Stefanini, Inc. (U.S.-based Entity) participates in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks. To learn more see: Stefanini, the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks

From time to time, the Employee (also referred to as the “Data Subject(s)”) will provide to its employing Stefanini entity (hereinafter referred to as the "Company") and/or to its parent company or affiliated entities (altogether with Stefanini International Holdings, Ltd. hereinafter referred to as the "Stefanini Group") and the Company and/or the Stefanini Group will collect, generate and process Personal Data relating to the Data Subject, subject to the following.

This Employee Privacy Notice describes how and for what purposes Personal Data relating to the Data Subject are processed in the context of the Stefanini Group. It supplements – but does not replace and is without prejudice to – any specific local notices, policies or procedures that have been distributed to or agreed on by the Data Subject, if any, or that may be implemented in the future.

This privacy notice covers the following entities of the Stefanini group, and employees attached to those entities.  Where approriate, the entity would act as Data Controller as defined by the applicable regulation:

What is a Data Controller? Under the General Data Protection Regulation (GDPR), a data controller is defined as the organization that determines the purposes and means of processing personal data. This entity decides how and why data is processed, making it responsible for ensuring that all processing activities comply with the law.

Stefanini as Data Controller: The employing entity within Stefanini acts as the data controller for the personal data of its employees. This means that Stefanini determines how your personal data is used in the context of your employment, from hiring and payroll processing to performance management and regulatory compliance.

Responsibilities as Data Controller: As the data controller, Stefanini is committed to protecting the privacy and security of its employees' personal data. We ensure that data processing is:

• Lawful, fair, and transparent.
• Collected for specified, explicit, and legitimate purposes.
• Limited to what is necessary in relation to the purposes for which it is processed.
• Accurate and kept up to date.
• Stored securely and protected against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Stefanini’s role as your data controller includes not only adhering to these principles but also facilitating your rights under various privacy regulations, including EU GDPR, Brazil's LGPD, and similar. These rights include accessing your data, correcting inaccuracies, and in some cases, requesting the deletion of data that is no longer necessary for the purposes for which it was collected.

To the extent permitted and legitimate under applicable law, Personal Data may include, among others, data relating to the Data Subject's name; birth date and place; address; home and professional contact details; e-mail address and other electronic identification details (e.g. IP-address, cookies, etc.); biometrical identification data; gender; family; bank details; fiscal and social security data; citizenship, passport, visa data; military status; driving license; photographs; video and audio records; business expenses; systems and facility security data; education; training; membership(s); relevant dates (e.g. entry, seniority dates, exit); position; job responsibilities; status (e.g. temporary, full-time, part-time, etc.); privileges; competency and performance evaluation; preferences and/or dislikes (e.g. possible jobs, locations, etc.); potential rating; wages; benefits; insurances; stocks options; social security or equivalent number; business travels; work product; performance; tasks; work schedule; absence details (e.g. sickness, holiday leave, maternity leave, parental leave, etc.); attendances; overtime; substitutions; availability; company identification number; user name and password; use of the Company's assets, facilities, properties and systems, notably computer and telecommunication systems, including, to the extent not prohibited by the applicable law, the logs and contents generated by such use; any professional data, files, documents or communications, whether electronic or not, created, sent, received, accessed or stored by the Data Subject in such capacity; information collected in the frame of internal reporting procedures or investigations (as the case may arise); as well as, as the case may arise, the history of all those data as of the date of entry.

Personal Data may also include, to the extent permitted by applicable law, sensitive data such as health-related data, trade union membership and judicial data.

The Company will not collect neither process any Personal Data, and particularly sensitive data, in a manner prohibited by local law.

Personal information about dependents and related persons

If a Data Subject provides the Company or the Stefanini Group with Personal Data about dependents and/or related persons (e.g., for benefits administration and/or emergency contact purposes), it is that Data Subject's responsibility to inform such individuals about the processing of their data by the Company and/or the Stefanini Group for the purposes and in the manner described in this Notice, about their rights of access, rectification and deletion in accordance with applicable law, as well as to obtain their consent, where necessary, to the processing (including the transfer to countries that may not adduce the same level of protection of Personal Data as in their home country) of their Personal Data as set out in this Data Subject Data Protection Information Notice.

The Company collects, uses, discloses, and otherwise processes the Data Subject's Personal Data for the following purposes, to the extent permitted and legitimate under applicable law:

1. To provide human resource management reports and information to the Company and/or the Stefanini Group's local, regional and global management, including any relevant information to potential acquirers, partners, and/or investors with respect to whole or part of the Stefanini Group;
2. To better meet the Company and/or the Stefanini Group's human resource needs and to enhance the Company and/or the Stefanini Group's human resource planning;
3. To administer and analyze in a consistent manner compensation and reward mechanisms (including administration, evaluating and awarding options);
4. To design, evaluate, and administer compensation, benefits, and other human resources programs (such as salary, bonuses, stock options, pensions, medical benefits, insurance policies, expense reimbursements, travel expenses and reimbursement, vacation and leave of absence or other leave entitlements); this may include the processing of data related to past Data Subjects, as well as dependents, relatives, or others as appropriate for benefit plans, insurance policies, or emergency contact details;
5. To facilitate leave entitlements;
6. To provide payroll, tax and social security systems with data necessary to generate payments to Data Subjects and to ensure accurate compliance with governmental reporting requirements;
7. To track Data Subjects' performance, skills and competencies in order to better develop the Company and/or the Stefanini Group's workforce;
8. To monitor the use by Data Subjects of the Company's and/or Stefanini Group's assets, facilities, systems and properties, as well as to monitor other activities, to the fullest extent permitted by applicable law;
9. To record, review and use the Data Subject's work products;
10. To support any claim or defense before any jurisdictional, police, and/or administrative authority, arbitration or mediation panel as well as to track and deter moral and sexual harassment, discrimination and criminal offences ;
11. To support any claim or defense that the Company or any entity of the Stefanini Group could face before any jurisdictional, and/or administrative authority, arbitration or mediation panel and to cooperate with – or to inform – law enforcement or regulatory authorities to the extent required by law or justified by the Company's or the Stefanini Group's interests;
12. For efficient attorney review discovery in case of any claim or dispute involving the Company or the Stefanini Group;
13. To establish and publish internal and external registers, as well as any publications, including of a promotional nature, such as who's who registers and directories, to develop good working relationship ;
14. To design, evaluate, and implement employment-related education and training programs;
15. To maintain or improve workplace and Data Subject safety, health, and security, including ensuring a safe workplace environment (e.g., controlling access, deterring harassment, and improving premises security and overall safety);
16. To conduct auditing, accounting, financial, and economic analyses;
17. To facilitate business communications, negotiations, transactions, conferences, travel (including travel planning), and compliance with contractual and legal obligations;
18. To facilitate and provide services for the relocation and movement of Data Subjects and family members, locally and internationally;
19. To facilitate, monitor, and improve compliance with diversity objectives and requirements in accordance with applicable law;
20. To protect company assets (including information systems support, firewall monitoring and anti- spam and virus protection) and confirming compliance with company policies and procedures, including in connection with internal reporting procedures and investigations, through, notably,
    1. the monitoring or review of professional e-mails, communications, or information on company systems to the extent permitted by applicable law and applicable company policies and procedures,
    2. the back-up or storage of information on company laptops or other company systems,
    3. the authentication of the identity of Data Subjects and the implementation of security measures and
    4. the implementation of internal reporting procedures in accordance with applicable law;
21. To conduct internal investigations and to take disciplinary actions and other remedies, as the case may arise;
22. To prepare for, facilitate, execute, or otherwise support any transaction or potential transaction involving all or a portion of the business of the Company or the Stefanini Group;
23. To facilitate the Company's and/or the Group's compliance with their legal obligations; and
24. To implement human resources solutions at the Company's or the Stefanini Group's level in order to achieve all the above-listed purposes.

More in detail the following purposes are described:

Recruitment

1. Recruitment by the Employer, through internal, as well as external procedures, by collaborating with specialized recruitment companies, respectively by accessing social networks specialized in the creation of professional profiles.
2. Stefanini is integrating employee data from NA, APAC, and EMEA into the Vitrine system, enhancing our internal relocation process. This includes details like name, position, contact information, work modality, and employment status.   Data access is limited to Stefanini's technical team, Business Partners, Managers, Platform Administrators, and Recruiters. Access is role-dependent, with:
   1. Business Partners and Managers managing employee relocation data,
   2. Platform Administrators overseeing platform access,
   3. Recruiters using data to facilitate internal relocations.

Performance of the Contract

1. The fulfillment by the Employer of all administrative, fiscal and organizational processes related to the conclusion, performance or cessation of an Employment Contract, if one has been used.
2. The fulfillment by the Employer of its obligations to pay any amounts owed to the Employee, including any tax obligations under the applicable law
3. The management of the operations of payment of any amounts owed to the Employee, in particular the performance of the obligations related to the payment of the salary, of any benefits, bonuses, premiums, compensations, awards, compensation, including the organization and performance of payment operations, as well as of the amounts owed by the Employee to third parties (public authorities or private individuals, such as in case of garnishments);
4. The conclusion of confidentiality agreements or of any agreements subsequent to the conclusion of the Employment Contract, if one has been used.

Management of the employment relationships

1. Organizing and managing the Employee's business trips, including making arrangements for transportation and accommodation;
2. Disclosure of the Employee's personal data to third parties for the purpose of carrying out the object of activity of the Employer, including transfer to other entities in the group of companies to which the Employer belongs. For purposes of the EU General Data Protection Regulation, this may include transfers outside the European Union/European Economic Area,
3. Managing and organizing the internal and/or corporate events of the Employer;
4. Managing the internal systems of the Employer, such as information requested by clients or personnel reward systems;
5. Providing tools and/or facilities that enable or facilitate the performance of work-related tasks, including the supply of professional training sessions, access to any electronic devices, software, applications and accounts developed by the Employer;
6. Administrative and support processes related to the processing of claims for reimbursement and expenses, medical insurance, access to sports facilities;
7. Managing corporate social responsibility projects;
8. Networking in order to maintain the relationship with clients.

Professional assessment

1. Ongoing professional assessment of the Employee (providing feedback, managing professional development opportunities, performance assessment, creating a common vision of career advancement, consultancy on any aspect of human resource management);
2. Assessment of the Employee for disciplinary actions as a result of ethics violations by the Employer, if and when applicable, in the cases provided for by the Employment Contract, if one has been used, and the applicable law;
3. Organization of training sessions, seminars, conferences, courses and traineeships for the personnel, including by co-opting external suppliers;
4. Filling-in Employer's internal questionnaires on job satisfaction;
5. Conducting analyses and researches for the planning and management of human resources, conducting the review, development, optimization and improvement of work-related practices, of the environment and of productivity;
6. Recording professional conversations received and performed through specialized applications for the client interface, applications to which the Employee connects by means of user ID and password, according to his/her duties, subject to local restrictions;
7. Monitoring Information and Communication Technologies (ICT) applications and services in order to determine the method of using the Employer's applications and to comply with performance and discipline indicators applicable for the client interface, applications to which the Employee connects by means of user ID and password, according to his/her duties.

Security

1. Issuing to the Employee access cards at the Employer's headquarters and premises;
2. Ensuring the Employee's secure access to applications, databases, confidential information, client's personal data, trade secrets, know-how;
3. Monitoring the ICT security events captured by the Employer's devices required in order to protect and secure the Employer's activity and the personal data processed by it, strictly with regard to the professional content of those devices, in relation to which the Employee is at the same time reminded that there should be no [such data] on devices considered as working tools, which belong solely to the Employer (until any transfer into the Employee's personal property) – e.g. the laptop or desktop system provided by the Employer, the company car and the GPS system mounted on it (only during work hours, during service);
4. For security reasons, filming the Employee by means of a video surveillance system (CCTV) installed in the Employer's premises, respectively in the access and entrance areas of the premises belonging to the Employer, with the exclusion of any areas where the installation of such devices is prohibited by law (e.g. changing rooms, shower rooms, toilets, etc.);
5. Checking and/or monitoring any software and/or hardware installed by the Employee without authorization from the Employer on the devices made available to the Employee, for reasons of protection, security and compliance with intellectual property legislation;
6. Protecting the property of the Employer and of the Employer's clients.

Surveillance

1. Accessing mail from the professional e-mail, its use for any personal purposes being prohibited, according to the company's internal policies, if and when applicable, in order to ensure the continuity of activity (in case of leaving the company or of periods of absence of the persons managing the clients' projects or portfolios, whose history is preserved and regarding whom the account management requirements impose the analysis of the correspondence and its transfer from one account manager to another.) This means that there will not be an active and ongoing monitoring of the correspondence by e-mail, but only a punctual one (e.g. in the case of claims, complaints, notifications), strictly with regard to the professional content of such correspondence, in relation to which the Employee is at the same time reminded that there should be no [personal data] in professional e-mails.

Sharing and Processing of Professional Personal Data with customers, in service delivery systems, in AI and in the course of audits.  

At Stefanini, we may share professional personal data of our employees with clients for contractual, quality, analytics or audit purposes. This includes details necessary to fulfill our contractual obligations and to demonstrate compliance with client requirements during audits. Such sharing is based on the legitimate interests of Stefanini to maintain trusted business relationships and ensure high-quality service delivery.

1. Agent Data Sharing and Processing: In addition to employees, information about our agents' work for clients may be shared for contractual reasons, to ensure quality, and for audit purposes. This helps us meet client expectations and adhere to quality standards, aligning with Stefanini’s legitimate interests.
2. Data Usage in Systems and Tools: Professional data of agents may also be processed in various operational systems. This includes:
   1. Telephony Systems: Where calls are managed and routed.
   2. Service Management Services: For handling and resolving client tickets and requests.
   3. AI Tools: Used for enhancing customer service through automated responses and support.
   4. Ticket Analysis: To improve service delivery and client satisfaction.
3. Purpose and Compliance: The use of these systems and tools is crucial for providing efficient and effective services to our clients. All data processing activities are conducted in compliance with applicable data protection laws, ensuring the security and integrity of personal data while supporting Stefanini's operational needs.  

By using this data in a controlled and lawful manner, Stefanini aims to enhance service quality, fulfill contractual obligations, and achieve compliance with client and regulatory requirements, all of which constitute our legitimate interests. Employees and agents are informed of these practices, which are detailed further in our internal privacy policies and procedures.

Monitoring of office presence

In our efforts to ensure a secure, safe, and compliant work environment, we process personal data as follows:

1. Monitoring Company Assets and Facilities: We monitor the use by Data Subjects of the Company's and/or Stefanini Group's assets, facilities, systems, and properties to the fullest extent permitted by applicable law. This includes:
   1. Access Control Monitoring: We track the usage of building access cards to manage office presence, which helps in maintaining workplace safety and security. This monitoring is crucial for:
   2. Ensuring that only authorized personnel access specific premises and facilities.
   3. Protecting against unauthorized access that could lead to harm or loss to company assets or jeopardize the safety of our employees.
   4. Supporting administrative and safety procedures in case of emergencies or security incidents.
2. Workplace Safety and Security: We maintain or improve workplace and Data Subject safety, health, and security, including ensuring a safe workplace environment. This involves:
   1. Controlling access to ensure that only authorized individuals enter secure areas, thereby deterring harassment and other security threats.
   2. Implementing measures to improve the security of premises and overall safety for all employees and visitors.
3. Compliance and Policy Enforcement: We protect company assets and confirm compliance with company policies and procedures, including in connection with internal reporting procedures and investigations. This is carried out through:
   1. Monitoring or review of professional emails, communications, or information on company systems to the extent permitted by applicable law and company policies.
   2. The back-up or storage of information on company laptops or other company systems.
   3. Authentication of the identity of Data Subjects and implementation of security measures.
   4. The execution of internal reporting procedures in accordance with applicable laws.

Compliance with mandatory legal requirements

1. Conducting internal investigations concerning any notifications and complaints related to possible acts of fraud, theft or destruction committed in the Employer's premises, and respectively, informing the competent authorities about the outcome of such investigations;
2. Compliance with any applicable rules, laws and regulations, codes or practices or directives or assistance in law enforcement or in the investigations carried out by the relevant authorities (regulatory bodies, tax and financial authorities, carrying out audit, surveillance and investigation activities).

The Employer shall not process the Employee’s Personal Data in any other form, unless such processing is necessary

1. for the performance of the Contract,
2. in order to ensure compliance with the legal requirements and regulations applicable to employment relationships, or
3. in order to protect the legitimate interests of the Employer by complying with the provisions of this Employee Privacy Notice .

Except for the case mentioned at (9) above, the enumeration in the paragraph above is not limitative but exemplary, but the Employee shall be informed about the new purposes for which processing is required.

At Stefanini, we employ artificial intelligence (AI) technologies to enhance our operational efficiency and decision-making processes. AI helps us streamline various internal functions, ensuring that our employees benefit from improved and personalized services. This section outlines how we use AI to process employee data for legitimate business purposes:

1. Talent Management and Development: AI algorithms analyze employee performance data and training needs to recommend personalized career development plans and identify potential candidates for internal promotions or relocations.
2. Workforce Optimization: By predicting staffing needs and analyzing work patterns, AI supports us in optimizing workforce allocations and improving workload management across departments.
3. HR Analytics: AI is used to analyze trends in employee engagement, satisfaction levels, and retention rates, helping us improve HR policies and create a better workplace environment.
4. Employee Assistance Programs: AI-driven platforms provide support for mental health, work-life balance, and other personal issues, offering timely interventions based on the analysis of employee inputs and feedback.
5. Recruitment Processes: AI enhances our recruitment efforts by automating the screening of applications to match job seekers with suitable positions, based on their skills and experience.
6. Compliance Monitoring: We use AI to ensure compliance with labor laws and company policies by continuously monitoring and analyzing employee data to detect any deviations or potential issues that require attention.  

The Employee's Personal Data will be processed by the Employer, as appropriate, on the basis of:

The Employer's legitimate interests for the purposes indicated in points. A balancing test has been conducted to ensure that the interests of the data subjects do not override the legitimate interests pursued by the company:

• Recruitment
• Management of the employment relationships
• Professional assessment
• Security
• Monitoring of office presence - The processing activities for monitoring building access are based on the legitimate interests of the company to ensure security and operational continuity, as per Article 6(1)(f) of the GDPR.

The need to perform the Employment Contract, if one has been used, as agreed by the Parties at the date of its conclusion for the purposes indicated in points:

• Performance of the Contract
• Management of the employment relationships
• Professional assessment
• Surveillance

A legal obligation, for the purposes indicated in points:

• Compliance with mandatory legal requirements.

Data relating to the Data Subject's health, Data Subject's trade union membership, as well as the Data Subject's social security, national registry or equivalent number shall be exclusively processed as necessary for the purpose of carrying out the Company's specific obligations and rights in the field of employment law or as otherwise authorized by applicable law. Judicial data shall only be processed as necessary for the management of the Company's own litigations.

The Data Subject will be entitled to object at any time and free of charge against the use of their Personal Data for direct marketing purpose, as the case may arise.

For the purposes listed above or where required by law, the Company may need to make the Data Subject's Personal Data available to

1. its parent company, affiliated entities, branches, or the Stefanini Group in general;
2. advisors, health plan advisors; attorneys; accountants; banks; insurance companies; travel agencies;
3. payroll administrators or other external data processors;
4. potential or existing investors and acquirers; 
5. administrative authorities, courts, law enforcement and/or regulatory authorities, arbitrators, experts, adverse parties and/or their advisors;

For purposes of the EU General Data Protection Regulation, this may include recipients located inside or outside the European Economic Area ("EEA"), including in countries which do not adduce the same level of protection of Personal Data as in the EEA.

The Data Subjects' Personal Data may notably be transferred to – and further processed by –Stefanini and its subsidiaries for the following purposes:

• Workflow management, such as assigning, managing, and administering operational tasks and projects;
• Human resources administration and planning;
• Compensation, including stock plan administration, compensation analysis, and benchmarking;
• Payroll processing;
• Conduct day-to-day business operations;
• Managing and accessing the Active Directory; including providing directories and tools facilitating and improving communications within the Stefanini group;
• IT helpdesk and support services; and
• Compliance with applicable legislations, and, to the extent permitted by law, Stefanini's internal policies.

As necessary in connection with these purposes, limited members of the Human Resources department, the Finance department, the ICT department, and senior executive company managers may access and otherwise process the Data Subject's Personal Data in connection with their job responsibilities. Stefanini takes appropriate steps to ensure that such personnel are bound to duties of confidentiality with respect to the Data Subject's Personal Data.

Additionally, Data Subject's Personal Data may be gathered in a global database (such as a HR management system or software solution) accessible by the Company and/or relevant affiliates of the Group, again for the purposes listed above.

In order to allow and facilitate communication and interaction between Data Subjects by e-mail, fax, phone or other electronic communication means, Stefanini and all affiliates of the Group process and transfer Data Subject's name, title and contact details and picture (where permitted by applicable law) in global directories accessible by all Data Subjects worldwide.

With respect to the EU General Data Protection Regulation and EU Data Subjects:

• Since the United States of America and other non-EEA countries where Stefanini entities are located do not provide the same level of protection of Personal Data as in the European Economic Area (EEA), in order to provide adequate protection for such data transfers, the Company has either:
  • Entered into a data transfer agreement conforming to the EU Commission Standard Contractual Clauses for the transfer of Personal Data to third countries (as per EU Commission Decision 2004/915/EC) with Stefanini U.S. and other non-EEA Stefanini entities in countries not recognized as providing the same level of protection of Personal Data as in the EEA.
  • Established Binding Corporate Rules between the entities of Stefanini.
  • Conformed to the adequacy agreements established between the European Union and various countries to ensure the adequacy of protection (e.g. EU-US Data Privacy Framework).

The Company may also disclose Data Subjects' Personal Data to third party service providers, notably in connection with finance, accounting or other administrative functions (e.g., human resources and payroll- related tasks), information technology support (e.g., software maintenance and data hosting) and human resources support (e.g., benefits, training). Some such third party service providers may be located in territories outside of the EEA that do not provide a level of protection to personal information equivalent to that provided in the Data Subject's home country.

The Company will

1. exercise appropriate due diligence in the selection of such third party service providers, and
2. require via appropriate contractual measures that such third party service providers maintain adequate technical and organizational security measures to safeguard the Data Subject's personal information, and process the Data Subject's personal information only as instructed by the Company and/or the Stefanini Group and for no other purposes.

With respect to the EU General Data Protection Regulation and EU Data Subjects:

Any transfer of Personal Data to one of the above recipients located in a country outside the EEA not recognized as providing the same level of protection of Personal Data as in the EEA, will be made on the basis of a data transfer agreement conforming to the EU Commission Standard Contractual Clauses for the transfer of data to third countries, or (iii) another data transfer mechanism in accordance with applicable data protection laws.

Lastly, the Company cannot exclude that in case the Company has the legal obligation or the legitimate interest to disclose personal information of the Data Subject to any court, administrative, police, law enforcement or regulatory authority, the decision of the said authorities refer to or include Personal Data of the Data Subject and be made publicly available.

The Employee's Personal Data will be transferred by the Employer to the Affiliates. For strictly determined purposes, justified by legal obligations (e.g. in the case of certain delegations or assignments of the Employee), or by the need to carry out the Employer's activity. 

In addition, the Employee's Personal Data will be transferred for the purpose of rendering services exclusively related to the performance of the Employment Contract, if one is used, to the following sub-processors and/or recipients:

• Payment and financial institutions for the provision of banking and payment services;
• Companies specializing in personnel management for the provision of recruitment and payroll services;
• Licensed insurance companies or medical service providers for the provision of medical services;
• Licensed travel and transport service providers, including taxi services, for the provision of travel and accommodation services;
• Companies specialized in organizing events for the provision of services related to the organization of corporate events;
• Licensed trainers for the provision of courses and trainings;
• Developers of technologies and software applications to provide working tools for employees;
• Public authorities with competencies in fulfilling reporting and investigation obligations under the law;
• Labor or social inspection organized by the government or any other inspection by a governmental authority for reporting purposes;
• Law courts or criminal investigation bodies in judicial or extrajudicial proceedings for the investigation or settlement of complaints or disputes directly related to the status of Employees, even after the cessation thereof, within the prescription periods of such procedures, or disputes that might arise in connection with such status;
• The business partners of the Employer or its clients (including prospective ones), in the relationships with them that are directly managed by the Employee as an account manager/contact person and in whose favor the Employee provides any kind of activity/service, based on his labor contract concluded with the Employer etc.;
• Providers of services relating to occupational safety;
• Providers of consultancy services for the recovery of social contributions and taxes;
• Public authorities with competencies in the field of employment relations and of occupational health and safety.
• Service providers which provide postal, courier or logistics services for the distribution of goods or communications in the contract of the employment relationship

For a list of common sub-processors, please see the Sub-Processor tab.

The Data Subject and his/her dependents and/or related persons whose Personal Data are held by Stefanini, if the case arises, are entitled to access the Personal Data held about him/her or them, to have inaccurate data corrected or removed, and to object against the use of his/her or their Personal Data for legitimate reasons (including, as the case may arise, the right to object, at any time and for free, to the processing of their data for direct marketing purposes). To that effect, the Data Subject and his/her dependents, if the case arises, may contact the HR Department of the Company.

With respect to the Data Subjects of the European Union, the United Kingdom (and Gibraltar), or Switzerland:

• The provisions of this Privacy Notice shall take into account the Personal Data Protection Laws and Regulations of the country in which you reside. Throughout the duration of the Employee Privacy Notice, any amendment to the Personal Data Protection Laws and Regulations shall apply as of the date of entry into force of the statutory provision, without regard to any prior notice between the Parties.

Employee's rights. If you are a citizen or resident of the European Union, the United Kingdom (and Gibraltar), or Switzerland, Personal Data Protection Laws and Regulations apply, providing you the following rights:

• The right of access, i.e. the Employee's right to obtain from the Employer the confirmation that the Personal Data belonging to him/her are being processed or not and information regarding the purpose of the processing, the categories of Personal Data concerned, the recipients and the categories of recipients to whom the Personal Data and guarantees related to such disclosure have been or will be disclosed, in particular in the case of recipients from third-party countries or international organizations, the period provided for the storage of the Personal Data, information regarding the rectification, deletion, restriction and objections related to the Personal Data belonging to him/her and the existence of an automatic decision-making mechanism, including the making of the profile;
• The right to rectification, if the Personal Data are inaccurate or incomplete;
• The right of opposition, for cases where the processing is based on the Employee's consent;
• The right to erasure ("right to be forgotten") if the Personal Data are no longer necessary for the purposes it was collected, the Employee withdraws his/her consent (for those areas using consent) and there are no other legal grounds for processing, the Employee opposes the processing and there are no other legitimate reasons for processing, the Personal Data have been processed illegally or must be erased in order to comply with a legal obligation of the Employee;
• The right to restrict the processing if the accuracy of the Personal Data is challenged by the Employee, the processing of Personal Data is illegal and the Employee opposes the erasure of the Personal Data, the Employer no longer needs the Personal Data for the purposes of collection, but they are requested by the Employee for the establishment, exercise or defense of a legal claim, the Employee opposes the processing while waiting for the response if the Employer's legitimate interest is superior to the Employee's interest;
• The right of portability, i.e., the right to receive the Employee's Personal Data or Personal Data which the Employee provided to the Employer in a structured manner, which is used ordinarily and can be accessed by automated means, in an electronic format, as well as and the right to send such data to another controller;
• The right to object to the processing unless the Employer demonstrates compelling legitimate reasons for the processing of the Employee's Personal Data that exceed the Employee's interests, rights and freedoms, or for the establishment, exercise or defense of legal claims;
• The right not to be the subject of a decision solely based on automated processing, including profiling, which would have a legal effect on the Employee, or similarly affect the Employee, unless such processing is necessary for the performance of the Contract, is permitted by law or is based on the explicit consent of the Employee.

The Employee can exercise such rights by transmitting a written notice to the Employer, using the contact information below. The Employer will provide the Employee with the requested information within 30 days of receipt of the request. However, that period may be extended by a further 60 days if the Employee is notified of that extension within 30 days of receipt of that request. Please refer to How to Contact Us to execute your rights.

Confidentiality. Stefanini shall ensure the confidentiality of the Employee's Personal Data by putting in place internal procedures to do so. In addition, the Employer shall ensure that the personnel, the Affiliates and Sub-processors involved in the processing of the Employee's Personal Data for the purposes of this Employee Data Protection Information Notice are informed of the confidential nature of the Personal Data, that they have been properly trained in terms of their tasks and that they have signed written privacy agreements regarding the use of Personal Data.

Limitation of access. Stefanini shall ensure that access to Personal Data is limited to the employees, Affiliates and Sub-processors who provide services in accordance with the Contract.

Data Protection Officer. For Stefanini Germany GmbH, The data protection officer can be reached at the following address: Stefanini Germany GmbH, Attn: Data Protection, Im Zollhafen 24, 50678 Cologne, Germany.

Data Protection Committee. For all other entites, Stefanini has appointed a Data Protection Committee which can be contacted directly via Privacy@Stefanini.com.

Appropriate technical measures. Stefanini documents the implementation of the necessary technical measures in accordance with the requirements of the various personal data protection laws and regulations it is subject to, including the EU Personal Data Protection Laws and Regulations.

Appropriate security measures. Stefanini agrees and guarantees that it has implemented appropriate security measures in order to protect Personal Data against accidental or unlawful destruction or unauthorized loss, alteration, disclosure or access and against all other forms of illegal processing, and that those measures ensure a level of security appropriate to the risks posed by the processing and the nature of the Personal Data to be protected, taking into account the state of the art and the cost of their implementation.

Management and reporting of incidents related to Personal Data. Stefanini shall maintain policies and procedures for the management of security incidents and shall inform the Employee about any accidental or unlawful loss, alteration or unauthorized disclosure or access of the personal data transmitted, stored or otherwise processed by the Employer and/or the Sub-processors ("Personal Data Incident") if the incident is likely to result in a high risk for the Employee. The Employer will make reasonable efforts to discover the cause of such a Personal Data Incident and will take all necessary and reasonable measures to remedy the cause of such a Personal Data Incident.

Assessment of the impact on the protection of Personal Data. Stefanini will perform impact assessments regarding Personal Data if new technologies and/or procedures are implemented as part of the normal activity of the Employer and in relation to the activities performed by the Employee in accordance with the Contract. Such assessments will be conducted in order to ensure appropriate protection for the Employee's Personal Data.

Other obligations of the Employer. The Employee shall not be subjected by the Employer to an automated decision-making process, including profiling, without this being necessary for the performance of the Contract. For automated decisions that produce legal effects on the Employee, the Employer shall inform the Employee and allow him/her to oppose and obtain human intervention in the decision-making process.

Compliance Audit. Stefanini will conduct annual compliance audits of its relevant privacy practices to verify adherence to this statement, EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks Principles. The audit will be conducted under the direction of the Data Protection Committee. Any employee that the Company determines is in violation of this privacy statement will be subject to disciplinary action up to and including termination of employment. Any Agent or Third Party that violates this privacy statement shall be in material breach of all agreements with Stefanini and shall defend and indemnify Stefanini from claims related to such violations.

Personal data collected by Stefanini may be stored and processed in your region, in the United States or in any other country where Stefanini or its affiliates, subsidiaries or service providers maintain facilities. We take steps to ensure that the data we collect under this privacy statement is processed according to the provisions of this statement and the requirements of applicable law wherever the data is located.

When we transfer personal data from the European Economic Area to other countries, we use a variety of legal mechanisms, including contracts, to help ensure your rights and protections travel with your data. Stefanini adheres to the principles of the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks, regarding the collection, use, and retention of data from the European Economic Area and Switzerland. To learn more about our adherence to these programs, please see: Stefanini, the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks

The Employee's Personal Data will be processed by the Employer for a period equal to the period set by the legal requirements applicable in the field of labor law, tax/financial legislation, as well as other laws, regulations and/or other provisions specific to the standards applicable to the sector in which the Employer operates. In addition, the Employer is entitled to process the Employee's Personal Data by observing the prescription periods in accordance with the procedural rules imposed by country civil and/or criminal legislation. Please refer to the following link to see retention periods for your area:  Retention

When personal data is deleted, it is removed from live systems, but may remain in a backup format for up to one year. Data, whether in live or backup format, will be protected following the Security mechanisms described above.

We will update this privacy statement when necessary to reflect customer feedback and changes in our processes. When we post changes to this statement, we will revise the “last updated” date at the top of the statement. If there are material changes to the statement or in how Stefanini will use your personal data, we will notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review this privacy statement to learn how Stefanini is protecting your information.

If you have a privacy concern or a question for the Privacy Officer of Stefanini, please contact us by using the following contact information. We will respond to questions or concerns within 30 days. For Data Subject Access Requests, please complete the Privacy Requests Form at the top of the page.

• Name: Privacy
• Address: 27100 W. 11 Mile Road, Southfield, MI 48034 USA
• Phone: +1 (248) 263-5678
• Fax: +1 (248) 386-4644
• EmailI privacy@stefanini.com

You may also send a letter to the registered seat of the Stefanini entity that you engage or are employed with.

For Germany, the data protection officer can be reached at the following address: Stefanini Germany GmbH, Attn: Data Protection, Im Zollhafen 24, 50678 Cologne, Germany.

For Brazil, the data protection officer and additional information is published on Stefanini's Brazil Website. The Brazil data protection officer can be reached at the following address: Avenida Jaguary, 164, Centro, Jaguariúna, 013910-039, São Paulo, Brazil. Phone: (19) 3867-8800. Email: dpo@stefanini.com

Unless otherwise stated, Stefanini is a data controller for personal data we collect through the products or services subject to this statement.

Stefanini, Inc. ("Stefanini") complies with the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom (and Gibraltar), and Switzerland to the United States. Stefanini, Inc. has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles. If there is any conflict between the terms in this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Stefanini’s participation in the Data Privacy Framework applies to all personal data that is subject to this Privacy Notice and is received from the European Union, European Economic Area, United Kingdom (and Gibraltar), and Switzerland. Stefanini will comply with the Data Privacy Framework Principles in respect of such personal data.

Stefanini's accountability for personal data that it receives under the Data Privacy Framework and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Stefanini, remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Stefanini proves that it is not responsible for the event giving rise to the damage.

We encourage you to contact us should you have a Data Privacy Framework-related (or general privacy-related) complaint. Questions or complaints regarding this Policy and any privacy-related issue should be submitted by mail or email to the Data Protection Committe, as indicated below:

• Name: Privacy
• Address: 27100 W. 11 Mile Road, Southfield, MI 48034 USA
• Phone: +1 (248) 263-5678
• Fax: +1 (248) 386-4644
• Email privacy@stefanini.com

Any questions or concerns regarding the use or disclosure of Personal Information or Stefanini’s participation in the DPF Frameworks, should be directed to the Privacy Officer. Stefanini will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in the privacy statement. 

For complaints that cannot be resolved between Stefanini and the complainant, Stefanini will cooperate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals, the UK Information Commissioner (for UK individuals), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) for resolving disputes with Swiss individuals. 

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Stefanini, Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to International Centre for Dispute Resolution / American Arbitration Association (“ICDR/AAA”), an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint.  The services of International Centre for Dispute Resolution / American Arbitration Association (“ICDR/AAA”) are provided at no cost to you.

As further explained in the DPF Principles, binding arbitration is available to address residual complaints not resolved by other means. All decisions of the arbitration panel shall be final and binding on the parties, which waive any right to further appeal the arbitration award, to the extent an appeal may be lawfully waived. 

Stefanini will use the European Data Protection Authorities (DPA) as its independent recourse mechanism with respect to European Union human resources data. Stefanini will use the UK Information Commissioner as its independent recourse mechanism with respect to United Kingdom (and Gibralter) human resources data. Stefanini will use the Swiss Federal Data Protection and Information Commissioner as its independent recourse mechanism with respect to Switzerland human resources data.

Stefanini is also subject to the jurisdiction of the US Federal Trade Commission. The Federal Trade Commission may be contacted at the following address:

Federal Trade Commission

Attn: Consumer Response Center

600 Pennsylvania Avenue NW

Washington, DC 20580  USA

• consumerline@ftc.gov
• www.ftc.gov