Graco Global Privacy Policy

Graco Inc. and its subsidiaries (collectively referred to in this document as “Graco,” “we,” “our” or “us”) are committed to respecting and protecting the privacy of every individual who provides us with their personal information.  This Global Privacy Policy (the “Policy”) outlines the types of information Graco collects from individuals, how Graco uses and secures that information, the choices individuals can make about how that information is used and disclosed, and the privacy principles Graco follows in handling and transferring that information anywhere in the world, including transfers from the European Union (“EU”) and Switzerland to the United States.

This Policy applies to all personal information received by Graco in any format, including electronic, paper or verbal.  For purposes of this Policy, “personal information” means any information or set of information that identifies or could be used by or on behalf of Graco to identify an individual.  Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

If we indicate in this Policy or on our websites that personal information is being collected, maintained, used or disclosed, it may be collected, maintained, used or disclosed by Graco through its employees, agents or duly authorized representatives.  By visiting our websites or providing us with your personal information, you consent to the collection, maintenance, use or disclosure of your personal information as described in this Policy.

II.     Privacy Shield

The United States Department of Commerce and the European Commission have developed a framework of data protection principles known as the EU – U.S. Privacy Shield.  The Privacy Shield is designed to provide U.S. companies with a means to satisfy the EU’s legal requirement that an adequate level of privacy protection be afforded to personally identifiable information transferred from the EU to the United States.

The United States Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland have developed a similar framework of data protection principles known as the Swiss – U.S. Privacy Shield to enable U.S. companies to satisfy Switzerland’s legal requirement that an adequate level of privacy protection be afforded to personally identifiable information transferred from Switzerland to the United States.

As part of Graco’s commitment to respecting and protecting personal privacy, Graco complies with the EU – U.S. Privacy Shield framework and the Swiss – U.S. Privacy Shield framework regarding the collection, use, and retention of personal information transferred from the EU and Switzerland to the United States, respectively.  Graco has certified to the Department of Commerce that it adheres to the Privacy Shield Principles (the “Principles”).  If there is any conflict between the terms in this Policy and the Principles, the Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

Graco Inc. and its U.S. subsidiaries are eligible to participate in the EU – U.S. Privacy Shield and the Swiss – U.S. Privacy Shield as they are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). The U.S. subsidiaries of Graco Inc. participating in the EU – U.S. Privacy Shield and the Swiss – U.S. Privacy Shield are Advanjet, Alco Valves (US), Inc., Gema USA, Inc., Graco High Pressure Equipment Inc., Graco Minnesota Inc., Q.E.D. Environmental Systems, Inc. and White Knight Fluid Handling Inc.

III.   Principles

A.    Notice

Graco may collect and use personal information from job applicants, employees and former employees in connection with the management and administration of human resource functions and other employment-related matters, including but not limited to: recruiting, job application and hiring activities; payroll administration; training; succession planning; performance management; employee directories; organization charts; security badges; monitoring the use of company resources; emergency contacts; temporary/contingent workforce planning and staffing; administration and operations of benefits and compensation programs; meeting governmental reporting requirements; security, health and safety management; business travel; access to Graco facilities and computer networks; record keeping; and other employment-related purposes.

Graco may also collect and use personal information from prospective, current and former distributors, suppliers, vendors, contractors, business partners, end-user customers and others for legitimate business purposes, including but not limited to: completing transactions or orders; customer service; developing and improving products and services; product, warranty and claims administration; maintenance of accounts payable and receivable records; internal marketing research and supporting our marketing promotions; generating sales leads; safety and performance management; financial and sales data; meeting governmental reporting and records requirements; and contact information.

When Graco collects personal information from an individual, Graco will inform the individual of the purposes for which Graco is collecting and using the information at the time of collection or as soon as practicable thereafter, but in any event before Graco uses the information for a purpose other than that for which it was originally collected.  Graco will also inform the individual about how to contact Graco with any inquiries or complaints, the types of third parties to which Graco may disclose the information, and the choices and means Graco offers individuals for limiting the use and disclosure of their information.

B.    Choice

Graco will offer individuals the opportunity to choose (opt-out) whether their personal information is to be: (1) disclosed to a third party (other than a third party that is acting as an agent to perform a task on behalf of and under the instruction of Graco); or (2) used for a purpose that is materially different than the purpose(s) for which it was originally collected or subsequently authorized by the individual.

For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), Graco will offer individuals the opportunity to affirmatively and explicitly choose (opt-in) whether such information is to be: (1) disclosed to a third party (other than a third party that is acting as an agent to perform a task on behalf of and under the instruction of Graco); or (2) used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual.  Affirmative and explicit choice (opt-in) is not required when necessary for the establishment of legal claims or defenses, to provide medical care or diagnosis, or to carry out Graco’s obligations in the field of employment law.

Graco will offer individuals reasonable mechanisms to exercise these choices.

C.    Onward Transfer (Transfers to Third Parties)

Graco is a company with operations around the world.  Accordingly, personal information received by Graco may be used globally in connection with employment or business operations within Graco.  Personal information may be transferred between Graco entities located in North America, South America, Europe, the Middle East, Africa, Asia-Pacific and elsewhere.  Personal information may also be transferred to third parties acting as agents and performing tasks on behalf of and under the instructions of Graco.  Graco will transfer personal information received from the EU or Switzerland to a third party agent only if Graco first ascertains that the third party agent subscribes to the Principles, is subject to the European Commission’s Directive on Data Protection or another adequacy finding, or agrees in writing to provide at least the same level of privacy protection as is required by the Principles.  Graco will remain liable under the Principles if a third party agent it engages processes personal information received from the EU or Switzerland in a manner inconsistent with the Principles, unless Graco proves it is not responsible for the event giving rise to the damage.

D.    Security

Graco will take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.  These precautions may include the use of physical, electronic and organizational security measures.  Physical security measures are intended to prevent unauthorized access to database equipment and hard copies of sensitive personal information.  Electronic security measures, such as firewalls, restricted access and/or encryption, are intended to monitor access to Graco’s servers and protect against hacking and other unauthorized access from remote locations.  Organizational security measures are intended to limit access to personal information to only those employees and agents of Graco who have a specific human resources or business purpose for maintaining, using and processing such information.

Graco employees who have access to personal information will be trained regarding this Policy and the privacy principles contained in it, and will be advised that they are responsible for complying with this Policy and that violation of this Policy will result in appropriate disciplinary action up to and including termination.

E.    Data Integrity

Personal information must be relevant for the purposes for which it is to be used.  Graco will not process personal information in a way that is inconsistent with the purposes for which it has been collected or subsequently authorized by the individual.  To the extent necessary for those purposes, Graco will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.  Graco will retain personal information only for so long as it serves a processing purpose.

F.     Access

Graco will provide individuals with access to their personal information and the ability to correct, amend or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

Employees who wish to review, update, correct or delete their personal data may do so by utilizing the self-service function available on the applicable information technology system or by contacting their local Human Resources representative.

Non-employees who wish to correct, amend or delete their personal information may contact Graco at the address or e-mail address provided in the “Recourse, Enforcement and Liability” section below.

G.    Recourse, Enforcement and Liability

Graco uses a self-assessment approach to verify that the attestations and assertions it makes about its privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the Principles.  The verification will be signed by a corporate officer or other authorized representative of Graco at least once per year and is available upon request or in the context of an investigation or a complaint about non-compliance.  The verification will indicate that: (1) this Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible; (2) this Policy conforms to the Principles; (3) individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; (4) Graco has in place procedures for training employees in the implementation of this Policy and disciplining them for failure to follow it; and (5) Graco has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Employees who have questions or concerns regarding the use or disclosure of their personal information should contact their local Human Resources representative.  If the questions or concerns cannot be resolved locally, the matter should be directed to the Vice President of Human Resources.  If the matter cannot be resolved by the Vice President of Human Resources, Graco will cooperate with the competent EU Data Protection Authorities (“DPAs”) or the Federal Data Protection and Information Commissioner of Switzerland as applicable in the investigation and resolution of complaints brought under the Principles.  Graco will comply with any advice given by the DPAs or the Commissioner as applicable in the event the DPAs or the Commissioner determine Graco needs to take specific action to comply with the Principles.

Non-employees who have questions or concerns regarding the use or disclosure of their personal information should contact Graco at:

Graco Inc.Attn: Privacy
88 – 11^th Ave N.E.
Minneapolis, MN, 55413  USA

or privacy [at] graco [dot] com

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our third party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield.

If you are located in the EU or Switzerland you may have the possibility to engage in binding arbitration to address residual complaints not resolved by other means.  For additional information about the arbitration process, please visit www.privacyshield.gov.

IV.  Required Disclosure.

Graco may disclose personal information: (a) to meet national security, public interest or law enforcement requirements; (b) to the extent required by applicable law, regulation or a valid order by a court or other governmental body; (c) to the extent necessary, in Graco’s good faith judgment, to protect the rights, safety or property of Graco, its employees, customers or the public; or (d) in connection with a merger, joint venture, sale or transfer of all or a portion of Graco’s assets or stock, or other similar corporate transactions, subject to applicable law.

V.  Internet Privacy

Information automatically collected upon visiting Graco websites includes the internet protocol (IP) address of the user, the date and time of visit, what pages were visited, what page the user visited immediately before visiting the Graco website, and whether the user is a return visitor.  This information is used to measure the number of visitors to different sections within the Graco websites, to provide the user with a more customized experience, and to help drive improvements for the Graco websites.  “Cookies,” which are small data files that are stored on a user’s computer for record keeping purposes, are used in public areas of the Graco websites.  Most web browsers are set to accept cookies by default.  If users prefer, they can usually choose to set their browsers to remove and reject cookies.  In some cases, removing or rejecting cookies may affect certain features or services on the Graco websites.  Cookies are enabled in the Graco Extranet Distributor Information (GEDI), Customer Inquiry System (CIS) and Sales Inquiry System (SIS) areas of the websites and may be required in order to use certain password protected portions of the websites.  Additional information is available in the GEDI, CIS and SIS policies.

Individuals may choose to send Graco personally identifiable information (such as their name, address, e-mail address and telephone number) when requesting information on-line from Graco.  This personal information is used in order to assist Graco in gathering the information requested and responding to the request.  Information provided in this manner may be viewed by various individuals, depending on the nature of the request.  In limited circumstances, including requests via subpoena, Graco may be required by law to disclose this personal information.  If you do not want this information collected, please do not submit it to Graco.  If you have already submitted this information on-line and have changed your mind, please contact Graco at the address or e-mail address provided in the section entitled “Recourse, Enforcement and Liability” above.

Graco websites may contain links to third party websites or third party websites may have linked to Graco websites.  Graco has no control over third party websites and assumes no responsibility for the content or the privacy policies and practices on those websites.  This Policy will not apply to those websites.  Therefore, Graco encourages all users to read the privacy statements of those websites as their privacy practices may differ from those of Graco.

VI.  Children

Graco’s websites are not directed at children, and Graco has no intention of collecting any personal information from individuals under eighteen years of age.  If a child has provided Graco with personally-identifiable information, a parent or guardian of that child may contact us at the address or e-mail address provided in the section entitled “Recourse, Enforcement and Liability” above to request that this information be deleted from our records.

VII.  Amendments

Graco reserves the right to amend this Policy from time to time consistent with the Principles, so please review this Policy periodically, and especially before providing personal information to Graco.  If we make a material change to this policy, we will notify you here or by posting a notice on our homepage.

Last Updated: 16 April 2018