This Privacy Policy details how Guangzhou Zhuyu Architectural Engineering Design Co., Ltd. processes personal data when you work for the Company or do business with the Company.

Personal data is processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) and other applicable national and European privacy laws and regulations (together, "Data Privacy Laws").

The definitions of bold terms used in this policy can be found in Annex I Glossary.

1. Scope
This Privacy Policy applies to all personal data that we process as a data controller.
If the Company has the power to decide the purposes and means of processing personal data, the Company is the controller of such personal data.

The Company may process personal data of employees, former employees and their families, temporary workers, self-employed persons, job applicants, contractors, supplier contacts, customers and visitors.

2. Purpose
This Privacy Policy is intended to explain the types of personal data we process and how and for what purposes we process personal data. In addition, this Privacy Policy outlines our responsibilities in relation to the protection of personal data.

This Privacy Policy does not provide an exhaustive description of our data protection practices and we will notify you of any changes to the extent practicable.

If national data protection laws (“National Laws”) are relevant to this Privacy Policy and/or HALFEN (Beijing) Building Accessories Sales Co., Ltd. (“Company”) processes personal data in any other manner than described in this Privacy Policy (e.g. regarding the purposes for which the personal data is processed, etc.), please refer to Annex II for details of such specific processing.

1. Types of Personal Data
1.1 Employees and Contractors
The Company collects and processes personal data relating to employees, applicants and contractors, as well as former employees and former contractors. These personal data include: personal information such as name, date of birth, social security number, bank account information, family relationships, social media account information, visa/passport information; contact information such as address and phone number; personnel file information, including employment terms and conditions, training, performance evaluations, promotions, personal development plans, behavioral and disciplinary data, work location, salary information, bank account information and tax and social security numbers, security clearance; work experience/application information, such as education and work experience; editorial or news content, such as work links, including links to video or audio files; medical information, such as medical certificates and sick notes; family situation, such as children's names and dates of birth (for example: relevant when applying for parental leave); details required for pensions; union membership information; and performance-related data, such as performance management ratings for managers and annual salary increase evaluations for employees, professional psychological assessments, etc. The above is not exhaustive, but covers the most commonly collected, used and processed personal data.

1.2 Suppliers and Customers
The Company collects and processes personal data related to suppliers and customers and/or its partners. This personal data may include: personal information such as name, title, position, work identification number, department, division (including contact information collected for training/verification); contact information such as email, phone number and place of work; and tax information such as VAT number/tax number.

1.3 Special categories of personal data
Special categories of personal data that the Company may process include, but are not limited to, health data, criminal conviction information and biometric data. The Company will process all personal data in accordance with data protection laws, in particular any special categories of personal data.

2. Purposes of processing
The Company will process personal data in accordance with the purpose for which the personal data was obtained.

Common purposes for which the Company processes personal data include: payroll and benefits administration; human resources, performance and talent management; marketing and public relations; improving corporate products and services; research and statistical analysis; business strategy; internal audits or investigations; preventing and investigating illegal and/or criminal conduct against us or our customers and employees; and/or complying with legal obligations. We may process personal data for other purposes from time to time. The Company endeavors to ensure that individuals are informed of the purpose for which their personal data is processed when obtaining their consent. If this is not possible or practicable, the Company will notify you as soon as possible after processing the Personal Data. Individuals have the right to withdraw their consent at any time.

3. Profiling
The Company may process the Personal Data of various categories of individuals (e.g., employees, contractors, and job applicants) for the purposes of talent management and workforce assessment (for attendance and performance analysis).

The Company will carry out such processing where: (a) it is expressly authorized by national law (including fraud and tax evasion monitoring); (b) it is necessary for the conclusion or performance of a contract; or (c) the individual has given appropriate consent. For more information on the types of profiling, please see Annex II.

4. Individual Rights
Individuals have certain rights under data protection laws:

4.1 Inspection and access: You can ask us for a summary and copy of your personal data processed by us or on our behalf;

4.2 Correction/addition/deletion: You have the right to ask us to correct, amend or delete your personal data if you believe it is inaccurate or incomplete;

4.3 Objection: You can object to our processing of your personal data where we have legitimate grounds to do so;

4.4 Restriction: You can ask us to restrict the processing of your personal data if the accuracy of your personal data is contested, our processing is unlawful, you believe we no longer need the personal data, or you have objected to processing your personal data; and

4.5 Automated decision-making: You have the right to object to automated decision-making (including profiling) that the Company uses that significantly affects you.

The Company’s Individual Rights Procedure explains how to make the above requests and how the Company manages them.

5. Security
5.1 Security Measures
The Company has implemented technical and organizational measures to protect personal data from destruction, loss, modification, disclosure, acquisition or access due to illegal or unauthorized acts.

Personal data is stored securely through a series of security measures, including locked file cabinets and various IT and other appropriate physical measures.

For more information on the Company's security measures, please refer to the Information Security Policy.

5.2 Personal Data Leakage
The Company will manage data leaks in accordance with the Personal Data Leakage Reporting Procedure. For how to identify and report data leaks, please refer to our Personal Data Leakage Response Procedure.

6. Disclosure of Personal Data
From time to time, the Company may disclose personal data to third parties or allow third parties to access personal data we process (for example, when a law enforcement agency or regulator makes a valid request for access to personal data).

The Company may also share Personal Data: (a) with other members of the CRH Group (which includes our subsidiaries, our ultimate holding company and its subsidiaries); (b) with selected third parties, including business partners, suppliers and subcontractors; (c) with third parties involved in the event that we sell or buy any business or assets; or (d) if the Company is under a legal obligation to disclose Personal Data. This includes exchanging information with other companies and organizations for fraud protection purposes.

Where the Company enters into an agreement with a third party to process Personal Data on its behalf, the Company will ensure that appropriate contractual safeguards are in place to protect them from loss. These third parties include communications service providers, payroll service providers, occupational health service providers, marketing or recruitment agencies, data center operators used by the Company, etc. For further details on the categories of third parties to whom the Company discloses Personal Data, please see Annex II.

7. Data Retention
The Company will only retain Personal Data for as long as it is necessary to fulfill the purposes for which the Personal Data is processed. Personal Data will be retained in accordance with applicable law and the Company’s policies. For details on the periods of retention of Personal Data (or the criteria used to determine such periods) followed by the Company, please see Annex II.

8. Transfer of Data Outside the European Economic Area
From time to time, the Company may need to transfer Personal Data outside the European Economic Area. Such transfer will be made in accordance with applicable data protection laws. The Company takes reasonable steps to ensure that Personal Data is processed securely and in accordance with this Privacy Policy when it is transferred outside the European Economic Area.

9. Roles and Responsibilities
The Company is responsible for the processing of Personal Data. The Company’s General Manager has the overall responsibility for ensuring that the Company complies with the provisions of this Privacy Policy and will designate the primary contact person in relation to: (i) the processing of Personal Data of current and former employees and contractors of the Company; (ii) the processing of Personal Data of business contacts; and (iii) maintaining the security and integrity of Personal Data processed by the Company.
The Legal and Compliance Department shall support the Company by providing legal advice and guidance on the interpretation of data protection laws and local privacy policies.
All Company employees are required to comply with the most current version of this Privacy Policy. Employees found to have willfully violated the provisions of this Privacy Policy may be subject to disciplinary action, including dismissal.

10. Complaints Procedure
You may contact your HR Manager for information regarding this Privacy Policy and/or the processing of Personal Data, or to lodge a complaint in relation thereto. While you may lodge a complaint regarding compliance with data protection laws with the relevant data protection supervisory authority, we would prefer that you contact your HR manager first to give us the opportunity to assist you with any concerns you may have.