WestRock Privacy Notice

The WestRock group (“WestRock” or “us”), comprised of the WestRock Company of 1000 Abernathy Road NE, Atlanta, GA 30328, USA, and all of its subsidiaries, respects your privacy.  This Privacy Notice (“Notice”) describes the personal data we collect, how and why we collect it, and what we do with it. It also informs you of steps you may take to access, update or otherwise control your personal data.

If you have any questions about this Notice or about WestRock’s data privacy practices, please contact us at WestRock Global Privacy Office (the “Privacy Office”) by post to 501 S. 5th Street, Richmond, Virginia, USA, or by email to WestRock_Global_Privacy_Office@westrock.com.

Index

 

Personal Data and How We Collect It

Personal data is any information relating to an identified or identifiable natural person.

We collect personal data from you that is necessary and appropriate based on the type of relationship we have with you.   This data may include your name or other identifier, your contact information and the content of any requests or other communication from you to us.   For example, if you are a job applicant you may provide us details about your educational background or employment experience. 

We collect some personal data through your interactions with us, such as completing a visitor log when you visit one of our facilities.

Some personal data may be created by WestRock itself.  Examples may include an employee identification number, department name/number, and WestRock email address.

WestRock may obtain some information, where lawful to do so, from public sources or third parties, including third party benefit or facility providers, other colleagues, family members, government, tax or law enforcement agencies, customers, suppliers, reference and vetting service providers and others. 

Finally, we collect some personal data through our IT equipment, software and communications systems which may be used by you, as well as software used to assist with the performance and administration of human resources, benefits, staffing and other related functions.

We do not knowingly collect any personal information from children under the age of 18 without parental consent, unless permitted by law. If we learn that a child under the age of 18 has provided us with personal information, we will delete it in accordance with applicable law.

 

Our Legal Basis for Collecting and Processing Personal Data

We will only collect and process personal information where we have a lawful basis to do so. This is particularly important under the European Union’s General Data Protection Regulation (GDPR).  The legal basis under GDPR may be different for different types of processing of personal data, and may fall into one of the following categories:

  • “Legitimate Interests” – Those pursued by WestRock as a business, except where such interests are overridden by the interests and fundamental rights of the data subject. For example, we may rely on this legal basis when processing personal information to ensure IT security, or to communicate with business contacts.
  • “Performance of a Contract” - We may rely on this legal basis in dealing with the personal information of employees with an employment contract, for example. It also applies to pre-contractual data exchanges such as job application information.
  • “Compliance with WestRock’s Legal Obligations” - For example, we are usually required by law to report employee payroll information to the relevant tax authority.
  • “Consent of the Data Subject” – We may process some personal data based on the specific, freely given and clearly documented consent of the data subject.

Transfer of Personal Data Within WestRock

The WestRock group operates in many countries and may share your information among its affiliate companies including those that operate in countries outside your own.  WestRock has put in place standard contractual clauses to ensure that your personal information is protected as described in this Notice.

Transfer of Personal Data Outside WestRock

Personal data may be transferred to our outsourced service providers, including those located in another country. In these circumstances WestRock will, as required by applicable law, ensure that your personal data is adequately protected by appropriate technical, organizational, contractual and/or other lawful means.

WestRock may transfer personal data to public authorities when we are required by law to do so.

Retention of Personal Data

We will retain your personal data for as long as is reasonably necessary for the purposes provided in this Notice or to meet other legal, regulatory, tax or accounting requirements.

We may keep an anonymized form of personal data, which will no longer refer to an individual person or have personally identifying information, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.

Security of Personal Data

WestRock is committed to protecting the personal data you share with us or that we process. We have implemented technical and organizational measures to ensure a level of security appropriate to the risk. The measures include:

  • Logical Access Control
  • Personnel Security
  • Network Security
  • Physical Access Control
  • Hardware Management
  • Back-up and Recovery
  • Vendor Security
  • Security Reviews

Monitoring

WestRock may monitor use of its physical facilities, its informational and communications systems and other assets. ‘Monitoring’ includes without limitation intercepting, blocking, recording or otherwise accessing systems and processes whether on a full-time or occasional basis, as permitted by applicable law.  It may also include the use of CCTV cameras at various physical locations on and around our facility premises, as permitted by applicable law. 

Your Rights Regarding Your Personal Data

You have the right to view your personal information, change it, or request to have it deleted.  In particular, you may:

  • where permitted by applicable law, request copies of your personal data. To do so, please contact the WestRock Global Privacy Office.We reserve the right to request that you provide proof of your identity.
  • request that we correct any inaccurate and/or incomplete personal data.
  • where permitted by applicable law, withdraw consent to the processing of personal data at any time. Such withdrawal will not affect the lawfulness of processing based on your prior given consent. Please note that if consent is withdrawn, you may not be able to benefit from certain service features for which the processing of personal data is essential.
  • request that we stop processing, including automated processing and profiling, of your personal information. In the case of computerized or technology driven automated processing, you may request human intervention.
  • request that we erase your personal data. We will comply with such requests unless there is a lawful reason for not doing so. For example, we may be required to keep some payroll information for tax reporting purposes.
  • lodge a complaint with the relevant data protection authority. We suggest contacting us about any questions or complaints in relation to how we process personal information. However, based on applicable law you may also have the right to contact the relevant data protection authority in your country, state or jurisdiction directly.

Changes to WestRock’s Privacy Notice

If we change our privacy policies, we will update this Notice.

Effective Date of this Notice: December 27, 2018

 

Website Visitors

Types of Data, Purpose of Processing and Legal Basis

The table below provides the categories of personal data we collect, the purpose of processing, and the legal basis of processing.

Data

Purpose

Basis

Name and Related Information

Identification

Legitimate Interest in Business Communications

Contact Information

(email address, telephone number, postal address, etc.)

Enable communication

Legitimate Interest in Business Communications

Details of Communication (contents of forms, emails, faxes, etc.)

Make and respond to requests, exchange information, etc.

Legitimate Interest in Business Communications

 

This site contains links to sites not owned by WestRock. Those sites may be subject to their own privacy notice. This Notice applies only to information collected by this site and not to any other sites.

See WestRock’s Cookies Notice for information about our use of cookies.

Transfer of Personal Data

External suppliers may provide infrastructure, hosting services and data analytics. Personal data will be processed by these providers subject to requirements described in this Notice.

Retention of Personal Data

In some cases, a website visitor becomes a job applicant, employee or business contact. In those cases, see the appropriate category for details.

 

Customers, Suppliers and their Representatives (current, former or prospective)

Types of Data, Purpose of Processing and Legal Basis

The table below provides the categories of personal data we collect, the purpose of processing, and the legal basis of processing.

Data

Purpose

Basis

Name and Related Information

Identification

Legitimate Interest in Business Communications

Contact Information

(email address, telephone number, postal address, etc.)

Enable communication

Legitimate Interest in Business Communications

Details of Communication (contents of emails, faxes, invoices, purchase orders, etc.)

Make and respond to requests, exchange information, etc.

Legitimate Interest in Business Communications

User Account Information

(user name, password, etc.)

Use WestRock website, IT systems

Legitimate Interest in Business Communications

Employer Information

(name of employer, job title, names of managers and associates, transactional information, etc.)

Associate business contact with correct business, conduct business

Legitimate Interest in Business Communications

Transfer of Personal Data

External suppliers may provide procurement/sales systems, IT infrastructure and hosting services, and AP/AR and other accounting services. Personal data may be processed by these providers.

Retention of Personal Data

Because the business contact’s information may appear in certain business records (invoices, for example) we may be required to retain the information for a longer period.

 

Job Applicants

Types of Data, Purpose of Processing and Legal Basis

The table below provides the categories of personal data we collect, the purpose of processing, and the legal basis of processing.

Data

Purpose

Basis

Name and Related Information

Identification

Legitimate Interest in Business Communications

Contact Information

(email address, telephone number, postal address, etc.)

Enable communication

Legitimate Interest in Business Communications

Application Information (resume/CV, application form, letter of application, supporting documents, etc.

Evaluate job candidate

Performance of a Contract (for those jobs which involve an employment contract); otherwise Legitimate Interests in Administering Human Resources

Details of Communication (Offer and Acceptance letters, contents of emails, faxes, etc.)

Make and respond to requests, exchange information, etc.

Legitimate Interest in Business Communications

Special Data

(Age, Disability, National Origin, Religion, Race/Ethnic Background, Sexual Orientation, etc.)

Complete legally-required reporting; collected only where required

Compliance with WestRock’s Legal Obligations

Collecting Personal Data

WestRock uses external recruiters and other external providers of pre-employment services. We may collect personal data from these service providers.

Transfer of Personal Data

An external supplier provides WestRock’s applicant tracking system. Where legally allowed, external suppliers provide background check services. Personal data will be processed by these providers.

WestRock may be required to provide certain personal data to government agencies or authorities.

Retention of Personal Data

For successful applicants, see the employee category for details.

Personal data of unsuccessful applicants will be retained as long as legally required.

 

Employees and Former Employees

WestRock has policies that address the collection and use of data relating to employees and former employees. These policies cover privacy, information security, acceptable use of IT resources, social media and CCTV. WestRock provides notice (“WestRock Employee Data Privacy Notice”) of these policies upon commencement of employment with the Company, makes the notice available on request by local HR management and provides the notice as necessary to comply with relevant data privacy laws. Copies of the policies are available on the Company’s intranet site.

 

Network and IT Security Data

Types of Data, Purpose of Processing and Legal Basis

The table below provides the categories of personal data we collect, the purpose of processing, and the legal basis of processing.

Data

Purpose

Basis

Network and IT Security Data

Secure the Company’s IT and knowledge assets, along with those belonging to other parties

Legitimate Interest in Network and IT Security

Transfer of Personal Data

External suppliers provide infrastructure, hosting services and data analytics. Personal data will be processed by these providers.

Retention of Personal Data

The data is generally kept in logs for one year.