I. Purpose
The purpose of this Policy is to ensure the effective and internationally uniform protection of privacy with regard to the processing of personal data within the Mativ Holdings, Inc. group of companies (collectively, “Mativ”) on a global basis.
II. Scope
This Policy applies to all Mativ directors, officers and employees, and any agents, consultants or independent contractors (“Mativ Employees”) who process personal data for, or on behalf of, Mativ. This Policy covers any processing of personal data by Mativ irrespective of the location at which the processing of personal data takes place and the nature of personal data processed (e.g., customer, supplier or employee data).
Where the applicable local laws require a higher level of protection for personal data, they will take precedence over this Policy. In such circumstances, the local business unit will advise the Data Privacy Officer in the preparation of local policies or procedures to supplement this Policy in accordance with the applicable local laws.
III. Policy
A. Basic Principles
- Principle of lawfulness and fairness
a. Personal data must be processed fairly and legally, respecting the rights and freedoms of individuals as set out in this Policy. Processing (as defined below) of data will not be fair if the data subject (defined below) has been misled or where any pressure is applied when the data is collected. Information obtained in breach of a contract or in breach of a duty of confidence will not be data processed legally.
b. In addition, any processing of personal data that gives rise to unlawful or arbitrary discrimination against the data subject shall be deemed unfair.
- Purpose specification principle
a. Personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes.
b. Processing of data in a way incompatible with the purposes specified at the collection of the data is against the law and therefore prohibited. For example, personal data collected from a healthcare professional for the purpose of a product evaluation should not at a later date be used for direct marketing unless the specific consent of the healthcare professional has been obtained for this additional purpose.
- Proportionality principle
a. Mativ should only collect and retain personal data that it actually needs for a stated purpose and should make reasonable efforts to limit the amount of personal data collected to fit the purpose.
- Data quality principle
a. Mativ shall, at all times, make reasonable efforts to ensure that personal data is accurate, complete and kept up to date. Mativ shall limit the period of retention of the personal data to the minimum necessary. Therefore, when personal data is no longer required for the purposes for which it was originally collected, it must be deleted (subject to section C.2.c. of this Policy), or rendered anonymous.
- Openness principle
a. Mativ shall provide to the data subjects, as a minimum, information about Mativ’s identity, the intended purpose of processing, the recipients to whom their personal data will be disclosed and how data subjects may exercise the rights provided in this Policy under section C below.
b. When personal data is collected directly from the data subject, the information must be provided on or before the time of collection.
c. When personal data is not collected directly from the data subject, Mativ must also inform the data subject about the source of personal data. This information must be given within a reasonable period of time, unless it is impossible or would require a disproportionate effort by Mativ.
d. All information to be provided to the data subject must be provided using clear and plain language.
e. Where personal data is collected on a Mativ website, Mativ must provide the information set out under paragraph A.4 a. above, in a privacy notice which is easy to access.
B. Legitimacy of processing
- General principle of legitimacy
a. As a general rule, personal data may only be processed based on legitimate grounds, which include, by way of example, the following situations:
(i) After obtaining the free, unambiguous and informed consent of the data subject;
(ii) Where a legitimate interest of Mativ justifies the processing (including, without limitation, the transfer of personal data), and the legitimate interests, rights and freedoms of the data subject do not prevail;
(iii) Where the processing is necessary for the establishment or the performance of a legal relationship between Mativ and the data subject;
(iv) Where the processing is necessary for complying with a legal obligation to which Mativ is subject; or
(v) Where there are exceptional situations that threaten the life, health or security of the data subject or of another person.
b. With respect to consent given by data subjects, Mativ shall allow data subjects to withdraw such consent at any time in a simple, fast and efficient way, which does not entail undue delay or cost. In case of such withdrawal, Mativ shall cease further processing of the relevant data subject’s personal data, unless otherwise permitted or required by the applicable local laws.
- Sensitive data
a. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership as well as personal data relating to health shall be considered sensitive data. The applicable local laws may provide additional categories of sensitive data and require a higher level of protection for such data. In such circumstances the local law will take precedence over this Policy.
b. Mativ will only process sensitive data with the data subject’s consent, unless otherwise permitted or required by the applicable local laws.
- Proportionality principle
a. Mativ should only collect and retain personal data that it actually needs for a stated purpose and should make reasonable efforts to limit the amount of personal data collected to fit the purpose.
- Provision of processing services
a. Mativ may carry out processing of personal data through one or more processing service providers, provided that:
(i) Mativ requires that the processing service provider provides, at least, a level of protection consistent with this Policy and the applicable local laws; and
(ii) The relationship between Mativ and the processing service provider is set out in a contract which clearly states the respective obligations of both parties and which requires the processing service provider to comply with this Policy and the applicable local laws.
- International transfer
a. Local laws restrict the international transfer of personal data and lay down safeguards to protect the privacy and fundamental rights of the data subjects where such transfers are necessary.
b. As a general rule, international transfers of personal data should be carried out only when the recipient to whom such data is transmitted provides, as a minimum, a level of protection consistent with this Policy.
C. Rights of the Data Subject
- Right of access
a. Each data subject has the right, upon making a request to Mativ, to be informed whether their personal data are being processed by Mativ and if so, the purpose for the processing and the recipients of the data.
b. All information to be provided to the data subject must be provided using clear and simple language.
- Rights to rectify and to delete
a. Each data subject has the right to request from Mativ the deletion or rectification of personal data that is incomplete, inaccurate, unnecessary or excessive.
b. Where justified, Mativ shall carry out the rectification or deletion requested. Mativ shall also notify this fact to third parties to whom personal data had been disclosed, where they are known.
c. Mativ may decline to carry out deletion of personal data in circumstances where the data must be retained by Mativ for compliance with a legal obligation, for example, personal data collected as part of adverse event reporting under relevant medical device legislation.
- Right to object
a. Each data subject may object to the processing of his/her personal data where there is a legitimate reason to do so.
b. The exercise of this right to object is not justified where the processing is necessary for the performance of a duty imposed on Mativ by the applicable local laws.
- Exercise of data subject’s rights
a. The rights provided for in sections C.1. to C.3. of this Policy may be exercised:
(i) Directly by the data subject, who must establish his/her identity to Mativ.
(ii) Through a representative of the data subject, who must establish his/her right to represent the data subject to Mativ.
b. Mativ shall ensure that data subjects can exercise the rights provided for in sections C.1. to C.3. of this Policy in a simple, fast and efficient way, which does not entail undue delay or cost.
c. When Mativ concludes that, pursuant to the applicable local laws, the exercise of rights under this paragraph C is not justified, Mativ shall inform the data subject about the reasons that led to this conclusion.
D. Security
- Security measures
a. Mativ must put in place the appropriate technical and organizational measures to protect personal data against data security breaches. A risk-based approach should be taken such that the level of security adopted is appropriate for the type of personal data processed and a number of other factors, such as the possible consequences to data subjects should a breach occur and the context in which the processing is carried out. Appropriate technical measures may include firewalls and encryption, while appropriate organizational measures may include data security policies and training of employees.
- Data breaches
a. Data breaches occur when personal data are unlawfully obtained by third parties (e.g. when a database is hacked) or when data is mislaid or misdirected due to poor controls and procedures. In either case, data breaches can have serious consequences for Mativ.
b. Mativ Employees must inform the Data Privacy Officer or the Compliance Helpline as soon as they become aware, or suspect, that a data breach has occurred.
IV. Definitions
Mativ Employee
All Mativ directors, officers and employees (including those of its wholly-owned subsidiaries) and all agents, consultants or independent contractors to Mativ (or any wholly-owned subsidiary of Mativ).
Data subject
The person whose personal data is subject to processing.
Personal data
Any information relating to an identified person or a person who may be identified by means reasonably likely to be used (each such person, a “data subject”) and which may include a person’s name, email address, telephone number, IP address, postal address, job title, and statements of opinion about a person.
Processing
Any operation or set of operations, automated or not, which is performed on personal data, such as collection, storage, use, transfer, disclosure or deletion.
Processing service provider
Any natural person or entity that carries out processing of personal data on behalf of Mativ.