Meritor is committed to providing privacy protection of personal data of its employees, suppliers and customers maintained by the company. It is Meritor’s intention to comply with all local data protection regulations worldwide including the European Union’s Directive on Data Privacy and the Swiss Federal Act on Data Protection. The company will certify annually with the U.S. Department of Commerce that Meritor is in compliance with the Privacy Shield framework approved by the European Commission (EU-U.S. Privacy Shield) and by the Swiss Federal Council (Swiss-U.S. Privacy Shield). Compliance with the Privacy Shield framework demonstrates the adequate privacy protection required by the European Union’s Directive and the Swiss Federal Act on Data Protection.
For purposes of this Policy, the following definitions shall apply:
Personal Data and Personal Information: data about an identified or identifiable individual that are within the scope of the Directive 95/46/EC, received by an organization in the United States from the European Union, and recorded in any form.
Sensitive Personal Information: personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual or, where received from a third party, data that is treated as sensitive by the third party. Where Swiss individuals are concerned, “Sensitive Personal Information” also includes ideological views or activities and information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
Agent: any third party processor that collects and/or uses personal information provided by Meritor to perform tasks on behalf of and under the instructions of Meritor.
Processing of EEA and/or Swiss Personal Data: any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
Meritor may from time to time process certain EEA and/or Swiss Personal Information about customers, suppliers, vendors, service providers, independent contractors, employees and candidates for employment, including information recorded on various media as well as electronic data. Meritor will process these data in conformity with the Privacy Shield principles and will continue to apply the principles to personal data received under the application of the Privacy Shield.
Meritor will use personal information concerning business partners such as suppliers or vendors, service providers, joint inventors, independent contractors and (prospective) customers to provide customers and business partners with information and services and to help Meritor personnel better understand the needs and interests of these business partners and/or customers. Specifically, Meritor uses information to help customers and business partners complete a transaction or order, to facilitate communication, to deliver products/services, to bill or to pay for purchased products/services, to provide ongoing service and support, to evaluate the quality of products and services, to book travel, accommodation and event registration, for business continuity and/or disaster recovery procedures, to select service and personnel, to allow individuals to register for websites and online services, to manage user accounts, to maintain, administer and to comply with Meritor's legal, regulatory compliance and auditing obligations, policies and procedures, for patent tracking, for sales and marketing purposes and to facilitate Meritor’s internal administrative processes. Occasionally Meritor personnel may use personal information to contact customers and business partners to complete surveys that are used for marketing and quality assurance purposes.
Meritor may also share personal information with its service providers (agents) and suppliers for the sole purpose and only to the extent needed to support the customers’ business needs. Service providers and suppliers are required to keep confidential personal information received from Meritor and may not use it for any purpose other than as originally intended. In case of data transfers to non-agent third parties the affected individuals will be informed about the transfer and the underlying purposes respectively.
Meritor abides by the following privacy principles, which are based on the Privacy Shield principles. A detailed description of the Privacy Shield principles can be found at the Privacy Shield website of the U.S. Department of Commerce.
Notice: Where Meritor collects Personal Information directly from individuals in the EEA and/or Switzerland or receives it from its European or Swiss affiliates, it or its European or Swiss affiliates will inform those individuals about the purposes for which they collect and use Personal Information about them; the transfer to Meritor in the U.S., the types or identity of third parties to which Meritor discloses that information; the purposes for which it does so, and the choices and means Meritor offers individuals for limiting the use and disclosure of their Personal Information and to access their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to Meritor, or as soon as practicable thereafter, and in any event before Meritor uses the information for a purpose other than that for which it was originally collected.
Choice: Meritor will offer individuals the opportunity to choose (opt-out) whether their Personal Information is (a) to be disclosed to a non-agent third party acting as a controller, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive personal information, Meritor will give individuals the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of their Sensitive Personal Information to (a) a non-agent third party acting as a controller or (b) the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Meritor will provide individuals with reasonable (especially clear and conspicuous, readily available and affordable) mechanisms to exercise their choices.
Accountability for Onward Transfer: Meritor will transfer personal data to agents only for limited and specific purposes. Third parties acting as agents for Meritor to which personal data is transferred will be required to enter into a written agreement with Meritor requiring the third party to provide at least the same level of privacy protection as is required by the relevant principles. Meritor recognizes its responsibility for onward transfers to agents and potential liability for incorrect transfers. Where Meritor has knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy and/or the level of protection as required by the principles, Meritor will take reasonable steps to prevent, remedy or stop the use or disclosure.
If Meritor transfers personal information to non-agent third parties acting as a controller, Meritor will apply the Notice and Choice principles and will obtain contractual assurance from these parties that they will provide the same level of protection as is required under the principles unless a derogation for specific situations under European or Swiss data protection law applies.
Access: Upon request, Meritor will grant individuals reasonable access to Personal Information that it holds about them. In addition, Meritor will take reasonable steps to permit individuals to correct, amend or delete information that is demonstrated to be inaccurate, incomplete or processed in violation of the principles. Meritor may limit an individual’s access to Personal Information where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.
Security: Meritor will take reasonable precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
Data Integrity and Purpose Limitation: Personal data maintained by the company will be used for the sole purpose for which it was collected or subsequently authorized by the individual. Meritor includes tasks and procedures to keep personal data accurate, complete, and current. Meritor will adhere to the principles as long as it retains personal information received under its Privacy Shield certification.
Recourse, Enforcement and Liability: Meritor utilizes the self-assessment approach to assure its compliance with this Policy. Meritor periodically verifies that this Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the Privacy Shield principles. Meritor encourages interested persons to raise any concerns with it using the contact information below. Meritor will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in this Policy.
With respect to any complaints relating to this Policy that cannot be resolved through Meritor’s internal processes, Meritor has agreed to cooperate with the data protection authorities in the EU and the Swiss Federal Data Protection and Information Commissioner and to participate in the dispute resolution procedures of the Panel established by the EU Data Protection Authorities to resolve disputes pursuant to the EU-U.S. Privacy Shield principles. Meritor is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory body under the Privacy Shield.
Where a complaint cannot be resolved by any of the aforementioned recourse mechanisms, individuals have a right to invoke binding arbitration under the Privacy Shield Panel as a recourse mechanism of “last resort”. Further information is available on the Privacy Shield website.
In the event that Meritor or such Authorities determine that Meritor did not comply with this Policy, Meritor will take appropriate steps to address any adverse effects and to promote future compliance.
Questions or comments regarding this Policy should be submitted to the Meritor Legal Department by mail or e-mail as follows:
April Miller Boise
Complaints or disputes not relating to Human Resources data which cannot be remedied by the Meritor Legal Department should be forwarded to the Business Standards Compliance Committee located at:
2135 W. Maple Road
Troy, Michigan USA
Changes to this Policy:
This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles. Appropriate public notice will be given concerning such amendments.
Limitations and Exceptions:
Adherence to these principles may be limited: (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, e.g. in the course of lawful requests by public authorities (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.
This Policy is effective as of September 30, 2016 and was last updated as of December 9, 2017.