The European Commission's Directive on Data Protection (October 1998) prohibits the transfer of Personal Data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. In order to bridge these different privacy approaches and provide a streamlined means for US organizations to comply with the Directive, the US Department of Commerce, in consultation with the European Commission, developed a "Safe Harbor" framework. The Safe Harbor - approved by the EU in July 2000 - is a way for US companies to avoid experiencing difficulties with their dealings with the EU or potentially facing prosecution by EU authorities under European privacy laws.
3. Safe Harbor Privacy Statement
4. Compliance with Safe Harbor
The US Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the "Safe Harbor Principles") to enable US companies to satisfy the "adequacy standard" requirement under EU law that protection be given to Personal Data transferred from the EU to the US. Company commits to adhere to the privacy principles of the Safe Harbor Program administered by the U.S. Department of Commerce. Information on the Safe Harbor Program can be found at the program's website http://export.gov/safeharbor. Consistent with its commitment to protect personal privacy, Company adheres to the following Safe Harbor
"Company" means Company Enterprises, Inc. and its divisions but excluding all subsidiaries and affiliates.
"Agent" or "Vendor" means any third party that collects or processes or otherwise uses Personal Data or "Sensitive Personal Data" solely on behalf or under the instruction of Company.
"Personal Data" means any information or set of information that identifies or can reasonably be used to identify an individual. Personal Data does not include data that is encoded, encrypted or made anonymous in part or in whole, or publicly available information that has not been combined with non-public "Personal Data."
"Sensitive Personal Data" means Personal Data that reveals race, ethnic origin, political opinions, religious or that concerns an individual's physical or mental health, marital status, family status or sexual orientation. Information is treated as "Sensitive Personal Data" when it is received from a user or third party that treats and identifies it as sensitive.
4.2 The Information Collected and How it is Used
The following privacy principles apply to the collection, use, and disclosure of Personal Data by Company.
4.2.1 Web Related
Aggregate and Statistical Data Company collects certain aggregate data from employees for the purpose of complying with US federal and state government reporting requirements.
Company also collects certain aggregate data for general statistical information each time a Company web site is visited.
This information is collected through the server web logs and may consist of dates and times of visits to our web site(s); the IP addresses of visitors to our web site(s); the operating system and browser version of the computers of visitors to our web site(s).
This data is not used individually to identify users of our web site(s).
This data is used to analyze system performance, usage, peak usage and usage trends.
Company's web sites employ the use of "cookies."
Cookies are small data files (text) that are transferred from a standard web server to a user's browser.
Cookies contain information that can be read by the Web server for record-keeping purposes.
The information stored in cookies is not used to personally identify an individual and does not contain "Personal" or "Sensitive Personal" data.
Cookies may be rejected if a user's browser is set to reject or deny cookies; if a user has a third-party program installed that interferes or prevents cookies (i.e., certain firewalls, anti-virus or anti-spyware programs) or notifies the user whenever a cookie is sent to the user's computer.
Cookies sent by Company that are rejected may limit access to Company's web sites or the web site may no longer function as intended or be accessible to the user.
4.2.2 Personal Data Submitted to Company
All personally identifiable information received by Company is voluntarily submitted by employees or by others on the employees' behalf with their explicit or implicit consent.
Those providing the information may include individuals providing references; third parties responding to authorized background checks; workplace monitoring mechanisms; third parties sending email, mail or other deliveries to employees; other employees completing performance appraisals, and colleagues providing comments with respect to an employee's performance; where appropriate, from medical professionals; individuals conducting investigations in support of allegations of unlawful or inappropriate activity; and otherwise as required or permitted by law.
4.2.3 Use of Personal Data by Company
The purposes for which we may use employee personal data it are specified in greater detail below in Appendix A.
5. Company Safe Harbor Privacy Principles
The privacy principles in this policy are based on the Safe Harbor Principles:
Where Company collects Personal Data directly from employees, it will inform them about the type of Personal Data collected, the purposes for which it collects and uses the "Personal Data," and the types of third parties to which Company discloses or may disclose that information, and the choices and means, if any, Company offers individuals for limiting the use and disclosure of their "Personal Data." Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Company, or as soon as practicable thereafter, and in any event before Company uses or discloses the information for a purpose other than that for which it was originally collected.
Company will offer individuals the opportunity to choose ("opt out") whether their Personal Data is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For "Sensitive Personal Data," Company will give individuals the opportunity to affirmatively and explicitly consent ("opt in") to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Company will provide individuals with reasonable mechanisms to exercise their choices.
5.3 Transfers to Vendor Partners
On occasion, Company will provide information stored on our servers to vendor partners, for the purpose of integrating with that vendor's product or service offerings, e.g., to providers of insurance products that Company employees have voluntary requested and agreed to purchase via payroll deduction. This integration is performed at the request of our vendor partner to further their business needs and to provide services or to improve those services. Data that is shared may include name, e-mail address, employee ID, address, Social Security Number, date of birth and other information; but Company only transmits to these vendors data that is essential to the fulfillment of the product or service that the employee has voluntarily agreed to purchase. Contractual agreements are made between Company and the vendor to whom the data is being transferred. Company's vendor partners are assumed to hold similar privacy standards as Company. If Company becomes aware that a vendor is using or disclosing Personal Data or "Sensitive Personal Data" in a manner that is improper or that is contrary to this Safe Harbor Policy, Company will take commercially reasonable measures to stop or prevent the use or disclosure of such data.
5.4 Access and Correction
Information that is stored about the users of Company's web site(s) is accessible and editable directly from within Company's intranet site(s). Company permits users to edit, correct, or delete any information that they feel is inaccurate or incomplete. Should an individual not be able to access or correct this information, the individual should contact the Payroll department at 757.989.2980 to obtain information about how to access and edit Personal Data or Sensitive Personal Data within the site.
5.5 Integrity of Data
Company will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Company will take commercially reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current.
5.6 Security of Information
Company will take all reasonable precautions to protect all "Personal" and "Sensitive Personal" data in its possession from unauthorized access, loss, or misuse. This includes, but is not limited to, the use of 128-bit encryption technology, regularly scheduled backups of data, secured storage of all Sensitive Personal information and access limitations and restrictions to the servers and computers that contain such data.
5.7 Enforcement of Policy
5.8 Resolution of Disputes
Any questions or concerns regarding the use or disclosure of Personal Data should be directed to Company's Safe Harbor Officer at the address given below. Company will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this policy. For complaints that cannot be resolved between Company and the complainant, Company has agreed to participate in the dispute resolution procedures of the panel established by the European Data Protection Authorities to resolve disputes pursuant to the Safe Harbor Principles.
5.9 Limitations on Application
Company's adherence to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule, or regulation. Web sites created by Company may contain links to other Web sites. Please be aware that Company is not responsible for the privacy practices of these web sites. Company does not endorse them or make any representations about them or any information, services, products, or materials found on them. Users are strongly encouraged to read the privacy policies of any third-party sites accessed through links.
6. Contact Information
Questions, comments or concerns regarding the Safe Harbor Policy may be directed to: Ferguson Enterprises, Inc.
John Allen Waldrop, III
Assistant General Counsel
12500 Jefferson Avenue
Newport News, VA 23602
The practices described in this Policy are current as of March 25, 2008. Company reserves the right to modify or amend this policy at any time consistent with the requirements of the Safe Harbor Principles. Appropriate public notice will be given concerning such amendments. This policy may be changed periodically in accordance with the requirements of the Safe Harbor Principles. Changes to the Safe Harbor policy will be posted on Company's corporate web site - www.ferguson.com - or concerned parties may request notification of updates via e-mail.
8. Effective Date
This policy takes effect on August 1, 2007.