EU-US, UK-US and Swiss-US Data Privacy Framework Policy

Policy Number: IT-0022-12-16
Effective Date: 22 December 2016
Last Revision: 18 April 2024

INTRODUCTION
This Data Privacy Framework Policy (this “Policy”) describes how Boart Longyear and its subsidiaries and affiliates in the United States (“US”) collect, use, and disclose certain personally identifiable information that we receive in the US from the European Union, United Kingdom or Switzerland. This Policy supplements our Privacy Policy located at http://www.boartlongyear.com/company/legal.

Boart Longyear recognizes that the EU, UK, and Switzerland have established strict protections regarding the handling of personal data, including requirements to provide adequate protection for personal data transferred outside of the EU, UK, or Switzerland. To provide adequate protection for certain personal data about employees, corporate customers, clients, suppliers, and business partners received in the US, Boart Longyear has elected to self-certify to the EU-US Data Privacy Framework Principles, the UK-US Data Privacy Framwork Principles, and the Swiss-U.S. Data Privacy Framework Principles administered by the US Department of Commerce (“Data Privacy Framework”).

Boart Longyear complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Boart Longyear has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  Boart Longyear has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/govern.

For purposes of enforcing compliance with the Data Privacy Framework, Boart Longyear is subject to the investigatory and enforcement authority of the US Federal Trade Commission In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Boart Longyear commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

DEFINITIONS
For the purposes of this Policy, the following definitions shall apply:

“Boart Longyear”, “we” or “us” means Boart Longyear Company and their respective affiliates, subsidiaries, divisions and groups organized under the laws of any State of the United States of America or registered to do business in any State of the United States of America, and which may be listed as “Covered Entities” on Boart Longyear’s Data Privacy Framework certification; including but not limited to, BLY US Holdings Inc., Boart Longyear Manufacturing and Distribution Inc., and Veracio Ltd.

“European Union” or “EU” means, for the purposes of this Policy, all countries within the European Economic Area (EEA) including Switzerland.

“Personal data” and “personal information” means data about an identified or identifiable individual that is within the scope of the Data Privacy Framework, received by Boart Longyear in the US from the EU, and recorded in any form. It does not include personal information that has been anonymized or that is publicly available, that has not been combined with non-public personal information.

“Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

“Sensitive personal information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information that concerns health or sexual orientation. In addition, Boart Longyear will treat as sensitive, any information received from a third party where that third party treats and identifies the information as sensitive.

PRIVACY PRINCIPLES
The privacy principles in this Policy are in accordance with the Data Privacy Framework Principles set out in the Data Privacy Framework.

NOTICE
Where Boart Longyear collects personal information directly from individuals in the EU, it will inform them about the purposes for which it collects and uses personal information about them, the types of non-agent third parties to which Boart Longyear discloses that information, and the choices and means, if any, that we offer individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to Boart Longyear, or as soon as practical thereafter, and in any event before we use the information for a purpose other than that for which it was originally collected.

Where Boart Longyear receives personal information from its subsidiaries, affiliates or other entities in the EU, it will use such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.

During the conduct of its operations, Boart Longyear may collect and process the following types of personal information:

  • 1. Boart Longyear keeps contact information, account numbers and information relating to billing, together with other information which may be necessary for the daily operation of Boart Longyear’s services including conducting customer, product and service surveys, direct marketing of products and services, handling customer complaints and inquiries, making disclosure under the requirements of any applicable law and any other directly related matters.

  • 2. Human resources data such as contact information, residential address, date of birth, gender, government identification number, account information, qualifications and training records, performance reviews, which is processed to support Boart Longyear’s human resources functions and activities including the administration of employee benefits, compensation, management of employee performance, business planning, disciplinary procedures including the investigation and reporting of complaints and for compliance with legal obligations, policies and procedures.

  • 3. Prospective users of Boart Longyear applications and websites who make inquiries regarding Boart Longyear’s products and services may be asked to provide personal information in order to provide the requested information, products or services. Personal information provided may be used for the processing of requested transactions, improving the quality of our products and services, sending communications about our products and services, enabling our business partners and service providers to perform certain activities on our behalf and complying with our legal obligations, policies and procedures.

Boart Longyear may use the personal information it collects to comply with its legal obligations, policies and procedures and for internal administrative purposes.

CHOICE
Boart Longyear offers individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party, or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by such individuals. Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise their choice.

For sensitive information, Boart Longyear will obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, Boart Longyear will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

ACCOUNTABILITY FOR ONWARD TRANSFER
Boart Longyear recognizes potential liability in cases of onward transfers to third parties. We will not transfer any personal information to a third party without first ensuring that the third party adheres to the Data Privacy Framework Principles, or is subject to binding contractual obligations to: (i) only process the personal data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the personal data; together with any additional requirements under applicable law.

We disclose personal data to other entities within the Boart Longyear (BLY) group, for legitimate business purposes and the operation of our sites, Apps, products, or services to you, in accordance with applicable law. In addition, we disclose personal data to:

  • a) you and, where appropriate, your appointed representatives;

  • b) legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation; or disclosures made in the vital interest of an identifiable person such as those involving life, health, or safety;

  • c) accountants, auditors, lawyers and other outside professional advisors to BLY, subject to binding contractual obligations of confidentiality;

  • d) third party processors (such as payment services providers; shipping companies; etc.), located anywhere in the world, subject to the requirements noted below in this section (G);

  • e) any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise, or defence of legal rights;

  • f) any relevant party for the purposes of prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties;

  • g) any relevant third-party acquirer(s), in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution, or liquidation); and

  • h) any relevant third-party provider, where our sites and our Apps use third party advertising, plugins, or content. If you choose to interact with any such advertising, plugins, or content, your personal data may be shared with the relevant third-party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins, or content.  

Boart Longyear does not transfer personal information to unrelated third parties, unless lawfully directed, or in certain limited or exceptional circumstances, in accordance with the Data Privacy Framework. For example, such circumstances would include disclosures of personal information required by law or legal process including lawful requests by public authorities for example, to meet national security or law enforcement requirements. In the event that Boart Longyear is requested to transfer personal information to an unrelated third party, we will ensure that such party is either subject to the Data Privacy Framework, subject to similar laws providing an adequate and equivalent level of privacy protection, or will enter into a written agreement with the third party requiring them to provide protections consistent with the Data Privacy Framework and this Policy. Should Boart Longyear learn that an unrelated third party to which personal information has been transferred by us is using or disclosing such personal information in a manner contrary to this Policy, we will take reasonable steps to prevent or stop the use or disclosure.

 Personal information is accessible only by those Boart Longyear employees and consultants who have a reasonable need to access such information in order for us to fulfill contractual, legal and professional obligations. All of Boart Longyear’s employees and consultants have entered into strict confidentiality agreements, and/or have been subjected to thorough criminal background checks requiring that they maintain the confidentiality of personal information.

SECURITY
Boart Longyear takes reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

DATA INTEGRITY AND PURPOSE LIMITATION
Boart Longyear uses personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. We take reasonable steps to ensure that personal information is reliable for its intended use, accurate, complete, and current. Boart Longyear will only collect and store personal information that is relevant to fulfil the desired purpose and will retain such information no longer than appropriate to fulfil such purpose.

ACCESS AND CORRECTION
Upon request, Boart Longyear will grant individuals reasonable access to the personal information we hold about them. In addition, Boart Longyear will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or has been processed in violation of the Data Privacy Framework Principles.

VERIFICATION
Boart Longyear assures compliance with this Policy by utilizing the self-assessment approach as specified by the U.S. Department of Commerce. The assessment is conducted on an annual basis to ensure that all of Boart Longyear’s relevant privacy practices are being followed in conformance with this Policy and the Privacy Policy. Any employee that Boart Longyear determines is in violation of these policies will be subject to discipline, up to and including termination of employment and/or criminal prosecution.

RECOURSE, ENFORCEMENT AND LIABILITY
Any complaints or concerns regarding the use or disclosure of personal information transferred from the EU or Switzerland to the US should, in the first instance, be directed to the Boart Longyear Data Protection Manager or the Confidential Compliance Helpline at the address given below. Boart Longyear will investigate and attempt to resolve complaints in accordance with the Data Privacy Framework Principles within 45 days of receiving a complaint. Complaints that cannot be resolved internally will be referred to the applicable EU Data Protection Authorities to address complaints and provide appropriate recourse, which will be provided free of charge to the individual. Boart Longyear is committed to following the determination and advice of these authorities. Under certain circumstances, an individual may choose to invoke binding arbitration to resolve any disputes that have not been resolved by other means.

Boart Longyear complies with the Data Privacy Framework Principles and is subject to the investigatory and enforcement powers of the Federal Trade Commission.

In compliance with the Data Privacy Framework Principles, Boart Longyear commits to resolve complaints about our collection or use of your personal information.  EU and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact Boart Longyear at: 

Robert Tate Data Protection Manager, 2455 South 3600 West, Salt Lake City, Utah 84119, dataprotection@boartlongyear.com

Confidential Compliance Helpline via the internet: www.convercent.com/report; via telephone: + 1 720 514 4400 (collect call/reverse charge call accepted); via mail: Boart Longyear Confidential Compliance Helpline 2455 South 3600 West Salt Lake City, UT, 84119

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Boart Longyear commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPFin the context of the employment relationship.

LIMITATION ON SCOPE OF PRINCIPLES
Adherence by Boart Longyear to the Data Privacy Framework Principles may be limited (a) to the extent we are required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

CHANGES TO THIS POLICY
This Policy may be amended from time to time, consistent with the requirements of applicable laws and regulations. The revisions will take effect on the date of publication of the amended Policy, as stated. Notice of any such amendment will be posted on http://www.boartlongyear.com/company/legal.

CONTACT INFORMATION
Questions, complaints or comments related to this Policy, data processing or data collection should be submitted to the Boart Longyear Data Protection Manager or the Confidential Compliance Helpline as follows:

Robert Tate
Data Protection Manager
2455 South 3600 West
Salt Lake City, Utah 84119
dataprotection@boartlongyear.com

Confidential Compliance Helpline

Via the internet: www.convercent.com/report

Via telephone: + 1 720 514 4400 (collect call/reverse charge call)

Via mail: Boart Longyear Confidential Compliance Helpline

2455 South 3600 West

West Valley City, UT 84119

ADMINISTRATION AND REVISION HISTORY