Employee Privacy Notice

Effective date: October 21, 2024

At Abalta Technologies Inc. and our subsidiaries (“Abalta,” “we” “our,” or “us”), we are committed to the proper handling of the Personal Information collected or used in connection with your employment with us. We provide the following notice to all Abalta employees, job applicants, and independent contractors residing in US and in the European Economic Area.

This Notice describes the categories of Personal Information we collect and the purposes for which we collect and use that information. It also provides information concerning the company’s record retention practices and rights you may have as a California resident under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), and/or rights you may have as a citizen or resident of the European Economic Area under the General Data Protection Regulation (“GDPR”).

The CCPA defines “Personal Information” as categories of information that identify, relate to, describe, or are reasonably capable of being associated with, or can reasonably be linked, directly or indirectly, to a particular individual or household.[1] The GDPR defines “Personal Data” as any information which is related to an identified or identifiable natural person. When we use “Personal Information” in this Notice, we include the definitions under both CCPA and GDPR.

As a preliminary matter, we do not sell or otherwise disclose your Personal Information for monetary or other consideration to third parties. We may provide your Personal Information to those providing services for us, such as our benefits administrators or other entities that need the information to provide a business function for us, or to government agencies (such as taxing authorities and the social security administration).

1. Sources of Personal Information

Our sources of Personal Information can be directly from you, or we may also combine Personal Information collected from other sources with the Personal Information you provide to us. In some instances, Personal Information may be collected automatically, such as in connection with your use of the internet on company devices, or via key card access. The sources of your Personal Information may include:

You
Recruiters
Prior employers (eg., for references)
Professional references you provide to us
Educational institutions
Pre-employment screening services
Job posting and talent acquisition sites or services (e.g., LinkedIn, Indeed, etc.)
Credentialing and licensing organizations
Publicly available resources including your social media profile (e.g., LinkedIn, Twitter, Facebook) or your current employer’s website
Third parties as necessary for providing you with benefits and ancillary services
Your Abalta-owned or Abalta-controlled device (such as computers and phones)
Other sources as directed by you.

2. Personal Data Collected

This section describes what information we collect from you.

Category of Personal Information	Examples of Information Collected in this Category	Sources of Personal Information	Collected?	Sold or Shared
Identifiers	Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers.	YOU AUTOMATICALLY THIRD PARTIES	Yes	No/No
Personal information described in California Civ. Code § 1798.80(e) (the Customer Records statute)	Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information in this category may overlap with other categories.	YOU THIRD PARTIES	Yes	No/No
Characteristics of protected classifications under	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or credit, marital status, medical condition	YOU	Yes	No/No
California or federal law	(AIDS/HIV status, cancer), physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information), political activities or affiliations, familial status, source of income status, status as a victim of domestic violence, assault, or stalking.	THIRD PARTIES
Commercial information	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	YOU AUTOMATICALLY	Yes (for reimbursement of expenses or other submissions)	No/No
Biometric Information	An individual’s genetic, physiological, biological or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA) or activity patterns that can be used to establish individual identity, including images of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health or exercise data that contain identifying information.	YOU AUTOMATICALLY	Yes (audio and video of public work areas may be collected in some instances, or recordings kept for quality assurance)	No/No
Internet or other electronic network activity information	Browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.	AUTOMATICALLY	Yes	Yes/Yes (some analytics may be provided to third parties handling internet traffic)
Geolocation data	Physical location and/or movements	YOU AUTOMATICALLY	Yes (for company owned devices or devices accessing company systems)	No/No (but if location services are enabled on your device, other apps may push ads to you based on your location)
Sensory data	Audio, electronic, visual, thermal, olfactory, or similar information.	AUTOMATICALLY THIRD PARTIES	Yes (audio and video of public work areas may be collected in some instances, or for quality assurance)	No/No
Professional or employment related information	Current or past job history or performance evaluations	YOU THIRD PARTIES (e.g., from references)	Yes	No/No
Non-public education information (per the Family Educational Rights and Privacy Act – 20 U.S.C. § 1232g, 34 CFR Part 99)	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	YOU THIRD PARTIES (to verify degrees or for background checks)	Yes	No/No
Inferences drawn from other personal information	Information used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	YOU THIRD PARTIES	Yes	No/No
Sensitive Personal Information	Social security number, driver’s license number, account log-in, debit, or credit card number in combination with password or PIN, precise geolocation (less than 1850 sf radius), racial/ethnic origins, religious or philosophical beliefs, union membership, contents of e-mails or texts to others, genetic/biometric data, health information, sex life/sexual orientation data.	YOU AUTOMATICALLY (for geolocation related to company devices/company network access)	Yes	No/No

3. How We Share Personal Data

Service Providers

We share your Personal Information with our third-party service providers who provide services such as payroll and benefits processing, rewards and recognition, surveys, information technology, customer service, email delivery, auditing, and other services.

Other

Aside from the instances described above, we may share your Personal Information:

to comply with the law;
to respond to claims or comply with legal process served on Abalta (e.g., a lawful subpoena, warrant, or court order);
to enforce or apply our policies or agreements;
to protect and defend our rights or property or that of our customers, employees, visitors, or the public;
in connection with a business transfer, sale, liquidation, or merger;
if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure; and
to other parties only with your consent.

4. Use of Your Personal Information

We use the information collected for the business purposes stated below:

For Job Applicants:

To recruit employees, including evaluation of marketing and job offering services, website traffic, and referral sources;
To process your application for employment;
To conduct employment-related background screening and/or reference checks;
To send you correspondence and information relating to your application or your employment with Abalta;
To verify your identity, citizenship, or legal right to work for Abalta, or to assist or cooperate with obtaining relevant immigration documents;
To verify your educational background and/or degrees, certifications, or qualifications for the position you apply for;
To verify your prior employment;
To offer you employment with Abalta;
For testing, evaluation and/or reporting metrics, including but not limited to aggregating or anonymizing such information for workforce analytics, data analytics, and benchmarking;
To comply with applicable law or regulatory requirements, including legal requirements under state and federal law, law enforcement investigations or inquiries, as well as internal company reporting obligations, such as diversity, equity and inclusion initiatives and/or Equal Employment Opportunity Act reporting obligations;
To detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity;
For quality assurance purposes, including call monitoring or customer service, and debugging to identify and repair errors that impair existing intended functionality;
For auditing related to a current interaction with the applicant or employee and concurrent transactions, including, but not limited to, counting impressions to unique visitors, verifying positioning and quality of impressions, and auditing compliance with this and other standards;
To analyze the effectiveness of placement of job listings and job descriptions;
For fraud prevention; and
For internal research for technological development and demonstration; and
For other purposes stated at or before the time of collection of the information.

For Past and Current Employees and Independent Contractors:

All of the above, plus:

To track time and attendance;
To administer employee benefits, such as medical, dental, commuter and retirement benefits, including the recording and processing of eligibility of dependents and beneficiaries, absence and leave monitoring, insurance and accident management, and rewards or discount programs offered to employees;
To provide healthcare-related services, such as accommodations and/or services based on eligibility (e.g., disability, worker’s compensation, medical condition);
To provide payroll, invoice, and tax services, including reimbursement for expenses, salary administration, payroll management, payment of expenses, payment of state and/or federal income taxes (if applicable), social security and unemployment taxes, and to administer other compensation-related payments, including bonuses and equity, if applicable;
To conduct performance-related reviews, including performance appraisals, professional development, career planning, skills monitoring, job moves, promotions and staff re-structuring;
To monitor work-related licenses and credentials and ensuring compliance, training, examination and other requirements are met with applicable regulatory bodies or governing agencies;
To provide employees with other employment-related services, such as handling of employees’ claims, travel for Abalta, moving or relocation services, or administration of separation from employment;
To assist you in case of an emergency, including maintaining contact information for you, your partner or spouse, and/or your dependents in case of personal or business emergency;
To maintain the safety and security of our employees, contractors, visitors and others, including maintenance of security on Abalta websites, apps, intranets and/or extranets (such as monitoring email and internet access, and ensuring secure network access and data integrity), maintenance of physical security (including controlled entry to Abalta worksites and/or real estate assets), monitoring of worksite locations and/or real estate assets, including using biometrics or location monitoring for keys, key fob or key card entry to Abalta property, ensuring that employees, contractors and visitors comply with all applicable safety regulations;
In connection with audiovisual surveillance of public spaces;
For internal company directories;
For video presentations, interviews, training materials, and/or web conferences within the scope of your employment or contract;
For the tracking of Abalta-owned or Abalta-leased vehicles, computers, equipment, and devices, including, but not limited to, remote deletion of Abalta data on business or personal devices;
For verification of proper use of Abalta resources;
To facilitate a better working environment;
To maintain commercial insurance policies and overages, including for workers’ compensation and other liability insurance; and
For other purposes stated at or before the time of the collection of the information.

Further, please note that under the CPRA, we may use your Personal Information for Abalta business or other notified purposes, provided that the use of Personal Information is reasonably necessary and proportionate to achieve the operational purpose for which the Personal Information was collected or processed.

5. Collection and Use of Sensitive Personal Information:

We only collect your Sensitive Personal Information in order to enroll and administer benefits to you, to fulfill our contract with you, and for general human resource purposes. We do not collect your Sensitive Personal Information for the purpose of inferring characteristics about you.

6. Retention Schedule

We retain information related to applications for employment until the job is filled or for 60 days after your application. If you are not hired by Abalta, we do not keep your Personal Information, and your Personal Information will be deleted within 30 days after the position has been filled. Applicable law may require us to keep information for applicants for longer periods of time for compliance with federal or state law.

We retain information related to your employment for the term of your employment and for 7 years after your separation from the company. Some information, such as contact information, tax information, or historical information about your employment with Abalta, may be retained indefinitely for the integrity of our databases and our reporting requirements.

Third Parties with whom you have directly shared information during the term of your employment (e.g., benefits organizations) may have a different retention schedule for the information you have provided to them.

7. Your Rights Under the CCPA

Under the CCPA, you have several rights concerning the Personal Information collected by us. Upon the receipt of a verifiable employee request, we will use commercially reasonable efforts to honor your exercise the rights below, unless there is a business reason exception, or if your exercise of the rights is impossible or otherwise involves a disproportionate effort. We will let you know in writing if we are unable to process your request.

California residents have the following rights:

To know the categories of Personal Information being collected about you, the purposes for which the categories of information are collected or used, and whether that information is sold or shared;
To know if sensitive Personal Information is being collected about you, the categories of sensitive Personal Information being collected, the purposes for which the categories of sensitive Personal Information are collected or used, and whether the sensitive Personal Information is sold or shared;
To know the length of time we intend to retain each category of Personal Information;
To know whether your Personal Information is sold or disclosed and to whom;
To access your Personal Information;
To delete the information you have provided to us, with certain exceptions;
To correct your Personal Information if it is inaccurate;
To limit the use of your sensitive Personal Information;
To reject automated decision making and profiling;
To access information about automated decision making;
To opt out of the sale or sharing of your Personal Information; and
Not to be discriminated against, even if you exercise your privacy rights.

Please note that if we collected information about you for a single one-time transaction and do not keep that information in the ordinary course of business, that information will not be retained for purposes of a request under this section. In addition, if we have de-identified or anonymized data about you, we are not required to re-identify or otherwise link your identity to that data if it is not otherwise maintained that way in our records.

You may also view the additional rights for California residents here and the methods to exercise these rights.

8. Your Rights Under GDPR and the EU-U.S. Data Privacy Framework

If you are an employee or past employee located in the EU, we will ensure that your personal data is adequately protected by this Notice and the “Your Rights and Choices” section of the Privacy Policy and complies with the relevant legal and regulatory requirements.

Abalta Technologies Inc. complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) as set forth by the U.S. Department of Commerce. Abalta Technologies Inc. has certified to the U.S. Department of Commerce that it adheres to EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Abalta Technologies Inc. collects the types of employee personal data identified in the “Personal Data Collected” section above, and processes that data for the purposes set out in the “Use of Your Personal Information” section above. Your individual rights and choices are set out in the “Your Rights and Choices” section of the Privacy Policy and may differ from your rights under the DPF. That section includes applicable choices relating to Marketing, as well as accessing, updating and deleting your information. Abalta Technologies Inc. will make reasonable efforts to accommodate employee privacy preferences.

In compliance with the EU-U.S. DPF, Abalta Technologies Inc. will provide (a)(i) recourse for individuals to whom the employment data relate; (a)(ii) follow-up procedures for verifying that the attestations and assertions it has made about its privacy practices are true, and (a)(iii) obligations to remedy problems arising out of any failure to comply with the Principles. Abalta Technologies Inc. elects to satisfy the requirements in points (a)(i) and (a)(iii) by its commitment to cooperate and comply with the advice of the panel established by the EU Data Protection Authorities (“DPAs”) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF in the context of the employment relationship. Abalta Technologies Inc. further agrees to cooperate with the DPAs in the investigation of resolution of complaints brought under the Principles and will comply with any advice given by the DPAs where the DPAs take the view that Abalta Technologies Inc. needs to take specific action to comply with the Principles, including remedial or compensatory measures for the benefits of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken. EU individuals with inquiries or complaints should first contact Abalta Technologies Inc. as set forth in the Contact Us section below before proceeding to independent recourse mechanisms. Under the EU-U.S. DPF, we will provide a response within 45 days.

Abalta Technologies Inc. has further committed to refer unresolved DPF Principles-related complaints to the EU DPAs. You may submit a complaint directly to your local data protection authority (i.e., EU/EEA Member State data protection authority. Your data protection authority may refer your complaint directly to the U.S. Department of Commerce’s International Trade Administration on your behalf. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf. Additional information on the binding arbitration mechanism is available here for EU/EEA individuals. There is no fee to file for DPF Annex I Binding Arbitration, but if you choose to hire representation, attorneys’ fees are not covered costs under this mechanism.

Abalta Technologies Inc is responsible for the processing of personal information it receives under the EU-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. As a result, Abalta Technologies Inc. complies with the EU-U.S. DPF Principles for all onward transfers of personal

data from the EU, including the onward transfer liability provisions. To transfer personal data to a third party acting as an agent, Abalta Technologies Inc. certifies that it will (i) transfer such data only for limited and specific purposes, (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles, (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles,(iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles, (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing, and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce, upon request.

Abalta Technologies Inc. is subject to the investigator and enforcement powers of, as applicable, the Federal Trade Commission. Abalta Technologies Inc. may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

9. Contact Us

If you are a current employee, you are required to keep your Personal Information updated. To update your Personal Information or if you have any questions regarding this Notice or the collection and processing of your Personal Information, please contact hr@abaltatech.com.

[1] Please note that the CCPA’s definition of Personal Information does not include the following:

Publicly available information lawfully made available to the general public from federal, state, or local government records (information is not publicly available if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained);
De-identified or aggregated consumer information;
Personal Information excluded from the CCPA’s scope, such as health or medical information covered by the Health Insurance Portability and Accessibility Act of 1966, the California Medical Information Act or clinical trial data; or
Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act or California Financial Information Privacy Act, and the Driver’s Privacy Protection Act of 1994.