The UK Data Privacy Standards
(the “Standards”)

Flex is a socially responsible and leading electronics manufacturing services provider delivering design, engineering, and manufacturing services to aerospace and defense, automotive, computing, consumer, industrial, infrastructure, medical, energy, and mobile original equipment manufacturers. Flex helps customers design, build, ship, and service electronics and other products through a network of international facilities. This global presence provides design and engineering solutions combined with core electronics manufacturing and logistics services.

These Standards set out our approach to and the commitment of the Flex Group and its Executive Management and Board of Directors to maintaining the highest standards of data privacy. These Standards for processing of Personal Data relate to the Personal Data of employees, contractors and business contacts, or other individuals and must be followed by all members and employees of the Flex Group, and the Executive Management and Board of Directors will enforce such compliance. Failure to comply with these Standards will lead to appropriate corrective and disciplinary actions.

We shall handle all Personal Data in accordance with Data Protection Laws and all other Applicable Law. Our compliance with these Standards will provide you with the protection required to enable us to process certain Personal Data within the Flex Group, including the transfer of that Personal Data outside of the United Kingdom.

Data Privacy (also known as “data protection”) requires companies to process Personal Data in accordance with certain good practice principles. It also grants certain rights to individuals (for example, to access and correct their information). Data Privacy law governs the way in which Flex collects, stores and uses Personal Data about employees, contractors, business contacts, and other individuals.

Data Protection Laws do not permit the international transfer of Personal Data to countries outside the UK unless they ensure an adequate level of data privacy. Flex has taken proper steps to ensure that any transfer of Personal Data to countries outside the UK is lawful. These Standards create a binding corporate rules framework to comply with rules contained in the Data Protection Laws and provide an adequate level of protection for Personal Data transferred to Flex Group companies outside the UK in accordance with Data Protection Laws (in particular the mechanism set out in UK Data Protection Laws for the approval of binding corporate rules). Flextronics Global Services (Manchester) Limited is the member of the Flex Group with delegated Data Privacy responsibilities and will be responsible for compliance with these Standards.

These Standards apply to our processing and the transfer by us of Personal Data which is subject to the Data Protection Laws for which we are a Data Controller and to:

(a)           the processing of this Personal Data by a member of the Flex Group within the UK;

(b)           the processing of this Personal Data in the UK by a member of the Flex Group located outside the UK in: (i) while the General Data Protection Regulation (EU) 2016/679 applies as law in the UK, a country that is not in the EEA or a country deemed adequate for the purposes of Personal Data transfers pursuant to a decision of the European Commission under Article 45 of the GDPR; and (ii) at such point as when the General Data Protection Regulation (EU) 2016/679 no longer applies as law in the UK, a country not considered adequate for the purposes of Personal Data transfers pursuant to adequacy regulations under section 17A of the Data Protection Act 2018;

(c)           the transfer of this Personal Data from within the UK to outside the UK in: (i) while the General Data Protection Regulation (EU) 2016/679 applies as law in the UK, a country that is not in the EEA or a country deemed adequate for the purposes of Personal Data transfers pursuant to a decision of the European Commission under Article 45 of the GDPR; and (ii) at such point as when the General Data Protection Regulation (EU) 2016/679 no longer applies as law in the UK, a country not considered adequate for the purposes of Personal Data transfers pursuant to adequacy regulations under section 17A of the Data Protection Act 2018, in each case by a member of the Flex Group to another member of the Flex Group and the subsequent processing or onward transfer of this Personal Data by that member to other members of the Flex Group.

(d)           The processing we carry out may be manual or automated. The types of Personal Data which are processed by us are Employee Personal Data, Business Contact Data and other Personal Data.

We will process Personal Data fairly and lawfully. One or more of the conditions set out in Annex A or under Data Protection Laws, which should be relied on in order to legitimise data processing, will always be met. We will make sure that it is clear to you how Personal Data concerning you are collected, used, consulted or otherwise processed and to what extent the Personal Data are or will be processed. We will also provide information as required by Data Protection Laws including information to explain how we may disclose and/or transfer Personal Data as well as the legal basis for Processing, legitimate interests, categories of recipients, and available rights. Any information and communication relating to the processing of your Personal Data will be easily accessible and easy to understand.

These Standards shall be publicly available on the Flex public website and also available on the Flex internal Data Privacy Portal and upon written request to the Global Data Privacy Officer. Before your Personal Data is processed, we will let you know the identity of the Flex Group company that is the Data Controller and provide you with all of the information which is required under Data Protection Laws and under these Standards.

We will ensure that the Personal Data we hold on you will be processed for specific, explicit, and legitimate purposes which were determined at the time of the collection of the Personal Data and not further processed for any additional purposes which are incompatible with the initial purposes for which the Personal Data were collected.

We shall ensure that our processing operations handle Personal Data which is adequate, relevant and also limited to what is necessary in relation to the purposes for which we are processing the Personal Data. We will ensure that the period for which the Personal Data are stored is limited to a strict minimum. We will not keep Personal Data for longer than is necessary for the purposes for which it is collected and processed unless it is required to be kept longer under applicable law. Personal Data will only be processed if the purposes of the processing could not be fulfilled by other means.  We will limit access to Personal Data to those employees who need access to fulfil their duties. We require our vendors and suppliers to follow a similar approach to Personal Data they access in providing services to Flex.

We will ensure that Personal Data is kept up to date and is accurate. Flex provides individuals with various methods to update and correct their Personal Data including online, using self-service systems and by contacting the HR Global Business Services or the appropriate person. We will ensure that we take every reasonable step in order to ensure that Personal Data which are inaccurate are rectified or deleted without delay.

We will ensure that time limits are established for the Personal Data to undergo erasure or periodic review in accordance with applicable law including Data Protection Laws.

We use appropriate technical, organisational, administrative, and physical security measures to protect your Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Taking into account the state of the art, the cost of implementation of these measures, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, we impose security appropriate to the risks represented by the processing and nature of the data to be protected. In addition, in the event of a data security breach Flex will notify the Supervisory Authority unless the data security breach is unlikely to result in a risk to the rights and freedoms of Data Subjects, and notify Data Subjects if the data security breach is likely to result in a high risk to the rights and freedoms of the Data Subjects.

You shall have the right to request a copy of all Personal Data held about you. We will provide you with access to such data as required by Data Protection Laws, unless we are permitted by Data Protection Laws to refuse or only partially comply with the request (e.g. where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character). We may, where permitted by Data Protection Laws, charge a fee for this.

You shall have the right to request us to correct your Personal Data if it is inaccurate, including by means of a supplementary statement if the Personal Data is incomplete.

You shall also have the right, in certain circumstances, to have your Personal Data deleted, request restriction of processing of your Personal Data or object, on grounds relating to your particular situation, to the processing of Personal Data or to any direct marketing.

You shall have the right, in certain circumstances, to request that we port your Personal Data to you or a third party in a structured, commonly-used, and machine readable format.

If you wish to exercise any of these rights you should do so by contacting the Data Privacy Liaison Officer, Global Data Privacy Officer, or if you are an employee of Flex, HR Global Business Services. Further information and procedure is set out in the Global Data Subject Rights Policy which is attached at Annex C.

If we use your Personal Data for direct marketing, we will only do so if we have collected your consent for such marketing or if otherwise permitted in accordance with Data Protection Laws. If you object to our use of your Personal Data for direct marketing, you should contact the Global Data Privacy Officer, HR Global Business Services, or using such other method as may be set out in the applicable marketing communication.

There are requirements under the Data Protection Laws to ensure that no evaluation of, or decision about, an individual which produces legal effects or similarly significantly affects them can be based solely on automated processing of Personal Data except in limited circumstances. For example, we make use of automated decision making in certain recruitment processes to test the aptitude of a particular candidate. However, this process will usually be used in conjunction with other recruitment processes such as interviews and so are not conducted on a solely automated basis. If Flex makes significant decisions on a solely automated basis, it will, as required by Data Protection Laws, implement safeguards such as rights for individuals to obtain human intervention, express his or her point of view, and contest the decision.

We will only process your Special Category Data and data relating to criminal convictions and offences in accordance with Data Protection Laws, including relying on at least one of the conditions set forth under UK Data Protection Laws which is required to process such data. This may include the use of enhanced safeguards in relation to such Special Category Data and data relating to criminal convictions and offences, where necessary.

Data Processors may include a member of the Flex Group or an external vendor who processes Personal Data on behalf of a member of the Flex Group. We shall ensure that if we use any internal or external Data Processors:

(a)           we will have a written contract in place with that Data Processor;

(b)           the written contract will contain all the clauses that are mandatory under UK Data Protection Laws and otherwise under Data Protection Laws;

(c)           the written contract will state that the Data Processor, amongst other things:

(i)             will only act on the instructions of the Data Controller; and

(ii)            has a duty to notify Flex without undue delay of any personal data breaches. There may be a duty to notify Data Subjects where the personal data breach is likely to result in a high risk to their rights and freedoms. The Data Processor shall have a duty to document any Personal Data breaches comprising the facts relating to the Personal Data breach, its effects and the remedial action taken. The documentation should be made available to the Supervisory Authority on request.

We also have in place a comprehensive audit program to ensure Data Processors comply with the above measures (see Paragraph 6.2 below).

In principle, international transfers of Personal Data from the UK to a country or territory which has inadequate Data Privacy laws are not allowed unless adequate safeguards are in place in accordance with Data Protection Laws, for example, by a member of the Flex Group (based outside the UK) entering into these Standards or by putting in place contractual clauses (such as the Standard Contractual Clauses as recognised under UK Data Protection Laws) which protect the Personal Data being transferred. We will only transfer Personal Data where such safeguards are in place in accordance with Data Protection Laws, provided that adequate protection is provided as required under UK Data Protection Laws. We will ensure that all transfers of Personal Data to external vendors based outside the UK respect the rules relating to processors (as set out in Paragraph 5.12 above) in addition to the rules on transfers outside of the UK.

We maintain a comprehensive network of privacy officers throughout the Flex Group who are responsible for Data Privacy within their country, region or segment, including compliance with these Standards. Each Data Privacy Liaison Officer reports into the relevant Regional Data Privacy Officer and, ultimately, to the Global Data Privacy Officer who directly reports to the Executive Board. The Flex Board comprises the Head of Legal, the Chief Financial Officer, and Chief HR Officer, and it reports to the Chief Executive. The Global Data Privacy Officer shall be the Data Protection Officer as defined by UK Data Protection Laws and is ultimately responsible for the network of Regional Data Privacy Officers and Data Privacy Liaison Officers, the development and implementation of these Standards responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority and monitoring and reporting annually on compliance to the Executive Board. The Regional Data Privacy Officers and Data Privacy Liaison Officers are responsible for handling local complaints from Data Subjects, reporting Data Privacy issues to the Global Data Privacy Officer, monitoring training and compliance at a local level, and assisting with responding to requests from the Supervisory Authority, and co-operating with the Supervisory Authority.

In addition, we have in place a comprehensive audit programme which includes regular internal privacy assessments covering all aspects of these Standards. The results of such privacy assessments are provided to the Global Data Privacy Officer and the Executive Board of Flex Ltd. If we identify any gaps in compliance with our Data Privacy requirements (including these Standards) work plans are put in place to rectify any gaps. Where such assessment relates to these Standards, they will be provided to the Supervisory Authority upon request.

We take Data Privacy very seriously and evidence this by providing mandatory Data Privacy training to all employees who have permanent or regular access to Personal Data, who are involved in the collection of Personal Data or in the development of tools used to process Personal Data in carrying out their duties. In addition to this, all employees are required to comply with all Flex policies and procedures which includes these Standards and are also required to confirm acknowledgement of the Flex Code of Conduct which sets out the Flex Group’s commitment to Data Privacy and confidentiality.

Every Flex Group member acting as a data controller shall be responsible for and able to demonstrate compliance with the Standards where they process Personal Data described in Paragraph 4.1 of the Standards. In order to demonstrate compliance, Flex Group members will document categories of processing activities carried out in line with the requirements as set out in UK Data Protection Laws. This record should be maintained in writing, including in electronic form, and should be made available to the Supervisory Authority on request.

In order to enhance compliance and when required, Flex Group members will carry out data protection impact assessments in consultation with the Global Data Privacy Officer for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. Where the outcome of a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by Flex Group member to mitigate the risk, the Supervisory Authority should be consulted prior to processing.

Appropriate technical and organisational measures should be implemented by Flex Group members which are designed to implement the data protection principles under the UK Data Protection Law and to facilitate compliance with the requirements set up by these Standards.

We will ensure that if applicable data protection and privacy laws provide less protection than these Standards, these Standards will apply to our processing of Personal Data. However, if applicable data protection and privacy laws provide a higher protection, we will ensure that we will comply with the higher standard. Additionally, if a member of the Flex Group believes that a conflict with applicable data protection and privacy laws prevents it from fulfilling its duties under these Standards (including following the advice of the Supervisory Authority) that member entity will promptly notify the Global Data Privacy Officer or applicable Data Privacy Liaison Officer who will (in consultation with the Legal Department or the Supervisory Authority, where necessary) responsibly decide what action to take.

Flex will ensure that where it has reason to believe that legislation applicable to it prevents it from fulfilling obligations under these Standards or has a substantial effect on its ability to comply with these Standards, it will promptly notify the Flex Group member with delegated data protection responsibility and the Global Data Privacy Officer unless otherwise prohibited by a law enforcement body such as prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

Where any legal requirement Flex is subject to in a non-UK country is likely to have a substantial adverse effect on the protection afforded by these Standards, the problem should be reported to the Supervisory Authority.  This includes any legally binding request for disclosure of the Personal Data by a law enforcement authority or state security body. The Supervisory Authority should be clearly informed about the request, including information about the data requested, the requesting body, and the legal basis for the disclosure (unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). In these cases, the Flex member will use its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible, and be able to demonstrate that it did so. If, in the above cases, despite having used its best efforts, the Flex member is not in a position to notify the Supervisory Authority, Flex must annually provide general information on the requests it received to the Supervisory Authority (e.g. number of applications for disclosure, type of data requested, requester if possible, etc.). In any case, the transfers of Personal Data by a Flex member of the group to any public authority cannot be massive, disproportionate, and indiscriminate in a manner that would go beyond what is necessary in a democratic society.

The members of the Flex Group will co-operate with the Supervisory Authority and will provide assistance to each other in order to do so and to handle any request or complaint from a Data Subject or an investigation or inquiry.  Any questions about our compliance with Data Protection Laws should be addressed to the Global Data Privacy Officer using the contact details set out at the end of these Standards who will consult with the Supervisory Authority, where applicable.

Members of the Flex Group will abide by the advice of the Supervisory Authority on any issues regarding the interpretation of these Standards in accordance with the Data Protection Laws. The Supervisory Authority is authorised to audit any member of the Flex Group who is bound by these Standards and advise on all matters related to these Standards. Such members of the Flex Group must respect the decisions of the Supervisory Authority to the extent consistent with Data Protection Laws and due process and without waiving any defences or rights of appeal.

The policies and procedures described in these Standards are in addition to any other remedies available under applicable data protection and privacy laws or provided under our other policies and procedures. 

Flextronics Global Services (Manchester) Limited has been nominated by the Flex Group as the company within the UK with delegated responsibility for these Standards in the context of UK Data Protection Laws. Flextronics Global Services (Manchester) Limited will be responsible for and will take any action necessary to remedy any breach by a member of the Flex Group outside the UK bound by these Standards and has sufficient assets to pay compensation for any damages resulting from a breach of these Standards. This will include any sanction imposed or other remedy available under applicable data protection and privacy laws including the requirement to pay compensation for any material or non-material damages resulting from the breach of the Standards by members of the Flex Group outside the UK. If a member of Flex Group outside the UK breaches these Standards, the Courts or Supervisory Authority in England & Wales will have jurisdiction and Flextronics Global Services (Manchester) Limited shall be liable to you as if the breach had been caused by them in England & Wales instead of the Flex Group member outside the UK. Flextronics Global Services (Manchester) Limited shall not be liable if it is able to show that the member of the Flex Group which is alleged to be in breach is not liable for the breach giving rise to damages or that no such breach took place. The burden of proof will lie with Flextronics Global Services (Manchester) Limited in order to demonstrate that the Flex Group member outside the UK which is alleged to be in breach is not liable for any breach of the Standards which has resulted in the claim for damages. In each case identified above, if it is held that these Standards have been breached, it shall be the responsibility of the claimant to demonstrate that he or she has suffered damage and establish facts which show it is likely that the damage has occurred as a result of such breach.

If you believe a member of the Flex Group is in breach of these Standards, you may raise a complaint by contacting HR Global Business Services or the Global Data Privacy Officer (please see Paragraph 10 below).   Please also refer to the Global Procedure for Raising and Handling Data Privacy Complaints (a copy of which can be found on the Flex Data Privacy Portal and can be found at Annex D to these Standards) which sets out further detail regarding the complaints handling process.

You can enforce the rights as set out in these Standards (including those set out in Paragraphs 5, 6.4, 6.7, 7, 8.1, 8.2, 8.3, and 9.1) as a third party beneficiary, in relation to transfers of Personal Data made by a member of the Flex Group or a Data Processor appointed by a member of the Flex Group located within the UK to a country outside the UK in (i) while the General Data Protection Regulation (EU) 2016/679 applies as law in the UK, a country that is not in the EEA or a country deemed adequate for the purposes of Personal Data transfers pursuant to a decision of the European Commission under Article 45 of the GDPR; and (ii) at such point as when the General Data Protection Regulation (EU) 2016/679 no longer applies as law in the UK, in a country not considered adequate for the purposes of Personal Data transfers pursuant to adequacy regulations under section 17A of the Data Protection Act 2018. This can be done by (a) raising and bringing the issue of breach before the Supervisory Authority or bringing the issue of breach before the Courts in the jurisdiction of England and Wales. The rights contained in this paragraph are in addition to and shall not prejudice any other rights or remedies that you may otherwise have at law including the right to compensation, if appropriate. Without prejudice to the provisions set out in Section 8.2, Flex will not be deemed to have breached these Standards if it has observed the appropriate standard of care in the circumstances or otherwise acted in accordance with Data Protection Law.

From time to time we may amend these Standards (including to take account of modifications to the regulatory environment or the company structure). Additional members of the Flex Group may become bound by the Standards and certain members of the Flex Group may no longer be bound by these Standards. Therefore we will ensure that a fully updated list of members of the Flex Group is available from the Global Data Privacy Officerand will provide this information to Data Subjects and the Supervisory Authority on request. The Global Data Privacy Officer will keep track of and record any updates to the Standards. In addition, all amendments to the Standards will be subject to the approval of the Global Data Privacy Officerand reported without undue delay to all Flex Group members and to the Supervisory Authority.

Any changes to the Standards or to the list of Flex Group members should be reported to the Supervisory Authority at least annually with a brief explanation of the reasons justifying the update. Significant changes, such as those which would possibly affect the level of protection offered by the Standards or significantly affect the Standards must be promptly communicated to the Supervisory Authority and where necessary, the approval of the Supervisory Authority will be sought. 

Once any amendments to the Standards are approved these will be communicated to all members of the Flex Group bound by these Standards and posted on the Flex public website and Data Privacy Portal on the Flex Group’s intranet. Any revisions to the Standards shall include the date of the revision. We shall not make transfers of Personal Data covered by these Standards to a member of the Flex Group until such member is bound by these Standards and can deliver compliance.

30 June 2015
Date of update effective from: 22 December 2020

(a)           Flextronics (Flex) is committed to privacy and respecting the rights of those whose personal data Flex collect and use. Supporting privacy requires all of us to have an awareness of the rights which individuals have over the data belonging to them which we collect or hold.

(b)           Every individual whose personal data we hold and use has rights in respect of that data. This includes employees, business contacts, and website users. This policy is to enable us to respect those rights in accordance with our Data Privacy Standards.

(c)           The individual rights contained in this Policy reflect those rights outlined in the Data Privacy Standards and at Section 7 of the Flex Global Privacy Policy and Rules.

(d)           Flex support the entitlement of individuals to exercise their rights to protect and verify the correct use of their personal data. Flex will respond in a quick and helpful manner if an individual asks us a question about the personal data Flex hold about them. Flex will facilitate individuals to exercise these rights and, where practicable, provide electronic means for these rights to be exercised.

(e)           Individuals may contact Flex verbally or in writing to request that Flex take some action in connection with their personal data. Requests should be referred to the local Data Privacy Liaison Officer for your jurisdiction in the first instance, or to the Global Data Privacy Officer, who is the Data Protection Officer for the purposes of UK data protection laws and can be contacted on: dataprotection@flex.com or +43 1 602 4100 1737.

(f)            This policy explains how Flex identify and respond to requests from individuals concerning their data.

(g)           In general, Flex must respond to queries within one month from the receipt of the request, so it is important that requests are identified and handed to the correct people within Flex as soon as possible.

(h)           Our key objectives when handling requests from individuals are to:

(a)           Individuals have the right to make the following types of request regarding the personal data Flex holds about them: 

(b)           Flex will respond to requests listed in 1.2(a) above in accordance with Annex C 1.1(g). However, in certain circumstances that period may be extended by a further two months, taking into account the complexity of the request(s) and the number of requests made.  If applicable, the GDPO, in consultation with the Legal Team, will take this decision and notify the Data Subject within one month of the receipt of the request, together with the reasons for the delay. Where the Data Subject has made the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.

(a)           Requests relating to personal data may not always be completely obvious or clear. Requests may refer to data protection law but requests do not need to refer to any law to be valid.

(b)           Listen and look for key words and phrases to identify whether a particular communication is a request concerning personal data. The following keywords and phrases are a non-exhaustive list of indicators:

(c)           Flex, through its Global Business Services (GBS) maintains a dedicated email address for subjects to submit individual rights requests. The address is dataprivacy@flextronics.com. However rights requests can be made by any means, e.g. in person, on the phone, by email, letter, or fax. It is also possible to receive more than one form of rights request in the same communication.

(d)           If you identify a request as one which does, or which may, concern personal data, immediately inform the Data Privacy Liaison Officer (DPLO).

(e)           If you cannot be certain that the request is legitimate or that the person making the request is who they say they are, then take common sense steps to check. For example, call a number provided by the individual to check they have made the request or ask them to send an email from a recognised account. If you are still not certain about the identity of the person making the request, liaise with the Global Data Privacy Officer (GDPO) to determine what further steps should be taken.

(a)           You will work with the GDPO and the IT team to progress an access request by arranging a search of all our relevant systems for the appropriate personal data (including local storage such as shared and personal drives), email servers, back-up locations and third party applications on which personal data is stored on our behalf, and under our instruction, of (e.g. HR systems, CRM platforms, accounting programs etc.). Have the individual complete an individual rights request form, if possible. Copies of forms will be available on the Portal.

(b)           The search process shall be started as soon as possible as it can be a detailed and time consuming exercise.

(c)           All relevant teams/departments should be contacted to ensure that all relevant file, folders (whether electronic or paper) and third party applications are searched.

(d)           Where a general request is made for “all information held by Flex”, the search criteria should be as broad as possible in the first instance to identify all possible documents relating to the individual. Search criteria such as the individual’s name, address, initials, alias etc. should be used to assist. The individual’s personal data may appear in letters, memos, e-mails, file notes, electronic address books etc. as well as in our customer or HR database and in customer profiles.

(e)           Upon completion of the search you will work with the GDPO (and the Legal team, if necessary) to prepare and respond to the individual, providing copies of the relevant personal data and associated information that the individual is legally entitled to receive.

(f)            All responses must be signed off by the GDPO, and contain the following information:

(g)           If the subject access request is made in electronic form (e.g. by email), the information should be provided in a commonly used electronic form, for example, in PDF, Word or Excel (unless the data subject requests otherwise).

(h)           Exemptions:

(i)            If the GDPO believes an exemption may apply, the GDPO will notify the Legal team and a decision must be made jointly between the GDPO and Legal team.

(j)            Timing

(k)           Record Keeping

(a)           You will work with the GDPO and IT team to locate the data the individual claims to be incorrect and, if the circumstances are as the individual described, correct the data on all our files and systems where it is stored.

(b)           If the individual asks for incomplete data to be completed you will work with the GDPO and IT team to complete the data. This includes enabling the individual to give a supplementary statement to complete the data.

(c)           You will work with the GDPO to inform the individual that the information has been corrected / completed as soon as possible.

(d)           Time period

(e)           Record Keeping

(a)           This right is only available in certain circumstances (set out below). The GDPO will first assess whether the individual actually has this right before liaising with the HR Information Systems team to carry out the erasure.

(b)           This right only applies when:

(c)           If the GDPO concludes that this right applies, this conclusion will be referred to the Legal team for review. If the Legal team and the GDPO agree that the right applies, the IT team will assist in deleting the relevant data from our systems (and any third party systems on which the individual’s data is stored (e.g.IT hosting providers, database providers, etc.)

(d)           If the data has been made public by Flex, it is also necessary to inform others who may be using that data (e.g. partners, linked social media sites, etc.) that the individual has requested their data is to be deleted. Flex will take reasonable steps to do this (taking into account the available technology and cost of implementation). The GDPO, working with the Legal team where necessary, will decide what these reasonable steps are.

(e)           Exemptions

(f)           Time period

(g)           Record Keeping

(a)           An individual may request that Flex restrict the processing of their personal data in certain circumstances.

(b)           This right only applies when:

(c)           In each of the scenarios outlined above, Flex can be required to restrict use of the data until the situation is resolved; however, Flex may continue to store the data.  This right is intended as a temporary measure only.

(d)           When data is restricted, Flex may only store the data. Otherwise it must not be used unless:

(e)           The GDPO shall assess whether the right applies, and if it does, shall work with the IT team to restrict the processing of the relevant data.

(f)            Where the data in question is ordinarily processed automatically, the GDPO shall instruct the IT team to put measures in place to isolate or block the data in question.

(g)           The GDPO shall work with the Business Unit that process the personal data to ensure that all relevant staff are aware of the restrictions in place.

(h)           The GDPO, working with the Legal team where necessary, may determine that the restriction no longer applies as the requirements above can no longer be met. Prior to unrestricting the processing of the data, the GDPO must first inform the relevant individual.

(i)            Time period

(j)           Record Keeping

(a)           An individual may request that we transfer certain data held about them to the individual or to another entity.

(b)           This right only applies:

(c)           If the right applies, Flex must provide the relevant data to the individual in a structured, commonly used and machine readable form. This means an excel spreadsheet, word document or other common text file.

(d)           The purpose of this right is to enable the information to be used by a third party provider, so this goes further than the right to access.

(e)           If the individual requests that their data is transferred directly to another entity, Flex must do this where it is technically feasible.

(f)            Exemption

(g)           If the GDPO believes an exemption may apply, the GDPO will notify the Legal team and a decision will be made jointly between the GDPO and the Legal team.

(h)           Time period

(j)           Record Keeping

(a)           An individual may inform us that he/she objects to our processing their personal data.

(b)           This right only applies where Flex are processing the individual’s personal data on the basis of its or a third party’s legitimate interests (rather than having obtained consent for such processing or such processing being required to provide requested products or services to the individual) and Flex cannot demonstrate that such legitimate interests override the individual’s own rights, or that the processing is necessary for Flex’s legal rights.

(c)           The GDPO, together with the Legal team (if required), shall assess whether Flex (or a relevant third party) have any continuing legitimate interests which overrides the rights and freedoms of the individual, taking into consideration any specific circumstances, which Flex are aware of, relating to that individual.

(d)           If the GDPO and the Legal team determine that Flex (or the third party) has no continuing overriding legitimate interests, Flex shall cease to process that individual’s personal data.  The personal data shall be deleted from the Flex  systems (and third party systems).

(e)           Separately, an individual may request that Flex cease to use their personal data for direct marketing, including for any profiling that Flex undertake in connection with such marketing.

(f)            Upon receipt of a request to cease using personal data for direct marketing, the GDPO shall inform the relevant operational and marketing teams who shall cease using the individual’s personal data for marketing as soon as possible and shall cease sending any marketing to that individual. All profiling of that individual carried out in connection with the marketing must also cease. 

(g)           Time period

(h)           Record Keeping

(a)           This right applies where Flex use solely automated means to make a decision that significantly affects an individual. This might include decisions on employment or promotion based solely on aptitude tests or introduction of psychometric testing. It might also apply where we generate targeted messages to users which adjust price for the individual or specifically exploit vulnerable groups.

(b)           An individual may inform Flex that he or she objects to a significant decision being made about him or her by us based solely on automated processing.

(c)           Where such a request is received the GDPO, together with the Legal team, shall assess whether an exemption applies.

(d)           Exemptions

(e)           If such an exemption does not apply, Flex shall not make such a decision based solely on automated means.  Instead, any such decision shall be re-considered by an appropriate member of the relevant team/Business Unit.

(f)            Where an exemption does apply, Flex may continue with such decision but shall:

(g)           Time period

(h)           Record Keeping

(a)           Flextronics (Flex) is committed to data privacy and the fair processing of Personal Data, including enabling individuals to exercise the rights in respect of their Personal Data to which they are entitled under our Data Privacy Standards and applicable local data privacy laws.

(b)           Many privacy regimes (including privacy laws of the UK) often grant individuals certain rights in respect of the collection and processing of their Personal Data by organisations. Flex commits to respecting and enabling individuals to exercise these rights, as set out in our Data Privacy Standards and the Global Data Subject Rights Policy.

(c)           A Data Subject has a right to raise a Data Privacy Complaint relating to any processing of their Personal Data by Flex or a Flex entity.

(a)           The purpose of this policy is to set out the procedure which is to be followed by:

(a)           Data Privacy Complaints: A complaint or concern about data privacy matters made against a person or entity, including a complaint that Flex or a specific Flex entity is not complying with the Data Privacy Standards, any Flex policies relating to data privacy or applicable data privacy laws.

(b)           Business Contact: A business contact at any clients, underlying investors, shareholders, suppliers, partners or vendors.

(c)           Data Subject: All individuals whose Personal Data is processed by one or more Flex entities, including current and former employees, Business Contacts and any other data subjects. A Data Subject has a right to raise a Data Privacy Complaint pertaining to any processing of their Personal Data by Flex or a Flex entity.

(d)           Personal Data: Information relating to an identified or identifiable individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Examples include, but are not limited to:

(a)           a description of the Data Privacy Complaint,

(b)           a description of the respondent’s response(s), if any, to the Data Privacy Complaint;

(c)           and a statement of the Global Data Privacy Officer’s findings and conclusions.

(a)           raise the issue before the Information Commissioner’s Office;

(b)           raise the issue before the Courts in the jurisdiction of England and Wales.