TIMKEN HELPLINE DATA PRIVACY NOTICE
The data privacy regulations of some countries require that a person who makes a report containing personal information be notified of certain collection, retention, and processing practices regarding such information. Most of this notice applies globally, but some portions apply only where specifically required by local law, for example, the General Data Protection Regulation 2016/679 (“GDPR”), a regulation of the European Union on data protection and privacy for all individuals within the European Economic Area. Those portions will be identified as only applying as required.
About the Timken Helpline. Use of the Timken Helpline is entirely voluntary. If you are an employee of Timken, you are encouraged to report possible violations or concerns directly to your supervisor or manager, or to a representative of Human Resources, the Legal Department, or the Ethics and Compliance Office, depending on the nature of the possible violation. If you feel that you are unable to do so, you may use the Timken Helpline to make your report.
Please be aware that the information you supply about yourself, your colleagues, or any aspect of Timken’s operations may result in decisions that affect others. Therefore, we ask that you only provide information that you believe is true. You will not be subject to retaliation from Timken for any report of a suspected violation or concern that is made in good faith, even if it later turns out to be factually incorrect. Please be aware, however, that knowingly providing false or misleading information will not be tolerated.
In certain countries, Timken may only accept reports through the Timken Helpline that relate to certain matters, such as financial, accounting, auditing, and bribery. If your concern pertains to a matter that, under local law, may not be accepted by Timken through the Timken Helpline, you may report the matter to your supervisor or local management or to a representative of Human Resources, the Legal Department, or the Ethics and Compliance Office.
Who collects the information? The Timken Helpline is a confidential telephone and online reporting system provided by The Timken Company and its affiliates (“Timken”) to allow reporting of suspected violations of laws, regulations, or company policies. The Timken Company is the controller for purposes of data privacy laws. The Timken Helpline is operated on a platform owned by NAVEX, Inc. (“NAVEX”), 5500 Meadows Road, Suite 500, Lake Oswego, OR 97035, USA.
What information is collected? The Timken Helpline captures the following information that you provide when using the system: (i) your name and contact details (unless you report anonymously) and whether you are employed by Timken; (ii) the name and other personal information of the persons you name in your report if you provide such information, such as description of such persons’ job functions and contact details; and (iii) your description of the alleged misconduct or description of the circumstances of the incident.
Who will have access to the information? The information you provide will be stored in a database located on servers hosted and operated in the United States by NAVEX. NAVEX has entered into contractual commitments with Timken to secure the personal information you provide in accordance with applicable law. NAVEX is committed to maintaining stringent privacy and security practices including those related to notice, choice, onward transfer, security, data integrity, access, and enforcement. You may want to review NAVEX’s Privacy Notice.
Timken will evaluate the information you provide, may conduct investigations, and may take corrective actions where appropriate. The personal information you provide may be accessed, processed, and used by the relevant personnel of Timken involved in such evaluations, investigations and actions, including Human Resources, Finance, Internal Audit, Legal, and Ethics and Compliance, and management, by external advisors (e.g. legal advisors), and in limited circumstances by technical staff at NAVEX. We make every reasonable effort to safeguard the confidentiality of your information. However, in some cases, we may determine that it is necessary to disclose your report (other than your identity) to a person identified in the report. The individuals listed above may be located in the United States, the United Kingdom, or elsewhere. Some of these countries, such as the United States, have not been determined by the European Commission to provide an adequate level of data protection, whether by the country’s domestic legislation or by the international commitments it has entered into.
The information you provide will be treated confidentially except in cases where this is not possible because of legal requirements or in order to conduct the investigation, in which case the information will be handled sensitively. While you may choose to remain anonymous if local law allows, we encourage you to identify yourself in order for us to follow up with questions we may have. Even if you choose to report anonymously, however, the circumstances of the incident that we investigate could possibly identify you, although we take every reasonable effort to avoid that.
Personal information you provide may also be disclosed to police and other enforcement or regulatory authorities. The relevant bodies that receive and process personal information could be located in the United States or in another country.
What is the legal basis for our processing of the information? There can be several legal bases for our use of the personal information you provide. Initially, our use may be based on your consent. You may revoke your consent, but if you do, our legitimate interests (investigating allegations of wrongdoing) or legal requirements could allow or require us to continue to use that information for certain purposes.
How do we protect the information? Timken has implemented an information security program that includes physical, technical and organizational measures designed to protect your personal information from unauthorized disclosure or access, unlawful processing, and accidental or unlawful loss, destruction or alteration. This includes technical and organizational measures, such as policies, designed to limit access to the information.
The personal information you provide will be kept as long as necessary to process your report, or, if applicable, as long as necessary to initiate sanctions or to meet Timken’s legal or financial needs.
What are your rights under the GDPR? This part of the Notice applies where GDPR applies. You have a number of rights, which are subject to certain conditions and exemptions under the GDPR and its local implementing laws. These rights include the right to:
You also have the right to object, on grounds relating to your particular situation, to the processing of your personal information if we are relying on legitimate interests (ours or those of a third party), subject to the conditions of the GDPR.
You will not usually have to pay a fee to access your personal information or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise any of these rights, please use the contact details set out below.
We strive to process your personal information in accordance with the applicable legal obligations, but if you have a complaint in that regard, please address your complaint using the contact details set out below.
If you are a data subject under GDPR, you also have the right to lodge a complaint with a supervisory authority if you are dissatisfied with how we handle your personal information and we could not provide you with a satisfactory resolution to your request.
How can you contact us? You may contact the Timken Ethics and Compliance Office at ethics@timken.com with any questions relating to the Timken Helpline. If you have any questions about this notice, or if you want to make any request relating to the access, use, transfer, correction, or deletion of any of your personal information stored by this service, or to revoke consent prospectively to continued processing, you may contact Timken’s Data Privacy Office using this information:
The Timken Company
Data Privacy Office/Legal
4500 Mount Pleasant Street NW
North Canton, Ohio 44720 USA
+1 234.262.2207