Introduction

Ball Corporation, Ball Metal Beverage Container Corp., Ball Aerosol and Specialty Container, LLC, and Ball Packaging LLC (“Ball” or “the Company”) comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Ball has certified the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF, and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”). If there is any conflict between this policy and the DPF Principles, the DPF Principles shall govern. To learn more about Ball’s DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Data Privacy Framework Principles

1. Notice: The Personal Data We Collect; How And Why We Collect It

Ball receives Personal Data from the EU, UK, and Switzerland (collectively, the “DPF Countries”) pertaining to job applicants, employees, former employees, potential customers, and customers (collectively “Data Subjects”) to assist its foreign subsidiaries and affiliates in administering the recruitment process, their employment relationship with employees located in the DPF Countries, their obligations (e.g., retirement plan obligations) to former employees, and to facilitate customer relationship management. The Personal Data is stored in Ball’s human resources management system (HRMS) database for human resources data and in the customer relationship management (CRM) system for customer data. 
 
Examples of the purposes for which Ball collects and uses Personal Data include, without limitation, recruitment; workforce management; to administer compensation, payroll, and benefits; to evaluate job performance and engage in succession planning; to administer retirement benefits; to administer physical and information systems security as well as help desk support; for emergency contact purposes; to address various legal obligations related to the employment relationship, including obligations in civil discovery; to administer training; to contact potential customers and customers, to manage customer relationships, to administer the Company’s compliance hotline; and to conduct internal audits and investigations. 
 
The Personal Data that Ball receives from the DPF Countries consists largely of information provided by job applicants, employees and former employees such as resumes and complete job applications, personal contact information and date of birth. Ball also may receive personal information about applicants, employees, or former employees which is created by one of its corporate affiliates, such as interview notes, business contact information, job title, job category, job status, compensation and benefits information, employee files, retirement benefit information, and performance reviews. Personal Data received pertaining to potential customers and customers as provided by these data subjects is generally limited to information on a business card such as name, business title and business postal address, email address, and telephone number. 
 
Before processing Personal Data of any employee who resides in the DPF Countries, Ball provides the employee with a notice concerning the processing of their Personal Data. Ball will not use or disclose Personal Data transferred from the DPF Countries to the United States for any purpose that has not previously been disclosed to the employee unless: (a) the applicant, employee, and former employee has received notice and an opportunity to exercise choice, as described below, with respect to such use or disclosure; or (b) applicable law permits the use or disclosure without requiring that Ball first comply with the Notice and Choice Principles.

2. Choice: How To Opt Out Of Collection Of Your Personal Data By Ball And Transfer To Third Parties

Ball will offer applicants, employees, former employees, or customers in DPF Countries whose Personal Data has been transferred to the United States the opportunity to opt out from: (a) the disclosure of Personal Data to a non-agent Third Party; and (b) the use or disclosure of their Personal Data for a purpose other than the purposes for which the information originally was collected or subsequently authorized by the individual or a compatible purpose where required by law. If Ball were to receive “sensitive personal information” (which includes, for example, personal information specifying medical or health conditions, racial or ethnic origin, or trade union membership), Ball will request and obtain affirmative consent before disclosing such information to a non-agent Third Party and before using such information for a purpose other than the purpose originally disclosed or a compatible purpose where required by law. Ball will provide applicants, employees, former employees, or customers with reasonable mechanisms to exercise their choices should such circumstances arise. Applicants, employees, former employees, and customers may submit inquiries relating to personal data via a web-based form found on www.ball.com by selecting Contact Us, General Inquiry Form, select your region, and “Personal Data Inquiry.”

3. Onward Transfer: Third Parties To Whom We May Disclose Your Personal Data

Ball is liable for onward transfers to third parties and will comply with the Notice and Choice Principles before transferring Personal Data to a Third Party who is not an agent of Ball. Before transferring Personal Data to a third-party agent, Ball will obtain assurances from the agent that it will safeguard the data subjects’ Personal Data in a manner consistent with this Policy. Where Ball learns that an agent is using or disclosing Personal Data in a manner contrary to this Policy, Ball will take reasonable steps to prevent such use or disclosure. Disclosures to Third Parties, whether an agent of Ball or not, will be for the purposes described in this Policy under the section entitled “Notice,” for a compatible purpose, or for a purpose subsequently authorized by the data subject. Ball may disclose human resource-related information, as described above in Section 1, to third parties who assist Ball in administering employee benefits programs, payroll programs, pension and other retirement programs, and information technology programs and security.

4. Security For Your Personal Data

Ball strives to protect the Personal Data that it receives from the DPF Countries. While Ball cannot guarantee the security of the Personal Data that it receives, Ball takes reasonable precautions to protect the Personal Data in the Company’s possession from loss, misappropriation, unauthorized access, disclosure, and destruction. Ball utilizes a combination of online and offline security technologies, procedures, and organizational measures to help safeguard Personal Data. For example, facility security is designed to prevent unauthorized access to company computers. Electronic security measures like network access controls, passwords, and secure remote access provide protection from hacking and other unauthorized access. Ball also protects information through the use of firewalls, role-based restrictions, and, where appropriate, encryption technology. Ball limits access to Personal Data to Ball’s employees and agents that have a specific business reason for accessing such Personal Data. Individuals who have been granted access to Personal Data will be made aware of their responsibilities to protect such information and are provided training and instruction on how to do so.

5. Data Integrity, Accuracy, and Completeness: How We Limit The Collection And Retention Of Your Personal Data

Ball collects Personal Data that is necessary for the purposes listed in this Policy under the section entitled “Notice.” Ball will process the Personal Data in ways that are for the purposes described in this Policy under the section entitled “Notice,” for a compatible purpose, or for a purpose subsequently authorized by the data subject. Ball takes reasonable steps to ensure that the information it collects is accurate, complete, current, and reliable for its intended use. Ball will retain Personal Data only for as long as is necessary to accomplish its legitimate business purposes or for as long as may be permitted or required by applicable law.

6. Access And Correction: How You Can Exercise Your Rights

Upon reasonable request, Ball will grant data subjects reasonable access to their Personal Data and will permit them to correct, amend or delete Personal Data that is inaccurate or incomplete. Data subjects who wish to review or update their Personal Data can do so by submitting inquiries relating to personal data via a web-based form found on www.ball.com by selecting Contact Us, General Inquiry Form, select your region, and “Personal Data Inquiry,” or by contacting Ball’s Critical Data Protection team at privacy@ball.com. Ball may, in its discretion, charge a reasonable, cost-based fee for access or photocopying. For security purposes, Ball may require verification of identity before providing access to Personal Data.

7. Enforcement: What To Do If You Have a Complaint

Ball will conduct periodic self-assessments of its relevant practices to verify adherence to this Policy and the DPF Principles. Any employee who intentionally violates this Policy will be subject to disciplinary action up to and including termination of employment. Any data subject who has a complaint concerning Ball’s processing of his or her Personal Data may submit the complaint via a web-based form found on www.ball.com by selecting Contact Us, General Inquiry Form, select your region, and “Personal Data Inquiry,” or by contacting Ball’s Critical Data Protection team at privacy@ball.com. Ball will investigate and attempt to resolve such complaints in accordance with the principles contained in this Policy. Any data subject who is not satisfied with the internal resolution of the complaint may seek redress with the applicable national data protection or labor authority in the country where the data subject resides.

SUPPLEMENTAL PRINCIPLES

1. Sensitive Data

Ball Corporation is not required to obtain affirmative express consent with respect to sensitive date where the processing is:
a. In the vital interests of the data subject or another person;
b. Necessary for the establishment of legal claims or defenses;
c. Required to provide medical care or diagnosis;
d. Carried out in the course of legitimate activities by a foundation, association, or any other non-profit body with a political, philosophical, religious, or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects;
e. Necessary to carry out the organization’s obligations in the field of employment law; or
f. Related to data that are manifestly made public by the individual.

2. Journalistic Exceptions

First Amendment must govern in the event that privacy and constitutional principles conflict. Ball Corporation will carefully review any situation in which such a conflict may arise.

3. Secondary Liability

Internet Service Providers, telecommunications carriers, and other organizations are not liable under the DPF Principles when on behalf of another organization they merely transmit, route, switch, or cache information.

4. Performing Due Diligence and Conducting Audits

At times, Ball Corporation hires auditors and investment bankers which may require personal data to perform certain tasks. Consent or knowledge of the individual is not required in certain circumstances where such auditors or investment bankers perform these duties pursuant to statutory or regulatory requirements, or in performing due diligence relating to a potential merger or acquisition of another organization. Premature disclosure of such activities, particularly in the context of a public company, could impede such negotiations and agreements, and as a result, investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without the knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of the DPF Principles would prejudice the legitimate interests of the organization or violate the law.

5. The Role of the Data Protection Authorities (DPAs)

Ball Corporation commits to employ effective mechanisms for assuring compliance with the the DPF Principles. Ball Corporation provides the following as it relates to the recourse, enforcement and liability principle:
a. Recourse for individuals to whom the data relates,
b. Follow-up procedures for verifying that the attestations and assertions the individuals have made about their privacy practices are true, and
c. Obligations to remedy problems arising out of failure to comply with the Principles.

Ball Corporation will complete the following:
a. Elects to satisfy the requirements #1 and #2 above;
b. Cooperate with EU DPAs, UK Information Commissioner’s Office, and the Swiss Federal Data Protection and Information Commissioner (FDPIC) (collectively, the "DPAs") in the investigation and resolution of complaints brought under the Frameworks; and
c. Comply with any advice given by the DPAs (in regards to customer data and in regards to human resource data transferred from the DPF Countries in the context of the employment relationship) where the DPAs take the view that the organization needs to take specific action to comply with the DPF Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the DPF Principles, and will provide the DPAs with written confirmation that such action has been taken.

6. Self-Certification

Ball Corporation will comply with all of the Department’s self-certification submission requirements. Ball will ensure compliance with the Privacy Principles and will work its existing commercial relationships with third parties to ensure conformity as soon as possible and within three months from the date upon which Ball Corporation certified to the DPF Principles.

7. Verification

Ball Corporation will complete a self-assessment approach of its privacy practices to verify compliance with the attestations and assertions made under the EU-U.S. DPF and Swiss-U.S. DPF privacy practices.

8. Access

Ball Corporation will adhere to the Access Principle in Practice, which allows individuals to verify the accuracy of information held about them. Ball Corporation will also make good faith efforts to provide access. It may deny or limit access to the extent that granting full access would reveal its own confidential commercial information.

9. Human Resources Data

Ball Corporation will transfer personal information about its employees collected in the context of the employment relationship to a parent, affiliate, or unaffiliated service provided in the United States participating in the EU-U.S. DPF or Swiss-U.S. DPF. The collection of the information and its processing prior to transfer will have been subject to the national laws of the DPF Country where it was collected, and any conditions for or restrictions on its transfer according to those laws will be respected. Ball Corporation will adhere to the Notice and Choice Principles as well as the Access Principle regarding human resources data to the extent required by law.

10. Obligatory Contracts for Onward Transfers

Ball Corporation complies with requirements relating to onward transfers of protected data through the use of model or other contractual clauses that comply with data transfer standards and requirements of the DPF Countries. These principles apply to transfers of data within controlled groups of corporations or entities as well as with third party controllers and processors.

11. Dispute Resolution and Enforcement

Ball Corporation will satisfy the requirement of this Principle through the following:
a. Compliance with private sector developed privacy programs that incorporate the DPF Principles;
b. Compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or
c. Commitment to cooperate with data protection authorities located in the DPF Countries, or their authorized representatives.

In compliance with the DPF Principles, Ball commits to resolve complaints about the collection or use of your personal information. Individuals from DPF Countries may submit inquiries or complaints:
1. Via a web-based form found on www.ball.com by selecting Contact Us, General Inquiry Form, select your region, and “Personal Data Inquiry,” or by contacting Ball’s Critical Data Protection team at privacy@ball.com; or
2. Via letter, fax, or email to:

Ball Critical Data Protection Team 
9300 W.108th Circle 
Broomfield, Colorado 80021-2510 USA 
Fax: +1-303-460-2691 
Email: privacy@ball.com

Ball has further committed to refer unresolved Data Privacy Framework complaints to the International Centre for Dispute Resolution – American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement for your complaint from Ball, or if Ball has not addressed your complaint to your satisfaction, please contact or visit ICDR-AAA at https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR-AAA are provided at no cost to you. In regards to personal data relating to customers, individual customers may, in certain circumstances, invoke binding arbitration.

12. Choice-Timing of Opt Out

Ball Corporation data that is subject to the DPF Principles is primarily human resource data. Consumer data in Ball Corporation’s possession, if any, is primarily related to business contacts as Ball Corporation and its affiliates do not generally sell to end consumers. As a result, opt out policies are generally not applicable to Ball Corporation activities and data. To the extent that any opt out policies or requirements are or may become applicable, Ball Corporation agrees to comply with such requirements.

13. Travel Information

Ball Corporation understands there are certain circumstances where travel information such as frequent flyer or hotel reservation information and special handling needs may be transferred to organizations located outside the DPF Countries in several different circumstances.

14. Pharmaceutical and Medical Products

Ball Corporation does not possess data relating to pharmaceutical or medical products and data relating to this industry.

15. Public Record and Publicly Available Information

Information that is available through public records, or is otherwise generally publicly available, is not subject to the Notice, Choice, and Accountability for Onward Transfer Principles in some circumstances, provided that such information is not combined with non-public information. In addition, the Access Principle is not applicable to such information except where such information is combined with non-public information.

16. Access Requests by Public Authorities

Ball may be required to disclose your personal information in response to lawful requests from public authorities, including to meet national security or law enforcement requirements. Where permitted by law, Ball Corporation has the option to issue reports relating to data privacy inquiries.

ADDITIONAL INFORMATION

Additional Questions

In compliance with the Frameworks, Ball commits to resolve complaints about the collection or use of your personal information. 
 
Individuals from the DPF Countries may submit inquiries or complaints:
1. Via a web-based form found on www.ball.com by selecting Contact Us, General Inquiry Form, select your region, and “Personal Data Inquiry,” or by contacting Ball’s Critical Data Protection team at privacy@ball.com; or
2. Via letter, fax, or email to:

Ball Critical Data Protection Team 
9300 W. 108th Circle 
Westminster, Colorado 80021 USA 
Fax: +1-303-460-2691 
Email: privacy@ball.com

Please include your name, address, and e-mail address in all communications and state clearly the nature of your request. Ball may revise and change this Privacy Policy at any time as may be required by the DPF Principles or changes made to Ball’s compliance program. If Ball decides to materially change this Policy, we will post the revised policy at this location. If, at any point, we decide to make any material changes in the way we process your Personal Data, we will make that information available by posting a notice on this site, and we will provide data subjects with choice as to whether or not we process their information in this different manner if it is incompatible with the purposes described in the section entitled “Notice” above.

Effective Date: September 30, 2016

Updated: February 29, 2024