This policy applies to Hexcel’s undertakings with regard to the privacy of individuals’ personal information transferred from the European Union to the United States in connection with our business activities. This policy is applicable to all Hexcel Group Companies in the United States including Hexcel Reinforcements Holding Corporation, Hexcel Pottsville Corporation, Hexcel Reinforcements Corp. and the Hexcel Foundation.
We collect and process information that can identify an individual (Personal Information) about our customers, clients, business partners, suppliers, and agents. We collect Personal Information in a number of ways:
In order to:
We offer individuals a clear, conspicuous, and readily available mechanism to choose (opt out) whether their Personal Information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of Hexcel) or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.
Additionally, we will not (i) disclose, or (ii) use for a purpose other than those for which it was originally collected or subsequently authorized by you, any Personal Information that reveals details about your health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation, unless you have given us express permission to do so or unless permitted by law.
We may transfer Personal Information to third parties acting as data controllers, such as other Hexcel Group companies, or data processors, who may also be other Hexcel Group companies or third parties who assist with (i) the administration of business programs and services, (ii) compliance with our obligations to regulators, and/or (iii) maintenance of our systems, networks and processes.
When we transfer Personal Information to third party agents, we will comply with the Privacy Shield notice principle, ascertain that the third party agent is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield principles, and enter into a contract with the third party agent that provides that: (1) the third party agent will process the Personal Information only for limited and specified purposes; (2) the third party agent will provide at least the same level of privacy protection as is required by the Privacy Shield principles; (3) Hexcel will take reasonable and appropriate steps to ensure that the third party agent effectively processes the Personal Information pursuant to the Privacy Shield privacy principles; (4) the third party agent will notify us if the third party agent can no longer provide the same level of privacy protection as required by the Privacy Shield principles; and (5) upon such notice by the third party agent, we will take steps to stop and remediate any unauthorized processing.
When we transfer Personal Information to third party controllers, we will comply with the Privacy Shield notice and choice principles and enter into a contract with the third party controller that provides that (1) such Personal Information may be processed only for limited and specified purposes consistent with the consent provided by the individual; (2) the third party controller will provide the same level of protections as the Privacy Shield principles; (3) the third party controller will notify us if the third party can no longer meet its obligation to provide the same level of protection for the Personal Information as required by the Privacy Shield principles; and (4) upon such notice by the third party controller, the third party controller will cease processing the Personal Information and/or take reasonable and appropriate steps to remediate any unauthorized processing.
In the context of an onward transfer of Personal Information, we have responsibility for the processing of Personal Information we receive under the Privacy Shield and subsequently transfer to a third party agent. We will remain liable under the Privacy Shield principles if our third party agent processes such Personal Information in a manner inconsistent with the Privacy Shield principles, unless we prove that we are not responsible for the event giving rise to the damage.
Please be aware that we may be required to disclose Personal Information in response to lawful requests by public authorities to comply with national security or law enforcement requirements.
You have a right to access Personal Information we collect and process about you by emailing or calling us at the email address or telephone number listed in the Recourse, Enforcement and Liability section of this Policy. Additionally, you may request that we correct, amend, or delete Personal Information that is inaccurate or improperly processed. Before making any change to Personal Information, for security purposes and to protect Personal Information from unauthorized access, we may ask for information sufficient to verify the authenticity of an access request. We may limit or deny such requests if it would be unduly burdensome or expensive or where doing so might adversely affect another person's privacy rights, compromise confidential commercial information, interfere with the execution or enforcement of the law or with private causes of action, or breach a legal or other professional privilege or obligation.
We may charge a reasonable fee for access to Personal Information where, for example, the request for access is manifestly excessive or repetitive. Additionally, we may set reasonable limitations on the number of times within a given time period that access requests from a particular individual will be met.
We will take reasonable measures to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration or destruction.
Personal Information will be limited and relevant for the purposes for which it is to be processed. Personal Information will not be processed in a way that is incompatible with or materially different from the purposes for which it has been collected or subsequently authorized by the individual. Reasonable steps will be taken to ensure that Personal Information is reliable for its intended use, accurate, complete and current. Further, Personal Information will be retained only for as long as it serves the purposes for which it was collected or subsequently authorized by the individual. Finally, we will adhere to the Privacy Shield principles for as long as we retain the Personal Information.
We have verified and will verify annually through self-assessment that the attestations and assertions made about our Privacy Shield privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the Privacy Shield principles.
Questions and complaints about our privacy practices can be submitted to us by emailing DataPrivacy@Hexcel.com or contacting the Compliance Line at 1-888-203-9066. We will respond to your inquiry or complaint within 45 days.
If a complaint remains unresolved, you should contact the state or national Data Protection Authority (DPA) or labor authority in the jurisdiction where you reside for resolution. Information regarding the applicable DPA is located here. We will cooperate with the competent DPAs and comply with the advice of such DPAs. In the event that the DPAs determine that we did not comply with this Policy or Privacy Shield principles, we will take appropriate steps to address any adverse effects and to promote future compliance, comply with any advice given by the DPAs, take specific remedial or compensatory measures to correct any non-compliance with this Policy or the Privacy Shield principles, and provide the DPAs with written confirmation that such action has been taken.
We are also subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
Under certain conditions specified by the Principles, you may also be able to invoke binding arbitration to resolve your complaint. For more information on binding arbitration, see U.S. Department of Commerce's Privacy Shield Framework: Annex 1 (Binding Arbitration).
This Policy is effective September 1, 2016 and may be amended from time to time in compliance with the requirements of the Privacy Shield Principles. If we do so, we will post an updated version on our website. To the extent there is any conflict between the Privacy Shield privacy principles and this Policy, the Privacy Shield privacy principles shall take precedence.
(1) If you are calling from outside the U.S., please access the Compliance Line number by first dialing the AT&T Direct Access number for the country from which you are calling