Appendix: Safe Harbor Principles
APPENDIX: SAFE HARBOR PRINCIPLES
The obligations of personnel to comply with the Safe Harbor Principles for Personal Data are reflected in and reinforced by applicable corporate policies, directives, and procedures. Ford personnel can identify applicable corporate policies, directives, and procedures at Ford's Safe Harbor site.
Ford’s adherence to the Safe Harbor Principles may be limited to the extent required to meet legal, government, or national security obligations.
For the full text of the Principles, visit the U.S. Department of Commerce’s Safe Harbor website: http://www.export.gov/safeharbor/.
1. NoticeAs a Data Controller, Ford notifies individuals about the purposes for which it collects and uses Personal Data about them, how individuals can contact Ford with any inquiries or complaints, the types of third parties to which Ford discloses the Personal Data, and the choices and means Ford offers individuals for limiting the use and disclosure of the Personal Data. Ford requires a data subject’s specific consent to process Sensitive Personal Data.
When Ford acts as a Data Processor, it provides notice as instructed by the Data Controller and in accordance with the Safe Harbor Principles.2. Choice
As a Data Controller, Ford provides individuals with the opportunity to choose (opt out) of whether (a) their Personal Data will be disclosed to a third party (other than disclosure to a Data Processor or Data Subprocessor acting solely on Ford’s behalf), or (b) their Personal Data will be used for a purpose other than for the purpose for which it was originally collected or subsequently authorized by the individual.
For any Sensitive Personal Data, Ford will give individuals the opportunity to affirmatively or explicitly consent (opt-in) to (a) the disclosure of such Sensitive Personal Data to a third party (other than disclosure to a Data Processor or Data Subprocessor acting solely on Ford’s behalf) or (b) the use of the Sensitive Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
When Ford acts as a Data Processor, it provides choice as instructed by the Data Controller and in accordance with the Safe Harbor Principles.3. Onward Transfer
Onward transfers occur when Ford either acting as a Data Controller or Data Processor receives Personal Data and then provides access to that Personal Data to another entity. Ford will onward transfer Personal Data to a Subprocessor only where that Subprocessor is processing the data on Ford’s behalf. Ford ensures that Subprocessors subscribe to the Safe Harbor principles, are subject to another adequacy finding, or enter into a written agreement between Ford and the Subprocessor to provide at least the same level of privacy protection of the Personal Data as is required by Ford’s certification and the Safe Harbor principles.
To the extent Ford transfers Personal Data to any other third party (e.g., Data Processors acting at the direction of Ford as a Data Controller), it will do so only when the third party has provided assurances that it will provide at least the same level of privacy protection as is required by Ford’s Safe Harbor certification and the Safe Harbor Principles.
When Ford has knowledge that a third party is using or sharing Personal Data in a way contrary to this Policy, it will take reasonable steps to prevent or stop such processing or use.4. Security
Ford takes reasonable administrative, technical, and physical precautions to safeguard Personal Data against reasonably foreseeable risks of theft, loss, misuse, and unauthorized access, disclosure, alteration, and destruction.5. Data Integrity
Ford limits its collection and use of Personal Data to that which is relevant for the intended purposes for which the Personal Data was collected or subsequently authorized by the individual. Ford takes reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current.6. Access
Ford provides individuals reasonable access to Personal Data about them and individuals may request that Ford correct, amend, or delete Personal Data where it is unreliable for its intended use, inaccurate, incomplete, or out-of-date, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated.7. Enforcement
Ford has adopted a self-regulatory compliance program that includes mechanisms to verify ongoing compliance with the Safe Harbor Principles and this Privacy Statement. Ford will periodically review and verify its compliance with the Safe Harbor Principles and will rectify any issues of noncompliance. Personnel who are in violation of the Safe Harbor Principles or this Privacy Statement may be subject to disciplinary action, up to and including termination or release.
Ford acknowledges that its failure to provide an annual self-certification to the Department of Commerce will remove it from the Department’s list of participants and that thereafter the transfers of Personal Data described in this Policy will not be allowed unless Ford otherwise complies with the EU Data Protection Directive.
Individuals with questions or complaints regarding the use or disclosure of Personal Data in accordance with the Principles may seek resolution of such questions or complaints. They should first contact Ford at safeharb@ford.com.
Ford commits to cooperate with the European Data Protection Authorities for the purpose of handling any unresolved complaints regarding Personal Data collected in support of our human resources operations.
For other unresolved complaints, Ford will use the services of the American Arbitration Association (AAA) in the investigation and resolution of individual complaints that arise under the Safe Harbor Principles and comply with the AAA’s advice.