Ball

EU/Swiss Safe Harbor Privacy Policy

Introduction
Ball Corporation (“Ball” or “the Company”) complies with the U.S. – EU/Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries.  Ball has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and certification. Please visit http://www.export.gov/safeharbor/ for our certification of compliance.

To provide an adequate level of protection for Personal Data received from the European Union, Ball adheres to the seven Safe Harbor Principles developed by the United States Department of Commerce, and the European Commission.  This Safe Harbor Privacy Policy (the “Policy”) sets forth the privacy principles that Ball follows when processing Personal Data received from the E.U. The privacy principles in this Policy are based on the seven Safe Harbor Principles referenced below.

1. Notice:  The Personal Data We Collect; How And Why We Collect It

Ball receives Personal Data from the E.U. pertaining to job applicants, employees, potential customers and customers (collectively “data subjects”) to assist its foreign subsidiaries and affiliates in administering the recruitment process, their employment relationship with employees located in the Member States, and their obligations, if any, to former employees, and to facilitate customer relationship management.  The Personal Data is stored in Ball’s human resources management system (HRMS) database for human resources data and in the customer relationship management (CRM) system for customer data.

Examples of the purposes for which Ball collects and uses Personal Data include, without limitation, recruitment; workforce management; to administer compensation, payroll, and benefits; to evaluate job performance and engage in succession planning; to administer physical and information systems security as well as help desk support; for emergency contact purposes; to address various legal obligations related to the employment relationship, including obligations in civil discovery; to administer training; to contact potential customers and customers, to manage customer relationships, to administer the Company’s compliance hotline; and to conduct internal audits.

The Personal Data that Ball receives from the E.U. consists largely of information provided by job applicants and employees such as resumes and complete job applications, personal contact information and date of birth.  Ball also may receive personal information about an applicant or employee which is created by one of its corporate affiliates, such as interview notes, business contact information, job title, job category, job status, compensation and benefits information, and performance reviews. Personal Data received pertaining to potential customers and customers as provided by these data subjects is generally limited to information on a business card such as name, business title and business postal address, email address and telephone number.

Before processing Personal Data of any employee who resides in an E.U. Member State, Ball provides the employee with a notice concerning the processing of their Personal Data.  Ball will not use or disclose Personal Data transferred from an E.U. Member State to the United States for any purpose that has not previously been disclosed to the employee unless: (a) the employee has received notice and an opportunity to exercise choice, as described below, with respect to such use or disclosure; or (b) applicable law permits the use or disclosure without requiring that Ball first comply with the Notice and Choice Principles.

2.  Choice:  How To Opt Out Of Collection Of Your Personal Data By Ball And Transfer To Third Parties

Ball will offer employees in the E.U. whose Personal Data has been transferred to the United States the opportunity to opt out from: (a) the disclosure of Personal Data to a non-agent Third Party; and (b) the use or disclosure of their Personal Data for a purpose other than the purposes for which the information originally was collected or subsequently authorized by the individual or a compatible purpose. If Ball were to receive “sensitive personal information” (which includes, for example, personal information specifying medical or health conditions, racial or ethnic origin, or trade union membership), Ball will request and obtain affirmative consent before disclosing such information to a non-agent Third Party and before using such information for a purpose other than the purpose originally disclosed or a compatible purpose.  Ball will provide employees with reasonable mechanisms to exercise their choices should such circumstances arise.

3. Onward Transfer:  Third Parties To Whom We May Disclose Your Personal Data

Ball will comply with the Notice and Choice Principles before transferring Personal Data to a Third Party who is not an agent of Ball.  Before transferring Personal Data to a third-party agent, Ball will obtain assurances from the agent that it will safeguard the data subjects’ Personal Data in a manner consistent with this Policy.  Where Ball learns that an agent is using or disclosing Personal Data in a manner contrary to this Policy, Ball will take reasonable steps to prevent such use or disclosure.

Disclosures to Third Parties, whether an agent of Ball or not, will be only for the purposes described in this Policy under the section entitled, “Notice,” for a compatible purpose, or for a purpose subsequently authorized by the data subject.  

4. Security For Your Personal Data

Ball strives to protect the Personal Data that it receives from the E.U.  While Ball cannot guarantee the security of the Personal Data that it receives, Ball takes reasonable precautions to protect the Personal Data in the Company’s possession from loss, misappropriation, unauthorized access, disclosure and destruction.

Ball utilizes a combination of online and offline security technologies, procedures and organizational measures to help safeguard Personal Data.  For example, facility security is designed to prevent unauthorized access to company computers.  Electronic security measures — including, for example, network access controls, passwords, and secure remote access — provide protection from hacking and other unauthorized access.   Ball also protects information through the use of firewalls, role-based restrictions, and, where appropriate, encryption technology.  Ball limits access to Personal Data to Ball’s employees and agents that have a specific business reason for accessing such Personal Data.  Individuals who have been granted access to Personal Data will be made aware of their responsibilities to protect such information and are provided training and instruction on how to do so.

5. Data Integrity, Accuracy, and Completeness:  How We Limit The Collection And Retention Of  Your Personal Data 

Ball collects only Personal Data that is necessary for the purposes listed in this Policy under the section entitled, “Notice.”  Ball will process the Personal Data only in ways that are for, or compatible with, the purposes for which the data was collected or that are subsequently authorized by the data subject.  Ball takes reasonable steps to ensure that the information it collects is accurate, complete, current, and reliable for its intended use.  Ball will retain Personal Data only for as long as is necessary to accomplish its legitimate business purposes or for as long as may be permitted or required by applicable law.

6. Access And Correction:  How You Can Exercise Your Rights

Upon reasonable request, Ball will grant data subjects reasonable access to their Personal Data and will permit them to correct, amend or delete Personal Data that is inaccurate or incomplete.  Data subjects who wish to review or update their Personal Data can do so by contacting Ball’s Global Data Privacy Office at privacy@ball.com. Ball may, in its discretion, charge a reasonable, cost-based fee for access or photocopying.  For security purposes, Ball may require verification of identity before providing access to Personal Data.

7. Enforcement:  What To Do If You Have a Complaint 

Ball will conduct periodic self-assessments of its relevant practices to verify adherence to this Policy and the Safe Harbor Principles.  Any employee who intentionally violates this Policy will be subject to disciplinary action up to and including termination of employment.  Any data subject who has a complaint concerning Ball’s processing of his or her Personal Data should contact Ball’s Global Data Privacy Office at
privacy@ball.com. Ball will investigate and attempt to resolve such complaints in accordance with the principles contained in this Policy. Any data subject who is not satisfied with the internal resolution of the complaint may seek redress with the national data protection or labor authority in the country where the data subject resides. 

You may address all communications to the Ball Global Data Privacy Office at 10 Longs Peak Drive, Broomfield, Colorado, 80021-2510 USA, or fax to +1-303-484-6041, or send an email to privacy@ball.com.  Please include your name, address and e-mail address in all communications and state clearly the nature of your request.

Changes to this Privacy Policy
Ball may revise this Policy at any time.  If we decide to materially change this Policy, we will post the revised policy at this location.  If, at any point, we decide to make any material changes in the way we process your Personal Data, we will make that information available by posting a notice on this site, and we will provide data subjects with choice as to whether or not we process their information in this different manner if it is incompatible with the purposes described in the section entitled, “Notice,” above.

Effective Date:  September 26, 2013