Tecan Ltd EMPLOYEE PRIVACY NOTICE

1. Introduction

(“DPO”)

This Employee Privacy Notice (“Notice”) describes the steps Tecan Ltd, Tecan Way, Weymouth, UK, DT4 9TU (“Company”), as part of IDEX Corporation (“IDEX”), takes to protect the Personal Data that we Process about our Employees. In connection with your employment with the Company, we collect, store, use and otherwise Process Personal Data about you for various business purposes. The Company is committed to the protection of the Personal Data that we Process about you consistent with the data protection principles set out in all applicable Data Protection Law.

This Notice applies to all Company Employee Personal Data, Processed by both automated and manual means provided that the personal data are contained, or are intended to be contained, in a structured Filing System, e.g. a personnel file.

This Notice may be amended from time to time. The Company will post any change to this Notice within a reasonable period of time in advance of the effective date of the change.

2. Definitions

The following terms are used within this Notice and are defined as follows:

| Term | Definition |
|---|---|
| Consent | Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the specific processing of his/her Personal Data. It has to be a clear affirmative act (“Opt-In”). Silence or inactivity are not sufficient. Consent may be withdrawn at any time with effect for the future. |
| Data Controller | The natural or legal person or other body which alone, or jointly with others, determines the purposes and means of the Data Processing. |
| Data Processing | Any operation, or set of operations, which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Data Processor | A natural or legal person, public authority, agency or other body, which processes Personal Data on behalf of the Data Controller (Article 28 GDPR). |
| Data Protection | Any local BU internal policies/procedures supplementing this Policy. |
| Data Protection | All applicable state, local and federal/national laws related to data protection including, but not limited to, GDPR. |
| Data Protection | The person which is appointed by the Company (only where required by law) to protect the Data Subjects’ rights and to act as the point of contact between the Company and you in order to ensure that the Company complies with all applicable Data Protection Law. |
| Data Subject | Any person to whom the respective Personal Data refers. |
| Employee(s) | Temporary, full-time, part-time and contract employees, interns, contingent workers, retirees, and former employees. |
| Filing System | Any structured set of Personal Data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. |
| Personal Data | Any information relating to an identified or identifiable natural person (Article 4 GDPR). |
| Privacy Lead | Personnel situated locally at each IDEX BU; whose responsibilities include supporting data protection initiatives in their respective local BUs. The Privacy Leads are the local coordinators for all data protection matters and also serve as the point of contact for the Team. They also manage all data protection documents for an IDEX BU, e.g., policies, procedures, templates and data protection statements. |
| Sensitive Data | Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (Article 9 GDPR). |
| Supervisory | An independent public authority, which is established by a European Union Member State (Article 51 GDPR) or any other public authority which is responsible for monitoring the application of Data Protection Law. |

 

3. Categories and Sources of Personal Data Processed

The Company Processes different categories of Employee Personal Data. These may include:

  • Contact details and master data, including name; marital status; gender; nationality; date of birth; home address; and contact details such as telephone number and email address.
  • Workplace identifiers, including an employee’s UID and work e-mail address.
  • Information about your employment and work related experiences and abilities, including your CV; education & work history; hire date; termination date and reason; employment status; salary; any other supporting data submitted by candidates or employees; job interests; reference checks; job applications; evidence of skills/qualifications; relocation information.
  • Information in relation to HR and performance management, including data about job performance and actual, as well as potential, advanced workplace learning methods and individual development.
  • Information from offer, activity or project participation, including pictures and attendance information.
  • Data which is necessary in order to fulfil all obligations related to employment status, including working hours, working conditions, specific health conditions, work accidents prevention/clarification and nationality.
  • Files and work product you created during your work, including emails, data files, blueprints, memos, spreadsheets and presentations.
  • Financial information in relation to compensation and payroll, including bank account details; salary; payroll data; individual tax letter details; bonus letters; salary reviews; holiday records; social benefits; and social security relevant data such as job title, entry date and working/travel times.
  • Information on benefits administration, including childcare voucher forms; pension details and administration documents; and dependent’s information.
  • Information arising from work administration and security, including information about work wear to be provided or access control.
  • Information about your use of corporate systems, our IT infrastructure or property, including Personal Data related to routine inspections, internal investigations or dispute resolution cases.
  • Disciplinary and grievance procedures, including disciplinary investigation notes and witness statements; grievance hearing minutes; and grievance appeal documentation.
  • Sensitive Data, which may include race or ethnic origin; trade union membership; and religious beliefs and information.
  • Technical data, including all data automatically created by IT-systems, such as log files, connection data or metadata connected with individual files.
  • Legal documents, including legal letters; documents created in anticipation, preparation or during the course of a trial; and information on data subject requests under Data Protection Laws.

Most of the Personal Data we Process you have provided directly to us. Other Personal Data may be provided by your managers, HR, benefits providers or other instances which are necessarily involved in managing your work relationship.

4. Purposes for Processing Personal Data

The Company Processes Employee Personal Data for various necessary business purposes in connection with your employment at the Company:

  • To perform our obligations as an employer towards you, including the execution of compensation, payroll and benefits administration.
  • For supplying and monitoring use of work equipment or corporate systems including monitoring the professional use of computer equipment and telecommunication networks, as well as any other devices and machines used within the context of work.
  • For work administration, including compensation and payroll management; Company car management; project management; the fulfilment of your job description; benefits administration; and management of time and attendance in the Company.
  • For security control of IDEX’ physical premises or for IT security and data breach procedures.
  • For the improvement of the Company’s processes and organization, including efficiency analyses and redesign of different teams and departments.
  • For strategic decisions, including planning of restructuring processes, mergers and acquisitions or sale of entities.
  • For the management of booking transportation and accommodation, including transfers in case of work-related travel.
  • For HR and performance management, including the implementation of performance evaluation; job specific and other IDEX related trainings (such as annual Code training); organizational talent management; personality tests; satisfaction and corporate value surveys; monitoring health, healthcare medicine and management of temporary and permanent employment-related disabilities derived from common and professional contingencies which affect your job position; and the execution of investigations and disciplinary and grievance procedures.
  • To improve the working climate, including to congratulate or express our condolences in certain circumstances in accordance with the Company’s core values.
  • For communication and information divulgation, including to share your professional contact details in an IDEX group internal directory; and to send news of IDEX’ group and other corporate information, materials and equipment.
  • To comply with legal obligations addressed by employers in relation to the work relationship.
  • For the fulfilment of other legal obligations, including local tax and commercial law, as well as audits by governmental and regulatory authorities.
  • For asserting or the defense of legal claims or the prevention of misconduct, compliance violations or other infringements, such as routine inspections; internal investigations; or dispute resolution cases.
  • To report to public authorities, including to send tax information to tax authorities; or sending information on your employment status to the employment agency.
  • To fulfill your co-determination or similar rights, including providing information to the works council or providing your contact information to works council election committees.

5. Legal Basis for Processing Personal Data

The Company Processes Personal Data on several legal bases:

  • Once you have been informed about the intended Processing of your Personal Data and you have provided your consent. You may withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on your consent before the withdrawal. Article 6 GDPR.
  • If the Processing of your Personal Data is necessary to carry out the employment contract or employment relationship between you and the Company (in some countries an additional national legal basis might apply for the Processing of employment data). Article 6 GDPR.
  • If the Processing is necessary for the Company to comply with an applicable legal obligation (e.g., a court orders the release of certain information for legal proceedings). Article 6 GDPR.
  • If the Processing is necessary for purposes of the legitimate interests pursued by the Company or by a third party except where overridden by Employee interests or fundamental rights and freedoms of a Data Subject which require protection of Personal Data. Article 6 GDPR. These legitimate interests can include:
    o business process execution and internal management;
    o strategic planning;
    o travel and expense management;
    o business reporting;
    o systems reporting and access analyses;
    o performance management and employee training;
    o administering compensation programs;
    o disciplinary purposes and other business purposes related to employee management;
    o conducting or preparing for sale, merger and/or acquisition activities;
    o improving the Company’s efficiency; and
    o for communication and information divulgation.

In accordance with Art. 9 para. 2 or para. 4 GDPR regarding Sensitive Data, we Process limited amounts of Sensitive Data. This is only done in instances where: i) explicit consent has been given by the Data Subject; ii) necessary in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection; iii) necessary to protect the vital interests of individuals (e.g., health and safety); or iv) required for the establishment, exercise or defense of legal claims.

6. Your Rights

The GDPR provides you with rights relating to the Processing of your Personal Data. These rights include:

  • Request access to Personal Data about you (commonly known as a “data subject access request”). This enables you to receive information about the Personal Data we hold about you and to check that we are lawfully Processing it.
  • Request rectification, correction, or updates to Personal Data that we hold about you. This enables you to correct any incomplete or inaccurate information.
  • Request Personal Data to be transferred in machine-readable format (“data portability”) to the extent this right is relevant in the employment context.
  • Request erasure of Personal Data. This enables you to request deletion or the removal of Personal Data where there is no legitimate reason for us to continue to Process it. You also have the right to ask us to delete or remove Personal Data where you have exercised your right to object to Processing (see below).
  • Request the restriction of Processing of your Personal Data. This enables you to ask us to suspend the Processing of Personal Data about you if you want us to establish its accuracy or the reason for Processing it.
  • Withdraw consent you have given at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Object to the Processing of your Personal Data in certain circumstances. This right may apply where the Processing of your Personal Data is based on the legitimate interests of Company, as described in Annex 1, or where decisions about you are based solely on automated processing, including profiling. Notwithstanding, you have the right to object at any time to Processing of your Personal Data for direct marketing purposes.

These rights are not absolute and are subject to various conditions under Data Protection Law and any other applicable laws and regulations.

You may exercise these rights by contacting your Privacy Lead (see Section 3). You also have the right to lodge a complaint with a Supervisory Authority.

7. Data Sharing and International Data Transfers: Intra-Group and External Third Parties

Intra-group transfers

As a member of a multinational enterprise operating under a decentralized management structure, the Company may share Employee Personal Data with IDEX affiliates / BUs listed here, for the purposes set out in this Notice. Please note that the Company only shares Employee Personal Data with those listed companies where this is covered by a lawful basis for such Processing.

These transfers are protected by the obligations set out in intra-group agreements that we have entered into between the various IDEX legal entities. International transfers within IDEX are governed by EU Commission-approved Standard Contractual Clauses for Data Controllers and, where relevant, for Data Processors. You may receive a copy of these Standard Contractual Clauses used in our intra-group agreements by contacting the Privacy Lead (see Section 3).

External Third Parties  

The Company may share Personal Data with external third parties whom we engage to perform services or functions on our behalf and under our instructions. Where applicable, their Processing of your Personal Data will be subject to the GDPR requirements. The Company will also ensure that its contracts with these third parties ensure they only Process Personal Data in accordance with our instructions and in order to provide the agreed services and protect the integrity and confidentiality of the Personal Data entrusted to them, in line with the GDPR requirements.

For the purposes set out in this Notice, we may also disclose Employee Personal Data to our IT service providers, auditors, lawyers, consultants, law enforcement, courts and tribunals and other public authorities (such as tax and social security bodies). We may also disclose your Employee Personal Data to current employers; banks; pension and benefits administrators and insurance companies; hotels, travel agencies, airlines and telecommunications operators. Some of these recipients are themselves responsible to determine the purposes and means of the Processing and for the lawfulness of the Processing on their end. Where necessary, we will ensure that appropriate contractual measures are in place to ensure the protection of your Personal Data.

Some of the vendors we engage to Process Employee Personal Data are located outside the European Economic Area. We will ensure that these transfers are either:

  • To countries, which fall under an adequacy decision by the EU-Commission and have been deemed to provide an adequate level of protection, currently including Switzerland, Uruguay, Argentina, Japan, Israel, Isle of Man, New Zealand, Guernsey, Canada, Andorra, Faroe Islands and Jersey; or are
  • Governed by one of the following safeguards: EU Commission-approved Standard Contractual Clauses; GDPR-compliant Data Processor clauses where the US vendor is certified under the EU-US Privacy Shield Framework; or Binding Corporate Rules approved by an EU data protection authority. You may receive a copy of these data protection safeguards by contacting us at the contact details given in Section 3 above.

8. Retention of Personal Data

The Company will keep and Process your Personal Data only for as long as is necessary for the purposes for which it was collected in connection with your employment with Company. In general, Personal Data will be deleted where required by law and after the expiration of any applicable statute of limitation, unless the Company has a legal right or obligation to retain the data for a longer period of time.

9. Statutory/Contractual Requirements

You may choose not to provide us with your Personal Data and/or provide incomplete Personal Data. However, please be aware that, in certain cases, we may not be able to engage in, or continue a contractual or employment relationship with you, as your Personal Data is required for administrative purposes and/or to fulfil statutory requirements.

10. Automated Decision-Making and Profiling

Your Personal Data will not be used for automated decision-making and/or profiling.