Brightstar’s COVID-19 Privacy Notice

Introduction

This privacy notice is an addendum to Brightstar’s privacy policies and notices found here: www.brightstar.com. Brightstar, its affiliated companies and subsidiaries worldwide (“Brightstar”), is committed to protecting and respecting your privacy. Through this privacy notice, we have sought to be as transparent as possible and thoroughly explain how your personal data may be held and processed if you enter one of our facilities during these unprecedented challenges we are all facing during the coronavirus pandemic (“COVID-19”).

Notice to individuals in the European Economic Area (“EEA”): this Privacy Notice is intended to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union 27 April 2016 (the “General Data Protection Regulation” or “GDPR”) and provide appropriate protection and care with respect to the treatment of your user information in accordance with the GDPR.

Why are we collecting your personal data?

Before entering a Brightstar facility, we may ask you to provide us with certain personal data. The data that we may seek to collect and process about you is above and beyond what we would ordinarily collect. However, the purpose of collecting this data is to safeguard those that are vulnerable, aid business continuity, and ensure the safety and well-being of our employees, contractors, and visitors.

Such information will be limited to what is proportionate and necessary, taking into account the local laws and the latest guidance issued by local Government and health professionals to manage and contain the virus.

What personal data is being collected?

Before entering a Brightstar facility, you could be asked to fill out a questionnaire, if legally allowed.  The questionnaire may collect some of the following data about you: name, phone number, department (or company name), manager (or Brightstar Host’s name), and whether you have had COVID-19 like symptoms, been in contact with a person who has tested positive/diagnosed with COVID-19, or been asked or recommended to self-quarantine by health officials.

As an additional cautionary measure, many Brightstar facilities have implemented a non-invasive temperature screening procedure at the entrance to the facility, where legally allowed.

No temperature screening data will be recorded for contractors or visitors. However, if an employee has a temperature reading above the “normal range of body temperature,” Brightstar may collect the employee’s: name, manager, position, contact number, and the fact that the employee had a higher than normal body temperature.

Who is processing your data?

The Data Controller for the information outlined in this privacy notice is Brightstar. This means that Brightstar management has the accountability and the responsibility to set structure and procedures to treat and protect your data. Appointed members of staff are responsible for the actual treatment of your data; as a result, they will be instructed to treat your data in the same manner.

On occasion, your personal data may be shared within the Brightstar Group for internal administrative purposes. This may involve transferring your data outside the jurisdiction that you are in.

How will we use the information we hold about you?

The information we collect about you will only be used to determine whether you will be able to gain access to a Brightstar facility, to prevent the spread of COVID-19, and to reduce the potential risk of exposure to our workforce and visitors.

Who will we share your information with?

We will only share your information, on a need to know basis, with appropriate individuals. Only the minimum information for the purpose will be shared.

We will not share your information with anyone else unless required to do so under additional legal requirements, for example, to assist the Government in containing the spread of COVID-19. This may be where we are required to do so by law, to safeguard public safety, and in risk of harm or emergency situations.

How long will your personal data be retained by Brightstar?

We will only keep your information for as long as it is necessary, considering the Government’s advice and the ongoing risk presented by COVID-19. Health information provided by you in relation to this Coronavirus pandemic will not be used for any other purpose.

When the information is no longer needed for this purpose, it will be securely deleted.

How to contact us?

We value your opinions and feedback. Should you have questions or comments related to this Notice, please contact Brightstar’s Global Ethics & Compliance Office at EthicsCompliance@Brightstar.com.

Notice to individuals in the EEA:

The GDPR requires specific conditions to be met to ensure that the processing of personal data is lawful. These relevant conditions are below:

Article 6(1)(d) – processing is necessary in order to protect the vital interests of the data subject or another natural person.

Recital 46 adds that “some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”.

Article 6(1)(f) – processing is necessary for the purposes of the legitimate interest pursued by the data controller.

Recital 48 adds that “[c]ontrollers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes.”

The processing of special categories of personal data, which includes data concerning a person’s health, is prohibited unless specific further conditions can be met. These additional relevant conditions are below:

Article 9(2)(b) – processing for the purpose of fulfilling obligations under labour and social law.

Article 9(2)(h)– processing for the transmission of health data to the health authorities, where legally allowed. Article 9(2)(h), in conjunction with Recital 56, provides a corresponding lawful basis (processing for reasons of public interest in the field of public health).

On occasion, your personal data may also be shared within the Brightstar Group for internal administrative purposes. This may involve transferring your data outside the EEA. In that case, we will transfer your personal data to a country where the European Commission confirms an adequate level of protection; pursuant to a lawfully executed standard contractual clauses designed by the European Commission; or at least one of the derogations set out in Article 49 (Derogations for specific situations) (1) of the GDPR applies.

Please contact us at GDPRSupport@brightstar.com if you want further information on the specific mechanism used by us when transferring your personal data outside of the EEA.

As with our existing privacy policy, which is still applicable, under certain circumstances, you have rights under data protection laws in relation to your personal data:

– Request access to your personal data.
– Request the correction of your personal data.
– Request erasure of your personal data.
– Object to processing of your personal data.
– Request restriction of processing your personal data.
– Request the transfer of your personal data.
– Right to withdraw consent.

If you wish to exercise any of the rights set out above, you have questions about this policy notice, or if you are not happy about the way your personal data is being processed, we have a dedicated team ready to assist you: GDPRSupport@brightstar.com

You have the right to make a complaint at any time to the relevant supervisory authority for data protection. A list of EU Data Protection Authorities can be found here http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm. We would, however, appreciate the chance to deal with your concerns before you approach a Data Protection Authority, so please contact us in the first instance.