Stepan Company Workforce Privacy Statement

Last Modified: February 2024

This Workforce Privacy Statement (“Workforce Statement”) sets out how the Stepan Company (“Stepan,” “we,” or “us”) collects, uses, discloses, and protects the personal information about our workforce, including employees, contractors, job applicants, and job candidates who reside in certain jurisdictions, namely California (“Workforce”). This Policy supplements our general Privacy Statement, but it does not apply to Stepan customers.

We are committed to protecting the privacy of our Workforce. Accordingly, we will use any Workforce personal information in accordance with this Workforce Statement. However, this Workforce Statement does not protect information you post to public areas or third-party websites, except as set forth herein. This Workforce Statement imposes no duties on us not imposed by state, federal, or other applicable law.

We may change this Workforce Statement periodically by updating this page. You should check back from time to time to ensure that you continue to agree with the terms contained in this Workforce Statement.

Any inquiries about this Workforce Statement should be directed to us at dataprivacy@stepan.com or by mail to:

Stepan Company
Attn: Snr Global Ethics & Compliance Manager
1101 Skokie Boulevard

Northbrook, Illinois, USA 60093

EU-U.S. Privacy Framework Statement

Stepan acknowledges that it is subject to the investigatory and enforcement powers of the Federal Trade Commission, participates in the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), which provides a framework for the transfer of information from the European Union to the United States.

Stepan complies with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Stepan has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the UK Extension, the Principles shall govern.

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Information We Collect

We collect, store and use various types of personal information about our Workforce and applicants, in addition to the personal information outlined in our Privacy Statement. We collect this information through our application, recruitment, employment or engagement processes, either directly from you or (where applicable) from another person or entity, such as an employment agency or consulting firm, recruitment or professional networking website, or other representative, background check provider, or from others who provide references for prospective applicants. We will collect additional personal information throughout the course of your employment.

The kind and amount of information we may hold about you depends on your role with us, or the position you are applying for.

Biographical information: such as name, aliases, date and place of birth, gender and gender identity, and the names and dates of your birth of your dependents.
Contact information: such as home and business addresses, telephone numbers, and email addresses, including about your beneficiaries or emergency contacts.
Financial information: such as wages and compensation history, bank account details if required for direct deposit, social security number, payroll records, tax identifier and tax information.
Business travel and expense information: such as TSA Known Traveler number, passport information and corporate credit card usage.
Application, recruitment, new-hire, or other engagement information: such as application forms and information included in a resume; copies of identity and immigration/work authorization documents; citizenship and residence status; background screening results and references.
Historical career/education information (both internal and external): such as job title, organization charts, start and end dates, work location, appraisal and performance information, details of skills, qualifications, experience and preferences (e.g., mobility), timecards, time-off records, training records, disciplinary and grievance information, HR records, termination details, volunteer activities, professional memberships, educational history (college, vocational schools, high schools, etc.), transcripts.

Internet, electronic network, and device activity information and related identifiers: such as information about your use of our information, communication, and collaboration systems, including user IDs, passwords, IP addresses, and audit trails of system access.
Physical security system information: such as security camera footage and security pass entry records.
Photographs: provided by you or used for work purposes.

Protected classification characteristics: race, national origin, citizenship, marital status, medical condition, physical or mental disability, pregnancy or childbirth and related medical conditions, sexual orientation, veteran or military status.

Use Of Personal Information

We use Workforce personal information for many purposes, including:

Workforce planning, recruitment, and hiring: including assignment planning and budgeting, job advertising, interviewing, background checking as permitted by law, and selecting and engaging individuals to join our team.
Workforce management and administration: including payroll processing, timekeeping, training administration, compensation and benefits, succession planning, handling complaints, grievances and disciplinary procedures, and performance management.
Performance of business operations: including providing, managing, supporting, and improving information and communication systems and processes, maintaining accounts and internal directories, data administration, crisis management, arranging business travel, processing expense claims; and general workplace management.
Legal and regulatory compliance: complying with any state or federal legal, regulatory, and fiscal obligations such as tax, social security and legal reporting obligations, via and immigration status, reporting to governmental agencies, dealing with litigation and other proceedings and claims, responding to and cooperating with legal or regulatory requests and investigations, participating in due diligence activities for the sale, purchase, or reorganization of our business or a part of it, investigating and preventing fraud and other illegal activity, ensuring compliance with policies, guidelines and contracts.
Communications with our Workforce: including about updates and other changes.
Security management: To help maintain the safety, security, and integrity of our network, systems, technology assets, business, premises, customers, and other members of our Workforce.
Matters relating and/or incidental to the items above: including data analytics and management reporting.
As described to you when collecting your personal information or as otherwise permitted under applicable law.

Some of the information we collect may be considered “sensitive personal information” under applicable law. We use sensitive personal information in the following ways:

We may use information relating to medical conditions and disabilities or leaves of absence to comply with (or exercise rights under) employment and other legal or contractual obligations, for workforce planning and administration, and preparing analyses and reports.

We may use information about your physical or mental health or disability status to help protect the health and safety of our workforce and workplace, to assess your fitness to work, to provide reasonable workplace accommodations and to monitor and manage absence to comply with (or exercise rights under) employment and other legal or contractual obligations, and (if necessary) to protect your or others’ vital interests.

We may use information that we may collect about your demographics to ensure meaningful equal opportunity and diversity and inclusion monitoring and reporting, and to comply with (or exercise rights under) employment and other legal requirements.
We will use your social security number for tax, payroll and benefits purposes.

Where the processing of your sensitive personal information is not required by law, we will obtain your affirmative express consent if we are (i) disclosing such information to a third-party or (ii) using such information for a purpose other than the purpose associated with its original collection, or as subsequently authorized by you. In so doing, we will provide you with information regarding the purposes for which your information will be used. Your decision to provide consent is voluntary. If you choose to consent, you will be able to withdraw your consent at any time without penalty. We will also explain the possible consequences of not providing your consent, if applicable, to ensure that your decision is fully informed.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Of Personal Information

We may disclose your personal information to the following third-party service providers:

Compensation and benefits providers,
Payroll service providers,
Tax and other professional advisors,
Technology service providers,
Corporate card issuers,
Travel and expense management providers,
Transport and security providers,
HR management and administration suppliers,
Recruiting agencies and temporary employment agencies,
Background check providers,
Consumer reporting agencies and/or background check providers, and
Auditors, lawyers, and other professional services providers.

Otherwise, we may disclose Workforce personal information:

If and when required to do so by law, regulation, or court order;
In response to a request for assistance by a law enforcement agency;
To seek legal advice external lawyers or in connection with litigation;
In connection with the sale, purchase, or merger of a business or the establishment of a joint venture;
To provide another entity (such as a potential or existing business counterparty or customer) with a means of contacting you in the normal course of business, for example, by providing your contact details, such as your phone number and email address.

Your Rights And Choices

The CCPA provides California-resident consumers with specific rights regarding their personal information. Other jurisdictions such as, the European Union, Canada, Brazil, or China also provide similar rights regarding your right to know, delete, correct, opt-out of, receive notice of, and rights to data portability.

Right to Know and Data Portability: You have the right to request that we disclose certain information to you about our collection and use of your personal data over the past 12 months, which includes:
- The categories of personal data we collect about you.
- The categories of sources from which we collected personal data.
- Our business or commercial purpose for collecting or selling (when applicable) that personal data.
- The categories of third parties with whom we share personal data.
- The categories of personal data about you that we disclosed for a business purpose, and the categories of service providers to whom disclosed that information for a business purpose.

Additionally, you may request that we provide the specific pieces of personal data we collect about you in a portable format.

Right to Delete: You have the right to request that we delete any of your personal data that we have collected from you and retained, subject to certain exceptions. We may deny your deletion request if retaining the personal data is necessary for us or our service providers to:
- Complete the transaction for which we collected the personal data, provide the services you have requested, or take actions reasonably anticipated within the context of our ongoing business relationship.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Enable (internal only) uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Other internal and lawful uses of that information that are compatible with the context in which you provided it.
Right to Correct: You have the right to request correction of any inaccurate personal data we hold about you.
Right to opt-out of a sale: You have the right to opt-out of our sale or our use of personal data for targeted advertising purposes.
Right to receive notice: You have the right to receive notice of our practices at or before collection of personal data and you have a right not to receive discriminatory treatment for exercising any of your rights described under this section. We will not discriminate against you based on your exercise of any of your rights.

In compliance with the EU-US Data Privacy Framework Principles (“DPF Principles”), Stepan commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union and United Kingdom individuals with DPF inquiries or complaints should first contact us at dataprivacy@stepan.com.

For any complaints related to the DPF Principles that Stepan cannot resolve directly, we have chosen to cooperate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals, and the UK Information Commissioner (for UK individuals) in the context of the employment relationship.

Please contact us if you’d like us to direct you to your data protection authority contacts.

Stepan acknowledges that it is subject to the investigatory and enforcement powers of the Federal Trade Commission.

Data Security

While no method of data transmission is guaranteed against unlawful third-party interception or other misuse (for example, e-mail sent to or from our Site may not be secure), Stepan uses commercially reasonable administrative, technical, and physical efforts to ensure protection of your personal information from unauthorized access, disclosure, alteration, and destruction.

Data Retention

We will keep your personal information for as long as is necessary to fulfil the purposes we collected it for, including for the purpose of satisfying legal, accounting and reporting requirements. To determine the appropriate retention period for workforce personal information, we consider the amount, nature and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of the personal information, the purposes for which we process the personal information and whether we can achieve those purposes in other ways, the applicable legal requirements and our reasonable internal purposes. For example, we will keep certain information about former employees (e.g., name, job title, work location, organizational hierarchy, dates of employment) for as long as necessary for our reasonable internal purposes of keeping this information as part of our organizational history and to confirm the facts of their employment with us.

Transfers to Third Parties. We may transfer personal data to certain third-party agents and/or service providers, with whom we have entered into written agreements requiring their compliance with the DPF Principles and at least the same level of privacy protections, to perform services on our behalf. Furthermore, we take reasonable and appropriate steps to ensure that the third party is effectively processing your personal data consistent with our obligations under the DPF Principles.

We may also transfer personal data to our affiliated entities for administrative purposes (i.e accounting or financial reporting) after ensuring that they apply the same level of protection as the DPF Principles and have implemented appropriate technical and organizational measures.

We remain liable under the Data Privacy Framework if a third-party to whom we disclose personal data processes such data in a manner inconsistent with the DPF Principles and/or applicable law, unless we prove that we are not responsible for the event giving rise to the damage.

Submit complaints or questions. If you wish to raise a complaint on how we have handled your personal data, you can contact us as described below. If you reside in an E.U. member state, you may also lodge a complaint with the supervisory authority in your country.

Unresolved privacy complaints arising under DPF Principles may be heard by an independent dispute resolution mechanism. Stepan participates in the JAMS Data Privacy Dispute Resolution process. For more information on the JAMS DPF Resolution process, please visit https://www.jamsadr.com/DPF-Dispute-Resolution or to file a JAMS DPF Dispute Resolution Claim, please visit https://www.jamsadr.com/file-a-dpf-claim. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2