The UK Data Privacy Standards (the "Standards")

1.                  PURPOSE

 

1.1          About us:  Flex is a socially responsible and leading electronics manufacturing services provider delivering design, engineering and manufacturing services to aerospace and defense, automotive, computing, consumer, industrial, infrastructure, medical, energy and mobile original equipment manufacturers.  Flex helps customers design, build, ship and service electronics and other products through a network of international facilities. 通过遍布全球的业务,提供与核心电子制造和物流服务相结合的设计和工程解决方案。

1.2          Our commitment to data privacy:  These Standards set out our approach to and the commitment of the Flex Group and its Executive Management and Board of Directors to maintaining the highest standards of data privacy.  These Standards for processing of Personal Data relate to the Personal Data of employees, contractors and business contacts or other individuals and must be followed by all members and employees of the Flex Group, and the Executive Management and Board of Directors will enforce such compliance.  Failure to comply with these Standards, will lead to appropriate corrective and disciplinary actions.

1.3          Objective of these Standards:  We shall handle all Personal Data in accordance with Data Protection Laws and all other Applicable Law.  Our compliance with these Standards will provide you with the protection required to enable us to process certain Personal Data within the Flex Group, including the transfer of that Personal Data outside of the United Kingdom.

2.                  DEFINITIONS AND ABBREVIATIONS

Applicable Law means all applicable local data protection and privacy laws and regulations including, but not limited to, the Data Protection Laws.

业务联系人数据是指与 Flex 集团的客户和供应商的业务联系人相关的个人数据;

数据控制者是指单独或与他人共同确定处理个人数据的目的和方式的自然人或法人;

数据隐私是指《数据保护法》所颁布的数据保护;

数据处理人是指代表数据控制者处理个人数据的自然人或法人;

Data Protection Laws means UK Data Protection Laws.

数据主体是指已确认或可确认的自然人;

员工个人数据是指与以下人员有关的个人数据:(a) 现雇员、前雇员和潜在雇员;(b) 现承包商、前承包商和潜在的个体承包商;(c) 志愿者;(d) 代理商;(e) 临时工和散工;(f)伟创力集团的 (a) 至 (e) 中所列数据主体的受赡养者、亲戚、监护人和同伴;

Flex Group means Flex Ltd. incorporated in Singapore and located at 2 Changi South Lane, Singapore and any of its subsidiaries bound by these Standards;

Global Data Privacy Officer shall be the Data Protection Officer as defined by UK Data Protection Laws;

Global Data Subject Rights Policy means the policy attached under Annex C of these Standards;

Global Procedure for Raising and Handling Data Privacy Complaints means the policy attached under Annex D of these Standards;

个人数据是指可从该信息直接或间接识别的、与已确认或可确认自然人有关的任何信息,包括但不限于员工个人数据、业务联系人数据和第三方数据;

Regulation  / GDPR means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any law which implements, supplements, relates to or replaces it.

Processing shall have the meaning set out in UK Data Protection Laws and process and processes shall be construed accordingly.

特殊类别数据是指任何揭示数据主体种族或血统;政治见解;宗教或哲学信仰;工会会员身份;遗传数据;为唯一识别自然人而处理的生物特征数据的个人数据;有关健康、性生活或性取向的数据,就本标准而言,应包括与刑事定罪和犯罪有关的数据;

Supervisory Authority means the Information Commissioner’s Office.

标准是指本文档中列出的条款;

第三方数据是指与第三方有关的个人数据,例如其他个人有关的详细联系方式、投诉信息和闭路电视图像;

UK means the United Kingdom;

UK Data Protection Laws means data protection and privacy laws in the UK (including the Regulation as amended by any legislation arising out of the withdrawal of the UK from the European Union (“UK GDPR”) and the Data Protection Act 2018) as amended, supplemented, substituted or replaced from time to time;

我们和/或我们的是指伟创力集团及其员工;以及

你们表示其个人数据由伟创力集团处理的数据主体。

3.                  BACKGROUND

3.1          What is Data Privacy law?

《数据隐私法》(也称为“数据保护”)要求公司根据某些良好实践原则来处理个人数据。它还授予个人某些权利(例如访问和更正其信息)。《数据隐私法》管理伟创力收集、存储和使用有关员工、承包商、业务联系人和其他个人的个人数据的方式。 

3.2          How does Data Privacy law impact Flex internationally?

Data Protection Laws do  not permit the international transfer of Personal Data to countries  outside the UK unless they ensure an adequate level of data privacy.  Flex has taken proper steps to ensure that any transfer of Personal Data to countries outside the UK is lawful.  These Standards create a binding corporate rules framework to comply with rules contained in the Data Protection Laws and provide an adequate level of protection for Personal Data transferred to Flex Group companies outside the UK in accordance with Data Protection Laws (in particular the mechanism set out in UK Data Protection Laws for the approval of binding corporate rules).   Flextronics Global Services (Manchester) Limited is the member of the Flex Group with delegated Data Privacy responsibilities and will be responsible for compliance with these Standards.

4.                  SCOPE

4.1          Data covered by these Standards:  These Standards apply to our processing and the transfer by us of Personal Data which is subject to the Data Protection Laws for which we are a Data Controller and to:

(a)           the processing of this Personal Data by a member of the Flex Group within the UK;

(b)           the processing of this Personal Data in the UK by a member of the Flex Group located outside the UK in: (i) while the General Data Protection Regulation (EU) 2016/679 applies as law in the UK, a country that is not in the EEA or a country deemed adequate for the purposes of Personal Data transfers pursuant to a decision of the European Commission under Article 45 of the GDPR; and (ii) at such point as when the General Data Protection Regulation (EU) 2016/679 no longer applies as law in the UK, a country not considered adequate for the purposes of Personal Data transfers pursuant to adequacy regulations under section 17A of the Data Protection Act 2018;

(c)           the transfer of this Personal Data from within the UK to outside the UK in: (i) while the General Data Protection Regulation (EU) 2016/679 applies as law in the UK, a country that is not in the EEA or a country deemed adequate for the purposes of Personal Data transfers pursuant to a decision of the European Commission under Article 45 of the GDPR; and (ii) at such point as when the General Data Protection Regulation (EU) 2016/679 no longer applies as law in the UK, a country not considered adequate for the purposes of Personal Data transfers pursuant to adequacy regulations under section 17A of the Data Protection Act 2018, in each case by a member of the Flex Group to another member of the Flex Group and the subsequent processing or onward transfer of this Personal Data by that member to other members of the Flex Group.

(d)           The processing we carry out may be manual or automated. 我们处理的个人数据类型为员工个人数据、业务联系数据和其他个人数据。

4.2          The tables appended at Annex B of these Standards contain a general description of the Personal Data which is undergoing the transfers under these Standards.

4.3          The Standards apply to all processing of Personal Data within the Flex Group where such Personal Data are subject to the Data Protection Laws and Paragraph 4.1 of the Standards.

5.                  PRINCIPLES

如伟创力作为数据控制者,则应遵循以下原则:

5.1          We process Personal Data lawfully, fairly and in a transparent manner ("lawfulness, fairness and transparency"): We will process Personal Data fairly and lawfully.  One or more of the conditions set out in Annex A or under Data Protection Laws, which should be relied on in order to legitimise data processing, will always be met. We will make sure that it is clear to you how Personal Data concerning you are collected, used, consulted or otherwise processed and to what extent the  Personal Data are or will be processed. We will also provide information as required by Data Protection Laws including information to explain how we may disclose and/or transfer Personal Data as well as the legal basis for Processing, legitimate interests, categories of recipients and available rights. 任何与处理您的个人数据有关的信息及通讯将可轻松获取且易于理解。

5.2          We shall keep you informed regarding our processing of your Personal Data and provide the information regarding your rights under these Standards: 这些标准将在伟创力公共网站上以及伟创力内部数据隐私门户网站上公开提供,并可向全球数据隐私官提出书面请求索取。在处理您的个人数据之前,我们将让您知晓作为数据控制者的伟创力集团成员公司的身份,并向您提供《数据保护法》和本标准所要求的所有信息;

5.3          We shall ensure that Personal Data will only be processed for specified, explicit and legitimate purposes ("purpose limitation"): 我们将确保我们持有的关于您的个人数据将被用于特定、明确、合法的目的,这些目的在个人数据收集之时就已决定,而不会出于与收集个人数据的最初目的不相符的任何其他目的做进一步处理;

5.4          We shall ensure that we comply with principles of data minimisation in relation to Personal Data ("data minimisation"): 我们将确保我们的数据处理操作所处理的个人数据是充分、相关的,并仅限于我们处理个人数据的目的所需的数据。我们将确保个人数据的存储时间严格限制在最低限度。We will not keep Personal Data for longer than is necessary for the purposes for which it is collected and processed unless it is required to be kept longer under applicable law.  Personal Data will only be processed if the purposes of the processing could not be fulfilled by other means.  We will limit access to Personal Data to those employees who need access to fulfil their duties.  We require our vendors and suppliers to follow a similar approach to Personal Data they access in providing services to Flex.

5.5          We ensure that Personal Data is accurate and, where necessary, kept up to date ("accuracy"): 我们将确保个人数据保持最新且准确无误。Flex provides individuals with various methods to update and correct their Personal Data including online,  using self-service systems and by contacting the HR Global Business Services or the appropriate person.  We will ensure that we take every reasonable step in order to ensure that Personal Data which are inaccurate are rectified or deleted without delay.

5.6          We will ensure that Personal Data is kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the Personal Data are processed ("storage limitation"): 我们将确保根据包括《数据保护法》在内的适用法律,为删除或定期审查个人数据设定时间限制。

5.7          We use appropriate security and confidentiality safeguards to protect your Personal Data ("integrity and confidentiality"): We use appropriate technical, organisational, administrative and physical security measures to protect your Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Taking into account the state of the art, the cost of implementation of these measures and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, we impose security appropriate to the risks represented by the processing and nature of the data to be protected. In addition, in the event of a data security breach Flex will notify the Supervisory Authority unless the data security breach is unlikely to result in a risk to the rights and freedoms of Data Subjects, and notify Data Subjects if the data security breach is likely to result in a high risk to the rights and freedoms of the Data Subjects.

5.8          We shall provide you with rights of access, rectification, erasure, restriction, portability and objection to processing in accordance with the Data Protection Laws: 您有权要求获得关于您的所有个人数据的副本。We will provide you with access to such data as required by Data Protection Laws, unless we are permitted by Data Protection Laws to refuse or only partially comply with the request (e.g. where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character). 在数据保护法允许的情况下,我们可能会为此收取费用。如果您的个人数据不准确,您有权请求我们更正您的个人数据,包括如果个人数据不完整,以补充声明的方式予以更正。在某些情况下,您有权要求删除您的个人数据、要求限制处理您的个人数据,或以与您的特定情况有关的理由反对个人数据的处理或任何直接营销。在某些情况下,您有权请求我们以结构化、常用且机器可读的格式将您的个人数据传送给您或第三方。如果您希望行使这些权利中的任何一项,您应与数据隐私联络官、全球数据隐私官联系,或者如果您是伟创力的员工,则与 HR 全球共享服务中心联系。Further information and procedure is set out in the Global Data Subject Rights Policy which is attached at Annex C.

5.9          We recognise your right to object to direct marketing: If we use your Personal Data for direct marketing, we will only do so if we have collected your consent for such marketing or if otherwise permitted in accordance with Data Protection Laws.  If you object to our use of your Personal Data for direct marketing, you should contact the Global Data Privacy Officer, HR Global Business Services or using such other method as may be set out in the applicable marketing communication.

5.10        We only make limited use of automated decision making: There are requirements under the Data Protection Laws to ensure that no evaluation of, or decision about, an individual which produces legal effects or similarly significantly affects them can be based solely on automated processing of Personal Data except in limited circumstances.  For example, we make use of automated decision making in certain recruitment processes to test the aptitude of a particular candidate.  However, this process will usually be used in conjunction with other recruitment processes such as interviews and so are not conducted on a solely automated basis.  If Flex makes significant decisions on a solely automated basis, it will, as required by Data Protection Laws, implement safeguards such as rights for individuals to obtain human intervention, express his or her point of view and contest the decision. 

5.11        We take careful precautions with respect to the processing of Special Category Data and data relating to criminal convictions and offences:  We will only process your Special Category Data and data relating to criminal convictions and offences in accordance with Data Protection Laws, including relying on at least one of the conditions set forth under UK Data Protection Laws which is required to process such data. 这可能包括在必要时对此类特殊类别数据以及与刑事定罪和犯罪有关的数据使用加强的保障措施。 

5.12        We take appropriate measures with respect to our use of Data Processors: 数据处理者可以包括伟创力集团的成员或代表伟创力集团的成员处理个人数据的外部供应商。我们将确保在使用任何内部或外部数据处理者时:

(a)           we will have a written contract in place with that Data Processor;

(b)           the written contract will contain all the clauses that are mandatory under UK Data Protection Laws and otherwise under Data Protection Laws;

(c)           the written contract will state that the Data Processor, amongst other things:

(i)                will only act on the instructions of the Data Controller; and

(ii)               has a duty to notify Flex without undue delay of any personal data breaches. 如果个人数据泄露可能会给数据主体的权利和自由造成较高风险,则可能有通知数据主体的义务。数据处理者有责任记录任何个人数据泄露事件,包括与个人数据泄露事件有关的事实、后果和采取的补救措施。应根据要求将文件提供给监管机构。

我们还制定了全面的审核计划,以确保数据处理者遵守上述措施(请参阅下面的第 6.2 段)。

5.13        We shall restrict the transfer of Personal Data: In principle, international transfers of Personal Data from the UK to a country or territory which has inadequate Data Privacy laws are not allowed unless adequate safeguards are in place in accordance with Data Protection Laws, for example, by a member of the Flex Group (based outside the UK) entering into these Standards or by putting in place contractual clauses (such as the Standard Contractual Clauses as recognised under UK Data Protection Laws) which protect the Personal Data being transferred.  We will only transfer Personal Data where such safeguards are in place in accordance with Data Protection Laws, provided that adequate protection is provided as required under UK Data Protection Laws. We will ensure that all transfers of Personal Data to external vendors based outside the UK respect the rules relating to processors (as set out in Paragraph 5.12 above) in addition to the rules on transfers outside of the UK.

6.                  HOW WE COMPLY WITH AND ENFORCE THE STANDARDS

6.1          Our privacy officers: 我们在整个伟创力集团内建立了完整的隐私官队伍,他们负责各自国家、地区或部门的数据隐私,包括对本标准的遵守情况。Each Data Privacy Liaison Officer reports into the relevant Regional Data Privacy Officer and, ultimately, to the Global Data Privacy Officer who directly reports to the Executive Board.  The Flex Board comprises the Head of Legal, the Chief Financial Officer and Chief HR Officer and it reports to the Chief Executive. The Global Data Privacy Officer shall be the Data Protection Officer as defined by UK Data Protection Laws and is ultimately responsible for the network of Regional Data Privacy Officers and Data Privacy Liaison Officers, the development and implementation of these Standards responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority and monitoring and reporting annually on compliance to the Executive Board. The Regional Data Privacy Officers and Data Privacy Liaison Officers are responsible for handling local complaints from Data Subjects, reporting Data Privacy issues to the Global Data Privacy Officer, monitoring training and compliance at a local level and assisting with responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority.

6.2          Audit and compliance: In addition, we have in place a comprehensive audit programme which includes regular internal privacy assessments covering all aspects of these Standards.  The results of such privacy assessments are provided to the Global Data Privacy Officer and the Executive Board of Flex Ltd. If we identify any gaps in compliance with our Data Privacy requirements (including these Standards) work plans are put in place to rectify any gaps.  Where such assessment relates to these Standards they will be provided to the Supervisory Authority upon request.

6.3          Training Programme: 我们非常重视数据隐私,这体现在我们向所有可永久或定期访问个人数据、参与收集个人数据或开发个人数据处理工具以履行其职责的员工提供强制性数据隐私培训。除此之外,所有员工都必须遵守包括这些标准在内的所有伟创力政策和规程,还必须确认对伟创力行为守则的认可,该行为守则阐明了伟创力集团对数据隐私和机密性的承诺。

6.4          Accountability: 每个充当数据控制者的伟创力集团成员均应负责并能够证明在处理标准第 4.1 段中描述的个人数据时遵守这些标准。In order to demonstrate compliance, Flex Group members will document categories of processing activities carried out in line with the requirements as set out in UK Data Protection Laws. 该记录应以书面形式(包括电子形式)保留,并应按要求提供给监管部门。

6.5          Data Protection Impact Assessments: 为了加强合规性,伟创力集团成员应在需要时与全球数据隐私官协商进行数据保护影响评估,以处理可能对自然人的权利和自由造成高风险的操作。如果数据保护影响评估的结果表明,处理将导致高风险,而伟创力集团成员又未能采取缓解风险的措施,则应在处理之前咨询监管部门。

6.6          Privacy by Design and Default: Appropriate technical and organisational measures should be implemented by Flex Group members which are designed to implement the data protection principles under the UK Data Protection Law and to facilitate compliance with the requirements set up by these Standards.

6.7          National legislation and these Standards: We will ensure that if applicable data protection and privacy laws provide less protection than these Standards, these Standards will apply to our processing of Personal Data.  However, if applicable data protection and privacy laws provide a higher protection, we will ensure that we will comply with the higher standard. Additionally, if a member of the Flex Group believes that a conflict with applicable data protection and privacy laws prevents it from fulfilling its duties under these Standards (including following the advice of the Supervisory Authority) that member entity will promptly notify the Global Data Privacy Officer or applicable Data Privacy Liaison Officer who will (in consultation with the Legal Department or the Supervisory Authority, where necessary) responsibly decide what action to take.

在有理由认为适用于它的立法阻止其履行本标准下的义务,或对其遵守这些标准的能力产生重大影响的情况下,伟创力将确保立即将委派的数据保护责任通知伟创力集团成员以及全球数据隐私官,除非执法机构另行禁止,例如根据刑法禁止维护执法调查的机密性。

Where any legal requirement Flex is subject to in a non-UK country is likely to have a substantial adverse effect on the protection afforded by these Standards, the problem should be reported to the Supervisory Authority.  This includes any legally binding request for disclosure of the Personal Data by a law enforcement authority or state security body.  The Supervisory Authority should be clearly informed about the request, including information about the data requested, the requesting body, and the legal basis for the disclosure (unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). 在这些情况下,伟创力成员将尽最大努力获得免除该禁令的权利,以便尽其所能尽早地传达尽可能多的信息,并能够证明其已经这样做。如果在上述情况下,尽管已经尽到最大努力,伟创力成员仍无法通知监管部门,则伟创力必须每年将关于其收到的要求的一般信息提供给监管部门(例如,申请披露的数量、请求的数据类型、请求者(如果可能)等)。在任何情况下,伟创力集团成员向任何公共主管部门传输个人数据的方式都不能超出民主社会的必要范围而成为大规模、不成比例和不加区别的。

7.                  RELATIONSHIP WITH THE SUPERVISORY AUTHORITY

7.1          Co-operation with the Supervisory Authority:  The members of the Flex Group will co-operate with the Supervisory Authority and will provide assistance to each other in order to do so and to handle any request or complaint from a Data Subject or an investigation or inquiry.  Any questions about our compliance with Data Protection Laws should be addressed to the Global Data Privacy Officer using the contact details set out at the end of these Standards who will consult with the Supervisory Authority, where applicable.  Members of the Flex Group will abide by the advice of the Supervisory Authority on any issues regarding the interpretation of these Standards in accordance with the Data Protection Laws.  The Supervisory Authority is authorised to audit any member of the Flex Group who is bound by these Standards and advise on all matters related to these Standards. Such members of the Flex Group must respect the decisions of the Supervisory Authority to the extent consistent with Data Protection Laws and due process and without waiving any defences or rights of appeal.

 

 

8.                  YOUR RIGHTS UNDER THESE STANDARDS

8.1          Our liability to you:  The policies and procedures described in these Standards are in addition to any other remedies available under applicable data protection and privacy laws or provided under our other policies and procedures. 

Flextronics Global Services (Manchester) Limited has been nominated by the Flex Group as the company within the UK with delegated responsibility for these Standards in the context of UK Data Protection Laws.  Flextronics Global Services (Manchester) Limited will be responsible for and will take any action necessary to remedy any breach by a member of the Flex Group outside the UK bound by these Standards and has sufficient assets to pay compensation for any damages resulting from a breach of these Standards.  This will include any sanction imposed or other remedy available under applicable data protection and privacy laws including the requirement to pay compensation for any material or non-material damages resulting from the breach of the Standards by members of the Flex Group outside the UK. If a member of Flex Group outside the UK breaches these Standards, the Courts or Supervisory Authority in England & Wales will have jurisdiction and Flextronics Global Services (Manchester) Limited shall be liable to you as if the breach had been caused by them in England & Wales instead of the Flex Group member outside the UK.  Flextronics Global Services (Manchester) Limited shall not be liable if it is able to show that the member of the Flex Group which is alleged to be in breach is not liable for the breach giving rise to damages or that no such breach took place. The burden of proof will lie with Flextronics Global Services (Manchester) Limited in order to demonstrate that the Flex Group member outside the UK which is alleged to be in breach is not liable for any breach of the Standards which has resulted in the claim for damages. In each case identified above, if it is held that these Standards have been breached, it shall be the responsibility of the claimant to demonstrate that he or she has suffered damage and establish facts which show it is likely that the damage has occurred as a result of such breach.

8.2          Your rights under these Standards: If you believe a member of the Flex Group is in breach of these Standards, you may raise a complaint by contacting HR Global Business Services or the Global Data Privacy Officer (please see Paragraph 10 below).   Please also refer to the Global Procedure for Raising and Handling Data Privacy Complaints (a copy of which can be found on the Flex Data Privacy Portal and can be found at Annex D to these Standards) which sets out further detail regarding the complaints handling process. You can enforce the  rights as set out in these Standards (including those set out in Paragraphs 5, 6.4, 6.7, 7, 8.1, 8.2, 8.3 and 9.1) as a third party beneficiary, in relation to transfers of Personal Data made by a member of the Flex Group or a Data Processor appointed by a member of the Flex Group located within the UK to a country outside the UK in (i) while the General Data Protection Regulation (EU) 2016/679 applies as law in the UK, a country that is not in the EEA or a country deemed adequate for the purposes of Personal Data transfers pursuant to a decision of the European Commission under Article 45 of the GDPR; and (ii) at such point as when the General Data Protection Regulation (EU) 2016/679 no longer applies as law in the UK, in a country not considered adequate for the purposes of Personal Data transfers pursuant to adequacy regulations under section 17A of the Data Protection Act 2018. This can be done by (a) raising and bringing the issue of breach before the Supervisory Authority or bringing the issue of breach before the Courts in the jurisdiction of England and Wales. The rights contained in this paragraph are in addition to and shall not prejudice any other rights or remedies that you may otherwise have at law including the right to compensation, if appropriate. 在不影响第 8.2 节中规定的前提下,如果伟创力在这种情况下遵守了适当的注意标准或按照数据保护法采取了其他措施,则不会被视为违反了这些标准。

8.3          All data subjects who benefit from these rights as a third party beneficiary shall be provided with information as required by UK Data Protection Laws (Articles 13 and 14 of the Regulation and, at such time as the Regulation no longer applies in the UK, the UK GDPR). The Standards contain the required information on their third party beneficiary rights with regard to the processing of their Personal Data and on the means to exercise those rights, in the clause relating to liability and the clauses relating to the data protection principles. 这些标准可在伟创力网站上获得,在所有适用的隐私声明中均已提及,并可向全球数据隐私官索取。

9.                  GENERAL

9.1          Updates to these Standards: From time to time we may amend these Standards (including to take account of modifications to the regulatory environment or the company structure).  Additional members of the Flex Group may become bound by the Standards and certain members of the Flex Group may no longer be bound by these Standards. Therefore we will ensure that a fully updated list of members of the Flex Group is available from the Global Data Privacy Officer and will provide this information to Data Subjects and the Supervisory Authority on request. The Global Data Privacy Officer will keep track of and record any updates to the StandardsIn addition, all amendments to the Standards will be subject to the approval of the Global Data Privacy Officer and reported without undue delay to all Flex Group members and to the Supervisory Authority.

Any changes to the Standards or to the list of Flex Group members should be reported to the Supervisory Authority at least annually with a brief explanation of the reasons justifying the update.  Significant changes, such as those which would possibly affect the level of protection offered by the Standards or significantly affect the Standards must be promptly communicated to the Supervisory Authority and where necessary, the approval of the Supervisory Authority will be sought. 

一旦对标准的任何修订获得批准,这些修订将被传达给所有受这些标准约束的伟创力集团成员,并发布在伟创力公共网站和伟创力集团内部网的数据隐私门户上。对标准的任何修订均应包含修订日期。在这些成员受这些标准约束并能够实现合规性之前,我们不会将这些标准所涵盖的个人数据转移给伟创力集团的成员。

9.2          Effective Date: 30 June 2015

更新生效日: 22 December 2020

10.              CONTACT INFORMATION

Contacts:  If you have any questions about these Standards, your rights under these Standards or any other privacy issues you can contact us using following email address: dataprotection@flex.com


附件 A – 伟创力在处理个人数据之前须满足的条件

 

伟创力集团在处理这些标准的第 4.1 段中描述的个人数据之前,必须至少满足以下条件之一:

 

  • 数据主体表示同意;
  • 该处理对于履行数据主体为一方的合约或在订立合约之前根据数据主体的请求采取步骤是必要的;
  • 该处理对于履行伟创力的法律义务(合约义务除外)是必要的;
  • 该处理对于保护数据主体或其他自然人的切身利益是必要的;
  • 该处理对于出于公共利益或行使赋予控制方的官方权力而执行任务是必要的;
  • 该处理对于追求伟创力或第三方的合法利益是必要的,除非这些利益被需要保护个人数据的数据主体的利益或基本权利和自由所取代,特别是在数据主体为儿童的情况下。

 

在处理这些标准的第 4.1 段所述的个人数据(伟创力集团的特殊类别数据)之前,必须至少满足以下条件之一:

 

  • 数据主体已明确表示同意;
  • The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or UK law or, at the time the Regulation no longer applies in the UK, only UK law or a collective agreement pursuant to Member State law or, at the time the Regulation no longer applies in the UK, only UK law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • 该处理对于保护数据主体或另一自然人的切身利益是必要的,因为该数据主体在身体上或法律上无法给予同意;
  • 基金会、协会或任何其他具有政治、哲学、宗教或工会宗旨的非营利组织在采取适当保障措施的情况下,在其合法活动过程中进行处理,但前提是该处理仅涉及该机构的成员或前成员,或者与该机构有与其宗旨相关的定期联系的人员,并且未经数据主体的同意,不得在该机构之外披露个人数据;
  • 该处理涉及显然由数据主体公开的个人数据;
  • The processing is necessary for the establishment, exercise or defence of legal claims;
  • The processing is necessary for reasons of substantial public interest, on the basis of Union or UK law or, at the time the Regulation no longer applies in the UK, only UK law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or UK or, at the time the Regulation no longer applies in the UK, only UK law or pursuant to contract with a health professional;
  • The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or UK law or, at the time the Regulation no longer applies in the UK, only UK law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  • The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation based on Union or UK law and, at such time as the Regulation no longer applies in the UK, Article 89(1) of the UK GDPR based on UK law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

 

伟创力集团对与刑事定罪和犯罪相关的数据进行的所有处理均应基于数据保护法中的条件。

 

 


附件 B – 对于标准实质范围的说明

 

伟创力集团对个人数据的转移

 

1              Transfer of Employee Data

 

 

进出口目的

·         招聘,包括整个 伟创力集团的招聘战略的规划和实施以及人员配备

·         招聘和人员管理

·         工资和员工福利管理,包括休假管理、薪酬管理、重点审核、绩效审核和员工关怀服务

·         职业和专业发展与人才管理

·         养老金,如养老金缴款

·         库存管理,包括员工库存购买计划的管理、归档和报告

·         纪律和申诉规程

·         在美国的平等机会管理

·         绩效管理和评估

·         人事记录和查询支持的管理,包括与请假、缺勤、薪酬和福利有关的支持

·         维护目录并简化业务通知和/或与员工和承包商的通讯记录

·         培训管理

·         用于防止欺诈或调查,或者其他风险管理用途

·         根据数据主体的书面请求(在适当的情况下)

·         安全,包括为工人的赔偿要求和在危及人员健康或安全的紧急情况下提供的支持信息

·         商务旅行

·         遵守合同、法律和法规义务以及处理法律索赔和争议

·         法律或法规要求或允许的与数据主体有关的其他人员事务。

·         与近亲联系

·         授权控制和数据安全

·         备份和业务连续性

·         保护知识产权、机密信息和资产

·         管理预测和规划集团架构的更改

数据主体的类型

员工包括:

·         现有、以前和未来的员工

·         现任、前任和潜在承包商

·         志愿者

·         代理商

·         临时工和散工

·         上述数据主体的受抚养人、亲戚、监护人和同事。

个人数据类别

·         个人详情,包括姓名、出生日期、家庭住址、国家税号、社会安全号码、驾照号码、护照号码和个人电子邮件地址

·         家庭、生活方式和社交环境,其中可能包括婚姻状况、伴侣的详情、孩子的详情和母亲的姓名

·         教育和培训详情,包括资质、学历、学校、培训记录和行业专长

·         雇用详情,包括雇用状态、职位、雇用日期、工作地点、离职日期、状态、评估详情和组织详情,例如受雇的公司、办公地址、工作电话号码、个人照片、部门和主管、成本中心、员工类型以及是全职还是兼职、工作电子邮件地址、内部网用户登录名、主管详情、HR 顾问详情、其他电子邮件地址、职位描述、代码和员工 ID

·         财务详情,包括福利详情、股票所有权、工资、费用、支票信息和银行帐户信息、奖金目标和退休金信息

·         商品和服务详情,包括数据主体出售的交易或产品的详情

特殊类别数据的类型或与刑事定罪或犯罪有关的数据

·         种族或民族血统

·         宗教或其他具有相似性质的信仰

·         工会会员身份

·         身体或精神健康或状况

·         犯罪(包括任何指称犯罪)

可访问个人数据的人员类型

出于上述目的,员工数据由人力资源部门、相关员工经理和 HR 全球共享服务中心成员处理。某些“员工数据”也可能发送到:

·         数据主体本身

·         亲戚、监护人或与数据主体有关联的其他人

·         数据主体的当前、过去或未来的雇主

·         教育、培训机构和考试机构

·         业务伙伴和其他专业顾问

·         其他 Flextronics 实体

·         Flextronics 的员工和代理商

·         商品和服务的供应商和/或提供商

·         金融组织和顾问

·         信用咨询机构

·         贸易、雇主协会和专业团体

·         法律要求的政府机构和执法机构

·         就业和招聘机构

·         养老基金管理人

·         受 Flextronics 指示处理数据的某些数据处理方

·         与出售任何伟创力业务或资产有关的潜在收购方或购买方

个人数据出口所自的国家/地区

Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine and the USA.

个人数据出口所至的国家/地区

Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine and the USA.

继续转移的依据

基于遵守数据隐私标准附件 A 中的一个或多个条件。

 


业务联系信息的转移

 

进出口目的

·         维护和发展客户与供应商关系

·         业务规划

·         To fulfil a transaction initiated by a Data Subject

·         To fulfil a transaction initiated by a member of the Flex Group such as the purchase of supplies or equipment

·         To fulfil a transaction with, or for, Flex customers

·         保存与伟创力开展的任何业务或其他活动相关的帐户信息

·         决定是否接受某人作为客户或供应商

·         保存采购、销售或其他交易记录,以确保必要的付款和/或已完成的交付或已提供的服务

·         完成客户满意度调查

·         研发

·         业务拓展

·         活动管理

·         数据库管理

·         开展竞争

·         安全性

·         用于防止欺诈与盗窃,调查或其他风险管理用途

·         遵守合同、法律或监管义务

·         根据数据主体的书面请求(在适当的情况下)

数据主体的类型

伟创力客户(包括我们客户的客户)、业务联系人和供应商

个人数据类别

·         个人资料,包括姓名、家庭住址、雇主、办公地址、个人与工作电话号码,以及家庭和工作电子邮件地址

·         财务资料,包括付款和收款信息,以及增值税/营业税信息

·         提供或购买的商品或服务

特殊类别数据的类型或与刑事定罪或犯罪有关的数据

·         无

可访问个人数据的人员类型

Business Contact Data is used primarily by Flex employees as is necessary to fulfil their job requirements.  However, Business Contact Data customer information may also be sent to:

·         业务伙伴和其他专业顾问

·         Flextronics 的其他员工、代理商和承包商

·         商品和服务的供应商和/或提供商

·         第三方,包括出于活动管理目的

·         法律要求的政府机构、法院和执法机构

·         申索人、受益人、受托人和收款人

·         与出售任何伟创力业务或资产有关的潜在收购方或购买方

个人数据出口所自的国家/地区

Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands,  Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine and the USA.

个人数据出口所至的国家/地区

全球范围,包括奥地利、巴西、加拿大、中国大陆、捷克共和国、丹麦、芬兰、法国、德国、香港、匈牙利、印度、印度尼西亚、爱尔兰、以色列、意大利、日本、马来西亚、毛里求斯、墨西哥、荷兰、菲律宾、波兰、罗马尼亚、俄罗斯、瑞士、瑞典、英国、新加坡、韩国、台湾、土耳其、乌克兰和美国。

继续转移的依据

基于遵守数据隐私标准附件 A 中的一个或多个条件。

 


2              Transfer of other Personal Data

 

 

a.   Crime prevention and prosecution

 

进出口目的

·         预防犯罪,并协助有关当局和机构侦查、逮捕和起诉罪犯

·         监视和收集可视图像,以维护相关伟创力场所的安全性

·         响应法院或政府机构的合法请求,或者以其他方式遵守适用的法律或强制性程序

数据主体的类型

·         伟创力顾客和客户(包括我们客户的客户)、业务联系人和供应商

·         顾问、咨询师和其他专业专家

·         公众人士

·         伟创力员工,包括志愿者、代理、临时工和散工

·         被监控区域内部、进入此区域或区域附近的人员

个人数据类别

·         个人详情

·         家庭、生活方式和社会环境

·         教育和就业细节

·         财务详情

·         提供的商品或服务

·         声音和/或视觉图像

特殊类别数据的类型或与刑事定罪或犯罪有关的数据

·         犯罪,包括涉嫌犯罪

·         刑事诉讼、结果和判决

可访问个人数据的人员类型

·         数据主体本身

·         业务伙伴和其他专业顾问

·         伟创力的其他员工和代理

·         伟创力集团的其他公司

·         Persons making an enquiry or complaint

·         法律要求的政府机构、法院和执法机构

·         商品和服务的供应商和/或提供商

·         提供供应商和安全服务的第三方

个人数据出口所自的国家/地区

Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Korea, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine and the USA.

个人数据出口所至的国家/地区

Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg, Malaysia, Mauritius, Mexico, the Netherlands, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey, Ukraine and the USA.

继续转移的依据

基于遵守数据隐私标准附件 A 中的一个或多个条件。

 


b.   Managing Shareholdings

 

进出口目的

·         决定是否接受任何人作为股东

·         保留记录并管理股票购买或其他相关交易

·         用于防止欺诈或调查,或者其他风险管理用途

·         致潜在购买者并保护伟创力的合法权利或资产,以促进伟创力业务的收购或处置

·         应政府机构、法院和执法机构的合法请求,以及以其他方式遵守适用法律或强制性程序

数据主体的类型

·         股东和股东联系方式

个人数据类别

·         个人详细信息,包括联系方式

·         财务详情

特殊类别数据的类型或与刑事定罪或犯罪有关的数据

可访问个人数据的人员类型

个人数据主要由伟创力员工使用,以满足他们的工作要求和管理股东福利。然而,个人数据也可能被发送给:

·         数据主体本身

·         业务伙伴和其他专业顾问

·         伟创力的其他员工和代理

·         伟创力集团的其他公司

·         与处理任何伟创力业务或资产有关的潜在收购方或购买方

·         法律要求的政府机构、法院或执法机构

·         调查官和监管机构

个人数据出口所自的国家/地区

Worldwide including Australia, Austria, Bermuda, Brazil, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg,  Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey and Ukraine and the USA.

个人数据出口所至的国家/地区

Worldwide including Australia, Austria, Bermuda, Brazil, British Virgin Islands, Canada, Cayman Islands, Chile, China, Costa Rica, Curacao, Czech Republic, Denmark, Finland, France, Germany, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Labuan, Luxembourg,  Malaysia, Mauritius, Mexico, the Netherlands, New Zealand, Philippines, Poland, Romania, Switzerland, Sweden, UK, Singapore, Spain, South Korea, Taiwan, Turkey and Ukraine and the USA.

继续转移的依据

基于遵守数据隐私标准附件 A 中的一个或多个条件。

 

 

 

 

 

 

 

 

 

 

 

 

 


ANNEX C - Global Data Subject Rights Policy

 

 

1              Introduction

1.1          Purpose of this Global Data Subject Rights Policy

(a)           Flextronics (Flex) is committed to privacy and respecting the rights of those whose personal data Flex collect and use. 支持隐私要求我们所有人都了解个人对于我们收集或持有的属于他们的数据所享有的权利。

(b)           Every individual whose personal data we hold and use has rights in respect of that data. 这包括员工、业务联系人和网站用户。该政策旨在使我们能够按照我们的数据隐私标准尊重这些权利。

(c)           The individual rights contained in this Policy reflect those rights outlined in the Data Privacy Standards and at Section 7 of the Flex Global Privacy Policy and Rules.

(d)           Flex support the entitlement of individuals to exercise their rights to protect and verify the correct use of their personal data. 如果有人向我们询问有关伟创力所持有之关于他们的个人数据的问题,伟创力将会快速回应以提供帮助。伟创力将为个人行使这些权利提供便利,并在可行的情况下提供电子方式以便行使这些权利。

(e)           Individuals may contact Flex verbally or in writing to request that Flex take some action in connection with their personal data. Requests should be referred to the local Data Privacy Liaison Officer for your jurisdiction in the first instance, or to the Global Data Privacy Officer, who is the Data Protection Officer for the purposes of UK data protection laws and can be contacted on: dataprotection@flex.com or +43 1 602 4100 1737.

(f)            This policy explains how Flex identify and respond to requests from individuals concerning their data.

(g)           In general, Flex must respond to queries within one month from the receipt of the request, so it is important that requests are identified and handed to the correct people within Flex as soon as possible.

(h)           Our key objectives when handling requests from individuals are to:

(i)            identify the nature of the request at the earliest opportunity;

(ii)           respond to the individual making the request in a timely manner;

(iii)          work with the individual making the request to understand their request, their concerns and how we can assist; and

(iv)          maintain clear records regarding each request we receive and our response.

1.2          What rights do individuals have? 

(a)           Individuals have the right to make the following types of request regarding the personal data Flex holds about them: 

(i)            Right of access (subject access requests) – the right to request a copy of the personal data that Flex have concerning the individual and supporting information explaining how the personal data is used.

(ii)           Right of rectification – the right to request that we rectify inaccurate personal data concerning the individual.

(iii)          Right of erasure (right to be forgotten) – the right, in some situations, to request that Flex erase all personal data concerning the individual.

(iv)          Right to restrict processing – the right, in some situations, to request that Flex do not use the individual's personal data they have provided (e.g. if they believe it to be inaccurate).

(v)           Right to data portability – the right, in some situations, to request that Flex port the individual's data to that individual or their new provider in machine readable format.

(vi)          Right to object – the right to object to certain processing of their personal data (unless Flex have overriding compelling grounds to continue the processing) and the right to object to direct marketing/profiling.

(vii)         Rights relating to automated decision making – the right not to be subject to automated decision making that significantly affects an individual (e.g. certain profiling).

(b)           Flex will respond to requests listed in 1.2(a) above in accordance with Annex C 1.1(g). However, in certain circumstances that period may be extended by a further two months, taking into account the complexity of the request(s) and the number of requests made.  If applicable, the GDPO, in consultation with the Legal Team, will take this decision and notify the Data Subject within one month of the receipt of the request, together with the reasons for the delay. Where the Data Subject has made the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.

2              Roles and Responsibilities

角色

责任

数据主体

有权提出个人权利请求/数据主体权利请求的个人。

数据隐私联络官 (DPLO)

在其职责范围内负责上报个人权利请求,以及伟创力全球隐私声明​和规则第 6 节中规定的任务。向其相关的区域数据隐私官汇报。

区域数据隐私官 (RDPO)

负责执行伟创力全球隐私声明​和规则第 6 节中规定的任务,以及遵守数据隐私标准。向全球数据隐私官汇报。

全球数据隐私官(GDPO 或 DPO)

The Data Protection Officer for the purposes of UK data protection laws. Responsible for tasks as set out in Section 6 of the Flex Global Privacy Policy and Rules and responsible for the network of Regional Data Privacy Officers, Data Privacy Liaison Officers, the development and implementation of the Data Privacy Standards, responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority. 可以将本声明中的任务委托给 RDPO。

 

 

3              Identifying individual rights requests

(a)           Identifying requests from individuals regarding their personal data is crucial and requires the support of everyone within Flex.

(b)           It is essential that we identify and notify the relevant people within Flex once we receive a request from an individual.

(c)           Flex are required to respond to, and address, requests within one month of receiving them. 因此,伟创力必须迅速有效地采取行动。

3.1          Identifying the individual rights request

(a)           Requests relating to personal data may not always be completely obvious or clear. Requests may refer to data protection law but requests do not need to refer to any law to be valid.

(b)           Listen and look for key words and phrases to identify whether a particular communication is a request concerning personal data. 以下关键词和短语不是指标的详尽列表:

(i)            Can you please give me / provide me with / send me all the personal information Flex holds about me.

(ii)           Are you using my data / why are you using my data / how are you using my data / who are you sharing my data with?

(iii)          You have the wrong [address, date of birth, surname, sex etc.] for me, please change it to…

(iv)          Delete / remove / purge all information you have about me.

(v)           Stop using my information, it is against the law for you to use it in this way / it is inaccurate / you do not need to use it any more / I don't want you to use it for…."

(vi)          "Give me all my data to…. ”

(c)           Flex, through its Global Business Services (GBS) maintains a dedicated email address for subjects to submit individual rights requests. 电子邮件地址是 dataprivacy@flextronics.com。然而,可以通过任何方式提出权利要求,例如面对面打电话、发送电子邮件信件或传真。在同一通信中也可以接收多种形式的权利请求。

(d)           If you identify a request as one which does, or which may, concern personal data, immediately inform the Data Privacy Liaison Officer (DPLO).

(e)           If you cannot be certain that the request is legitimate or that the person making the request is who they say they are, then take common sense steps to check.  For example, call a number provided by the individual to check they have made the request or ask them to send an email from a recognised account. If you are still not certain about the identity of the person making the request, liaise with the Global Data Privacy Officer (GDPO) to determine what further steps should be taken.

4              Reporting and responding to requests from individuals

(a)           When you receive something that looks like it is, or may be, a request concerning personal data, please notify the DPLO immediately. 如果您不知道数据隐私联络官是谁或他们没有空,请与您的直线经理或法务团队联系。

(b)           The GDPO will work with the DPLO to request all information from the reporting individual as may be necessary to identify the nature of the request, for example requesting a copy of the individual's passport, and/or a recent utility bill.

(c)           The GDPO will determine whether or not the request is a valid request regarding personal data and ensure that Flex has acknowledged receipt of the request to the relevant individual.

(d)           It is also possible that individual rights requests can also be made via a third party. 通常,这将是代表个人行事的律师。In these cases, Flex will validate that the third party has been authorised to make a request on behalf of the individual. The third party will need to provide evidence of this authorisation. 证据可以书面形式提供,以授权第三方提出此请求,也可以是一般授权书。  

(e)           The GDPO will identify the category of the request and respond in accordance with the relevant process set out below and Flex obligations under data protection law. 在回应请求时,GDPO 将在数据隐私联络官、RDPO、您的直线经理、IT 和法务团队的支持下工作。

(f)            The GDPO shall periodically review the total number of requests that are received and whether such requests have been dealt with in accordance with this policy and, where appropriate, shall review any underlying issues giving rise to requests.

(g)           Once a request from an individual has been identified, the GDPO shall follow the relevant process outlined below.


 

4.2          Right of Access (subject access request)

(a)           You will work with the GDPO and the IT team to progress an access request by arranging a search of all our relevant systems for the appropriate personal data (including local storage such as shared and personal drives), email servers, back-up locations and third party applications on which personal data is stored on our behalf, and under our instruction, of (e.g. HR systems, CRM platforms, accounting programs etc.). 如果可能,请让个人填写个人权利请求表。表格的副本将在门户网站上提供。

(b)           The search process shall be started as soon as possible as it can be a detailed and time consuming exercise.

(c)           All relevant teams/departments should be contacted to ensure that all relevant file, folders (whether electronic or paper) and third party applications are searched.

(d)           Where a general request is made for "all information held by Flex", the search criteria should be as broad as possible in the first instance to identify all possible documents relating to the individual. 应使用个人的姓名、地址、首字母缩写、别名等搜索条件作为辅助。该个人的个人数据可能会出现在信件、备忘录、电子邮件、文件注释、电子通讯录等中,以及出现在我们的客户或 HR 数据库和客户资料中。

(e)           Upon completion of the search you will work with the GDPO (and the Legal team, if necessary) to prepare and respond to the individual, providing copies of the relevant personal data and associated information that the individual is legally entitled to receive.

(f)            All responses must be signed off by the GDPO, and contain the following information:

(i)            the purposes of the processing;

(ii)           the categories of personal data concerned;

(iii)          the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in non-UK countries or international organisations (and information on the appropriate safeguards used for international transfers, if relevant);

(iv)          where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(v)           the existence of the right to request from Flex rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(vi)          the right to lodge a complaint with the Supervisory Authority (the UK's Information Commissioner (ICO));

(vii)         where the personal data are not collected from the data subject, any available information as to their source (such as from third party partners); and

(viii)        the existence of any automated decision-making, including profiling, applied to any of their data, information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject. Disclosure of information about profiling is only necessary where the profiling produces a legal effect or otherwise will significant affect the relevant individual e.g. determines whether an individual gets a job or promotion; or determines the price at which any product or service is offered to them or targets vulnerable groups of people.

(g)           If the subject access request is made in electronic form (e.g. by email), the information should be provided in a commonly used electronic form, for example, in PDF, Word or Excel (unless the data subject requests otherwise).

(h)           Exemptions:

(i)            Flex should not provide data to the individual if to do so adversely affects the rights of others (data concerning the individual that does not affect others must still be provided, such as where the data discloses information about third parties which could adversely affect them).

(ii)           If Flex hold a large quantity of data concerning the individual, Flex can ask the individual to specify the information or use of data that their request relates to – but Flex must still respond to the request once we identify the information.

(iii)          Flex should not provide information which is subject to legal privilege.

(i)            If the GDPO believes an exemption may apply, the GDPO will notify the Legal team and a decision must be made jointly between the GDPO and Legal team.

(j)            Timing

(i)            Flex must provide this information to an individual without undue delay and within one month of receiving the request, at the latest.

(ii)           If the GDPO, working with the Legal team where necessary, determines that an exemption applies, the GDPO shall notify the individual making the request without undue delay and within once month with an explanation of the reasons why Flex will not comply with their request.

(k)           Record Keeping

(i)            The HR Global Business Services team will maintain complete records of the process and response for each request.




 

 

4.3          Right of rectification

(a)           You will work with the GDPO and IT team to locate the data the individual claims to be incorrect and, if the circumstances are as the individual described, correct the data on all our files and systems where it is stored.

(b)           If the individual asks for incomplete data to be completed you will work with the GDPO and IT team to complete the data. 这包括让个人提供补充声明以完成数据。

(c)           You will work with the GDPO to inform the individual that the information has been corrected / completed as soon as possible.

(d)           Time period

(i)            Flex must rectify / complete the information in question without undue delay and within one month of receiving the request, at the latest.

(e)           Record Keeping

(i)            The HR Global Business Services team will maintain complete records of the process and response for each request.


 

 

4.4          Right of Erasure (the right to be forgotten)

(a)           This right is only available in certain circumstances (set out below). 在与 HR 信息系统团队联系以进行删除之前,GDPO 将首先评估个人是否真正拥有这项权利。

(b)           This right only applies when:

(i)            the data is no longer necessary for the purpose for which they were collected or processed;

(ii)           the individual withdraws consent to processing (and there is no other justification for processing);

(iii)          the individual objects to Flex's use of their data and Flex cannot demonstrate that there are overriding legitimate grounds for processing;

(iv)          Flex have used their data unlawfully; or

(v)           the data must be deleted to comply with law.

(c)           If the GDPO concludes that this right applies, this conclusion will be referred to the Legal team for review. 如果法务团队和 GDPO 同意适用该权利,则 IT 团队将协助从我们的系统(以及存储个人数据的任何第三方系统,例如 IT 托管提供商、数据库提供商等)中删除相关数据。

(d)           If the data has been made public by Flex, it is also necessary to inform others who may be using that data (e.g. partners, linked social media sites, etc.) that the individual has requested their data is to be deleted. 伟创力将采取合理的步骤来做到这一点(考虑到可用的技术和实施成本)。GDPO 将在必要时与法务团队合作,决定这些合理步骤是什么。

(e)           Exemptions

(i)            Flex are not required to comply with a request to erase data if processing the data is necessary:

(A)          to exercise freedom of expression and information;

(B)          to comply with law;

(C)          for public health reasons;

(D)          for archiving purposes in the public interest

(E)          scientific or historical research purposes or statistical purposes; or

(F)           if required in connection with legal claims;

(ii)           Flex are also not required to comply if the request is manifestly unfounded or excessive (in particular where the same individual has made the same request on multiple occasions).

(iii)          If the GDPO believes an exemption may apply, the GDPO will notify the Legal team and a decision will be made jointly between the GDPO and the Legal team.

(f)            Time period

(i)            Flex must erase this information without undue delay and within one month of receiving the request, at the latest.

(ii)           If the GDPO, working with the Legal team where necessary, determine that an exemption applies, the GDPO shall notify the individual making the request without undue delay and within once month with an explanation of the reasons why Flex will not comply with their request.

(g)           Record Keeping

(i)            The HR Global Business Services team will maintain complete records of the process and response for each request.

 


 

4.5          Right to restrict processing

(a)           An individual may request that Flex restrict the processing of their personal data in certain circumstances.

(b)           This right only applies when:

(i)            the individual disputes the accuracy of the data Flex hold;

(ii)           the individual objects to the processing and Flex are determining whether there are legitimate grounds on which to continue processing their personal data;

(iii)          the processing is unlawful but the individual objects to erasure and requests restriction instead;

(iv)          Flex have no further need for the data but the individual requires it in connection with a legal claim.

(c)           In each of the scenarios outlined above, Flex can be required to restrict use of the data until the situation is resolved; however, Flex may continue to store the data.  This right is intended as a temporary measure only.

(d)           When data is restricted, Flex may only store the data. 除非有以下情况,否则不得使用:

(i)            the individual consents;

(ii)           its use is necessary in connection with a legal claim; or

(iii)          it is required for public interest reasons.

(e)           The GDPO shall assess whether the right applies, and if it does, shall work with the IT team to restrict the processing of the relevant data.

(f)            Where the data in question is ordinarily processed automatically, the GDPO shall instruct the IT team to put measures in place to isolate or block the data in question.

(g)           The GDPO shall work with the Business Unit that process the personal data to ensure that all relevant staff are aware of the restrictions in place.

(h)           The GDPO, working with the Legal team where necessary, may determine that the restriction no longer applies as the requirements above can no longer be met. 在取消对处理数据的限制之前,GDPO 必须首先通知相关个人。

(i)            Time period

(i)            Flex must respond to a request to restrict processing without undue delay and in any event within one month of receiving the request.

(j)            Record Keeping

(i)            The HR Global Business Services team will maintain complete records of the process and response for each request.

4.6          Right to data portability

(a)           An individual may request that we transfer certain data held about them to the individual or to another entity.

(b)           This right only applies:

(i)            to data which the individual has provided to Flex (and therefore does not apply to data which Flex have created about the individual). 然而,有关个人如何使用产品、服务或设备的信息将被视为由个人“提供”;

(ii)           where the processing of the relevant data was based on the individual's consent or a contract with the individual; and

(iii)          the processing is carried out by automated means.

(c)           If the right applies, Flex must provide the relevant data to the individual in a structured, commonly used and machine readable form. 这意味着 Excel 电子表格、Word 文档或其他常见文本文件。

(d)           The purpose of this right is to enable the information to be used by a third party provider, so this goes further than the right to access.

(e)           If the individual requests that their data is transferred directly to another entity, Flex must do this where it is technically feasible.

(f)            Exemption

(i)            Flex do not have to port the data if to do so would adversely affect the rights of other individuals. 如果要“移植”的信息包含有关第三方个人的信息(如果该信息将用于不同的目的),则适用此规定;

(ii)           Flex do not have to port the data if it would result in our intellectual property rights being infringed or our trade secrets being revealed. 然而,如果可以在不影响这些权利的情况下发布信息,则应以这种方式发布。

(g)           If the GDPO believes an exemption may apply, the GDPO will notify the Legal team and a decision will be made jointly between the GDPO and the Legal team.

(h)           Time period

(i)            Flex must port this information to an individual or another company without undue delay and within one month of receiving the request, at the latest.

(ii)           If the DPO, working with the Legal team where necessary, determine that an exemption applies, the GDPO shall notify the individual making the request without undue delay and within once month with an explanation of the reasons why Flex will not comply with their request.

(i)            Record Keeping

(i)            The HR Global Business Services team will maintain complete records of the process and response for each request.

4.7          Right to object (including to direct marketing)

(a)           An individual may inform us that he/she objects to our processing their personal data.

(b)           This right only applies where Flex are processing the individual's personal data on the basis of its or a third party's legitimate interests (rather than having obtained consent for such processing or such processing being required to provide requested products or services to the individual) and Flex cannot demonstrate that such legitimate interests override the individual's own rights, or that the processing is necessary for Flex's legal rights.

(c)           The GDPO, together with the Legal team (if required), shall assess whether Flex (or a relevant third party) have any continuing legitimate interests which overrides the rights and freedoms of the individual, taking into consideration any specific circumstances, which Flex are aware of, relating to that individual.

(d)           If the GDPO and the Legal team determine that Flex (or the third party) has no continuing overriding legitimate interests, Flex shall cease to process that individual's personal data.  The personal data shall be deleted from the Flex  systems (and third party systems).

(e)           Separately, an individual may request that Flex cease to use their personal data for direct marketing, including for any profiling that Flex undertake in connection with such marketing.

(f)            Upon receipt of a request to cease using personal data for direct marketing, the GDPO shall inform the relevant operational and marketing teams who shall cease using the individual's personal data for marketing as soon as possible and shall cease sending any marketing to that individual. 与营销相关的对该个人进行的所有分析也必须停止。 

(g)           Time period

(i)            We must respond to such requests and, where applicable, cease the relevant processing without undue delay and within one month of receipt of the request.

(h)           Record Keeping

(i)            The HR Global Business Services team will maintain complete records of the process and response for each request.

4.8          Rights where automated decision making takes place

(a)           This right applies where Flex use solely automated means to make a decision that significantly affects an individual. 这可能包括仅基于能力测验或引入的心理测验做出招聘或晋升方面的决定。它也可能适用于我们向用户生成针对性消息的情况,这些消息会为个人调整价格或专门针对弱势群体。

(b)           An individual may inform Flex that he or she objects to a significant decision being made about him or her by us based solely on automated processing.

(c)           Where such a request is received the GDPO, together with the Legal team, shall assess whether an exemption applies.

(d)           Exemptions

(i)            The automated decision is required to enter into, or perform, a contract with the individual.

(ii)           The automated decision is authorised by UK law.

(iii)          Flex have the explicit consent of the individual to make such a decision.

(e)           If such an exemption does not apply, Flex shall not make such a decision based solely on automated means.  Instead, any such decision shall be re-considered by an appropriate member of the relevant team/Business Unit.

(f)            Where an exemption does apply, Flex may continue with such decision but shall:

(i)            ensure the information used to make such information is accurate and up-to-date;

(ii)           consider whether it is reasonable to make the decision without using automated means;

(iii)          allow human intervention into the decision-making process where requested by the individual; and

(iv)          consider any objections to the decision raised by the individual as soon as reasonably possible and, ideally, within the same one month period in which the initial response is required.

(g)           Time period

我们必须在收到请求后一个月内做出答复,并在适用的情况下停止相关处理而不得无故拖延

(h)           Record Keeping

(i)            The HR Global Business Services team will maintain complete records of the process and response for each request.

 


 

ANNEX D - Global Procedure of Raising and Handling Data Privacy Complaints

 

介绍、目的和定义

1.1          Introduction

(a)           Flextronics (Flex) is committed to data privacy and the fair processing of Personal Data, including enabling individuals to exercise the rights in respect of their Personal Data to which they are entitled under our Data Privacy Standards and applicable local data privacy laws.

(b)           Many privacy regimes (including privacy laws of the UK) often grant individuals certain rights in respect of the collection and processing of their Personal Data by organisations. 伟创力致力于尊重和使个人能够行使我们的数据隐私标准和全球数据主体权利政策所规定的这些权利。

(c)           A Data Subject has a right to raise a Data Privacy Complaint relating to any processing of their Personal Data by Flex or a Flex entity.

1.2          Purpose of the Policy

(a)           The purpose of this policy is to set out the procedure which is to be followed by:

(i)            Individuals (Data Subjects) who submit a Data Privacy Complaint; and

(ii)           Flex when a Data Privacy Complaint is received. 

1.3          Definitions

(a)           Data Privacy Complaints: 针对个人或实体的有关数据隐私事务的投诉或担忧,包括有关伟创力或特定伟创力实体不遵守数据隐私标准、任何与数据隐私有关的伟创力政策或适用的数据隐私法律的投诉。

(b)           Business Contact: 任何客户、潜在投资者、股东、供应商、合作伙伴或供应商的业务联系人。

(c)           Data Subject: 由一个或多个伟创力实体处理其个人数据的所有个人,包括现任和前员工、业务联系人和任何其他数据主体。数据主体有权提出与伟创力或伟创力实体对其个人数据的任何处理有关的数据隐私投诉。

(d)           Personal Data: 与被识别或可识别的个人有关的信息,这些个人可以直接或间接地被识别,尤其是通过参考诸如姓名、身份证号码、位置数据、在线标识符之类的标识符,或者参考该自然人的身体、生理、遗传、心理、经济、文化或社会身份所特有的一个或多个因素。示例包括但不限于:

(i)            name, address, Tax Identification Number, Social Security Number, National Identity number, date of birth, personal account numbers, credit/debit card numbers, online banking user names (whether or not used together with passwords);

(ii)           data revealing racial or ethnic origin, political opinions, religious beliefs, union membership status, physical or mental health or condition, sexual life and criminal history.

2              Roles and Responsibilities

角色

责任

数据主体

有权提出数据隐私投诉的个人。

数据隐私联络官 (DPLO)

负责将所有数据隐私投诉上报至 GDPO,以及第 6 节中规定的任务至伟创力全球隐私声明​和规则。向其相关的区域数据隐私官汇报。

区域数据隐私官 (RDPO)

负责执行伟创力全球隐私声明​和规则第 6 节中规定的任务,以及遵守数据隐私标准。向全球数据隐私官汇报。

全球数据隐私官(GDPO 或 DPO)

The Data Protection Officer for the purposes of UK data protection laws. Responsible for tasks as set out in Section 6 of the Flex Global Privacy Policy and Rules and responsible for the network of Regional Data Privacy Officers, Data Privacy Liaison Officers, the development and implementation of the Data Privacy Standards, responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority. 可以将本声明中的任务委托给 RDPO。

 

3              Receipt of a Data Privacy Complaint

3.1          A Data Subject may submit a Data Privacy Complaint by contacting HR Global Business Services (GBS) and  the Global Data Privacy Officer through the following email address: data protection@flex.com.

3.2          Flex, through its Global Business Services (GBS) maintains the above dedicated email address for subjects to submit Data Privacy Complaints. 然而,可以通过任何方式(例如亲自、通过电话、电子邮件、信件或传真)进行数据隐私投诉。伟创力将提供模板投诉表格以协助数据主体,表格副本将在伟创力网站和数据隐私门户上提供。

3.3          Notwithstanding the above, if a Data Subject submits a Data Privacy Complaint through any other written or verbal means, a member of staff who receives such a Data Privacy Complaint will immediately forward that Data Privacy Complaint to the Global Data Privacy Officer using the above email address.

 

4              Complaint Handling Timelines

以下时间段将适用于根据本规程处理的数据隐私投诉。

名称

时间段

描述

确认收到投诉

七 (7) 天内

伟创力将在收到后七 (7) 天内通过电子邮件确认收到各条数据隐私投诉。

索取更多信息

十四 (14) 天内

如果数据主体未能提供足够的信息,则全球数据隐私官可以在收到数据隐私投诉后的十四 (14) 天内要求提供有关投诉的更多信息。

做出决定

不得无故拖延,且无论如何应在一 (1) 个月内做出决定

全球数据隐私官将考虑数据隐私投诉和提供的任何补充信息。GDPO 不得无故拖延,且无论如何应在收到投诉后的一 (1) 个月内做出决定。

如果预期的响应时间有任何延迟,则 GDPO 将在整个过程的所有阶段随时通知数据主体。

如果投诉非常复杂或者数量太多

三 (3) 个月内

考虑到数据隐私投诉的复杂性和数量,做出决定的一个月规定时间最多可以再延长两个月。不得无故拖延做出决定,且无论如何应在收到投诉之日起三 (3) 个月内做出。

GDPO 应在收到投诉后一 (1) 个月内以书面形式通知数据主体。

 

4.1          The Global Data Privacy Officer's decision will be in writing.

4.2          The decision of the Global Data Privacy Officer will contain at least the following information:

(a)           a description of the Data Privacy Complaint,

(b)           a description of the respondent’s response(s), if any, to the Data Privacy Complaint;

(c)           and a statement of the Global Data Privacy Officer's findings and conclusions.

4.3          The Global Data Privacy Officer shall arrange for a copy of the decision to be mailed to the complainant within three business days of the date of the decision.

5              Consequences of the Decision

5.1          In the event that the Data Privacy Complaint is upheld, the Global Data Privacy Officer will make arrangements for appropriate steps to be taken in consultation with the Legal Team, including any compensation to be paid to the Data Subject for material or non-material damages, where appropriate.

5.2          In the event that the Data Privacy Complaint is rejected, or the Data Privacy Complaint is upheld but the Data Subject is not satisfied with the proposed response, the Data Subject will have a right to any of the following:

(a)           raise the issue before the Information Commissioner’s Office;

(b)           raise the issue before the Courts in the jurisdiction of England and Wales. 

6              Complaint Escalation

6.1          When it is determined that a Data Privacy Complaint could pose a risk to Flex or is otherwise significant, it may require escalation to the Chief Compliance Officer.

7              Record Keeping

7.1          All relevant documentation in relation to this procedure must be recorded and maintained by GBS.

7.2          Data Privacy Complaint records shall include a copy of the Data Privacy Complaint and all communications and responses should be retained.

8              Compliance and Audit

8.1          This procedure is subject to periodic risk-based monitoring by the Flex data privacy network and compliance team to ensure that it is effective and remains fit for purpose.  Additionally, it may also be subject to an independent review by the Flex internal audit team.

9              Effect of other Applicable Laws

9.1          If the Data Privacy Complaint concerns the behaviour or conduct of another specifically-identified individual, the Data Privacy Complaint will be handled in accordance with any rights that such individual may have under applicable local law, including (if applicable) the right of that individual to submit a response to the Data Privacy Complaint.

10           Training

10.1        Regional Data Privacy Officers and Data Privacy Liaison Officers will provide training to relevant staff on the procedures set out in this document. 区域数据隐私官和数据隐私联络官可以就识别与处理数据隐私投诉有关的常见问题,对事业部或 GBS 部门进行培训。

11           Administrative Information

(a)           Any questions relating to the interpretation and application of this policy should be addressed to the Global Data Privacy Officer at dataprotection@flex.com

(b)           In the event of any inconsistency between the guidance provided in this policy and the Data Privacy Standards or any other standard, policy or procedure, please consult with the Global Data Privacy Officer.

 


 


 

! function(o, t, e, a) { o._aoForms = o._aoForms || [], o._aoForms.push(a); var n = function() { var o = t.createElement(e); o.src = ("https:" == t.location.protocol ? "https://" : "http://") + "cn-support.flex.com/acton/content/form_embed.js", o.async = !0; for (var a = t.getElementsByTagName(e)[0], n = a.parentNode, c = document.getElementsByTagName("script"), r = !1, s = 0; s < c.length; s++) { if (c[s].getAttribute("src") == o.getAttribute("src")) r = !0; } r ? typeof(_aoFormLoader) != "undefined" ? _aoFormLoader.load({ id: "482592df-d182-4ff0-be56-eebb313261fa:d-0001", accountId: "39314", domain: "cn-support.flex.com", isTemp: false, noStyle: false, prefill: false }) : "" : n.insertBefore(o, a) }; window.attachEvent ? window.attachEvent("onload", n) : window.addEventListener("load", n, !1), n() }(window, document, "script", { id: "482592df-d182-4ff0-be56-eebb313261fa", accountId: "39314", domain: "cn-support.flex.com", isTemp: false, noStyle: false, prefill: false });

您可以点击此处详细了解我们使用 Cookie 的状况和您的选择。单击此页面上的任何链接或单击“好的,我同意”即表示您同意我们设置 Cookie。