Privacy policy of Leviat GmbH

This privacy policy (the “privacy policy”) provides details of the way in which Leviat (“the company”) processes personal data when you work for the company or when you do business with the company.

Personal data is processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) and other applicable national and European privacy legislation and regulations (together the “data protection law”).

This privacy policy applies to all personal data we process as a data controller.

To the extent the company decides why and how personal data is processed, the company is a data controller of such personal data.
The company may process personal data of, for example, employees, former employees, and their family members, temporary workers, self-employed persons, job applicants, contractors, supplier contacts, customers, and visitors.

The purpose of this privacy policy is to explain what personal data we process and how and why we process it. In addition, this privacy policy outlines our duties and responsibilities regarding its protection.
This privacy policy is not an exhaustive statement of our data protection practices; we will give you notice of variations to the extent practical.

1.1 Employees and Contractors
The company collects and processes personal data in relation to our employees, candidates for employment and contractors, as well as our former employees and former contractors. This personal data includes: personal details such as name, date of birth, social security number, bank account details, next of kin, details of social media accounts, visa / passport data; contact details such as address and phone number(s); personnel file details including, for example, terms and conditions of employment, training, performance evaluations, promotions, personal development plans, conduct and disciplinary data, work location, salary information, bank account details and tax and social security numbers, security clearances; employment history/application details such as educational history and employment history; editorial or journalistic content such as links to works e.g. links to video files or audio files; medical information such as medical certificates and sick notes; family details such as names and dates of birth of children (e.g. relevant if an individual is applying for parental leave); details required for pension; details regarding trade union membership; and performance related data such as performance management ratings for managers and annual incremental salary reviews of employees, psychometric testing, etc. The above list is not exhaustive but covers the most commonly collected, used and otherwise processed personal data.

1.2 Suppliers and Customers
The company collects and processes personal data in relation to individuals who are, and/or are working with, our suppliers and customers. This personal data may include: personal details such as name, title, position, work identification numbers, department, business unit (including contact data collected for training / verification); and contact details such as email address, telephone number(s) and work location; and tax information such as VAT / tax numbers.

1.3 Special Categories of Personal Data
The types of special categories of personal data that the company may process include, without limitation, health data, information on criminal convictions and biometric data. The company processes all personal data in accordance with data protection law, and, in particular, any special categories of personal data.

The company processes personal data for the purpose(s) for which the personal data has been obtained.
Common examples of the reasons why the company processes personal data include: payroll and benefit administration; HR, performance and talent management; marketing and PR; improvement of business products and services; research and statistical analysis; business strategy; internal audits or investigations; prevention and detection of unlawful and/or criminal behaviour towards us or our customers and employees; and/or fulfilling legal obligations. We may process personal data for other reasons from time to time. The company tries to ensure individuals are informed about the purpose(s) for processing their personal data at the time the company collects consent. Where this is not possible or practical, the company tries to inform you as soon as possible after the processing of personal data. Individuals have the right to withdraw consent at any time.

The company may process the personal data of various individuals (for example, employees, contractors and candidates for employment) for talent management and workforce evaluation (to potentially include attendance and performance analysis).
The company engages in such processing where: (a) expressly authorised by national law (including for fraud and tax-evasion monitoring); (b) necessary for the entering into or performance of a contract; or (c) the individual has given appropriate consent.

Individuals have certain rights under data protection law.

4.1 Inspection and Access: you can request from us a summary and a copy of your personal data which we process or which is processed on our behalf;

4.2 Correction/Addition/Removal: where you believe your personal data is inaccurate or incomplete, you are entitled to request us to correct, amend or delete your personal data;

4.3 Objection: you may object to us processing your personal data based on our legitimate reasons for processing (see above);

4.4 Restriction: you may request that we restrict the processing of your personal data where the accuracy of your personal data is contested, our processing is unlawful, you believe we no longer need the personal data or you have objected to processing; and

4.5 Automated Decision Making: where the company undertakes automated decision making (including profiling), which significantly affects you, you are entitled to object to such decision-making.

5.1 Security Measures
The company has technical and organisational measures in place to protect personal data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access.
Personal data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, and various IT measures.
For more information on the company’s security measures, please see the Information Security Policy.

5.2 Personal Data Breach
The company will manage a data breach in accordance with the personal data breach reporting procedure. For guidance on how to identify and report a data breach please refer to our Personal Data Breach Procedure.

From time to time, the company may disclose personal data to third parties, or allow third parties to access personal data which we process (for example where a law enforcement agency or regulatory authority submits a valid request for access to personal data).
The company may also share personal data: (a) with another member of the CRH Group (including our subsidiaries, our ultimate holding company and its subsidiaries); (b) with selected third parties including business partners, suppliers and sub-contractors; (c) with third parties when we sell or buy any business or assets; or (d) if the company is under a legal obligation to disclose personal data. This includes exchanging information with other companies and organisations for the purposes of fraud prevention.
Where the company enters into agreements with third parties to process personal data on our behalf it will ensure that the appropriate contractual protections are in place to safeguard it. Examples include communications providers, payroll service providers, occupational health providers, marketing or recruitment agencies, operators of data centers used by the company, etc.

The company keeps personal data only for as long as the retention of such personal data is deemed necessary for the purposes for which that personal data is processed. Personal data is retained in accordance with relevant laws and company guidelines.

From time to time the company may need to transfer the personal data outside the EEA. This transfer will occur in accordance with applicable data protection law. The company takes reasonable steps to ensure that the personal data is treated securely and in accordance with this privacy policy when transferred outside the EEA.

The company is responsible for the processing of personal data. The company’s managing director has overall responsibility for the company’s compliance with this privacy policy and will designate a primary point of contact in relation to (i) the processing of personal data of the company’s current and former employees and contractors; (ii) the processing of personal data of business contacts; and (iii) the preservation of the security and integrity of the personal data processed by the company.
Legal and Compliance shall provide support to the company by providing legal advice and guidance in interpreting the data protection law and this privacy policy on a local level.
All company employees must comply with the most up-to-date version of this privacy policy, as published from time to time. If employees are found to have intentionally violated this privacy policy, they may be subject to disciplinary processes, up to and including dismissal.

You can ask a question or make a complaint about this privacy policy and/or the processing of your personal data by contacting the HR/Legal department, General Management or the data security officer. While you may make a complaint in respect of our compliance with data protection law to the relevant data protection regulator, we request that you contact the internal data security officer in the first instance to give us the opportunity to address any concerns that you may have.

Status 31.12.2021