The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe. API will comply with applicable GDPR regulations as a data processor.
API respects the right of informational self-determination, and any law that appears to be effective in restricting the processing of personal data by domestic providers. We recognize commercial interests and demonstrate this by allowing the use of personal data in some situations, for instance when that data can be rendered anonymous for market research purposes, instead of requiring its deletion. API also takes a pragmatic approach to imposing data protection requirements by balancing protective requirements against their feasibility. We do not intend for the complexity and broad concepts to stand in the way of certainty and predictability. API is concerned with assuring that we have adequate protection in place to deal with the technical and societal changes brought about by globalization, the increased use of search engines, smartphone applications and social media, and the resulting proliferation of personal data disclosed by the data subjects themselves. For these reasons, API welcomes the global guidelines on data protection, and complies with the Privacy Shield and the prior Safe Harbor Principles.
This document describes both our approach to data collected on this public website and our internal treatment of customer, supplier, and employee data. It applies to all API divisions and subsidiaries as far as personal information is received in any format whatsoever, including electronic, paper or oral transmission. This Policy also applies to Agents (defined below) that handle and process EEA and/or Swiss personal data on behalf of API.
We've structured our public website so that, in general, you can visit API on the Web without identifying yourself or revealing any personal information, yet gain access to common information. Once you choose to provide us personally identifiable information (any information by which you can be identified), you can be assured that it will only be used to support your relationship with API Heat Transfer.
API Heat Transfer uses your information to better understand your needs and provide you with better service. Specifically, we use your information to help you complete a transaction, to communicate back to you, to update you on service and benefits that you requested, and to personalize our web site for you. Credit card numbers are used only for payment processing and are not retained for other purposes. From time to time, we may also use your information to contact you for market research or to provide you with marketing information we think would be of particular interest. At a minimum, we will always give you the opportunity to opt out of receiving such direct marketing or market research contact.
API Heat Transfer will not use or share the personally identifiable information provided to us online in ways unrelated to the ones described without letting you know and offering you a choice. We will also provide you the opportunity to let us know if you do not wish to receive unsolicited direct marketing materials from us and we will do everything we can to honor such requests.
Concerning Personal Data Transferred to the United States
Regarding the processing of personal data transferred from the European Economic Area (EEA)[1], which includes the European Union (EU), and Switzerland to the United States (U.S.).
The U.S. Department of Commerce and the European Commission as well as Switzerland have agreed on a framework of data protection principles and supplemental principles to enable U.S. companies to provide an adequate level of protection for personal data transferred from the EEA to the U.S. (“EU-U.S. Privacy Shield” / “Swiss-U.S. Privacy Shield”; together the “Privacy Shield”). API Heat Transfer Company (“API”) respects the privacy of its customers, business partners and employees and recognizes the need for appropriate protection and management of personal information provided. API, on behalf of itself and its wholly owned U.S. domiciled entities, has decided to voluntarily adhere to the Privacy Shield Principles recognized by the EEA and Switzerland as providing adequate data protection. API complies with the Privacy Shield Framework as agreed upon between the U.S. Department of Commerce and the European Commission and Switzerland regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. API has certified that it adheres to the Privacy Shield Privacy Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability, as well as the supplemental principles of the framework. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/. A current list of organizations certified under the Privacy Shield framework (“Privacy Shield List”) is available at https://www.privacyshield.gov/list.
For purposes of this Policy, the following definitions shall apply:
“Agent” means any third-party processor that collects and/or uses personal information provided by API to perform tasks on behalf of and under the instructions of API.
“Personal Data” and “Personal Information” are data about an identified or identifiable individual that are within the scope of the Directive 95/46/EC or the Swiss Federal Act on Data Protection, received by an organization in the United States from the European Union or Switzerland, and recorded in any form. Personal information does not include information that is anonymous (e.g. statistical information not relating to an identifiable person).
Personal data can be defined as “individual pieces of information about personal or factual circumstances about an identified or identifiable human being.”
“Sensitive Personal Information” means personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual or personal information received from a third party that is identified and treated as sensitive by the third party. Where Swiss individuals are concerned, “Sensitive Personal Information” also includes ideological views or activities and information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
“Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Internal Applications Data”, “Network Data”, and “Content Data” are information collected through use of API’s ERP systems, other applications, and IT infrastructure for the purposes of conducting its global business. These applications will have a mix of personal information and collective non-user-related data. Personal information collected will be identified in API’s Application Data Processing Disclosure document. This document will be updated as applications and usage change, and provided to employees or their representatives as changes occur.
Processing of EEA and/or Swiss personal data
API may from time to time process certain EEA and/or Swiss Personal Information about current or prospective customers, business partners, suppliers, vendors, independent contractors, consumers, employees and candidates for employment, including information recorded on various media as well as electronic data. API will process these data in conformity with the Privacy Shield Principles and will continue to apply the Principles to personal data received under the application of the Privacy Shield.
API will use Personal Information concerning business partners and customers to provide customers and business partners with information and services and to help API personnel better understand the needs and interests of these business partners and/or customers. Specifically, API uses information to help customers and business partners complete a transaction or order, to facilitate communication, to deliver products/services, to bill for purchased products/services, to provide ongoing service and support, to communicate to individuals about products, services and related issues, to facilitate API’s internal administrative processes, to book travel, accommodation and event registration, for business continuity and/or disaster recovery, to organize and manage joint projects and joint ventures and to deliver IT services including malware prevention. Occasionally API personnel may use Personal Information to contact customers and business partners to complete surveys that are used for quality assurance purposes.
API may also share Personal Information with its service providers and suppliers (Agents) for the sole purpose and only to the extent needed to support the customers’ business needs. Service providers and suppliers are required to keep confidential Personal Information received from API and may not use it for any purpose other than originally intended. In case of data transfers to third parties acting as controllers the affected individuals will be informed about the transfer and the underlying purposes respectively.
API also collects Personal Information concerning its employees (Human Resources Data) in connection with administration of its Human Resources programs and functions and for purpose of communicating with its employees. API also applies the Privacy Shield Principles to these data. Further information in this regard can be found in API’s Application Data Processing Disclosure document available for employees upon request.
Smartphone and Geo Data are highly sensitive and, unless there is consent for further processing, API will allow this data to be collected and used only to the extent that it is required. If the data is to be used for marketing purposes or for connection to smartphone applications, special forms of consent and notification are required. All data on company-issued devices is the property of API. Data, such as API email communication, on employee-owned devices is also the property of API, and can be removed at API’s discretion.
API may use photographs of employees or other individuals to facilitate intercompany communication through profile association in Office 365, Skype, Organizational Charts, or other tools deemed appropriate and disclosed to the subject.
GDPR sets out key principles: lawful, fair and transparent processing; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. A detailed description of the Privacy Shield Principles can be found on the website of the U.S. Department of Commerce.
1. Notice
Where API collects Personal Information directly from individuals in the EEA and/or Switzerland or receives it from its European affiliates, it or the respective European affiliate will inform those individuals about: the purposes for which it collects and uses Personal Information about them; the transfer to API in the U.S.; the types or identity of third parties acting as controllers to which API discloses that information, and the purposes for which it does so; the choices and means API offers individuals for limiting the use and disclosure of their Personal Information; and the right of individuals to access their personal data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to API, or as soon as practicable thereafter, and in any event before API uses the information for a purpose other than that for which it was originally collected or discloses it for the first time to a third party.
2. Choice
API will offer individuals the opportunity to choose (opt out) whether their Personal Information is (a) to be disclosed to a third party acting as a controller, or (b) to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, API will give individuals the opportunity to affirmatively and explicitly consent (opt in) to (a) the disclosure of their Sensitive Personal Information to a third party acting as a controller, or (b) the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. API will provide individuals with reasonable, clear and conspicuous, and readily available mechanisms to exercise their choices.
3. Accountability for Onward Transfer
API will transfer Personal Information to Agents only for limited and specific purposes and obtain contractual assurances from its Agents that they will safeguard Personal Information consistent with this Policy and that they will provide at least the same level of protection as is required by the relevant Privacy Shield Principles. API recognizes its responsibility and potential liability for onward transfers to Agents (job control). Where API has knowledge that an Agent is using or disclosing Personal Information in a manner contrary to this Policy and/or the level of protection required by the Privacy Shield Principles, API will take reasonable and appropriate steps to prevent, remediate or stop the use or disclosure. API will also ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission (transmission control), and that data is received by the intended recipient.
If API transfers personal information to non-agent third parties acting as a controller, API will apply the Notice and Choice Principles unless a derogation for specific situations under European or Swiss data protection law applies and will obtain contractual assurance from these parties that they will provide the same level of protection as is required under the Principles.
4. Access
Upon request, API will grant individuals reasonable access to Personal Information that it holds about them. In addition, API will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete or has been processed in violation of the Privacy Shield Principles. API may limit an individual’s access to Personal Information where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.
5. Security
API will take reasonable and appropriate precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. We use encryption and/or secure servers when collecting or transferring sensitive data such as credit card information.
We require that an encrypted, secure connection be established between computers and that it be maintained for the duration of the session. Although we use encryption to safeguard the confidentiality of personal information as it travels over the Internet, "perfect security" does not exist on the Internet and we cannot guarantee the safety of transmitting personal information over the Internet.
Password Protection. You are responsible for maintaining the confidentiality of your passwords. We have the right to assume that anyone using a password assigned to you has the right to do so. You will be solely responsible for the activities of anyone using a password assigned to you, even if the individual is not, in fact, authorized by you. If you have reason to believe that your password has been compromised or used without authorization, you must promptly change it.
API will prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used (access control), and will limit those with access to only the data they are designated to have access to, and no more. Specific security requirements for Internal Application Data, describing how security is administered, are described in API’s Data Processing Disclosure document. Input control will be maintained by storing the user and time/date of data input into API’s applications whenever possible, to support security audit requirements.
API is required to notify the data subject if data were unlawfully transmitted or otherwise became known to third parties to increase consumer confidence in automated systems. Notification is required only if the security breach threatens to cause serious impairment of the rights or the protection-worthy interests of the data subject.
6. Data Integrity and Purpose Limitation
API will use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual (see 2. Choice). API will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current. API will adhere to the Principles as long as it retains personal information received under its Privacy Shield certification.
Personal data will be protected from accidental destruction or loss by the security methods described in section 5. Security, and API’s Data Processing Disclosure document (availability control). Additionally, backup processes will be employed to protect and restore data when necessary.
7. Recourse, Enforcement and Liability
Any questions or concerns regarding the use or disclosure of personal information should be directed to the Chief Information Officer at the address given below. API will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy.
With respect to any complaints relating to this Policy that cannot be resolved through API’s internal processes, API has agreed to cooperate with the data protection authorities in the EU and the Swiss Federal Data Protection and Information Commissioner and to participate in the dispute resolution procedures established by these Authorities to resolve disputes pursuant to the Privacy Shield principles available at the addresses given below. In the event that API or such Authorities determines that API did not comply with this Policy, API will take appropriate steps to address any adverse effects and to promote future compliance. API is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory body under the Privacy Shield.
Where a complaint cannot be resolved by any of the aforementioned recourse mechanisms, individuals have a right to invoke binding arbitration under the Privacy Shield Panel as a recourse mechanism of “last resort”.
Rendering data anonymous is a general principle of data protection policies, to be employed whenever feasible, to minimize the proliferation of data. Data may also be placed under a pseudonym to preserve anonymity. These policies allow the data subject to retain control over their data while giving API greater possibilities for use and transmittal of the data. When data has become anonymous, it is no longer personal data and can therefore be freely used. It becomes personal data again if API has the possibility of identifying the data subject.
API’s adherence to the Privacy Shield Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, e.g. in the course of lawful requests by public authorities; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.
Questions or comments regarding this Policy should be submitted to API by mail or e-mail as follows:
Dan Batten, CIO
API Heat Transfer Company
2777 Waldon Ave
Buffalo, NY 14225
If you are a citizen of an EEA member state, you may also address any unresolved complaints to the EU Data Protection Panel at the following address:
If you are a citizen of Switzerland, unresolved complaints can be addressed to the Swiss Federal Data Protection and Information Commissioner at the following address:
Changes to this Policy
This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield principles. Appropriate public notice will be given concerning such amendments.
Effective Date: February 26, 2018
Last updated: November 1, 2018
[1] The EEA currently includes the following countries: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom, Iceland, Liechtenstein, and Norway.
[2] Information about the U.S. Department of Commerce Privacy Shield certification can be found at https://www.privacyshield.gov/.