1. GENERAL

Use of our CemexHRM service and platform (the “Service”) involves the processing of data. We apply high standards to safeguard and provide adequate protection of any information relating to any identified or identifiable natural person ("Personal Data").

Our customers ("Subscribers") are requested to adopt an appropriate data processing scheme, which meets the requirements of international privacy law, including Article 28 GDPR, when using the Service. We will not process any personal data on behalf of Subscribers without such data processing arrangements which include explicit instructions on the processing to be undertaken. In consequence, our Subscribers have the benefit of remaining the genuine data controller. We act as a data processor on behalf of and subject to the Subscriber's directives.

The details of our commitment to data privacy and data security are set out in this Privacy Policy ("Policy"). The Policy covers the entire handling of Personal Data collected, received, used, processed or transferred in the course of the services offered by us through the Service. Please kindly note that we cannot accept any responsibility for any processing of Personal Data by Subscribers or individuals Subscribers given access to the Service (" Users ") and/or any the privacy practices of Subscribers or Users.

This Policy therefore solely applies to our handling of Personal Data through the Service on behalf of the respective Subscriber.

2. PLACE OF DATA PROCESSING

Our Service may be deployed on a world-wide basis. The data processing takes place on servers that are located within the territory of the United States of America.

We commit to resolve complaints about our collection or use of your personal information. If you have an unresolved privacy or data use concerns that we have not addressed satisfactorily, please contact our Privacy Officer at info@cemexHRM.com.

3. APPLICATION AND SERVICES

• A. Scope of data processing

The Service allows for the collection of information including Personal Data related to the Subscribers’ employees such as, name, employee ID, job title, remuneration, benefits, address, and manager. Further information may include data such as but not limited to race, gender, age or date of birth, performance rating, etc. Some personal data is afforded extra protection (under GDPR for example), which is called "Special Category Data." Such data includes race, gender, political opinions, health and trade union membership.

The Subscriber may input into the Service information including Personal Data. In addition Subscriber’s authorized Users may enter additional Personal Data into the Service when documenting an employment related issue.

It is the Subscribers' obligation as data controller to safeguard the use of the Service being adequately justified by either the affected data subjects' valid consent or statutory law. It is therefore our general expectation that Subscribers have appropriate privacy practices and notification procedures in place to permit the deploying of the Service. In addition, we will comply with our obligations as data processor, as set out in Article 28 GDPR in particular. Where acting as a data processor, we have a contract in place with the data controller ensuring the obligations under Article 28 are complied with.

• B. Relation to Data Subjects

In general, we will not have a direct relationship with the data subjects whose Personal Date is processed in the course of the Subscriber's deploying of the Service as we are processing the Personal Data as data processor on the Subscriber's behalf and subject to its directives. Data subjects are therefore asked to turn to the Subscriber in case of any queries regarding their Personal Data stored, processed, or disclosed in the Service.

Any concerns addressed to us will be conveyed immediately to the Subscriber that the Personal Data is allocated with. The Service itself and the services we offer to our Subscribers are designed in a way giving effect to all rights the data subject enjoys under the GDPR.

• C. Limitations, Corrections and Updates

The Service provides means for the collection, usage, processing or transfer of Personal Data being restricted upon the Subscriber's request. Detailed information on the available options is provided to the Subscriber.

Also, the Subscriber may correct and / or update any Personal Data stored in or processed through the Service at any time.

• D. Data Retention and Destruction

We will retain Personal Data for as long as needed (1) for providing the Subscriber with the services subscribed in connection with the use of the Service, or (2) the retention has been justified under the applicable law. In both cases, the data retention is based on the need-to-maintain principle in order to be able to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

In the event that the Subscriber no longer subscribes in connection with the use of the Service all data in the Service relating to that Subscriber (including all personal data of employees) will be permanently deleted and erased from the Service, its servers and back-ups within 7 days of the expiration of the subscription.

4. TECHNICAL AND ORGANIZATIONAL MEASURES

• A. GDPR

We have implemented appropriate technical and organizational measures in such a manner that processing will meet the requirements of Article 28 GDPR.

We have appointed a Data Protection Officer to provide expert advice and guidance and to monitor compliance with GDPR throughout the organization. Any comments or concerns should be directed to info@cemexHRM.com.

• B. Information Security

We have a robust Information Security Policy. For more information or to obtain a copy of the Information Security Policy, please email to info@cemexHRM.com.

5. DISCLOSURE OF INFORMATION FOR LAW ENFORCEMENT AND TO THIRD PARTIES

We may disclose Personal Data as required by law, when we believe in good faith that disclosure is necessary to protect our rights, protect the safety of our Subscribers, Users and data subjects whose Personal Data is stored in or processed through the Service, investigate fraud, or respond to a government request. We will do so only in compliance with applicable law. Further we will immediately notify the Subscriber of any such request or requirement (except to the extent otherwise required by law).

We will only disclose personal data to third parties other than law enforcement at the instruction of the Subscriber where there is a lawful basis to do so.

6. APPLICABILITY

This Policy applies to the gathering and dissemination of Personal Data for the purposes of the Service and supersedes all other policies, procedures, practices, and guidelines relating to the matters set forth herein.

7. REPRESENTATIVE

We have a designated representative (as per Article 27 of GDPR) who can be contacted by any data subject or supervisory authority with concerns regarding us in its capacity as a data processor. The representative can be contacted at info@cemexHRM.com.