This Policy applies to all personal information received by Graco in any format, including electronic, paper or verbal. For purposes of this Policy, “personal information” means any information or set of information that identifies or could be used by or on behalf of Graco to identify an individual. Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.
If we indicate in this Policy or on our websites that personal information is being collected, maintained, used or disclosed, it may be collected, maintained, used or disclosed by Graco through its employees, agents or duly authorized representatives.
II. Safe Harbor
The United States Department of Commerce and the European Commission have developed a “safe harbor” framework of data protection principles (the “U.S. – EU Safe Harbor Framework”). The U.S. - EU Safe Harbor Framework is designed to provide U.S. companies with a means to satisfy the European Union’s legal requirement that an adequate level of privacy protection be afforded to personally identifiable information transferred from the European Union to the United States.
The United States Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland have developed a similar safe harbor framework of data protection principles (the “U.S. – Swiss Safe Harbor Framework”) to enable U.S. companies to satisfy Switzerland’s legal requirement that an adequate level of privacy protection be afforded to personally identifiable information transferred from Switzerland to the United States.
As part of Graco’s commitment to respecting and protecting personal privacy, Graco adheres to the U.S. – EU Safe Harbor Framework and the U.S. – Swiss Safe Harbor Framework (together, the “Frameworks”), and follows the safe harbor principles set forth in the Frameworks.
Graco may collect and use personal information from job applicants, employees and former employees in connection with the management and administration of human resource functions and other employment-related matters, including but not limited to: recruiting, job application and hiring activities; payroll administration; training; succession planning; performance management; employee directories; organization charts; security badges; monitoring the use of company resources; emergency contacts; temporary/contingent workforce planning and staffing; administration and operations of benefits and compensation programs; meeting governmental reporting requirements; security, health and safety management; business travel; access to Graco facilities and computer networks; record keeping; and other employment-related purposes. Graco may also collect and use personal information from prospective, current and former distributors, suppliers, vendors, business partners, end-user customers and others for legitimate business purposes, including but not limited to: completing transactions or orders; customer service; product, warranty and claims administration; maintenance of accounts payable and receivable records; internal marketing research and supporting our marketing promotions; safety and performance management; financial and sales data; meeting governmental reporting and records requirements; and contact information. When Graco collects personal information from an individual, Graco will inform the individual of the purposes for which Graco is collecting and using the information at the time of collection or as soon as practicable thereafter, but in any event before Graco uses the information for a purpose other than that for which it was originally collected. Graco will also inform the individual about how to contact Graco with any inquiries or complaints, the types of third parties to which Graco may disclose the information, and the choices and means Graco offers individuals for limiting the use and disclosure of their information.
Graco will offer individuals the opportunity to choose (opt-out) whether their personal information is to be: (1) disclosed to a third party (other than a third party that is acting as an agent to perform a task on behalf of and under the instruction of Graco); or (2) used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual. For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), Graco will offer individuals the opportunity to affirmatively and explicitly choose (opt-in) whether such information is to be: (1) disclosed to a third party (other than a third party that is acting as an agent to perform a task on behalf of and under the instruction of Graco); or (2) used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual. Affirmative and explicit choice (opt-in) is not required when necessary for the establishment of legal claims or defenses, to provide medical care or diagnosis, or to carry out Graco’s obligations in the field of employment law. Graco will offer individuals reasonable mechanisms to exercise these choices.
C. Onward Transfer (Transfers to Third Parties)
Graco is a company with operations around the world. Accordingly, personal information received by Graco may be used globally in connection with employment or business operations within Graco. Personal information may be transferred between Graco entities located in North America, South America, Europe, Asia-Pacific and elsewhere. Personal information may also be transferred to third parties acting as agents and performing tasks on behalf of and under the instructions of Graco. Graco will transfer personal information to a third party agent only if Graco first ascertains that the third party agent subscribes to the safe harbor principles, is subject to the European Commission’s Directive on Data Protection or another adequacy finding, or agrees in writing to provide at least the same level of privacy protection as is required by the safe harbor principles. Graco may also disclose personal information: (a) to the extent required by applicable law, regulation or a valid order by a court or other governmental body; (b) to the extent necessary, in Graco’s good faith judgment, to protect the rights, safety or property of Graco, its employees, customers or the public; or (c) in connection with a merger, joint venture, sale or transfer of all or a portion of Graco’s assets or stock, or other similar corporate transactions, subject to applicable law.
Graco will provide individuals with access to their personal information and the ability to correct, amend or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. Employees who wish to review, update, correct or delete their personal data may do so by utilizing the self-service function available on the applicable information technology system or by contacting their local Human Resources representative. Non-employees who wish to correct, amend or delete their personal information may contact Graco at the address or e-mail address provided in the “Enforcement” section below.
Graco will take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. These precautions may include the use of physical, electronic and organizational security measures. Physical security measures are intended to prevent unauthorized access to database equipment and hard copies of sensitive personal information. Electronic security measures, such as firewalls, restricted access and/or encryption, are intended to monitor access to Graco’s servers and protect against hacking and other unauthorized access from remote locations. Organizational security measures are intended to limit access to personal information to only those employees and agents of Graco who have a specific human resources or business purpose for maintaining, using and processing such information. Graco employees who have access to personal information will be trained regarding this Policy and the safe harbor principles contained in it, and will be advised that they are responsible for complying with this Policy and that violation of this Policy will result in appropriate disciplinary action up to and including termination.
F. Data Integrity
Personal information must be relevant for the purposes for which it is to be used. Graco will not process personal information in a way that is inconsistent with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, Graco will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.
Graco uses a self-assessment approach to verify that the attestations and assertions it makes about its safe harbor privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the safe harbor principles set forth in the Frameworks. The verification will be signed by a corporate officer or other authorized representative of Graco at least once per year and is available upon request or in the context of an investigation or a complaint about non-compliance. The verification will indicate that: (1) this Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible; (2) this Policy conforms to the safe harbor principles set forth in the Frameworks; (3) individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; (4) Graco has in place procedures for training employees in the implementation of this Policy and disciplining them for failure to follow it; and (5) Graco has in place internal procedures for periodically conducting objective reviews of compliance with the above.
Employees who have questions or concerns regarding the use or disclosure of their personal information should contact their local Human Resources representative. If the questions or concerns cannot be resolved locally, the matter should be directed to the Vice President of Human Resources. If the matter cannot be resolved by the Vice President of Human Resources, Graco will cooperate with the competent European Union Data Protection Authorities (“DPAs”) or the Federal Data Protection and Information Commissioner of Switzerland as applicable in the investigation and resolution of complaints brought under the Frameworks. Graco will comply with any advice given by the DPAs or the Commissioner as applicable in the event the DPAs or the Commissioner determine Graco needs to take specific action to comply with the safe harbor principles set forth in the Frameworks.
Non-employees who have questions or concerns regarding the use or disclosure of their personal information should contact Graco at:
88 – 11th Ave N.E.
Minneapolis, MN, 55413 USA
If the questions or concerns cannot be resolved by Graco, the matter should be directed to TRUSTe. Graco has agreed to TRUSTe dispute resolution for disputes relating to Graco’s compliance with the safe harbor principles set forth in the Frameworks.
TRUSTe may be contacted by Internet here, fax to 415-520-3420, or mail to:
Attn: Watchdog Complaint
55 2nd Street, 2nd Floor
San Francisco, CA, 94105 USA
You must include the following information if you are faxing or mailing TRUSTe to lodge a complaint: the name of company; the alleged privacy violation; your contact information; and whether you would like the particulars of your complaint shared with the company. For more information about TRUSTe or the operation of TRUSTe’s dispute resolution process, click here or request this information from TRUSTe at the address or fax number listed above. The TRUSTe dispute resolution process will be conducted in English.
IV. Internet Privacy
Information automatically collected upon visiting Graco websites includes the internet protocol (IP) address of the user, the date and time of visit, what pages were visited, what page the user visited immediately before visiting the Graco website, and whether the user is a return visitor. This information is used to measure the number of visitors to different sections within the Graco websites, to provide the user with a more customized experience, and to help drive improvements for the Graco websites. “Cookies,” which are small data files that are stored on a user’s computer for record keeping purposes, are used in public areas of the Graco websites. Most web browsers are set to accept cookies by default. If users prefer, they can usually choose to set their browsers to remove and reject cookies. In some cases, removing or rejecting cookies may affect certain features or services on the Graco websites. Cookies are enabled in the Graco Extranet Distributor Information (GEDI), Customer Inquiry System (CIS) and Sales Inquiry System (SIS) areas of the websites and may be required in order to use certain password protected portions of the websites. Additional information is available in the GEDI, CIS and SIS policies.
Individuals may choose to send Graco personally identifiable information (such as their name, address, e-mail address and telephone number) when requesting information on-line from Graco. This personal information is used in order to assist Graco in gathering the information requested and responding to the request. Information provided in this manner may be viewed by various individuals, depending on the nature of the request. In limited circumstances, including requests via subpoena, Graco may be required by law to disclose this personal information. If you do not want this information collected, please do not submit it to Graco. If you have already submitted this information on-line and have changed your mind, please contact Graco at the address or e-mail address provided in the section entitled “Enforcement” above.
Graco websites may contain links to third party websites or third party websites may have linked to Graco websites. Graco has no control over third party websites and assumes no responsibility for the content or the privacy policies and practices on those websites. This Policy will not apply to those websites. Therefore, Graco encourages all users to read the privacy statements of those websites as their privacy practices may differ from those of Graco.
Graco’s websites are not directed at children, and Graco has no intention of collecting any personal information from individuals under eighteen years of age. If a child has provided Graco with personally-identifiable information, a parent or guardian of that child may contact us at the address or e-mail address provided in the section entitled “Enforcement” above to request that this information be deleted from our records.
Graco reserves the right to amend this Policy from time to time consistent with the safe harbor principles in the Frameworks, so please review this Policy periodically, and especially before providing personal information to Graco. If we make a material change to this policy, we will notify you here or by posting a notice on our homepage.
Last Updated: 4 October 2011