Run: Privacy Notice Employee Policy

Employee privacy notice policy for explaining what workforce data is collected, why it is used, who receives it, how long it is kept, and how employees can e...

Purpose

This Employee Privacy Notice explains how the company collects, uses, discloses, stores, and retains personal data relating to employees, contractors, temporary workers, and, where applicable, job applicants. It also describes the rights available to individuals under the **CCPA**, **CPRA**, and **GDPR**, and the safeguards we use to protect employee information. This notice is intended to support transparent HR data practices and should be read together with any local notices, consent forms, employment agreements, and data retention schedules.

Scope

This policy applies to all personnel records and employee-related data processed by the company, including data collected during recruitment, onboarding, employment, leave administration, performance management, payroll, benefits administration, workplace safety, investigations, IT access management, and offboarding. **California employees:** additional disclosures may apply under the CCPA and CPRA. **EU/UK employees:** processing is also subject to GDPR lawful-basis and transparency requirements. This policy does not replace mandatory notices required by local labor, tax, benefits, or workplace monitoring laws.

Definitions

For purposes of this policy:

- **Personal data / personal information** means information that identifies, relates to, describes, or could reasonably be linked to an employee or other covered individual.
- **Sensitive personal information** includes government identifiers, financial account details, precise geolocation, health information, biometric data, and other data classified as sensitive under applicable law.
- **Processing** means collecting, using, storing, disclosing, analyzing, or otherwise handling personal data.
- **Recipient** means a person or entity that receives personal data, including service providers, vendors, affiliates, and government authorities.
- **Retention period** means the length of time data is kept before deletion, anonymization, or archival in accordance with law and business need.
- **Data subject rights** means the rights available to individuals under applicable privacy law, including access, correction, deletion, portability, restriction, and objection where applicable.

Policy Statement

The company will collect and process employee personal data only for legitimate business, legal, and employment-related purposes, and only to the extent reasonably necessary for those purposes. We will provide notice of the categories of personal data collected, the purposes for which the data is used, the categories of recipients, and the retention criteria used to determine how long data is kept. We will not sell employee personal data in the ordinary course of business. If any disclosure is considered a sale, sharing for cross-context behavioral advertising, or otherwise subject to opt-out rights under the **CCPA/CPRA**, the company will provide the required notice and choice mechanisms. We will maintain appropriate administrative, technical, and physical safeguards to protect employee data against unauthorized access, disclosure, alteration, or destruction.

Data Categories, Purposes, and Recipients

The company may collect and process the following categories of employee data:

1. **Identity and contact data**: name, address, phone number, email address, emergency contacts, and government-issued identifiers where required by law.
2. **Employment and payroll data**: job title, department, manager, compensation, tax forms, timekeeping records, attendance, overtime, and benefits enrollment information.
3. **Recruitment and onboarding data**: application materials, interview notes, background check results where permitted, eligibility-to-work documentation, and offer-related records.
4. **Performance and workplace data**: performance reviews, disciplinary records, documented warnings, PIPs, training records, and policy acknowledgements.
5. **IT and security data**: system credentials, access logs, device identifiers, network activity, and security monitoring data.
6. **Health, leave, and accommodation data**: leave requests, FMLA records, ADA accommodation requests, workers' compensation information, and related medical documentation where permitted.
7. **Compliance and investigation data**: ethics reports, whistleblower reports, audit records, and investigation materials.

Common recipients may include HR personnel, payroll providers, benefits administrators, IT and security vendors, legal counsel, auditors, insurers, government agencies, and affiliated entities that support employment administration. Recipients are limited to those with a business need to know, and service providers are required to use the data only for authorized purposes.

Retention and Disposal

Employee data will be retained only for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, enforce agreements, and support legitimate business operations. Retention periods may vary by record type, including payroll, tax, benefits, leave, safety, and disciplinary records. Where a specific legal retention period applies, the company will follow that requirement. Where no fixed period applies, the company will use documented retention criteria based on business need and risk. At the end of the retention period, records will be securely deleted, destroyed, anonymized, or archived in accordance with the company's records management procedures.

Employee Rights and Request Process

Subject to applicable law, employees may have the right to:

- request access to personal data we hold about them;
- request correction of inaccurate information;
- request deletion of certain information, where permitted;
- request information about categories of data collected, used, disclosed, or retained;
- request portability of certain data;
- object to or restrict certain processing, where applicable;
- withdraw consent where processing is based on consent;
- appeal a denied request where required by law.

**California employees:** rights may include notice at collection, access, correction, deletion, and information about categories of personal information collected, used, disclosed, or retained under the **CCPA/CPRA**.

**EU/UK employees:** rights may include access, rectification, erasure, restriction, portability, and objection under the **GDPR**.

Requests should be submitted to HR or the designated privacy contact. The company will verify identity before responding and will respond within the timeframes required by applicable law.

Roles & Responsibilities

**HR** is responsible for collecting and maintaining employee records, coordinating responses to privacy requests, and ensuring retention schedules are followed. **Legal / Compliance** is responsible for interpreting applicable privacy obligations, reviewing disclosures, and handling escalations. **IT / Security** is responsible for access controls, logging, monitoring, and technical safeguards. **Managers** must collect only the minimum employee information needed for legitimate business purposes and must not share employee data outside approved channels. **Employees** must protect confidential employee information they access and report suspected privacy incidents promptly.

Compliance, Exceptions, and Enforcement

Failure to follow this policy may result in access restrictions, corrective action, up to and including termination of employment, and other remedies permitted by law. Exceptions to this policy must be approved in writing by Legal or Compliance and documented with the business justification and duration of the exception. Nothing in this policy limits rights protected by law, including rights under the **NLRA** for protected concerted activity, wage and hour recordkeeping obligations under the **FLSA**, or anti-discrimination and accommodation obligations under the **EEOC**, **Title VII**, **ADA**, and **FMLA**.

Review & Revision

This policy will be reviewed at least annually and updated when laws, business practices, or data processing activities change. The policy holder is responsible for ensuring the notice remains accurate, jurisdiction-specific carve-outs are maintained, and any material changes are communicated to affected personnel. Version history should be retained with the policy record.

Generated with MangoApps Templates