Aptiv Drive Line Reporting - Privacy Notice
1. Scope and Overview
Aptiv Global Operations Limited and its affiliates and related entities (“Aptiv”), as a Data Controller, is committed to protecting the privacy and security of your Personal Data. This Privacy Notice applies to all individuals whose Personal Data we process when we are contacted via Aptiv’s Drive Line, whether by phone or web, to speak up or to report any conduct that is believed, in good faith, to be improper, and which may violate our Policies, including but not limited to: workplace harassment, theft, fraud, bribery, corruption, kickbacks, improper sharing of confidential information, inaccurate financial reporting, anti-competitive conduct.
This Privacy Notice describes the use of this Drive Line Reporting Service, the Personal Data or Personal Information that we collect, how we use it, secure it, when we may disclose it to Third Parties, and when we may transfer it outside of your home jurisdiction. This Privacy Notice also describes Your Rights regarding the Personal Data that we hold about you and how you can exercise them.
We will only process your Personal Data as described in this Privacy Notice unless otherwise required by applicable law. We take steps to ensure that the Personal Data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.
2. Use of the Reporting Service
Use of this service is entirely voluntary and can be done anonymously. All reports are handled by an independent, impartial Third-Party vendor (Navex) staffed by non-Aptiv employees. Aptiv’s Investigation process ensures a thorough and impartial investigation. Investigators will not be assigned to a case if they have a close relationship with any of the parties involved. For example, if a report alleges that local site leadership or Human Resources may be involved, then a case investigator outside of the site will be assigned.
The information you submit will be handled in accordance with our Policies and kept strictly confidential, to the extent allowed by applicable law, and discussed only with those directly involved in the investigation and those with a specific need-to-know.
3. Personal Data We Collect
As noted above, you can make your report anonymously (without disclosing any personal identifiable data), however, there are instances where you might disclose the following Personal Data:
- Your identifying information – such as your full name, work email address, telephone number and other contact details, etc.;
- Third Party identifying information – such as full name, job title and other Personal identifiable data or data that are capable of indirectly identifying the persons you might name in your report;
- Confidential/Special Category Data – such as data revealing either your, or a Third Party’s, race, ethnicity, religious beliefs, criminal convictions etc.
- Other information – such as either you or a Third Party’s information like photographs, videos, facts (suspected or witnessed) and any other personal identifiable data that could be attached as supporting evidence to a report.
4. Purposes for Processing Your Personal Data
- To manage, process and investigate your filed report;
- To carry out the necessary actions including, where appropriate, to stop any potential wrongdoings, preserve evidence, and adoption of the relevant disciplinary or legal measures to defend Aptiv’s rights and assets
- To analyse, store and follow-up on reports (including exclusion of irrelevant reports), and
- To protect the privacy, rights and safety of the reporting person, witness and Third Parties mentioned in the report, as well as the rights of the accused person.
5. How We Obtain Your Personal Data
6. Our Lawful Bases for Processing your Personal Data
We rely on either of the following lawful basis to process your Personal Data, where:
- The processing is necessary for compliance with our legal obligations (depending on your jurisdiction) to detect, prevent and protect our business against any legal, or compliance violations;
- The processing is necessary for the purposes of our legitimate interest or that of a Third Party – to detect, prevent and/or protect our business against any ethical or policy violations;
- The processing is necessary in the exercise or defense of legal claims against us, or
- In limited circumstance, the processing might be necessary for the performance of a task carried out in the public interest.
7. Sharing of Personal Data
The Personal Data processed in the context of any filed report, where necessary may be shared with the following trusted Third Parties:
- Navex Global, Inc., - an independent external service provider, who manage the Drive Line platform for Aptiv;
- Investigators, advisors, or consultants instructed to support in the reported case, or
- The police and/or other law enforcement agencies and regulatory bodies, where required by law.
All our Third-Party service providers are required to take appropriate security measures to protect your Personal Data based on the associated risks including proper access controls. They will only process your Personal Data on our instructions and are subject to a duty of confidentiality. We require Third Parties to respect the security of your Personal Data and to treat it in accordance with the law.
8. International Transfers of Personal Data
We may require transferring your Personal Data across International borders, in line with applicable laws. To ensure that International Transfers of Personal Data are adequately protected, we have put in place appropriate safeguards with our group companies, service providers, contractors, distributors, business partners, and agents. We take appropriate contractual, technical, organizational measures, and conduct Transfer Impact Risk Assessments, as required, to protect your Personal Data by ensuring it is given adequate levels of protection and Your Rights are upheld.
For more information on the appropriate safeguards in place to protect your Personal Data, please contact us using the details at the end of this statement.
9. Retention of Information
We will retain your Personal Data only as long as necessary to fulfil the purposes for which it was collected, bearing in mind that reports can take some time to investigate and conclude, or as required by law. Otherwise, we aim to keep our files current and will make reasonable efforts to remove Personal Data that is no longer relevant for the purposes for which it was collected.
10. Security and protection of Personal Data
Aptiv is committed to safeguarding the security of your Personal Data, and has implemented among others, the following technical and organizational measures:
- Contractual measures - we have executed appropriate intercompany and Third-Party Data Protection Contractual documents;
- Need-to know restrictions - User Access is limited and restricted to a strict need-to-know basis;
- Reporting policy – all reports will be handled in strict adherence with our Policies, to protect the privacy, rights and safety of the Reporting person, witnesses and the Accused person and prohibit any retaliation against individuals who reports or voices concerns in good faith;
- Guaranteed anonymity – Your confidentiality shall be protected to the maximum extent permitted by law, especially with reference to your identity, which shall not be disclosed either to the reported person or Third Parties, unless this is necessary to seek protection in court, fulfil legal obligations, etc. When reporting, a person is not obliged to identify themselves, instead, reporting individuals are assigned a unique Reporting Key and password - the combination of both will act as their login details, which enables them to follow-up the case anonymously.
11. Data Subjects’ Rights in Relation to the Processing of Your Personal Data
In accordance with applicable law, in certain circumstances, you have the following rights with regard to the processing of your Personal Data:
- The right to be informed about the processing of your data
- The right to access your data
- The right to correct your data if it is incorrect
- The right to have your data erased
- The right to restrict processing of your data
- The right to object to processing, including the right to object to direct marketing
- The right to have a copy of your data transferred to different Third Party
If you wish to exercise any of your above rights, please submit your request through the link here.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is deemed to be unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
12. Complaint Procedure
Depending on your jurisdiction, you also have a right to make a complaint at any time to your local Data Protection Supervisory Authority (find a list of EEA (European Economic Area) Authorities here). Aptiv Global Operations Limited is an Irish Company, and its lead EU (European Union) Regulator is the Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD 28, Ireland or (by email) info@dataprotection.ie.
13. Changes to this Privacy Notice
We reserve the right to update this statement at any time. We may also notify you in other ways from time to time about the processing of your Personal Data.
If you have any questions about this statement, please submit a request through the link here.
Updated: 22 October 2024