Personal Data Privacy and Security Policy

This Policy is in effect for all Thor companies (“Thor”) and covers Personal Data which is Controlled or Processed by or on behalf of any Thor company.

Personal Data Security and Privacy Protection

It is the policy of Thor to Control and Process the Personal Data of those Individuals with whom Thor has a relationship (including current, prospective and past employees, customers, dealers, and users) in a manner which safeguards Personal Data and Individual privacy and in accordance with: Thor’s data protection standards, policies, and procedures; Thor’s Privacy Notice (or the Privacy Notice specific to a Thor company, product, or service); and applicable contract requirements, industry standards, laws and regulations. Personal Data may be in any form (electronic, on paper, or otherwise).

This Policy is based on the Generally Accepted Privacy Principles (“GAPP”). Nevertheless, specific implementation requirements may vary by location of the Data Subject and/or nature of the relationship with Thor due to variations in requirements specified in applicable law, including, for example, the General Data Protection Regulation (“GDPR”).

Definitions

Appendix A contains definitions of key terms capitalized in this Policy.

Application

This Policy applies to all Personal Data Controlled or Processed by or on behalf of any Thor companies and their personnel, agents, and vendors. 

A. All third parties Processing Personal Data for Thor must agree, in writing, to data protection terms sufficient to comply with this policy and applicable laws and regulations. 

B. This Policy is integrated with other applicable Thor policies and procedures, including those addressing IT, security, privacy, data protection, record retention, and employee records, all to protect the confidentiality, integrity, and availability of Personal Data. In the event of a conflict between the policies, Thor will in any event comply with all applicable laws and regulations.

Basic Principles

The Policy adheres to the GAPP privacy principles based on internationally known fair information practices included in many privacy laws and regulations under which Thor may operate. The GAPP principles are as follows:

| Principle | Description |
| --- | --- |
| Management | Thor will define, document, communicate, and assign accountability for its privacy policies and procedures. |
| Notice | Thor will provide Individuals with required notice in a timely manner where required and identify the purposes for which Personal Data is Controlled or Processed. |
| Choice and consent | Thor will provide Individuals with any required choices regarding the Processing of their Personal Data. |
| Collection | Thor will collect Personal Data only for legitimate business purposes. |
| Use, retention, and disposal | Thor will limit the use of Personal Data to the purposes identified in the notice and for which the Individual has provided implicit or explicit consent, as required by law. Thor will only retain Personal Data for as long as necessary to fulfill the stated purposes as required by law or regulation and thereafter appropriately dispose of such Personal Data. |
| Access | Thor will provide a mechanism to allow Individuals to access and correct their Personal Data. |
| Disclosure to third parties | Thor will disclose Personal Data to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the Individual in accordance with regulatory requirements. |
| Safeguarding | Thor will protect Personal Data which Thor Processes from unauthorized access (both logical and physical). |
| Quality | Thor will maintain accurate, complete, and relevant Personal Data for the purposes identified in the notice. |
| Monitoring and enforcement | Thor will monitor compliance with its privacy policies and procedures and have procedures to address privacy-related complaints and disputes. |

Privacy Breach Response

Any Security Incident, Data Breach or other incident involving the security of Personal Data or the Privacy of any Data Subject must be immediately reported in accordance with Thor Policy IT-14 (Security Incident Response) to ensure such incident will be evaluated against legal and regulatory requirements for notification to regulators and/or impacted Individuals. As part of this Policy, the Thor Corporate Legal Department will evaluate whether an incident is notifiable and will ensure that notification requirements and other legal requirements are met.

Lawfulness of Processing Personal Data

Thor will only Process Personal Data on the legal grounds permitted by applicable law and regulation. Those legal grounds include the following. (Consult the Thor Corporate Legal Department before attempting to Process Personal Data on any grounds not identified below).

A. Consent. Consent is generally a legal ground for Processing Personal Data, but the requirements for legally effective consent vary, depending on the jurisdiction, the Data Subject, and the type of Personal Data involved. In most jurisdictions, such as the U.S., Thor may rely on implied consent (e.g. notification in a Privacy Statement, or opt-out) to Process Personal Data. In others, however, express consent may be required. For example, to Process Personal Data originating from the EEA on the basis of consent, Thor must obtain freely given, specific, informed, and unambiguous consent from the Individual. This typically requires an accurate disclosure of the specific purposes for which Thor will use the Personal Data and a clear showing of consent (such as opt-in). (Note: additional restrictions may apply when attempting to obtain consent from persons under the age of 18.)

B. Other Legal Grounds for Processing. In addition to consent, Thor may Process Personal Data on one or more of the following legal grounds:

B.1. The Processing activity is necessary for the performance or preparation of a contract to which Thor and the Individual are parties (such as a warranty registration, or a contract for services with Thor).

B.2. The Processing activity is necessary for Thor’s compliance with a legal obligation to which Thor is subject.

B.3. The Processing activity is necessary to protect the vital interests of the Individual (only if Processing cannot be based on other grounds).

B.4. The Processing activity is necessary for the “Legitimate Interests” pursued by Thor, unless such interests are overridden by the Individual’s Interests or fundamental rights and freedoms which require the protection of his/her Personal Data (collectively, “Individual’s Interests”) (see below).

C. Legitimate Interests. Thor may Process Personal Data for the purposes that fall within the following categories of Legitimate Interests, as long as Thor’s interests are not outweighed by the Individual’s Interests:

C.1. Detecting and preventing the loss or theft of Thor’s business equipment and property, Personal Data, or Thor’s Intellectual Property;

C.2. Detecting and preventing any fraudulent or illegal activities;

C.3. Ensuring the security of Thor’s networks and information systems and containing, eradicating, and mitigating the effects of any incidents that may affect the security of Thor’s confidential information, Intellectual Property, or Personal Data; 

C.4. Allowing Individuals to exercise and enjoy their rights and benefits related to products and services provided by Thor; and

C.5. Processing job applicant information for recruiting.

D. Processing Sensitive Personal Data. Thor is permitted to Process Sensitive Personal Data only when it is authorized to do so by applicable law or a collective bargaining agreement. Should Thor inadvertently receive Sensitive Personal Data when it is not authorized to receive such data, the person receiving such data must notify the Thor Corporate Legal Department, and Thor will take reasonable steps to delete the data as soon as practicable. 

E. Analysis and Documentation of Processing Activities. Thor will periodically, and at least annually, review and analyze each of its Processing activities and thoroughly document the results of each analysis. Further, Thor will use the results of each analysis to guide its decision as to whether to continue, cease, or modify the respective Processing activity. Thor will review and analyze at least the following factors with respect to each of its Processing activities: 

E.1. Whether the Processing activity continues to be necessary, and if so, whether there continues to be legal grounds for the Processing activity;

E.2. If the Processing activity is based on a Legitimate Interest, whether Thor continues to have a Legitimate Interest that serves as the basis for the Processing activity;

E.3. If applicable, whether the identified Legitimate Interest continues to outweigh the Individual’s Interests, including, but not limited to, interests in privacy;

E.4. Whether the Processing activity continues to be fair to the Individual;

E.5. Whether the Personal Data involved in the Processing activity is proportionate to the intended purpose of the activity; and 

E.6. Whether there is an alternative means to accomplish the intended purpose of the Processing activity that has lesser impact on the Individual’s Interests. 

F. Introduction of New Processing Activities. Before initiating a new Processing activity or introducing a material change to an existing Processing activity, including transfer of Personal Data to a third party, Thor will perform the following actions:

F.1. Thor will determine if the proposed Processing activity triggers the need for a Data Protection Impact Assessment and if so, perform such assessment; and 

F.2. If the proposed Processing activity does not trigger the need for a Data Protection Impact Assessment, then Thor will nevertheless review and analyze the proposed Processing activity and thoroughly document the results of the analysis. Thor will use the results of the analysis to guide its decision as to whether to adopt or modify the proposed Processing activity. 

G. Data Protection Impact Assessment. A Data Protection Impact Assessment (“DPIA”) is required before engaging in any new Processing activity that is likely to result in a high risk to Individuals’ rights and freedoms. Processing activities involving new technologies must be particularly scrutinized. If required, in the opinion of the Thor Corporate Legal Department, the DPIA will include at least:

G.1. A systematic description of the proposed Processing activity and the purposes of the Processing, including, if applicable, the Legitimate Interest for the activity;

G.2. An assessment of the necessity and proportionality of the proposed Processing activity in relation to the intended purposes of the activity; and

G.3. A description of the measures that will be used to address the risk(s) associated with the Processing activity, including privacy and security safeguards, taking into account the Individual’s Interests. 

Notice

Prior to the Processing of Personal Data, Thor shall provide notice about its privacy practices and identify the purposes for which Personal Data is collected, used, retained, and disclosed, as required by law (a “Privacy Notice”). Notice will be provided by an online Privacy Notice and by any other means required by applicable law or regulation. All Thor products and services that collect Personal Data shall prominently refer to an appropriate Privacy Notice. Any Thor website that collects Personal Data will include a prominent link to the relevant online Privacy Notice.

A. A Thor company may adopt the Thor Corporate Privacy Notice or adopt a Privacy Notice specific to its company or a product or service, provided that it is consistent with the standards set forth in the Thor Corporate Privacy Notice.

B. If Thor privacy practices materially change, Thor will promptly post a revised Privacy Notice and will provide other notification required by applicable law and regulation. 

C. The Privacy Notice will meet local legal requirements and may include the following information:

C.1. The categories of Personal Data that Thor collects. For example, information obtained from the client, including from user computer systems e.g. cookies, information about the client’s transactions, or information obtained from third parties;

C.2. The purposes for which Thor Processes Personal Data;

C.3. The categories of Personal Data Thor may disclose;

C.4. The categories of affiliates and non-affiliated third parties to whom Personal Data may be disclosed;

C.5. A statement of the policies of Thor with respect to protecting the confidentiality and security of Personal Data; and

C.6. Other disclosures required by applicable law or regulation.

D. All Thor Privacy Notices will be reviewed at least once annually, or as relevant regulatory changes are made.

Collection

Thor shall collect the minimum amount of Personal Data necessary for the business purposes for which the data is to be Processed. Process and/or system owners should implement procedures to monitor that the collection of Personal Data is limited to that which is necessary for the purposes identified in the Privacy Notice and that all optional data requested from the Individual is identified as such.

Disclosure to Third Parties

Thor must disclose Personal Data to third parties only for the purposes identified in the notice provided to the Individual. No Personal Data will otherwise be shared with unaffiliated third parties other than as required by law, for the purposes of completing agreed services, or as directed by Thor customers. Thor will require Processors with which it contracts to employ measures to safeguard the security of Personal Data and protect the privacy of Individuals which are equivalent to or better than those required per this Policy in addition to measures which may be required by applicable law or regulation.

Quality

Thor must maintain accurate, complete, and relevant Personal Data for the purposes identified in the notice provided to the applicable Individual. Third party service providers should be contractually obligated to provide an acceptable level of data quality commensurate with the sensitivity of Thor information in their custody.

Retention Period; Disposal

Thor will retain Personal Data consistent with applicable law and regulation, industry standards, and Thor’s Record Retention Policy. Unless the Personal Data is required to be maintained for a longer period, such as in the case of a “litigation hold” under the Record Retention Policy:

A. Thor will not store Personal Data for longer than is necessary to achieve the intended purposes of a Processing activity;

B. Thor will delete Personal Data when it is no longer relevant (such as when it is no longer necessary to perform a Processing activity or an Individual no longer receives services from Thor); and

C. In any case (except for information subject to litigation hold), Thor will delete Personal Data upon expiration of the maximum storage term of the type of Personal Data as set forth by the applicable local law or Thor’s Record Retention Policy.

Security of Personal Data

Thor will apply commercially reasonable security measures to ensure that Processing activities occur in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful Processing, and against accidental loss, destruction, or damage. Specifically, Thor will use the technical and organizational measures outlined in Thor’s Information Technology policies and procedures to protect the confidentiality, availability, and integrity of Personal Data.

Individual’s Rights with Respect to Personal Data

Where required by law, Thor will afford Individuals the following rights with respect to Personal Data about them. All such requests must be immediately transmitted to the IT Manager of the respective Thor company, who will promptly review and act upon the request if necessary. The IT Manager will consult with Thor Legal as needed. To the extent feasible, Thor will notify any recipient of Personal Data about the rectification or erasure of such data that occurred pursuant to an Individual’s request.

A. Right to Access Personal Data. An Individual may request Thor to provide confirmation as to whether certain Personal Data about him or her are being Processed. An Individual may also request to access copies of, or inspect, the Personal Data about him or her that is undergoing Processing. Thor may use reasonable methods to verify the identity of the Individual requesting access to the data before fulfilling the request. Thor may charge a reasonable fee based on administrative costs for copies of additional Personal Data maintained about him or her. The Individual’s access right should not adversely affect the rights or freedoms of others, including intellectual property rights, but any potential adverse effect should not result in a refusal to provide the Individual with access to any Personal Data about him or her. Additionally, Thor will provide an Individual with the following information:

A.1. The purposes of the Processing and categories of Personal Data being Processed;

A.2. The recipients or categories of recipients to whom the Personal Data has or will be disclosed, including third parties and entities in other countries;

A.3. The time period during which the Personal Data will be stored or the criteria that Thor will use to determine that time period;

A.4. The existence of the right to request rectification or erasure of Personal Data;

A.5. The existence of the right to request a restriction on the Processing of Personal Data or to object to the Processing;

A.6. The right to file a complaint with a Supervisory Authority;

A.7. Information about the source(s) of the Personal Data, if the Personal Data was not collected directly from the Individual; and

A.8. A description of any automated decision-making using the Personal Data, including profiling the Individual. 

B. Right to Rectification of Personal Data. An Individual may request Thor to rectify inaccurate Personal Data about him or her. Thor will fulfill such a request without undue delay. An Individual also has the right to request Thor to complete any incomplete Personal Data about him or her, such as by allowing the Individual to submit a written statement to supplement the incomplete Personal Data. To the extent practicable, Thor will permit Individuals to log into applications storing electronic Personal Data about him or her and directly amend such data. 

C. Right to Erasure of Personal Data. An Individual may request Thor to delete Personal Data about him or her. Thor will fulfill such a request without undue delay and irrespective of the relevant document retention period outlined in Thor’s Record Retention Policy.

D. Right to Data Portability. An Individual may request Thor to provide Personal Data about him or her in a commonly used and machine-readable format so that the Individual can transmit the Personal Data to another Data Controller, such as a different employer. An Individual may also request Thor to transmit the Personal Data directly to another Data Controller. An Individual’s right to data portability applies only with respect to Personal Data that Thor is Processing in connection with the performance of a contract, such as an employment contract, to which the Individual is a party. The right to data portability does not apply to Personal Data that is Processed for a Legitimate Interest, compliance with a legal obligation, the exercise or defense of legal claims, or the performance of tasks carried out in the public interest (such as public health activities).

Appendix: Definitions

| Term | Description |
| --- | --- |
| Controller | An individual, legal entity (such as a corporation), agency, or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data. In the context of our operations, this typically refers to Thor (or a Thor subsidiary), but it may also include entities that jointly control Personal Data with Thor. |
| Controlling | Determining the purpose and means of the Processing of Personal Data. |
| Data Breach | Defined in Thor Policy IT-14 (Security Incident Response). |
| Data Subject | An Individual who is the subject of Personal Data. |
| EEA | European Economic Area, which includes the 28 EU member states plus Iceland, Liechtenstein, and Norway. |
| GDPR | The General Data Protection Regulation. This is a European privacy regulation which applies to Controllers and Processors of Personal Data of residents of the EEA. |
| Individual | A natural, living person whom the Personal Data describes or identifies. Individuals can include prospective, current, and former customers, website users, employees, and others with whom Thor has a relationship. |
| Intellectual Property | All forms of intellectual property, including trade secrets, proprietary information, and customer information. |
| Personal Data | Information relating to an Individual that includes data that can be used to directly or indirectly identify or describe an Individual. This definition includes a wide range of personal identifiers, including name, identification number, location data, or online identifier (such as an IP address or device identifier). |
| Processing | Any operation performed on Personal Data, whether or not by automated means, including collection, use, recording, storage, disposal, transfer, etc. |
| Processor | A natural or legal person, public authority, agency or any other body which Processes Personal Data on behalf of the Controller. |
| Security Incident | Defined in Thor Policy IT-14 (Security Incident Response). |
| Sensitive Personal Data | Personal Data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. |