CPM Photo Contest Privacy Notice

ANNEX I

CPM HOLDINGS, INC. PHOTO CONTEST PRIVACY NOTICE

1. Introduction

This Photo Contest Privacy Notice (“Notice”) describes the steps that CPM Holdings, Inc. (“Company”, “we” or “us”), part of the CPM group of companies (“CPM Group”, “we” or “us”), takes to protect the Personal Data that we Process about our Employees in respect of the CPM Photo Contest (“Photo Contest”). In connection with your involvement with the Photo Contest, either as the photographer or subject of a photograph submitted as part of the Photo Contest, we collect, store, use and otherwise Process Personal Data about you for various marketing purposes set out below. The Company is committed to protect the Personal Data that we Process about you in line with the data protection principles set out in the European Union General Data Protection Regulation (“GDPR”). 

This Notice applies to all Photo Contest Personal Data only, and does not amend or replace the CPM Employee Privacy Notice.

This Notice may be amended from time to time. We will inform you about changes within a reasonable period of time in advance of the effective date of the change.

Capitalized terms used in this Notice are defined in Section 9 of this Notice.

2. Identity of the Data Controller and Privacy Officer

The Company is responsible for Processing your Personal Data and is the Data Controller. Furthermore, the Company has appointed a Privacy Officer, who could be contacted by using the following contact details: 

Name Phone number
Sean M. Callison 319-493-3906

3. Purposes and legal grounds for Processing Personal Data

The Company relies on your consent to Processes your Personal Data submitted in connection with the Photo Contest and for the following purposes:

  • for inclusion in any and all of the Company’s publications, including web-based publications to promote the Company;
  • for use in general Company and specific product advertising campaigns; and
  • for use in office and other workspaces.
  • All of the purposes listed above may be carried out in any of the jurisdictions in which our Company operates globally.

4. Categories and Sources of Personal Data that we Process

The Company will Process the following categories of Personal Data for these purposes:

  • Name
  • Work contact details
  • Personal email address or other non-work contact details to maintain contact beyond the period of your employment with the Company
  • Image 
  • Job title
  • Workplace location   

We will not Process any Special Categories of Personal Data in relation to the Photo Contest, for example, Personal Data relating to your health, sex life or sexual orientation.

Most of the Personal Data we Process we have acquired from you directly. Other Personal Data may be provided by: your managers, HR, an Employee who takes your photograph or others.

5. Your Rights

The GDPR provides you with certain rights in relation to the Processing of your Personal Data, including to:

  • Request to access your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you, and to check whether we are lawfully Processing it.
  • Request to rectification, correction or updating of your Personal Data. This enables you to have any incomplete or inaccurate information we hold about you rectified or updated.
  • Request to data portability (that your Personal Data shall be provided to you in a machine-readable format) to the extent this right is relevant in the employment context.
  • Request to erase (any part of) your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to Process it. You also have the right to ask us to delete or remove Personal Data where you have exercised your right to object to Processing (see below).
  • Request to restriction of the Processing of your Personal Data. This enables you to ask us to suspend the Processing of Personal Data about you (e.g. if you want us to establish its accuracy or the reason for Processing it).
  • Object to the Processing of your Personal Data in certain circumstances. This right may apply where the Processing of your Personal Data is based on the legitimate interests of the Company or where decisions about you are based solely on automated processing, including profiling. 
  • Withdraw your Consent to Processing your Personal Data. We are relying on your consent to Process your Personal Data in connection with this Photo Contest. You have the right to withdraw your consent at any time, at which point we will no longer be able to Process your Personal Data and will need to remove any photographs of you that were submitted as part of the Photo Contest and which we are using for the purposes set out above.

Please be informed that the Processing of your Personal Data is not being applied for automated decision-making (including profiling).  

Also please note that it is not a statutory or contractual obligation to provide your Personal Data or a condition to enter into an agreement with you. However, if you wish to participate in the Photo Contest, there is certain limited information that you will need to provide to us.

Should you wish to exercise the rights accorded by the GDPR, please contact the Legal Department.

You also have the right to lodge a complaint with the competent data protection Supervisory Authority, if you are not happy with how the Company Processes your Personal Data and we could not provide you with a satisfactory resolution to your request.

6. Data Sharing and International Data Transfers: Intra-Group and Third Parties

a) International Data Transfers

When we transfer your personal information to a company of the CPM Group in a country outside the European Economic Area that is not considered by the European Commission as providing an adequate level of protection to your personal data we will only transfer your personal data in case that there are appropriate safeguards to protect your Personal Data. International transfers within the corporate group are governed by EU Commission-approved Standard Contractual Clauses for Controllers and, where relevant, for Processors. 

You can request a copy of the Standard Contractual Clauses from your Legal Department.

b) Third Party Suppliers 

The Company shares Personal Data with external third parties, among which are external marketing and advertising agencies and web management services that we engage to perform services or functions on our behalf and under our instructions. Where these third parties are located within the EU, their Processing of your data will be subject to the GDPR requirements. The Company will also ensure that its contracts with these parties ensure that they only Process Personal Data in accordance with our instructions and in order to provide the agreed services and protect the integrity and confidentiality of the Personal Data entrusted to them, in line with the GDPR requirements.

Some of the third parties that we engage to Process Photo Contest Personal Data are located outside the European Economic Area. When we transfer your personal information to a third party in a country outside the European Economic Area that is not considered by the European Commission as providing an adequate level of protection to your personal data we will only transfer your personal data after having executed Standard Contractual Clauses providing for appropriate or suitable safeguards.

7. Retention of Personal Data

The Company will keep and Process your Personal Data only for as long as is necessary for the purposes for which it was collected in connection with your employment with the Company, unless the Company has a legal right or obligation to retain the data for a longer period, or the data is necessary for the establishment, exercise or defense of legal claims. 

8. Contact Information

If you have any questions about this Notice, please contact the Legal Department.

9. Definitions

The following terms used within this Notice are defined as follows:

CPM Holdings, Inc. is a Delaware corporation. 

CPM Group is the group of companies directly, or indirectly, held and/or controlled by CPM Holdings, Inc., a company with its principal place of business at 9879 Naples St NE. Blaine, MN 55449 USA.

Data Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data; where the purposes and means of Processing are determined by national or EU laws or regulations, the controller or the specific criteria for his nomination may be designated by national or EU law.

Data Processor” means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Data Controller.

Employees” means temporary, full-time and part-time contract employees, interns, contingent workers, retirees, and former employees.

CPM Photo Contest” or “Photo Contest” means the photo contest held by the marketing department of the Company, as part of which Employees submit photographs of themselves or other Employees, with the best photographs winning prizes and some of the photographs being used for marketing purposes. 

European Economic Area” or “EEA” means the Member States of the European Union, plus Norway, Iceland and Lichtenstein.  

GDPR” means the EU General Data Protection Regulation 2016/679 including national laws implementing or supplementing the GDPR.

Personal Data” means any information relating to an identified or identifiable natural person (also referred to as ‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Photo Contest Personal Data” means any Personal Data related to Employees submitted as part of the Photo Contest. 

Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.  

Privacy Officer” means the person who supervises the application and compliance with the GDPR. The Privacy Officer is not a Data Protection Officer within the meaning of the GDPR.

Special Categories of Personal Data” are Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of identifying an individual, data concerning health or data concerning a natural person’s sex life or sexual orientation.  

Supervisory Authority” means an independent public authority which is established by a Member State pursuant to article 51 of the GDPR (in the Netherlands being the “Autoriteit Persoonsgegevens”).