1 Office of Responsibility
Senior Vice President, Global Risk & Compliance.
2 Purpose
As stated in the Information Security Program Charter of Exela Technologies Inc. (“the Company”), the Company and its affiliates shall follow a risk management approach to develop and implement information security policies, standards, guidelines, and procedures. The Information Security Program will protect information assets by establishing policies to identify, classify, define protection and management objectives, and define acceptable use of Company information assets.
This Privacy Policy defines Company objectives for securing and protecting personally identifiable information and other information.
3 Scope
This Policy applies to all Exela Technologies and its subsidiaries staff both temporary and permanent, contractors, consultants, third parties, and other people (referred to as ‘Employees’) working on behalf of the Company and shall be displayed on the Company website as stated below.
If you are a European Economic Area or United Kingdom resident, for Exela Technologies, Inc.’s Privacy notice. Note: see the GDPR Privacy Notice Standard.
If you are a resident of Canada, for Exela Technologies, Inc.’s Canada Supplemental Privacy Statement. NOTE: See the Canada Personal Information Protection and Electronic Documents Act Standard.
Please click here, if you are a resident of India, for Exela Technologies, Inc.’s India’s Supplemental Privacy Statement. NOTE: See the India Digital Personal Data Protection Act Standard.
Note: The Company, as a service provider (data processor), processes personnel data on behalf of our customers (data controllers). As such, the Company is not the data owner nor the system of record for the information it is handling. The Company carries out the processing operations with the appropriate technical and organizational measures as dictated and instructed by the data controller.
4 Policy
4.1 OBJECTIVES
4.1.1 The Company shall adhere to applicable global and local legal, regulatory and customer privacy requirements.
4.1.2 The Company may or shall collect personally identifiable information (names, addresses, email addresses, phone numbers, birthdates, social security, tax identification, financial account, national insurance numbers, and company information) submitted by our customers in connection with the services being provided. The information provided shall be used to fulfill specific services unless given permission to use it in another manner.
- Cookies. When a visitor views Company websites, a cookie is sent out to the viewer's computer that will identify the visitor's browser. These cookies enable the website to recognize the visitor's computer the next time the visitor views the Company website. These cookies will be used exclusively to collect information concerning the use of the website. Cookies contain no personally identifiable data, so the visitor's personally identifiable information is not collected or retained.
- Affiliated Websites. Personal information that a visitor may provide to websites affiliated with the Company may be sent to the Company in order to deliver services to the Company or other entities affiliated which the Company provides. The Company processes such information in accordance with this Policy
The Company reserves the right to collect and process personal information in the course of providing services to our customers, without the knowledge of the individuals involved.
4.1.3 As a general rule, the Company shall not disclose personally identifiable information except when the Company is required or permitted per customer agreement, law (including pursuant to national security or law enforcement requirements) or otherwise, such as when the Company believes in good faith that the law requires disclosure or other circumstances outlined in this Privacy Policy require or permit disclosure.
4.1.4 The Company may share information with governmental agencies or other companies assisting in fraud prevention or investigation. The Company may do so when:
- permitted or required by law,
- trying to protect against or prevent actual or potential fraud or unauthorized transactions, or
- investigating fraud which has already taken place
This information, however, is not provided to these companies for marketing purposes.
4.1.5 The Company shall take reasonable steps to protect personally identifiable information. To prevent unauthorized access or disclosure of personally identifiable information, maintain data accuracy, and support the appropriate use and confidentiality of personally identifiable information, either for its own purposes or on behalf of our clients, the Company shall put in place appropriate physical, technical, and managerial procedures to safeguard and secure the personally identifiable information and data the Company possesses.
4.1.6 The Company shall collect and maintain personally identifiable information in a manner that is compatible with the purpose for which it was collected and maintained or as subsequently authorized by an individual or client. To the extent necessary for such purposes, the Company shall take reasonable steps to confirm that personal information is accurate and complete with regard to its intended use.
4.1.7 Whenever the Company shall process personal data, it shall take reasonable steps to keep personal data accurate and up-to-date for the purposes for which they were collected in order to provide services to our customers.
4.1.8 The Company shall utilize a self-assessment approach to support compliance with this Privacy Policy.
- The Company shall periodically verify that related policies are accurate, comprehensive for the information intended to be covered, prominently displayed, implemented, and are in conformity with the principles of this Privacy Policy.
- The Company shall encourage interested persons to raise any concerns with the Company. The Company shall investigate and attempt to resolve complaints and disputes regarding the use and disclosure of personal information in accordance with the principles contained in this Privacy Policy.
- If the Company determines an employee is in violation of this Privacy Policy, that employee shall be subject to the Company's disciplinary process.
4.1.9 In the event that the Company merges, is acquired by, or sells its assets to a third party, the Company may disclose personally identifiable information as is reasonably necessary in connection with any such merger, acquisition, or sale. Any such party with whom the Company merges or who acquires some of all of the assets of the Company may not have the same or similar privacy guidelines as set forth in this Privacy Policy and may use personally identifiable information in a manner other than as set forth herein.
4.1.10 This Privacy Policy shall be reviewed annually and updated as necessary to comply with applicable regulations.
4.1.11 The Company shall post any revised Privacy Policy on its website, or a similar website that replaces that website.
4.1.12 Information obtained from or relating to customers or former customers is further subject to the terms of any privacy notice provided to the client, any contract or other agreement with the client, and application enforcement laws.
4.1.13 The Company shall cooperate with the appropriate regulatory authorities, including local data protection regulatory authorities, to resolve any comp.
4.1.14 The Company shall be responsible for handling information and ensuring awareness of the data protection principals. The Company shall ensure that information is used fairly, lawfully, transparently, and for specified, explicit purposes.
4.1.15 The Company shall be responsible for protecting information by implementing technical security controls – including access controls, special authentication requirements, and monitoring.
5 Related Policies
- Information Security Program Charter
- GDPR Privacy Notice Standard
- Canada Personal Information Protection and Electronic Documents Act Standard
- India Digital Personal Data Protection Act Standard
6 Policy Compliance
6.1 RESPONSIBILITIES
6.1.1 The Chief Technology Officer is the approval authority for the Privacy Policy.
6.1.2 The Senior Vice President of Global Risk & Compliance is responsible for the development, implementation, and maintenance of the Privacy Policy.
6.1.3 Company management is accountable for ensuring that the Privacy Policy and associated standards and guidelines are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units and confirming their consistency with the Privacy Policy and associated standards and guidelines.
6.1.4 All individuals, groups, or organizations identified in the scope of this policy are responsible for familiarizing themselves and complying with the Privacy Policy and associated standards and guidelines.
6.2 COMPLIANCE MEASUREMENT
The Global Risk & Compliance team shall require and verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
6.3 ENFORCEMENT
Failure to comply with these policies and associated standards, guidelines, and procedures shall result in disciplinary actions up to and including termination of employment.
7 Review and Revision
The Company Information Security policies and standards shall be reviewed under the supervision of the Senior Vice President of Global Risk & Compliance, at least annually or upon significant changes to the operating or business environment, to assess their adequacy and appropriateness.