GE respects the privacy rights of individuals and is committed to handling Personal Information responsibly, in accordance with applicable law and GE’s Commitment to the Protection of Personal Information (the Commitment), described below. The Commitment sets out GE’s principles for the treatment of Personal Information subject to the European Data Protection Directive or analogous Member State legislation.
The Commitment establishes a legal basis for cross-border transfers of Personal Information within the GE Group (all wholly or majority-owned divisions of GE Company, including Electric Insurance Company and its subsidiaries). Additionally, GE may carry out cross-border transfers of Personal Information to third parties outside the GE Group in accordance with applicable law. GE will handle Personal Information in accordance with the Commitment where applicable, unless in conflict with stricter requirements of local law, in which case local law will prevail.
The Commitment establishes GE’s obligations concerning the processing of Personal Information subject to the European Data Protection Directive or analogous Member State legislation. Such Personal Information will be protected in accordance with that legislation regardless of geography or technology, when used within the GE Group.
Processing Personal Information
GE observes the following principles when processing Personal Information:
Fairness: GE will process Personal Information fairly and lawfully.
Purpose: GE will limit the processing of Personal Information to the fulfilment of GE’s specific, legitimate purposes. GE will only carry out processing that is compatible with such purposes unless GE has the unambiguous consent of the individual to process the data for unrelated purposes.
In general, GE will process Personal Information:
- where GE has a legitimate interest that, on balance, justifies the processing;
- where necessary for the maintenance or the performance of a legal relationship between GE and the individual;
- where necessary for complying with an obligation imposed on GE by applicable law, regulation, or governmental authority;
- where there are exceptional situations that threaten the life, health or security of the individual or of another person; or
- after obtaining the individual’s freely given, explicit and informed consent where required by applicable law.
Where consent has been obtained, GE will provide a process to allow individuals to withdraw their consent in accordance with applicable law, at any time and without charge.
Proportionality: GE will limit the processing of Personal Information to that which is adequate, relevant and not excessive in relation to the purposes for which GE collects and uses it. Further, GE will make reasonable efforts to limit Personal Information to the minimum necessary for these purposes.
Information Quality: GE will take reasonable steps to ensure that Personal Information is accurate and kept up to date, to keep Personal Information only for as long as necessary for the purposes for which it is collected and used, and to delete or to render it anonymous after such retention requirements have been met.
Transparency: Where required by applicable law, GE will make available to individuals at the point of collection, or within a reasonable period of collection, information about GE’s identity; the purposes and nature of processing their Personal Information; intended recipients and cross-border data transfers; source(s) of Personal Information; how individuals may exercise their rights regarding Personal Information; and additional explanations as needed to ensure fair processing. Where GE collects Personal Information through the Internet or other electronic means, GE will post an easily accessible privacy notice with these elements.
Confidentiality: GE will maintain the confidentiality of Personal Information it processes, except where disclosure is required by an applicable operational or legal requirement. This obligation will continue even after the relationship with the individual has ended.
Security: GE strives to protect Personal Information with appropriate technical and organizational measures to ensure its integrity, confidentiality, security and availability.
Sharing and/or Transferring Personal Information
GE may share or transfer Personal Information in the following circumstances:
- Personal Information may be shared within the GE Group for the purposes specified above, provided the GE Group entity processing Personal Information adheres to the Commitment.
- GE may transfer Personal Information to third parties hired to perform services on GE’s behalf, subject to applicable law. The third parties will have access to Personal Information solely for the purposes of performing the specified services and may transfer Personal Information globally in accordance with the principles specified in the Commitment and with GE’s instructions, including a relevant data transfer mechanism. GE will select reliable third parties and will strive to ensure that new supplier engagements provide for processing and security of Personal Information in accordance with the Commitment and applicable law.
- GE may disclose certain Personal Information to other third parties where required by law, to protect GE’s legal rights, or in an emergency where the health or security of any person is endangered.
- Personal Information will only be shared for a third-party’s research and/or promotional purposes with the consent of the affected individuals where required by law.
Processing of Sensitive Personal Information
Where GE processes and/or transfers Sensitive Personal Information GE will inform the individual of the processing and/or transfer and obtain explicit consent for such processing and/or transfer when GE is required to do so by law.
GE employs privacy practices designed to support its compliance with the Commitment and applicable law, including the appointment of a network of privacy leaders, education and awareness programs, incident response protocols, privacy impact assessments, audit routines and a Privacy by Design approach to process and system development.
An individual who has satisfactorily established his or her identity to GE may exercise the following rights in relation to Personal Information GE holds about him or her:
Access: Where required by local law, GE will provide an individual Personal Information about him or her that GE holds, including information concerning the source of the Personal Information, the purposes of any processing by GE and the recipients, or categories of recipients, to whom such Personal Information is disclosed.
Correction and Deletion: Valid requests for correction or deletion of Personal Information which is incomplete, inaccurate or excessive will be respected, except that deletion will not be performed where retention is required by the contractual relationship between GE and the individual, in the context of a legal dispute or other legal retention requirement, or as otherwise required by law.
Objection: GE will cease processing Personal Information where an individual’s objection is justified under applicable law, for example where the individual’s life or health is at risk due to the processing. An individual also has the right to object to decisions based solely on automated processing of Personal Information that produce legal effects which significantly affect the individual involved, except where the individual requested the processing, or when necessary for the legal relationship between GE and the individual. In the latter case, the individual may give his or her views on the automated decision. An individual has the right to object to processing of Personal Information by GE for marketing purposes where allowed by applicable law.
Complaints: Any individual who claims to have suffered damage as a result of non-compliance by a GE Group entity with the Commitment, including when committed by a GE Group entity located outside the European Union, may file a complaint with the applicable GE Group Privacy Leader or Compliance Officer, or with GE’s Complaint Handling Processes available on GE’s websites if other channels are unavailable or exhausted:
- Internal concern reporting: firstname.lastname@example.org
- External concern reporting: email@example.com
Enforcement: An individual who has suffered damage as a result of an unlawful processing operation or a breach of applicable privacy law or of the Commitment may be entitled to receive compensation for such damages from the European Union (EU) GE entity exporting Personal Information for the damage suffered. An individual may enforce his/her rights under applicable law and as provided in the Commitment, by direct recourse to the courts or other judicial authority in the jurisdiction of the EU GE entity exporting Personal Information or administratively before a competent Data Protection Authority. Where permitted under local law, GE may specify alternative mechanisms for resolving disputes.
Cooperation with Supervisory Authorities
GE will cooperate with any regulatory authority responsible for supervising applicable privacy laws that has good cause to question any processing of Personal Information by GE, and will comply with their legally binding decisions on issues related to the Commitment.
Changes to the Commitment
GE reserves the right to modify the Commitment. Any changes will be submitted to the relevant Data Protection Authority as required, and will be posted promptly on GE EU web sites once effective.
Personal Information is any information within the scope of the Commitment relating to an identified natural person or a person who may be identifiable by reasonable means that is obtained in the context of an individual’s relationship with GE. Such personal information may include employment data, customer data and supplier data.
Sensitive Personal Information, a special category of Personal Information, is information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, health or medical records and criminal records.