1. Policy Statement
Chemonics International, Inc. (hereinafter referred to as “Chemonics”) and its affiliates, divisions, business units, and subsidiaries has issued this Policy, which applies to all Chemonics current and former employees, consultants, contractors, sub-contractors, customers, suppliers, and clients who are physically present in the European Union (EU) hereinafter referred to as “Workers” or “Chemonics Workers”.
It is Chemonics’ practice to request, collect, and store personal data necessary to carry out its everyday business functions and activities to provide the products and services defined by our business type. Such data collected includes, but is not limited to: name, address, email address, data of birth, IP address, identification numbers, private and confidential information (such as physical, physiological, genetic, economic, cultural or social identity).
Chemonics has developed policies, procedures, controls and measures to ensure ongoing accountability with the EU General Data Protection Regulation (EU) 2018/679 (the “GDPR”), including staff training, procedure documents, audit measures and assessments.
Data Protection Law for the purposes of this document, is the collective description of the GDPR and any other relevant data protection laws that Chemonics is directly subject to. The purpose of this policy is to ensure that Chemonics meets its legal, statutory, and regulatory requirements under Data Protection Law and ensure that all personal and special category data is processed accordingly. For the purpose of this policy and in accordance with GDPR, personal and special categories of personal data are defined as:
- Personal Data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Special Categories – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The data protection laws include provisions that promote accountability and governance and as such Chemonics has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is to ultimately minimize the risk of data breaches and uphold the protection of personal data. This policy also serves as a reference document for employees and third-parties on the responsibilities of handling and accessing personal data and data subject requests.
This policy applies to all Chemonics Workers including permanent, fixed term, temporary current and former employees, consultants, contractors, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents’ personal data who are physically present and residing in the European Union (EU) and engaged with Chemonics. The policy is designed to provide a minimum standard for Chemonics International with respect to its processing of Worker Data.
Where specific local laws require stricter standards than those prescribed in this Policy, Chemonics will process Worker Data in accordance with applicable local law and may develop specific local policies in this regard. Where applicable local law provides a lower level of protection of Worker Data than that established by this Policy, then the standard required by this Policy will apply.
- Material scope – the GDPR applies to the processing of personal data regardless of automated means (i.e. by computer) or otherwise (i.e. paper records).
- Territorial scope – the GDPR applies to all controllers that are established in the European Union (EU) who process the personal data of data subjects, in the context of that establishment. It also applies to controllers outside of the EU that process personal data in order to offer goods and services to, or monitor the behavior of, data subjects who are resident in the EU.
4. Key Definitions
Biometric Data. Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Confidential Commercial Information: Any information of any nature which is not generally known or not classified as Public by Chemonics (e.g. patent applications, inventions and improvements, whether patentable or not development projects, policies, processes, formulas, techniques, know-how and other facts relating to sales, advertising, franchising)
Binding Corporate Rules: Personal data protection policies which are adhered to by Chemonics for transfers of personal data to a controller or processor in one or more third countries or to an international organization.
Consent: Of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Cross Border Processing: Processing of personal data which:
- Takes place in more than one EU Member State (within the European Union (EU) and the European Economic Area (EEA); or
- Substantially affects or is likely to affect data subjects in one jurisdiction from another jurisdiction within the EU.
Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Protection Authority: An independent public authority of a country responsible for monitoring the relevant laws and regulations relating to data protection.
Data Subject: An individual who is the subject of personal data.
Filing System: Any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
Genetic Data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Recipient: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with EU or EU Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Sensitive Worker Data: Worker Data containing personal information that is considered sensitive, under applicable law.
Supervisory Authority: An independent public authority which is established by an EU Member State.
Third Party: A natural or legal person, public authority, agency or body other than the data subject, under our direct authority.
Transfer: In the context of Personal Data, any capability of accessing Personal Data by an individual, the capability of access of a personal data in one jurisdiction from another jurisdiction which entails the transfer of the Personal Data.
Worker Data: Includes any information relating to an identified or identifiable Worker as defined (current and former employees, consultants, contractors and sub-contractors, customers, suppliers and clients) insofar as that information has been obtained by Chemonics International in the context of Worker’s actual or potential relationship with Chemonics.
5. Roles and Responsibilities
Chemonics has appointed the Data and Records Management Director whose role is to identify and mitigate any risks to the protection of Worker Data; to act in an advisory capacity to the business, its employees, and upper management; and to actively stay informed and up-to-date with all legislation and changes relating to data protection.
The GDPR Owner, currently identified as the Data and Records Management team, is responsible for managing this Policy and is responsible for responding to any actual or potential violations of this Policy.
The GDPR Owner has overall general responsibility for due diligence, privacy impact assessments, risk analysis and data transfers where personal data is involved and will also maintain adequate and effective records and management reports in accordance with the data protection laws and our own internal objectives and obligations.
The business process owner will have specific responsibility for implementing procedures to comply with this Policy for those business processes of which they are responsible, under advisement from the GDPR Owner.
Staff who manage and process personal or special category information will be provided with relevant data protection training and will be subject to ongoing development support and mentoring to ensure that they are competent and knowledge for the role they undertake.
6. The GDPR Principles
6.1. Purposes for Processing of Worker Data
Chemonics collects and uses Worker Data in order to: select and administer its workforce, run its operations, and ensure the safety and protection of Chemonics Workers residing in EU, and its resources, in the context of its relationship with a Worker.
Business activities that require the processing of Worker Data include but are not limited to:
- Payroll, compensation and benefits administration;
- Business travel and employee relocation administration;
- Worker performance management, corrective action, and investigations;
- Worker performance assessments, training and development;
- Worker recruitment; placement, and on-boarding;
- Engagement of Chemonics contractors and sub-contractors;
- Worker identification;
- Worker expense reimbursements;
- Chemonics communication with Workers;
- Compliance with applicable legal requirements;
- Chemonics International facility, security and health and safety management;
- Security, compliance, and risk management;
- Communication with Chemonics International Workers;
- Investigations by Chemonics International;
- Internal safety, security, technical, and operational support;
- Business development and growth opportunities.
6.2. Principles for Processing of Worker Data
Chemonics respects the privacy rights and interests of each Chemonics Worker and adheres to the following general principles when processing Worker Data:
- Personal data is processed fairly, lawfully, and in a transparent manner in relation to the data subject, in accordance with this Policy;
- Personal data is collected for specific and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- Personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
- Personal data is accurate and, where necessary, kept up to date; reasonable steps will be taken to ensure that personal data that are inaccurate or incomplete, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- Personal data is kept in a way which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; subject to the appropriate technical and organizational measures required by the Policy or relevant law (‘storage limitation’);
- Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’);
- Chemonics shall be able to demonstrate, compliance with the data protection laws principles’ (‘accountability’) and requires third-parties engaging with Chemonics to show how they comply with the principles;
- Before Personal Data is processed, or as soon as practicable, Chemonics Workers will be informed about: the purposes for which their Worker Data is collected and used; how they can make inquiries or complaints about the processing of their Worker Data; the types of third parties to which Chemonics discloses their Worker Data; the means Chemonics offers for limiting the use and disclosure of their Worker Data; and the security measures that Chemonics adopts to safeguard their Worker Data;
- Subject to certain exceptions, Chemonics Workers will have the opportunity to choose to not have their Worker Data disclosed to a third party (other than those who are acting as agents for Chemonics under its instructions) or used for a purpose (even if legitimate) which is incompatible with the original purpose for collection. Chemonics Workers will be given a clear and conspicuous, readily available and affordable mechanism by which to exercise their choice.
- Chemonics will not transfer Worker Data to any third party unless the third party provides at least the same level of privacy protection as is required by this Policy; and
- Reasonable precautions will be taken to prevent: unauthorized or accidental destruction, alteration or disclosure of; accidental loss of; unauthorized access to; misuse of; unlawful processing of; or damage to, Worker Data.
7. Legal Basis for Processing (Lawfulness)
The core of all personal information processing activities undertaken by Chemonics is the assurance and verification that we are complying with GDPR and our lawfulness of processing obligations. Prior to carrying out any Worker Data processing activity, we identify and establish the legal basis for doing so and verify these against the regulation requirements to ensure we are using the most appropriate legal basis.
The legal basis is documented in our specific task Work Instructions, data processing register and in our Data Privacy Notice. Where applicable, it will be provided to the data subject as part of our information disclosure obligations. Data is only obtained, processed, or stored. All processing must done pursuant to one of the following legal bases:
- The data subject has given consent to the processing of their personal data for one or more specific purposes (as applicable and required);
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which Chemonics is subject;
- Processing is necessary in order to protect the vital interests of the Worker or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested on Chemonics; or
- Processing is necessary for the purposes of the legitimate interests pursued by Chemonics or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child).
8. Compliance with Applicable Legal Requirements
Chemonics maintains strict due diligence, procedures, and measures in order to ensure review and assess processors prior to forming a business relationship. Chemonics obtains company documents, certifications, and references to ensure that the processor is adequate, appropriate, and effective for the task Chemonics is employing them for.
9. Transfers of Worker Data
9.1. Sharing Worker Data Internally
A transfer of Worker Data between project offices and third-parties will only occur if the transfer is based on a clear business need and is for the purposes described in section 6.1 above, or as specified hereinafter.
9.2. Transferring Worker Data Outside of Chemonics
Chemonics may transfer Worker Data to external parties:
- Where required as a matter of law (e.g., to tax and social security authorities);
- Where required to protect its legal rights (e.g., to defend litigation);
- Where required in an emergency where the health or security of a Chemonics Worker, or other data subject, is endangered (e.g., an accident at work);
- At the direction of the relevant data subject;
- To select third parties, where permitted by applicable local law; or
- To select third parties, as described below.
Chemonics International may disclose Worker Data to select third parties:
- That have been engaged to provide HR or employment-related services to or on behalf of Chemonics, including but not limited to the processing of payroll, insurance, etc. (‘Service Providers’). In such circumstances, Chemonics will only disclose Worker Data that is necessary for the Service Provider’s provision of those HR-related services;
- That obtain services from Chemonics requiring specific information concerning the Chemonics Workers involved in the provision of those services for the purposes of assessing the suitability of Chemonics or the Chemonics Worker providing services to the Client; or safety, security and the protection of the Client’s resources. In such circumstances, Chemonics will only disclose Worker Data that is necessary for those purposes; or where otherwise permitted under applicable local law.
Chemonics will require that Service Providers and Clients undertake, by written contract, to guarantee at least the same levels of protection afforded under this Policy when processing Worker Data.
10. Data Retention & Disposal
Chemonics have defined procedures for adhering to the retention periods as set out by the relevant laws, contracts, our business requirements, as well as adhering to the GDPR requirement to generally hold and process personal information for as long as is necessary. All personal data is disposed of in a way that protects the rights and privacy of a Chemonics Worker (e.g. shredding, disposal as confidential waste, secure electronic deletion) and prioritizes the protection of the personal data in all instances.
Please refer to our Records Control Procedure and Register for full details on our retention, storage, periods and destruction processes.
11. Hard Copy Files and Data
Due to the nature of our business, it is sometimes essential for us to obtain, process and maintain personnel files, share personal and special category information which is only available in a paper format without a de-identification procedure option (e.g. for Biographical Data Sheets (biodatas), copies of personal identification, medical records, hospital invoices, claims information, etc.). Where this is necessary, we utilize a tiered approach to minimize the information we hold and the length of time we hold it for. Chemonics will take reasonable steps to ensure that all Worker Data collected is stored in a secure environment accessible only to authorized personnel.
12. Security and Confidentiality
Chemonics International is committed to taking appropriate technical, physical and organizational measures to protect Worker Data (including Sensitive Worker Data) against: unauthorized or accidental destruction, alteration or unauthorized disclosure, accidental loss, unauthorized access, misuse, unlawful processing, or damage.
These measures include application security, access security, and training for Chemonics Workers about this Policy and the appropriate processing of Worker Data.
The level of the relevant measures will reflect the risks and nature of the different types of Worker Data and will be reviewed and updated periodically consistent with Chemonics’ Information Security Policies.
13. Processing of Sensitive Categories of Worker Data
13.1. Sensitive Worker Data
Chemonics will endeavor to limit the processing of Sensitive Worker Data to that which is necessary for the purposes for which the data was collected. Where Chemonics processes any personal information classed as Special Category, we do so in accordance with the GDPR regulations. Chemonics will only process Special Category data where:
- The Chemonics Worker has given explicit consent to the processing of the personal data (where applicable and required);
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
- Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim;
- Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
- Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; or
- Processing is necessary for reasons of public interest in the area of public health such as protecting against serious cross-border threats to health on the basis of a EU law/government directive.
14. Employee Personal Data
Generally, we do not use consent as a legal basis for obtaining or processing employee personal information. The most common legal basis for processing Personal data is either as necessary for performance for a contract, or in Chemonics’ legitimate interest.
All employees are provided with our Local Field Office Policy Manual, which informs them of their rights under the data protection laws, how to exercise these rights; and are provided with a Data Privacy Notice specific to the personal information we collect and process about them.
15. The Right of Access
15.1. Chemonics Workers’ Rights to Access Their Worker Data
Any Chemonics Worker may inquire Chemonics of regarding the nature of their Personal Data held and to whom it has been disclosed. A Chemonics Worker wishing to access his/her Worker Data should contact his or her local HR representative in the respective Field Offices or the DQ&G team. The request can be made online or Subject Access Request (SAR) Form that Chemonics provides.
Chemonics will ensure that appropriate measures are taken to provide information and any communication with respect to the right of data subjects, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Such information is provided free of charge and is in writing, or where authorized by the data subject to use electronic means (with prior verification as to the data subject’s identity).
Information is provided to the data subject, where required, at the earliest convenience, but at a maximum of 30 days from the date the request is received. Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary. However, this is only done in exceptional circumstances and the data subject is kept informed in writing throughout the retrieval process of any delays or reasons for delay.
Chemonics may request the following from the Worker in order to fulfill his/her request:
- Additional verification of the Worker’s identity;
- Additional information regarding the nature of the request to best determine the appropriate information to provide; and
- The information or processing activities to which the request relates.
Where requests from Worker are manifestly unfounded or excessive, in particular because of their repetitive character, Chemonics may, at its discretion and to the extent permitted under applicable local law, require the Worker to pay a reasonable cost for providing access, or deny such request pursuant to Section 15.2 below.
15.2. Denying Requests to Access Worker Data
Chemonics may refuse a Worker’s request for access to his/her Worker Data in certain circumstances. For example, depending on the circumstances of the request, access may not be provided where:
- The burden or expense of providing access would be disproportionate to the risks to the requester;
- The rights or interests of an individual other than the requester would be violated, such as where access would reveal another individual’s data;
- Access would reveal information which Chemonics has taken steps to protect from disclosure because disclosure would help a competitor in the market (Confidential Commercial Information), such as where Confidential Commercial Information cannot be readily separated from the Worker Data;
- The execution or enforcement of the law, including prevention, investigation or detection of offences or the right to a fair trial would be interfered with;
- An investigation or grievance proceeding being conducted by Chemonics would be prejudiced;
- Any confidentiality that may be necessary for limited periods in connection with Chemonics Worker succession planning and corporate re-organizations or in connection with monitoring, inspections or regulatory functions connected with sound economic or financial management;
- A court or other authority of appropriate jurisdiction determines that Chemonics is not required to provide access;
- A legal or other professional privilege or obligation would be breached; or
- There is no legal requirement for Chemonics to provide such access, including because local legal requirements for a valid data subject access request have not been met.
Where we do not comply with a request for data access, the Worker will be informed within 30 days of the reason(s) for the refusal. The Worker affected may make use of the dispute resolution processes described in ‘Grievance Mechanism’ below to seek remedy.
15.3. Workers’ Rights to Correct Their Worker Data
Personal Data held and processed by Chemonics is reviewed and verified as being accurate and current wherever possible. Where inconsistencies are identified, or where the Worker or a controller identifies the data held is inaccurate, Chemonics will take reasonable steps to ensure that such inaccuracies are corrected.
Where notified of inaccurate data by the Worker, the error will be rectified within 30 days and Chemonics will inform any third party of the rectification if we have disclosed the personal data in question to them. The Worker will be informed in writing of the correction and where applicable, is provided with the details of any third-party to whom the data has been disclosed.
If for any reason, Chemonics is unable to act in response to a request for rectification or completion, a written explanation will be provided to the individual with information of the Workers right to contest.
(a) The Right to Erasure
Also, known as ‘The Right to be Forgotten’, Chemonics ensures that personal data which identifies a data subject, is not kept longer than is necessary for the purposes for which the personal data is processed.
All personal data obtained and processed by Chemonics is categorized when assessed by the Data Classification Standard and Records Control Procedure, and is either given an erasure date or is monitored so that it can be destroyed when no longer necessary. Note that where Personal Data is still being processed for a legitimate purpose, and the legal basis for processing is not consent, or Chemonics’ legitimate interest, the right to erasure is barred.
(b) The Right to Restrict Processing
There are certain circumstances where Chemonics restricts the processing of personal information, to validate, verify or comply with a legal requirement of a data subjects request. Restricted data is removed from the normal flow of information and is recorded as being restricted on the information audit.
Any account and/or system related to the data subject of restricted data is updated to notify users of the restriction category and reason. When data is restricted it is only stored and not processed in any way.
Chemonics will apply restrictions to data processing in the following circumstances:
- Where an individual contest the accuracy of the personal data and Chemonics is in the process of verifying the accuracy of the personal data and/or making corrections;
- Where an individual has objected to the processing, where it was necessary for the performance of a public interest task or purpose of legitimate interests, and Chemonics is considering whether there is a legitimate ground to override those of the individual;
- When processing is deemed to have been unlawful, but the data subject requests restriction as opposed to erasure; or
- Where Chemonics no longer needs the Worker Data, but the Worker requires the data to establish, exercise or defend a legal claim.
The GDPR Owner reviews and authorizes all restriction requests and actions and retains copies of notifications from and to Chemonics Workers and relevant third-parties. Where data is restricted, and Chemonics has disclosed such data to a third-party, Chemonics will inform the third-party of the restriction in place, the reason for such restriction, and re-inform them if any such restriction is lifted.
15.4. Objections and Automated Decision Making
Chemonics Workers are informed of their right to object to solely automated processing in our Data Privacy Notice at the point of first communication, in a clear and legible form and separate from other information. Chemonics provides opt-out options during employment application receiving process and provides an online objection option where such solely automated processing is carried out online.
Where a Chemonics Worker objects to data other processing on permitted grounds, Chemonics will determine if such objection requires processing to be stopped, and if it does, cease the processing for that purpose and advise the Worker of cessation in writing within 30 days of the objection being approved.
Chemonics will use solely automated decision-making processes within the guidelines of the regulations. Such instances include:
- Where it is necessary for entering into or performance of a contract between Chemonics and the individual;
- Where it is authorized by law (e.g. fraud or tax evasion prevention);
- When based on explicit consent to do so; or
- Where the decision does not have a legal or similarly significant effect on someone.
Where Chemonics uses, automated decision-making processes, the Worker is always informed and is advised of their rights.
16. Transfer of Worker Data
Worker Data from the European Economic Area (EEA) is shared with Chemonics and its project offices around the world in accordance with applicable local law and/or under one or more inter-company agreements which safeguard the integrity of the Worker Data and the privacy rights of the Chemonics Worker whom the Worker Data concerns.
Where data is being transferred for a legal and necessary purpose, Chemonics utilizes a process that ensures strong protections which includes data minimization methods where possible.
17. Grievance Mechanism
If at any time a Chemonics Worker believes that his/her Worker Data has been processed in violation of this Policy, the Worker may report the concern to the GDPR Owner or the Office of Business Conduct at email@example.com, or +1 (888) 955-6881.
If a complaint of the nature described above concerns European Economic Area Worker Data and the complaint remains unresolved after referral to the Worker Data Protection team, Chemonics will cooperate with the EEA Data Protection Authorities and/or their representatives (DPAs), as appropriate, for investigation and resolution of the complaint.
If the DPAs determine that Chemonics must take more specific action to comply with legal requirements, Chemonics will comply with the appropriate advice of the DPAs which may include:
- Reversing or correcting the effects of any non-compliance, in so far as is feasible;
- Ensuring that future EEA Worker Data processing will comply with applicable law; and
- Where possible, ceasing the processing of the relevant EEA Worker Data.
18. Communication About this Policy
Chemonics is committed to communicating this Policy to and how it may be accessed by all current and new Workers. This Policy will be available on the internal website.
19. Assessment Procedures
Chemonics will monitor its compliance with this Policy on an ongoing basis. Chemonics will periodically verify that this Policy complies with applicable law and is being complied with. A statement affirming successful completion of any such assessment will be signed by a corporate officer or other authorized representative of Chemonics at least once per year and made available upon request by a Chemonics Worker or in the context of an investigation or complaint about compliance.
20. Policy Governance
This Policy supersedes and replaces any and all prior policies, guidelines and practices, written and unwritten, regarding its subject matter. Subject to any applicable local law, Chemonics reserves the right to change, replace or cancel this Policy with or without notice at its sole discretion at any time.
Chemonics is committed to ensuring that this Policy is observed by all Chemonics Workers. Non-compliance with this Policy may result in corrective action up to and including (where appropriate and lawful) termination of employment.
Compliance with this Policy may be verified through various methods, including internal and external audits.
Employees should contact GDPRcontact@chemonics.com with any questions about this Policy, or with any concerns about possible violations of this Policy.