Transparency > Other Disclosures Data Privacy for Non-U.S. Employee Personal Information
Effective by date: February 2, 2012
Approved date: February 2, 2012
1.0 Overview Section
This Policy shall facilitate Abbott’s participation in the EU-U.S. Safe Harbor Agreement, regulating transfers of Personal Information from the European Union to the United States and the transfer of Personal Information from other jurisdictions that have data privacy legislation such as Argentina and Japan. Abbott will comply with the rules and principles arising under the Safe Harbor Program. This Policy supplements the Abbott Privacy Principles, which establishes general standards for Processing Employee Personal Information within the Company.
This Policy specifically governs the Processing of Employee Personal Information relating to Abbott employees ordinarily resident outside the United States, but who’s Personal Information is processed by Abbott entities within the United States (the “Employees”). The U.S. Employee Personal Data Policy applies to the Company’s Processing of Employee Personal Information relating to employees resident in the United States.
Implementation is in accordance with Effective by Date.
3.0 General Policy
3.1 Notice to Non-U.S. Employees
The Company will inform Employees through appropriate channels about the purposes for which it collects and uses their Employee Personal Information, how to contact Abbott where they have issues or concerns about their Employee Personal Information,the types of third parties with which it shares their Personal Information, and the choice and means Abbott offers employees for limiting the use and disclosure of their Employee Personal Information. This information will be provided as soon as practicable, and, in any event, before Abbott uses the information for a purpose other than that for which it was originally obtained.
Among the reasons that the Company holds and may in the future collect Personal Information about Employees include the following: normal business practices related to your role and function in the company, employee management and administration generally (including both during and after employment), employment verification,administering benefits, administering personal short or long term compensation programs, conducting disciplinary proceedings, addressing labor relations issues,processing health insurance claims, and maintaining and monitoring usage of internal networks and IT systems. The Company may be required under local labor and other laws (e.g., tax, health and safety, anti-discrimination) to maintain records that can include personal information, such as government identifiers, information relating to sickness,maternity or parental leave, pension and retirement.
3.2 Choice for Employees
The Company will not Process Employee Personal Information for purposes incompatible with those given in any formal notice furnished to Employees without first informing Employees and giving them the opportunity to object to such Processing. The Company will not Process Employee Personal Information that qualifies as Sensitive Personal Information for purposes incompatible with those given in any formal notice provided to employees unless the employee in question has explicitly consented to the Processing or the Processing is:
- in the vital interests of the Employee or another person;
- necessary for the establishment of legal claims or defenses;
- required to provide medical care or diagnosis;
- necessary to carry out the Company’s obligations in the field of employment law;or
- related to information that has been made public by the Employee.
3.3 Ensuring Information Integrity
The Company will Process only Employee Personal Information that is relevant taking into account the business purposes for which it is to be processed. The Company will employ reasonable means to keep Employee Personal Information accurate, complete,up-to-date and reliable for their intended use. All employees have a responsibility to assist the Company in keeping the Personal Information the Company maintains about them accurate, complete and current.
3.4 Ensuring Information Access
With limited exceptions, Employees will be permitted to review and, where inaccurate,correct Employee Personal Information that the Company holds about them by contacting a designated contact point. However, the Company may not give Employees the ability to review their Employee Personal Information when the burden or expense of doing so(including locating the Employee Personal Information) is disproportionate to the risks to their privacy in a particular case. Such cases include, but are not limited to, those where disclosure of Employee Personal Information would:
- require the disclosure of confidential commercial information and such confidential information cannot be readily separated from the Employee Person Information;
- interfere with execution or enforcement of the law, including the prevention, investigation or detection of criminal offenses or the right to a fair trial;
- interfere with private causes of action, including the prevention, investigation or detection of legal claims or the right to a fair trial;
- breach a legal or other professional privilege or obligation;
- breach the confidentiality necessary for future or ongoing negotiations, such as those involving the acquisition of companies;
- prejudice employee security investigations or grievance proceedings;
- prejudice the confidentiality necessary, for limited periods, in connection with employee succession planning and corporate re-organizations; or
- prejudice the confidentiality necessary in connection with monitoring, inspection or regulatory functions connected with the Company’s sound economic or financial management.
The Company also may not give Employees the ability to review their Employee Personal Information when doing so would affect the privacy interests of other individuals and the Personal Information of those other individuals cannot be redacted.If the Company does not provide Employees the ability to review their Employee Personal Information, it will indicate the specific reasons why and provide a contact point for further inquiries. Irrespective of the limitations set forth above, the Company will comply with all applicable local regulations and ensure that Employees can review any Personal Information they have a right to access under the law applicable in their country of residence.
3.5 Transfers to Company Affiliates and Third Parties
Employee Personal Information only may be disclosed to other Company affiliates or independent third parties where required by law or legal process (including disclosures to law enforcement authorities in connection with their duties), to protect the interests of the Company and/or its employees, if there is an emergency situation involving the health and safety of an employee, where necessary for the Company to perform a contractual obligation owed to an Employee or for other lawful purposes.
Except where the disclosure is required by local law, regulation or court order or where the transfer is necessary to perform contractual obligations owed to the Employee, an Employee will be entitled to object to having their Employee Personal Information disclosed to other Company affiliates or to independent third parties. If the employee Personal Information qualifies as Sensitive Personal Information, the Company will seek affirmative consent from Employees before making such disclosures, except in cases falling within Section 3.2 of this Policy.
3.6 Transfers to Agents and Contractors
The Company may disclose Employee Personal Information to third party agents or contractors that supply services to the Company that require the Processing of that Personal Information. The Company will only transfer Personal Information where the agent or contractor has provided assurances to the Company that it will protect the Personal Information consistent with this Policy. If the Company has knowledge that an agent or contractor is Processing Personal Information in a manner contrary to this Policy, it will take all reasonable steps to prevent or stop the Processing.
Appropriate administrative, technical, personal and physical measures will be used to safeguard Employee Personal Information against loss, theft, misuse, unauthorized access, modification, disclosure and destruction. The Company will restrict access to Employee Personal Information under its control to those employees, agents and contractors of the Company who have a legitimate business need for such access.
The Company will maintain an active program to ensure compliance with this Policy.Employee and Labor Relations are responsible for implementing and overseeing the administration of this Policy. All Company employees whose responsibilities include the Processing of Employee Personal Information are required to adhere to this Policy and any implementing policies. Failure to do so may be grounds for discipline up to and including termination.
3.9 Complaint Resolution
The Company is committed to assisting employees in protecting their privacy and in providing opportunities to raise concerns about the Processing of their Employee Personal Information. Retaliation against any employee who raises a concern under this Policy is against Company policy and is strictly prohibited. Employees who have concerns about the Processing of their Employee Personal Information are encouraged to notify their local Human Resources. Any submitted complaints will be resolved in accordance with Abbott’s existing formal complaints procedures.
For Abbott employees located in the European Union, if efforts to resolve a concern within Abbott are unsatisfactory, employees may contact the panel of EU data protection authorities established as an independent recourse mechanism under the Safe Harbor Agreement. Abbott will cooperate in the resolution of such inquiries and will comply with the advice given by the panel of EU data protection authorities.
For Abbott employees located in Switzerland, if efforts to resolve a concern within Abbott are unsatisfactory, employees may contact the Swiss Federal Data Protection and Information Commissioner established as an independent recourse mechanism under the Safe Harbor Agreement. Abbott will cooperate in the resolution of such inquiries and will comply with the advice given by the Swiss Federal Data Protection and Information Commissioner.