Kohler
UK Employee Privacy Notice
What does this Privacy Notice Cover?
The purpose of this Privacy Notice is to provide Kohler Co. and its affiliates and subsidiaries (“Kohler”, “we”, “us”, “our”) employees with information about how and why we process their personal data and to tell them about their privacy rights and how the law protects them.
With that in mind, this Privacy Notice is designed to describe:
- Who we are and how to contact us
- Your rights relating to your personal data
- What personal data we collect
- Personal data from third-party sources
- How we use your personal data and why
- Who we share your personal data with
- Data transfers
- How we keep your personal data secure
- How long we store your personal data
- No automated decisions
- Appendix A - Detailed Processing Information
- Appendix B - UK Employing Entities
Important notes:
- It is important you read this Privacy Notice so that you are aware of how and why we are using your personal data, your rights and how the law protects you.
- This Privacy Notice does not form an operative part of your employment contract (even if it is referred to in that contract).
- You should be aware that if you fail to provide certain personal data when requested, we may not be able to perform your employment contract (e.g., by paying you or providing a benefit) (if applicable) or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
We may update this Privacy Notice from time to time. If we do so, we will provide you with, and/or make available, a revised Privacy Notice.
Who we are and how to contact us
Who we are.
Kohler Co. is the controller (as defined in the UK’s implementation of the General Data Protection Regulation 2016/679 (“UK GDPR”)) for the purposes of the processing of your personal data described in this Privacy Notice. In addition, your employing entity is also a controller with respect to certain HR processes. The Kohler employing entities in the UK are set out in Appendix B.
Our address is: Kohler Co, 444 Highland Drive, Kohler, WI 53044.
How to contact us.
To contact us, you can either:
Your rights relating to your personal data
Your rights in connection with your personal data
Under certain circumstances, by law you may have the right to:
- Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data. This right exists where we are relying on a Legitimate Interest (defined below) as the legal basis for our processing and there is something about your particular situation which makes you want to object to processing on this ground.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data. We will provide to you, or a third party you have chosen, your personal data which you have provided to us, in a structured, commonly used, machine-readable format. Note that this right only applies to personal data we process by automated means which you initially provided consent for us to use or where we used the information to perform a contract with you.
How to exercise your rights
If you want to exercise any of the rights described above, please contact us using the contact details shown in the “Who We Are and How to Contact Us” section above.
We may need to request specific information from you to help us confirm your identity and verify your right to access your personal data (or to exercise any of your other rights). This is a security measure designed to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information to assist us in responding to your request.
Please also note that in certain circumstances the rights above will not apply and/or in certain circumstances some categories of personal data will be exempt from the scope of those rights. We will notify you where this is the case.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Complaints
If you would like to make a complaint regarding this Privacy Notice, you can contact us using the contact details shown in the “Who We Are and How to Contact Us” section above. We will reply to your complaint as soon as we can.
If you feel that your complaint has not been adequately resolved, please note that the UK GDPR also gives you the right to make a complaint directly to the UK Information Commissioner’s Office:
Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow - Cheshire SK9 5AF
Telephone: +44 303 123 1113
Website: https://ico.org.uk/make-a-complaint/
What personal data we collect
All the personal data we collect, both from you and from third parties about you, is outlined in the table below.
Category of personal data collected | What this means |
Contact information |
Your work and home address, telephone number, email address and social media handles. |
Identification information |
Your National Insurance number, government-issued identification information (e.g., driver’s license, passport), photographs, or other similar identifiers. |
Immigration status |
Information that would allow us to verify your employment eligibility. |
Biographical information |
Your name, gender/gender identity, pronouns, date of birth, professional history, language proficiencies, professional qualifications, references, education details, information in your company biography, social media profiles and activity, and your photo. |
Professional qualifications |
Your professional designations, licensure information, memberships, leadership positions, credentials, professional qualifications and continuing education information. |
General employment information |
Your department, work location, job title, dates of employment, work status (e.g., full-time/part-time), any terms or conditions of employment, work history (current, past, or prospective), timekeeping information, personnel and disciplinary records, training and learning program participation, information necessary to complete background checks, drug and/or alcohol tests, and other screens permitted by law, and other information reasonably necessary to administer the employment relationship with you, including without limitation information related to absence administration, workers’ compensation matters and emergency services. |
Compensation, benefits and payroll information |
Your salary and bonus details, benefits information (including information regarding health insurance, retirement savings), equity award information, bank account information and working time records (e.g., vacation and absence records, sick leave, leave status, and hours worked). |
Performance information |
Your management metrics, performance evaluations, feedback, and promotion history. |
Information about related persons |
Your spouse, domestic/civil partner, dependents, beneficiaries and emergency contacts. |
Credentials, technology, access and system information |
Your company email address, usernames, passwords, and keycard number; information about your use of, as well as content and communications you send and receive through, devices, company communications, IT systems and applications (e.g., time of use, files accessed, search history, web pages viewed, IP address, device ID, device geolocation); and information about your access to and location within offices and facilities (e.g., keycard scans and security camera footage). |
Expenses and travel information |
Information about your business travel and other business expenses. |
Healthcare, welfare, and medical information |
Information related to your or your eligible dependent’s participation in wellness and employee assistance programs, executive physicals and health insurance programs and your body temperature, vaccination status, health symptoms and other screening and tracking information (including travel information, participation in health education programs, and information about your related persons) in connection with the company’s health and safety plans and protocols, including screening required to access company offices/facilities and other measures designed to prevent the transmission of COVID-19 or other infectious diseases. |
Biometric information |
Fingerprint scans and voiceprints may be collected in certain Kohler locations. |
Information needed to evaluate accommodation requests |
Disabilities or other health conditions |
Personal data from third-party sources
In addition to the personal data that we collect from you directly, in certain circumstances, we may also collect personal data from third-party sources. Please see below for a list of the types of third-party sources from which we may collect your personal data (including whether the source of that personal data is publicly available):
- Employment agencies or recruiters.
- Job board websites you may use to apply for a job with us.
- Providers of services that we make available to our employees as part of our benefits program.
- Prior employers, when they provide us with employment references.
- Professional references that you identify on your CV or authorise us to contact.
- Providers of background check, credit check, or other screening services (where required and permitted by law).
- Your social media profiles or other publicly-available sources (information gathered from these sources is publicly-available).
- Your dependents and related persons who communicate with us directly.
We may also collect additional personal data in the course of your employment-related activities throughout the period of your employment and otherwise in relation to your employment at Kohler.
How we use your personal data and why
Most commonly, we will rely on one of the following legal bases:
- Where we need to perform a contract we are about to enter into with you or have entered into with you (“Contractual Necessity”).
- Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). More detail about the specific legitimate interests pursued in respect of each purpose we use your personal data for is set out in the table below.
The table below shows at a very high-level how we may use your personal data and the relevant legal bases we rely upon for that use.
For more information – see Appendix A to this Privacy Notice. In Appendix A, we have set out in detail the purposes for which we may use your personal data, the legal bases we rely on in respect of each such purpose (including details of any legitimate interests pursued, where applicable), and the categories of personal data typically used for the relevant purpose.
Purpose | Legal basis |
Contractual performance. We may process your personal data (including sharing it with third parties, where appropriate) to perform, administer and manage any agreements we may have with you (e.g., your employment contract or share option agreement (if applicable)). | Contractual Necessity. |
Talent management. We may process your personal data (including sharing it with third parties, where appropriate) for talent management purposes. | Legitimate Interests. |
Business operation and improvement. We may process your personal data (including sharing it with third parties, where appropriate) to operate and improve our products and services and our business more generally. | Legitimate Interests. |
Systems and premises management. We may process your personal data (including sharing it with third parties, where appropriate) to operate, manage and secure our IT systems, premises and facilities. | Legitimate Interests. |
Compliance and protection. We may process your personal data (including sharing it with third parties, where appropriate) for compliance and protection purposes (including the establishment, exercise or defence of legal claims). | Depending on the circumstances: Compliance with Law or Legitimate Interests. |
Data sharing in the context of corporate transactions. We may process and disclose personal data in the context of actual or prospective corporate transactions. | Legitimate Interests. |
Privacy Protective Steps. We may create aggregated, de-identified and/or anonymised data from your personal data. | Legitimate Interests. |
Further uses. In some cases, we may use your personal data for further uses, in which case we will ask for your consent to such use of your personal data for those further purposes in so far as they are not compatible with the initial purpose for which information was collected. | Consent or the original legal basis where the relevant further use is compatible with the initial purpose. |
Where we use any ‘special categories’ of personal data (e.g., your health data), we rely on the following conditions:
- We may need to process that data to carry out our legal obligations or exercise rights in connection with employment and our role as an employer (e.g., dealing with your sickness, sick-pay, accidents at work, etc.).
- We may need to process that data because it is necessary for reasons of substantial public interest (e.g., for equal opportunities monitoring, preventing or detecting unlawful acts, etc.).
- We may need to process that data because it is necessary for the establishment, exercise or defence of legal claims (including regulatory, administrative or any out-of-court procedure, and seeking advice).
Who we share your personal data with
As part of our business and in relation to your employment, we may share your personal data with certain third parties – please see the list below for information about the categories of such third-party recipients:
Affiliates. Our group companies, subsidiaries, and other affiliates under the control of the corporate parent. For example, this may occur:
- to enable our group to operate shared infrastructure, systems and technology;
- as part of our reporting activities on performance of the group and its members;
- in the context of a business reorganisation or restructuring exercise; and
- to enable participation in any share plans, pension arrangements or benefits operated or procured by particular group members for the benefit of our employees, so as to enable us to administer those plans, schemes and benefits.
Service providers. Providers of services to Kohler or our group. For example, this may involve sharing of personal data with such providers for the purposes of:
- payroll administration, benefits and wellness;
- human resources, occupational health, performance management, training;
- expense management, travel, transportation and accommodation;
- IT systems and support, information and physical security;
- background checks and other screenings;
- equity award administration;
- corporate banking and credit cards; and
- insurance brokers, claims handlers and loss adjusters, and any necessary third-party administrators, nominees, registrars or trustees appointed in connection with benefits plans or programs.
Employee benefits providers. Providers of services to eligible employees as part of our employee benefits program, who need your information to verify your eligibility and provide you with services. For example, this may include: financial advisors and institutions, pensions providers, insurance providers and intermediaries (such as health insurance providers), and providers of health, fitness, wellness, childcare and concierge services.
Professional advisers. Accountants, auditors, lawyers, insurers, bankers, and other professional advisors.
Our marketing audience. Current and prospective customers and other business contacts with whom we share your Kohler bio, which may be shared on our website or in other publicly available marketing materials and communications as part of our marketing activities.
Customers and business partners. Customers, other companies and individuals with whom Kohler does business or is exploring a business relationship.
Parties involved in corporate transactions. We may disclose personal data in the context of actual or prospective business transactions (e.g., investments in Kohler, financing of Kohler, or the sale, transfer or merger of all or part of our business, assets or shares), for example, we may need to share certain personal data with prospective counterparties and their advisers. We may also disclose your personal data to an acquirer, successor, or assignee of Kohler as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal data is transferred to one or more third parties as one of our business assets. Please note, we would always look to take steps to minimise the amount and sensitivity of any personal data shared in these contexts where possible and appropriate.
Compliance and protection related sharing. We may need to, or may have a legitimate interest in, sharing your personal data with entities that regulate or have jurisdiction over us (such as regulatory authorities, public bodies and judicial bodies). We may also share your personal data in the context of protecting our, your or others' rights, privacy, safety or property (including by establishing, making and defending legal claims).
Future employers and their vendors. Future employers and their vendors where you ask that we provide references or where we are otherwise required to provide such references by law.
Other third parties where requested. We may disclose personal data to other third parties who provide additional services to you (e.g. your mortgage provider) where you ask us to do so.
Data transfers
We may share your personal data with third parties who are based outside the UK (including with certain of our Affiliates) in connection with the processing of personal data described in this Privacy Notice.
In such circumstances, their processing of your personal data will involve a transfer of your personal data to countries based outside the UK. Whenever we transfer your personal data outside the UK, we try to ensure a similar degree of protection is afforded to it by making sure that at least one of the following mechanisms is implemented:
- Transfers to territories with an adequacy decision. We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government from time to time.
- Transfers to territories without an adequacy decision. We may transfer your personal data to countries that have not been deemed to provide an adequate level of protection for personal data by the UK Government – provided that, in these cases:
  - we may use specific appropriate safeguards, which are designed to give personal data effectively the same protection it has in the UK (e.g., the UK’s International Data Transfer Agreement); or
  - in limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer your personal data to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – e.g., reliance on your explicit consent to that transfer or because it is necessary for the establishment, exercise or defence of legal claims (including regulatory, administrative or any out-of-court procedure, and seeking advice).
You can contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK. You may have the right to receive a copy of the appropriate safeguards under which your personal data is transferred – you can make a request by contacting us using the contact details shown in the “Who We Are and How to Contact Us” section above.
How we keep your personal data secure
We have put in place security measures designed to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
How long we store your personal data
Kohler’s retention periods for personal data are based on business needs and legal requirements. We retain personal data for as long as is necessary for the processing purpose(s) for which it was collected, as set out in this Privacy Notice, and any other permissible, related purposes. For example, we may retain certain information to comply with regulatory requirements regarding the retention of such data, or in the event a litigation hold is imposed.
When personal data is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the personal data.
No automated decisions
Kohler does not envisage that you will be subject to decisions or profiling that will have a significant impact on you based solely on automated decision-making.
Appendix A
Detailed Processing Information
In the table below, we have set out in detail the purposes for which we may use your personal data, the legal bases we rely on in respect of each such purpose (including details of any legitimate interests pursued, where applicable), and the categories of personal data typically used for the relevant purpose.
Processing activities | Personal data | Legal basis |
Contractual performance
We may process your personal data (including sharing it with third parties, where appropriate) to perform, administer and manage any agreements we may have with you (e.g., your employment contract), including:
· administering payroll, wages and other compensation;
· granting and administering equity awards, bonuses, commissions and other incentive awards;
· administering and evaluating employee benefits, including healthcare and pensions;
· maintaining contact details of your designated dependents and beneficiaries and communicating with them as necessary in the administration of your employee benefits and awards;
· administering and evaluating vacation, paid time off, sick leave, and other leaves of absence;
· assisting with obtaining an immigration visa or work permit; and
· otherwise administering our employment relationship with you or performing our agreements with you.
|
· Contact information
· Identification information
· Immigration status
· Compensation, benefits and payroll information
· Information about related persons
· Credentials, technology, access and system information
· Expenses and travel information
· Healthcare, welfare, and medical information
· Biometric information
|
Contractual Necessity |
Talent management
We may process your personal data (including sharing it with third parties, where appropriate) for talent management purposes, including:
· improving our application and/or recruitment process, including improving diversity;
· providing training and career development opportunities;
· in connection with performance and compensation evaluation and promotions;
· administering business expense tracking, reimbursements and travel;
· informing you of, or inviting you to participate in, any benefits programmes, share plans or similar operated or procured by us or any other member of the group;
· administering employee transfers, reassignments and secondments;
· conducting employee surveys and soliciting employee feedback;
· performing background, reference, or credit checks, where these are not required by law;
· managing disciplinary matters, grievances and terminations; and
· communicating with you.
|
· Contact information
· Identification information
· Biographical information
· Professional qualifications
· General employment information
· Compensation, benefits and payroll information
· Performance information
· Credentials, technology, access and system information
|
Legitimate Interests. We have a legitimate interest in assessing, managing, incentivising and rewarding our employees. |
Business operation and improvement
We may process your personal data (including sharing it with third parties, where appropriate) to operate and improve our products and services and our business. For example, this may include:
· developing, improving and innovating in respect of present and future products and services, business plans and strategies and associated operations;
· managing and allocating assets and personnel, maintaining internal personnel directories, strategic planning and project management, budgeting, financial management and reporting, recordkeeping and archiving, and for business continuity;
· operating our products and/or services;
· promoting our business; and
· communicating with our vendors and clients.
|
· Contact information
· Biographical information
· General employment information
· Compensation, benefits and payroll information
· Performance information
· Credentials, technology, access and system information
· Expenses and travel information
|
Legitimate Interests. We have a legitimate interest in operating, developing and improving our business and our products and services. |
Systems and premises management
We may process your personal data (including sharing it with third parties, where appropriate) to operate, manage and secure our IT systems, premises and facilities, including:
· providing information technology resources and support;
· operating, maintaining and protecting the security of our network systems and devices;
· monitoring offices and facilities, IT and communications systems, devices, equipment and applications through manual review and automated tools such as security software, website and spam filtering software, and mobile device management software (including for the purposes of monitoring compliance with our policies, procedures and applicable laws (such as the UK GDPR and other applicable privacy laws));
· ensuring physical security, including by controlling access to and monitoring our physical premises (including using security cameras and keycard scans) to help protect the rights, safety and property of Kohler and our group, our staff and representatives, you and others;
· investigating and responding to security and other incidents; and
· for business continuity and disaster recovery.
|
· Contact information
· Information about related persons
· Credentials, technology, access and system information
· Information needed to evaluate accommodation requests
|
Legitimate Interests. We have a legitimate interest in managing and securing our IT systems, premises and facilities, including conducting monitoring and investigations for these purposes. |
Protection of health and vital interests
We may process your personal data (including sharing it with third parties, where appropriate) to protect your vital interests or those of a third party. This may include:
· the processing and disclosure of your data to relevant health authorities and/or health care providers in the event of a medical emergency.
|
Any and all data types relevant in the circumstances. |
Vital Interests. We may need to process and share your personal data where necessary to protect your (or someone else's) vital interests – this typically means matters of life and death. |
Compliance and protection
We may process your personal data (including sharing it with third parties, where appropriate) for compliance and protection purposes, including to:
· comply with applicable laws (including in relation to tax), lawful requests, and legal process, such as to respond to warrants, subpoenas, investigations or requests from government authorities;
· protect our proprietary and confidential information and intellectual property;
· protect our, your or others’ rights, privacy, safety or property (including by establishing, making and defending legal claims);
· audit our internal processes for compliance with legal and contractual requirements or our internal policies;
· look to protect the health and safety, including the personal safety and security of employees, contractors, vendors, clients and other visitors;
· verify identity and eligibility to work;
· conduct criminal background checks where required or appropriate to do so as a result of your role;
· comply with equal opportunities monitoring requirements. Without limitation to the foregoing, we may use your diversity-related personal data (such as race or ethnicity) in order to comply with legal obligations relating to diversity and anti-discrimination.
|
Any and all data types relevant in the circumstances. |
Compliance with Law.
Legitimate Interests. Where Compliance with Law is not applicable, we and any relevant third parties have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We and any relevant third parties may also have a legitimate interest in ensuring the protection, maintenance, and enforcement of our and their rights, property, and/or safety.
|
Data sharing in the context of corporate transactions
We may process and disclose personal data in the context of actual or prospective corporate transactions (for more information – see the details in “Who we share your personal data with” in the main body of the Privacy Notice).
|
Any and all data types relevant in the circumstances. |
Legitimate Interests. We and any relevant third parties have a legitimate interest in providing information to relevant third parties who are involved in an actual or prospective corporate transaction (including to enable them to investigate – and, where relevant, to continue to operate – all or relevant part(s) of our operations). |
Privacy Protective Steps
We may create aggregated, de-identified and/or anonymised data from your personal data and that of other individuals whose personal data we collect. We make personal data into de-identified and/or anonymised data by removing information that makes the data identifiable to you.
|
Any and all data types relevant in the circumstances. |
Legitimate Interests. Where Compliance with Law is not applicable, we have a legitimate interest, and believe it is also in your interests, that we are able to take these privacy protective steps. |
Further uses
In some cases, we may use your personal data for further uses, in which case we will ask for your consent to use of your personal data for those further purposes if they are not compatible with the initial purpose for which information was collected.
|
Any and all data types relevant in the circumstances. |
Consent, if the relevant further use is not compatible with the initial purpose for which the personal data was collected.
The original legal basis relied upon (which will be as set out in this Privacy Notice) if the relevant further use is compatible with the initial purpose for which the personal data was collected.
|