Personal Data Protection Policy
BOMBARDIER AVIATION DATA AND PRIVACY POLICY
Last updated on December 9, 2024
1. Purpose of the Policy
1.1 This Personal Data Protection Policy (the “Policy”) reaffirms the general principles governing Bombardier regarding Personal Data protection. It is intended to provide the necessary guidelines to ensure Bombardier complies with Personal Data Protection Laws. It defines the roles and responsibilities of Employees who must implement the principles set out in the Policy.
2. Scope
2.1 The Policy applies to Bombardier Inc. and its entities worldwide (including joint ventures where Bombardier has a majority/controlling interest) (“Bombardier” or the “Company”), and to its employees and contractual resources (“Employees”). It also applies to Bombardier’s service providers and suppliers who process Personal Data on its behalf (each a “Service Provider”).
3. Definitions
- Data Privacy Officer (“DPO”): The person appointed by Senior Management responsible for the protection of Personal Data and the implementation of Bombardier’s Privacy & Data Protection Program.
- Data Subject: Any individual who is the subject of the Personal Data being handled.
- Personal Data: Any data related to an individual that directly or indirectly identifies them, including but not limited to name, age, identification numbers, financial information, IP addresses, and cookies.
- Personal Data Protection Laws: Laws applicable worldwide, including GDPR, PIPEDA, and other relevant legislation.
- Privacy Incident: Unauthorized access, use, or disclosure of Personal Data.
- Processing of Personal Data: Any action related to the collection, use, disclosure, retention, and destruction of Personal Data.
- Sensitive Personal Data: Data such as social security numbers, biometric, genetic, health data, political opinions, and sexual orientation.
4. Policy Content
4.1 Application of Personal Data Protection Laws
This Policy follows internationally accepted principles. If a country’s laws impose stricter rules than this Policy, those laws will take precedence.
4.2 Privacy Principles
- Accountability: Bombardier is responsible for Personal Data under its control.
- Lawfulness, Fairness, and Transparency: Data is processed lawfully and fairly.
- Purpose Limitation: Data is collected for specified, legitimate purposes.
- Necessity: Data processing is limited to what is required for its purpose.
- Accuracy: Data is kept accurate and up-to-date.
- Retention Limitation: Data is not kept longer than necessary.
- Security and Confidentiality: Data is protected by security measures.
- Access Limitation: Data access is limited on a “need-to-know” basis.
4.3 Legitimacy of Processing
- Consent: The Data Subject has given consent.
- Contract: Processing is necessary for contract performance.
- Legal Obligation: Required for compliance with legal obligations.
- Vital Interest: Required to protect an individual’s vital interests.
- Public Interest: Processing is necessary for public tasks.
- Legitimate Interests: Necessary for Bombardier or third-party interests.
4.4 Personal Data Lifecycle
- Collection: Data is gathered by lawful means.
- Use and Access: Data is used for intended purposes only.
- Disclosure: Data is disclosed to third parties only when necessary.
- Retention and Destruction: Data is deleted when no longer needed.
4.5 Privacy Impact Assessment (PIA)
When required, Bombardier conducts PIAs to assess and mitigate data protection risks.
4.6 Personal Data Confidentiality and Security
Personal Data is treated confidentially and protected against unauthorized access, modification, or loss.
4.7 Rights of the Data Subject
- Right to access and rectify data.
- Right to request deletion and withdraw consent.
- Right to object to data processing.
4.8 Sanctions
Non-compliance with this Policy may result in disciplinary measures up to termination.
5. Policy Approval & Overall Responsibility
5.1 Approval Authority: The Senior VP, General Counsel, and Corporate Secretary approve this policy.
5.2 Delegation of Authority: This Policy falls under Category C and is approved by the most senior responsible executive.
5.3 Roles and Responsibilities
- Data Privacy Officer (DPO): Implements and enforces this Policy.
- Chief Information Security Officer: Ensures security measures.
- Chief Information Officer: Implements data security measures.
- Global Chief Security Officer: Ensures physical security.
- Human Resources: Conducts privacy awareness training.
- Corporate Audit Services: Audits policy compliance.
- Employees and Service Providers: Ensure data protection compliance.
6. Periodic Review
This Policy is reviewed every two (2) years by the DPO.
If you have any questions or suggestions about this privacy statement or about how we use your personal data, please contact us at:
Corporate Legal Affairs
Phone: +1 (514) 855-5001
Email: corporatelegalaffairs@bombardier.com
Please let us know if you are unhappy with how we use your personal data. We will respond to your complaint within 30 days.