IDEX Group Data Protection Policy
POLICIES & PROCEDURES
Subject:
IDEX Data Protection Policy
Number:
LGL-10-100
Scope:
All IDEX Business Units
Effective Date:
April 22, 2022
Administration:
This document is maintained and updated by the IDEX Corporate Compliance Department. Inquiries regarding interpretation of, or revisions to, the Policy should be made to the Chief Compliance Officer.
POLICY CONTENTS:
1.0 Applicability and Policy Definitions 1
2.0 General Rules of Data Protection 4
3.0 Scope and Implications of this Policy 5
4.0 Data Protection Concerns Everyone 5
5.0 Principles Relating to the Processing of Personal Data 6
6.0 Specific Required Data Protection Measures and Processes 8
7.0 Data Breaches Involving Personal Data 9
8.0 Cooperation with Third Parties 9
9.0 Data Subject Rights 10
11.0 Jurisdiction-Specific Addenda 11
European Union: GDPR 11
United Kingdom: UK GDPR 13
California: CCPA/CPRA 15
POLICY:
• Applicability and Policy Definitions
“IDEX Corporation” refers to all IDEX’s subsidiaries, affiliates and Business Units (“BU” or “BUs”) around the world (collectively, “the Company” or “IDEX”). Local laws governing data protection may vary depending on country; should there be a conflict between this Policy and local law, then local law applies.
The IDEX Data Protection Policy (the “Policy”) refers to the Company’s commitment to treat information of employees, customers, and other interested parties with the utmost care and confidentiality. Although this Policy is intended to address general data privacy and data protection laws around the world, it most specifically addresses obligations set forth under the General Data Protection Regulation (“GDPR”) (EU 2016/679); the United Kingdom (UK) GDPR (the Data Protection Act 2018 (“DPA”), as amended by the Data Protection, Privacy, and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019; the California Consumer Privacy Act (“CCPA”) (Cal. Civ. Code §§ 1798.100 et seq. (effective Jan. 1, 2020), and its associated regulations, 11 CCR §§ 999.300 et seq.); the California Privacy Rights Act (“CPRA”) (Cal. Civ. Code §§ 1798.100 et seq.) (when effective after January 1, 2023); the Colorado Privacy Act (“CPA”) (Colo. Rev. Stat. § 6-1-1301 et seq.) (when effective after July 1, 2023); the Virginia Consumer Data Protection Act (“CPA”) (Va. Code Ann. § 59.1-575 et seq.) (when effective after January 1, 2023); and the Personal Information Protection Law of the People’s Republic of China (“PIPL”) (effective November 1, 2021)
The Policy specifically applies when IDEX processes personal data as described in the European Union, UK, California, Colorado, Virginia, and China Jurisdiction-Specific Addenda attached to this Policy.
Below are definitions under the relevant privacy laws:
| Term | Definition |
| Anonymize | To “anonymize” or “de-identify” data as defined under the relevant Data Protection Laws, such that information can no longer reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual, taking into account the means likely reasonably to be used by IDEX or any other third-party to identify the individual. |
| Consent | Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the specific processing of his/her Personal Data. It has to be a clear affirmative act (“Opt-In”). Silence or inactivity are not sufficient. Consent may be withdrawn at any time with effect for the future. |
| Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, as may be further defined under applicable Data Protection Laws, including state breach notification laws in the United States, as applicable. |
| Data Controller | Either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the party that, alone or jointly with others, determines the means and purpose of the processing of Personal Data. Without limiting the foregoing, the term “Controller” includes a “business” under the CCPA or CPRA, and the term “Data Controller” includes “Personal Information Handler” under the PIPL. |
| Data Processing | Either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third-parties. The terms “Process,” “Processing,” “Processes,” and “Processed” have a correlative meaning. |
| Data Processor | Either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the Party that Processes the Personal Data on behalf of the Controller. Without limiting the foregoing, the term “Processor” includes a “service provider” or a “contractor” under the CCPA or CPRA, and “entrusted handler” under the PIPL. |
| Data Protection Impact Assessment (“DPIA”) | A risk assessment for a data processing activity only for certain high-risk processing activities or as otherwise required under applicable Data Protection Laws. This may include a description of: (a) the envisaged processing operation along with the purpose of the processing; (b) the legitimate interest pursued by the controller; (c) an assessment of the necessity and proportionality; (d) an assessment of risks to the rights and freedoms of Data Subjects; and (e) the measures envisaged to address the risks to ensure the protection of Personal Data and to demonstrate compliance with the applicable Data Protection Law. |
| Data Protection Procedures | Any IDEX or local BU internal policies/procedures supplementing this Policy. |
| Data Protection Laws | All applicable law relating to Personal Data or collection, use, storage, disclosure, transfer, or other processing of Personal Data of or by any government, or any authority, department, or agency thereof, or self-regulatory organization, including, without limitation: (a) GDPR; (b) UK GDPR; (c) CCPA; (d) CPRA (when in effect); (e) CPA (when in effect); (f) VCDPA (when in effect); and (g) PIPL. |
| Data Subject | Either: (a) the meaning set forth in the relevant Data Protection Laws; or (b) absent such a definition, the individual who is the subject of Personal Data that the Provider Processes for Customer. Without limiting the foregoing, the term “Data Subject” includes a “consumer” as defined under the CCPA or CPRA. |
| Joint Controller | With respect to the GDPR, UK GDPR and PIPL, two or more Data Controllers who jointly determine the purposes and means of the Data Processing. |
| Personal Data | Either: (a) information that the relevant Data Protection Laws otherwise define as “personal information” or “personal data”; or (b) in absence of such a definition in the relevant Data Protection Laws, such information that identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the provider’s possession or control or that the provider is likely to have access to. Without limiting the foregoing, the term “Personal Data” includes any “personal data” as defined under the GDPR, UK GDPR, CPA, and VCDPA and any “personal information” as defined under the CCPA, the CPRA and the PIPL. Without limiting the foregoing, this includes any information relating to an identified or identifiable natural person or as further described in Section 3 of this Policy. |
| Records of Processing Activities (“ROPA”) | A document with inventory and analysis purposes, which must reflect data processing tools and procedures and which precisely identifies: (a) the actors involved (Controller, Processors, representative, Joint Controller, etc.) in the Data Processing; (b) the categories of data processed; (c) the purpose of the processing; (d) who has access to and who are the recipients of the Personal Data; (e) how long the Personal Data is retained; and (f) the technical and organizational security measures implemented. |
| Responsible Person | The person responsible for the compliance of a particular processing activity with Data Protection Law as determined by the Data Protection Procedures. |
| Sensitive Data | Either: (a) information that the relevant Data Protection Laws define as “sensitive data,” “sensitive personal information,” or “special categories of personal data”; or (b) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Please see the Jurisdiction-Specific Addenda attached to this Policy for further detail. |
| Supervisory Authority | With respect to the GDPR and UK GDPR, an independent public authority, which is established by a European Union Member State or any other public authority which is responsible for monitoring the application of Data Protection Law. Supervisory authority also includes the California Privacy Protection Agency (CPPA) under the CPRA, or other regulatory body specifically responsible for promulgating regulations and enforcing the applicable Data Protection Laws. |
| Third Party/Parties | Any legal entity (whether an IDEX BU or not) that is different from the party processing the Personal Data as further described in Section 8 of this Policy. |
• General Rules of Data Protection
This Policy represents a component of a comprehensive data protection compliance strategy and establishes a framework for the lawful handling of Personal Data. The Policy is designed to ensure that all processing of Personal Data at IDEX is in compliance with relevant Data Protection Laws.
The general rules for data protection for employees to follow are:
- Data protection concerns every IDEX employee.
- Data Protection Laws may apply to all Personal Data, including Sensitive Personal Data, concerning natural persons, including employees, applicants, and business partners in the EU, UK, California, Colorado, Virginia, China and other jurisdictions.
- Any use of the Personal Data without one or more lawful basis described in the applicable Data Protection Law (which may include the consent of the Data subject) and for the specific predetermined purpose for which it was required is prohibited.
- Use caution with regard to Sensitive Data as it may only be processed pursuant to the applicable Data Protection Laws under limited conditions.
- New or modified Data Processing activities must be consistent with Data Protection Law and may need to be included in the ROPAs under the applicable Data Protection Law.
- The Global Privacy and Data Protection Team (as defined below) must be notified immediately of any potential or actual Data Breach.
- Exercise caution in data exchanges with third parties as tests and/or documentation may be necessary and special contracts/addendums to existing contracts will likely need to be put in place. Remember, even accidental access to the data may be considered a breach so consider any interaction with a third party to validate that personal data is not accessible to them through the course of their engagement with IDEX.
A negligent or deliberate violation of this Policy or Data Protection Law may result in discipline, up to and including termination of employment, with or without notice. In addition, employees may be personally liable under local laws, civil, criminal or Data Protection Law for damages to Data Subjects.
• Scope and Implications of this Policy
Relevant Data
This Policy applies solely to the handling of Personal Data, as defined above. Some examples of information that constitutes Personal Data because it directly identifies a person include their name and email address. However, Personal Data also includes information that may be indirectly linked to an individual, including a telephone number, an address, or a personnel number. For example, the information that five employees with the personnel numbers 9375, 9376, 9377, 9378 and 9379 were involved in workplace accidents is Personal Data because the Company can easily identify the employees.
In comparison, information or data which has been Anonymized is no longer subject to Data Protection Law and, therefore, this Policy does not apply (e.g., if the personnel numbers are deleted in the previous example, or replaced with “Subject A,” “Subject B,” “Subject C,” etc. the remaining information that five employees were involved in an accident cannot be linked to an identifiable person anymore).
This Policy does not relate to information about companies or entities generally. For example, IDEX may possess or receive certain information from or about other companies that may be considered confidential information, but not Personal Data. This would also include the name of the company, such as “XYX Corp” as a customer, vendor, or other relationship. While this Policy does not apply to those situations, our Code of Business Conduct and Ethics may apply regarding the handling of confidential or sensitive business information.
Publication of this Data Protection Policy and Updates
This Policy should be made available to all employees, including new employees upon hire. This Policy will be reviewed regularly by the Corporate Compliance Department and employees will be informed in a timely and appropriate manner of any substantive changes.
• Data Protection Concerns Everyone
Employees Must Observe Data Protection
All employees who have access to Personal Data may only process Personal Data as authorized and in accordance with the instructions of the respective Responsible Person. All areas must comply with Data Protection Law; however, in particular, employees in Marketing, Human Resources (HR), and Information Technology (IT) should be especially aware of data protection requirements as they more regularly handle Personal Data and Sensitive Data.
Privacy and Data Protection Governance Structure
IDEX maintains a governance program led by the Global Privacy and Data Protection Team comprised of members of multiple corporate functions. Each IDEX BU has a named local Privacy Lead, who is an extension of the Team. Additionally, certain BUs have appointed Data Protection Officers, as may be required under applicable laws, including applicable Data Protection Laws. Each of their roles are described in more detail below.
| Role | Description |
| Global Privacy and Data Protection Team (“Team”) | The Team that directs activities relating to data protection broadly, not only those related to the Data Protection Laws. The Team is responsible for ensuring overall Data Protection Law compliance at an enterprise-wide level and will work with the local Privacy Leads regarding key activities related to privacy governance and program management, policies and procedures, privacy regulatory compliance, business enablement, privacy breach and incident response, and communication and training. The Team can be contacted directly or also via a dedicated email address at: LFOPrivacy@idexcorp.com.
Additionally, the Team acts as the point of contact for regulators during inquiries and general communications. By contrast, the local Privacy Leads remain the first point of contact for local employees, except in matters of urgency or great importance. |
| Privacy Lead | Personnel situated locally at each IDEX BU, whose responsibilities include supporting data protection initiatives in their respective local BUs. The Privacy Leads are the local coordinators for all data protection matters and also serve as the point of contact for the Team. They also manage all data protection documents for an IDEX BU, e.g., policies, procedures, templates and data protection statements. |
| Data Protection Officer (“DPO”) | Only certain IDEX BUs (only if required by law) will appoint a Data Protection Officer in accordance with the applicable Data Protection Law. His/her tasks will include at a minimum to inform and advise on and monitor compliance with the applicable Data Protection Laws and internal policies and procedures on data protection. A DPO may have certain requirements and other obligations pursuant to applicable Data Protection Laws. Before any BU appoints a DPO, please contact the Team. |
Notification of Privacy and Data Protection Issues
Questions regarding this Policy, or the correct handling of Personal Data in general, should be communicated to the local Privacy Lead and/or the Team. If employees have questions regarding compliance with relevant Data Protection Law during the execution of their duties, they should consult with the Responsible Person for the individual Data Processing, the BU Privacy Lead and/or the Team. In addition, employees should also immediately report any actual or suspected violations of this Policy or Data Protection Law to the Responsible Person for the specific Data Processing, the BU Privacy Lead and/or the Team.
• Principles Relating to the Processing of Personal Data
Below are the general guidelines relating to Data Processing for which IDEX and the BUs are individually responsible.
The Processing of Personal Data Must Comply with the Applicable Data Protection Law
The processing of Personal Data is lawful only if it complies with the statutory requirements under the applicable Data Protection Law. Please see the Jurisdiction-Specific Addenda attached to this Policy for a description of the legal bases for Data Processing under each applicable Data Protection Law.
Principles of Purpose Limitation, Data Minimization and Storage Limitation
Personal Data must be processed for a specific purpose. Before any Data Processing occurs, it must be determined, whether and to what extent, the Data Processing is necessary in order to achieve the purpose for which it is undertaken (e.g., if a special contact form is used for job applicants, the hiring company will require the applicant to provide certain data needed to process and/or respond to the job application, such as e-mail address, telephone number or postal address).
If such purpose is changed, special legal requirements apply, meaning that the Data Subject must consent or Data Protection Law must allow such change of purpose (e.g., business contact sends an e-mail regarding certain product information; the e-mail address is collected to respond and take steps to enter into a contract – the e-mail address may not be used for other non-related purposes, such as a marketing newsletter).
IDEX must only collect he minimum amount of Personal Data in order to achieve the stated particular purpose. In addition, Personal Data must be deleted once it is no longer necessary for the purpose for which it was collected, unless otherwise required by law. The time that each type of data is retained is described in each BU’s data retention policy. The Responsible Person for that particular data procedure is responsible for deleting the data. If Personal Data is stored with external Data Processors, IDEX must take steps to ensure that data is also irrevocably deleted (in partnership with local IT).
Principle of Transparency
Data Subjects must be informed about how their Personal Data is being handled. The relevant Data Protection Laws require that Data Controllers provide specific information to the Data Subjects. Every Responsible Person ensures that Data Subjects are informed adequately and in a timely manner (usually at or shortly before the time when the Personal Data is collected).
As an example, a user visits the IDEX website. The Website Data Protection Statement must be made available to the user by inserting a direct link on the homepage. This Data Protection Statement must inform the website user about the specific Data Processing, about the identity of the Data Controller, the data categories, the purpose(s) of Data Processing and about to whom the Personal Data might be disclosed to. The types of additional information that may be required under certain Data Protection Laws include the name and contact information of the DPO, how long information must be retained for, and information about how the Data Subject my exercise his or her rights under the applicable Data Protection Law.
Principle of Factual Accuracy and Currency
The Responsible Person for the Data Processing has to take all reasonable steps to remove, supplement or update Personal Data that is inaccurate or incomplete. The Data Subject has the right to request erroneous data about him/her be deleted or rectified in a short timeframe (e.g., an employee gets married and changes his or her last name, he/she has the right to request the employer change the last name in the Company database).
Principle of Data Integrity, Confidentiality and Accountability
The security of all data must be appropriately maintained at all times. Reasonable and appropriate security measures must be implemented designed to keep Personal Data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage. Technical and organizational measures must be taken to ensure a level of protection appropriate to the risk of processing. While this may vary by risk, such measures often include measures of access control (e.g., limiting the access of certain Personal Data to only personnel in certain roles, such as limiting access to certain data about employees to human resources personnel who need to access that information to perform their job), securing the physical location of places where Personal Data may be stored (including on paper) (e.g., locking data centers so they may only be accessed by a badge or keycode, locking draws, and the use of safes for highly sensitive data), network firewalls and intrusion prevention systems, encryption in transmission and encryption at rest (e.g., encrypting data on disk drives, particularly mobile devices, and using VPN or other encrypted communication systems to transmit the data over the internet). In addition, these security controls should be regularly tested to ensure that they continue to function as designed, and newly discovered critical vulnerabilities are promptly addressed.
- Specific Required Data Protection Measures and Processes
The following data protection measures and processes are required. However, this Policy also may be supplemented by more specific local BU Data Protection Procedures. In case of inconsistencies between this IDEX Data Protection Policy and any local policies and procedures, the more protective requirements prevail.
Data Protection By Design and By Default
Data protection principles (as stated in Section 5.0) are required to be implemented by the appropriate technical and organizational measures into all processing of Personal Data. And, when introducing new procedures for processing Personal Data, the Responsible Person must ensure this procedure is permissible under Data Protection Law. The review should take place as early as possible, and before the respective Processing of Personal Data starts. The legal basis under all applicable Data Protection Laws must be documented and retained with local BU program documents, if applicable. The type and scope of these measures depend on the: (i) state of the technology; (ii) implementation costs; (iii) type, scope, circumstances and purposes of Data Processing; and (iv) probability of occurrence and severity of the risk for the rights and freedoms of natural persons.
As an example, data protection-friendly technologies (e.g., designing a customer contact form) and data protection-friendly pre-settings (e.g., a new Customer Relationship System is set up and IT ensures that the checkbox for receiving the newsletter is not pre-selected) shall be implemented from the design phase, when processing Personal Data.
Record of Processing Activities
IDEX must document and retain a ROPA relating to Personal Data as and when required under applicable Data Protection Laws. Such record is the central tool to the management of data processing activities. Every data processing activity in which Personal Data is processed must be listed in the ROPA and ensure all information is correct and complete before implementing the new processing activity. The same applies if a data processing activity is changed as new data categories are processed or new software is used.
Data Protection Impact Assessment
If a planned Data Processing involves Sensitive Data or is likely to entail a high or heightened risk of harm to the Data Subjects, the Responsible Person in each case shall contact the Privacy Lead and the Team to determine whether a DPIA is necessary before the Data Processing is put into operation. Please see the Jurisdiction-Specific Addenda attached to this Policy for a description of when a DPIA is required under each applicable Data Protection Law.
- Data Breaches Involving Personal Data
A Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. Data Breaches may, in particular, include:
- Improper transmission of Personal Data to third parties (e.g., e-mails containing Personal Data were sent to the wrong recipients);
- Improper access by third parties to Personal Data (e.g., access controls in the HR-systems failed and employees had access to personnel files);
- Improper destruction or disposal of Personal Data (.e.g., disposal of documents containing Personal Data without shredding);
- Loss of Personal Data (e.g., notebooks or a storage device were lost); and/or
- Unavailability or loss of Personal Data (e.g., due to a ransomware incident).
- However, a Data Breach does NOT occur simply as a result of unsuccessful attempts or probes of the IT systems (e.g., such as by probing or scanning IDEX systems or network, unsuccessful phishing attempts, etc.).
If a Data Breach has occurred or is reasonably suspected, the Team must be informed immediately pursuant to the IDEX Incident Response Policy and Procedures. Communication with the parties concerned or the Supervisory Authority/relevant government authority will be done as a joint effort between the Team and the local IDEX BU, individuals that are not specifically authorized to communicate with Supervisory Authorities/relevant government authorities must not communicate with them and refer any questions to the Team. The Team shall be contacted before any contact is made with the Supervisory Authority or relevant government authority. The Team and the BU will partner to determine whether notification to Data Subjects is required under the applicable Data Protection Law. Please see the IDEX Incident Response Policy for further details on the notification requirements under applicable Data Protection Laws.
- Cooperation with Third Parties
IDEX Corporation, or an IDEX BU, may choose, or may be contractually required, to provide Personal Data to Third Parties. In this case, legal requirements apply to the lawfulness of the Data Processing. They apply even if only the possibility exists that a Third Party may access the Personal Data. Importantly, such legal requirements include special data protection contracts, as well as certain technical and organizational measures, to document the Third Party’s compliance with Data Protection Law. Please see the Jurisdiction-Specific Addenda attached to this Policy for a description of what is required under each Data Protection Law.
- Data Subject Rights
Data Subjects have certain rights with respect to their Personal Data under Data Protection Law. The specific rights and limitations on each right varies under each Data Protection Law. Additional information about each of these rights and the applicable limitations under each Data Protection law can be found in the Jurisdiction-Specific Addenda attached to this Policy. Privacy Leads and employees are required to report requests by Data Subjects to exercise these rights to the Team immediately. Please see the IDEX SOP: Data Subject Rights Requests under EU Data Protection Laws and U.S. Privacy Laws, which you can access here. The Team will work with the local IDEX BU for handling and appropriate responses.
- Jurisdiction-Specific Addenda
European Union: GDPR
Applicability: The GDPR and this addendum specifically apply when IDEX processes Personal Data: (i) at an IDEX BU within the European Union (“EU”) and/or the European Economic Area (“EEA”) and/or (ii) at an IDEX BU outside the EU or EEA where such processing is connected to the business of an IDEX BU within the EU and/or EEA. The GDPR also applies when the Personal Data processed is related to Data Subjects who are residents within the EU and/or EEA and where the processing activities are related to either: (a) the offering of goods or services to such Data Subjects; or (b) the monitoring of behaviour that takes place within the EU and/or EEA.
The Processing of Personal Data: The processing of Personal Data is lawful only if an explicit legal basis applies. Such legal basis can either be: (i) a statutory permission to process the data; or (ii) Consent by the Data Subject. The accepted statutory permissions are:
Performance of or taking steps to enter a contract: When the Data Processing is necessary to fulfill a contract with the Data Subject or a contract requested by the Data Subject (e.g., the Human Resources Department collects bank details of employees for salary payment).
Compliance with legal obligations: When a certain Data Processing is requested by law (e.g., a court orders the release of certain information for legal proceedings).
Legitimate interest: When the Data Processing is in the legitimate interest of IDEX or a third party and the interests and rights of the Data Subject do not take precedence.
If there is no statutory permission for Data Processing, then Consent must be obtained from the Data Subject. The law places high demands on the effectiveness of such Consent; it must be affirmative (e.g., the Data Subject must check a box to show they consent, silence cannot be used to show consent and so pre-checked boxes and check boxes and the like that must be clicked to show a refusal of consent are not permitted), declared freely, for the specific case, in an informed manner and unequivocally. Consents may be withdrawn at any time by the Data Subject with effect for the future. However, consents can generally not be used for processing personal data of Data Subjects who are employees of IDEX, because the European Union has determined that employees generally cannot freely give (or refuse) consent. Also note that Consent is generally required for the processing of Sensitive Data.
For the processing of employment data or Sensitive Data, please contact your Responsible Person. Such Responsible Person must ensure the Consents used meet the applicable legal requirements.
“Sensitive Data”: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.
Data Protection Impact Assessment: If a planned Data Processing is likely to entail a high risk to the rights or freedoms of the Data Subjects, the Responsible Person in each case shall contact the Privacy Lead and the Team to determine whether a DPIA is necessary before the Data Processing is put into operation. A high risk to the freedoms or rights of a Data Subject exists when Sensitive Data is processed on a large scale, publicly accessible areas are monitored on a large scale and/or when personal aspects of people are systematically and extensively evaluated with a significant effect on the Data Subject.
Cooperation with Third Parties: In principle, the GDPR establishes three types of contractual relationships:
Data Processing: When a Third-Party processes Personal Data on behalf of the Data Controller (i.e., only following the Data Controller’s instruction), such entity is a Data Processor. If IDEX Corporation itself or an IDEX BU is the Data Controller, it is responsible for the Personal Data. However, a contract, or an addendum to an existing contract, fulfilling the requirements set out in Article 28 GDPR must be put in place.
Independent Controller-to-Controller Transfer: Personal Data could be transferred to a Third Party who will independently process such Personal Data (for purposes determined by the latter entity). In this case, the Third Party itself becomes the Data Controller and, thus, responsible for the Data Processing. In such a case, the transfer of data must be allowed under Data Protection Law either by Consent or a statutory permission.
Joint Controllership: A Third Party and IDEX Corporation or an IDEX BU may jointly determine the purposes and means of Data Processing. In this case, IDEX Corporation or the IDEX BU and the Third Party are Joint Controllers. Also, in this case, a special data protection contract fulfilling the requirements of Article 26 GDPR is required.
Transfer of Data from the EU/EEA to Third Countries: Additional restrictions exist for data transfers out of the EU and/or EEA to recipients in third countries. In the event that Personal Data is planned to be transferred to such a third country (whether to a Data Processor, another Data Controller or a Joint Controller), the Responsible Person must ensure the appropriate contractual terms are in place.
IDEX Corporation, or the IDEX BU, must ensure that the recipient of the Personal Data outside the EU and/or the EEA has an adequate level of data protection within the meaning of Article 45 GDPR or that there are suitable guarantees within the meaning of Article 46 GDPR. This may require an investigation as to the privacy protections and surveillance laws in the country receiving the Personal Data.
Data Subject Rights:
Right of Access: Every Data Subject has the right to receive information regarding the data stored about him/her; the information shall be complete as specified by Article 14 GDPR and in a form and language comprehensible to the person concerned.
Right to Portable Data: The Data Subject has the right to receive the Personal Data concerning him/her in a structured, current and machine-readable format or to be transferred to another location directly.
Right to Rectification and Erasure: Personal Data must be factually correct and incorrect data must be rectified at the request of the Data Subject; irrespective of this, Personal Data are to be regularly checked for their correctness and necessity and deleted if the data are no longer required to fulfil the purpose pursued in each case. Personal Data must also be erased at the request of the Data Subject as specified by Article 17 GDPR.
Right to Restriction of Processing: In certain cases, Data Subjects have the right to obtain a restriction on the Data Processing of their Personal Data; the data concerned shall be blocked for further Data Processing.
Right to Object: In certain circumstances, such as direct marketing or profiling as defined by the GPDR, the Data Subject may have a right to object to the processing of his/her Personal Data (Article 21 GDPR). In this case, the Data Processing may not be continued. Data subjects also have the right not to be subject to a decision based solely on automated processing under Article 22 GDPR.
Applicability: The UK GDPR and this addendum specifically apply when IDEX processes Personal Data: (i) at an IDEX BU within the UK and/or (ii) at an IDEX BU outside the UK where such processing is connected to the business of an IDEX BU within the UK. The UK GDPR also applies when the Personal Data processed is related to Data Subjects who are residents within the UK and where the processing activities are related to either: (a) the offering of goods or services to such Data Subjects; or (b) the monitoring of behaviour that takes place within the UK. While the UK GDPR substantially overlaps the GDPR, it is a separate legal framework and, in some cases, may require efforts that duplicate those of the GDPR.
The Processing of Personal Data: The processing of Personal Data is lawful only if an explicit legal basis applies. Such legal basis can either be: (i) a statutory permission to process the data; or (ii) Consent by the Data Subject. The accepted statutory permissions are:
Performance of or taking steps to enter a contract: When the Data Processing is necessary to fulfill a contract with the Data Subject or a contract requested by the Data Subject (e.g., the Human Resources Department collects bank details of employees for salary payment).
Compliance with legal obligations: When a certain Data Processing is requested by law (e.g., a court orders the release of certain information for legal proceedings).
Legitimate interest: When the Data Processing is in the legitimate interest of IDEX or a third party and the interests and rights of the Data Subject do not take precedence.
If there is no statutory permission for Data Processing, then Consent must be obtained from the Data Subject. The law places high demands on the effectiveness of such Consent; it must be affirmative (e.g., the Data Subject must check a box to show they consent, silence cannot be used to show consent and so pre-checked boxes and check boxes and the like that must be clicked to show a refusal of consent are not permitted), declared freely, for the specific case, in an informed manner and unequivocally (e.g., a business contact agrees to the subscription of a newsletter by clicking “subscribe now”). Consents may be withdrawn at any time by the Data Subject with effect for the future. However, consents can generally not be used for processing personal data of Data Subjects who are employees of IDEX, because the UK has determined that employees generally cannot freely give (or refuse) consent. Also note that Consent is generally required for the processing of Sensitive Data.
For the processing of employment data or Sensitive Data, please contact your Responsible Person. Such Responsible Person must ensure the Consents used meet the applicable legal requirements.
“Sensitive Data”: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.
Data Protection Impact Assessment: If a planned Data Processing is likely to entail a high risk to the rights or freedoms of the Data Subjects, the Responsible Person in each case shall contact the Privacy Lead and the Team to determine whether a DPIA is necessary before the Data Processing is put into operation. A high risk to the freedoms or rights of a Data Subject exists when Sensitive Data is processed on a large scale, publicly accessible areas are monitored on a large scale and/or when personal aspects of people are systematically and extensively evaluated with a significant effect on the Data Subject.
Cooperation with Third Parties: In principle, the UK GDPR establishes three types of contractual relationships:
Data Processing: When a Third-Party processes Personal Data on behalf of the Data Controller (i.e., only following the Data Controller’s instruction), such entity is a Data Processor. If IDEX Corporation itself or an IDEX BU is the Data Controller, it is responsible for the Personal Data. However, a contract, or an addendum to an existing contract, fulfilling the requirements set out in Article 28 UK GDPR must be put in place.
Independent Controller-to-Controller Transfer: Personal Data could be transferred to a Third Party who will independently process such Personal Data (for purposes determined by the latter entity). In this case, the Third Party itself becomes the Data Controller and, thus, responsible for the Data Processing. In such a case, the transfer of data must be allowed under Data Protection Law either by Consent or a statutory permission.
Joint Controllership: A Third Party and IDEX Corporation or an IDEX BU may jointly determine the purposes and means of Data Processing. In this case, IDEX Corporation or the IDEX BU and the Third Party are Joint Controllers. Also, in this case, a special data protection contract fulfilling the requirements of Article 26 UK GDPR is required.
Transfer of Data from the UK to Third Countries: Additional restrictions exist for data transfers out of the UK to recipients in third countries. In the event that Personal Data is planned to be transferred to such a third country (whether to a Data Processor, another Data Controller or a Joint Controller), the Responsible Person must ensure the appropriate contractual terms are in place.
IDEX Corporation, or the IDEX BU, must ensure that the recipient of the Personal Data outside the UK has an adequate level of data protection within the meaning of Article 45 UK GDPR or that there are suitable guarantees within the meaning of Article 46 UK GDPR. This may require an investigation as to the privacy protections and surveillance laws in the country receiving the Personal Data.
Data Subject Rights:
Right of Access: Every Data Subject has the right to receive information regarding the data stored about him/her; the information shall be complete as specified by Article 14 UK GDPR and in a form and language comprehensible to the person concerned.
Right to Portable Data: The Data Subject has the right to receive the Personal Data concerning him/her in a structured, current and machine-readable format or to be transferred to another location directly.
Right to Rectification and Erasure: Personal Data must be factually correct and incorrect data must be rectified at the request of the Data Subject; irrespective of this, Personal Data are to be regularly checked for their correctness and necessity and deleted if the data are no longer required to fulfil the purpose pursued in each case. Personal Data must also be erased at the request of the Data Subject as specified by Article 17 UK GDPR.
Right to Restriction of Processing: In certain cases, Data Subjects have the right to obtain a restriction on the Data Processing of their Personal Data; the data concerned shall be blocked for further Data Processing.
Right to Object: In certain circumstances, such as direct marketing or profiling as defined by the UK GPDR, the Data Subject may have a right to object to the processing of his/her Personal Data (Article 21 UK GDPR). In this case, the Data Processing may not be continued. Data subjects also have the right not to be subject to a decision based solely on automated processing under Article 22 UK GDPR.
China: PIPL
Applicability: The PIPL and this addendum specifically apply when (i) IDEX processes Personal Data within the People’s Republic of China (“China”, which, solely for the purposes herein, is exclusive of Taiwan, Hong Kong and Macau); and (ii) IDEX processes Personal Data outside China provided that the Personal Data processed is related to Data Subjects who reside in China and where the processing activities are related to either: (a) the offering of goods or services to such Data Subjects; or (b) analysing or evaluating the behaviours of such Data Subjects.
The Processing of Personal Data: The processing of Personal Data is lawful only if an explicit legal basis applies. Such legal basis can either be: (i) a statutory permission to process the data; or (ii) Consent by the Data Subject. The accepted statutory permissions include but are not limited to:
Performance of or taking steps to enter a contract: When the Data Processing is necessary to fulfill a contract with the Data Subject or a contract requested by the Data Subject or necessary to conduct human resources management in accordance with lawfully formulated labor rules and regulations and lawfully concluded contracts (e.g., the Human Resources Department collects bank details of employees for salary payment).
Compliance with legal or regulatory obligations: When a certain Data Processing is requested by law (e.g., a court orders the release of certain information for legal proceedings).
If there is no statutory permission for Data Processing, then Consent must be obtained from the Data Subject. The law places high demands on the effectiveness of such Consent; it must be affirmative (e.g., the Data Subject must check a box to show they consent, silence cannot be used to show consent and so pre-checked boxes and check boxes and the like that must be clicked to show a refusal of consent are not permitted), declared freely, for the specific case, and in an informed manner. Consents may be withdrawn at any time by the Data Subject with effect for the future. Also note that special Consent may be required for the processing of Sensitive Data.
For the processing of Sensitive Data, please contact your Responsible Person. Such Responsible Person must ensure the Consents used meet the applicable legal requirements.
“Sensitive Data”: Personal Data that, once leaked or illegally used, is likely to infringe the human dignity of individuals or endanger personal and property safety, including biometric information (e.g. fingerprint or facial recognition), religious beliefs, specially-designated status, health status, financial accounts (e.g. bank accounts, deposit and payment information), individual location tracking (e.g. whereabouts, lodging information), etc., as well as the Personal Data of minors under the age of 14.
Data Protection Impact Assessment: If a planned Data Processing is likely to entail a high risk to the rights of the Data Subjects, the Responsible Person in each case shall contact the Privacy Lead and the Team to determine whether a DPIA is necessary before the Data Processing is put into operation. A high risk to the rights of a Data Subject exists in the following circumstances: (i) processing Sensitive Data; (ii) using Personal Data to conduct automated decision-making; (iii) entrusting Data Processing to a third party, providing Personal Data to another Data Controller, or disclosing Personal Data publicly; (iv) transferring Personal Data cross-border; and (v) other Data Processing activities that may have a major influence on individuals.
Cooperation with Third Parties: In principle, the PIPL establishes three types of contractual relationships:
Data Processing: When a Third-Party processes Personal Data on behalf of the Data Controller (i.e., only following the Data Controller’s instruction), such entity is a Data Processor. If IDEX Corporation itself or an IDEX BU is the Data Controller, it is responsible for the Personal Data. However, a contract, or an addendum to an existing contract, fulfilling the requirements set out in the PIPL, must be in place.
Independent Controller-to-Controller Transfer: Personal Data could be transferred to a Third Party who will independently process such Personal Data (for purposes determined by the latter entity). In this case, the Third Party itself becomes the Data Controller and, thus, responsible for the Data Processing. In such a case, the transfer of data must be allowed under the PIPL either by Consent or a statutory permission.
Joint Controllership: A Third Party and IDEX Corporation or an IDEX BU may jointly determine the purposes and means of Data Processing. In this case, IDEX Corporation or the IDEX BU and the Third Party are Joint Controllers. Also, in this case, a special data protection contract fulfilling the requirements of the PIPL is required.
International Data Transfers: To the extent permitted by the PIPL, we may transfer your Personal Data outside of China to companies and/or branches within our group or to third parties as described in this Statement, and we will ensure the recipient is bound by applicable laws in its jurisdiction to provide a standard of protection for your Personal Data that is equivalent to that under this Statement.
Data Subject Rights: The PIPL provides you with certain rights in relation to the processing of your Personal Data. Besides the rights listed below, you also have the right to request us to interpret this Statement for you. Those rights include:
Right of Access: Every Data Subject has the right to receive information regarding the data stored about him/her and to check that we are lawfully processing it.
Right to Portable Data: Every Data Subject has the right to receive the Personal Data concerning him/her in a structured, current and machine-readable format or to be transferred to another location directly.
Right to Rectification and Erasure: Personal Data must be factually correct and incorrect data must be rectified at the request of the Data Subject; irrespective of this, Personal Data are to be regularly checked for their correctness and necessity and deleted if the data are no longer required to fulfil the purpose pursued in each case. Personal Data must also be erased at the request of the Data Subject. Please note that there may be circumstances where IDEX is legally entitled to retain Personal Data regardless of any such request.
Right to Restriction of Processing: In certain cases, Data Subjects have the right to obtain a restriction on the Data Processing of their Personal Data; the data concerned shall be blocked for further Data Processing.
Right to Object: In certain circumstances, such as direct marketing based on automated processing as defined by the PIPL, the Data Subject may have a right to object to the processing of his/her Personal Data. In this case, the Data Processing may not be continued. Data subjects also have the right not to be subject to a decision with a major influence on his/her rights and interests based solely on automated processing.
California: CCPA/CPRA
Applicability: The CCPA specifically applies when IDEX (i) conducts business in California; and (ii) either (a) has over $25 million in gross annual revenue (no matter where that revenue comes from, including all other BUs that the consumer would understand are affiliates); or (b) annually buys, receives, sells, or shares the Personal Data of at least fifty thousand (50,000) California residents, households, or devices; or (c) derives 50% or more of its annual revenues from selling California residents’ Personal Data.
Starting in 2023, the CPRA will apply (and the CCPA will no longer be valid) when IDEX (i) conducts business in California; and (ii) either (a) had over $25 million in gross annual revenue in the preceding calendar year (no matter where that revenue comes from, including all other BUs that the consumer would understand are affiliates); or (b) annually buys, sells, or shares the Personal Data of at least one hundred thousand (100,000) California residents or households; or (c) derives 50% or more of its annual revenues from selling or sharing California residents’ Personal Data. For the purposes of the CPRA only, the term “sharing” means disclosing Personal Data for the purpose of cross-contextual behavioral advertising. It does not apply to sharing or disclosures in other contacts.
The Processing of Personal Data: Under both the CCPA and CPRA, IDEX must inform the Data Subjects of the categories of Personal Data to be collected and the purposes for which the Personal Data is Processed. The Processing of Personal Data must be compatible with the disclosed purpose(s) given at collection.
Under the CCPA and CPRA, Consent is only required for the sale of Personal Data of minors under the age of 16 (although consent is required under COPPA for collection of Personal Data from a child under 13 for any purpose) for monetary or other valuable consideration and for the sale of Personal Data for monetary or other valuable consideration of someone who previously opted-out of the sale of their Personal Data. The Responsible Persons must ensure the Consents used meet the applicable legal requirements. IDEX generally does not sell Personal Data for any purpose, and generally does not collect information from children under the age of 13, but if there is any concern that this may be occurring, contact the Responsible Person.
Under the CPRA, Consent is also required for sharing Personal Data for sharing Personal Data (as defined above) for minors under the age of 16 and for sharing Personal Data of someone who previously opted-out of the sharing of Personal Data. The Responsible Persons must ensure the Consents used meet the applicable legal requirements. IDEX generally does not share Personal Data of children under 16, but may share Personal Data of individuals over 16 under certain conditions.
California consumers will also have the right to opt out pf certain uses and disclosures of Sensitive Data under the CPRA. Because this is an opt-out, IDEX may process this information without obtaining consent, but must comply with any request to opt-out of this use by California consumers.
“Sensitive Data”: Sensitive Data includes a Data Subject’s social security, driver’s license, state identification card, or passport number; account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; genetic data; and the contents of a Data Subject’s mail, email and text messages, unless the business is the intended recipient of the communication. It also includes biometric information Processed for the purpose of uniquely identifying a Data Subject; Personal Data collected and analyzed concerning a Data Subject’s health; or Personal Data collected and analyzed concerning a Data Subject’s sex life or sexual orientation.
Data Protection Impact Assessment: The CCPA does not contain a DPIA requirement. However, DPIAs will be required under the CPRA. Starting in 2023, if a planned Data Processing presents a “significant risk” to California Data Subjects’ privacy or security, the Responsible Person in each case shall contact the Privacy Lead and the Team to determine whether a DPIA is necessary before the Data Processing is put into operation. A “significant risk” is not yet defined under the CPRA, but the California Privacy Protection Agency (CPPA) is charged with defining it through the rulemaking process. The final CPRA regulations should be published by July 1, 2022.
Cooperation with Third Parties: the CCPA and CPRA establish two types of contractual relationships:
Data Processing by “Service Providers”: When a (non-IDEX) Third-Party processes Personal Data strictly on behalf of the Data Controller (i.e., only following the Data Controller’s instruction), such entity is a “service provider” as defined by the CCPA or CPRA. If IDEX Corporation itself or an IDEX BU is the Data Controller, it is responsible for the Personal Data. However, a contract, or an addendum to an existing contract, fulfilling the requirements set out in CCPA § 1798.140(v) or CPRA § 1798.140(ag) must be put in place with the service provider.
Data Processing by non-third parties (under the CCPA) and “Contractors” (under the CPRA): When a Data Controller makes Personal Data available to a (non-IDEX) Third-Party for business purposes, such entity is a not a “third party” defined by the CCPA or a “contractor” as defined under the CPRA. If IDEX Corporation itself or an IDEX BU is the Data Controller, it is responsible for the Personal Data. However, a contract, or an addendum to an existing contract, fulfilling the requirements set out in CCPA § 1798.140(w)(2) or CPRA § 1798.140(j) must be put in place with the contractor.
Data Subject Rights:
Right of Access: Every Data Subject has the right to receive information regarding the data stored about him/her; the information shall be complete as specified by the CCPA/CPRA and in a form and language comprehensible to the person concerned.
Right to Portable Data: The Data Subject has the right to receive the Personal Data concerning him/her in a structured, current and machine-readable format or to be transferred to another location directly.
Right to Erasure: Personal Data must be erased at the request of the Data Subject as specified by the CCPA/CPRA.
Right to Rectification: Under the CPRA, incorrect Personal Data must be rectified at the request of the Data Subject.
Right to Restriction of Processing: Under the CPRA, Data Subjects will have the right to restrict the Data Processing of their Sensitive Data; the data concerned shall be blocked for further Data Processing.
Right to Opt-Out of Sale of Personal Data: Under the CCPA and CPRA, Data Subjects can opt-out of the “sale” of their Personal Data, to the extent IDEX sells such Personal Data as defined under the CCPA/CPRA.
Right to Opt-Out of “Sharing”: Under the CPRA, Data Subjects will have the right to opt-out of the “sharing” of their Personal Data, which means disclosing the Personal Data to third parties for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
Right to Opt-Out of Automated Decision Making: Under the CPRA, Data Subjects will have the right to opt-out of “automated decision-making technology, including profiling.”