Privacy notice – EY Catalyst smart factory applications
This Privacy Notice is intended to describe the practices EY follows in relation to the EY Catalyst Smart Factory Applications (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right. The entity that is acting as data controller by providing this Tool on which your personal data will be processed and stored is EY Catalyst Ltd.
The personal data you provide in the Tool is shared by EY Catalyst Ltd with one or more member firms of EYG (see “Who can access your information” section below).
The Tool is hosted on servers in the European Union.
3. Why do we need your information?
The Tool is a product family that integrates human capabilities and smart technologies to help accelerate and sustain performance improvement.
Your personal data processed in the Tool is used as follows:
Client and personal data are used in the system to perform the following functions:
- Create and update master data for CIL tasks and CL tasks (create tasks, modify task fields, approve tasks, set task effective dates and versions)
- Execute daily CIL and CL tasks per their defined schedules as part of the client’s Operations Excellence program
- Create and update equipment defect incident information
- Execute the client’s Operational Excellence meeting program, in which each production line has regular meetings to review the collected data on machine performance and downtime, production statistics, and other topics of interest defined by the client
- View performance and reliability analytics for client production equipment
- View analytics on client’s Operational Excellence activities.
- Track changes to data in the system for diagnostic and support purposes
- Track and report on individual adherence to schedule (individual)
- Track and report on completion of learning activities (individual)
- Track team/line performance (through KPIs and assessments)
- Track and report on usage analytics (automated and manual)
Client confidential information is used by the client only to assist in day-to-day operations and knowledge sharing efforts.
EY personnel data is used for log in purposes. Their data is also tracked as per a normal system user when they use any applications in the support of a client. For example, they may create assessments, plans or tasks or may leave comments or notes in the system for client users.
EY relies on the following basis to legitimize the processing of your personal data in the Tool: The legitimate interests pursued by the data controller or by a third party. The specific legitimate interest pursued are conducting client engagements.
The provision of your personal data to EY is optional. However, if you do not provide all or part of your personal data, we may be unable to carry out the purposes for processing.
4. What type of personal data is processed in the Tool?
The Tool processes these personal data categories:
- Unique identifiers such as nickname
- Email address
- Job title/role
- Work task listings (e.g. works items that are assigned to them through the system)
- Whether or not the individual carried out the task to standard/within requirements
- Documents associated with users (standards, examples of work carried out, general information that they share through the applications)
- User-generated comments and discussion threads and any user-generated insights
- Records of learning completion, pass/fail/marks achieved
- Shift/work schedule information
- Machine data linked to user (when user is the operator)
- Process/batch information (when user is the operator/QC, etc)
- User initiated support requests (details of the request, response history)
- Online identifiers such as internet protocol (IP) addresses, internet domain name, cookie strings, information regarding which website pages are accessed, browser type, and version
- All user system interactions are logged in system/application logs, including (but not limited to):
- User connections
- Authentication events and errors
- Token validations
- API connections
- Email requests via SMTP
- Back Office integration service
- File indexing events
- Application errors (may be associated with a user)
This data is provided directly by EY partners, employees and contractors, clients and a feed from other EY systems, specifically Active Directory in relation to employee data for authentication purposes.
5. Sensitive Personal Data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any sensitive personal data from you via the Tool. The Tool’s intention is not to process such information.
6. Who can access your information?
Your personal data is accessed in the Tool by the following persons/teams:
- Named users have access to the application via the front end as well as the backend as required to assist with troubleshooting and application development requirements. These currently include certain members of other EY member firms as well as Catalyst development partners.
- External and internal developers have access to all data in the system as they have access to the database for development, deployment, testing and production support purposes.
- EY System Administrator, EY Support. EY Administrators and support specialists have access to all data in the system as they have access to the database for development, deployment, testing and production support purposes.
- EY System Administrator is responsible for maintaining the operational status of the application system
- EY Support is responsible for troubleshooting and diagnostics of application operation, including resolution of data errors and user login issues.
Client Roles: Client End Users and Client Administrators
- Client users have various levels of access to application functionality. This differs depending on the application and security level within the application. For each application there is typically at least one level of client user that has access to all system information for that client.
- Each client has their own instance and can only access their own data.
- The above parties are located in the following places and have the following levels of access:
EY System Administrators
- Location: South Africa, USA, UK, Costa Rica, Poland, India, Argentina (others potentially)
- Purpose: Application development and infrastructure management
- Level of Access: Read, Edit, Delete
EY Catalyst Application Support
- Location: South Africa, USA, Costa Rica, Poland, China, India
- Purpose: resolution of end-user and system technical issues, assignment of authentication and access rights, client set-up/configuration, subscription management, application testing and troubleshooting
- Level of Access: Read, Edit, Delete
Client Roles (All)
- Location: Variable (client may have sites in any country, each client role will be associated with one of them).
- Manual entry of data for which there is no automated source
- Authoring of standards, content creation and upload, knowledge sharing activities (sharing images, standards, advice, etc.)
- Generating work plans and assigning responsibility
- Completing training activities
- Level of Access: Read, Edit
The number of users will vary depending on client needs.The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at (www.ey.com/ourlocations). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules (www.ey.com/bcr).
7. Data retention
The policies and/or procedures for the retention of personal data in the Tool are: Data is retained for client until a) client discontinues service, or b) client’s defined data retention period is reached. Disaster recovery data sets (i.e. backups) may briefly retain data that has been purged from the operating application until they are purged.
Your personal data will be retained in compliance with privacy laws and regulations.
After the end of the data retention period, your personal data will be deleted.
EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
9. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool, contact your usual EY representative or email your request to firstname.lastname@example.org.
10. Rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to email@example.com
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at firstname.lastname@example.org or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
12. Contact us
If you have additional questions or concerns, contact your usual EY representative or email data protection team.