EFFECTIVE: May 21, 2018
1.0 PURPOSE OF THIS POLICY
1.1 Gerber Technology (“the Company”) will follow the principles in this Policy regarding the collection, use, storage, transfer, and destruction of “Personal Information” by the Company or its agents (as defined below). The Company will adhere to legal and contractual requirements for protecting Personal Information.
2.0 SCOPE OF THIS POLICY
2.1 This Policy applies to Gerber Technology as well as all of its operating companies, employees, agents and contractors working on its behalf worldwide. The Company will extend this Policy to third parties that access and/or process Personal Information on its behalf.
2.2 For Personal Information collected in the European Union (“EU”), this Policy is intended to address compliance with the EU’s General Data Protection Regulation (“GDPR”), effective May 25, 2018.
2.3 In accordance with the law of the State of California, U.S.A., California residents may request and obtain information (if any) that the Company shared within the prior calendar year with other businesses for direct marketing use (as defined by California’s “Shine the Light Law”), using the contact information provided in this Policy.
2.4 In accordance with Connecticut, U.S.A. law, Gerber Technology protects the confidentiality of, prohibits unlawful disclosure of, and limits access to Social Security numbers (“SSNs”). The Company does not intentionally communicate SSNs to the general public, print SSNs on any document required for an individual to access products or services, require an individual to transmit SSNs over an unencrypted electronic connection, or require an individual to use SSNs to access a Gerber Technology Internet or Intranet web site unless a password or other unique identifier is also required.
3.0 TERMS USED IN THIS POLICY
3.1 "Agent" means any third party that controls or processes Personal Information to perform tasks on behalf of and under the instructions of Gerber Technology.
3.2 “Data Breach(es)” is any set of circumstances that involves actual or a reasonable possibility of unauthorized access to or possession of, or the loss or destruction of Personal Information. The circumstances contributing to a breach may be unintentional or accidental and the access, loss, or destruction may be confirmed or only suspected. Personal Information can be lost or destroyed in many ways, such as by stolen computer hardware (e.g., laptops), physical destruction or compromise due to natural disaster or accidents (e.g., flood of an office, destroying the only copy of certain records); and inability to access the only copy of data on a server if there is no anticipated resolution or the inability to access lasts for more than a week. Data Breaches can include unauthorized access, possession or denial of service at a third party.
3.3 “Personal Information” means information relating to an identified or identifiable natural person, regardless of the medium in which the information is collected, processed, or transferred. The term includes Sensitive Personal Information. The term includes information about a Gerber Technology director, employee, contractor, contract laborer, customer, supplier, or other third party. Anonymous, pseudonymized, or aggregate information used for statistical, historic, and scientific or other purposes is excluded. The term includes information collected, processed, and/or transferred in any format, including but not limited to hard copy, electronic, video recording, and audio recording.
3.4 “Sensitive Personal Information” is a subset of Personal Information and means information relating to an identified or identifiable person that involves racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; sexual preference; sex life; or the commission or alleged commission of any crime.
4.0 GERBER'S PRIVACY COMMITMENTS
4.1 Compliance with Laws and Regulations: Gerber Technology complies with laws and regulations applicable to its operating units worldwide that relate to the protection of Personal Information. Local laws, regulations, and other pertinent restrictions will apply to the extent of any conflicts with this Policy. The GDPR shall govern in the event of any conflict with this Policy.
4.2 Collection, Use, and Retention of Personal Information:
4.2.1 Gerber Technology collects, uses, and retains Personal Information only as necessary and appropriate for legitimate business and legal purposes, ensuring that the collection, processing, and transfer of Personal Information are adequate, relevant, and not excessive in relation to the purpose or purposes for which the information is processed.
4.2.2 Collection and uses by the Company of the Personal Information of directors, employees and third parties include the collection and use of Personal Information described in detail in Exhibit 1. In some cases, such as with human resources data, the data are necessary in order for Gerber Technology to manage employment relationships and contractual agreements regarding pay and benefits.
4.2.3 The Company does not keep Personal Information for longer than needed for the purpose(s) for which it was collected, unless otherwise required by law or with the data subject's consent.
4.3.1 When Gerber Technology collects Personal Information directly from individuals, it informs them about the purposes for which it collects and uses Personal Information about them, the types of agents to which the Company discloses that information, and the choices and means it offers for limiting its use and disclosure. The Company identifies the purposes for which it is collecting Personal Information and does not process the Personal Information for any incompatible purpose(s) unless supported by consent of the individual data subject, a legal obligation, a threat of physical harm, or another legitimate interest recognized by law.
4.3.2 Notice is provided in clear and conspicuous language when individuals are first asked to provide such information to Gerber Technology, or as soon as practicable thereafter, and in any event before the Company uses the information for a purpose other than that for which it was originally collected. Privacy notices shall be accessible to data subjects and posted online, whenever practicable.
4.3.3 Gerber Technology provides appropriate notices regarding individuals’ rights of access, correction, and updating. The Company ensures that an individual is given the chance to discuss the results of any automated decision-making (such as employee background checks) before any negative action is taken based on that decision-making.
4.3.5 Each privacy notice is reviewed by the system owner at least once every three years to ensure that it is current and accurate. Where required by law, Gerber Technology ensures that Sensitive Personal Information is collected online only with an individual’s explicit consent, via a meaningful opt-in approach, and is appropriately protected against improper use.
4.4.1 Depending on the location in which the data subject lives, local laws may require that the data subject give specific consent for the collection, use and disclosure of Personal Information for some of the purposes described in Exhibit 1. Individuals who opt-in are notified of the process to follow in exercising this choice.
4.4.2 Where required, Gerber Technology asks for consent by appropriate and permitted means. The Company offers individuals the opportunity to opt-out of providing Personal Information if it is to be (1) disclosed to an Agent, or (2) used for a purpose other than the purpose for which it was originally collected or subsequently authorized. It may occasionally inform individuals of offers available from selected non-agent third parties. For Sensitive Personal Information, it gives individuals the opportunity to affirmatively and explicitly opt-in prior to (1) disclosing the information to a non-agent third party, or (2) using the information for a purpose other than the purpose for which it was originally collected or subsequently authorized. The Company offers appropriate opportunities to opt-out when using Personal Information for direct marketing.
4.5 Access & Correction:
4.5.1 Gerber Technology takes reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current.
4.5.2 As described in Exhibit 2, Gerber Technology grants individuals reasonable access to their Personal Information. In addition, the Company takes reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. In addition, the data subject has the right to object to the data processing as well as the right to data portability. If explicit consent has been provided for the processing of data, then the data subject has the right to withdraw that consent at any time.
4.6 Data Security:
4.6.1 Gerber Technology takes reasonable precautions to protect Personal Information in its possession from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. The Company’s computer networks and systems, including Internet and Intranet-based applications, are designed to protect Personal Information from unauthorized access, loss, disclosure, or use. Personal Information is made available within the Company only to those persons who possess a business need-to-know.
4.6.2 Gerber Technology maintains systems and procedures to assure the security and integrity of Personal Information, whether provided by employees, generated by the Company and its operating companies, or otherwise provided by agents or third parties. These measures include reasonable restrictions upon physical access to hard copy records containing Personal Information and the storage of such records in locked facilities, storage areas, or containers.
4.6.3 The security program identifies and assesses reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any records containing Personal Information, and evaluates and improves, where necessary, the effectiveness of the current safeguards for limiting such risks. The program includes:
4.6.4 Gerber Technology periodically reevaluates these measures to ensure they remain current, reasonable, and appropriate.
4.6.5 Gerber Technology does not transfer Personal Information from one country to another or from one legal entity to another unless properly supported by law and under appropriate security measures for the data while in transit and in storage.
4.6.6 Gerber Technology ensures that handling of employees’ and third parties’ Personal Information is consistent with the relevant Privacy Notice for the information in question, subject to local supplement or amendment to ensure compliance with local law.
4.6.7 Gerber Technology takes proper care of personal government-issued identification numbers by protecting the confidentiality, limiting collection, ensuring access on a need-to-know basis, implementing appropriate safeguards, including but not limited to encryption, and ensuring proper disposal in accordance with Gerber Technology’s document and data retention policies and practices.
4.7 Data Breaches:
4.7.1 Gerber Technology maintains and implements a Data Breach response plan to respond to and remediate any actual data breaches, and discloses breaches involving Personal Information, as appropriate and as legally required.
4.8 Transfers of Personal Information To Third Parties:
4.8.1 Personal Information is used by and shared among Gerber Technology entities, agents (e.g., IT and other professional and nonprofessional services, benefit plan sponsors and administrators, etc.), applicable government organizations and agencies, and third parties as permitted or required by law, regulation, or court order. Gerber Technology shares Personal Information with companies Gerber Technology acquires and transfers and to effect the divestiture of companies Gerber Technology divests.
4.8.3 Gerber Technology and its operating units execute and maintain the model clauses (also called the standard contractual clauses) adopted by the European Commission as an authorization for the transfer of Personal Information from the EEA to the U.S. Gerber Technology and its operating units comply with the requirements of the model clauses for intra-company transfers.
4.8.4 Where Gerber Technology has knowledge that a transferee is using or disclosing Personal Information in a manner contrary to this Policy, Gerber Technology takes reasonable steps to prevent or stop the use or disclosure, up to and including termination of our contractual or other business relationship with the agent.
4.9 Privacy Risk Assessment:
4.9.1 Gerber Technology maintains an effective privacy risk assessment process to evaluate Company-wide risks and to develop appropriate mitigation plans. The Privacy Risk Assessment process reviews Gerber Technology’s overall collection, processing (including storage and destruction), and transfer of Personal Information and is updated as needed.
4.9.2 Whenever Gerber Technology or an operating unit seeks to implement a new or modified system, or to use a new third party or modify its use of a third party, to collect, process, or transfer Personal Information, a written Privacy Impact Assessment is completed before adoption of the new or modified process or new or modified use of the third party. A Privacy Impact Assessment must be completed only for systems or service providers that collect, process, or transfer Personal Information and for the launch of a new system or service provider or substantial modification of a system or use of the service provider involving Personal Information.
4.10 Governance & Training:
4.10.1 Gerber Technology ensures that individuals who in any material way are involved in the collection, use, and storage of Personal Information, including designing, modifying, or managing automated systems, are trained to identify privacy concerns, to receive privacy complaints, and to forward both to the appropriate resources for review and resolution. Gerber Technology's privacy compliance governance is exercised as described in Exhibit 3.
4.10.2 Gerber Technology ensures that all professional staff and employees who handle Personal Information as an integral part of their responsibilities receive periodic training on data privacy and security.
4.10.3 Education and training are provided to all employees on the proper use of the computer security systems and the importance of information security, e.g., limiting collection and storage of unneeded information; use of encryption; restricting access to drives, folders, and files; recognizing risks to information security posed by file sharing programs.
4.10.4 Gerber Technology has a strategic communications plan to raise awareness and educate employees and third parties, as appropriate, regarding data privacy and security.
4.10.6 Gerber Technology enforces this Policy and any implementing procedures. Failure to adhere to this Policy or its implementing procedures may lead to disciplinary action for employees, up to and including dismissal, and termination of its contractual relationship with Gerber Technology for third parties.
5.0 QUESTIONS & DISPUTES
5.1 Questions or concerns from persons regarding a particular website or system should be addressed to the contact listed in the privacy notice provided on that website or system.
5.2 Requests for access or correction from employees should be addressed to their local Human Resources representative, in accordance with Exhibit 2.
5.3 Complaints or questions regarding compliance with this Policy should be directed to:
SVP, Global Human Resources
Gerber Technology, LLC
24 Industrial Park Road West
Tolland, CT 06084 USA
6.0 CHANGES TO THIS POLICY
Exhibit 1 - Types of Personal Information We Collect & Use
The types of Personal Information Gerber Technology collects and shares depend on the nature of the individual’s relationship with Gerber Technology (e.g., officer, employee, applicant for employment, website visitor, customer, supplier, other third party) and the provisions/restrictions of applicable laws. Examples of this information and its uses include:
Exhibit 2 - Accessing & Correcting Your Personal Data
For Gerber Technology employees and third parties who are subject to the European Union’s General Data Protection Regulation, normally within one month (subject to certain exceptions) after receipt from you (or from a competent legal representative you designate), Gerber Technology is committed to providing you with the following:
You may request a copy of your personal data that are being processed. Copies will be provided in a structured, commonly used, machine-readable format that supports reasonable re-use in commonly-available IT systems and applications. Upon reasonable request, Gerber Technology will transfer your personal data from one data controller to another, store your personal data for further personal use on a private device, and/or have your personal data transmitted directly from Gerber Technology to another controller without hindrance. This is not applicable to personal data you did not provide to Gerber Technology directly, and Gerber Technology is not obligated to retain your personal data for longer than is otherwise necessary or if no longer legally available.
Normally, Gerber Technology does not charge any costs or fees for the above. However, as provided by law, we reserve the right to charge a reasonable fee for repetitive, excessive, or unfounded requests, and for additional copies.
Gerber Technology takes all reasonable measures to ensure that inaccurate or incomplete personal data are erased or rectified. You have the right to inform Gerber Technology of any discrepancies or inaccuracies and to rectification of inaccurate personal data.
You have the right to restrict the continued processing of your personal data if:
If Gerber Technology has disclosed your personal data to any third parties, and you subsequently exercise any of the rights described above, Gerber Technology will notify those third parties unless it is impossible or would require disproportionate effort. You may request the identity of those third parties. In exceptional cases where Gerber Technology has made your data public, Gerber Technology will take reasonable steps (taking costs into account) to inform relevant third parties.
Questions regarding implementation of these requirements should be addressed as described elsewhere in this Policy.
The Information Security and Privacy Subcommittee of Gerber Technology's Ethics & Compliance Committee is charged with evaluating Gerber Technology's information security and privacy policies, procedures, and operations to set the strategic direction for the Company's information privacy and security programs. The subcommittee consists of senior executives from each of the following organizations: Information Technology, Human Resources, Finance, and Marketing, supported as needed by other subject matter experts.
The Subcommittee is responsible for:
Gerber Technology has elected not to appoint a Data Protection Officer ("DPO") having the duties and responsibilities delineated in Articles 37-39 of the GDPR. Gerber Technology does not fall within the standards of the GDPR for mandatory appointment of a DPO. A privately-held company such as Gerber Technology is not required under the GDPR to have a formal DPO. Our core business activities do not involve monitoring data subjects, do not infringe on those data subjects’ rights, and involve no collection or processing of "special category" personal information. We are neither a consumer products company nor one heavily reliant on personal information collected from our employees, customers, or suppliers. We manage mainly internal employee data, mostly within the US and the EU, most of which are required for legal compliance reasons (e.g., tax, pensions, etc.). Data obtained from customers and suppliers is narrowly framed to support our business contacts and contractual relationships and not for intrusion into the personal details of third parties or other purposes not directly related to our business with our customers and suppliers. Therefore, after careful review, we determined that a DPO in Gerber Technology would neither be gainfully occupied nor represent a significant risk mitigation.
Questions regarding our program should be addressed as provided elsewhere in this Policy.
EXHIBIT 4 – Legal Entity Listing
AIP CF VI AIV Gerber (Cayman) LP
AG US Funding LLC
AG Holding (Cayman) LP
AIP G (Cayman) Ltd
Knife Holding Corporation
AG JV (Cayman) LP
AG Guarantor LLC
AG Finco LLC
AG UK Acquireco Ltd.
Gerber Scientific LLC
Gerber Technology NV
Virtek Vision International ULC
Gerber Technology SrL
Gerber Technology S.L.
Gerber Technology Sp.z.o.o.
Gerber Technology Pty Ltd.
Gerber Technology SAS
Gerber Technology LLC
Yunique Solution LLC
Gerber Scientific (Shanghai) Co Ltd.
Gerber Technology S. de R.L de C.V.
AG Holding Mexico LLC
Gerber Technology GmbH
Gerber Scientific International LDA
Gerber Coburn Optical UK
Gerber Scientific International Ltd.
Gerber Technology Ltd.
Gerber Scientific UK Ltd.
Gamma Computer Tech Co., Ltd.
Ultramark Adhesive Products Ltd.
Gerber Scientific International (Cambodia) Co. Ltd
Gerber Scientific International
Gerbertec Maroc SARL
Gerber Scientific International (Vietnam) Co., Ltd
Vector (Gerber) Lux 2, s.a.r.l.
See Exhibit 4 for legal entity listing.