Group Data Protection Policy

Revision 3 – March 2017

CONTENTS

1 INTRODUCTION
2 WHAT IS PERSONAL DATA?
3 WHAT IS PROCESSING?
4 THE RULES FOR PROCESSING PERSONAL DATA
4.1 Use of Personal Data must be Fair and Lawful
4.2 Personal Data must Only be Used for Specified Lawful Purposes
4.3 The Use of Personal Data must be Justified
4.4 Personal Data must be Accurate
4.5 Meggitt must Adhere to its Data Retention Policy
4.6 Appropriate Security must be Applied to all Personal Data
4.7 Personal Data must be Processed in Accordance with Individuals’ Rights
4.8 Transfers outside the European Economic Area
4.9 Direct marketing
5 DATA PROTECTION FOR EMPLOYEES
6 CONCLUSION
7 CONTACT INFORMATION

1. INTRODUCTION

The aim of this policy is to set out the obligations of Meggitt (“Meggitt” means Meggitt PLC and any entity controlled by Meggitt PLC directly or indirectly) and its employees when processing personal information (or personal data) about individuals. It is important that all Meggitt employees understand the rules about personal data.

Meggitt is a global organisation operating in a number of different countries. Each country has its own laws governing data privacy. This policy sets out the minimum requirements for the processing of personal information but a country’s laws may impose different requirements so employees should seek advice from their local Ethics Coordinator if unsure. Country-specific supplements to this policy will be published over time setting out the additional requirements of a particular country’s privacy laws and these should be followed where available.

Meggitt collects, processes, and stores personal information for various purposes, the main ones being:

  • recruitment
  • determining, evaluating, and implementing employment-related actions and obligations
  • designing, evaluating, and administering compensation, benefits, and other human resources programs
  • payroll, fund management and accounting
  • designing, evaluating, and implementing employment-related education and training programs
  • monitoring and evaluating employee conduct and performance, performance management and professional development
  • maintaining plant and employee security (including the capture of images through CCTV), and health and safety
  • collecting and storing customer information (i.e. personal information about individual contacts at customer companies)
  • making individuals’ names, images, and other items of business-contact information available by means of website posting, business cards, brochures, and other promotional media to Meggitt’s present and potential customers, suppliers, contractors, joint venture partners, other business associates, and employees
  • maintaining business records relating to past, present, and potential customers, suppliers, contractors, joint venture partners, other business associates, and employees
  • conducting auditing, accounting, financial, and economic analyses
  • facilitating business communications, negotiations, transactions, conferences, and compliance with contractual and legal obligations
  • research and development
  • technology infrastructure and support and facilities management
  • travel management
  • knowledge management
  • planning and delivery of business integration capabilities
  • business and market development and building and managing external relationships.

2. WHAT IS PERSONAL DATA?

Personal data is information which relates to a living individual (not companies, although information about a named individual of a company will be personal data) who can be identified from that information, whether or not in conjunction with any other information. Common examples of personal data which may be used by Meggitt in its day-to-day business include names, addresses, telephone numbers and other contact details, resumés/CVs, performance reviews, salaries and statements of opinion or intention regarding individuals.

3. WHAT IS PROCESSING?

Meggitt will be processing personal data if it holds personal data and/or carries out any operation relating to that information such as altering or deleting it, accessing, downloading, reviewing or transferring it.

It is irrelevant whether the information is stored as a manual record or is automatically processed (i.e. computer or word processed).

4. THE RULES FOR PROCESSING PERSONAL DATA

Disclosure and use of personal data held by Meggitt is governed by the following rules in order to ensure compliance with data privacy legislation and in the interests of privacy, employee and customer confidence and good employee and customer relations.

4.1 Use of Personal Data must be Fair and Lawful

Meggitt must ensure that:

  • wherever possible individuals are advised of the personal data which has been obtained or retained, its source and the purposes for which the personal data may be used or disclosed; and
  • in most cases, that the individual has consented to the use of their information.

If the details about the intended processing are known to the individual at the time the personal information is collected then, in the main, the individual will be deemed to have given consent when they gave their information. If the information is not received directly from the individual then Meggitt must ensure that the individual is given the relevant information above and Meggitt has authority to use this information.

If the purposes for which the data may be used or disclosed change, then the individual must be notified at that point.

Occasionally, specific business needs can justify processing without consent (see Section 4.1.2.1 below).

4.1.1 Sensitive Personal Data

Some information in some countries (particularly those within Europe) is considered to be sensitive personal data (“Sensitive Personal Data”). This includes information relating to:

  • race or ethnic origin;
  • political opinions;
  • religious or similar beliefs;
  • trade union membership;
  • physical or mental health or conditions;
  • sexual orientation/behaviour; or
  • relating to the commission or alleged commission of any offence and any related court proceedings, including the disposal of or sentence in those proceedings.

Meggitt will not generally seek to collect such data unless it has the explicit consent of the individual to process Sensitive Personal Data and in this circumstance consent cannot be deemed. If there is no explicit consent or the information has not been received directly from the individual, Meggitt will not process Sensitive Personal Data unless it obtains the relevant consents or is otherwise lawfully entitled to do so. Meggitt may in some exceptional circumstances rely on consent given on behalf of an individual, for example by a Meggitt employee on behalf of a family member.

Some countries may have additional rules about using Sensitive Personal Data. Employees should check with their local Ethics Coordinator if unsure or refer to the appropriate supplement for their country (if available).

4.1.2 Consent

4.1.2.1 When is Consent not Required?

Provided that the processing is for one of the purposes set out in section 4.2 below and the individual concerned has been notified in writing that the data may be processed by Meggitt for that purpose (see Section 4.1), then personal data (but not Sensitive Personal Data) may be processed without consent from the individual concerned as follows:

  • Where the processing is necessary for the performance of a contract with the person to whom the data relates. This includes administration of pay and benefits for employees.
  • Where the processing is necessary to comply with any legal obligation (other than an obligation imposed by a contract). This covers processing and disclosing information in relation to employees to the relevant tax authorities. It also includes disclosures to the law enforcement agencies.
  • Where the processing is necessary to protect the vital interests of the person to whom the data relates (a “life or death” situation).
  • Where the processing is necessary for the purposes of legitimate interests pursued by Meggitt or by any third party to whom the data is disclosed – but not where it would prejudice the rights and freedoms or the legitimate interests of the person to whom the data relates. This provision would include where personal information is processed as part of a litigation matter. Meggitt employees must not rely on this “legitimate interests” exemption without express authority from the Group Ethics and Business Conduct Manager.

4.2 Personal Data must Only be Used for Specified Lawful Purposes

Meggitt will only use personal data for the purposes for which it was obtained, which should be the purposes specified in this policy or notified to the individual when the information was first obtained.

Provided that individuals cannot be identified, aggregate or statistical information may be used to respond to any legitimate internal or external requests for data, i.e. surveys, manpower figures.

4.3 The Use of Personal Data must be Justified

The personal data processed by Meggitt will be adequate, relevant and not excessive for Meggitt’s legitimate business purposes. Methods of data capture will:

  • be specific to the particular processing purpose;
  • obtain only that personal information which is necessary on which to base any decision that is to be taken for the processing purpose;
  • not collect personal data that is simply “nice to have”, which is otherwise not necessary for the processing purpose for which the individual has provided his or her details, or which is to be used for another purpose (i.e. marketing) about which the individual has not been informed. If information about other family members, interests and hobbies is not strictly relevant to any purpose about which the individual has been informed, then this information should not be collected; and
  • ensure that the individual is informed at the time the information was collected of the processing purpose or that consent is subsequently obtained.

4.4 Personal Data must be Accurate

The best way to ensure that the information is accurate is to check this with the individual at the time it is collected. Some personal information collected may change from time to time, such as address and contact details, bank accounts and employment. If Meggitt takes a decision based on inaccurate information or forwards information to the wrong address it is conceivable that this may cause some harm to the individual. It is therefore important that, where necessary, information is kept up to date. Individuals whose personal data is being processed should be requested to inform Meggitt of any changes to the personal information they provided.

Regular reviews of the information by Meggitt shall be carried out to ensure its accuracy. If a large volume of personal information or number of individuals is likely to be affected, the most cost-effective method will be adopted by Meggitt to update this information.

4.5 Meggitt must Adhere to its Data Retention Policy

Meggitt will observe retention policies and procedures designed so that Meggitt deletes personal information after a reasonable time and does not keep personal information for longer than is necessary for the purpose for which it is being held (except where the nature of that purpose is such that it is necessary to keep it indefinitely or the law requires the information to be kept for a certain time).

When Meggitt no longer needs to keep such personal information for such purposes it will take all reasonable steps to destroy or erase such information as soon as reasonably practicable.

4.6 Appropriate Security must be Applied to all Personal Data

Meggitt will have in place appropriate technical and organisational security measures to prevent unauthorised or unlawful processing, accidental loss of or destruction or damage to personal information. It will ensure that these measures are appropriate to the risks represented by the processing it carries out of those personal data.

Meggitt recognises the importance of appropriate security arrangements where any personal information is passed to third parties who process that information on behalf of Meggitt. Where Meggitt establishes such arrangements Meggitt will ensure that such service providers are bound by written contracts under which they agree to act only on Meggitt’s instructions and to have appropriate security arrangements in place to protect personal information. Note that third parties in this context include Meggitt Affiliates as well as outside service providers.

Personal information released to a third party for processing for that party’s own purposes, must only be released with the individual’s consent.

Personal data must only be disclosed to those authorised to see it.

Information must not be released about an individual to any person requesting this information by e-mail, phone, fax or post, unless Meggitt is sure of the identity of the person making the request and that they are entitled to receive the information requested. Please note that parents (unless in relation to children under 16), spouses, partners and children are not entitled to information about another individual.

4.7 Personal Data must be Processed in Accordance with Individuals’ Rights

Individuals whose personal data is being held in a country in the European Union have rights in relation to information processed about them.

These include the right to:

  • have information made available on request (see section 4.7.1 for details);
  • request that Meggitt does not process information which will or is likely to cause substantial and unwarranted damage or distress to the individual;
  • request that Meggitt correct personal information which it holds about them. If Meggitt agrees that the information is incorrect it will delete or correct the information. If it does not agree that the information is incorrect it will, nonetheless, record in the relevant file(s) the fact that the individual considers the data to be incorrect.

4.7.1 Access to Information

If a request for access to personal information is made by a person resident in the European Union, Meggitt will:

  • advise the individual making the request whether Meggitt holds any personal data concerning them;
  • if so, give the individual a description of that personal data, the purposes for which that data is being processed and the categories of person to whom it is or may be disclosed;
  • provide the individual with a hard copy of the information contained in that personal data and its source; and
  • advise the individual of what criteria are applied where a decision relating to or significantly affecting the individual is made by automatic means.

If, in order to comply with a disclosure request, Meggitt would need to disclose personal information relating to an identifiable third party then disclosure of that third party information is not permitted unless the third party has consented or it is reasonable to comply with the request without such consent. Failing these options, the data must be edited by Meggitt prior to disclosure so that the identity of third parties is not discernible.

Any requests received by employees for personal data must be passed immediately to the local Meggitt human resources manager, whether the request is from employees or external sources.

For Meggitt customers and suppliers wishing to make a personal information access request, please see Section 7 for relevant contact details.

Any personal data access request may be subject to a reasonable fee.

4.8 Transfers outside the European Economic Area and Switzerland

Where personal information is being handled by Meggitt within the European Union, Meggitt will not transfer that personal information outside the EEA or Switzerland (other than merely for processing on Meggitt’s behalf) unless:

  • it has first obtained consent from the individual; or
  • where the transfer is to a country which has not been deemed adequate by the European Commission,[1] Meggitt has taken necessary steps to ensure that the information transferred is kept protected; or
  • the transfer is necessary to protect the vital interests of the individual; or
  • the transfer is necessary to perform a contract with the individual.

Meggitt respects individual privacy and values the confidence of its customers, employees, business partners and others. Not only does Meggitt strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices.

4.9 Direct marketing

Meggitt will not send unsolicited marketing communications by email, post, fax or telephone to any individuals (including business partnerships and named individuals in companies) unless it has obtained the prior consent of those individuals. This consent can be obtained at the time the information is provided by the individual.

Meggitt will comply with any request by an individual not to receive direct marketing information.

[1] The countries currently deemed adequate include USA (those companies who have signed up to the EU Privacy Shield or Swiss U.S. Privacy Shield Framework only), Argentina, Switzerland, Canada, Guernsey and the Isle of Man.

5. DATA PROTECTION FOR EMPLOYEES

Initial personal information relating to employees is ordinarily obtained from job application forms submitted to Meggitt and thereafter principally from employees themselves by way of annual appraisal. A copy of this policy should be issued to any employee who wishes to receive more in-depth information regarding the use for which the data is being collected.

Requests for data concerning employees by external sources which may be authorised by Meggitt are:

  • Requests from agents authorised by the employee who is the data subject, e.g. mortgage requests, references. However, confirmation should be sought from the employee that the information is to be released and if possible, the employee’s written consent should be obtained.
  • Requests made for the purposes of law enforcement (e.g. for the prevention or detection of crime, the assessment or collection of any tax or duty). Disclosure is only allowed where failure to make disclosure would be likely to prejudice one of those purposes. In all cases written evidence should be obtained from the relevant authority as to the purpose of the request.
  • Requests for any other compulsory legal processes.
  • Requests, if urgently required, for the prevention of injury and damage to health.
  • Requests required by authorised officials or representatives of recognised trade unions. However, confirmation should be sought from the employee that the information is to be released and if possible, the employee’s written consent should be obtained.
  • Requests required by specifically identified external sources e.g. pension administrators, in order to administer internal company benefit schemes.

All staff should endeavour to restrict disclosures requested from outside Meggitt to those required by law as much as possible.

Employees are entitled to have access to personal data held about them which is not excluded data (see below). They are also entitled to be informed of the purpose for which the data is being or is intended to be used and the likely recipients (or class of recipients). The following information is excluded from this right to access:

  • Confidential references given by Meggitt. References received by Meggitt are not automatically excluded under this exemption but may be similarly protected as disclosing information relating to identifiable third parties as set out below.
  • Personal data processed for the purposes of management forecasting or management planning to the extent that disclosure would be likely to prejudice the conduct of that business or activity only.
  • Personal data which consists of records of the intentions of Meggitt relating to any negotiations with the employee to the extent that disclosure would be likely to prejudice those negotiations only.
  • If, in order to comply with a disclosure request, Meggitt would need to disclose information relating to an identifiable third party then disclosure is not required unless the third party has consented or it is reasonable to comply with the request without such third party consent. Failing these options, the data must be edited prior to disclosure so that the identity of third parties is not discernible.

6. CONCLUSION

Meggitt will process personal data in accordance with data protection legislation and principles. All Meggitt employees, temporary workers, visitors, voluntary and agency workers and third party suppliers are required to comply with this Group Data Protection Policy.

7. CONTACT INFORMATION

If you:

(a) have any questions relating to your personal data or our Data Protection Policy;
(b) would like to withdraw your consent to any use of your personal data as set out in this Data Protection Policy; or
(c) would like to obtain access and make corrections to your personal data records,

please contact our Data Protection Officer at dpo@meggitt.com, telephone 01202 597597 or write to the Data Protection Officer, Meggitt PLC, Atlantic House, Aviation Park West, Bournemouth International Airport, Christchurch, Dorset, BH23 6EW.

