ANNEX I

CPM HOLDINGS, INC. PHOTO CONTEST PRIVACY NOTICE

1. Introduction

This Photo Contest Privacy Notice (“Notice”) describes the steps that CPM Holdings, Inc. (“Company”, “we” or “us”), part of the CPM group of companies (“CPM Group”, “we” or “us”), takes to protect the Personal Data that we Process about our Employees in respect of the CPM Photo Contest (“Photo Contest”). In connection with your involvement with the Photo Contest, either as the photographer or subject of a photograph submitted as part of the Photo Contest, we collect, store, use and otherwise Process Personal Data about you for various marketing purposes set out below. The Company is committed to protect the Personal Data that we Process about you in line with the data protection principles set out in the European Union General Data Protection Regulation (“GDPR”). 

This Notice applies to all Photo Contest Personal Data only, and does not amend or replace the CPM Employee Privacy Notice.

This Notice may be amended from time to time. We will inform you about changes within a reasonable period of time in advance of the effective date of the change.

Capitalized terms used in this Notice are defined in Section 9 of this Notice.

2. Identity of the Data Controller and Privacy Officer

The Company is responsible for Processing your Personal Data and is the Data Controller. Furthermore, the Company has appointed a Privacy Officer, who could be contacted by using the following contact details: 

NamePhone number
Sean M. Callison319-493-3906

3. Purposes and legal grounds for Processing Personal Data

The Company relies on your consent to Processes your Personal Data submitted in connection with the Photo Contest and for the following purposes:

4. Categories and Sources of Personal Data that we Process

The Company will Process the following categories of Personal Data for these purposes:

We will not Process any Special Categories of Personal Data in relation to the Photo Contest, for example, Personal Data relating to your health, sex life or sexual orientation.

Most of the Personal Data we Process we have acquired from you directly. Other Personal Data may be provided by: your managers, HR, an Employee who takes your photograph or others.

5. Your Rights

The GDPR provides you with certain rights in relation to the Processing of your Personal Data, including to:

Please be informed that the Processing of your Personal Data is not being applied for automated decision-making (including profiling).  

Also please note that it is not a statutory or contractual obligation to provide your Personal Data or a condition to enter into an agreement with you. However, if you wish to participate in the Photo Contest, there is certain limited information that you will need to provide to us.

Should you wish to exercise the rights accorded by the GDPR, please contact the Legal Department.

You also have the right to lodge a complaint with the competent data protection Supervisory Authority, if you are not happy with how the Company Processes your Personal Data and we could not provide you with a satisfactory resolution to your request.

6. Data Sharing and International Data Transfers: Intra-Group and Third Parties

a) International Data Transfers

When we transfer your personal information to a company of the CPM Group in a country outside the European Economic Area that is not considered by the European Commission as providing an adequate level of protection to your personal data we will only transfer your personal data in case that there are appropriate safeguards to protect your Personal Data. International transfers within the corporate group are governed by EU Commission-approved Standard Contractual Clauses for Controllers and, where relevant, for Processors.

You can request a copy of the Standard Contractual Clauses from your Legal Department.

b) Third Party Suppliers 

The Company shares Personal Data with external third parties, among which are external marketing and advertising agencies and web management services that we engage to perform services or functions on our behalf and under our instructions. Where these third parties are located within the EU, their Processing of your data will be subject to the GDPR requirements. The Company will also ensure that its contracts with these parties ensure that they only Process Personal Data in accordance with our instructions and in order to provide the agreed services and protect the integrity and confidentiality of the Personal Data entrusted to them, in line with the GDPR requirements.

Some of the third parties that we engage to Process Photo Contest Personal Data are located outside the European Economic Area. When we transfer your personal information to a third party in a country outside the European Economic Area that is not considered by the European Commission as providing an adequate level of protection to your personal data we will only transfer your personal data after having executed Standard Contractual Clauses providing for appropriate or suitable safeguards.

7. Retention of Personal Data

The Company will keep and Process your Personal Data only for as long as is necessary for the purposes for which it was collected in connection with your employment with the Company, unless the Company has a legal right or obligation to retain the data for a longer period, or the data is necessary for the establishment, exercise or defense of legal claims. 

8. Contact Information

If you have any questions about this Notice, please contact the Legal Department.

9. Definitions

The following terms used within this Notice are defined as follows:

CPM Holdings, Inc.” is a Delaware corporation. 

CPM Group” is the group of companies directly, or indirectly, held and/or controlled by CPM Holdings, Inc., a company with its principal place of business at 9879 Naples St NE. Blaine, MN 55449 USA.

Data Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data; where the purposes and means of Processing are determined by national or EU laws or regulations, the controller or the specific criteria for his nomination may be designated by national or EU law.

Data Processor” means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Data Controller.

Employees” means temporary, full-time and part-time contract employees, interns, contingent workers, retirees, and former employees.

CPM Photo Contest” or “Photo Contest” means the photo contest held by the marketing department of the Company, as part of which Employees submit photographs of themselves or other Employees, with the best photographs winning prizes and some of the photographs being used for marketing purposes. 

European Economic Area” or “EEA” means the Member States of the European Union, plus Norway, Iceland and Lichtenstein.  

GDPR” means the EU General Data Protection Regulation 2016/679 including national laws implementing or supplementing the GDPR.

Personal Data” means any information relating to an identified or identifiable natural person (also referred to as ‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Photo Contest Personal Data” means any Personal Data related to Employees submitted as part of the Photo Contest. 

Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.  

Privacy Officer” means the person who supervises the application and compliance with the GDPR. The Privacy Officer is not a Data Protection Officer within the meaning of the GDPR.

Special Categories of Personal Data” are Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of identifying an individual, data concerning health or data concerning a natural person’s sex life or sexual orientation.  

Supervisory Authority” means an independent public authority which is established by a Member State pursuant to article 51 of the GDPR (in the Netherlands being the “Autoriteit Persoonsgegevens”).