Safe Harbor Policy

Effective July 1, 2010

Calgon Carbon Corporation (Calgon Carbon) respects and protects personally identifiable information that we collect or maintain. As part of our commitment, Calgon Carbon is certified to the US-EU Safe Harbor Agreement regarding human resources personal information. This Policy describes the principles we follow with respect to all transfers of personal information of our employees, whether in electronic, paper or verbal format, between countries in the European Economic Area (EEA) and the United States.

Safe Harbor

The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the Safe Harbor Principles) to enable U.S. companies to satisfy EU law requirements for adequate protection of personal information transferred from the EU to the United States. Consistent with our commitment to protect personal privacy, Calgon Carbon adheres to the Safe Harbor Principles.

Definitions

Agent - Any third party that processes personal information under the instructions of, and solely for, Calgon Carbon or to which Calgon Carbon discloses personal information for use on Calgon Carbon’s behalf.

Personal Information - Any information or set of information about an identified or identifiable individual regardless of the medium or format in which the data is stored that could be used by or on behalf of Calgon Carbon to identify an employee. Personal Information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

Sensitive Personal Information - Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life.

Employee - An individual employed by a Calgon Carbon affiliate, subsidiary or division located in a country of the EEA.

Calgon Carbon - Calgon Carbon Corporation including any wholly-owned subsidiaries that are incorporated in any state or territory in the United States.

Data Controller - A data controller is a party or entity that determines the purposes and means of the processing of Personal Information. A company functions as a data controller when it decides how such data is to be used and uses the data accordingly.

Data Processor - A data processor is a party or entity that processes Personal Information on behalf of a data controller. A company functions as a data processor when it acts as an agent of another company, following its instructions as to how the data should be handled and processed.

Calgon Carbon’s Roles in Handling Personal Data:

For some Personal Information covered by this Policy, Calgon Carbon acts as a data controller, making decisions about the purposes and means of processing of the information received from Europe and using the data for its business purposes, such as personnel management and business planning. For other Personal Information, Calgon Carbon acts as a data processor, maintaining data in its Data Center in Pittsburgh, Pennsylvania solely on behalf of its European subsidiaries and affiliates. The relationship of Calgon Carbon to the Personal Information received from Europe under its Safe Harbor certification is summarized in the following table:

Type of Personal Information

Calgon Carbon
acts as a
data controller

Calgon Carbon
acts as a
data processor

Lotus Notes Applications: Information provided by employees through an annual Code of Conduct survey certification and/or training process and quarterly certifications for SOX controls.

Data Center Servers Systems Environment: Information relating to employees and customers in legacy applications that support business and manufacturing processes, including time and attendance, manufacturing traceability and training records.

System Application & Products (SAP): Information relating to customers, suppliers and employees needed to support standard business functions, such as purchasing, general ledger, accounts payable and accounts receivable. The data consists of business

contact information, sales and purchase records and other transaction accounting, and data relating to billing, collections, customer service, and re-imbursement of employees for travel and expenses.

Cornerstone - Learning Management System (LMS): HR database for Calgon Carbon employees worldwide.

Global Data Warehouse: A sub-set of basic data relating to all employees needed to support management oversight, reporting and planning.

Lotus Notes: The server and related software that provides email capabilities to Calgon Carbon employees worldwide.

 

A. Calgon Carbon as a Data Controller

With respect to Personal Information received from Europe where Calgon Carbon operates

as a data controller (namely, data in Lotus Notes Applications, SAP, LMS, Global Data Warehouse and Lotus Notes), Calgon Carbon handles such information in accordance with the seven Safe Harbor Privacy Principles (Notice, Choice, Onward Transfer to Third Parties, Security, Data Integrity, Access and Enforcement). A full statement of these principles, summarized below, may be found on the Safe Harbor website of the U.S. Dept. of Commerce www.export.gov/safeharbor/eg_main_018247.asp.

The following privacy principles are based on the Safe Harbor Principles.

1.         Notice

Where Calgon Carbon collects Personal Information directly from Employees, we will inform them about the purposes for which we collect and use Personal Information about the Employee, how to contact Calgon Corporation with any inquiries or complaints, the types of non-agent third parties to which Calgon Carbon discloses that information, and the choices and means Calgon Carbon offers individuals for limiting the use and disclosure of their Personal Information. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as practicable thereafter, and in any event before Calgon Carbon uses the information for a purpose other than that for which it was originally collected.

2.         Choice

Calgon Corporation collects and uses Personal Information to help operate its business.  Where Calgon Carbon collects Personal Information directly from Employees in the EEA,we will offer the opportunity to Employees to choose (opt-out) whether their Personal Information is (a) to be disclosed to a non-agent third party or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Calgon Carbon will provide individuals with reasonable mechanisms to exercise their choices.

For Sensitive Personal Information, Calgon Carbon will give Employees the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of the information to a non-agent third-party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Employee.

3.         Onward Transfers to Third Parties

Calgon Carbon will obtain assurances from third party business partners (Agents) that they will safeguard Personal Information consistent with our policies. Before making a disclosure to a third party, Calgon Corporation will first apply the Notice and Choice principles described above.   Examples of appropriate assurances that may be provided by third party business partners include: a contract obligating the third party to provide at least the same level of protection as is required by the relevant Safe Harbor Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), Safe Harbor certification by the third party, or being subject to another European Commission adequacy finding. Where Calgon Carbon has knowledge that a third party business partner is using or disclosing Personal Information in a manner contrary to this Policy, Calgon Carbon will take reasonable steps to prevent or stop the use or disclosure.

4.         Security

Calgon Carbon will take reasonable precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5.         Data Integrity

Calgon Carbon will use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Employee. Calgon Carbon will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current.

6.         Access

Upon request, Calgon Carbon will grant Employees reasonable access to Personal Information that it holds about them except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of persons other than the individual would be violated. In addition, Calgon Carbon will take reasonable steps to permit Employees to correct, amend or delete information that is demonstrated to be inaccurate, out-of-date or incomplete.

7.         Enforcement and Dispute Resolution

Calgon Carbon will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy and reviews of the Employees who manage Personal Information. Any Employee that Calgon Carbon determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment. Complaints or concerns that can't be resolved internally will be referred to the Data Protection Panel comprised of EU data protection regulators. Calgon Carbon agrees to cooperate and comply with the Data Protection Panel, the U.S. Department of Commerce, the U.S. Federal Trade Commission, relevant state or provincial authorities and law enforcement and judicial authorities in investigating any complaints as well as correcting any noncompliant practices.


B. Calgon Carbon as a Data Processor

With respect to Personal Information received from Europe where Calgon Carbon operates as a data processor (namely, data in the Data Center Servers), all access to, and use of, such data is controlled by Calgon Carbon’s European subsidiaries and affiliates collecting the data. Staff in Calgon Carbon’s Data Center have no access to, and make no use of, such data. Their sole function is to provide the limited technical support needed to run the systems on Calgon Carbon’s servers for the benefit of authorized users in Europe.

In accordance with the provisions of Safe Harbor’s FAQ 10 – Article 17 contracts, Calgon Carbon has entered into a contract with each of its European subsidiaries and affiliates that control data in one of the supported systems. Under the terms of this contract, Calgon Carbon is obligated to process the data only in accordance with instructions from the exporting European business entity and to provide an appropriate level of security for the data. The principles underlying these requirements can be summarized as follows:

1.         Limits on Processing

Calgon Carbon acts strictly as an “arms-length” data processor with respect to data in the supported systems referenced above, with the sole responsibility of keeping the systems up and running. Calgon Carbon does not have the authority to access or use the Personal Information in these systems. Data Center staff attempting to bypass security protocols and policies in order to access Personal Information are subject to dismissal and/or prosecution.

2.         Security

Calgon Carbon takes reasonable precautions, including administrative, technical, personnel, and physical measures, to safeguard Personal Information against loss, misuse, theft, and unauthorized access, disclosure, alteration, and destruction. Calgon Carbon’s security policies, operating procedures and technical controls, where applicable, generally adhere to commonly accepted standards for security of networks, infrastructure, applications and data.

As indicated in FAQ 10, Calgon Carbon’s European subsidiaries and affiliates, as data controllers with respect to the data, remain responsible for following other privacy principles or provisions required by local laws, such as those relating to notice, choice, data integrity, access, etc.

Limitation on Scope of Principles

Adherence by Calgon Carbon to this Policy may be limited to the extent required to meet legal, governmental or national security obligations.

Changes to This Policy

This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. Calgon Carbon will provide appropriate notice about such amendments.

Contact Information

Questions or comments? Send your inquiries to safeharbor@calgoncarbon-us.com.