1. Overview

1.1 PURPOSE

The Albaugh (hereinafter, referred to as “the Company”) DSR (“Data Subject Request”) & Cookies and Consent Management Policy governs Albaugh’s receipt, evaluation, response, and record keeping in relation to DSRs. DSRs can be made to Albaugh under a number of Applicable Laws, and this policy is in place to govern the intake and response process for such requests in compliance with Applicable Laws. Additionally, this policy provides guidelines surrounding when consent must be obtained, the language that must be used, and how documentation must be maintained.

1.2 SCOPE

This policy applies to all members of Albaugh’s workforce, that includes contracted workers, consultants. Albaugh will require that all third parties that utilize Albaugh managed and owned hardware, software, networks, applications, data, intellectual property, and any associated resources comply with applicable legal standards. This policy applies to Albaugh and its Affiliates.

2. Definitions

Applicable Law(s) - Any state, federal or foreign law(s), rule(s) or regulation(s) applicable to the Processing of Personal Information.

Controller - The entity which determines the purposes and means of the processing of Personal Information. Controller may be referred to as “Business” under Applicable Laws.

Data Subject – An identified or identifiable person to whom Personal Information relates.

Data Subject Request (“DSR”) – The means by which data subjects request that the organization discloses what Personal Information it holds on them and how the organization uses or intends to use it.

Personal Information (“PI”) - Any information related to a natural person or ‘Data Subject’, that can be used to directly, or indirectly, identify the person. Personal Information may include information referred to as “Personal Data” or “Personally Identifiable Information” (PII) in some jurisdictions.

Processing - Any operation or set of operations which is performed upon the Personal Information, whether or not by automatic means, such as collection, recording, organization, storage, adatation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

Processor – An entity that processes Personal Information on behalf of the Controller. Processor may be referred to as “Service Provider” under Applicable Laws.

3. Data Subject Requests 

3.1 REQUESTS IN-SCOPE

Depending on the Applicable Law where data subjects (e.g. clients, consumers, employees, etc.) reside, data subjects may be able to assert the following rights related to PI:

• Access and Portability: The right to request that Albaugh provide a report of PI held by the company. Report could include:

• The categories of PI Albaugh has collected about that consumer; 

• The categories of sources from which the PI is collected;

• The business or commercial purpose for collecting or selling PI; 

• The categories of third parties with whom Albaugh shares PI; 

• The specific pieces of PI Albaugh has collected about that consumer.

• Rectification: The right to request that Albaugh rectify incorrect or incomplete PI.

• Erasure: The right to request that Albaugh delete or erase PI.

• For example, requests may be denied if retaining PI is required under certain circumstances, including, but not limited to: 

• complying with a legal obligation; 

• establishing, exercising or defending legal claims; or 

• performing a task in the public interest or in the exercise of official authority;

• Withdraw consent: The right to withdraw consent to Albaugh processing PI (see “Cookies and Consent Management” section below).

• Marketing Communications: The right to opt-out of receiving marketing communications from Albaugh.

• Objection: The right for Data Subjects to object to the processing of PI that concerns them. 

• Restriction of Processing: The right to restrict or object to Albaugh processing or transferring PI under certain circumstances.

• Automated Individual Decision-Making: The right not to be subject to a decision based solely on automated processing PI, including profiling.

• Non-Discrimination: The right to not face discrimination for asserting the above rights. Albaugh will not take retaliatory or discriminatory actions against any consumer who chooses to exercise any of the above rights. Thus, Albaugh cannot deny individuals its services and products. Applicable Law could prohibit any practices that are usurious, coercive, or unjust in this regard. 

3.2 DSR REQUIREMENTS

Regardless of the regulation under which a DSR is made, common elements of Albaugh’s DSR response program exist; where applicable by law, these shall be carried out by Albaugh as follows: 

1. Intake 

The process by which DSRs may be submitted by individuals to Albaugh is outlined in and provided to individuals through Albaugh’s public-facing Privacy Notices.

2. Documentation and Monitoring of Received Requests

Albaugh shall ensure all received DSRs are documented for the purposes of internally acknowledging their receipt. Albaugh shall ensure the status of completion is then monitored (i.e., from receipt to rejection or fulfilment) for each request to ensure a satisfactory response is issued in line with regulatory requirements and deadlines. 

3. Training and Awareness

Albaugh ensures that all individuals responsible for handling inbound DSRs and external inquiries (i.e., requests where third party cooperation is required) are informed of all applicable regulatory requirements and Albaugh internal procedures.

4. Response and Acknowledgment Timeframes

Albaugh will respond to requests in accordance with the relevant regulatory timeframes. This may include acknowledgment of receipt of requests before a determination about acceptance or rejection of the request is made and before the request is fulfilled.

5. Evaluation of Legal Basis 

As part of the DSR response process, Albaugh will accept or reject DSRs based upon an evaluation of the request’s legal basis under Applicable Laws. Upon denial of a DSR, 

Albaugh will communicate back to the data subject as to why there is no legal obligation to complete the request.

6. Identity Verification 

The determination of the legal basis of the request, and any subsequent response to the requester, will include, as deemed required in accordance with applicable law an identity verification procedure before any information is disclosed. 

7. Third Party Request Legal Evaluation and Identity Verification

When a data subject uses an agent to submit a DSR, Albaugh may require that the data subject follow additional steps to maintain compliance.

8. Rejecting a request 

Albaugh ensures that all information in connection with the decision to reject the request, and that is required to be provided under Applicable Laws, is provided to the requesting party, and is retained in accordance with regulatory requirements. Instances where Albaugh may reject the request, include, but are not limited to, the inability to validate the identity of the Data Subject and other limitations with respect to compliance with other Applicable Laws (such as EU Union or Member State laws, US Federal Laws, etc.).

9. Request Fulfillment

Albaugh, in order to ensure fulfillment of the DSR process, has policies and procedures that require that the appropriate reporting (or the appropriate modification) of PI is made in the organization. Albaugh also ensures that its systems, and any applicable third parties correctly execute and meet the obligations of the DSR process that has been approved by Albaugh. 

10. Anti-discrimination

Albaugh does not discriminate against individuals exercising any of the rights afforded to them under applicable regulations under all circumstances. This anti-discrimination includes, but is not limited to not denying goods or services to the requester; not charging different prices or rates for goods or services, including through use of discounts or other benefits or imposing penalties, and not providing a different level or quality of goods or services to individual requesters, nor suggesting that individuals will receive a different price or rate for goods or services or a different level or quality of goods or services as a result of exercising their rights.

Additionally, regional IT and Compliance Officers will work with Group IT and the Group Compliance Officer to address specific requirements of any applicable local law in each region.

4. Cookies and Consent

4.1 REGULATORY MATTERS

The term “consent” appears in almost every data protection regulation in effect around the world. Most countries, with the exception of the United States, requires “opt-in” consent freely given by the data subject from whom Albaugh is collecting information. Applicable Laws typically defines “consent” as “any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her”. 

Applicable Laws dictate legal bases that an organization can claim when collecting and processing PI; this includes “consent”. Albaugh must ensure that if it claims “consent” as the legal basis for a particular data processing activity, the reasoning be consistent throughout the process and cannot be changed for another legal basis later (however multiple legal bases can be cited initially). 

Applicable Laws provide the following conditions regarding “consent”:

• Freely Given:

• The fulfillment of a provision or service shall not require consent to process PI that is not necessary to fulfill that particular provision or service.

• Genuine or free choice must be offered to Data Subject.

• Specific: 

• If consent is captured in the context of a written declaration which concerns other matters, the consent section must be clearly distinguishable from the rest.

• Data Subjects must consent to each data processing activity separately. 

• Informed: 

• Data Subjects must be made aware, in plain language, who is processing their data, what processing activities will occur, and the purpose of the data processing; this must be expressed before consent is initially captured.

• Unambiguous:

• Data Subject’s consent to processing their PI must be demonstrable.

• Silence or inactivity would not be acceptable, a Data Subject must consciously “opt-in” by clearly ticking a box, choosing a technical setting, or providing a clear statement of consent. 

• Can Be Revoked:

• Data Subject must always be afforded the right to easily withdraw their consent (i.e., opt-out) at any time; this right must be expressed before consent is initially captured. 

4.2 “SALE” OF PERSONAL INFORMATION

“Sale” refers to the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means of PI that the consumer did not intentionally direct to be shared with a third party. PI transfers to third parties, regardless of monetary consideration, may be classified as a “sale” under Applicable Laws. Therefore, a “sale” of personal information requires consent.

4.2.1 Do Not Sell Rule

Under certain Applicable Laws, Consumers possess the right to tell businesses not to “sell” their PI. The specific requirements of the Do Not Sell Rule include the following:

• All websites must have a page called “Do Not Sell My Personal Information” which allows consumers to opt-out of the “sale” of their PI.

• “Do Not Sell My Personal Information” page link must be present on website homepage (also best practice to make link visible on all webpages).

• Consumers must be able to opt-out without making an account on the website.

• Website privacy policy must include language describing consumer rights and a link to “Do Not Sell My Personal Information” page.

• After a consumer opts-put, they cannot be solicited to have their PI “sold” for 12 months.

Albaugh does not engage in the sale of PI. If any Albaugh website collects PI to sell to a third party, the website must include a “Do Not Sell My Personal Information” page.

4.2.2 Minors and the Sale of Personal Information

Albaugh must not knowingly “sell” the PI of consumers under 16 years old. Consumers between the ages of 13 and 16 or parents/guardians (for consumers under 13 years of age) must specifically “opt-in” or “consent” to the “sale” of their (or their children’s) PI.

Albaugh services and products are not intended for individuals under the age of eighteen (18). Albaugh does not knowingly collect and use PI related to minors.

4.3 POLICY REQUIREMENTS

Albaugh is required to obtain consent from Data Subjects in accordance with Applicable Laws. Where consent is required, the following must be in place:

• Ability to demonstrate that the Data Subject has given explicit consent to the processing of their PI.

• Ability to demonstrate that the Data Subject has consented to the processing of their PI for one or more specific purposes.

• Consent is easily distinguishable from any other matter relating the Data Subject.

• Consent is in an intelligible and easily accessible form, using clear and plain language. 

• The Data Subject has been informed of their right to withdraw consent before having given it.

• Processing of data is limited to the contract bound by the explicit consent given by the Data Subject.

• Records of consent are retained, where applicable, in accordance with internal data retention policies and regulatory obligations.

Additionally, regional IT and the regional Compliance Officer will check Albaugh consent procedures against any further applicable local laws and regulations.

4.4 EXCEPTIONS

Any exception to the policy must be approved by  General Counsel.

4.5 POLICY ENFORCEMENT

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination.

5. Document Revision History and Approval