Policy Regarding the Protection of Personal Information

EFFECTIVE: May 21, 2018

_____________________

1.0      PURPOSE OF THIS POLICY

1.1       Rebuilders International, LLC^[1] (“the Company”) will follow the principles in this Policy regarding the collection, use, storage, transfer, and destruction of “Personal Information” by the Company or its agents (as defined below).  The Company will adhere to legal and contractual requirements for protecting Personal Information. 

2.0     SCOPE OF THIS POLICY

2.1       This Policy applies to Rebuilders as well as all of its operating companies, employees, agents and contractors working on its behalf worldwide.  The Company will extend this Policy to third parties that access and/or process Personal Information on its behalf.

2.2       For Personal Information collected in the European Union (“EU), this Policy is intended to address compliance with the EU’s General Data Protection Regulation (“GDPR”), effective May 25, 2018.

2.3       In accordance with the law of the State of California, U.S.A., California residents may request and obtain information (if any) that the Company shared within the prior calendar year with other businesses for direct marketing use (as defined by California’s “Shine the Light Law”), using the contact information provided in this Policy.

2.4       In accordance with Connecticut, U.S.A. law, Rebuilders protects the confidentiality of, prohibits unlawful disclosure of, and limits access to Social Security numbers (“SSNs”).  The Company does not intentionally communicate SSNs to the general public, print SSNs on any document required for an individual to access products or services, require an individual to transmit SSNs over an unencrypted electronic connection, or require an individual to use SSNs to access a Rebuilders Internet or Intranet web site unless a password or other unique identifier is also required.  

3.0.    TERMS USED IN THIS POLICY

3.1       “Agent” means any third party that controls or processes Personal Information to perform tasks on behalf of and under the instructions of Rebuilders .

3.2       “Data Breach(es)” is any set of circumstances that involves actual or a reasonable possibility of unauthorized access to or possession of, or the loss or destruction of Personal Information. The circumstances contributing to a breach may be unintentional or accidental and the access, loss, or destruction may be confirmed or only suspected. Personal Information can be lost or destroyed in many ways, such as by stolen computer hardware (e.g., laptops), physical destruction or compromise due to natural disaster or accidents (e.g., flood of an office, destroying the only copy of certain records); and inability to access the only copy of data on a server if there is no anticipated resolution or the inability to access lasts for more than a week. Data Breaches can include unauthorized access, possession or denial of service at a third party.

3.3       “Personal Information” means information relating to an identified or identifiable natural person, regardless of the medium in which the information is collected, processed, or transferred. The term includes Sensitive Personal Information. The term includes information about a Rebuilders director, employee, contractor, contract laborer, customer, supplier, or other third party. Anonymous, pseudonymized, or aggregate information used for statistical, historic, and scientific or other purposes is excluded. The term includes information collected, processed, and/or transferred in any format, including but not limited to hard copy, electronic, video recording, and audio recording.

3.4       “Sensitive Personal Information” is a subset of Personal Information and means information relating to an identified or identifiable person that involves racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; sexual preference; sex life; or the commission or alleged commission of any crime.

4.0     REBUILDER’S PRIVACY COMMITMENTS

4.1.      Compliance with Laws and Regulations:  Rebuilders complies with laws and regulations applicable to its operating units worldwide that relate to the protection of Personal Information. Local laws, regulations, and other pertinent restrictions will apply to the extent of any conflicts with this Policy.  The  GDPR shall govern in the event of any conflict with this Policy.

4.2       Collection, Use, and Retention of Personal Information: 

4.2.1    Rebuilders collects, uses, and retains Personal Information only as necessary and appropriate for legitimate business and legal purposes, ensuring that the collection, processing, and transfer of Personal Information are adequate, relevant, and not excessive in relation to the purpose or purposes for which the information is processed.

4.2.2   Collection and uses by the Company of the Personal Information of directors, employees and third parties include the collection and use of Personal Information described in detail in Exhibit 1.  In some cases, such as with human resources data, the data are necessary in order for Rebuilders to manage employment relationships and contractual agreements regarding pay and benefits.

4.2.3   The Company does not keep Personal Information for longer than needed for the purpose(s) for which it was collected, unless otherwise required by law or with the data subject’s consent;

4.3.      Notices:

4.3.1    When Rebuilders collects Personal Information directly from individuals, it informs them about the purposes for which it collects and uses Personal Information about them, the types of agents to which the Company discloses that information, and the choices and means it offers for limiting its use and disclosure. The Company identifies the purposes for which it is collecting Personal Information and does not process the Personal Information for any incompatible purpose(s) unless supported by consent of the individual data subject, a legal obligation, a threat of physical harm, or another legitimate interest recognized by law. 

4.3.2   Notice is provided in clear and conspicuous language when individuals are first asked to provide such information to Rebuilders, or as soon as practicable thereafter, and in any event before the Company uses the information for a purpose other than that for which it was originally collected.  Privacy notices shall be accessible to data subjects and posted online, whenever practicable;

4.3.3   Rebuilders provides appropriate notices regarding individuals’ rights of access, correction, and updating.  The Company ensures that an individual is given the chance to discuss the results of any automated decision-making (such as employee background checks) before any negative action is taken based on that decision-making;

4.3.4   Rebuilders sees the Internet and the use of other technologies as valuable tools for communicating and interacting with employees, customers, business partners, and others. The Company recognizes the importance of maintaining the privacy of information collected online and has created specific Internet privacy policies for its websites, which govern the treatment of Personal Information collected through web sites that it operates. With respect to Personal Information that is transferred from the EEA, each website privacy policy is subordinate to this Privacy Policy.  The Company ensures that each of its online websites (both external/www. and internal/intranet) that collect Personal Information provide a privacy notice. The privacy notice identifies:

1. The Personal Information that is collected;
2. The purpose(s) for which that Personal Information is collected;
3. The ways that Rebuilders uses Personal Information;
4. Use of “cookies” or other tracking devices by external-facing websites and, if used, how to reconfigure the browser to decline the cookies;
5. Third parties with whom Rebuilders shares the information;
6. The choices provided to individuals, the means for limiting collection, use, and disclosure of Personal Information, and the consequences of those choices; and
7. How to contact Gerber with questions or complaints about privacy matters concerning the website or to correct/update Personal Information already provided.

4.3.5   Each privacy notice is reviewed by the system owner at least once every three years to ensure that it is current and accurate. Where required by law, Rebuilders ensures that Sensitive Personal Information is collected online only with an individual’s explicit consent, via a meaningful opt-in approach, and is appropriately protected against improper use.

4.4       Consent:

4.4.1    Depending on the location in which the data subject lives, local laws may require that the data subject give specific consent for the collection, use and disclosure of Personal Information for some of the purposes described in Exhibit 1.  Individuals who opt-in are notified of the process to follow in exercising this choice. 

4.4.2   Where required, Rebuilders asks for consent by appropriate and permitted means. The Company offers individuals the opportunity to opt-out of providing Personal Information if it is to be (1) disclosed to an Agent, or (2) used for a purpose other than the purpose for which it was originally collected or subsequently authorized. It may occasionally inform individuals of offers available from selected non-agent third parties.  For Sensitive Personal Information, it gives individuals the opportunity to affirmatively and explicitly opt-in prior to (1) disclosing the information to a non-agent third party, or (2) using the information for a purpose other than the purpose for which it was originally collected or subsequently authorized. The Company offers appropriate opportunities to opt-out when using Personal Information for direct marketing;

4.5       Access & Correction:          

4.5.1    Rebuilders takes reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current.

4.5.2   As described in Exhibit 2, Rebuilders grants individuals reasonable access to their Personal Information. In addition, the Company takes reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. In addition, the data subject has the right to object to the data processing as well as the right to data portability.  If explicit consent has been provided for the processing of data, then the data subject has the right to withdraw that consent at any time.

4.6       Data Security:

4.6.1    Rebuilders takes reasonable precautions to protect Personal Information in its possession from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. The Company’s computer networks and systems, including Internet and Intranet-based applications, are designed to protect Personal Information from unauthorized access, loss, disclosure, or use. Personal Information is made available within the Company only to those persons who possess a business need-to-know.

4.6.2   Rebuilders maintains systems and procedures to assure the security and integrity of Personal Information, whether provided by employees, generated by the Company and its operating companies, or otherwise provided by agents or third parties.  These measures include reasonable restrictions upon physical access to hard copy records containing Personal information and the storage of such records in locked facilities, storage areas, or containers.

4.6.3   The security program identifies and assesses reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any records containing Personal information, and evaluates and improves, where necessary, the effectiveness of the current safeguards for limiting such risks. The program includes:

• Ongoing employee (including temporary and contract employee) training;
• Means of ensuring employee compliance with security program policies and procedures;
• Means for detecting and preventing security program failures;
• Security policies for employees relating to the storage, access and transportation of records containing Personal information outside of business systems or premises;
• Disciplinary measures for violations of security program rules;
• Means of preventing terminated employees from accessing records;
• Regular monitoring to ensure that the security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Personal information, and upgrading information safeguards as necessary to limit risks;
• Annual reviews of the scope of security rules and more often when there is a material change in business practices that may reasonably implicate the security or integrity of Personal information;
• Documentation of responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of Personal information; and
• Procedures for sanitization and destruction of storage or other media removed from service, prior to disposal.

4.6.4   Rebuilders periodically reevaluates these measures to ensure they remain current, reasonable, and appropriate.

4.6.5   Rebuilders does not transfer Personal Information from one country to another or from one legal entity to another unless properly supported by law and under appropriate security measures for the data while in transit and in storage;

4.6.6   Rebuilders ensures that handling of employees’ and third parties’ Personal Information is consistent with the relevant Privacy Notice for the information in question, subject to local supplement or amendment to ensure compliance with local law. 

4.6.7    Rebuilders takes proper care of personal government-issued identification numbers by protecting the confidentiality, limiting collection, ensuring access on a need-to-know basis, implementing appropriate safeguards, including but not limited to encryption, and ensuring proper disposal in accordance with Rebuilder’s document and data retention policies and practices;

4.7       Data Breaches:

4.7.1    Rebuilders maintains and implements a Data Breach response plan to respond to and remediate any actual data breaches, and discloses breaches involving Personal Information, as appropriate and as legally required.

4.8      Transfers of Personal Information To Third Parties:

4.8.1    Personal Information is used by and shared among Rebuilders entities, agents (e.g., IT and other professional and nonprofessional services, benefit plan sponsors and administrators, etc.), applicable government organizations and agencies, and third parties as permitted or required by law, regulation, or court order. Rebuilders shares Personal Information with companies Rebuilders acquires and transfers and to effect the divestiture of companies Rebuilders divests. 

4.8.2   If services by a third party to Rebuilders involve access to Personal Information, third parties are selected and managed so that they are capable of maintaining appropriate security measures to protect such information, and are required by contract to implement and maintain appropriate security measures.  Rebuilders enters into a written agreement obligating third parties that collect, process, access, or possess Personal Information on behalf of Rebuilders to follow this Policy or equivalent requirements. Rebuilders obtains assurances from the transferee(s) that they will safeguard Personal Information consistently with this Privacy Policy. Examples of appropriate assurances include: a contract, agreement, or relevant provision obligating the agent to provide at least the same level of protection as is required by the relevant the Company’s security standards; EU/US Privacy Shield certification by the agent; or being subject to an adequacy finding by the EEA/European Commission. 

4.8.3   Rebuilders and its operating units execute and maintain the model clauses (also called the standard contractual clauses) adopted by the European Commission as an authorization for the transfer of Personal Information from the EEA to the U.S.  Rebuilders and its operating units comply with the requirements of the model clauses for intra-company transfers. 

4.8.4   Where Rebuilders has knowledge that a transferee is using or disclosing Personal Information in a manner contrary to this Policy, Rebuilders takes reasonable steps to prevent or stop the use or disclosure, up to and including termination of our contractual or other business relationship with the agent.

4.9       Privacy Risk Assessment:

4.9.1    Rebuilders maintains an effective privacy risk assessment process to evaluate Company-wide risks and to develop appropriate mitigation plans. The Privacy Risk Assessment process reviews Rebuilders overall collection, processing (including storage and destruction), and transfer of Personal Information and is updated as needed.

4.9.2   Whenever Rebuilders or an operating unit seeks to implement a new or modified system, or use a new or modify the use of a third party to collect, process, or transfer Personal Information, a written Privacy Impact Assessment is completed before adoption of the new or modified process or new or modified use of the third party.  A Privacy Impact Assessment must be completed only for systems or service providers that collect, process, or transfer Personal Information and for the launch of a new system or service provider or substantial modification of a system or use of the service provider involving Personal Information. 

4.10     Governance & Training:

4.10.1  Rebuilders ensures that individuals who in any material way are involved in the collection, use, and storage of Personal Information, including designing, modifying, or managing automated systems, are trained to identify privacy concerns, to receive privacy complaints, and to forward both to the appropriate resources for review and resolution. Rebuilders privacy compliance governance is exercised as described in Exhibit 3. 

4.10.2Rebuilders ensures that all professional staff and employees who handle Personal Information as an integral part of their responsibilities receive periodic training on data privacy and security.

4.10.3Education and training are provided to all employees on the proper use of the computer security systems and the importance of information security, e.g., limiting collection and storage of unneeded information; use of encryption; restricting access to drives, folders, and files; recognizing risks to information security posed by file sharing programs.

4.10.4 Rebuilders has a strategic communications plan to raise awareness and educate employees and third parties, as appropriate, regarding data privacy and security.

4.10.5Rebuilders conducts internal self-assessments and has a hotline in place for the receipt of confidential reports of violations of this Privacy Policy.  This is to verify adherence to this Policy.

4.10.6Rebuilders enforces this Policy and any implementing procedures. Failure to adhere to this Policy or its implementing procedures may lead to disciplinary action for employees, up to and including dismissal, and termination of its contractual relationship with Rebuilders for third parties.

5.0     QUESTIONS & DISPUTES

5.1       Questions or concerns from persons regarding a particular website or system should be addressed to the contact listed in the privacy notice provided on that website or system.

5.2       Requests for access or correction from employees should be addressed to their local Human Resources representative, in accordance with Exhibit 2.

5.3       Complaints or questions regarding compliance with this Policy should be directed to:

• By mail: 

Rebuilders International, LLC
654 Columbine Ct.

Louisville, CO 80027

• Telephone: +1.860.870-2804
• Via email to [email protected]
• Information requested under the California “Shine the Light” law should be requested via email to [email protected]with “California Shine the Light Privacy Request” in the subject line as well as in the body of the message. 

6.0     CHANGES TO THIS POLICY

6. Rebuilders amends this Policy as needed to conform to changes in pertinent laws or regulations.  Appropriate notice of amendments is provided.

Exhibit 1 – Types of Personal Information We Collect & Use 

The types of Personal Information Rebuilders collects and shares depend on the nature of the individual’s relationship with Rebuilders (e.g., officer, employee, applicant for employment, website visitor, customer, supplier, other third party) and the provisions/restrictions of applicable laws. Examples of this information and its uses include:

• Management and employee communications and notices;
• Maintenance of employee biographies, curriculum vitae, and similar information;
• Emergency contacts;
• Global enterprise headcount and demographics;
• Career development, performance feedback, and progression;
• Succession planning;
• Compensation and benefits;
• Establishment and administration of employee benefits and benefit plans;
• Rewards and recognition;
• Travel and expense reimbursement, including travel and/or credit card administration;
• Training;
• Relocation;
• Tax reporting and withholdings;
• Payroll administration, including deductions, contributions, etc.;
• Enterprise Resource Planning (ERP) systems;
• Planning and provision of health services, including drug screening, processing of workers’ compensation or similar health and safety programs;
• Personal security, including access controls and security for computer and other systems;
• Reporting and statistical analyses;
• Personnel transactions, including tenure with the Company, hire/start date of employment, termination date, and other transaction dates such as promotion, salary increase, etc.;
• Legal and regulatory reporting and other requirements, including right-to-work screening, workplace environment, health and safety reporting, and administration;
• Visas, licenses and other right-to- work authorizations;
• Management of litigation and related discovery/e-discovery issues;
• Import, export, and other trade compliance controls, including automated information technology controls;
• Sanctions screening, including screening of the U.S. Entity List, Specially Designated Nationals and Blocked Persons List, Denied Persons List, and the Unverified List, and similar lists maintained by the U.S. and other countries;
• Internal and external investigations, including management reviews and audits of the status of Rebuilders compliance with laws and regulations in all the places in which we do business; audits and reviews of the status of employee’s compliance with laws, Rebuilders Code of Ethics and Business Conduct and Company policies; online and telephonic contacts with Rebuilders reporting hotline;
• Internet, intranet, e-mail, social media, and other electronic screening;
• Law enforcement and other government inquiries;
• Business planning, including prosecution of mergers, acquisitions, and divestitures, including acquisition of Personal Information from an acquired company and transfers of Personal Information to a divested company;
• Identification of persons via photographs or other likenesses, including facial recognition;
• Location tracking, duration, and other telematics of certain Rebuilders assets;
• Time collection and allocation;
• Data mining for internal Company management purposes;
• Biometrics;
• Data supplied to vendors providing benefits;
• Physical and information technology security monitoring;
• Data backup and recovery; and
• Automated information technology threat assessments and response;
• Given and Family names, including suffixes;
• Middle name(s);
• Preferred name;
• Country of birth;
• Citizenships held (past and present);
• S. and other country permanent resident and/or asylee status;
• SMTP address;
• Place of work, including street mailing address and other pertinent contact information;
• Home address and other pertinent contact information;
• Supervisor identifier;
• Job-related information such as title, department, job function, title, etc.;
• Other data to support human resources applications;
• Management reports and data mining (usually anonymized and not containing individually identifying data);
• Computer asset location & billing data, including computer location;
• For third parties resident in Rebuilders business locations, identification of persons via photographs or other likenesses, including facial recognition; location tracking, duration, and other telematics; biometric data; forensics analysis; physical and information technology security monitoring; sanctions screening and automated information technology threat assessments and response;
• E-mail message content (end-user controlled);
• Message attachments (end-user controlled);
• Public folder content (local administrator supplies folder permissions);
• Web page address;
• Instant Messaging address;
• Authorizing, granting, administering, monitoring and terminating access to or use of Rebuilders systems, facilities, records, property and infrastructure;
• Administration of customer and supplier contracts and agreements, joint ventures, and other business combinations;
• Support of marketing efforts;
• Budget planning and administration;
• Invoice processing and payment-related purposes;
• Training and certification of customer and supplier personnel;
• Data collected as part of job application and hiring processes;
• Background checks and sanctions screening;
• Problem resolution, internal investigations, auditing, compliance, risk management and security;
• Conflict of interest reporting;
• On-site injury and illness evaluation and reporting, for those who access Rebuilders facilities;
• Monitoring and surveillance for industrial hygiene, public health and safety;
• Legal proceedings and government investigations, including preservation of relevant data;
• As required or expressly authorized by laws or regulations applicable to our business globally or by government agencies that oversee our business globally;
• Personal data (e.g., date of birth, day or year of birth, citizenship(s), preferred language);
• Biographies, curriculum vitae, and similar information;
• Organizational and institutional affiliations;
• Professional credentials;
• Agreements, programs, and activities in which the data subject participates(d);
• Agreements entered into with Rebuilders;
• Payment-related information, including social security number or tax identification number and bank information;
• Communications preferences;
• Education and training;
• Industrial hygiene exposure assessment and monitoring information;
• Computer or facilities access and authentication information (e.g., identification codes, passwords, address lists, etc.);
• Photographs and other visual images of the data subject;
• Provide investor services;
• Communicate with you about products, services, and events relating to Rebuilders ;
• Improve our products, services, and websites;
• Evaluate interest in and/or allow persons to apply for employment with Rebuilders ;
• Verify identity to ensure security for one of the other purposes listed here;
• Ensure or enhance the security of Rebuilders electronic systems;
• Protect against fraud;
• Screen against sanctions and antiterrorism lists as required by law;
• Respond to a legitimate legal request from law enforcement authorities or other government regulators;
• Investigate suspected or actual illegal activity;
• Prevent physical harm or financial loss; and
• Support the sale or transfer of all or a portion of our business or assets (including through bankruptcy).

Exhibit 2 – Accessing & Correcting Your Personal Data

For Rebuilders employees and third parties who are subject to the European Union’s General Data Protection Regulation, normally within one month (subject to certain exceptions) after receipt from you (or from a competent legal representative you designate), Rebuilders is committed to providing you with the following:

• Confirmation of whether, and where, Rebuilders is processing your personal data;
• Information about the purposes of the processing;
• Information about the categories of your data that are being processed;
• Information about the categories of recipients with whom the data may be shared;
• Information about the period for which the data will be stored (or the criteria used to determine that period);
• Information about your rights to erasure, to rectification, to restriction of processing and to object to processing;
• Information about your right to complain to the relevant EU data protection authority;
• Where the data were not collected directly from you, information as to the source of the data; and
• Information about the existence and an explanation of how automated processing is being used to process your data and/or make decisions regarding you or your data solely on the basis of automated processing.

You may request a copy of your personal data that are being processed.  Copies will be provided in a structured, commonly used, machine-readable format that supports reasonable re-use in commonly-available IT systems and applications.  Upon reasonable request, Rebuilders will transfer your personal data from one data controller to another, store your personal data for further personal use on a private device, and/or have your personal data transmitted directly from Rebuilders to another controller without hindrance.  This is not applicable to personal data you did not provide to Rebuilders directly, and Rebuilders is not obligated to retain your personal data for longer than is otherwise necessary or if no longer legally available.

Normally, Rebuilders does not charge any costs or fees for the above.  However, as provided by law, we reserve the right to charge a reasonable fee for repetitive, excessive, or unfounded requests, and for additional copies.

Rebuilders takes all reasonable measures to ensure that inaccurate or incomplete personal data are erased or rectified. You have the right to inform Rebuilders of any discrepancies or inaccuracies and to rectification of inaccurate personal data. 

You have the right to restrict the continued processing of your personal data if:

• You contest the accuracy of your data (and only for as long as it takes to verify and correct the accuracy of your data);
• The processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
• Rebuilders no longer needs the data for its original purpose, but the data are still required by Rebuilders to establish, exercise or defend its legal rights; or
• If you have validly requested erasure or destruction of your data, but Rebuilders is evaluating other overriding grounds for retaining and processing your data.
• Rebuilders will erase or otherwise render inaccessible your personal data when:
• Your data are no longer needed for their original purpose (and no new lawful purpose exists);
• The legal basis for the processing is your consent, you withdraw that consent, and no other lawful ground exists;
• You exercise your right to object to Rebuilders continued processing of your data and the Company has no overriding grounds for continuing the processing;
• Your data have been processed unlawfully; or
• Erasure is necessary for compliance with EU law or the law of the relevant Member State of the EU to which you are subject.

If Rebuilders has disclosed your personal data to any third parties, and you subsequently exercise any of the rights described above, Rebuilders will notify those third parties unless it is impossible or would require disproportionate effort. You may request the identity of those third parties. In exceptional cases where Rebuilders has made your data public, Rebuilders will take reasonable steps (taking costs into account) to inform relevant third parties.

Questions regarding implementation of these requirements should be addressed as described elsewhere in this Policy.

EXHIBIT 3 – How We Manage Data Protection

The Information Security and Privacy Subcommittee of Rebuilders Ethics & Compliance Committee is charged with evaluating Rebuilders information security and privacy policies, procedures, and operations to set the strategic direction for the Company’s information privacy and security programs. The subcommittee consists of senior executives from each of the following organizations:   Information Technology, Human Resources, Finance, and Marketing, supported as needed by other subject matter experts when necessary. 

The Subcommittee is responsible for:

1. Assessing the inventory of Rebuilders high‐risk  information management programs and processes (paper and electronic) and coordinating plans to address information privacy and security weaknesses;
2. Reviewing information security and privacy policies and standards and recommending improvements and revisions, as appropriate;
3. Reviewing and responding to specific information security and data breaches;
4. Serving as a resource for Company management on information security and privacy issues;
5. Evaluating conflicts between management requirements and information security and privacy requirements;
6. Evaluating information security and privacy staffing, training, and communication  needs;  and
7. Coordinating efforts to make information security and privacy visible within the Company. 

Rebuilders has elected not to appoint a Data Protection Officer (“DPO”) having the duties and responsibilities delineated in Articles 37-39 of the GDPR.  Rebuilders does not fall within the standards of the GDPR for mandatory appointment of a DPO. A privately-held company such as Rebuilders is not required under the GDPR to have a formal DPO.  Our core business activities do not involve monitoring data subjects, do not infringe on those data subjects’ rights, and involve no collection or processing of “special category” personal information.  We are neither a consumer products company nor one heavily reliant on personal information collected from our employees, customers, or suppliers.  We manage mainly internal employee data, mostly within the US and the EU, most of which are required for legal compliance reasons (e.g., tax, pensions, etc.).  Data obtained from customers and suppliers is narrowly framed to support our business contacts and contractual relationships and not for intrusion into the personal details of third parties or other purposes not directly related to our business with our customers and suppliers.  Therefore, after careful review, we determined that a DPO in Rebuilders would neither be gainfully occupied nor represent a significant risk mitigation.

Questions regarding our program should be addressed as provided elsewhere in this Policy. 

EXHIBIT 4 – Legal Entity Listing

Rebuilders International, LLC

^[1] See Exhibit 4 for legal entity listing