The Sherwin-Williams Company, and its subsidiaries and affiliates (collectively, “Sherwin-Williams”) are committed to protecting the privacy and security of personal information and/or personal data (as described below). Due to the global nature of its business, Sherwin-Williams must share certain personal information and/or personal data across national boundaries. Sherwin-Williams has certified that it abides by the Safe Harbor Agreement between the United States and the European Union with respect to personal information and/or personal data processed as part of our human resources activities, including the Safe Harbor privacy principles established thereunder.
Sherwin-Williams receives personal information in connection with the management and administration of human resource functions relating to pre-employment, employment and postemployment matters. Sherwin-Williams may collect and use the personal information for various human resource purposes, including but not limited to, job applications, recruiting and hiring activities, evaluation, implementation and administration of human resource, compensation and benefits functions, programs and activities, performance appraisals, training, business travel, access to Sherwin-Williams’ facilities and computer networks, employee directories, human resources recordkeeping, succession planning, compliance with legal requirements and other employment related purposes.
To the extent required by the Safe Harbor privacy principles, Sherwin-Williams will offer individuals the opportunity to choose (opt out) when their personal information is (a) to be disclosed to a third party (other than a third party acting as an agent to perform task(s) on behalf of and under the instruction of Sherwin-Williams) or (b) to be used for a purpose that is incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.
Special requirements apply to sensitive information, defined as “personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.” For such sensitive information, to the extent required by the Safe Harbor principles, individuals must give affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other those for which it was originally collected or subsequently authorized by the individual through the exercise of the opt in choice. Explicit (opt in) choice is not required when necessary for the establishment of legal claims or defenses; when required to provide medical care or diagnosis; and when necessary to carry out the organization’s obligations in the field of employment law.
When personal information is disclosed to a third party acting as an agent to perform task(s) on behalf of and under Sherwin-Williams’ instructions, Sherwin-Williams will transfer the information only if Sherwin-Williams first ascertains that the third party subscribes to the Safe Harbor principles or is subject to the Directive or another adequacy finding or enters into a written agreement with the third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Safe Harbor principles.
Sherwin-Williams shall ensure that reasonable precautions are taken to protect personal information from loss, misuse and unauthorized access, disclosure, alteration or destruction. Such measures may include the use of password protection and restricting access to personal information to those with a legitimate human resource purpose in receiving the information.
Employees who have access to such personal information shall be trained regarding this Policy and the Safe Harbor principles embodied in it, advised that they are responsible for fully complying with the privacy principles articulated in this Policy and instructed that violations of these principles shall result in appropriate discipline up to and including termination.
Personal information must be relevant for the purposes for which it is to be used. Personal information shall not be processed in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, reasonable steps shall be taken to ensure that the personal information is reliable for its intended use, accurate, complete and current. Reasonable steps shall also be taken to accommodate employee privacy preferences, such as restricting access to the personal information to those who have a legitimate business need to know the information, anonymizing certain information, or assigning codes or pseudonyms when the actual names are not required for the business purpose at hand.
Sherwin-Williams will provide individuals with access to their personal information and the ability to correct, amend or delete that information when it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in question, or where the rights of persons other than the individual would be violated. Access may be limited or denied when granting such access would prejudice employee security investigations or grievance proceedings or prejudice the confidentiality that may be necessary for limited periods in connection with employee succession planning or corporate re-organizations. If an individual becomes aware that the information Sherwin-Williams maintains on him or her is inaccurate, the individual may contact the individuals listed in the Verification and Enforcement section of this policy.
VERIFICATION AND ENFORCEMENT
Sherwin-Williams has verified and will verify annually that the attestations and assertions made about its Safe Harbor privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the Safe Harbor principles. This verification has been and will be signed by corporate officer or other authorized representative of the Sherwin-Williams at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance. The verification includes the following:
That Sherwin-Williams’ published Policy is accurate, comprehensive, prominently displayed,
completely implemented and accessible;
That the Policy conforms to the Safe Harbor Principles;
That individuals are informed of any in-house arrangements for handling complaints and of
the independent mechanisms through which they may pursue complaints;
That it has in place procedures for training employees in its implementation and disciplining
them for failure to follow it;
That it has in place internal procedures for periodically conducting objective reviews of
compliance with the above.
Inquiries or complaints regarding this policy should be directed to the local Human Resources representative. If the inquiry cannot be answered or the complaint resolved locally, the matter should be directed to Diane K. Hupp, Vice-President – Employee Relations, 101 Prospect Ave., Cleveland, Ohio 44115; phone (216) 566-2504; fax (216) 566-3266; e-mail firstname.lastname@example.org. If a complaint remains unresolved, Sherwin-Williams will cooperate with the competent European Union information protection authorities and comply with the advice of such authorities. In the event that Sherwin-Williams or the authorities determine that Sherwin-Williams did not comply with this policy, Sherwin-Williams will take appropriate steps to address any adverse effects and to promote future compliance.
* * * * * * * * * * * * *
This Policy may be amended from time to time in compliance with the requirements of the Safe Harbor Principles. Appropriate notice will be given concerning such amendments. To the extent there is any conflict between the Safe Harbor privacy principles and this policy, the Safe Harbor privacy principles shall take precedence.