Data Protection & Privacy Notice
1. General
This Service is a web and phone-based system provided by Primo Water Corporation (“Primo Water”, “we” or “us”) to our Personnel, and the Personnel of our business partners (together, “Reporters” or “you”) for reporting suspected violations of laws or regulations, or company policies related to financial, accounting, auditing and bribery matters.
2. Legal basis for Processing
Use of this service is entirely voluntary. You are encouraged to report possible violations directly to your supervisor or manager and/or a representative from the Human Resources, Legal, or Compliance departments, depending on the nature of the possible violation. If you feel that you are unable to do so, you may use this Service to make your report.
In Processing your Personal Data in connection with the purposes set out in this Notice, we may rely on one or more of the following legal bases:
- the Processing is required by applicable law;
- the Processing is required in order to establish, exercise or defend legal rights;
- the Processing is necessary to protect the vital interests of any individual, to the extent applicable; or
- we have a legitimate interest in carrying out the Processing, which is not overridden by the interests, fundamental rights, or freedoms of any individual. Where we rely on this legal basis, our legitimate interests are: (i) accounting (including internal accounting controls); (ii) auditing and reporting; and (iii) combatting bribery, banking and financial crime or, insider trading.
3. Use of This Service
Use of this Service is entirely voluntary. You are encouraged to report possible violations directly to your supervisor or manager and/or a representative from the Human Resources, Legal, or Compliance departments, depending on the nature of the possible violation. If you feel that you are unable to do so, you may use this Service to make your report.
4. Categories of Personal Data
This Service captures the following Personal Data and other information that may be shared by you: (i) your name and your contact details, when provided, and whether you are employed or engaged by us, by any of our subsidiaries, or by a business partner; (ii) the name and other Personal Data of the persons you name in your report if you provide such information (i.e., a description of functions and contact details); and (iii) a description of the alleged misconduct as well as a description of the circumstances of the relevant incident(s). Note that depending upon the laws of the country in which you work, it may not be possible to make the report anonymously; however, your personal information will be treated confidentially and will only be disclosed as set out below.
5. Collection and storage of Personal Data
The Personal Data and other information you provide are stored in a database which is located on servers hosted and operated by NAVEX in the United States. Our contracts with NAVEX legally oblige NAVEX to ensure that any Personal Data or other information transferred from any country to the United States is protected to the standards expected under all applicable privacy laws. Further details of international transfers of Personal Data are set out in Section 6 below.
6. Disclosure and international transfer of Personal Data
The Personal Data and other information you provide may also be disclosed to: (i) law enforcement and/or other enforcement or regulatory authorities if required by law; and (ii) third party investigators, advisors, and service providers, subject to suitable contractual safeguards in accordance with applicable law.
The third parties to whom we may disclose such Personal Data may be located in the US or in another country that may not provide a level of data protection as available in your country. We will ensure that any personal information transferred from any country to the United States is protected to the standards expected under applicable privacy laws. When we transfer Personal Data out of the European Economic Area we will make those transfers on the basis of [EU Standard Contractual Clauses]. A copy can be requested using the contact details provided in Section 10 below.
7. Data retention
The Personal Data and other information you provide will be kept as long as necessary to: (i) process your report and complete any necessary internal investigations; (ii) apply any appropriate disciplinary measures; (iii) satisfy our legal obligations under applicable law; (iv) participate in any legal or regulatory investigations and/or legal or regulatory proceedings; and (v) establish, exercise and defend legal rights, including retaining Personal Data for the duration of the applicable retention period. Once these periods have all expired, the Personal Data and/or information you provide will be deleted within a limited timeframe, in accordance with applicable law.
8. Rights of Report Subjects and Reporters
Primo Water will promptly notify any person who is the subject matter of a report to this Service, where required by applicable law, except where such notice needs to be delayed to ensure preservation of relevant information, or to satisfy our obligations under applicable law.
9. Special Country Regulations
In many countries, reports can only be made relating to bribery, financial, accounting, auditing, or similar issues. Further, some countries restrict reports such that only Personnel in key roles or management functions may be reported upon.
In some countries, anonymous reports may not be permitted under the law save under extremely restrictive circumstances.
If you work in a country that has these restrictions, you will be limited to reporting only allowable issue types and/or prevented from anonymous reporting. If you are located in a country that limits who you may report upon, you will be presented with a reminder of this fact.
10. Contact details
If you have any comments, questions or concerns about any of the information in this Notice, or any other issues relating to the Processing of Personal Data by Primo Water, please email the Compliance Director at internalaudit@primowater.com and include your contact details.
11. Definitions
‘Controller’ means the entity that decides how and why Personal Data is Processed. In many situations, the Controller has primary responsibility for complying with applicable data protection laws.
‘Primo Water’ means Primo Water Corporation, together with its subsidiaries and affiliates.
‘Data Protection Authority’ means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.
‘Personal Data’ means information that is about any individual, or from which any individual is identifiable.
‘Personnel’ means any current, former or prospective employee, consultant, temporary worker, intern, other non-permanent employee, contractor, secondee, or other personnel.
‘Process’, ‘Processing’ or ‘Processed’ means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
‘Processor’ means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller).
‘Service’ means the web and phone-based reporting service provided by NAVEX, to which this Notice relates.