Privacy Statement

1. Introduction

At James Hardie we are committed to maintaining the accuracy, confidentiality and security of personal data. This Privacy Statement describes, inter alia, the categories of personal data we process, how your personal data may be processed, for what purposes and on what legal basis we process your data and how your privacy is safeguarded. Please read this Privacy Statement carefully to understand our views and practices regarding your personal data and how we treat it.

The James Hardie group is made up of different individual companies. Whenever dealing with one of our group companies, the “controller” of your personal data will be the company that decides why and how your personal data is processed alone or jointly with another James Hardie group entity or group entities. For a list of the James Hardie group companies for which this privacy statement is relevant, please have a look at section 18.

Where this privacy statement refers to “we”, “us”, “our” or “James Hardie”, this refers to the James Hardie group company (or companies) processing your personal data as controller under the GDPR.

James Hardie processes different categories of personal data in the normal course of its business. Such personal data may relate to individuals working for prospective and existing vendors and customers including employees working for parties such as dealers, distributors, architects and housebuilders. Personal data may also relate to individuals visiting our websites, downloading our online applications, connecting with us through social media or at business events or calling our telephone lines.

As a general rule, James Hardie only collects and processes personal data if there is a lawful justification to do so. This includes necessity for the performance of a contract or service offered by us, our legitimate interest to process the data or based on consent given.

 

2. From whom and how may we collect personal data?

We may collect and process data about the following categories of data subjects:

  • Former, current and potential customers, including, without limitation, dealers, distributors, retailers, channel partners, contractors, architects and end-users (collectively, “Customers”);
  • Former, current and prospective individuals providing goods and services to us, including, without limitation, temporary agents, contractors, outsourcers, consultants, experts, board members, auditors, dealers, distributors, suppliers, and vendors (collectively, “Suppliers”);
  • Entrants to sponsored competitions;
  • Complainants, correspondents and enquirers;
  • Current, former and prospective shareholders;
  • Claimants or defendants in current or prospective litigation;
  • Marketing contacts, journalists, trade association and lobbying contacts; and
  • Individuals visiting our websites, downloading our online applications, connecting with us through social media or at business events or calling our telephone lines.

We collect this personal data because you have given this to us:

  • by entering information on one of our websites;
  • when we visit your stores;
  • via our mobile applications;
  • via social media platforms;
  • when corresponding with us by phone, email or otherwise;
  • by entering competitions run by us;
  • by taking surveys undertaken by us or on our behalf;
  • when signing up to receive newsletters, promotions and other notifications;
  • when participating in promotional events, seminars or trainings; and
  • when you open an account with us.

Or we may collect this personal data about you ourselves:

  • because you have allowed your data to be shared as part of your company website, public profile, third party social network or other website that you operate or use;
  • because you have allowed your data to be shared on online registers, professional platforms and websites for the purpose of getting into contact with third parties including Suppliers and Customers;
  • because your information is otherwise publicly available, for example with regards to journalists, trade association or lobbying contacts;
  • because you have visited our websites, where we may track, for example, traffic data, location data, weblogs and other communication data, and the resources you access;
  • technical information including anonymous data collected by the hosting server for statistical purposes, the Internet Protocol (IP) address used to connect your computer or device to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.

 

3. What data do we collect?

The data that we may collect and process includes for example:

  • Name;
  • Contact information (address, phone number, fax, email);
  • The company for whom you work;
  • Job title(s) and/or function(s);
  • Department and/or business unit;
  • Your signature;
  • Customer records (purchase history, after sale services, warranty history, buying preferences etc.);
  • Technological data (IP addresses and data stored in cookies – see section 12 below for more information on cookies);
  • Geo-location data, for example, when you sign for delivery using a mobile device and have activated the feature on your mobile device that allows us to locate you via GPS;
  • Credit rating and bank details;
  • Credit limit and payment terms;
  • Identification data in official identification documents if permitted by national law;
  • Sales information relating to the sale of products or services;
  • Portraits (e.g. photograph);
  • Correspondence or other communications with you about our products, services or business.

 

4. For what purposes do we use personal data?

We use the information we may hold on you for the following purposes:

  • customer service purposes, including to provide products and services to Customers; to take, verify, process, and deliver orders and returns; to invoice and process payments; to manage credit limits; for warranty, technical support, or other similar purposes; and to establish and maintain Customer accounts;
  • communication with Customers, including to respond to requests for assistance and to update them about the status of their orders by postal mail, email, telephone, and/or text message;
  • administration purposes, including to understand how Customers access and use our websites (so called website analytics, see section 13 below for further information) and social media platforms (see section 15 below for further information);
  • interest based online marketing (targeting; see section 12 for further information);
  • marketing and promotional purposes, including through email or equivalent electronic means, to send news and newsletters, special offers and promotions, or to otherwise contact Customers about products, services or information;
  • to review and fulfill orders, purchasing or sales history from Suppliers; to exchange information, including performance indicators, about goods or services; and to organize seminars, events, training courses and marketing activities;
  • to enable administration for the entity structure, management and management reporting, administration of organization contacts;
  • to update, rectify, block or erase personal data when appropriate; to permit data subjects to access and review their personal information; and
  • research purposes, including in relation to market and industry research customer experience; to be used in daily correspondence (e.g. email messages, letters, etc.); compliance with applicable legal obligations, including to respond to a court order; and to permit risk management, compliance, legal and audit functions.

 

5. Legal basis for processing data

We process your personal data on the following legal basis:

Legal basis Type of processing (examples)

Legitimate interests

Our legitimate interests are:

  • to run, promote and grow our business;
  • business development, marketing and market research;
  • to service and know our Customers and the market we are operating in.

Type of processing (examples):

  • day-to-day communication with Customers, Suppliers and other individuals by postal mail, email, telephone, and/or text message; including to respond to inquiries and for warranty, technical support, or other similar purposes;
  • managing credit limits of Customers;
  • to provide updates to you on James Hardie group companies;
  • When James Hardie group companies cooperate to provide operational, IT, Human Resources, finance, marketing and customer service services to other group companies;
  • To help protect the security, integrity and availability of our products, systems and services;
  • for market research in order to improve our products and/or services and to gain a better understanding of the market;
  • to organize seminars, events, training courses and marketing activities;
  • for prevention of fraud and other criminal activities;
  • to verify the accuracy of data that we hold about you and create a better understanding of you; to comply with a request from you in connection with the exercise of your rights under the GDPR;
  • processing data you give us about your customers for the purposes for which you provide us with that data and as a record of any sale and delivery;
  • making deliveries to you and your customers;
  • to enable administration for the entity structure, management and management reporting, administration of organization contacts;
  • to provide marketing to you including through email or equivalent electronic means, to send news and newsletters, special offers and promotions, or to otherwise get in contact about products, services or information;
  • When James Hardie group companies combine products, services, systems, databases and companies, for purpose of continuity of the business and running a central and effective administration. This may, for example, occur when data residing in a marketing or CRM system of one James Hardie group company, such as Fermacell GmbH, is combined with and/or migrated to a marketing or CRM system of another James Hardie group company such as James Hardie Europe B.V.
  • to provide digital tools or features to our customers and users of our websites;
  • for profiling and statistical analysis. We may for example combine different categories of personal information that we collect about you online or through the buying of our goods;
  • when you browse our website, we may use certain cookies;
  • when you visit our social media platforms, to be able to connect with you;
  • Under certain circumstances, to use your photograph, video or credentials;
  • for the exercise or defense of legal claims.

Performance of a contract

The personal information you provide may be processed when it is necessary in order for us to:

  • enter into or perform a contract with you or take the necessary steps for us to enter into or perform a contract with you;
  • supply you with any products or services; or
  • where you are in discussions with us about any new product or service.

Type of processing (examples):

  • making deliveries to you and your customers;
  • to establish and maintain Customer accounts; to take, verify, process and deliver orders and returns; to invoice and process payments;
  • to place and manage orders with Suppliers; to process invoices and make payments; to exchange information, including performance indicators, about goods or services;
  • day-to-day communication with Customers and Suppliers by postal mail, email, telephone, and/or text message; including to respond to inquiries and for warranty, technical support, or other similar purposes;
  • when you enter an on-line competition or promotional feature, to administer the competition or promotion and notify winners;
  • for the exercise or defense of legal claims.

Compliance with legal obligations

Where we are under a duty to disclose or share your personal information in order to comply with applicable law or with a request from government or law enforcement officials.

Type of processing (examples):

  • to meet national security or law enforcement requirements or to prevent illegal activity;
  • to identify you when you contact us;
  • to verify the accuracy of data we hold about you;
  • to meet transparency obligations imposed on us by law.

Consent

Where we rely on your consent as the legal basis for processing your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this Privacy Statement. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.

Type of processing (examples):

  • to provide marketing to you including through email or equivalent electronic means, to send news and newsletters, special offers and promotions, or to otherwise get in contact about products, services or information, but only if we do not rely on another legal basis such as legitimate interest;
  • when you allow us to use your photograph or video or when you have given us credentials which we would like to use for business purposes.

6. Who has access to your personal data?

If this is permitted by applicable data protection laws, your personal data transferred may be disclosed to the following recipients or categories of recipients:

  • Authorized persons working for or on behalf of us (e.g. persons working in operations, IT, human resources, finance, marketing and customer service positions);
  • Agents, service providers and advisers that we engage (e.g. James Hardie Group companies and third party vendors and advisers providing services in connection with marketing, customer service, transport, personal data storage, back-up and analytics, application development, payment and credit cards, procurement, and compliance vetting);
  • Our partners, to offer joint products and services to you in connection with our products and services, or when such partners sponsor or participate in our events and conferences.
  • Other authorized third parties in connection with a potential sale, divestiture, or transfer of a James Hardie group company or companies (including any shares in the company) or any combination of its products, services, assets, affiliates, and/or businesses.
  • With third parties, to enforce our terms, agreements, policies or rules, to help protect the security, integrity and availability of our products, systems and services; to exercise or protect James Hardie group company rights and property (including intellectual property), to comply with legal requirements, or in other cases if we believe in good faith that disclosure is required by law (including in response to a lawful subpoena or other law enforcement request).
  • Law enforcement or government authorities where necessary to comply with applicable law.

If this is permitted by applicable data protection laws, your personal information may be shared with and processed by other members within the James Hardie group including but not limited to the entities in section 18. This may occur, for example:

  • When James Hardie group companies cooperate to provide operational, IT, Human Resources, finance, marketing and customer service services to other group companies;
  • To help protect the security, integrity and availability of our products, systems and services;
  • When different James Hardie group companies jointly develop products and services; and
  • When James Hardie group companies combine products, services, systems, databases and companies. This may for example occur when data residing in a marketing or CRM system of one James Hardie group company is combined with and/or migrated to a marketing or CRM system of another James Hardie group company.

Where other members of the James Hardie group or these third parties act as a “data processor” they carry out their tasks on behalf of the data controller and upon its instructions for the above-mentioned purposes.

 

7. International transfers

When sharing data with other members within the James Hardie group or with third parties, it may happen that your personal data is collected and processed in a jurisdiction outside of Europe. If those jurisdictions do not have adequate protection (as determined by the European Commission, Art. 45 GDPR), we ensure prior to the transfer that the transfer is either subject to appropriate safeguards, for example by self-certification of the recipient for the EU-US Privacy Shield (for US recipients only) or by entering into so-called standard data protection clauses of the European Union with the recipient.

You are entitled to receive an overview of third country recipients and a copy of the specifically agreed-to provisions securing an appropriate level of data protection. For this purpose, please contact us using the contact information in section 16.

 

8. Security of your information

To help protect the privacy of personal data, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We generally try to restrict access to your personal data to those individuals working for James Hardie Group companies that have a need to know that information and always in compliance with applicable law.

In addition, we train the people working for us about the importance of confidentiality and maintaining the privacy and security of your personal data. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities.

Please be aware, though, that despite our efforts, no security measures are perfect or impenetrable. We cannot ensure, and do not warrant or guarantee, that the information you transmit to us will remain secure, nor do we guarantee that this information will not be accessed, disclosed, altered, destroyed or used in an unauthorized manner.

If we learn of a security breach, we may attempt to notify you electronically so that you can take appropriate protective steps. We may also post a notice on our website if a security breach occurs. Depending on where you live, you may have a legal right to receive a notice of a security breach in writing.

 

9. Data storage and retention

Your personal data may be stored in different assets including but not limited to our CRM and ERP systems, email clients, James Hardie's servers, and on the servers of the (cloud-based) services James Hardie engages, located in the United States, Australia and in countries in the European Union. Where this is feasible we will try to encrypt your personal data at storage and during transmission.

Except as otherwise permitted or required by applicable law or regulatory requirements (in particular, data retention periods), James Hardie endeavours to retain your personal data only for as long as it is necessary to fulfil the purposes for which the personal data was collected. We will also retain and use your information for as long as necessary to resolve disputes and/or enforce our rights and agreements. We retain account information of existing, former and prospective customers and vendors for as long as the account is active and thereafter for a period subject to statutory data retention periods. Non-personally identifiable and aggregated information may be stored indefinitely. Further details can be found in our data retention policy which is available on request.

 

10. Right to access, correct and delete your personal data and further data subject’s rights

The European Union’s General Data Protection Regulation and other countries’ privacy laws provide certain rights for data subjects.

Right of access and right to rectification: You have a right to request access to any of your personal data that James Hardie may hold, and to request correction of any inaccurate data relating to you.

Right to erasure: Provided the legal requirements are fulfilled, you may request deletion of your data. This does not apply to personal data which is subject to a statutory retention period or which is necessary for the establishment, exercise or defence of legal claims.

Right to lodge a complaint: You have a right to lodge a complaint with the appropriate data protection authority, in particular in the country of your residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes applicable law.

Right to restriction of processing: You have the right to restrict our processing of your personal data in certain cases.

Data portability: Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal data is processed by automatic means, you have a right to receive all personal data which you have provided to James Hardie in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.

Rights to object: Where we are relying upon legitimate interest to process data, then you have the right to object to such processing on grounds relating to your particular situation, and we must stop such processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defence of legal claims. Normally, where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis. You also have the right to object to the processing of your personal data for marketing purposes at any time. Please also see section "Information regarding your rights to object".

Right to withdraw consent: Where we are relying upon your consent to process data, you have the right to withdraw such consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. This would particularly apply to Cookies and we have implemented functionality on our website to support this.

 

11. Are you required to provide your personal data?

You may interact with us without providing any personal data to us. However, please note that in this case certain features or services might not be available to you.

 

12. Cookies (only relevant for users of our website)

Cookies. This website uses cookies. Cookies are small text files which a website may put on your computer or mobile device when you visit a site or page in order to, for example, provide language setting functionality, help analyze the website’s performance and recommend content relevant to your visit. Cookies are stored in your browser. The cookie will help the website, or another website, to recognize your device the next time you visit. Most cookies won’t collect information that identifies you as a person (personal data), and will instead collect more general information such as how visitors arrive at and use our website. Cookies may be used to create a profile of the visitor's activities on the Internet. You can find further information about this in section 13.

Information on the types and categories of cookies we use, and the way you can manage the usage of cookies by deactivating, rejecting or deleting them can be found in our Cookie Notice. You can also click our Cookie Settings button below to find out more.  

Tags. This website may use tags. A tag is a generic name for code elements found on our websites. Most tags simply describe the content of the page, but certain types of tags contain programmatic elements or inject dynamic content like video or audio files into the page. Some tags, in particular ones that add content or functionality from sources external to your domain, can carry privacy risks which require assessment and management. These are third party tags and in most cases they provide additional value to your website. However, you need to be aware of these, so that you can focus on where there are higher risks. Most of the cookies set on our websites will be set via these tags, but some tags may also collect data about you without the use of cookies.

 

13. Website analytics (only relevant for users of our website)

We use web analytics to measure the websites' activity and determine the areas of the websites which are the most visited, hence improving visibility of our content. For this we use the tool Google Analytics which is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). We use Google Analytics with the additional function offered by Google to anonymize IP addresses. While doing so, Google saves shortened IP addresses. You may object to the collection or processing of your data by using the following link to download and install a browser plugin: http://tools.google.com/dlpage/gaoptout?hl=en. Google Analytics uses cookies. Google is located outside the EEA but is certified under the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI).

 

14. Links to other websites (only relevant for users of our website)

Our sites may contain links to other sites not affiliated with us for your convenience. When you access those links, you will leave our website. We do not control such websites. These sites have their own policies and practices with respect to online privacy, and we cannot be held responsible for the privacy practices or the content of these unaffiliated sites. For avoidance of doubt, the personal data you choose to give to unrelated third-party websites are not covered by this Privacy Statement.

We may display advertisements from third parties. Such an advertiser may ask you for personal data as well. We cannot be held responsible for the privacy practices of the advertisers on our websites. However, we encourage our partners and advertisers to adopt privacy policies that respect the local legal requirements.

 

15. Social Media and other Platforms (only relevant for users of our websites)

You can engage with us through social media websites. You may also choose to link your account with us to third party social media sites. When you link your account or engage with us on or through third party social media sites, you may allow us to have ongoing access to certain information from your social media account (e.g., name, e-mail address, photo, gender, birthday, the posts or the 'likes' you make).

 

If you post information when you interact with our websites through social media sites, depending on your privacy settings, this information may become public on the Internet. You can control what information you share through privacy settings available on some social media sites. For more information about how you can customize your privacy settings and how third party social media sites handle your personal information, please refer to their privacy help guides, privacy notices and terms of use.

 

16. Privacy and Data Protection Office and Data Protection Officers

James Hardie established a Privacy and Data Protection Office with data protection experts located in the United States, the European Union and Australia. In addition, for Germany, James Hardie has appointed a Data Protection Officer.

If you have any questions regarding the processing of your personal data or if you believe your privacy rights have been violated, please contact us at:

Privacy and Data Protection Office
Europe (general)
Attn: Privacy and Data Protection Office
Düsseldorfer Landstraße 395, 47259 Duisburg, Germany
Dpo@jameshardie.com

Data Protection Officer Germany
Germany (only)
Attn: Data Protection Officer
Düsseldorfer Landstraße 395, 47259 Duisburg, Germany
datenschutz-fermacell@jameshardie.com

17. Version

The version of this Privacy Statement is dated 17 July 2018 and it replaces the Privacy Statement dated 10 April 2018. We may from time-to-time revise this Privacy Statement. We will make the revised Privacy Statement available on our websites. If we make a material change to the policy we will provide you with an appropriate notice in accordance with legal requirements. Our current customers and suppliers, as well as our registered website users will be informed about the changes beforehand.

 

18. Entities

This privacy statement applies to those entities belonging to the James Hardie group listed below that process your personal data. This privacy statement shall also apply to any entities not being listed to the extent this privacy statement is being referenced as being applicable.

Information regarding your rights to object

Objection to direct marketing

You may at all times object to the processing of your personal data for direct marketing purposes. Please take into account that, due to organizational reasons, there might be an overlap between your objection and the usage of your data within the scope of a campaign already running.

 

Objection to data processing on grounds relating to your particular situation

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning yourself. We will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Your objection may be made informally. Please direct your objection to:

Privacy and Data Protection Office
Europe (general)
Attn: Privacy and Data Protection Office
Düsseldorfer Landstraße 395, 47259 Duisburg, Germany
Dpo@jameshardie.com

Data Protection Officer Germany
Germany (only)
Attn: Data Protection Officer
Düsseldorfer Landstraße 395, 47259 Duisburg, Germany
datenschutz-fermacell@jameshardie.com