Notice at Collection and Privacy Policy for Individuals Who Reside in California
Last Updated: August 2023
Aaron Thomas Company, Inc. and its subsidiaries and affiliated companies (“Company”) takes your privacy seriously. We want you to know how we collect, use, and disclose your personal information.
California Notice at Collection: Company collects the personal information identified in Section 1 for the purposes identified in Section 3 and retains it for the period described in Section 5. We do not sell your personal information or disclose it for cross-context behavioral advertising (“sharing”). We also do not collect or process sensitive personal information for the purpose of inferring characteristics about you. To the extent you provide Company with personal information about your dependents, spouse, beneficiaries, or emergency contacts, you are responsible for providing this notice to them.
Assistance For The Disabled
Alternative formats of this Privacy Policy are available to individuals with a disability. Please contact hr@packaging.com for assistance.
This Privacy Policy explains:
- The categories of personal information we collect about you
- The categories of sources from which we collect your personal information
- The purposes for which we use your personal information
- How we may disclose your personal information
- How long we keep your personal information
- Your privacy rights and how to exercise them
- Changes to this Privacy Policy
Scope:
This Privacy Policy applies to the personal information of California residents who are (a) employees, (b) independent contractors, temporary staffing agency employees, interns, volunteers, owners, board members, and other individuals who perform work for Company (collectively “Non-Employee Workers”), or (c) employees’ and Non-Employee Workers’ dependents, emergency contacts, and beneficiaries (“Related Contacts”), (all collectively, “HR Individuals”) in their role as HR Individuals. This Privacy Policy informs HR Individuals about the categories of personal information Company has collected about them in the preceding twelve months as well as the categories of personal information that the Comply will collect about HR individuals in the future.
Except where the Privacy Policy specifically refers only to a specific category of HR Individuals, e.g., employees, this Privacy Policy refers to all categories of HR Individuals collectively.
“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular HR Individual.
“Personal information” does not include:
- Information publicly available from government records or made publicly available by you or with your permission;
- Deidentified or aggregated information;
- Information excluded from the CPRA’s scope, such as:
- protected health information covered by the Health Insurance Portability and Accountability Act (“HIPAA”) or the Health Information Technology for Economic and Clinical Health Act (“HITECH”) or medical information covered by California Confidentiality of Medical Information Act (“CMIA”); or
- personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the California Financial Information Privacy Act (“FIPA”).
1) THE CATEGORIES OF PERSONAL INFORMATION WE COLLECT ABOUT YOU
We may collect the following categories of personal information. Not all categories may be collected about every HR Individual.
A. Employees
- Identifiers, for example: real name, alias, telephone number, postal address, e-mail address, signature, bank account name and number for direct deposits, Social Security number for example for tax purposes, driver’s license number, and photographs.
- Professional or Employment-Related Information, for example: educational institutions attended, degrees and certifications, licenses, work experience and previous employers, professional memberships and affiliations, union representation, seniority, training, employment start and ending dates, and job title.
- Compensation and benefits information for employees, for example: salary, bonus and commission, equity compensation information, hours and overtime, leave information, bank details (for payroll and reimbursement purposes only), benefits in which you may be enrolled, and identifying information for dependents and beneficiaries.
- Non-public educational information, for example: academic transcripts.
- Commercial Information, for example:businesstravel and expense records.
- Internet or Other Electronic Network Activity Information, for example: Internet browsing and search history while using Company’s network, log in/out and activity on Company’s electronic resources, interactions with Company’s Internet web site, application, or advertisement, and publicly available social media activity.
- Sensory or Surveillance Data, for example: voice-mails, recordings of meetings or video-conferences, and footage from video surveillance cameras.
- § 1798.80: personal information described under Cal. Civ. Code § 1798.80 to the extent not already included in other categories here, such as benefit information to administer short and long-term benefits as well as other benefit plans.
- Preferences, for example, hobbies and leisure activities, membership in voluntary/charitable/public organizations, and preferences regarding work tools, travel, hours, food for company events, etc.
- Inferences, for example, Company might infer characteristics from activity on Company’s electronic resources, e.g., willingness to try new technologies.
- Characteristics of Protected Classifications Under California or Federal Law for employees, for example: race, age, national origin, disability, sex, and veteran status as necessary to comply with legal obligations and to support diversity and inclusion programs; disability, medical condition, and pregnancy, childbirth, breastfeeding, and related medical conditions, as necessary to comply with Federal and California law related to leaves of absence and accommodation; and marital and familial status as necessary to provide benefits to employees and for tax purposes.
- Biometric information, for example, a fingerprint for a biometric timeclock.
- Geolocation data, for example: GPS tracking on Company vehicles.
B. Non-Employee Workers
Company collects the categories of personal information listed in Section 1.A, above, excluding the following categories: (a) Compensation and benefits information for employees and (b) Characteristics of protected classifications under California or federal law for employees.
In addition, Company collects the following personal information regarding Non-Employee Workers:
- Compensation: Amounts paid to Non-Employee Workers for services rendered;
C. Related Contacts
- Company only collects contact information about emergency contacts.
- Company may collect the following categories of personal information about spouses or domestic partners, dependents, and beneficiaries: (a) Identifiers; (b) Commercial Information if, for example, Company arranges travel for a dependent to attend a Company event; (c) Internet Activity Information if the individual uses Company electronic resources and web sites; (d) Sensory or Surveillance Data if the individual enters Company facilities; (e) § 1798.80 personal information, such as insurance policy numbers if the individual is covered by Company insurance or health information, for example, infectious disease testing when a Related Contact attends a Company event; and (f) Protected Categories of Personal Information, for example, childbirth to administer parental leave, marital status to pay taxes, and familial status to administer benefits.
Note on inferring characteristics: Company does not collect or process sensitive personal information or characteristics of protected classifications for the purpose of inferring characteristics about the HR Individual.
2) THE CATEGORIES OF SOURCES FROM WHICH WE COLLECT YOUR PERSONAL INFORMATION
We collect personal information from the following categories of sources. Not all categories apply to every HR Individual.
- You, for example, in your job application, forms you fill out for us, assessments you complete, surveys you submit, and any information you provide us during the course of your relationship with us.
- Your spouse or dependent with respect to their own personal information.
- Vendors and service providers, for example, law firms.
- Affiliated companies, for example, when an employee works on a cross-enterprise team.
- Third parties, for example, job references, business partners, professional employer organizations or staffing agencies, insurance companies.
- Automated technologies on Company’s electronic resources, for example, to track logins and activity across Company network.
- Surveillance/recording technologies installed by Company, for example, video surveillance in common areas of Company facilities, global positioning system (“GPS”) technologies, voicemail technologies, webcams, audio recording technologies, and blue-tooth technologies, any of these with consent to the extent required by law.
- Government or administrative agencies, for example, law enforcement, public health authorities, California Department of Industrial Relations, Employment Development Department.
- Acquired company, if Company acquired your employer, Company might collect personal information from that employer.
3) THE PURPOSES FOR WHICH WE USE YOUR PERSONAL INFORMATION
A. General Purposes
We may use the personal information we collect for one or more of the following purposes:
- Fulfilling the purpose for which you provided the information or at your direction. For example, if you share your name and contact information to apply for a job or become an employee, we will use that personal information in connection with your employment or potential employment.
- Administering the employment relationship including, but not limited to, human resources administration, payroll processing, benefits administration, leave programs, corporate travel and other business expenses, timekeeping, managing work supplies, grievance or disciplinary matters, diversity and inclusion, ascertaining your fitness to work, drug and alcohol screening, worker’s compensation administration, occupational health surveillance, direct threat analysis, and facilitating employee communication and collaboration.
- Managing and/or analyzing all aspects of employee performance including, but not limited to, talent management, periodic reviews, performance tracking, promotions, retention, discipline, education, training and development, and data analytics.
- Administering the relationship with Non-Employee Workers, including, but not limited to, evaluating the Non-Employee Worker’s qualifications, negotiating and executing work contracts, orientation and familiarization with Company’s working environment, administering the contractual relationship including payments, facilitating communications, and workforce satisfaction.
- Administering the relationship with Related Contacts, including, but not limited to, communications, managing and administering benefits, and managing participation in Company events.
- Promoting Company and creating a positive environment in the workplace, including, but not limited to, planning and running Company events, conducting surveys, running contests, and supporting diversity, equity, and inclusion.
- Ensuring compliance with Company policies and applicable laws and regulations, including, but not limited to, developing and enforcing policies and procedures, authenticating your identity, conducting internal audits and investigations, administering Company’s whistleblower hotline, and preparing reports.
- Protecting health and safety of HR Individuals, visitors, customers, and the public, including, but not limited to, responding to medical emergencies, reducing the risk of exposure to infectious disease and preventing its spread in compliance with applicable laws and regulations, and protecting the safety and security of Company’s facilities.
- Managing the security and integrity of our information and electronic resources including, but not limited to, monitoring use of our electronic resources, preventing unauthorized access to our electronic resources, preventing malicious software distribution, debugging, audits, disaster recovery, business continuity, and cyber security.
- Running our business, including, but not limited to, customer service, project management, research, data analysis, and development, quality assurance and improvement, managing licenses, permits, and authorizations applicable to Company’s business operations, maintaining records, and efficiently managing and operating administrative, information technology, and communications systems, risk management and insurance functions, budgeting, financial management and reporting, and strategic planning.
- Providing, supporting, personalizing, and improving our website and online services relating to your prospective, current, or former employment or engagement.
- Protecting the rights or property of Company, including, but not limited to, detecting and prevent fraud or other types of wrongdoing, managing litigation involving Company, and other legal disputes and inquiries, crisis management, dispute resolution, reporting suspected criminal conduct to law enforcement and cooperating in investigations, short-term transient use of personal information, responding to requests or orders from governmental agencies, exercising Company’s rights under applicable law, and supporting any claim, defense, or declaration involving the Company in a case or before a jurisdictional and/or administrative authority, arbitration, or mediation panel.
- In connection with a corporate transaction, transfer, or assignment of assets, merger, divestiture, or other changes of control or our financial status or any of related subsidiaries or affiliates.
B. Purposes Specific To Certain Categories Of Employees’ Personal Information
We may use the categories of employees’ personal information listed in this Section 3.B for the purposes stated below:
Purposes For Using Employees’ Health Information:
- To the extent necessary to comply with Company’s legal obligations, such as to accommodate disabilities
- To conduct a direct threat analysis in accordance with the Americans with Disabilities Act and state law
- For workers’ compensation purposes
- For occupational health surveillance
- For occupational health and safety compliance and record-keeping
- To conduct fitness-for-duty examinations
- To administer leaves of absence and sick time
- To provide a wellness program
- To respond to an employee’s medical emergency
Purposes For Using Employees’ Protected Categories Of Information:
Company collects information about race, age, national origin, disability, sex, and veteran status as necessary to comply with legal obligations, including the reporting requirements of the federal Equal Employment Opportunity Act, The Office of Federal Contracting Compliance Programs (applicable to government contractors), and California’s Fair Employment and Housing Act. Company also collects information about disability status to the extent an employee may need special assistance during emergencies from Company or from first responders.
Company also collects the following characteristics (in addition to those listed above) for its diversity and inclusion programs (including analytics): (a) religion, (b) sex, (c) gender, (d) pregnancy, (e) childbirth, (f) breastfeeding, or related medical conditions, (g) sexual orientation, (h) disability, (i) gender identity, (j) gender expression, (k) marital status, (l) age, (m) familial status, or (n) ancestry.
In addition, Company uses this personal information for purposes including:
- with respect to disability, medical condition, familial status, marital status, and pregnancy, childbirth, breastfeeding, and related medical conditions: as necessary to comply with Federal and California law related to leaves of absence and accommodation;
- with respect to military and veteran status: as necessary to comply with leave requirements under applicable law and for tax purposes;
- with respect to age: incidentally to the use of birth date for birthday celebrations and identity verification;
- with respect to religion and pregnancy, childbirth, breastfeeding, and related medical conditions: as necessary for accommodations under applicable law;
- with respect to protected classifications, such as national origin: to the extent this information is contained in documents that you provide in I-9 documentation; and
- with respect to marital status and familial status: for Company events and as necessary to provide benefits and for tax purposes.
- Company collects personal information about membership in protected categories on a purely voluntary basis, except where required by law, and uses the information only in compliance with applicable laws and regulations.
C. Deidentified Information
At times, Company converts personal information into deidentified information using reasonable measures to ensure that the deidentified information cannot be associated with the individual (“Deidentified Information”). Company maintains Deidentified Information in a deidentified form and does not attempt to reidentify it, except that Company may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes ensure that the information cannot be associated with the individual.
4) HOW WE MAY DISCLOSE YOUR PERSONAL INFORMATION
Company generally maintains personal information related to HR Individuals as confidential. However, from time to time, Company may have a legitimate business need to disclose personal information. In that event, Company discloses information within the categories of personal information listed in Section 1, above, only to the minimum extent necessary to achieve the purpose of the disclosure and only if the disclosure is permitted by the CPRA and other applicable laws.
A. Disclosures for Business Purposes
Company may disclose each of the categories of personal information listed in Section 1, above, to the following categories of third parties for the following “business purposes”, as that term is defined under the CPRA:
- Service providers: Company may disclose to service providers any of the categories of personal information listed in Section 1, above, for the business purpose of performing services on Company’s behalf and, in particular, for the specific purposes described in Section 3, above.
- Auditors, lawyers, consultants, and accountants engaged by Company: Company may disclose the categories of personal information listed in Section 1, above, to these services providers or contractors for the business purpose of auditing compliance with policies and applicable laws, in addition to performing services on the Company’s behalf.
- Affiliated companies: Company may disclose any of the categories of personal information listed in Section 1, above, to other companies within the [insert name of family of companies] family of companies for the business purposes of (a) auditing compliance with policies and applicable laws, (b) helping to ensure security and integrity, (c) debugging, (d) short-term transient use, (e) internal research, and (f) activities to maintain or improve the quality or safety of a service or device.
Company does not sell or “share” (disclose to a third party for cross-context behavioral advertising) your personal information in connection with the HR relationship. In addition, we have no actual knowledge that we sell or share the personal information of individuals of any age in connection with the HR relationship, including the personal information of children under 16.
Company may disclose personal information to the following additional categories of third parties although these disclosures may be for purposes in Section 3, above, other than a business or commercial purpose as defined by the CPRA:
- Your direction: We may disclose your personal information to third parties at your direction.
- Clients: This may include, for example, disclosing a sales representative’s contact information to clients.
- Affiliated companies: Other companies within the [insert name of family of companies] family of companies, for example, of you work on a cross-enterprise team.
- Business partners: For example, Company might disclose your business contact information to a co-developer of a new product or service with which you will be working.
- Government or administrative agencies: These may include, for example the Internal Revenue Service to pay taxes or the California Department of Industrial Relations as required to resolve workers’ compensation claims.
- Public: Company may disclose your personal information to the public as part of a press release, for example, to announce promotions or awards. If you do not want your personal information in press releases, please contact HR@packaging.com. Company does not disclose sensitive personal information to the public.
- Required Disclosures: We may be required to disclose personal information (a) in a court proceeding, (b) in response to a court order, subpoena, civil discovery request, other legal process, or (c) as otherwise required by law.
- Legal Compliance and Protections: We may disclose personal information when we believe disclosure is necessary to comply with the law or to protect the rights, property, or safety of Company, HR Individuals, or others.
- Corporate Transactions: We may disclose your personal information in connection with a corporate merger, consolidation, bankruptcy, the sale of all, or substantially all, of our membership interests and/or assets or other corporate change, including to any prospective purchasers.
5) HOW LONG WE KEEP YOUR PERSONAL INFORMATION
Company keeps your personal information no longer than necessary for the purposes described in Section 3 above and in accordance with our Personal Document Management Procedure available for review upon request to HR@packaging.com, unless Company is required to retain your personal information longer by applicable law or regulation, by administrative needs, by legal process, or to exercise or defend legal claims.
6) YOUR PRIVACY RIGHTS AND HOW TO EXERCISE THEM
A. Your California Privacy Rights
Subject to applicable law, HR Individuals have the following rights:
- Right to Know: You have the right to submit a verifiable request up to twice in a 12-month period for specific pieces of your personal information and for information about Company’s collection, use, and disclosure of your personal information.
Please note that the CPRA’s right to obtain specific pieces does not grant a right to the whole of any document that contains personal information, but only to discrete items of personal information. Moreover, HR Individuals have a right to know categories of sources of personal information and categories of external recipients to which personal information is disclosed, but not the individual sources or recipients.
- Right to Delete: You have the right to submit a verifiable request for the deletion of personal information that you have provided to Company.
- Right to Correct: You have the right to submit a verifiable request for the correction of inaccurate personal information maintained by Company, taking into account the nature of the personal information and the purposes of processing the personal information.
B. How to Exercise Your Rights
Company will respond to requests to know, delete, and correct in accordance with applicable law if it can verify the identity of the individual submitting the request. You can exercise these rights in the following ways:
- Call 877-667-8688
- Email HR@packaging.com Or complete the form below:
C. How We Will Verify Your Request
Otherwise, we match personal information that you provide us against personal information we maintain in our files. The more risk entailed by the request (e.g., a request for specific pieces of personal information), the more items of personal information we may request to verify your identity. If we cannot verify your identity to a sufficient level of certainty to respond securely to your request, we will let you know promptly and explain why we cannot verify your identity.
D. Authorized Agents
You may designate an authorized agent to exercise your right to know, to correct, or to delete. If an authorized agent submits a request on your behalf, the authorized agent must submit with the request another document signed by you that authorizes the authorized agent to submit the request on your behalf. In addition, we may ask you or your authorized agent to follow the applicable process described above for verifying your identity. You can obtain the “Authorized Agent Designation” form by contacting us at HR@packaging.com.
In the alternative, you can provide a power of attorney compliant with the California Probate Code.
E. Company’s Non-Discrimination and Non-Retaliation Policy
Company will not unlawfully discriminate or retaliate against you for exercising your rights under the California Privacy Rights Act.
7. CHANGES TO THIS PRIVACY POLICY
If we change this Privacy Policy, we will post those changes on this page and update the Privacy Policy modification date above.
For More Information
For questions or concerns about Company’s privacy policies and practices, please contact us at HR@packaging.com.