P&G Employee Privacy Policy /
Last Updated: October, 2012 / Scope: Global with Country Limitations
Owner: Global Privacy Director / Approver: Ethics & Compliance Committee

Company Intent

P&G values the trust and loyalty of our Employees and has designed our privacy policy to meet both the business needs of the Company and the security and protection of P&G Employees’ personally identifiable information (PII). The intent of this policy is to provide global principles and notice to you about how P&G will do this. In addition, many countries have specific legal requirements governing the use of PII, including your Employee PII. The Company will comply with all laws and regulations, including local data protection and co-determination laws, and will implement additional procedures, standards, and policies wherever needed to meet these requirements.

This policy informs you of how P&G will use your Employee PII. It also describes for you the Company’s expectations for those who collect, manage, or otherwise administer P&G Employee PII. This Employee policy is in line with P&G’s Purpose, Values, and Principles.

Table of Contents

Principles

Definitions Used within this Policy

Individuals Handling Employee PII for P&G Must Abide by This Policy...... 2

POLICY...... 3

How P&G Will Collect and Manage Your Employee PII...... 3

Types of Employee PII P&G May Collect and Use...... 4

Protecting You, Protecting P&G:...... 5

Additional Information...... 6

Related Links / Policies:...... 6

Principles

  • Collect and manage Employee PII solely to meet P&G’s legitimate business interests, including protecting the Company and its Employees
  • Respect individual privacy
  • Comply with relevant laws
  • Follow appropriate standards and procedures when collecting and/or managing PII

Definitions Used within This Policy

Employee: For the purposes of this policy, the term Employee includes current and former Employees, retirees, and prospective Employees.

Personally Identifiable Information (“PII”): As defined by laws and regulations, PII is any information that directly or indirectly can identify an individual – such as, among others, name, physical address, email address, government ID, photograph, birth date, service date, family relationships, religion or belief, expressions of opinion and indication of intentions relating to individuals or any combination of such information that might allow others to identify an individual. For clarity, within P&G, this definition also includes any information related to a person -- such as T#, Employee ID, P&G salary and rating, etc. -- that when combined with other PII can identify a P&G Employee. Refer to P&G’s data classification standard for more detail.

Sensitive Personally Identifiable Information (“Sensitive PII”):P&G’s data classification standard also defines Sensitive and Highly Sensitive PII (referred to collectively here as “Sensitive PII”). Examples of Sensitive and Highly Sensitive PII include, among others, Personally Identifiable Information relating to an individual’s racial or ethnic origin, gender, political opinions, religious or political beliefs, trade-union membership, health or medical records, benefits plan enrollment, information about sexual life, social security number, financial accounts including account numbers and personal identification numbers (PINs), or criminal records.

Privacy: In some countries, Privacy is referred to as Data Protection.

The Company or P&G: For purposes of this policy, the Company or P&G refers to The Procter & Gamble Company and its subsidiaries.

Individuals Handling Employee PII for P&G Must Abide by This Policy

The Company expects its Employees and any P&G contractors, suppliers, agencies, temporary workers, etc., or any other parties acting on P&G’s behalf (collectively, “third parties”) who collect or manage Employee PII to follow this policy, whether they are utilizing P&G’s and/or their own electronic systems and data management tools. P&G Employees are responsible for ensuring any third parties they supervise comply with this policy and with any additional specific standards and procedures that are applicable.

Failure to comply with this policy by P&G Employees can result in disciplinary action which may include termination. All disciplinary action will be applied in a manner consistent with local law. For third parties collecting or managing Employee PII on P&G’s behalf, failure to comply with this policy can lead to negative business consequences, up to and including termination of the business relationship and damages claim.

POLICY

How P&G Will Collect and Manage Your Employee PII

P&G respects its Employees’ privacy, and we will use your Employee PII solely for legitimate business purposes in accordance with local laws and with guidance and approval provided by appropriate levels of HR and Legal management. Such purposes may include, but are not limited to, the provision of services to you and protecting the Company and its Employees.

P&G has established general guidelines for any Employee or third party acting on P&G’s behalf who anticipates a need to collect, store or use your Employee PII:

  1. Transparency: Whenever reasonably possible, P&G will inform you and, where applicable, your representatives about the Employee PII that is being collected about you and how it will be used. Note that the type of notification may vary depending on local laws. In some circumstances, the Company may use Employee PII without notification to you, but this will be done in accordance with the law and pursuant to P&G’s legitimate business purposes.
  2. Choice: Whenever reasonably possible, P&G will give you choices about how your Employee PII is collected and used. For example, you may voluntarily choose to participate in marketing research, function calling trees, and department birthday lists. In all cases, when required by law, we will offer you choices regarding participation in certain Company activities that will ask you for your Employee PII.
  3. Handling of Sensitive PII: The Company may collect your Sensitive PII in limited circumstances, such as when required or permitted by law, with your express consent, or when the information is necessary to enter an agreement with you or on your behalf. The Company’s collection, management, and use of such Sensitive PII will be subject to more stringent security and protection measures (e.g. physical security, encryption, access restrictions, or destruction procedures).
  4. Access: You may inquire about the personal data stored or processed about you by P&G. The Company will provide you access to your Employee PII as is required by law or otherwise offered by P&G. However, access to your Employee PII may be restricted under local laws or where needed to protect the Company’s legitimate business interests or its Employees.
  5. Data Quality: The Company makes every reasonable effort to ensure that your Employee PII is reliable for its intended use. Employees are equally responsible for updating and checking the accuracy of the information provided to P&G. If you provide PII of others (e.g., beneficiaries, family members), you must ensure they have granted consent to provide such PII to the Company.
  6. Use, Retention and Disposal: The Company will only collect, access, use, retain or disclose Employee PII for legitimate business purposes and with appropriate HR and Legal guidance and approval. P&G will dispose of your Employee PII according to applicable policies and law. Upon request by you, P&G will delete your Employee PII when this right is granted by local law and/or where P&G can reasonably comply with the request.
  7. Disclosure to Others: P&G will only share your Employee PII with those who have a legitimate business need to know. This may include, for example: when using third party suppliers to perform services on behalf of the Company; when required by law (e.g., to government tax and social security authorities); to defend a lawsuit or regulatory inquiry; or in case of mergers, joint ventures, acquisitions, divestitures, transfer of business or transfer of part of a business. The Company requires that third parties guarantee equivalent levels of protection as applied by the Company when handling your personal information. When required by Company policy or the law, P&G requires that third party suppliers are contractually bound to put in place the appropriate privacy and security measures.
  8. Data Transfer: For some Employee services, it may be necessary for the Company to transfer your Employee PII to affiliates and/or third parties in and/or outside the country where it was collected. This policy will apply to any such data transfers.
  9. Security for PII: P&G will follow appropriate technical, administrative and physical procedures to protect your Employee PII and will take steps to properly secure such PII from unauthorized access. A detailed list of types of PII and their respective classifications and security requirements can be found on Privacy Central.
  10. Enforcement: Each P&G business unit shall perform its own self-assessments of compliance with this policy. In addition, P&G Global Internal Audit will periodically assess whether Employees and relevant third parties comply with this policy and related Company standards and procedures when they handle your Employee PII. Appropriate follow-up measures, if necessary, are enforced.

Additional guidelines on how the Company handles your Employee PII can be found on Privacy Central and/or by contacting your local Privacy Council representative.

Types of Employee PII P&G May Collect and Use

The types of personal information the Company may collect from or about you include:

  • Recruiting records
  • Payroll, benefits and Employee services data
  • Contact information
  • Data required for regulatory agency reporting (.e.g., Equal Employment Opportunity data)
  • Attendance records
  • Disciplinary and grievance records
  • Performance records
  • Records regarding your use of digital products and services (including your use of email, the internet, social media and user generated content), including such data that we collect through use of “cookie” technology
  • Information gathered from your voluntary participation in marketing and research for P&G products and services
  • Information you choose to share (e.g., via the WBCM Helpline, PG Pulse or other sharing tools and services)
  • Public records (including criminal offence records)
  • Health records you consent to sharing
  • Other records

To learn more about each of these types of personal information and how it may be used by P&G, consult the guidance at Privacy Central.

Protecting You, Protecting P&G:

P&G trusts us to do the right thing; those expectations are described in the Worldwide Business Conduct Manual and our Company policies, standards and procedures. In addition, the Company has an obligation to follow the law and protect Company assets, facilities and Employees. As a result, the Company reserves the right to use lawful means to protect itself and your data from internal and external threats related to the use of the Company’s systems and assets, including individuals’ use of equipment, networks, operations and programs.

The Company may routinely scan, on an aggregated and anonymous basis, electronic networks and system usage data for purposes including, but not limited to, ensuring system integrity, optimal system/network availability, security and cost-effectiveness, appropriate access, application performance, financial compliance and appropriate use by Employees and third parties.

The Company may also perform aggregated non-anonymous system scans which may send automated messages to Employees regarding their use of a system or service. These scans typically help P&G improve its services, tools, Employee training, policies, standards and compliance, and manage costs effectively. Any such scan will be proportional to the specific legitimate business interests of the Company, follow an internal approval process, and be consistent with applicable local law.

The Company reserves the right to perform a more detailed investigation on an individual level when inappropriate or suspicious use of the Company’s systems (e.g., internet and email) by internal or external parties is detected or reported. Any such investigation will be proportional to the specific legitimate business interests of the Company, follow an internal approval process, and be consistent with applicable local law.

The Company also reserves the right to perform real-time surveillance(e.g., cameras, keystroke capture, etc.) to protect itself from internal or external threats or if there is suspicion of illegal behavior (including criminal behavior) or serious violation of the WBCM. Any such real-time surveillance will be proportional to the specific legitimate business interests of the Company, follow an internal approval process, and be consistent with applicable local law.

Additional Information

Resources: Resources available to you are listed on Privacy Central, including the P&G designated country-level Data Protection Officers where required by law.

Questions about Use of Your PII: If you are asked to provide PII about yourself or your family members and you question the business relevancy of the request or if you have other questions or concerns regarding your Employee PII, please contact your HR representative.

Reporting Potential Policy Violations: If you feel this policy has been violated, you have many resources available to help you, including your immediate manager, your HR representative, a member of the Global Privacy Council, Legal, any Officer of the Company, WBCM Helpline (where applicable) and/or your Data Protection Manager (where applicable). We will follow the Incident Response Guidelines for any reported violation.

U.S.-EU and Swiss Safe Harbor Notice: P&G complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. P&G has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view P&G’s certification, please visit

Future Modifications of This Policy: P&G reserves the right to modify this policy as needed, for example, to comply with changes in laws, regulations, Company practices and procedures, or to respond to new threats or new requirements imposed by data protection authorities.

Last updated: October, 2012

Related Links / Policies:

The following policies and procedures relate to employee Privacy and provide additional guidance:

  • Worldwide Business Conduct Manual – global standards to be followed in our daily business activities.
  • Incident Response Guidelines – Explains the process for handling concerns or incidents reported by employees
  • Employee Electronic Data Scanning Approval – outlines approval process to implement electronic scanning of employee records.
  • Employee Privacy Policy Country Level Exceptions – explains country specific variance to P&G Employee Privacy policy due to local laws
  • Appropriate Use of Hardware and Software – outlines employee’s responsibility when using company provided devices.
  • Social Media Policy – provides guidance about choosing to disclose your personal, financial information or Company proprietary information in a posting.
  • Records Retention Schedule – provides standards for disposing of Employee records per company policy, when no longer needed.
  • Privacy Central – contains privacy standards for collecting, using and disposing of Employee records and list of key Privacy contacts.

Privacy Central - 1