ATPI Data Protection Policy

1. Purpose

1.1 This Policy defines requirements to ensure compliance with laws and regulations applicable to the ATPI’s collection, use, Processing, and transfer of Personal Data throughout the world.

2. Scope

2.1 ATPI is committed to complying with the applicable Data privacy and Protection requirements in the countries in which it (the “Company”) operates. Because of differences among these jurisdictions the Company has adopted a Data Protection policy which creates a common core of values, policies and procedures intended to achieve generic compliance, supplemented (where applicable) with additional instructions and guidance applicable in those jurisdictions with unique requirements.

2.2 This policy is based upon the UK Data Protection Act 1998 and the EU Data Protection Directive 95/46/EC, and in compliance with the U.S. Department of Commerce “Safe Harbor” system (see Safe Harbor statement below), which provide a robust generic model for global Data Protection and privacy compliance. The Company has also committed to establishing international Binding Corporate Rules (BCR) agreements, to be authorised for worldwide acceptance by the UK’s Information Commissioner’s Office, and which govern the transfer, and subsequent sub-Processing, of Data throughout its entire global network of group companies.

2.3 This Policy applies to all Company full and part time employees, agency employees, and all suppliers and clients who receive Personal Data from the Company, have access to Personal Data collected or processed by the Company, or who provide information to the Company, regardless of geographic location.

2.4 As a policy commitment the Company will not process Personal Data without notification to the Data Protection authorities in jurisdictions which require such notification. To ensure compliance with the regulations the Company will correctly establish its status for all Data Processing as either a Data Controller, or Data Processor acting for another Data Controller.

3. Group Compliance

3.1 The Company’s data compliance program will be overseen by the Head of Group Compliance (HGC) assisted by locally appointed compliance staff and internal auditors. Responsibilities may be delegated by the HGC.

3.2 The HGC will implement the company’s international Data Protection procedures and BCR agreements, as well as any duties required by applicable law, including:

3.2.1 Determining whether notification to one or more Data Protection authorities is required as a result of the Company’s Data Processing activities, then making any required notifications, and keeping such notifications current.

3.2.2 Designing and implementing ongoing programs for training employees in Data Protection rules and procedures.

3.2.3 Establishing (with the involvement of the IT and legal departments) procedures and standard contractual provisions for obtaining compliance with this Policy by group companies, clients, suppliers, and third parties who receive Personal Data from the Company, have access to Personal Data collected or processed by the Company, or who provide information to the Company, regardless of geographic location.

3.2.4 Establishing mechanisms for periodic audits of compliance with this Policy, implementing procedures, and applicable law.

3.2.5 Establishing, maintaining, and operating a system for prompt and appropriate responses to Data Subject requests to exercise their rights.

3.2.6 Establishing, maintaining, and operating a system for the prompt and appropriate automatic disclosure to the relevant authorities and Data Subjects of any loss of Personal Data.

3.2.7 Informing senior managers, officers, and directors of the Company of the potential corporate and Personal civil and criminal penalties which may be assessed against the Company and/or its employees for violation of applicable Data Protection laws.

3.2.8 Ensuring that the risk management plans in relation to Data Protection are implemented effectively and promptly.

3.2.9 Ensuring that adequate assurance regarding the effectiveness of Data Protection procedures and audits is provided to the Board, management and other stakeholders.

4. Data Protection Principles

4.1 The Company has adopted the following principles to govern its use, collection, and transmittal of Personal Data, except as specifically provided by this Policy or as required by applicable laws:

4.1.1 Personal Data shall only be processed fairly and lawfully.

4.1.2 Personal Data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.

4.1.3 Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or processed.

4.1.4 Personal Data shall not be collected or processed unless one or more of the following apply:

4.1.5 The Data Subject has provided Consent (See definition of Consent in Appendix A);

4.1.6 Processing is necessary for the performance of a contract directly with the Data Subject, or to which the Data Subject is an employee of a party;

4.1.7 Processing is necessary for compliance with a Company legal obligation;

4.1.8 Processing is necessary in order to protect the vital interests of the Data Subject;

4.1.9 Processing is necessary for legitimate interests of the Company or by the third party or parties to whom the Data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject.

4.2 Appropriate physical, technical, and procedural measures shall be taken to:

4.2.1 prevent and/or to identify unauthorised or unlawful collection, Processing, and transmittal of Personal Data; and

4.2.2 prevent accidental loss or destruction of, or damage to, Personal Data.

5. Transfers to Third Parties

5.1 Personal Data shall not be transferred to another entity, country or territory, unless reasonable and appropriate steps have been taken to establish and maintain the required level of Data Security.

5.2 Personal Data may be communicated to third persons only for reasons consistent with the purposes for which the Data were originally collected or other purposes authorised by law.

5.3 All transfers of Personal Data to third parties for further Processing shall be Subject to written agreements, or under the Company’s BCR agreements for internal Data transfers.

5.4 EU Personal Data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless the transfer is made to a country or territory recognised by the EU as having an adequate level of Data Security, or is made in compliance with the U.S. Department of Commerce “Safe Harbor” system.

5.5 Subject to the provisions of the above, Personal Data may be transferred where any of the following apply:

5.5.1 The Data Subject has given Consent to the proposed transfer;

5.5.2 The transfer is necessary for the performance of a contract between the Data Subject (Personally or via his employing company as an the Company client) and the Company;

5.5.3 The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Company and a Third Party;

5.5.4 The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise, or defence of legal claims;

5.5.5 The transfer is required by law;

5.5.6 The transfer is necessary in order to protect the vital interests of the Data Subject.

6. Prevention of Non-Complying IT Systems

6.1 The Company’s Head of ICT shall establish a procedure for assessing the impact of any new or existing Technology on the privacy and security of Personal Data.

6.2 No new system or new version of an existing system shall be made available for use until the HGC has obtained written confirmation from the Head of ICT there would be no breach of any Data Protection of other legal requirement or regulation.

7. Sources of Personal Data

7.1 Personal Data shall be collected only from the Data Subject unless the nature of the business purpose necessitates collection of the Data from other persons or bodies.

7.2 If Personal Data are collected from someone other than the Data Subject, the business unit collecting the Data must have confirmation, in writing, from the supplier of the Data that the Data Subject has provided Consent to the transfer to the Company.

8. Data Subject Rights

8.1 Data Subjects shall be entitled to obtain the information about their own Personal Data upon a request made in writing to the HGC who will establish a system for logging each request under this Section as it is received and noting the response date

8.2 The request should be made in writing to; 

Data Protection Officer
Rivercastle House
10 Leake Street
London SE1 7NN
UK

Or by email: dpa-requests@atpi.com

8.3 The Company shall provide its response to a request above within 40 days from the date of the written request.

8.4 Data Subjects shall have the right to require the Company to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data.

8.5 The Company may establish reasonable fees to cover the cost of responding to requests from non-employee Data Subjects.

9. Sensitive Data

9.1 Sensitive Personal Data should not be processed unless:

9.1.1 Such Processing is specifically authorised or required by law.

9.1.2 The Data Subject expressly and unambiguously Consents.

9.1.3 Where the Data Subject is physically or legally incapable of giving Consent, but the Processing is necessary to protect a vital interest of the Data Subject. This exemption may apply, for example, where emergency medical care is needed.

9.1.4 Data relating to criminal offenses may be processed only by or under the control of the Legal Department.

10. Data Quality Assurance

10.1 Personal Data must be kept only for the period necessary for permitted uses. The Company has established local Record Retention Policies which determine applicable timescales for Data deletion.

10.2 Personal Data shall be erased if their storage violates any Data Protection rules or if knowledge of the Data is no longer required by the Company, or at the request of the Data Subject.

11. Intra-Group Processing

11.1 Where the Company relies on another group company to assist in its Processing activities, the Company will enter into a Data Transfer Agreement with that other group company in order to ensure that responsibility for the data are clearly identified, as both parties may be considered as Data Controllers.

11.2 Where the other group company is located abroad, the group companies involved in the Processing shall be known as a Data Exporter and a Data Importer respectively, although there may be more than one Data Importer involved in the Processing.

12. Third Party Processors

12.1 Similarly where the Company relies on third parties to assist in its Processing activities, the Company will choose a Data Processor who provides sufficient security measures and take reasonable steps to ensure compliance with those measures.

13. Written Contracts for Third Party Processors

13.1 Therefore, the Company shall enter into a written contract with each Data Processor requiring it to comply with Data privacy and security requirements imposed on the Company under local legislation.

14. Audits of Third Party Data Processors

14.1 As part of the Company’s internal Data auditing process, the Company shall conduct periodic checks on processing by third party Data Processors, and in particular relating to the hand-off procedures for the Data especially in respect of security measures.

15. Notice to Directors, Managers, and Officers of Potential Sanctions for Non-Compliance

15.1 The HGC shall notify directors, managers, and other officers of the Company that:

15.1.1 failure to comply with relevant Data Protection legislation may trigger criminal and civil liability, including fines, imprisonment, and damage awards; and

15.1.2 they can be Personally liable where an offence is committed by the Company with their Consent or connivance, or is attributable to any neglect on their part.

16. Data Security

16.1 The Company has a Data Security Management policy, under which it shall adopt physical, technical, and organisational measures to ensure the security of Personal Data, including the prevention of their alteration, loss, damage, unauthorised Processing or access, having regard to the nature of the Data, and the risks to which they are exposed by virtue of human action or the physical or natural environment. These measures will be documented within the Data Security Policy, which will be reviewed at least annually, or when necessary to reflect significant changes to security arrangements.

16.2 Adequate security measures should include all of the following:

16.2.1 Prevention of unauthorised persons from gaining access to Data Processing systems in which Personal Data are processed.

16.2.2 Preventing persons entitled to use a Data Processing system from accessing Data beyond their needs and authorisations.

16.2.3 Ensuring that Personal Data in the course of electronic transmission during transport or during storage on a Data carrier cannot be read, copied, modified or removed without authorisation.

16.2.4 Ensuring that Personal Data are protected against undesired destruction or loss.

16.2.5 Ensuring that Data collected for different purposes can and will be processed separately.

16.2.6 Ensuring that Data are not kept longer than stipulated in the Data Retention Policy, including by requiring that Data transferred to third persons be returned or destroyed.

17. Compliance Measurement

17.1 The HGC shall establish a schedule for and implement a Data Protection compliance audit for all business units. The HGC, in cooperation with the business units, shall devise a plan and schedule for correcting any identified deficiencies within a fixed, reasonable time.

17.2 Each Company business unit shall review annually its Data collection, Processing, and Security practices and shall determine what Personal Data the business unit is collecting including that held in manual systems that constitute “Relevant Filing Systems”

17.3 The information collected in this annual review shall be delivered to the HGC for review and appropriate action including, without limitation, the following:

17.3.1 Making recommendations for improvement to policies and procedures in order to improve compliance with this Policy and applicable law.

17.3.2 Satisfying the requirements for self-certifying compliance within local Data Protection Authorities, with the U.S. Safe Harbor provisions, and compliance with the Company’s own international Binding Corporate Rules.

18. Implementation

18.1 This Policy shall be available to employees through the company Intranet and/or Entropy compliance system, and an abridged public version shall be made available to others via the Company’s website.

18.2 The HGC, in cooperation with the Business Units, will develop a timeline and program for implementing this Policy.

18.3 This Policy may be revised at any time but at least annually by the HGC. Notice of significant revisions shall be provided to employees through the company Intranet and/or Entropy compliance system and to others via the Company’s website.

Appendix A

Glossary 

Consent:

Consent means “any freely given specific and informed indication of his wishes by which the Data Subject signifies agreement to Personal Data relating to him being processed.” 
Nevertheless, Consent may be obtained by a number of methods. These may include clauses in employment contracts, check boxes on replies to application or purchase forms, and click boxes on online forms where Personal Data are entered. 
In most European Union countries, Consent to the Processing of Sensitive Personal Data needs to be clear and unequivocal. This generally means that some form of specific, active Consent) is required. This requirement is sometimes found to be less unequivocal beyond the EU.

Data:

Data (whether or not having an initial capital letter) as used in this Policy shall mean information which either: 
* is being processed by means of equipment operating automatically in response to instructions given for that purpose; 
* is recorded with the intention that it should be processed by means of such equipment; 
* is recorded as part of a Relevant Filing System or with the intention that it should form part of a Relevant Filing System; 
* does not fall within any of the above, but forms part of a readily accessible record covering an individual. 
Data therefore includes any digital Data by computer or automated equipment, telephone recordings, and any manual information which is part of a Relevant Filing System. 

Data Controller
:
Data Controller means a person who (alone or with others) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed. Generally, Company itself will be the Data Controller in most cases. 

Data Exporter;

Data Exporter means the Data Controller or Data Processor who transfers the personal data abroad.

Data Importer;
Data Importer shall means the Data Controller or Data Processor who agrees to receive from the Data Exporter personal data for further processing in accordance with the terms of this Policy and the relevant Data Transfer Agreement.

Data Processor:
Data Processor means any person, other than an employee of the Data Controller, who processes the Data on behalf of the Data Controller. A company may be a Data Processor if defined as such under contractual terms with the Data Controller.

Data Subject:
Data Subject means the person to which Data refers. Data Subjects include customers and web users, individuals on contact /e-mailing lists or marketing Databases, employees, contractors and suppliers.

Personal Data:
Personal Data means Data related to a living individual who can be identified from those Data or from those Data and other information in the possession of, or likely to come into the possession of, a Data Controller or Data Processor. Personal data does not include information that has been anonymized, encoded or otherwise stripped of its identifiers, or information that is publicly available, unless combined with other non-public personal information.

Processing:
Processing covers a wide variety of operations relating to Data, including obtaining, recording or holding the Data or carrying out any operation or set of operations on the Data, including: 

* Organisation, adaptation, or alteration; 
* Disclosure by transmission, dissemination, or otherwise; and 
* Alignment, combination, blocking, erasure, or destruction. 

Relevant Filing System:

Relevant Filing System means any set of information relating to individuals, whether kept in manual or electronic files, structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. 
Therefore any digital Database and/or organised manual files relating to identifiable living individuals fall within the scope of Data Protection laws and regulations, while a Database of pure statistical or financial information (which cannot either directly or indirectly be related to any identifiable living individuals) will not. 

Safe Harbor

Safe Harbor means the "Safe Harbor" program that has been jointly established by the United States Department of Commerce and the European Commission as a method for transferring personal information from the European Union (EU) to companies in the United States. A similar arrangement has been agreed between the US Department of Commerce and the Information Commissioner of Switzerland, so that the Safe Harbor program now includes the U.S. - EU Safe Harbor Framework and the U.S. - Swiss Safe Harbor Framework. The Program is a voluntary self-certification process for companies operating in the United States. Companies that certify represent that they are upholding privacy standards for personal information received from the EU and Switzerland that have been accepted by the EU Commission, the Swiss Federal Data Protection and Information Commission and the US Department of Commerce. 

Sensitive Data:

Sensitive Data means Personal Data containing information as to the Data Subject’s: 
* Race or ethnic origin; 
* Religious beliefs or other beliefs of a similar nature; 
* Political opinions; 
* Physical or mental health or condition; 
* Sexual history or orientation; 
* Trade union membership; 
* Commission or alleged commission of any offense and any related court proceedings. 

Technology:

Technology is to be interpreted broadly, to include any means of collecting or Processing Data, including, without limitations, computers and networks, telecommunications systems, video and audio recording devices, biometric devices, closed circuit television, etc.

Safe Harbor Statement

This Safe Harbor Privacy Statement (the "Statement") details the privacy principles followed by all ATPI Group Companies in the USA which are Safe Harbor certified in connection with the transfer and protection of "personal information" received from the European Union (EU) or Switzerland. All ATPI Group Companies in the USA which are listed below have certified to Safe Harbor, and each reference to "ATPI" in this Safe Harbor Privacy Statement means each ATPI Group Company in the USA.

Safe Harbor Affirmation:

ATPI complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. ATPI has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor Program, and to view ATPI's certification, please visit http://www.export.gov/safeharbor.

Scope

This Statement governs personal information transferred from countries in the EU or Switzerland to the United States on behalf of ATPI. It applies to personal information in electronic and off-line formats.

Safe Harbor Privacy Principles

The following privacy principles apply to the transfer, collection, use or disclosure of personal information from the EU or Switzerland by ATPI.

Notice 

ATPI informs individuals in the EU and Switzerland about the purposes for which it collects and uses their personal information, how to contact ATPI the types of third parties with which ATPI shares their personal information, and the choice and means ATPI offers for limiting the use and disclosure of their personal information.
Consistent with the Safe Harbor requirements, ATPI may not be in a position to furnish notice in certain limited situations. Specifically, notice is not required where the processing of EU or Swiss personal information is necessary to respond to a government inquiry; is required by applicable laws, court orders or government regulations; or is necessary to protect ATPI's legal interests and providing notice would interfere with those interests.

Choice

ATPI will not process personal information about EU or Swiss individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the individual unless the individual affirmatively and explicitly consents ("opt-in") to the processing, or unless an exception applies. ATPI also provides EU and Swiss individuals with the opportunity to withdraw consent at any time ("opt-out"), in which case their personal information will not be further processed. 

Data Integrity

ATPI seeks to ensure that any personal information held about EU and Swiss individuals is accurate, complete, current and otherwise reliable in relation to the purposes for which the information was obtained. ATPI collects personal information that is adequate, relevant and not excessive for the purposes for which it is to be processed. EU and Swiss individuals have a responsibility to assist ATPI in maintaining accurate, complete and current personal information about them.

Transfers To Third Parties

ATPI will only transfer personal information about EU and Swiss individuals to third-parties where the third-party (a) has provided satisfactory assurances to ATPI that it will protect the information consistently with this Statement; or (b) is located in the EU, Switzerland or a country considered "adequate" for privacy by the EU or Swiss Commission, and therefore is required to comply with the EU or Swiss data protection laws or substantially equivalent privacy laws depending upon where the personal information originated ; or (c) the third-party has also certified to the Safe Harbor, and is accordingly independently responsible for complying with the Safe Harbor requirements.
Where ATPI has knowledge that a third-party to whom it has provided EU or Swiss personal information is processing that information in a manner contrary to this Statement or the Safe Harbor requirements, ATPI will take reasonable steps to prevent or stop the processing.

Access and Correction

Upon written request to ATPI, ATPI will provide EU and Swiss individuals with reasonable access to their personal information. ATPI will also take reasonable steps to allow EU and Swiss individuals to review their information for the purposes of correcting their information. There are certain limitations to the Access and Correction rights, as set forth in the US Department of Commerce's Safe Harbor website.

Security

ATPI takes reasonable precautions to protect EU and Swiss personal information in its possession from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Enforcement

ATPI has established internal mechanisms to verify its ongoing adherence to this Statement. ATPI also encourages individuals covered by this Statement to raise any concerns about our processing of their personal information by contacting the appropriate ATPI's Privacy Officer at the address below. ATPI will seek to resolve any concerns. ATPI has also agreed to participate in the dispute resolution programs provided by the European Data Protection Authorities.

Limitation On Scope Of Principle

Adherence to these Privacy Principles may be limited to the extent required to meet a legal, governmental, national security or public interest obligation.

Contact Information

The ATPI US Group Companies which are listed below have certified to the Safe Harbor. If you have questions or comments about this Statement, write to the ATPI US Group Company responsible for the collection and/or processing of your personal information or call the telephone number provided below:
The current list of ATPI US Group Companies which are Safe Harbor Certified is:

ATP International USA, Inc. 
116 Washington Avenue, 4th Floor
North Haven, CT 06473
T: 203-772-0060

Instone International Holdings Inc.
One Greenway Plaza, Suite 1050
Houston, TX 77046
T: 713-590-8282

Instone (USA) International LLC
One Greenway Plaza, Suite 1050
Houston, TX 77046
T: 713-590-8282

Global Transportation Group LLC
2211 Norfolk, Ste. 300
Houston TX 77098-4031
T: +1 713 535 1472