EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Policy
Zebra Technologies Corporation, and its U.S. subsidiaries, (“Zebra”) has chosen to voluntarily participate in Privacy Shield, and certify its adherence to and compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (“Privacy Shield”) and its Principles, including the Supplemental Principles (collectively, the “Principles”), as set forth by the U.S. Department of Commerce. If there is any conflict between the terms of this policy (“Privacy Shield Policy”) and the Principles, the Principles shall govern. Zebra is eligible to participate in Privacy Shield because it falls under the jurisdiction of the Federal Trade Commission (“FTC”). To learn more about the Privacy Shield program, the Principles and to view Zebra’s certification, please visit www.privacyshield.gov.
This Privacy Shield Policy outlines Zebra’s general policy and practices for implementing the Principles, including: (a) the types of Personal Data Zebra receives from its customers, end users, partners, suppliers, and employees (applicant, current and former); (b) how that Personal Data is collected, used and retained; and (c) affected individuals’ choices regarding the accuracy, retention and use of their Personal Data. In implementing this Privacy Shield Policy, Zebra has agreed to subject its compliance to the full breadth of regulatory enforcement of the FTC or any other statutory body empowered to enforce compliance with the Principles. Zebra will only display its EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield certification marks or make other references to its compliance when it is in compliance with the Principles. Evidence of Zebra’s participation can be found at: https://www.privacyshield.gov/list.
Zebra collects, uses, discloses, transfers, and otherwise processes data, including Personal Data, in several ways. Zebra uses the Personal Data collected for three basic purposes: (1) to process transactions for the sale and support of Zebra’s products and/or services, (2) to operate Zebra’s business, and to provide and support the products and services Zebra offers (including improving and personalizing), and (3) to send certain communications, including promotional communications. Zebra also collects, uses, and processes human resources data in the context of an employment relationship with its current employees, applicants and former employees; as further described herein.
Zebra shares Personal Data with consent or as necessary to complete any transaction or provide any product or service requested or authorized. Zebra also shares Personal Data with partners, suppliers, or third party agents working with Zebra or on Zebra’s behalf.
This Privacy Shield Policy supplements, but does not replace, all other policies, practices, and procedures at Zebra, including any confidentiality agreements, privacy notices, or other agreements, as well as applicable laws. Zebra affirms that while it understands that certification to Privacy Shield is voluntary, effective compliance is compulsory. The Principles apply to Zebra immediately upon certification.
Zebra remains responsible and liable under the Principles if third party agents that it engages to process Personal Data on its behalf do so in a manner inconsistent with the Principles, unless Zebra proves that it is not responsible for the event giving rise to the damage.
“Personal Data” means information that is: (a) within the scope of the EU Data Protection Directive (95/46/EC) or General Data Protection Regulation as applicable as to data subjects covered thereunder, (b) within the scope of the Swiss Federal Act on Data Protection as to Swiss data subjects (c) received in the U.S. from the EU, EEA or Switzerland, and (d) recorded in any form.
“Sensitive Information” means Personal Data that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or other information about an individual’s health and additionally under the Swiss-U.S Privacy Shield ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions.
Application of the Privacy Shield Principles
Zebra collects a variety of information, including Personal Data, which Zebra maintains in accordance with the Principles as described below.
Zebra shall provide clear and conspicuous notice to inform individuals of the types of Personal Data it collects, uses and retains, and the types of third parties to which Zebra may disclose that Personal Data.
Zebra shall provide the individual with the choice and means for limiting the use and disclosure of their Personal Data. Subject to the limitations in the Principles and Supplemental Principles, individuals have the right to choose (opt out) whether their Personal Data is: (a) to be disclosed to a third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized. Individuals may send opt out requests to firstname.lastname@example.org.
Zebra does not disclose Personal Data to third parties except in accordance with the Principles, including as required by law, compelled by tribunals, courts, or government agencies, or as otherwise required, including to meet national security or law enforcement requirements. Zebra may use Personal Data for certain purposes in the manner described in Zebra’s Privacy Statement.
Zebra shall ensure that any third party for which Personal Data may be disclosed subscribes to the Principles or is subject to law providing the same level of privacy protection as is required by the Principles and agrees in writing to provide an adequate level of privacy protection.
In cases of onward transfer of Personal Data to third parties, Zebra is potentially liable for the acts or omissions of its third-party processors or sub-processors.
Zebra shall take reasonable steps to protect the Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Zebra has implemented appropriate physical, electronic and administrative procedures to safeguard and secure Personal Data. Zebra employs industry standard encryption for transmitting and storing data, as appropriate; however, Zebra cannot guarantee the security of information on or transmitted via the Internet.
Purpose Limitation & Data Integrity
Zebra agrees to process Personal Data consistent with the purposes for which it was collected or authorized by an individual. To the extent practical, Zebra will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. If an individual would like to access or update Personal Data, the individual may contact Zebra using the contact information below. Individuals will be required to sufficiently verify their identity.
Individuals may access their Personal Data to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual, is required to be unaltered and/or retained for legitimate employment-related purposes, or as otherwise restricted by law. Individuals may contact Zebra using the contact information below.
Recourse, Accountability, and Enforcement
Zebra provides mechanisms for assuring its’ compliance with the Principles. Zebra uses a self-assessment approach and, at least once a year, will certify that this Privacy Shield Policy is accurate, comprehensive, prominently displayed, implemented, and in conformity with the Principles.
Zebra will monitor adherence to the Principles and address questions and concerns regarding its adherence. Personnel who violate Zebra’s privacy policies could be subject to a disciplinary process.
Individuals may raise any complaints by contacting Zebra using the contact information below. Zebra will respond to an individual complaint within 45 days. If an issue cannot be resolved by Zebra’s internal dispute resolution mechanism, Zebra has chosen JAMS to be its independent recourse mechanism for Privacy Shield and the Swiss Federal Act of Data Protection. Zebra agrees to be bound by any decision of JAMS. Individuals may contact JAMS at https://www.jamsadr.com/eu-us-privacy-shield to address complaints. More information about JAMS is available at http://www.jamsadr.com. In the event that Zebra or JAMS determines that Zebra did not comply with this Privacy Shield Policy, Zebra will take appropriate steps to address any adverse effects and to promote future compliance. Under certain circumstances, individuals may invoke binding arbitration before the Privacy Shield Panel for residual claims not otherwise resolved. In the event Zebra becomes subject to an order for non-compliance with the Principles, Zebra shall make public any relevant sanctions or other findings. Any human resources data complaints can be addressed to the relevant EU DPA or Swiss Federal Data Protection and Information Commissioner directly. Zebra will cooperate with EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner (“DPAs”) and comply with any decision of a DPA. Please contact Zebra (see contact information below) to be directed to the relevant DPA.
Limitation of the Application of the Principles
Adherence by Zebra to the Principles (and this Privacy Shield Policy) will be limited as explicitly permitted by the Principles: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; or (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, Zebra’s non-adherence is limited to the extent necessary to meet the overriding legitimate interests. Where the option is allowable under the Principles and/or U.S. law, Zebra will opt for the higher protection where reasonably possible.
Adherence to the Supplemental Principles
Zebra will adhere to the Supplemental Principles:
1. Sensitive Data. Zebra may obtain Sensitive Information such as medical or health information, religious beliefs, or ethnic information. Certain portions of the Sensitive Information may not require affirmative consent because the processing is necessary: (a) to carry out Zebra’s employment law obligations, (b) because it is in the vital interest of the individual or another person, (c) for the defense of legal claims, or (d) manifestly made public by the individual.
2. Journalistic Exceptions. Zebra does not engage in journalistic activity.
3. Secondary Liability. Zebra may, on behalf of others, transmit, route, switch or cache information such that the secondary liability exception applies.
4. Performing Due Diligence and Conducting Audits. Zebra may conduct due diligence, investigations, or audits on its behalf and such activities may require the processing of Personal Data without knowledge of the individual, to the extent required for legitimate interests of Zebra. If Zebra sells or divests all or part of its business, makes a transfer of assets, or otherwise becomes involved in a change of control transaction, or in the unlikely event of bankruptcy, Zebra may transfer Personal Data covered by this Privacy Shield Policy to one or more third parties as part of the transaction including the due diligence process.
5. The Rule of Data Protection Authorities. In connection with both human resources and non-human resources Personal Data, Zebra has committed to adhere to the Principles. Zebra shall cooperate with DPAs as the recourse mechanism for complaints related to human resources data.
6. Self-Certification. Zebra will self-certify its Privacy Shield compliance in accordance with the U.S. Department of Commerce’s protocols.
7. Verification. Zebra will verify its Privacy Shield compliance through self-assessment. Further, Zebra will audit its compliance with Privacy Shield. Zebra will provide training regarding this policy to its personnel who may have access to Personal Data. Zebra will retain its records on the implementation of Privacy Shield and make them available as required.
8. Access. Zebra understands that the right of access is fundamental to privacy protection. Zebra provides adequate mechanisms for access as stated herein.
9. Human Resources Data. Zebra collects, uses, and processes human resources data in the context of an employment relationship with its current employees, applicants and former employees. Zebra will respect the national laws of Switzerland or the EU country where the information was collected or processed prior to transfer and will further respect any conditions for or restrictions pertaining to transfer.
10. Obligatory Contracts for Onward Transfers. Zebra shall ensure that a contract is in place between it and any third party entity or agent that participates in an onward transfer of Personal Data. The contracts will specify that such Personal Data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as stated in the Principles.
11. Dispute Resolution and Enforcement. Zebra meets its obligations for dispute resolution and enforcement by enrolling with JAMS and by cooperating with the FTC and the U.S. Department of Commerce.
12. Choice – Timing of Opt-Out. Zebra will comply with the choice Principle as set forth above.
13. Travel Information. Zebra may collect, use and retain travel information including Personal Data for individuals traveling on behalf of Zebra. Zebra will comply with any special conditions for the handling of Sensitive Information.
14. Pharmaceutical and Medical Products. This Principle does not apply to Zebra because Zebra is not engaged in any processing with respect to pharmaceutical or medical products or services.
15. Public Record and Publically Available Information. Zebra will apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability, to Personal Data collected from publicly available sources and public records.
16. Access Requests by Public Authorities. Zebra will comply with lawful requests for information from law enforcement and national security agencies.
Swiss-U.S. Privacy Shield
Zebra complies with the Swiss-U.S Privacy shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from Switzerland. Zebra has certified that it adheres to the Swiss-U.S. Privacy Shield Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. For Swiss citizens and residents, if there is any conflict between this Privacy Shield Policy and the Swiss-U.S. Privacy Shield Privacy Principles, the Swiss-U.S. Privacy Shield Privacy Principles shall govern. Swiss citizens and residents with inquiries or complaints regarding this Privacy Shield Policy should first contact Zebra using the contact information below. To learn more about the Swiss-U.S Privacy Shield and to view Zebra’s certification page, please visit www.privacyshield.gov
Zebra Contact Information
Any questions, inquiries, or complaints regarding this Policy or Zebra’s participation and compliance with Privacy Shield may be directed to:
Complaints about Zebra’s adherence to the Principles may also be directed to the FTC.
V2 Date: June 28, 2017