Introduction
GE respects the privacy rights of individuals and is committed to handling Personal Information responsibly, in accordance with applicable law, applicable contractual obligations, and GE’s Commitment to the Protection of Personal Information (the Commitment), described below. The Commitment sets out GE’s principles for the processing of Personal Information by and on behalf of GE.
The Commitment establishes a legal basis for cross-border transfers of Personal Information within the GE Group (all wholly or majority-owned divisions of GE Company, including Electric Insurance Company and its subsidiaries), including where GE Group members adhere to relevant parts of the Commitment as data processors. Additionally, GE may carry out cross-border transfers of Personal Information to third parties outside the GE Group in accordance with applicable law. GE will handle Personal Information in accordance with the Commitment where applicable, unless in conflict with stricter requirements of local law, in which case local law will prevail.
Scope
The Commitment is designed to ensure that Personal Information will be protected regardless of geography or technology, when used within the GE Group, and applies to GE’s processing of GE Personal Information and GE Customer Personal Information.
Processing Personal Information
GE observes the following principles when processing Personal Information:
Fairness: GE will process Personal Information fairly and lawfully.
Purpose: GE will limit the processing of Personal Information to the fulfilment of GE’s specific, legitimate purposes. GE will only carry out processing that is compatible with such purposes unless GE, or its Customer where GE is a processor, has unambiguous consent for unrelated purposes.
In general, GE will process Personal Information:
- where GE has a legitimate interest that, on balance, justifies the processing;
- where necessary for the maintenance or the performance of a legal relationship between GE and the individual;
- where necessary for complying with an obligation imposed on GE by applicable law, regulation, or governmental authority;
- where there are exceptional situations that threaten the life, health or security of the individual or of another person;
- after obtaining the individual’s freely given, explicit and informed consent where required by applicable law;
- where the processing is in connection with a Customer service agreement.
Where consent has been obtained directly by GE, GE will provide a process to allow individuals to withdraw their consent to the extent required under applicable law, at any time and without charge.
Proportionality: GE will limit the processing of Personal Information to that which is adequate, relevant and not excessive in relation to the purposes for which GE collects and uses it.
Information Quality: GE will take reasonable steps to, and where GE is a processor provide Customers with a means to, ensure that Personal Information is accurate and kept up to date, to keep Personal Information only for as long as necessary for the purposes for which it is collected and used, and to delete or to render it anonymous after such retention requirements have been met.
Transparency: Where required by applicable law, GE will make available to individuals at the point of collection, or within a reasonable period of collection, information about GE’s identity; the purposes and legal basis of processing their Personal Information; intended recipients and cross-border data transfers; source(s) of Personal Information; how individuals may exercise their rights regarding Personal Information; contact details for the Data Protection Officer where applicable; and additional explanations as needed to ensure fair processing. Where GE collects Personal Information through the Internet or other electronic means, GE will post an easily accessible privacy notice that meets these transparency requirements.
Confidentiality: GE will maintain the confidentiality of Personal Information it processes, except where disclosure is required by an applicable operational or legal requirement. This obligation will continue even after the relationship with the individual, or Customer where GE is a processor, has ended.
Security: GE strives to protect Personal Information with appropriate technical and organizational measures to ensure its integrity, confidentiality, security and availability. GE will inform individuals of a security breach affecting their GE Personal Information that could pose a high risk to their individual rights and freedoms. In accordance with applicable law, GE will provide reasonable assistance to Customers, where GE is a processor, to ensure the security of their processing and will inform GE Customers of a security breach of GE Customer Personal Information as required under such laws.
Sharing and/or Transferring Personal Information
GE may share or transfer Personal Information in the following circumstances:
- Personal Information may be shared within the GE Group for the purposes specified above, provided the GE Group entity processing Personal Information adheres to this Commitment.
- GE may provide Personal Information to selected suppliers or service providers hired to perform certain processing or other services on its behalf. GE will strive to ensure that new supplier engagements provide for processing of Personal Information in a manner consistent with this Commitment and applicable law by means of a legal relationship established through a contract or other legally permissible means. Under such contracts, suppliers must implement adequate security measures and may only process Personal Information in accordance with GE’s instructions.
- GE may disclose certain Personal Information to other third parties where required by law, to protect GE’s legal rights, or in connection with any GE merger or acquisition activity or the insolvency or re-organization of any part of GE.
Processing of Sensitive Personal Information
Where GE processes and/or transfers Sensitive Personal Information GE will inform the individual of the processing and/or transfer and obtain explicit consent for such processing and/or transfer when GE is required to do so by applicable law. Appropriate security measures will be provided depending upon the nature of this information and the risks associated with its intended uses.
Accountability
GE is accountable for fulfilling the requirements sets out in the Commitment and under applicable law. In particular, GE will:
- take the necessary measures to observe the requirements of the Commitment and applicable law; and
- have the necessary internal mechanisms in place to demonstrate such observance, including maintaining a record of its processing activities in accordance with applicable law.
Privacy Program
GE employs privacy practices designed to support its compliance with the Commitment and applicable law, including the appointment of a network of privacy leaders, education and awareness programs, incident response protocols, privacy impact assessments, audit routines and a Privacy by Design approach to process and system development.
Individual Rights
In accordance with applicable law, an individual who has satisfactorily established his or her identity to GE may exercise the following rights in relation to Personal Information GE has collected directly from him or her; where GE is a processor, GE will assist the Customer in meeting its privacy obligations toward individuals:
Access: Where required by applicable law, GE will provide an individual Personal Information about him or her that GE holds, including information concerning the source of the Personal Information, the purposes of any processing by GE and the recipients, or categories of recipients, to whom such Personal Information is disclosed.
Correction and Deletion: Valid requests for correction or deletion of Personal Information which is incomplete, inaccurate or excessive will be respected, and confirmed as such, except that deletion will not be performed where retention is required by the contractual relationship between GE and the individual, in the context of a legal dispute or other legal retention requirement, or as otherwise required by applicable law.
Objection: GE will cease processing Personal Information where an individual’s objection is justified under applicable law, for example where the individual’s life or health is at risk due to the processing. An individual also has the right to object to decisions based solely on automated processing of Personal Information that produce legal effects which significantly affect the individual involved, except where the individual requested the processing, or when necessary for the legal relationship between GE and the individual. In the latter case, the individual may give his or her views on the automated decision. An individual has the right to object to processing of Personal Information by GE for marketing purposes where allowed by applicable law. The exercise of this right to object may be superseded where GE can demonstrate that its compelling legitimate interest in continuing the processing overrides the interests or fundamental rights and freedoms of the individual.
Restriction: An individual also has the right to request the restriction of any processing of his or her GE Personal Information by GE, to the extent such right is provided for under applicable law, for example where the accuracy of the GE Personal Information is contested. GE will cease processing such information where the restriction is justified, with the exception of storage and other permitted continued processing under applicable law.
Complaints: Any individual who claims to have suffered damage as a result of non-compliance by a GE Group entity with the Commitment may file a complaint with the
applicable GE Group Privacy Leader or Compliance Officer, or with GE’s Complaint
Handling Processes available on GE’s websites if other channels are unavailable or
exhausted:
Internal concern reporting: integrity.ge.com or security.ge.com
External concern reporting: [email protected]
If GE considers the complaint to be justified, it will take reasonable steps to resolve the complaint to the reasonable satisfaction of the individual. GE endeavors to respond to complaints within thirty days of receipt. An individual with an unresolved complaint regarding GE’s compliance with the Commitment within countries governed by the APEC Cross Border Privacy Rules may contact GE’s US-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Enforcement: An individual who has suffered damage as a result of a breach of the Commitment may be entitled to receive compensation for such damages in accordance with applicable law and as provided in the Commitment. An individual who is entitled to receive compensation may enforce his or her rights as provided in the Commitment by direct recourse to the courts or other judicial authority in accordance with applicable law.
Cooperation with Supervisory Authorities
GE will cooperate with any competent national or regional supervisory authority responsible for supervising applicable privacy law that has good cause to question any processing of Personal Information by GE, and will comply with such competent supervisory authority’s decisions on any issue related to the Commitment.
Changes to the Commitment
GE reserves the right to modify the Commitment. Any material changes will be submitted to GE’s lead Data Protection Authority and/or its trustmark agent, where appropriate, and will be notified on GE’s website.
Definitions
Personal Information is any information relating to an identified or identifiable natural person.
GE Personal Information is any Personal Information that is obtained in the context of an individual’s relationship with GE and which GE processes for its own purposes. Such GE Personal Information may include, for example, employment data obtained in the context of an employment relationship with GE, customer data obtained in the context of a customer relationship with GE and supplier data obtained from GE’s suppliers.
GE Customer Personal Information is any Personal Information that is obtained in the context of the provision of services by GE to a Customer under a service agreement and which GE processes on behalf of the Customer.
Customer is a person or entity that enters into a service agreement with GE.
Sensitive Personal Information, a special category of Personal Information, is information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation.