General Dynamics Information Technology, Inc. and its wholly owned subsidiary Arma Global Corporation (“GDIT,” or “we”) make reasonable efforts to protect Personal Data transferred from the European Union (EU)/European Economic Area (EEA) to GDIT’s operations in the United States (U.S.). This Privacy Statement sets forth the standards under which GDIT will treat such Personal Data.
GDIT complies with the EU-U.S. Data Privacy Framework regarding the processing of European Personal Data in the United States, and commits to be subject to the Data Privacy Framework Principles for all Personal Data received in the United States from the EU/EEA in reliance on Data Privacy Framework. GDIT has certified that it adheres to the Data Privacy Framework Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification page, please visit https://www.dataprivacyframework.gov.
GDIT’s participation in Data Privacy Framework is subject to investigation and enforcement by the Federal Trade Commission.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Subject” means an identified or identifiable natural person to whom any given Personal Data covered by this Privacy Statement refers. An identified or identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
“Personal Data” means information relating to a Data Subject.
“Processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Controller.
“Sensitive Personal Data” means Personal Data regarding any of the following:
“Third Party” is any natural or legal person, public authority, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data.
This Privacy Statement applies to the collection, use, and disclosure in the U.S. of Personal Data of employees (current and former), dependents, beneficiaries, applicants, consultants, and contract workers transferred from countries in the EU/EEA to GDIT’s operations in the U.S.
All employees of GDIT that have access to such Personal Data in the U.S. are responsible for conducting themselves in accordance with this Privacy Statement. GDIT employees responsible for engaging third parties to handle Personal Data covered by this Policy on behalf of GDIT (e.g., temporary staff, independent contractors, sub-contractors, business partners, or vendors) are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Privacy Statement, including any applicable contractual assurances required by the Data Privacy Framework Principles.
Failure of a GDIT employee to comply with this Privacy Statement may result in disciplinary action up to and including termination.
GDIT complies with the following principles with respect to the Personal Data described in the “Scope and Responsibility” section of this Privacy Statement that is transferred from countries in the EU/EEA to GDIT’s operations in the U.S.
Notice
GDIT collects, uses, discloses, and disposes of Data Subjects’ Personal Data for human resource management and other business purposes, including:
Candidates for Employment with Clients. GDIT provides a wide variety of services and solutions to its business clients (“Clients”) that facilitate the selection, hiring, and internal mobility of individual candidates for specific employment (“Candidates”). In some instances, GDIT may obtain access to Personal Data about such Candidates in the course of providing the services and solutions. In other specific instances, GDIT may also obtain access to data about our Clients' existing employees or end users in the course of providing support services to the Clients (“End Users”). Such data may include contact details, work history, educational history, work preferences, and other information, depending on the particular Client and application at issue. Wherever we obtain access to Personal Data about Candidates or End Users, we are acting as a Processor on behalf of our Clients, and we therefore conduct such activities strictly in accordance with their instructions and pursuant to our contractual arrangements with them. If you are a Candidate for employment with one of our Clients, or an End User with an existing relationship with one of our Clients, you should refer to the Client's website or human resources manager to understand the privacy practices that apply to Personal Data that we may maintain about you. Moreover, if you would like to access and review your Personal Data, you should contact our Client (your potential or existing
employer) with any such requests. We will cooperate as appropriate with requests from our Clients to assist with such responses.
GDIT may disclose Data Subjects’ Personal Data to third parties acting as its agent such as consultants, accountants, auditors, lawyers, benefit vendors, and financial services vendors for the purposes described above.
Access
Data Subjects have the right to access Personal Data about them that GDIT holds and will be able to correct, amend, or delete such Personal Data if they can demonstrate it is inaccurate (except when the burden or expense of providing access would be disproportionate to the risks to their privacy, or where the rights of persons other than Data Subjects would be violated). To request access to, correct, amend or delete Personal Data, please contact GDIT at: GDIT Privacy Office privacy@gdit.com.
Choice
GDIT will notify Data Subjects before (a) disclosing their Personal Data to any Third Party Controller or (b) using their Personal Data for a purpose that is materially different from the purpose(s) for which the Personal Data was originally collected or subsequently authorized by the Data Subject. That notice will provide Data Subjects with instructions on how they can opt out of such disclosure or use. You may exercise your choice to opt out by contacting GDIT at: GDIT Privacy Office privacy@gdit.com.
If GDIT collects Sensitive Personal Data, GDIT will not (a) disclose that information to a Third Party or (b) use that information for a purpose other than that for which the information originally was collected or subsequently authorized by the Data Subject, unless the Data Subject provides prior, explicit consent.
A Data Subject’s decision to opt out of, or refusal to consent to, a particular use or disclosure does not mean that Personal Data already collected will be erased or deleted or that GDIT cannot continue to use or disclose the information already collected for the purpose(s) for which it originally was collected or subsequently authorized by the Data Subject or, with respect to non-Sensitive Personal Data, for compatible purposes.
Accountability for Onward Transfer
Except as otherwise explained in this Privacy Statement, GDIT will transfer Personal Data only to (a) an entity that a Data Subject has specifically authorized to receive the data (and its designated representatives), or (b) Third Parties acting as GDIT’s agents (e.g., service providers that help host or support GDIT's web site, or that otherwise provide technical assistance). Furthermore, GDIT will transfer Personal Data to such Third Parties only if the transfer is for limited and specified purposes and the Third Party will provide at least the same level of privacy protection as is required by this Privacy Statement and as applicable, the Data Privacy Framework Principles.
With respect to transfer to its agents, GDIT will transfer only the Personal Data needed for an agent to deliver to GDIT the requested product or service. The agent will be prohibited from using such Personal Data for any other purpose and will be required to maintain commercially reasonable security measures to protect the confidentiality and security of that Personal Data. GDIT remains responsible under the Data Privacy Framework Principles if an agent processes Personal Data in a manner inconsistent with the Principles, except where GDIT is not responsible for the event giving rise to the damage.
In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Data Privacy Framework, GDIT is potentially liable.
GDIT may also be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Security
GDIT takes reasonable physical, technical and organizational measures to protect the security of Data Subjects’ Personal Data. Such Personal Data is subject to restricted access in our offices. Only employees who need the information to perform a specific job are granted access to Personal Data. Furthermore, all employees are regularly informed about our security and privacy practices. When new policies are added, our employees are notified and/or reminded about the importance we place on privacy, and what they can do to protect our users' and customers' Personal Data. Finally, we maintain reasonable physical, technical, and organizational measures to make sure that the servers on which we store Personal Data are kept in an access restricted, physically secure, and monitored environment.
Data Integrity and Purpose Limitation
GDIT collects only Personal Data that is necessary for the purposes described above and, with respect to non-Sensitive Personal Data, for compatible purposes. GDIT takes reasonable steps to ensure that the Personal Data it collects is accurate, complete, current, and reliable for its intended use.
Recourse, Enforcement and Liability
GDIT is subject to the investigatory and enforcement powers of the Federal Trade Commission.
GDIT will periodically review and verify its compliance with the Data Privacy Framework Principles and remedy issues arising out of any failure to comply with those Principles.
In compliance with the EU-US Data Privacy Framework, GDIT commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-US Data Privacy Framework. EU individuals with inquiries or complaints should first contact GDIT at: Donald Creston, General Dynamics Information Technology, Inc., 3150 Fairview Park Drive, Falls Church, Virginia 22042; Email: privacy@gdit.com; Telephone: 703-995-1982.
GDIT has further committed to refer unresolved privacy complaints under the EU-US Data Privacy Framework Principles to an independent dispute resolution mechanism, BBB National Programs. If your inquiry or complaint does not involve human resource data and you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www, bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.
Human Resources Data:
If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by GDIT, and your inquiry or complaint involves human resource data, you may have your complaint considered by an independent recourse mechanism: for EU/EEA Data Subjects, a panel
established by the EU data protection authorities (“DPA Panel”). To do so, you should contact the state or national data protection or labor authority in the jurisdiction where you work. GDIT agrees to cooperate and comply with the decisions of the DPA Panel.
LEGAL DISCLAIMER
We may disclose Personal Data when required by law or in the good faith belief that such action is necessary in order to conform to the edicts of the law, comply with legal mandates, enforce the terms of use of our websites, or to protect the rights, property, or personal safety of GDIT, its users and the public. This may include disclosure in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have any questions about this Privacy Statement, or if you would like to request access to Personal Data that we may maintain about you, please contact: GDIT Privacy Office privacy@gdit.com.
Effective Date: September 13, 2016, as amended.