Keter Privacy and Data Protection Policy and Notice
Last Updated: September 9, 2020
Keter Plastic Ltd, Keter UK Ltd, Keter US Inc, Keter Luxembourg Sarl and their affiliates (including wholly and partially owned subsidiaries) (“Keter”, “we”, “our” or the “Company”, and their cognates) respects the privacy of its customers, employees and candidates, and is committed to protecting the personal information you share with us. We also protect the privacy of our website visitors, site visitors, followers, vendors, service providers, consumers, partners and others who come in contact with Keter (these and any others with respect to whom we collect personal data, shall collectively be referred to as “Customers” or “you” or “Data Subjects”).
Please read the following carefully to understand our practices regarding your personal data and how we will process it.
For the purposes of EU’s General Data Protection Regulation (“GDPR”) and other applicable European Economic Area data protection law, (the “Data Protection Law”), Keter will usually be a data controller (the “Controller”).
Summary: we collect various categories of personal data in order to meet our contractual obligations, and also to meet various legitimate interests, such as fraud prevention and marketing.
There are several categories of information and data we collect from our Customers.
This includes data you provide to enable us to communicate with you, sell you our products, and provide services including on our websites.
One type of Data we process is non-identifiable and anonymous information ("Non-Personal Data"). We also collect several categories of personal data, also called personal information ("Personal Data").
Personal Data which is being gathered consists of any details which are personally identifiable provided consciously and voluntarily by you, or by an organization you represent or are associated with or through your purchases of Keter products, or your use of Keter services, or your provision of services/product to Keter, including use of the Keter’s websites (as described below).
This may include personal information, such as: your name (first and last), email address, phone numbers, picture, postal address, birthdate or year of birth, gender, position and organization name, billing details, billing address, login credentials, your Keter account username and password and usage details, and other information you choose to provide to Keter.
Additionally, we may obtain location data related to the geographic location of your laptop, mobile device or other digital device on which the Keter website(s) is used.
You do not have any legal obligation to provide any information to Keter, however, we require certain information in order to perform contracts, such as sale or purchase, or to provide any services and products.
If you choose not to provide us with certain information, we may not be able to provide you with some or all of the services or fulfill your order for products.
Keter also collects the email addresses of people who communicate with Keter via email or via messenger services or other social media platforms or create accounts and login credentials. By registering on Keter’s website(s), or submitting requests for support or information via the website(s), Keter will collect details, including also your name, your company name, your phone number and the personal or company email you provided, your address, your birthdate and other such information.
Keter uses this information to offer Keter’s services and support, and will share this data across Keter group companies and service providers in order to optimize its services.
You may create a Keter account on certain Keter websites. In some cases you may be able to access Keter services through login credentials of a designated third party website or service (each a “Third Party Account”), including but not limited to Google, LinkedIn, Facebook or Twitter.
Doing so will enable you to link your Keter account and your Third-Party Account.
If you choose this option, then you will be required to approve the connection as well as the provision of information (which may include Personal Information, such as your profile picture, gender, birthdate, headline, summary that appears in the profile, friends’ lists, previous positions and organizations), that we obtain from your Third Party Account. Any data submitted to any Third-Party Account, even on and through Keter services, is managed directly by such third party and is not the responsibility of Keter.
Keter also collects Personal Data through the use of CCTV cameras and employee’ site access cards.
This consists of video images of you in the public spaces at Keter sites, as well as records of your entrances and exits of the Keter sites, buildings and office floors.
It also includes identity verification systems and data.
We may not always be aware of the nature of the information collected through our services (for example, through our CCTV systems), and such information may inadvertently include sensitive or special categories of Personal Data, but we do not knowingly collect such data about our Customers, members, site visitors etc.
We collect this Personal Data based on our legitimate interest in keeping our premises safe and secure and preventing and responding to crime. Keter also collects data relating to its employees.
This is governed by a specific notice we have made available to our employees. Keter also collects data relating to employment candidates.
This includes CVs and the data contained therein, notes on meetings, standardized tests, reports, references, interviewer impressions and such industry standard data, as well as collecting data made publicly available or available to us on social networks.
We collect such data based on the intention of the candidate to enter into an employment agreement with Keter.
Summary: we collect personal data when you or your organization send it to us, or when a vendor sends it to us so; we collect personal data through our websites and services.
We collect Personal Data through your use of our websites. In other words, when you are using the websites, we are aware of it and will gather, collect and record the information relating to such usage, either independently or through the help of third-party services as detailed below. This may include technical information and behavioral information such as your Internet Protocol (IP) address, your uniform resource locators (URL), the operating system of your browsing device, type of browser, browser plug-in types and versions, screen resolution, Flash version, time zone setting, the User’s ‘clickstream’ on the website, the period of time the User visited the website, methods used to browse away from a page, and any phone number used to call our customer service number. We likewise place cookies on your browsing devices through which you visit our websites (see section 6 below).
We collect Personal Data required to provide services when you register interest, make an order, register for warranty, contact our support centers, contact us for information, sign up for newsletters and updates, or open an account. In most cases, you provide this information to us directly, in other cases your employer or an organization you represent may provide this information, or it may be provided by a vendor with whom you have contracted. We also collect Personal Data through our CCTV recordings and through our card reader software, which automatically collect information about your presence in Keter facilities. We collect Personal Data when you apply for a position at Keter, and throughout the recruiting process – such as through interviews, references, background checks and so on.
Summary: we process personal data to meet our obligations, protect and enforce our rights and manage our business.
We will process Personal Data to provide and improve our services to our customers and others and meet our contractual, ethical and legal obligations, including for example:
- Processing which is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract:
- To enable us to meet our legal, contractual, ethical and business obligations as an employer or a potential employer for our employees and job applicants;
- Carrying out our obligations arising from any contracts entered into between you or your employer or organization and Keter and/or any contracts entered into with Keter and to provide you with the information, products and services that you request from Keter;
- Administering your account with Keter including to identify you and authenticate your identity;
- Verifying and carry out financial transactions in relation to payments you make in connection with the products;
In all cases, assembly requires no special DIY skill and involves standard household tools, for quick, easy construction.
Processing which is necessary for the purposes of the legitimate interests pursued by Keter or by a third party of providing an efficient and wide-ranging service to Customers:
- Notifying you about changes to our service and products;
- Contacting you for the purpose of providing you with technical assistance and other related information about the products;
- Contacting you to give you commercial and marketing information about events or promotions or additional services and products offered by Keter, including in other locations;
- Soliciting feedback in connection with your use of the services and the products purchased;
- Tracking use of Keter facilities and services to enable us to optimize them;
- Replying to your queries, troubleshooting problems, detecting and protecting against error, fraud or other criminal activity;
- Sharing data across the Keter group and its service providers, including across multiple locations internationally, in order to ensure effective management of our business;
- Analyzing transactions and communications for fraud prevention, crime prevention and protecting our staff, property, site visitors and third parties.
Processing which is necessary for compliance with a legal obligation to which Keter is subject:
- Compliance and audit purposes, such as meeting our reporting obligations in our various jurisdictions, and for crime prevention and prosecution in so far as it relates to our staff, customers, facilities etc;
- If necessary, we will use personal data to enforce our terms, policies and legal agreements, to comply with court orders and warrants and assist law enforcement agencies as required by law, to collect debts, to prevent fraud, infringements, identity thefts and any other service misuse, and to take any action in any legal dispute and proceeding;
- For security purposes and to identify and authenticate your access to our facilities and services ;
- We collect personal data of our clients’ personnel which will be used for the purposes set out above;
- To detect and prevent damage to Keter, its employees and third parties;
- For additional purposes related to the management of the Keter group across multiple locations, as described in section 8 below.
Summary: we share personal data with our service providers, partners, group companies and authorities where required.
We transfer Personal Data to: Members of our Group: This includes any member of our group, which means our subsidiaries - whether wholly or partially owned by Keter, in the EU, in Israel, in the US, in Canada and elsewhere. Third Parties. We transfer personal data to third parties in a variety of circumstances. We take steps to ensure that these third parties use your information only to the extent necessary to perform their functions, and in particular we have a contract in place with them to govern their processing on our behalf. These third parties include business partners, suppliers, affiliates, agents and sub-contractors for the performance of any contract we enter into with you. They assist us in providing the products we offer, processing transactions, fulfilling requests for information, receiving and sending communications, analysing data, providing IT and other support services or in other tasks, from time to time. These third parties also include analytics and search engine providers that assist us in the improvement and optimisation of our website and our marketing. They also include service providers who may help prevent fraud, protect Keter, its staff and its property, and assert our rights.
We periodically add and remove third party providers. At present, third party providers to whom we transfer personal data include also the following:
- Website analytics (such as Google Analytics);
- Document management and sharing services (such as Microsoft Sharepoint);
- Customer ticketing and support (such as Signature);
- On-site and cloud-based database services (such as EnterpriseDB);
- Vendor and customer Interface (such as Nipendo);
- Payroll and pension management systems and providers (such as Mercer, ADP, Absal, Synel, Hargall), and other HR management software;
- Time and attendance software (such as Adeco, Winsarp, Synel);
- CRM software (such as Aventeam);
- ERP software (such as Oracle, Dynamix AX);
- Data security, data backup, and data access control systems;
- Visitors registration system;
- Project Management system;
- Web VC and meeting room platforms (such as Microsoft Teams);
- Call center systems;
- Customer service providers for Keter products;
- Recruiting and applicant management software and partners;
- Our lawyers, accountants, and other standard business software and partners.
In addition, we may disclose your personal data to third parties: if some or all of our companies or assets are acquired by a third party including by way of a merger, share acquisition, asset purchase or any similar transaction, in which case personal data may be transferred. Likewise, we may transfer personal data to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal, ethical, audit or compliance obligation, in the course of any legal or regulatory proceeding or investigation, or in order to enforce or apply our terms and other agreements with you or with a third party; or to assert or protect the rights, property, or safety of Keter, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud prevention and credit risk reduction and to prevent cybercrime. For avoidance of doubt, Keter transfers and discloses non-personal data to third parties at its own discretion.
Summary: we retain personal data according to our data retention policy, as required to meet our obligations, protect our rights, and manage our business.
Keter will retain Personal Data in accordance with our data retention policy, as long as required to provide the services and as necessary to comply with our legal and other obligations, to resolve disputes and to enforce agreements. We will also retain personal data to meet any audit, compliance and business best-practices.
Our websites may, from time to time, contain links to external sites. We are not responsible for the operation, privacy policies and practices or the content of such sites.
Summary: we take data security very seriously, invest in security systems, and train our staff. In the event of a breach, we will notify the right people as required by law.
We take great care in implementing, enforcing and maintaining the security of Personal Data. Keter implements, enforces and maintains security measures, technologies and policies to prevent the unauthorized or accidental access to or destruction, loss, modification, use or disclosure of personal data. We likewise take steps to monitor compliance of such policies on an ongoing basis. Where we deem it necessary in light of the nature of the data in question and the risks to data subjects, we may encrypt data. Likewise, we take industry standard steps to ensure our websites are safe. Note however, that no data security measures are perfect or impenetrable, and we cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur. Within Keter, we limit access to personal data to those of our personnel who: (i) require access in order for Keter to fulfil its obligations, and (ii) have been appropriately and periodically trained in Personal Data practices, and (iii) are under confidentiality obligations as may be required under applicable law. Keter shall act in accordance with its policies and with applicable law to promptly notify the relevant authorities and data subjects in the event that any personal data processed by Keter is lost, stolen, or where there has been any unauthorized access to it, all in accordance with applicable law and on the instructions of qualified authority. Keter shall promptly take reasonable remedial measures. We store Personal Data on devices and servers which will be owned or controlled by Keter in our various sites, or processed by third parties on behalf of Keter, by reputable cloud-service providers. Personal Data is stored in all Keter group locations, such as USA, Israel, UK, EU, Australia, Brazil and many more.
Summary: we transfer personal data within and to the EEA, UK, USA, Israel and elsewhere, with appropriate safeguards in place. We store your personal data across multiple locations globally.
- To Israel. Keter headquarters are in Israel. Israel is considered by the European Commission to offer an adequate level of protection for the personal information; we may transfer data to other countries with an adequacy ruling too; and
- To the United States of America and additional non-EU locations. Transfer to the US and elsewhere is done subject to the Privacy Shield or its successor certifications, or subject to Standard Contractual Clauses, or some other mechanism valid under GDPR; and
- Within / to the EEA.
We may transfer your personal data that is inside the EEA / UK / Switzerland and any other country to outside of those areas for the same purposes described above in section 3, including the following specific purposes:
- Store or backup the information;
- Enable us to provide you with the services and products and fulfill our contract with you;
- Fulfill any legal, audit, ethical or compliance obligations which require us to make that transfer;
- Facilitate the operation of our group businesses, where it is in our legitimate interests and we have concluded these are not overridden by your rights;
- Serve our customers across multiple jurisdictions;
- Operate parent company, subsidiaries and affiliates in an efficient and optimal manner;
- Detect and prevent damage to Keter, its employees and third parties.
Summary: depending on the law that applies to your personal data, you may have various data subject rights, such as rights to access, erase, and correct personal data, and information rights. We will respect any lawful request to exercise those rights.
Data subjects with respect to whose data Californian law applies, please see section 11 below. Data subjects with respect to whose data GDPR applies, have rights under GDPR and local laws, including, in different circumstances, rights to: data portability, access data, rectify data, object to processing, and erase data. It is clarified for the removal of doubt, that where personal data is provided by a customer being the data subject's employer, such data subject rights will have to be effected through that customer. In addition, data subject rights cannot be exercised in a manner inconsistent with the rights of Keter employees and staff, with Keter proprietary rights and other Keter rights and legal interests, and third party rights. As such, job references, reviews, internal notes and assessments, documents and notes including proprietary information or forms of intellectual property, cannot generally be accessed or erased, and may not be rectifiable. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, for example emails, or where other exemptions apply. If processing occurs based on consent, data subjects have a right to withdraw their consent. Cookies and any rights associated with cookies may be exercised through our cookie management tool, or your own device and browser settings. If, for any reason, a data subject wishes to exercise these rights and modify, delete or retrieve their Personal Data, they may contact Keter by email ([email protected]). Note that Keter will undertake a process to identify a data subject exercising their rights. Keter may keep details of such rights exercised for its own compliance and audit requirements. Data subjects in the EU have the right to lodge a complaint, with a data protection supervisory authority in the place of their habitual residence. Our lead supervisory authority is the National Commission for Data Protection (‘CNPD’) of the Grand Duchy of Luxembourg (complaints may be lodged at https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html). If the supervisory authority fails to deal with a complaint you may have the right to an effective judicial remedy.
Summary: The California Consumer Privacy Act (“CCPA”) provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights. Access to Specific Information and Data Portability Rights.
You have the right to request that Keter disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion Request Rights You have the right to request that Keter delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to: 1. Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you. 2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities. 3. Debug products to identify and repair errors that impair existing intended functionality. 4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law. 5. We may Protect our legal interests, to defend our rights in a case of potential, threatened, or actual litigation, and to enforce our rights. 6. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.). 7. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent. 8. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us. 9. Comply with a legal obligation. 10. Make other internal and lawful uses of that information that are compatible with the context in which you provided it. Exercising Access, Data Portability, and Deletion Rights To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
- Calling us toll free at 877-638-7056, or
- Sending a letter to us at: Keter Plastic Ltd. (Attention: Data Protection Officer), 1 Sapir Street Herzliya, Israel.
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. Response Timing and Format We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. Non-Discrimination We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time. Other California Privacy Rights.
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Websites that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to [email protected].
Summary: we do not knowingly collect data of minors aged 16 or under. We may make changes to this policy. Mistakes in translation of this policy may occur. You may contact us with suggestions or complaints regarding personal data.
Keter and Keter’s Data Protection Officer contact details: Keter Plastic Ltd., 1 Sapir Street Herzliya, Israel [email protected].