EU-U.S. Privacy Shield Privacy Statement

General Dynamics Information Technology, Inc. and its wholly owned subsidiaries Arma Global Corporation and Buccaneer Computer Systems and Service, Inc. and its managed affiliate CSRA Inc. (“GDIT,” or “we”) make reasonable efforts to protect Personal Data transferred from the European Union (EU)/European Economic Area (EEA) to GDIT’s operations in the United States (U.S.). This Privacy Statement sets forth the standards under which GDIT will treat such Personal Data.

GDIT complies with the EU-U.S. Privacy Shield framework regarding the processing of European Personal Data in the United States, and commits to subject to the Privacy Shield Principles all Personal Data received in the United States from the EU/EEA in reliance on Privacy Shield. GDIT has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

GDIT’s participation in Privacy Shield is subject to investigation and enforcement by the Federal Trade Commission.

DEFINITIONS

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Data Subject” means an identified or identifiable natural person to whom any given Personal Data covered by this Privacy Statement refers. An identified or identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

“Personal Data” means information relating to a Data Subject.

“Processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Controller.

“Sensitive Personal Data” means Personal Data regarding any of the following:

  • Health or medical condition;
  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership; or
  • Sex life.

“Third Party” is any natural or legal person, public authority, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data.

SCOPE AND RESPONSIBILITY
This Privacy Statement applies to the collection, use, and disclosure in the U.S. of Personal Data of employees (current and former), dependents, beneficiaries, applicants, consultants, and contract workers transferred from countries in the EU/EEA to GDIT’s operations in the U.S.

All employees of GDIT that have access to such Personal Data in the U.S. are responsible for conducting themselves in accordance with this Privacy Statement. GDIT employees responsible for engaging third parties to handle Personal Data covered by this Policy on behalf of GDIT (e.g., temporary staff, independent contractors, sub-contractors, business partners, or vendors) are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Privacy Statement, including any applicable contractual assurances
required by the Privacy Shield Principles.

Failure of a GDIT employee to comply with this Privacy Statement may result in disciplinary action up to and including termination.

PRIVACY PRINCIPLES

GDIT complies with the following principles with respect to the Personal Data described in the “Scope and Responsibility” section of this Privacy Statement that is transferred from countries in the EU/EEA to GDIT’s operations in the U.S.

Notice

GDIT collects, uses, discloses, and disposes of Data Subjects’ Personal Data for human resource management and other business purposes, including:

  • Determining, evaluating, and implementing employment-related actions and obligations.
  • Designing, evaluating, and administering compensation, benefits, payroll, training, and other human resource programs.
  • Monitoring and evaluating employee conduct and performance.
  • Implementing security programs and policies.
  • Maintaining facility and employee security, health, and safety.
  • Collecting and conducting accounting, auditing, and financial transactions and analyses.
  • Collecting and storing customer information in compliance with our contractual and legal obligations.
  • Facilitating business communications, negotiations, and transactions.
  • Cooperating with law enforcement and other governmental agencies.

Candidates for Employment with Clients. GDIT provides a wide variety of services and solutions to its business clients (“Clients”) that facilitate the selection, hiring, and internal mobility of individual candidates for specific employment (“Candidates”). In some instances, GDIT may obtain access to Personal Data about such Candidates in the course of providing the services and solutions. In other specific instances, GDIT may also obtain access to data about our Clients' existing employees or end users in the course of providing support services to the Clients (“End Users”). Such data may include contact details, work history, educational history, work preferences, and other information, depending on the particular Client and application at issue. Wherever we obtain access to Personal Data about Candidates or End Users, we are acting as a Processor on behalf of our Clients, and we therefore conduct such activities strictly in
accordance with their instructions and pursuant to our contractual arrangements with them. If you are a Candidate for employment with one of our Clients, or an End User with an existing relationship with one of our Clients, you should refer to the Client's website or human resources manager to understand the privacy practices that apply to Personal Data that we may maintain about you. Moreover, if you would like to access and review your Personal Data, you should contact our Client (your potential or existing
employer) with any such requests. We will cooperate as appropriate with requests from our Clients to assist with such responses.

GDIT may disclose Data Subjects’ Personal Data to third parties acting as its agent such as consultants, accountants, auditors, lawyers, benefit vendors, and financial services vendors for the purposes described above.

Access

Data Subjects have the right to access Personal Data about them that GDIT holds and will be able to correct, amend, or delete such Personal Data if they can demonstrate it is inaccurate (except when the burden or expense of providing access would be disproportionate to the risks to their privacy, or where the rights of persons other than Data Subjects would be violated). To request access to, correct, amend or delete Personal Data, please contact GDIT at: GDIT Privacy Office (privacy@GDIT.com).

Choice

GDIT will notify Data Subjects before (a) disclosing their Personal Data to any Third Party Controller or (b) using their Personal Data for a purpose that is materially different from the purpose(s) for which the Personal Data was originally collected or subsequently authorized by the Data Subject. That notice will provide Data Subjects with instructions on how they can opt out of such disclosure or use. You may exercise your choice to opt out by contacting GDIT at: GDIT Privacy Office (privacy@GDIT.com).

If GDIT collects Sensitive Personal Data, GDIT will not (a) disclose that information to a Third Party or (b) use that information for a purpose other than that for which the information originally was collected or subsequently authorized by the Data Subject, unless the Data Subject provides prior, explicit consent.

A Data Subject’s decision to opt out of, or refusal to consent to, a particular use or disclosure does not mean that Personal Data already collected will be erased or deleted or that GDIT cannot continue to use or disclose the information already collected for the purpose(s) for which it originally was collected or subsequently authorized by the Data Subject or, with respect to non-Sensitive Personal Data, for compatible purposes.

Accountability for Onward Transfer

Except as otherwise explained in this Privacy Statement, GDIT will transfer Personal Data only to (a) an entity that a Data Subject has specifically authorized to receive the data (and its designated representatives), or (b) Third Parties acting as GDIT’s agents (e.g., service providers that help host or support GDIT's web site, or that otherwise provide technical assistance). Furthermore, GDIT will transfer Personal Data to such Third Parties only if the transfer is for limited and specified purposes and the Third
Party will provide at least the same level of privacy protection as is required by this Privacy Statement and, as applicable, the Privacy Shield Principles.

With respect to transfer to its agents, GDIT will transfer only the Personal Data needed for an agent to deliver to GDIT the requested product or service. The agent will be prohibited from using such Personal Data for any other purpose and will be required to maintain commercially reasonable security measures to protect the confidentiality and security of that Personal Data. GDIT remains responsible under the Privacy Shield Principles if an agent processes Personal Data in a manner inconsistent with the
Principles, except where GDIT is not responsible for the event giving rise to the damage.

In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Privacy Shield, GDIT is potentially liable.

GDIT may also be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Security

GDIT takes reasonable physical, technical and organizational measures to protect the security of Data Subjects’ Personal Data. Such Personal Data is subject to restricted access in our offices. Only employees who need the information to perform a specific job are granted access to Personal Data. Furthermore, all employees are regularly informed about our security and privacy practices. When new policies are added, our employees are notified and/or reminded about the importance we place on privacy, and what they can do to protect our users' and customers' Personal Data. Finally, we maintain reasonable physical, technical, and organizational measures to make sure that the servers on which we store Personal Data are kept in an access restricted, physically secure, and monitored environment.

Data Integrity and Purpose Limitation

GDIT collects only Personal Data that is necessary for the purposes described above and, with respect to non-Sensitive Personal Data, for compatible purposes. GDIT takes reasonable steps to ensure that the Personal Data it collects is accurate, complete, current, and reliable for its intended use.

Recourse, Enforcement and Liability

GDIT is subject to the investigatory and enforcement powers of the Federal Trade Commission.

GDIT will periodically review and verify its compliance with the Privacy Shield Principles and remedy issues arising out of any failure to comply with those Principles.

In compliance with the EU-US Privacy Shield Principles, GDIT commits to resolve complaints about your privacy and our collection or use of your personal information. Data Subjects with inquiries or complaints regarding GDIT’s collection, use, disclosure, or transfer of their Personal Data should first contact GDIT at: Donald Creston, General Dynamics Information Technology, Inc., 3211 Jermantown Road, Fairfax, Virginia 22030; Email: privacy@gdit.com; Telephone: 703-995-1982.

GDIT has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If your inquiry or complaint does not involve human resource data and you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

Should your complaint remain fully or partially unresolved after a review by GDIT, BBB EU Privacy Shield and the relevant DPA, you may be able to, under certain conditions, seek binding arbitration. For more information, please visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Human Resources Data

If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by GDIT, and your inquiry or complaint involves human resource data, you may have your complaint considered by an independent recourse mechanism: for EU/EEA Data Subjects, a panel established by the EU data protection authorities (“DPA Panel”). To do so, you should contact the state or national data protection or labor authority in the jurisdiction where you work. GDIT agrees to cooperate and comply with the decisions of the DPA Panel.

LEGAL DISCLAIMER

We may disclose Personal Data when required by law or in the good faith belief that such action is necessary in order to conform to the edicts of the law, comply with legal mandates, enforce the terms of use of our websites, or to protect the rights, property, or personal safety of GDIT, its users and the public. This may include disclosure in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

QUESTIONS

If you have any questions about this Privacy Statement, or if you would like to request access to Personal Data that we may maintain about you, please contact: GDIT Privacy Office (privacy@GDIT.com).

Effective Date: September 13, 2016