SAFE HARBOR PRIVACY POLICY
Amended and Restated as of July 20, 2012

I. OBJECTIVES

The objective of this policy is to comply with applicable laws and regulations and document the processes and procedures of Kronos for the protection of Kronos employee's Personal Information and to define Kronos policy for data protection under the Safe Harbor Privacy Principles.

II. DEFINITIONS

Agent - any person or third-party that collects or uses Personal Information or Sensitive Personal Information under the instructions of, and solely for, Kronos or to whom Kronos discloses Personal Information or Sensitive Personal Information for use on Kronos' behalf.

EEA - the European Economic Area, which includes, among other members, the members of the EU and Norway.

EU - the European Union.

HR Offices - the local Human Resource administrative office for each respective employee.

Kronos - Kronos Worldwide, Inc., its successors, subsidiaries, affiliates, divisions and groups.

Kronos Network - all data processing, information and/or communication systems maintained by Kronos in the U.S. and the EEA.

Personal Information - data or information relating to an identified or identifiable individual who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Privacy Officer - the individual responsible for the internal audit of processes and procedures to safeguard Personal Information and Sensitive Personal Information and responsible for ensuring that transfers are consistent with applicable laws and regulations.

Privacy Offices - locations where questions or comments regarding this policy may be submitted. Privacy Offices are identified in the Contact Information section of this policy.

Safe Harbor Privacy Principles - the U.S.-EU Safe Harbor Privacy Principles and related frequently asked questions published by the U.S. Department of Commerce.

Sensitive Personal Information - Personal Information that reveals medical or health conditions, race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual preference or practices. For each jurisdiction in the EEA for which Kronos employs individuals, Sensitive Personal Information shall include all other Personal Information about such individuals deemed sensitive by applicable laws and regulations of such jurisdiction. In addition, Kronos will treat as Sensitive Personal Information any information received from its EEA operations or a third-party about an individual where the EEA operation or the third-party treats and identifies the information as Sensitive Personal Information.

U.S. - the United States of America.

III. RESPONSIBILITIES

The U.S. Department of Commerce and the European Commission have agreed on the Safe Harbor Principles to enable U.S. companies to satisfy the requirements under EU law that adequate protection will be given to Personal Information transferred between the EU and the U.S. The EEA also has recognized the Safe Harbor Principles as providing adequate data protection (OJ L 45, 15.2.2001, p.47). Consistent with its commitment to protect personal privacy, Kronos adheres to the Safe Harbor Principles.

IV. SAFE HARBOR PRIVACY POLICY

General

Kronos respects individual privacy and values the confidence of its employees, business partners and others. Kronos strives to collect, use and disclose Personal Information in a manner consistent with the laws of the countries in which it does business. This policy sets forth the privacy principles that Kronos follows with respect to Personal Information about its EEA employees transferred to the U.S. in any format including electronic, verbal or paper.

Privacy Principles

Notice

The privacy principles in this policy are based upon the Safe Harbor Principles. Kronos collects and uses Personal Information about individuals solely for Kronos business purposes, including decisions related to employment, promotion, payment of compensation, extension of employee benefits, performance assessment and other similar business purposes common to business and understood by employees.
Beyond these purposes, where Kronos collects Personal Information directly from individuals, it will inform the individuals about further purposes for which it collects and uses Personal Information about them. When required by applicable law or regulation or law enforcement agencies, Kronos will provide notice to employees before disclosure of Personal Information for a purpose other than that for which it was originally collected or to a non-agent third-party. Some examples of non-Agent third-parties include, but are not limited to, trade unions that represent Kronos employees, government authorities that require information and other third-parties that have not contracted with Kronos for services.

Choice

Kronos will offer individuals the opportunity to refuse to permit a transfer of Personal Information when and if their Personal Information is (a) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized or (b) to be disclosed to a non-agent third-party. In the case of Sensitive Personal Information, employees have the right to make a free and affirmative (or explicit) choice before a transfer is made to a non-agent third-party or for a use incompatible with previously stated purposes.

Data Integrity

Kronos will use Personal Information only in ways that are in compliance with applicable laws and regulations and compatible with the purposes for which it was collected or subsequently authorized by the individual. As required by applicable laws and regulations, Kronos will take reasonable steps to ensure that Personal Information is accurate, complete and current (to the extent that the individual keeps Kronos updated on such information) and is relevant to its intended use. In this vein, employees will have the responsibility to update Kronos about their Personal Information from time-to-time.

Kronos has appointed the Benefits Manager of Kronos (US), Inc. as the Privacy Officer for the U.S. who has the responsibility to monitor compliance with the Safe Harbor Principles. The Vice President, General Counsel in Europe will serve as the Privacy Officer for the EEA, and the HR Offices will serve as the contact point for employees to bring forth any questions or concerns.

Transfers Outside Kronos Network

If Kronos transfers data outside the Kronos Network, it will obtain assurances from its third-party Agents that they will safeguard Personal Information in accordance with this policy.
Examples of appropriate assurances that may be provided by third-party Agents include: a contract that obligates the third-party Agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles; the Agent is subject to the EU Directive 95/46/EC (the EU Data Protection Directive); or the Agent has self-certified to the U.S. Department of Commerce its adherence to the Safe Harbor Principles in accordance with the guidance provided by the U.S. Department of Commerce. Where Kronos has knowledge that an Agent is using or disclosing Personal Information in a manner contrary to this policy, Kronos will take reasonable steps to stop the use or disclosure of such information.

Access and Correction

Upon request, Kronos will grant individuals reasonable access to Personal Information that it holds about them. In addition, Kronos will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. Any individual that reviews Personal Information and believes it is inaccurate or incomplete, may submit a written request to the Privacy Officer in Europe to identify items needing correction. For this purpose, an email or other electronic request via Kronos systems is acceptable. The Privacy Officer will be responsible for reviewing requests for data correction and ensuring the data on file is accurate and complete based on facts presented.

Security

Kronos will take reasonable precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Training

Kronos will provide the appropriate training on data protection to any staff member who will have access to Personal Information or Sensitive Personal Information as part of his or her job duties. Such training will, to the extent needed by the staff member, educate him or her on the applicable requirements related to data privacy use, protection, storage and destruction of Personal Information and Sensitive Personal Information.

Enforcement

Kronos will conduct a compliance audit of its relevant privacy practices on an annual basis. The audit will be conducted by the U.S. and European Privacy Officers, or their designees, and is designed to verify adherence to this policy. Any employee that Kronos determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.

Dispute Resolution

Any questions or concerns regarding the use or disclosure of Personal Information should be directed to the Privacy Office, attention European Vice President, General Counsel, at the address given below. Any individual having a question or concern about Personal Information or Sensitive Personal Information must submit a written request providing sufficient details of the issue to the applicable HR Office to allow for an effective evaluation of the issue.
The Human Resources staff will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in this policy. For complaints that cannot be resolved between Kronos and the complainant, Kronos has agreed to participate in the dispute resolution procedures of the home country of the employee and to utilize the panel established by the European data protection authorities to resolve disputes pursuant to the Safe Harbor Principles.

V. LIMITATION ON APPLICATION OF PRINCIPLES

Adherence by Kronos to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation (for example, a national security requirement); and (b) to the extent expressly permitted or required by an applicable law or regulation.

VI. DATA PRIVACY AND TECHNOLOGY

Kronos views the internet and the use of other technologies as valuable tools for communicating and interacting with consumers, employees, healthcare professionals, business partners and others. Kronos recognizes the importance of maintaining the privacy of information collected online and has created specific policies and procedures governing the treatment of Personal Information and Sensitive Personal Information collected through web sites that it operates. Each employee shall utilize Kronos information technology systems and data on such systems as required by Kronos Electronic Data Policy, this policy and any other applicable Kronos policy.

With respect to Personal Information or Sensitive Personal Information that is transferred from the EEA to the U.S., this policy incorporates any applicable future additional or amended safe harbor principles published by the U.S. Department of Commerce regarding requirements and standards with respect to personal data exchanges from the EEA to the U.S.

VII. CONTACT INFORMATION

Questions or comments regarding this policy should be submitted to the applicable Kronos Privacy Office in writing by mail as follows:

Kronos Privacy Office (Europe)
Kronos International, Inc.
Vice President, General Counsel
Peschstrasse 5
D-51373 Leverkusen Germany

Kronos Privacy Office (United States)
Kronos (US), Inc.
Benefits Manager
5430 LBJ Freeway, Suite 1700
Dallas, Texas 75240

VIII. CHANGES TO DATA PRIVACY POLICY

This policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. A notice will be posted on the Kronos intranet and/or bulletin boards at Kronos worksites for 60 days whenever this policy is changed in a material way.

IX. AFFIRMATIVE STATEMENT OF COMPLIANCE

Kronos complies with the Safe Harbor Principles regarding the collection, use and retention of Personal Information from EEA member countries.
Kronos has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access and enforcement. To learn more about the Safe Harbor program, and to view the Kronos certification, please visit www.export.gov/safeharbor.