Harmonic Group Data Protection Policy

PURPOSE
Regulation (EU) 2016/679 passed by the European Union and effective 25 May 2018 (the "Data Protection Legislation") affects each operating entity of Harmonic Group which controls or processes Personal Data (as defined below) in the course of its business ("Harmonic"). Harmonic is categorized under the Data Protection Legislation as Data Processor (as defined below) in certain circumstances and Data Controller (as defined below) in other circumstances, which are as set out in "Scope" below. Where Harmonic controls Personal Data, Harmonic Group is required to have in place a policy to ensure Harmonic meets its obligations under the Data Protection Legislation to ensure the rights of Data Subjects (as defined below), with regard to the way in which their Personal Data is handled.

References in this Policy to "Article" mean an Article of the Data Protection Legislation.

SCOPE
This policy applies to Harmonic when acting as Data Controller under the Data Protection Legislation. Harmonic acts as Data Controller in relation to the Personal Data of Data Subjects which are (i) employees; (ii) independent contractors; and (iii) vendors of Harmonic. Each of (i), (ii) and (iii) shall be referred to in this Policy as a "Relevant Person". The contractual relationship between Harmonic and each Relevant Person shall be referred to in this Policy as the "Business Relationship" and the legal agreement between Harmonic and the Relevant Person shall be referred to in this Policy as the "Business Contract". For the purposes of this Policy Relevant Persons are Data Subjects.

INTRODUCTION
In the usual course of Harmonic’s business, by virtue of its Business Relationship with the Relevant Person and Harmonic’s associated interactions with the Relevant Person (including the recording of electronic communications or phone calls where applicable) or by virtue of the Relevant Person otherwise providing Harmonic with personal information on individuals connected with the Relevant Person (for example directors, trustees, employees, representatives, shareholders, investors, clients, beneficial owners or agents), the Relevant Person provides Harmonic with certain personal information which constitutes Personal Data. This includes, but is not restricted to, data such as name, residential address, email address, telephone number, place of birth, date of birth, passport number, social security number, tax ID number, bank account details, personal details required to complete background checks and personal details required to complete anti-money laundering and anti-terrorist financing checks (including but not limited to identification verification information).

Further, in the usual course of business Harmonic and its agents, delegates and affiliates may from time to time use Personal Data for other activities that meet the legitimate interest grounds for processing under the Data Protection Legislation.

1. ADDITIONAL DEFINITIONS
1.1 Data Controller - means any natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.2 Data Processor - means a natural or legal person who processes Personal Data on behalf of the Data Controller.
1.3 Data Subject - means an individual who is the subject of Personal Data.
1.4 EEA - means the European Economic Area, the current members at the date hereof being the European Union Member States, Iceland, Liechtenstein and Norway.
1.5 Personal Data - means any information relating to a Data Subject, who can be identified, directly or indirectly.
1.6 Processing - performing any operation or set of operations on the Personal Data, whether or not by automatic means, including collecting, recording, organising, storing, amending, using, retrieving, disclosing, erasing or destroying it. The rules around the processing of Personal Data apply whether the activity takes place in the European Union ("EU") or not, where the processing activities are related to:
  • The offering of goods and services to Data Subjects that are in the EU;
  • The monitoring of their behaviour which takes place within the EU.
2. HARMONIC AS DATA CONTROLLER
In relation to the Relevant Persons and Harmonic’s use of their Personal Data, Harmonic is a Data Controller and agrees to comply with its obligations as such under the Data Protection Legislation.

3. DATA PROTECTION PRINCIPLES
3.1 Personal Data Shall Be:
  1. Processed fairly, lawfully and transparently;
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. Limited to what is required for the stated purpose or purposes;
  4. Accurate, complete and up to date;
  5. Retained for not longer than is necessary for the stated purpose or purposes;
  6. Kept safe and secure;
  7. Provided to a Data Subject on request (please see Section 4); and
  8. Not transferred to people or organisations situated in countries without adequate protection.
3.2 Fair and Transparent Processing
Fairly obtained Personal Data requires that Harmonic, at the time the Personal Data is collected, make the Data Subject aware of the following:
  1. the identity and contact details of Harmonic;
  2. the purpose in collecting the Personal Data as well as the legal basis for processing;
  3. the legitimate interests of Harmonic or a third party and an explanation of those interests (where processing is based on this ground);
  4. the persons or categories to whom the Personal Data may be disclosed;
  5. details of any transfers out of the EEA, safeguards in place and the means by which to obtain a copy of them;
  6. the period for which the Personal Data will be stored;
  7. the Data Subject’s right to rectify Personal Data if inaccurate;
  8. the Data Subject’s right to the portability of their Personal Data;
  9. the Data Subject’s right to withdraw consent; and
  10. the Data Subject’s right to lodge a complaint with the applicable local supervisory authority for data protection matters.
Harmonic generally meets these requirements through a Disclosure Notice contained in Harmonic’s Staff Member Manual (in the case of employees and independent contractors of Harmonic) and a summarised disclosure contained in the relevant services agreement (in the case of vendors of Harmonic) or by means of the Disclosure Notice on Harmonic’s website. The Disclosure Notice has been circulated to all Relevant Persons prior to the Data Protection Legislation taking effect.

Harmonic will ensure that all information and communications relating to the processing of Personal Data will be clear, concise, transparent, intelligible, easily accessible and easy to understand using clear and plain language. Harmonic will ensure that these transparency requirements are adhered to at all stages of the collection and processing of Personal Data.

3.3 Lawful Processing
Pursuant to Article 6, Harmonic can process Personal Data lawfully to the extent that at least one of the following applies:
  1. where the Data Subject has given consent to the processing;
  2. where this is necessary for the performance of the Business Contract;
  3. where this is necessary in order to protect the vital interests of the Data Subject or another natural person;
  4. where this is necessary for the performance of a task carried out in the interest or in the exercise of official authority vested in Harmonic;
  5. where this is necessary for compliance with a legal obligation to which Harmonic is subject (such as the anti-money laundering and anti-terrorist financing obligation to verify identity and retain copies of materials in respect thereof for such period after the relationship terminates as may be required by applicable law); and/or
  6. where this is necessary for the purposes of the legitimate interests of Harmonic or a third party and such legitimate interests are not overridden by the Data Subject's interests, fundamental rights or freedoms.
3.4 Purpose Limitation
Harmonic will only collect and process Personal Data for purposes that are specific, explicit and legitimate. Harmonic will process data for the following purposes:
  1. where this is necessary for the performance of the Business Contract;
  2. where this is necessary for compliance with a legal obligation to which Harmonic is subject (such as the anti-money laundering obligation to verify identity or the prevention of fraud); and/or
  3. where this is necessary for the purposes of the legitimate interests of Harmonic or a third party (such as direct marketing and analysing personal data for quality control, business and statistical analysis, tracking fees and costs, training and related purposes). Such legitimate interests are not overridden by the Data Subject’s interests, fundamental rights or freedoms.
Harmonic will not process Personal Data in a manner that is incompatible with the manner communicated to Data Subjects.

3.5 Data Minimisation
The Personal Data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is being processed.

3.6 Keep It Accurate and Up-To-Date
Harmonic will ensure that the Personal Data held is accurate and kept up to date. The accuracy of any Personal Data will be checked at the time of collection and at regular intervals or triggers thereafter. Harmonic will take all reasonable steps to amend inaccurate or out-of-date Personal Data without delay.

3.7 Storage Limitation
Harmonic will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Subject to compliance with local retention laws, Harmonic will take all reasonable steps to erase all Personal Data which is no longer required. Harmonic will be clear when informing the Data Subject about the length of time for which Personal Data will be kept and the reason why the information is being retained. Harmonic is aware of any required statutory retention periods where an obligation exists to retain a Data Subject's Personal Data for fixed periods and ensures that Personal Data is retained in line with such statutory requirement(s) and that the Data Subject is aware of this retention period.

3.8 Kept Safe and Secure
Processing will be conducted in a manner that ensures appropriate security and confidentiality of the Personal Data. Harmonic takes all commercially reasonable steps to secure the Personal Data from unauthorised access by third parties, alteration, disclosure, accidental loss, destruction or any form of computer corruption. Harmonic has implemented the following information security measures:
  1. IT servers are kept in a secure location, with access restricted to a limited number of staff;
  2. Access to systems is password protected;
  3. A back up procedure is in operation;
  4. Manual files containing Personal Data, financial information or confidential information are kept in a secure locked location with restricted access to staff; and
  5. A strong emphasis is placed on the security of Personal Data when it is held on portable devices.
3.9 Access Provided to a Data Subject on Request
Under the Data Protection Legislation, the Data Subject shall have the right to obtain from Harmonic access to any Personal Data concerning him or her. However, this right is limited to certain circumstances (please see Section 4).

3.10 Transferring Personal Data to a Country Outside the EEA
Aside from an adequacy decision, which allows the free flow of Personal Data from the EU without Harmonic having to implement any additional safeguards or being subject to further conditions, the Data Protection Legislation allows a transfer if the Data Controller or Data Processor has provided appropriate safeguards.

These safeguards may be provided for by:
  1. Standard data protection clauses: the Commission has adopted three sets of model clauses which are available on the Commission’s website (https://ec.europa.eu/info/law/law-topic/data-protection_en);
  2. Binding corporate rules: legally binding data protection rules approved by the competent data protection authority which apply within a corporate group;
  3. Approved codes of conduct together with binding and enforceable commitments of the Data Controller or Data Processor in the third country;
  4. Approved certification mechanisms together with binding and enforceable commitments of the Data Controller or Data Processor in the third country.
In the absence of an adequacy decision or of appropriate safeguards a transfer or a set of transfers may take place on the basis of so-called "derogations" which allow transfers in specific cases, such as based on consent, for the performance of a contract, for the exercise of legal claims or for important reasons of public interest.

In the normal course of business (for back-up or servicing purposes) it may be necessary for Harmonic to transfer Personal Data for processing to the following: (i) certain third parties whose involvement is necessary to carry out all or part of Harmonic's duties and obligations contemplated under the Business Contract and in accordance with Harmonic’s internal procedures (for example, a payroll services provider to which Harmonic transfers the Personal Data of an employee/independent contractor); and (ii) an agent, delegate, subcontractor or other representative of Harmonic (which may or may not be an affiliate of Harmonic) appointed by Harmonic pursuant to authority contained in the Business Contract. Any such entity in (i) or (ii) shall be a "Permitted Processor". As part of normal business dealings between Harmonic and the Permitted Processor, Harmonic will transmit Personal Data to such Permitted Processor. Certain Permitted Processors may be located outside the EEA and so Personal Data may be stored on servers outside the EEA. Any transmission of data by Harmonic outside the EEA shall be in accordance with the conditions of the Data Protection Legislation. Subject to applicable provisions of the Data Protection Legislation, the Personal Data shall not be shared by Harmonic with third parties other than Permitted Processors.

In certain circumstances Harmonic and/or Permitted Processors may be legally obliged to share Personal Data and other financial information with respect to the Business Contract with their local regulatory or governmental authorities (including but not limited to tax authorities) or courts (each an "Authority") and the local receiving Authority may, in turn, exchange this information (through automatic reporting, information exchange or otherwise in accordance with applicable laws and regulations) with foreign Authorities including Authorities located outside the EEA.


4. DATA SUBJECT RIGHTS
4.1 Right to Access
The Data Subject shall have the right to obtain confirmation from Harmonic as to whether or not Personal Data concerning them is being processed.

Where Harmonic is processing their Personal Data the Data Subject will have the right to access such Personal Data and the following information:
  1. the purpose of the processing;
  2. the categories of Personal Data concerned;
  3. the persons or categories of persons to whom the Personal Data may be disclosed, in particular recipients in third countries or international organisations;
  4. the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from Harmonic rectification or erasure of the Personal Data or restriction of processing of Personal Data concerning the Data Subject or to object to such processing;
  6. the right to lodge a complaint with the applicable local supervisory authority for data protection matters;
  7. where the Personal Data is not collected from the Data Subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
Where Personal Data is transferred to a third country or an international organisation, the Data Subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

The right to obtain a copy of the Personal Data undergoing processing will not adversely affect the rights and freedoms of others.

Harmonic will not charge a fee for complying with the Data Subject’s access request unless it can be demonstrated that the cost will be excessive, in which case the fee must be reasonable.

The information must be provided without delay and within one month, but where requests are complex Harmonic will be able to extend the deadline for providing the information to three months. However, Harmonic must still respond to the request within a month, explaining why the extension is necessary.

A request to Harmonic may be made in electronic format as well as by written request.

4.2 Right to be Forgotten
The Data Subject shall have the right for Personal Data to be erased without undue delay in certain contexts, including, but not limited to, where the Personal Data has been processed unlawfully or where the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise.

Given the specific nature for which Harmonic uses the Personal Data it collects, this is not likely to be applicable to the Data Subjects of Harmonic.

4.3 Right to the Restriction of Processing
Data Subjects have the right to require that Harmonic restrict processing of Personal Data in certain circumstances, including, but not limited to, where the Personal Data is inaccurate, the Personal Data is no longer required in light of the purposes of the processing or the Data Subject has exercised their right to object (pending verification of any legitimate grounds of Harmonic which override those of the Data Subject).

Where processing has been restricted, such Personal Data shall, with the exception of storage, only be processed with the Data Subject's consent. Harmonic will inform the Data Subject before the restriction of processing is lifted.

4.4 Right to Object
The Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of Personal Data concerning them where the processing is based on the legitimate interests pursued by Harmonic.

Harmonic shall no longer process the Personal Data unless Harmonic demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

Data Subjects shall have the right to object to the processing of Personal Data for direct marketing purposes at any time. Where the Data Subject objects to processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes.

5. CO-OPERATION WITH SUPERVISORY AUTHORITIES
5.1 The Data Controller and the Data Processor and, where applicable, their representatives, shall cooperate, on request, with the relevant supervisory authority in the performance of its tasks.

5.2 In the case of Harmonic Group the Lead Supervisory Authority is the Commission Nationale pour la Protection des Données – CNPD in Luxembourg (the "Lead Supervisory Authority").

6. KEEPING RECORDS OF ALL PROCESSING
6.1 Harmonic should maintain records of all its processing activities. This requires that Harmonic determine what Personal Data it holds, where it came from and who it shares it with. This should all be documented, which will assist in complying with the legislation's "accountability principle".

6.2 Harmonic will retain Personal Data for a period of up to seven years following the point from when the Data Subject’s Business Relationship with Harmonic has ceased, subject to applicable retention laws. Harmonic and its duly authorised agents/delegates will refrain from collecting any further Personal Data and after expiry of the retention period (subject to applicable retention laws) shall take appropriate steps to dispose of any records containing the Data Subject’s Personal Data, to the extent this is operationally feasible and proportionate.

7. REPORTING OF DATA BREACHES
7.1 If Harmonic detects and records a data breach it shall notify the Lead Supervisory Authority without delay, and in any case not later than 72 hours, unless the breach is unlikely to result in a risk to the rights of the Data Subject. The notification form is available on the Lead Supervisory Authority’s website and is accessible via this link: https://cnpd.public.lu/fr/actualites/national/2018/02/formulaire-violation-donnees.html

7.2 Each Data Processor shall notify Harmonic without undue delay after becoming aware of a Personal Data breach.

7.3 The Data Subject must also be notified if the data breach is likely to result in a high risk to their rights and freedoms. The notification shall describe in clear and plain language the nature of the breach, the name of the contact point where more information can be obtained, the likely consequences and measures taken to mitigate or address the breach.

8. TRAINING
All Harmonic staff must receive regular training to ensure they are aware of:
  1. The provisions of the Data Protection Legislation;
  2. The approach Harmonic takes to ensure compliance with its obligations; and
  3. Recent developments and guidance in the area.

9. DESIGNATION OF RESPONSIBLE PERSON FOR DATA PROTECTION QUERIES AND REGULATORY COMMUNICATIONS
As Harmonic does not control or process Personal Data on a large scale, Harmonic Group is not required to designate a data protection officer either Group-wide or per operating entity. However, a member of staff has been designated as Responsible Person Group-wide for each of (i) the receipt of any queries relating to data protection or in the event a Data Subject wishes to discuss his/her data protection rights with Harmonic (“General Queries”), and (ii) communicating with the Lead Supervisory Authority or other relevant supervisory authorities (“Regulatory Communications”). As at the date of this Policy the Responsible Persons for Harmonic Group are:

General Queries: GDPR-Queries@harmonic.ky

ADDITIONAL LEGAL AND REGULATORY DISCLOSURES
For additional legal/regulatory disclosures, please consult: http://harmonicfundservices.com/legal/