POLARIS INDUSTRIES INC.
EU PRIVACY STATEMENT
Polaris Industries Inc. (the “Company”) respects individual privacy and values the confidence of its customers, employees and business partners. The Company complies with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, lawfulness of processing, notice, choice, onward transfer, security, access, rectification, erasure, portability and enforcement required under applicable laws, rules and regulations including the GDPR.
This Privacy Statement (the “Statement”) sets forth the privacy principles that the Company follows.
This Statement applies to personal data received by the Company in any format including electronic, paper or verbal.
Except as otherwise defined in this Statement, capitalized terms have the meanings set forth herein.
“Agent” means a third-party organization that performs tasks on behalf of and under the instructions of the Company.
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller
“Data subject” means an identified or identifiable natural person whose personal data is collected and processed by a data controller or a data processor.
“DPAs” means the European Data Protection Authorities.
“FDPIC” means the Swiss Federal Data Protection and Information Commissioner.
“GDPR” means the General Data Protection Regulation 2016
“Non-Agent Third Party” means any third party that is not an Agent.
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Privacy Authorities” means the DPAs, the FDPIC, and the Supervisory Authorities.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Public record information” means records kept by governmental agencies or entities that are open to consultation by the public in general.
“Sensitive personal data” means personal data that reveals racial or ethnic origin, political opinions, religious, ideological, or philosophical beliefs, trade union membership and trade union-related views or activities, sexual orientation, or personal data concerning medical or health condition, personal sexuality, or sex life, or personal data relating to social security measures or administrative or criminal proceedings, sanctions, offenses or criminal convictions. Sensitive personal data shall also include national identification numbers where applicable law expressly provides that national identification numbers are included in the definition thereof. The Company will treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.
“Supervisory Authority” means an independent public authority which is established by a EU Member State.
The privacy principles of the Company are:
Lawfulness, Fairness, and Transparency
When the Company collects personal data, it will be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
When the Company collects personal data, it will be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
When the Company collects personal data, it will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
When the Company collects personal data, it will be accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
When the Company collects personal data, it will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality
When the Company collects personal data, it will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Lawfulness of Processing
Any and all processing will be done lawfully. The Company and any Agent or Non-Agent Third Party will process personal data only if and to the extent that at least one of the following applies: (1) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the controller is subject; (4) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and (6) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
When the Company collects personal data from individuals in the EU, EEA or Switzerland it will: (1) inform them of the recipients of the personal data, (2) inform them of whether they are required to respond to questions and the consequences of a failure to respond, (3) inform them of the existence of rights of access to, and rectification of, their personal data, (4) inform them of the purposes for which it collects and uses personal data about them, (5) inform them of the types of Non-Agent third parties to which the Company discloses the information, (6) inform them of the choices and means for limiting the use and disclosure of personal data about them, (7) inform them of how to contact the Company, and (8) obtain their prior consent to such collection. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal data to the Company, or as soon as practicable thereafter, and in any event before the Company uses or discloses the information for a purpose other than for which it was originally collected.
The Company will give individuals the opportunity to affirmatively and explicitly consent (opt in) to the disclosure of such person data and sensitive personal data to a Non-Agent third party or the use of the personal data or sensitive personal data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
The Company will provide individuals with readily available, affordable and reasonable mechanisms to exercise their choices. With respect to employment related personal data, the Company will make reasonable efforts to accommodate employee privacy preferences. These may include, for example, restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.
When the Company is transferring personal data to an Agent or Non-Agent Third Party outside of the EU, the Company will enter into a written agreement with such third party that incorporates the standard contractual clauses adopted by the EU for purposes of establishing that such Agents and Non-Agent Third Parties establish and maintain adequate levels of protection for the personal data transferred to them.
The Company will take reasonable steps to protect the personal data in its possession from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and will take all useful precautions with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent its alteration and damage or access by non-authorized third parties. The Company has put in place technical, physical, and organizational procedures and security measures designed to safeguard and secure the personal data from destruction, loss, alteration, unauthorized access or disclosure, or other forms of unauthorized or unlawful processing commensurate with the risks posed by the particular type of processing, the nature of the personal data and in accordance with applicable the GDRP and any other law and applicable guidelines, if any, promulgated by authorities having jurisdiction therefor, and taking into consideration the cost of implementing such measures. The Company cannot guarantee the security of personal data on or transmitted via the Internet.
The Company will comply with the GDPR, and other applicable local laws, rules and regulations with respect to data breach disclosure and notification.
Upon request that can be made by filling out this form by the individual, the Company will grant individuals reasonable access to their personal data. Such access will include: (1) confirmation as to whether or not personal data concerning him or her are being processed; (2) the purposes of the processing; (3) the categories of personal data concerned; (4) the recipients or categories of recipient to whom the processing data have been or will be disclosed, in particular recipients in third countries or international organizations; (5) if possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (6) the existence of the right to request from the Company rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (7) the right to lodge a complaint with a Supervisory Authority; (8) information about the source of the data, if not directly from the data subject; (9) whether the personal data will be subject to automated processing, including profiling and, if so, the logic and potential consequences involved; and (10) if the data is transferred to a third country or international organization, information about the safeguards that apply.
With respect to employment related personal data, the Company will comply with local regulations and ensure that EU, EEA and Swiss employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. If data processing with respect to employment related personal data occurs in the US, the Company will cooperate in providing such access either directly or through the EU, EEA or Swiss employer.
If the data subject requests, their personal data collected by the Company will be corrected and incomplete personal data completed based on information provided by the data subject. Where necessary, the Company will take steps to validate the information by the data subject to ensure that it is accurate before amending it.
If the data subject requests, their personal data collected by the Company will be erased without undue delay provided that one of the following applies: (1) the personal data are no longer necessary for the purposes for which they were collected; (2) the data subject withdraws consent and there is no other legal ground for processing; (3) the data subject objects to the processing of the personal data; (4) the personal data have been unlawfully processed; (5) the personal data have to be erased for compliance with a legal obligation of the Company; or (6) where the personal data was relevant to the data subject as a child.
If the data subject requests, their personal data collected by the Company will be provided to them in a structured, commonly-used and machine readable or the personal data transferred to another party.
The Company will use a self-assessment approach to verify compliance with this Statement and periodically verify that the Statement is accurate, comprehensive for the information intended to be covered, prominently displayed, implemented and accessible, and in conformity with this Statement.
The Company encourages interested persons to raise any concerns using the contact information provided in this Statement. The Company will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal data in accordance with this Statement. Any employee of the Company that the Company determines is in violation of this Statement will be subject to disciplinary action up to and including termination of employment.
The Company will (1) provide recourse to data subjects with respect to enforcement of this Statement; (2) provide follow up procedures for verifying that the attestations and assertions the Company has made about its privacy practices are true; and (3) remedy problems arising from the failure of the Company to comply with this Statement. Where the Company is required or determines to cooperate with the GDPR, or any other applicable law or regulation, in connection with the enforcement of this Statement (e.g., with respect to complaints alleging a violation of data protection rights of an employee of the Company in the EU, EEA or Switzerland with respect to employment related personal data), the Company will satisfy its commitment under clauses (1) and (3) of this paragraph as follows:
(A) The Company will cooperate with the Privacy Authorities in the investigation and resolution of complaints; and
(B) The Company will comply with any advice given by the Privacy Authorities where the Privacy Authorities take the view that the organization needs to take specific action to comply with the applicable law, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with applicable law, and will provide the Privacy Authorities with written confirmation that such action has been taken.
Collection and Use of Personal Information
As you interact with Polaris, there may be opportunities for you to provide us with your information. Additionally, we may collect certain information about your or your vehicles as further described below.
You may provide us with information about you or your vehicles through a number of sources: Polaris websites, applications, product and related events, surveys, social media platforms, sweepstakes entries, and through our customer contact centers. We also receive information about you through vehicle sales records provided by your dealer and we may obtain, with your consent, data obtained from your vehicle.
The types of information that Polaris collects about you may include, but are not limited to:
- Contact information (such as name, address, city, state and ZIP code, email address and telephone number)
- Payment information (such as your credit card number, CVV code, and expiration date)
- Information about your vehicle (such as license plate number, vehicle identification number (VIN), make, model, model year, selling dealer, servicing dealer, date of purchase or lease, lease/financing term, service history, mileage, oil/battery status, fuel or charging history, electrical system function, gear status, and diagnostic trouble codes)
- Information about your connected devices (such as mobile phone, computer, or tablet) and how you interact with our products, services, apps, and websites (such as IP address, browser type, unique device identifier, cookie data, and associated identifying and usage information)
- Demographic information (such as gender, date of birth, marital status, and household composition)
- Marketing profile information (such as when you plan to purchase or lease; the vehicle you’re interest)
- Photographs and videos such as those that you may submit for contests, sweepstakes and social sharing
- Relationships you have with Polaris in addition to the purchase and servicing of your vehicle (such as through a rewards card, etc.)
- Incentive eligibility verification information (such as college name, branch of service, or credit union name for vehicle purchase programs)
- Social Security Number (in limited circumstances Polaris may collect SSN, for example if you win a sweepstakes or receive compensation that must be reported for government tax purposes)
- Investor Information (name, address, phone number, and email address.
- e information Polaris collects about you and your vehicles may be used:
- To provide products and services and maintain customer relationships
- To improve the quality, safety, and security of our products and services
- To administer your account(s) and process your payments for products and services
- To operate our websites and applications, including online registration processes
- To facilitate and support Polaris dealer and supplier diversity programs and Polaris grant programs
- To autofill data fields on our websites to improve your online experience
- To develop new products and services, including connected, autonomous, and car-sharing products and services
- To provide customer and vehicle support and service (such as recall information)
- For warranty administration and validation
- To provide information and product updates
- To evaluate vehicle performance and safety
- For research, evaluation of use, and troubleshooting purposes
- To verify eligibility for vehicle purchases or incentive programs
- For marking and analytics purposes
- To support the electronic signature and delivery process between you and your dealer
- To customize and improve communication content
- To comply with legal, regulator, or contractual requirements
Communications with you in connection with these uses may be via mail, telephone, e-mail, text message, social medial, or other electronic messages, or via our websites and applications.
In compliance with this Statement, the Company commits to resolve complaints about the privacy, collection and use of personal data. The Company has appointed a Data Protection Officer with responsibility for the Company’s privacy practices. Persons with inquiries or complaints about this Statement are encouraged to first contact the Company’s Data Protection Officer by email at firstname.lastname@example.org , or by regular mail at DPO – Polaris Sales Europe SARL, Place de l’Industrie 2, 1180 Rolle, Switzerland.
For disputes involving employment related personal data received by the Company from the EU, EEA or Switzerland, or where EU, EEA or Swiss employees of the Company make complaints about violations of their data protection rights and are not satisfied with the results of the Company’s internal review, complaint and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they will be directed to the state or national Privacy Authorities or labor authority in the jurisdiction where the employee works. This includes cases where the alleged mishandling of personal data has taken place in the US, is the responsibility of the US organization that has received the information from the EU, EEA or Switzerland employer and thus involves an alleged breach of this Statement. The Company therefore commits to cooperate in investigations by and to comply with the advice of the Privacy Authorities and labor authorities in the EU, EEA and Switzerland and other competent authorities in such cases, and to participate in the dispute resolution procedures of the panel established by the Privacy Authorities, labor authorities, and such other authorities.
Changes to this Statement
This Statement may be amended from time to time, consistent with the requirements of applicable law. A notice will be posted by the Company on the Company Internet website located at www.polaris.com when this Statement is changed.
The Company has other policies that may be applicable to personal data that is within the scope of this. These policies may differ from this policy.
Questions, comments or communications regarding this Statement can be submitted to the Company by mail to:
Polaris Sales Europe SARL
Place de l’Industrie 2
Attention: Data Protection Officer
Or by e-mail to: email@example.com