Privacy & Security
The European Commission's Directive on Data Protection (October 1998) prohibits the transfer of Personal Data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. In order to bridge these different privacy approaches and provide a streamlined means for US organizations to comply with the Directive, the US Department of Commerce, in consultation with the European Commission, developed a "Safe Harbor" framework. The Safe Harbor, approved by the EU in July 2000, is a way for US companies to avoid experiencing difficulties with their dealings with the EU or potentially facing prosecution by EU authorities under European privacy laws.
3. Safe Harbor Privacy Statement
4. Compliance with Safe Harbor
The US Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the "Safe Harbor Principles") to enable US companies to satisfy the "adequacy standard" requirement under EU law that protection be given to Personal Data transferred from the EU to the US. Ferguson commits to adhere to the privacy principles of the Safe Harbor Program administered by the U.S. Department of Commerce. Information on the Safe Harbor Program can be found at the program's website http://export.gov/safeharbor. Consistent with its commitment to protect personal privacy, Ferguson adheres to the following Safe Harbor
definitions shall apply:
"Company" means Ferguson Enterprises, Inc. and its divisions but excluding all subsidiaries and affiliates.
"Agent" or "Vendor" means any third party that collects or processes or otherwise uses Personal Data or "Sensitive Personal Data" solely on behalf of or under the instruction of Ferguson.
"Personal Data" means any information or set of information that identifies or can reasonably be used to identify an individual. Personal Data does not include data that is encoded, encrypted or made anonymous in part or in whole, or publicly available information that has not been combined with non-public "Personal Data."
"Sensitive Personal Data" means Personal Data that reveals race, ethnic origin, political opinions, religious or that concerns an individual's physical or mental health, marital status, family status or sexual orientation. Information is treated as "Sensitive Personal Data" when it is received from a user or third party that treats and identifies it as sensitive.
4.2 Personal Data Submitted to Ferguson
All personally identifiable information received by Ferguson is voluntarily submitted by employees or by others on the employees' behalf with their explicit or implicit consent.
Those providing the information may include individuals providing references; third parties responding to authorized background checks; workplace monitoring mechanisms; third parties sending email, mail or other deliveries to employees; other employees completing performance appraisals, and colleagues providing comments with respect to an employee's performance; where appropriate, from medical professionals; individuals conducting investigations in support of allegations of unlawful or inappropriate activity; and otherwise as required or permitted by law.
4.3 Use of Personal Data by Ferguson
The purposes for which we may use employee personal data are specified in greater detail below in Appendix A.
5. Ferguson Safe Harbor Privacy Principles
The privacy principles in this policy are based on the Safe Harbor Principles:
Where Ferguson collects Personal Data directly from employees, it will inform them about the type of Personal Data collected, the purposes for which it collects and uses the "Personal Data," and the types of third parties to which Ferguson discloses or may disclose that information, and the choices and means, if any, Ferguson offers individuals for limiting the use and disclosure of their "Personal Data." Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Ferguson, or as soon as practicable thereafter, and in any event before Ferguson uses or discloses the information for a purpose other than that for which it was originally collected.
Ferguson will offer individuals the opportunity to choose ("opt out") whether their Personal Data is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For "Sensitive Personal Data," Ferguson will give individuals the opportunity to affirmatively and explicitly consent ("opt in") to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Ferguson will provide individuals with reasonable mechanisms to exercise their choices.
5.3 Transfers to Vendor Partners
On occasion, Ferguson will provide information stored on our servers to vendor partners, for the purpose of integrating with that vendor's product or service offerings, e.g., to providers of insurance products that Ferguson employees have voluntarily requested and agreed to purchase via payroll deduction. This integration is performed at the request of our vendor partner to further their business needs and to provide services or to improve those services. Data that is shared may include name, e-mail address, employee ID, address, Social Security Number, date of birth and other information; but Ferguson only transmits to these vendors data that is essential to the fulfillment of the product or service that the employee has voluntarily agreed to purchase. Contractual agreements are made between Ferguson and the vendor to whom the data is being transferred. Ferguson's vendor partners are assumed to hold similar privacy standards as Ferguson. If Ferguson becomes aware that a vendor is using or disclosing Personal Data or "Sensitive Personal Data" in a manner that is improper or that is contrary to this Safe Harbor Policy, Ferguson will take commercially reasonable measures to stop or prevent the use or disclosure of such data.
5.4 Access and Correction
Information that is stored about the users of Employee Self Service data is accessible and editable directly from within Ferguson's intranet site(s). Ferguson permits users to edit, correct, or delete any information that they feel is inaccurate or incomplete. Should an individual not be able to access or correct this information, the individual should contact the Payroll department at 757.989.2980 to obtain information about how to access and edit Personal Data or Sensitive Personal Data within the site.
5.5 Integrity of Data
Ferguson will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Ferguson will take commercially reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current.
5.6 Security of Information
Ferguson will take all reasonable precautions to protect all "Personal" and "Sensitive Personal" data in its possession from unauthorized access, loss, or misuse. This includes, but is not limited to, the use of 128-bit encryption technology, regularly scheduled backups of data, secured storage of all Sensitive Personal information and access limitations and restrictions to the servers and computers that contain such data.
5.7 Enforcement of Policy
5.8 Resolution of Disputes
Any questions or concerns regarding the use or disclosure of Personal Data should be directed to Ferguson's Safe Harbor Officer at the address given below. Ferguson will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this policy. For complaints that cannot be resolved between Ferguson and the complainant, Ferguson has agreed to participate in the dispute resolution procedures of the panel established by the European Data Protection Authorities to resolve disputes pursuant to the Safe Harbor Principles.
5.9 Limitations on Application
Ferguson's adherence to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule, or regulation. Web sites created by Ferguson may contain links to other Web sites. Please be aware that Ferguson is not responsible for the privacy practices of these web sites. Ferguson does not endorse them or make any representations about them or any information, services, products, or materials found on them. Users are strongly encouraged to read the privacy policies of any third-party sites accessed through links.
6. Contact Information
Questions, comments or concerns regarding the Safe Harbor Policy may be directed to:
Ferguson Enterprises, Inc.
John Allen Waldrop, III
Assistant General Counsel
12500 Jefferson Avenue
Newport News, VA 23602
The practices described in this Policy are current as of March 25, 2008. Ferguson reserves the right to modify or amend this policy at any time consistent with the requirements of the Safe Harbor Principles. Appropriate public notice will be given concerning such amendments. This policy may be changed periodically in accordance with the requirements of the Safe Harbor Principles. Changes to the Safe Harbor policy will be posted on Ferguson's corporate web site (www.Ferguson.com), or concerned parties may request notification of updates via e-mail.
8. Effective Date
This policy takes effect on August 1, 2007.
We collect, use and disclose Personal Data with expressed or implied consent of the employee, and as required or permitted by law. We use Personal Data for the following purposes:
- evaluating and selecting prospective employees, or for determining an employee's suitability for advancement, or transfer or promotion to another position, and for obtaining and providing references;
- identifying employees generally and for security purposes;
- paying employees all forms of remuneration and making changes to compensation, administering tax and other withholdings and deductions from wages;
- assessing and monitoring employees' attendance, performance and training requirements, and leave requests, and responding to employee absences, illness or injury;
- recognizing employees' special occasions and offering condolences where appropriate;
- maintaining records of employee acknowledgements of our policies and codes of conduct;
- administering employee benefits and insurance plans, pension plans, professional indemnity insurance plans and professional memberships, and maintaining records relating to those plans, programs and memberships;
- administering and processing employees' work-related expenses or personal expenses;
- resolving any disputes arising between employees or between an employee and our clients, suppliers or other third parties;
- facilitating inter-office and inter-departmental communication;
- contacting an employee or an emergency contact in the event of a work query or emergency;
- administering charitable campaigns and charitable donations in which the employee chooses to participate;
- maintaining the safety and security of and appropriate use of our premises, workplace computer systems, network, email, and Internet access;
- conducting investigations into suspected unlawful or inappropriate activity;
- conducting any due diligence reviews in connection with any potential merger, sale or purchase of Ferguson or all or part of its business; and
- complying with any federal or provincial statute or other legal requirement.
We may also disclose Personal Data to the following parties:
- to third parties for the purpose of providing references;
- to financial institutions for the purpose of confirming employee salary and/or employment where the employee requests or consents;
- to third parties connected with the contemplated or actual financing, insuring, sale, merger, transfer, or assignment of all or part of our business or assets;
- to regulatory or governmental authorities as requested or required for the purpose of fulfilling their mandates or responsibilities;
- to third parties connected with workplace safety/workers' compensation insurance plans for the purposes of managing and administering any claims or complaints;
- to third parties for emergency and disaster management purposes;
- to any other third party authorized by the employee; and
- to any other person as may be permitted or required by law.
We collect, use and disclose Personal Data with explicit oral or written consent of the employee or as required or permitted by law for the purposes of:
- ensuring health and safety in the workplace;
- complying with non-discrimination requirements;
- carrying out services on behalf of the employee, such as handling disability, medical, dental, or life insurance claims on their behalf;
- in connection with actual or prospective legal proceedings; and
- considering reasonable adjustments to the workplace to accommodate workers with disabilities.