not need to refer to any law to be valid.
(b) Listen and look for key words and phrases to identify whether a particular communication is a request concerning personal data. 以下关键词和短语不是指标的详尽列表:
(i) Can you please give me / provide me with / send me all the personal information Flex holds about me.
(ii) Are you using my data / why are you using my data / how are you using my data / who are you sharing my data with?
(iii) You have the wrong [address, date of birth, surname, sex etc.] for me, please change it to…
(iv) Delete / remove / purge all information you have about me.
(v) Stop using my information, it is against the law for you to use it in this way / it is inaccurate / you do not need to use it any more / I don’t want you to use it for….”
(vi) “Give me all my data to…. “
(c) Flex, through its Global Business Services (GBS) maintains a dedicated email address for subjects to submit individual rights requests. 电子邮件地址是 dataprivacy@flextronics.com。However rights requests can be made by any means, e.g. in person, on the phone, by email, letter, or fax. 在同一通信中也可以接收多种形式的权利请求。
(d) If you identify a request as one which does, or which may, concern personal data, immediately inform the Data Privacy Liaison Officer (DPLO).
(e) If you cannot be certain that the request is legitimate or that the person making the request is who they say they are, then take common sense steps to check. For example, call a number provided by the individual to check they have made the request or ask them to send an email from a recognised account. If you are still not certain about the identity of the person making the request, liaise with the Global Data Privacy Officer (GDPO) to determine what further steps should be taken.
4. REPORTING AND RESPONDING TO REQUESTS FROM INDIVIDUALS
(a) When you receive something that looks like it is, or may be, a request concerning personal data, please notify the DPLO immediately. 如果您不知道数据隐私联络官是谁或他们没有空,请与您的直线经理或法务团队联系。
(b) The GDPO will work with the DPLO to request all information from the reporting individual as may be necessary to identify the nature of the request, for example requesting a copy of the individual’s passport, and/or a recent utility bill.
(c) The GDPO will determine whether or not the request is a valid request regarding personal data and ensure that Flex has acknowledged receipt of the request to the relevant individual.
(d) It is also possible that individual rights requests can also be made via a third party. 通常,这将是代表个人行事的律师。In these cases, Flex will validate that the third party has been authorised to make a request on behalf of the individual. The third party will need to provide evidence of this authorisation. 证据可以书面形式提供,以授权第三方提出此请求,也可以是一般授权书。
(e) The GDPO will identify the category of the request and respond in accordance with the relevant process set out below and Flex obligations under data protection law. 在回应请求时,GDPO 将在数据隐私联络官、RDPO、您的直线经理、IT 和法务团队的支持下工作。
(f) The GDPO shall periodically review the total number of requests that are received and whether such requests have been dealt with in accordance with this policy and, where appropriate, shall review any underlying issues giving rise to requests.
(g) Once a request from an individual has been identified, the GDPO shall follow the relevant process outlined below.
4.2 Right of Access (subject access request)
(a) You will work with the GDPO and the IT team to progress an access request by arranging a search of all our relevant systems for the appropriate personal data (including local storage such as shared and personal drives), email servers, back-up locations and third party applications on which personal data is stored on our behalf, and under our instruction, of (e.g. HR systems, CRM platforms, accounting programs etc.). 如果可能,请让个人填写个人权利请求表。表格的副本将在门户网站上提供。
(b) The search process shall be started as soon as possible as it can be a detailed and time consuming exercise.
(c) All relevant teams/departments should be contacted to ensure that all relevant file, folders (whether electronic or paper) and third party applications are searched.
(d) Where a general request is made for “all information held by Flex”, the search criteria should be as broad as possible in the first instance to identify all possible documents relating to the individual. Search criteria such as the individual’s name, address, initials, alias etc. should be used to assist. The individual’s personal data may appear in letters, memos, e-mails, file notes, electronic address books etc. as well as in our customer or HR database and in customer profiles.
(e) Upon completion of the search you will work with the GDPO (and the Legal team, if necessary) to prepare and respond to the individual, providing copies of the relevant personal data and associated information that the individual is legally entitled to receive.
(f) All responses must be signed off by the GDPO, and contain the following information:
(i) the purposes of the processing;
(ii) the categories of personal data concerned;
(iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in non-UK countries or international organisations (and information on the appropriate safeguards used for international transfers, if relevant);
(iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(v) the existence of the right to request from Flex rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(vi) the right to lodge a complaint with the Supervisory Authority (the UK’s Information Commissioner (ICO));
(vii) where the personal data are not collected from the data subject, any available information as to their source (such as from third party partners); and
(viii) the existence of any automated decision-making, including profiling, applied to any of their data, information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject. Disclosure of information about profiling is only necessary where the profiling produces a legal effect or otherwise will significant affect the relevant individual e.g. determines whether an individual gets a job or promotion; or determines the price at which any product or service is offered to them or targets vulnerable groups of people.
(g) If the subject access request is made in electronic form (e.g. by email), the information should be provided in a commonly used electronic form, for example, in PDF, Word or Excel (unless the data subject requests otherwise).
(h) Exemptions:
(i) Flex should not provide data to the individual if to do so adversely affects the rights of others (data concerning the individual that does not affect others must still be provided, such as where the data discloses information about third parties which could adversely affect them).
(ii) If Flex hold a large quantity of data concerning the individual, Flex can ask the individual to specify the information or use of data that their request relates to — but Flex must still respond to the request once we identify the information.
(iii) Flex should not provide information which is subject to legal privilege.
(i) If the GDPO believes an exemption may apply, the GDPO will notify the Legal team and a decision must be made jointly between the GDPO and Legal team.
(j) Timing
(i) Flex must provide this information to an individual without undue delay and within one month of receiving the request, at the latest.
(ii) If the GDPO, working with the Legal team where necessary, determines that an exemption applies, the GDPO shall notify the individual making the request without undue delay and within once month with an explanation of the reasons why Flex will not comply with their request.
(k) Record Keeping
(i) The HR Global Business Services team will maintain complete records of the process and response for each request.
4.3 Right of rectification
(a) You will work with the GDPO and IT team to locate the data the individual claims to be incorrect and, if the circumstances are as the individual described, correct the data on all our files and systems where it is stored.
(b) If the individual asks for incomplete data to be completed you will work with the GDPO and IT team to complete the data. 这包括让个人提供补充声明以完成数据。
(c) You will work with the GDPO to inform the individual that the information has been corrected / completed as soon as possible.
(d) Time period
(i) Flex must rectify / complete the information in question without undue delay and within one month of receiving the request, at the latest.
(e) Record Keeping
(i) The HR Global Business Services team will maintain complete records of the process and response for each request.
4.4 Right of Erasure (the right to be forgotten)
(a) This right is only available in certain circumstances (set out below). 在与 HR 信息系统团队联系以进行删除之前,GDPO 将首先评估个人是否真正拥有这项权利。
(b) This right only applies when:
(i) the data is no longer necessary for the purpose for which they were collected or processed;
(ii) the individual withdraws consent to processing (and there is no other justification for processing);
(iii) the individual objects to Flex’s use of their data and Flex cannot demonstrate that there are overriding legitimate grounds for processing;
(iv) Flex have used their data unlawfully; or
(v) the data must be deleted to comply with law.
(c) If the GDPO concludes that this right applies, this conclusion will be referred to the Legal team for review. If the Legal team and the GDPO agree that the right applies, the IT team will assist in deleting the relevant data from our systems (and any third party systems on which the individual’s data is stored (e.g.IT hosting providers, database providers, etc.)
(d) If the data has been made public by Flex, it is also necessary to inform others who may be using that data (e.g. partners, linked social media sites, etc.) that the individual has requested their data is to be deleted. 伟创力将采取合理的步骤来做到这一点(考虑到可用的技术和实施成本)。GDPO 将在必要时与法务团队合作,决定这些合理步骤是什么。
(e) Exemptions
(i) Flex are not required to comply with a request to erase data if processing the data is necessary:
(A) to exercise freedom of expression and information;
(B) to comply with law;
(C) for public health reasons;
(D) for archiving purposes in the public interest
(E) scientific or historical research purposes or statistical purposes; or
(F) if required in connection with legal claims;
(ii) Flex are also not required to comply if the request is manifestly unfounded or excessive (in particular where the same individual has made the same request on multiple occasions).
(iii) If the GDPO believes an exemption may apply, the GDPO will notify the Legal team and a decision will be made jointly between the GDPO and the Legal team.
(f) Time period
(i) Flex must erase this information without undue delay and within one month of receiving the request, at the latest.
(ii) If the GDPO, working with the Legal team where necessary, determine that an exemption applies, the GDPO shall notify the individual making the request without undue delay and within once month with an explanation of the reasons why Flex will not comply with their request.
(g) Record Keeping
(i) The HR Global Business Services team will maintain complete records of the process and response for each request.
4.5 Right to restrict processing
(a) An individual may request that Flex restrict the processing of their personal data in certain circumstances.
(b) This right only applies when:
(i) the individual disputes the accuracy of the data Flex hold;
(ii) the individual objects to the processing and Flex are determining whether there are legitimate grounds on which to continue processing their personal data;
(iii) the processing is unlawful but the individual objects to erasure and requests restriction instead;
(iv) Flex have no further need for the data but the individual requires it in connection with a legal claim.
(c) In each of the scenarios outlined above, Flex can be required to restrict use of the data until the situation is resolved; however, Flex may continue to store the data. This right is intended as a temporary measure only.
(d) When data is restricted, Flex may only store the data. 除非有以下情况,否则不得使用:
(i) the individual consents;
(ii) its use is necessary in connection with a legal claim; or
(iii) it is required for public interest reasons.
(e) The GDPO shall assess whether the right applies, and if it does, shall work with the IT team to restrict the processing of the relevant data.
(f) Where the data in question is ordinarily processed automatically, the GDPO shall instruct the IT team to put measures in place to isolate or block the data in question.
(g) The GDPO shall work with the Business Unit that process the personal data to ensure that all relevant staff are aware of the restrictions in place.
(h) The GDPO, working with the Legal team where necessary, may determine that the restriction no longer applies as the requirements above can no longer be met. 在取消对处理数据的限制之前,GDPO 必须首先通知相关个人。
(i) Time period
(i) Flex must respond to a request to restrict processing without undue delay and in any event within one month of receiving the request.
(j) Record Keeping
(i) The HR Global Business Services team will maintain complete records of the process and response for each request.
4.6 Right to data portability
(a) An individual may request that we transfer certain data held about them to the individual or to another entity.
(b) This right only applies:
(i) to data which the individual has provided to Flex (and therefore does not apply to data which Flex have created about the individual). However, information about how an individual uses a product or service or device will be considered as “provided by” the individual;
(ii) where the processing of the relevant data was based on the individual’s consent or a contract with the individual; and
(iii) the processing is carried out by automated means.
(c) If the right applies, Flex must provide the relevant data to the individual in a structured, commonly used and machine readable form. 这意味着 Excel 电子表格、Word 文档或其他常见文本文件。
(d) The purpose of this right is to enable the information to be used by a third party provider, so this goes further than the right to access.
(e) If the individual requests that their data is transferred directly to another entity, Flex must do this where it is technically feasible.
(f) Exemption
(i) Flex do not have to port the data if to do so would adversely affect the rights of other individuals. This would apply where the information to be “ported” includes information about third party individuals if that information will be used for different purposes;
(ii) Flex do not have to port the data if it would result in our intellectual property rights being infringed or our trade secrets being revealed. 然而,如果可以在不影响这些权利的情况下发布信息,则应以这种方式发布。
(g) If the GDPO believes an exemption may apply, the GDPO will notify the Legal team and a decision will be made jointly between the GDPO and the Legal team.
(h) Time period
(i) Flex must port this information to an individual or another company without undue delay and within one month of receiving the request, at the latest.
(ii) If the DPO, working with the Legal team where necessary, determine that an exemption applies, the GDPO shall notify the individual making the request without undue delay and within once month with an explanation of the reasons why Flex will not comply with their request.
(j) Record Keeping
(i) The HR Global Business Services team will maintain complete records of the process and response for each request.
4.7 Right to object (including to direct marketing)
(a) An individual may inform us that he/she objects to our processing their personal data.
(b) This right only applies where Flex are processing the individual’s personal data on the basis of its or a third party’s legitimate interests (rather than having obtained consent for such processing or such processing being required to provide requested products or services to the individual) and Flex cannot demonstrate that such legitimate interests override the individual’s own rights, or that the processing is necessary for Flex’s legal rights.
(c) The GDPO, together with the Legal team (if required), shall assess whether Flex (or a relevant third party) have any continuing legitimate interests which overrides the rights and freedoms of the individual, taking into consideration any specific circumstances, which Flex are aware of, relating to that individual.
(d) If the GDPO and the Legal team determine that Flex (or the third party) has no continuing overriding legitimate interests, Flex shall cease to process that individual’s personal data. The personal data shall be deleted from the Flex systems (and third party systems).
(e) Separately, an individual may request that Flex cease to use their personal data for direct marketing, including for any profiling that Flex undertake in connection with such marketing.
(f) Upon receipt of a request to cease using personal data for direct marketing, the GDPO shall inform the relevant operational and marketing teams who shall cease using the individual’s personal data for marketing as soon as possible and shall cease sending any marketing to that individual. 与营销相关的对该个人进行的所有分析也必须停止。
(g) Time period
(i) We must respond to such requests and, where applicable, cease the relevant processing without undue delay and within one month of receipt of the request.
(h) Record Keeping
(i) The HR Global Business Services team will maintain complete records of the process and response for each request.
4.8 Rights where automated decision making takes place
(a) This right applies where Flex use solely automated means to make a decision that significantly affects an individual. 这可能包括仅基于能力测验或引入的心理测验做出招聘或晋升方面的决定。它也可能适用于我们向用户生成针对性消息的情况,这些消息会为个人调整价格或专门针对弱势群体。
(b) An individual may inform Flex that he or she objects to a significant decision being made about him or her by us based solely on automated processing.
(c) Where such a request is received the GDPO, together with the Legal team, shall assess whether an exemption applies.
(d) Exemptions
(i) The automated decision is required to enter into, or perform, a contract with the individual.
(ii) The automated decision is authorised by UK law.
(iii) Flex have the explicit consent of the individual to make such a decision.
(e) If such an exemption does not apply, Flex shall not make such a decision based solely on automated means. Instead, any such decision shall be re-considered by an appropriate member of the relevant team/Business Unit.
(f) Where an exemption does apply, Flex may continue with such decision but shall:
(i) ensure the information used to make such information is accurate and up-to-date;
(ii) consider whether it is reasonable to make the decision without using automated means;
(iii) allow human intervention into the decision-making process where requested by the individual; and
(iv) consider any objections to the decision raised by the individual as soon as reasonably possible and, ideally, within the same one month period in which the initial response is required.
(g) Time period
(i) We must respond to such requests and, where applicable, cease the relevant processing without undue delay and within one month of receipt of the request.
(h) Record Keeping
(i) The HR Global Business Services team will maintain complete records of the process and response for each request.
1. INTRODUCTION, PURPOSE, AND DEFINITIONS
1.1 Introduction
(a) Flextronics (Flex) is committed to data privacy and the fair processing of Personal Data, including enabling individuals to exercise the rights in respect of their Personal Data to which they are entitled under our Data Privacy Standards and applicable local data privacy laws.
(b) Many privacy regimes (including privacy laws of the UK) often grant individuals certain rights in respect of the collection and processing of their Personal Data by organisations. 伟创力致力于尊重和使个人能够行使我们的数据隐私标准和全球数据主体权利政策所规定的这些权利。
(c) A Data Subject has a right to raise a Data Privacy Complaint relating to any processing of their Personal Data by Flex or a Flex entity.
1.2 Purpose of the Policy
(a) The purpose of this policy is to set out the procedure which is to be followed by:
(i) Individuals (Data Subjects) who submit a Data Privacy Complaint; and
(ii) Flex when a Data Privacy Complaint is received.
1.3 Definitions
(a) Data Privacy Complaints: A complaint or concern about data privacy matters made against a person or entity, including a complaint that Flex or a specific Flex entity is not complying with the Data Privacy Standards, any Flex policies relating to data privacy or applicable data privacy laws.
(b) Business Contact: A business contact at any clients, underlying investors, shareholders, suppliers, partners or vendors.
(c) Data Subject: All individuals whose Personal Data is processed by one or more Flex entities, including current and former employees, Business Contacts and any other data subjects. 数据主体有权提出与伟创力或伟创力实体对其个人数据的任何处理有关的数据隐私投诉。
(d) Personal Data: Information relating to an identified or identifiable individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. 示例包括但不限于:
(i) name, address, Tax Identification Number, Social Security Number, National Identity number, date of birth, personal account numbers, credit/debit card numbers, online banking user names (whether or not used together with passwords);
(ii) data revealing racial or ethnic origin, political opinions, religious beliefs, union membership status, physical or mental health or condition, sexual life, and criminal history.
2. ROLES AND RESPONSIBILITIES
数据主体: 有权提出数据隐私投诉的个人。
数据隐私联络官 (DPLO): 负责将所有数据隐私投诉上报至 GDPO,以及第 6 节中规定的任务至伟创力全球隐私声明和规则。向其相关的区域数据隐私官汇报。
区域数据隐私官 (RDPO): 负责执行伟创力全球隐私声明和规则第 6 节中规定的任务,以及遵守数据隐私标准。向全球数据隐私官汇报。
Global Data Privacy Officer (GDPO): The Data Protection Officer (DPO) for the purposes of UK data protection laws. Responsible for tasks as set out in Section 6 of the Flex Global Privacy Policy and Rules and responsible for the network of Regional Data Privacy Officers, Data Privacy Liaison Officers, the development and implementation of the Data Privacy Standards, responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority. 可以将本声明中的任务委托给 RDPO。
3. RECEIPT OF A DATA PRIVACY COMPLAINT
3.1 A Data Subject may submit a Data Privacy Complaint by contacting HR Global Business Services (GBS) and the Global Data Privacy Officer through the following email address: dataprotection@flex.com。
3.2 Flex, through its Global Business Services (GBS) maintains the above dedicated email address for subjects to submit Data Privacy Complaints. However Data Privacy Complaints can be made by any means, e.g. in person, on the phone, by email, letter, or fax. 伟创力将提供模板投诉表格以协助数据主体,表格副本将在伟创力网站和数据隐私门户上提供。
3.3 Notwithstanding the above, if a Data Subject submits a Data Privacy Complaint through any other written or verbal means, a member of staff who receives such a Data Privacy Complaint will immediately forward that Data Privacy Complaint to the Global Data Privacy Officer using the above email address.
4. COMPLAINT HANDLING TIMELINES
以下时间段将适用于根据本规程处理的数据隐私投诉。
名称
时间段
描述
确认收到投诉
七 (7) 天内
伟创力将在收到后七 (7) 天内通过电子邮件确认收到各条数据隐私投诉。
索取更多信息
十四 (14) 天内
如果数据主体未能提供足够的信息,则全球数据隐私官可以在收到数据隐私投诉后的十四 (14) 天内要求提供有关投诉的更多信息。
做出决定
不得无故拖延,且无论如何应在一 (1) 个月内做出决定
全球数据隐私官将考虑数据隐私投诉和提供的任何补充信息。GDPO 不得无故拖延,且无论如何应在收到投诉后的一 (1) 个月内做出决定。
如果预期的响应时间有任何延迟,则 GDPO 将在整个过程的所有阶段随时通知数据主体。
如果投诉非常复杂或者数量太多
三 (3) 个月内
考虑到数据隐私投诉的复杂性和数量,做出决定的一个月规定时间最多可以再延长两个月。不得无故拖延做出决定,且无论如何应在收到投诉之日起三 (3) 个月内做出。
GDPO 应在收到投诉后一 (1) 个月内以书面形式通知数据主体。
如果预期的响应时间有任何延迟,则 GDPO 将在整个过程的所有阶段随时通知数据主体。
4.1 The Global Data Privacy Officer’s decision will be in writing.
4.2 The decision of the Global Data Privacy Officer will contain at least the following information:
(a) a description of the Data Privacy Complaint,
(b) a description of the respondent’s response(s), if any, to the Data Privacy Complaint;
(c) and a statement of the Global Data Privacy Officer’s findings and conclusions.
4.3 The Global Data Privacy Officer shall arrange for a copy of the decision to be mailed to the complainant within three business days of the date of the decision.
5. CONSEQUENCES OF THE DECISION
5.1 In the event that the Data Privacy Complaint is upheld, the Global Data Privacy Officer will make arrangements for appropriate steps to be taken in consultation with the Legal Team, including any compensation to be paid to the Data Subject for material or non-material damages, where appropriate.
5.2 In the event that the Data Privacy Complaint is rejected, or the Data Privacy Complaint is upheld but the Data Subject is not satisfied with the proposed response, the Data Subject will have a right to any of the following:
(a) raise the issue before the Information Commissioner’s Office;
(b) raise the issue before the Courts in the jurisdiction of England and Wales.
6. COMPLAINT ESCALATION
6.1 When it is determined that a Data Privacy Complaint could pose a risk to Flex or is otherwise significant, it may require escalation to the Chief Compliance Officer.
7. RECORD KEEPING
7.1 All relevant documentation in relation to this procedure must be recorded and maintained by GBS.
7.2 Data Privacy Complaint records shall include a copy of the Data Privacy Complaint and all communications and responses should be retained.
8. COMPLIANCE AND AUDIT
8.1 This procedure is subject to periodic risk-based monitoring by the Flex data privacy network and compliance team to ensure that it is effective and remains fit for purpose. Additionally, it may also be subject to an independent review by the Flex internal audit team.
9. EFFECT OF OTHER APPLICABLE LAWS
9.1 If the Data Privacy Complaint concerns the behaviour or conduct of another specifically-identified individual, the Data Privacy Complaint will be handled in accordance with any rights that such individual may have under applicable local law, including (if applicable) the right of that individual to submit a response to the Data Privacy Complaint.
10. TRAINING
10.1 Regional Data Privacy Officers and Data Privacy Liaison Officers will provide training to relevant staff on the procedures set out in this document. 区域数据隐私官和数据隐私联络官可以就识别与处理数据隐私投诉有关的常见问题,对事业部或 GBS 部门进行培训。
11. ADMINISTRATIVE INFORMATION
(a) Any questions relating to the interpretation and application of this policy should be addressed to the Global Data Privacy Officer at dataprotection@flex.com.
(b) In the event of any inconsistency between the guidance provided in this policy and the Data Privacy Standards or any other standard, policy, or procedure, please consult with the Global Data Privacy Officer.
