At James Hardie we are committed to maintaining the accuracy, confidentiality and security of personal data. This Privacy Statement describes, inter alia, the categories of personal data we process, how your personal data may be processed, for what purposes and on what legal basis we process your data and how your privacy is safeguarded. Please read this Privacy Statement carefully to understand our views and practices regarding your personal data and how we treat it.
The James Hardie group is made up of different individual companies. Whenever dealing with one of our group companies, the “controller” of your personal data will be the company that decides why and how your personal data is processed alone or jointly with another James Hardie group entity or group entities. For a list of the James Hardie group companies for which this privacy statement is relevant, please have a look at section 18.
Where this privacy statement refers to “we”, “us”, “our” or “James Hardie”, this refers to the James Hardie group company (or companies) processing your personal data as controller under the GDPR.
James Hardie processes different categories of personal data in the normal course of its business. Such personal data may relate to individuals working for prospective and existing vendors and customers, including employees working for parties such as dealers, distributors, architects and housebuilders. Personal data may also relate to individuals visiting our websites, downloading our online applications, connecting with us through social media or at business events or calling our telephone lines.
As a general rule, James Hardie only collects and processes personal data if there is a lawful justification to do so. This includes necessity for the performance of a contract or service offered by us, our legitimate interest in processing the data, or consent given.
2. From whom and how may we collect personal data?
We may collect and process data about the following categories of data subjects:
- Former, current and potential customers, including, without limitation, dealers, distributors, retailers, channel partners, contractors, architects and end-users (collectively, “Customers”);
- Former, current and prospective individuals providing goods and services to us, including, without limitation, temporary agents, contractors, outsourcers, consultants, experts, board members, auditors, dealers, distributors, suppliers, and vendors (collectively, “Suppliers”);
- Entrants to sponsored competitions;
- Complainants, correspondents and enquirers;
- Current, former and prospective shareholders;
- Claimants or defendants in current or prospective litigation;
- Marketing contacts, journalists, trade association and lobbying contacts; and
- Individuals visiting our websites, downloading our online applications, connecting with us through social media or at business events or calling our telephone lines.
We collect this personal data because you have given it to us:
- by entering information on one of our websites;
- when we visit your stores;
- via our mobile applications;
- via social media platforms;
- when corresponding with us by phone, email or otherwise;
- by entering competitions run by us;
- by taking surveys undertaken by us or on our behalf;
- when signing up to receive newsletters, promotions and other notifications;
- when participating in promotional events, seminars or trainings; and
- when you open an account with us.
Or we may collect this personal data about you ourselves:
- because you have allowed your data to be shared as part of your company website, public profile, third party social network or other website that you operate or use;
- because you have allowed your data to be shared on online registers, professional platforms and websites for the purpose of getting into contact with third parties including Suppliers and Customers;
- because your information is otherwise publicly available, for example with regard to journalists, trade association or lobbying contacts;
- because you have visited our websites, where we may track, for example, traffic data, location data, weblogs and other communication data, and the resources you access;
- technical information including anonymous data collected by the hosting server for statistical purposes, the Internet Protocol (IP) address used to connect your computer or device to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
3. What data do we collect?
The data that we may collect and process includes for example:
- Contract information (address, phone number, fax, email);
- The company for whom you work;
- Job title(s) and/or function(s);
- Department and/or business unit;
- Your signature;
- Customer records (purchase history, after sale services, warranty history, buying preferences etc.);
- Technological data (IP addresses and data stored in cookies – see section 12 below for more information on cookies);
- Geo-location data, for example, when you sign for delivery using a mobile device and have activated the feature on your mobile device that allows us to locate you via GPS;
- Credit rating and bank details;
- Credit limit and payment terms;
- Identification data in official identification documents if permitted by national law;
- Sales information relating to the sale of products or services;
- Portraits (e.g. photograph);
- Correspondence or other communications with you about our products, services or business.
4. For what purposes do we use personal data?
We use the information we may hold on you for the following purposes:
- customer service purposes, including to provide products and services to Customers; to take, verify, process, and deliver orders and returns; to invoice and process payments; to manage credit limits; for warranty, technical support, or other similar purposes; and to establish and maintain Customer accounts;
- communication with Customers, including to respond to requests for assistance and to update them about the status of their orders by postal mail, email, telephone, and/or text message;
- administration purposes, including to understand how Customers access and use our websites (so-called website analytics, see section 13 below for further information) and social media platforms (see section 15 below for further information);
- interest based online marketing (targeting; see section 12 for further information);
- marketing and promotional purposes, including through email or equivalent electronic means, to send news and newsletters, special offers and promotions, or to otherwise contact Customers about products, services or information;
- to review and fulfill orders, purchasing or sales history from Suppliers; to exchange information, including performance indicators, about goods or services; and to organize seminars, events, training courses and marketing activities;
- to enable administration for the entity structure, management and management reporting, administration of organization contacts;
- to update, rectify, block or erase personal data when appropriate; to permit data subjects to access and review their personal information; and
- research purposes, including in relation to market and industry research customer experience; to be used in daily correspondence (e.g. email messages, letters, etc.); compliance with applicable legal obligations, including to respond to a court order; and to permit risk management, compliance, legal and audit functions.
5. Legal basis for processing data
We process your personal data on the following legal basis:
|Legal basis||Type of processing (examples)|
Our legitimate interests are:
Performance of a contract
The personal information you provide may be processed when it is necessary in order for us to:
Compliance with legal obligations
Where we are under a duty to disclose or share your personal information in order to comply with applicable law or with a request from government or law enforcement officials.
Where we rely on your consent as the legal basis for processing your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this Privacy Statement. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.
6. Who has access to your personal data?
If this is permitted by applicable data protection laws, your personal data transferred may be disclosed to the following recipients or categories of recipients:
- Authorized persons working for or on behalf of us (e.g. persons working in operations, IT, human resources, finance, marketing and customer service positions);
- Agents, service providers and advisers that we engage (e.g. James Hardie Group companies and third party vendors and advisers providing services in connection with marketing, customer service, transport, personal data storage, back-up and analytics, application development, payment and credit cards, procurement, and compliance vetting);
- Our partners, to offer joint products and services to you in connection with our products and services, or when such partners sponsor or participate in our events and conferences.
- Other authorized third parties in connection with a potential sale, divestiture, or transfer of a James Hardie group company or companies (including any shares in the company) or any combination of its products, services, assets, affiliates, and/or businesses.
- With third parties, to enforce our terms, agreements, policies or rules, to help protect the security, integrity and availability of our products, systems and services; to exercise or protect James Hardie group company rights and property (including intellectual property), to comply with legal requirements, or in other cases if we believe in good faith that disclosure is required by law (including in response to a lawful subpoena or other law enforcement request).
- Law enforcement or government authorities where necessary to comply with applicable law.
If this is permitted by applicable data protection laws, your personal information may be shared with and processed by other members within the James Hardie group, including but not limited to the entities in section 18. This may occur, for example:
- When James Hardie group companies cooperate to provide operational, IT, Human Resources, finance, marketing and customer service services to other group companies;
- To help protect the security, integrity and availability of our products, systems and services;
- When different James Hardie group companies jointly develop products and services; and
- When James Hardie group companies combine products, services, systems, databases and companies. This may for example occur when data residing in a marketing or CRM system of one James Hardie group company is combined with and/or migrated to a marketing or CRM system of another James Hardie group company.
Where other members of the James Hardie group or these third parties act as a “data processor” they carry out their tasks on behalf of the data controller and upon its instructions for the above-mentioned purposes.
7. International transfers
When sharing data with other members within the James Hardie group or with third parties, it may happen that your personal data is collected and processed in a jurisdiction outside of Europe. If those jurisdictions do not have adequate protection (as determined by the European Commission, Art. 45 GDPR), we ensure prior to the transfer that the transfer is subject to appropriate safeguards, for example by self-certification of the recipient for the EU-US Privacy Shield (for US recipients only) or by entering into so-called standard data protection clauses of the European Union with the recipient.
You are entitled to receive an overview of third country recipients and a copy of the specifically agreed-to provisions securing an appropriate level of data protection. For this purpose, please contact us using the contact information in section 16.
8. Security of your information
To help protect the privacy of personal data, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We generally try to restrict access to your personal data to those individuals working for James Hardie Group companies that have a need to know that information and always in compliance with applicable law.
In addition, we train the people working for us about the importance of confidentiality and maintaining the privacy and security of your personal data. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities.
Please be aware, though, that despite our efforts, no security measures are perfect or impenetrable. We cannot ensure, and do not warrant or guarantee, that the information you transmit to us will remain secure, nor do we guarantee that this information will not be accessed, disclosed, altered, destroyed or used in an unauthorized manner.
If we learn of a security breach, we may attempt to notify you electronically so that you can take appropriate protective steps. We may also post a notice on our website if a security breach occurs. Depending on where you live, you may have a legal right to receive a notice of a security breach in writing.
9. Data storage and retention
Your personal data may be stored in different assets including but not limited to our CRM and ERP systems, email clients, James Hardie's servers, and the servers of the (cloud-based) services James Hardie engages, located in the United States, Australia and in countries in the European Union. Where this is feasible, we will try to encrypt your personal data in storage and during transmission.
Except as otherwise permitted or required by applicable law or regulatory requirements (in particular, data retention periods), James Hardie endeavours to retain your personal data only for as long as it is necessary to fulfil the purposes for which the personal data was collected. We will also retain and use your information for as long as necessary to resolve disputes and/or enforce our rights and agreements. We retain account information of existing, former and prospective customers and vendors for as long as the account is active and thereafter for a period subject to statutory data retention periods. Non-personally identifiable and aggregated information may be stored indefinitely. Further details can be found in our data retention policy which is available on request.
10. Right to access, correct and delete your personal data and further data subject’s rights
The European Union’s General Data Protection Regulation and other countries’ privacy laws provide certain rights for data subjects.
Right of access and right to rectification: You have a right to request access to any of your personal data that James Hardie may hold, and to request correction of any inaccurate data relating to you.
Right to erasure: Provided the legal requirements are fulfilled, you may request deletion of your data. This does not apply to personal data which is subject to a statutory retention period or which is necessary for the establishment, exercise or defence of legal claims.
Right to lodge a complaint: You have a right to lodge a complaint with the appropriate data protection authority, in particular in the country of your residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes applicable law.
Right to restriction of processing: You have the right to restrict our processing of your personal data in certain cases.
Data portability: Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal data is processed by automatic means, you have a right to receive all personal data which you have provided to James Hardie in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
Rights to object: Where we are relying upon legitimate interest to process data, then you have the right to object to such processing on grounds relating to your particular situation, and we must stop such processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defence of legal claims. Normally, where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis. You also have the right to object to the processing of your personal data for marketing purposes at any time. Please also see the section "Information regarding your rights to object".
Right to withdraw consent: Where we are relying upon your consent to process data, you have the right to withdraw such consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. This would particularly apply to Cookies and we have implemented functionality on our website to support this.
11. Are you required to provide your personal data?
You may interact with us without providing any personal data to us. However, please note that in this case certain features or services might not be available to you.
12. Cookies (only relevant for users of our website)
Information on the types and categories of cookies we use, and the way you can manage the usage of cookies by deactivating, rejecting or deleting them can be found in our Cookie Notice. You can also click our Cookie Settings button below to find out more.
13. Website analytics (only relevant for users of our website)
14. Links to other websites (only relevant for users of our website)
Our sites may contain links to other sites not affiliated with us for your convenience. When you access those links, you will leave our website. We do not control such websites. These sites have their own policies and practices with respect to online privacy, and we cannot be held responsible for the privacy practices or the content of these unaffiliated sites. For avoidance of doubt, the personal data you choose to give to unrelated third-party websites are not covered by this Privacy Statement.
We may display advertisements from third parties. Such an advertiser may ask you for personal data as well. We cannot be held responsible for the privacy practices of the advertisers on our websites. However, we encourage our partners and advertisers to adopt privacy policies that respect the local legal requirements.
15. Social Media and other Platforms (only relevant for users of our websites)
You can engage with us through social media websites. You may also choose to link your account with us to third party social media sites. When you link your account or engage with us on or through third party social media sites, you may allow us to have ongoing access to certain information from your social media account (e.g., name, e-mail address, photo, gender, birthday, the posts or the 'likes' you make).
16. Privacy and Data Protection Office and Data Protection Officers
James Hardie has established a Privacy and Data Protection Office with data protection experts located in the United States, the European Union and Australia. In addition, for Germany, James Hardie has appointed a Data Protection Officer.
If you have any questions regarding the processing of your personal data or if you believe your privacy rights have been violated, please contact us at:
|Privacy and Data Protection Office||Data Protection Officer Germany|
Attn: Privacy and Data Protection Office
Düsseldorfer Landstraße 395, 47259 Duisburg, Germany
Attn: Data Protection Officer
Düsseldorfer Landstraße 395, 47259 Duisburg, Germany
The version of this Privacy Statement is dated 17 July 2018 and it replaces the Privacy Statement dated 10 April 2018. We may from time to time revise this Privacy Statement. We will make the revised Privacy Statement available on our websites. If we make a material change to the policy, we will provide you with an appropriate notice in accordance with legal requirements. Our current customers and suppliers, as well as our registered website users, will be informed about the changes beforehand.
This privacy statement applies to those entities belonging to the James Hardie group listed below that process your personal data. This privacy statement shall also apply to any entities not listed, to the extent this privacy statement is referenced as being applicable.
Information regarding your rights to object
Your objection may be made informally. Please direct your objection to:
|Privacy and Data Protection Office||Data Protection Officer Germany|
Attn: Privacy and Data Protection Office
Düsseldorfer Landstraße 395, 47259 Duisburg
Attn: Data Protection Officer
Düsseldorfer Landstraße 395, 47259 Duisburg