Your Privacy

Amcor Privacy Notice

Effective date: June 2024

Amcor Group, including all its affiliated companies ("Amcor" or "we" or "our"), takes data privacy seriously. You can access information on Amcor entities, including their addresses, by clicking here.

This Privacy Notice (the "Notice") aims to inform our current, past, and prospective:

• Users of www.amcor.com and any subdomains under the amcor.com domain which are managed by both the Corporate Communications team and Business Group Marketing Communications.
• Customers, vendors, suppliers, and other business partners of Amcor (and their representatives);
• Amcor job applicants (including candidates for our graduate and accelerated career development programs);
• Participants in our events (including video conferencing events).

This Notice is displayed on and specifically pertains to www.amcor.com and its directly managed subdomains. Other applications and sites created and managed by Business Group Marketing Communications, which are not covered by this corporate-managed privacy policy, will adhere to their respective privacy notices. Nonetheless, any platforms bearing the Amcor brand or using the amcor.com domain will ensure that their privacy practices are consistent with this Notice.

The integration and uniformity of privacy practices across all platforms bearing the Amcor name, regardless of the managing entity, will be subject to ongoing review and coordination among all relevant stakeholders, including Business Group Marketing Communications leads.
about how Amcor processes personal data and other information of such individuals in a manner consistent with applicable data protection and privacy laws of the countries in which it is established (“Applicable Data Protection Laws”).

This Privacy Policy does not apply to our current employees, former employees, or independent contractors (“Personnel”), however, our California and EEA, Swiss, or UK Personnel may obtain a separate privacy notice that applies to them by contacting their respective Human Resources Departments.

Your State Privacy Rights: Residents of California and Nevada have certain rights detailed in the U.S. State Privacy Notice section below. To the extent there is a conflict between any language in this Privacy Policy and the U.S. State Privacy Notice section, the U.S. State Privacy Notice section will control with respect to residents of California (“Consumers”).

Content Overview

1. What personal data do we process about you and where do we get it?

2. Why do we process your personal data and on what basis?

3. Who do we share your personal data with?

4. How long do we keep your personal data?

5. What if you provide us with someone else’s data?

6. Children

7. Do we use cookies and other tracking technologies?

8. Supplemental information for the EEA, Switzerland and the UK

9. U.S. State Privacy Notice

10. Supplemental information for Brazil

11. Questions and contact information

12. Changes to this Notice

1. What personal data do we process about you and where do we get it?

a. When you use our Website and/or otherwise reach out to Amcor

When visiting our Website, you may subscribe to an Amcor newsletter, download Amcor marketing material or product information, request product information or make an inquiry through any of our online contact forms or by reaching out to us directly, we collect personal data about you, such as: your job function/title, name, the company name of your employer or who you otherwise represent, contact details (such as email address and phone number), the country and city where you are based, and additional personal data you provide us with in your enquiries or submissions (such as through the Whistleblower Service, if you do not opt to provide information anonymously).

We will also automatically collect the following information that result from your use of the Website, each time you visit it: browser type and version, operating system and interface, your domain name, if applicable, the website from which you are visiting us (referrer URL), webpage(s) you are visiting on our Website, the documents you download, the date and time of accessing our Website, and your internet protocol (IP) address.

b. When you do business with Amcor

To an extent permitted by the applicable law, Amcor may collect and process personal data concerning our current, past and prospective customers, vendors, suppliers, investors and business partners (and their representatives), such as name, contact details (e.g., email address, telephone number, residential address), job and employer-related information, bank account details and financial information (including credit/income history), transaction history, communications and criminal records, your customer portal login details, information included in your profiles on professional networking platforms (e.g., LinkedIn) , vaccination status, and other business-related information that you or your employer make available to us. We may also obtain personal data about you from other sources, including distributors, Service Providers and Third-Party Services. We are not responsible or liable for the accuracy of the information provided by third parties or for third party policies and practices.

c. When you apply for a job with Amcor (including candidates for our graduate and accelerated career development programs)

Amcor collects personal data from prospective employees, independent consultants, advisers and other prospective staff who submit applications for consideration (e.g., via a dedicated, online talent management platform or via email communication). This includes candidates for our graduate and accelerated career development programs. We may also receive personal data about job applicants from third parties who provide services to us, such as a third-party staffing or recruiting firm, or from our employees through Amcor employee referral program (if applicable), and from candidates’ former employers. This may include personal data, such as your name, contact information, CV (including education and work history, skills, qualifications, and other relevant information), information about your previous work performance provided by your former employers, and other information discussed with you in the course of your application process. We may also view or collect information regarding your right to work in the country, where the position for which you are applying is located (this may include citizenship/residency data, passport data, visa data, and work permit details).

d. When you participate in our events, including webinars and video conferences

We may collect personal data such as your name, job function/title, the company name of your employer, contact details (such as email address and phone number), the country and city where you are based, photos with your likeness, voice and/or video recordings, as part of registration and in the course of training events, meetings, conferences and other events we may organize. We may receive some of this personal data from third parties, if they help us organize these events or co-organize them with us.

e. Sensitive personal data

Some of the personal data that we collect may be deemed sensitive under certain Applicable Data Protection Laws. For example, we may process personal data relating to your disabilities and health, such as your dietary restrictions of special access needs, when you register to participate in one of our events or when you come in for an interview. In certain locations, we may be required by law to employ a certain number of people of a particular gender, of a particular origin or race, or with disabilities or special needs, and therefore, may need to collect relevant information regarding gender, origin, race, disabilities or special needs from job applicants in those limited instances. We may also process personal data related to criminal convictions and offences, as part of our background checks for certain important positions in Amcor. We will only process sensitive personal data about you where this is necessary, and authorized by Applicable Data Protection Laws.

2. Why do we process your personal data and on what basis?

We will process your personal data for the following purposes:

Based on our legitimate business interests as outlined below,
Based on consent we have collected from you/notice we have provided to you,
Based on a need to fulfil/enter into a contract with you,
To fulfil our legal obligations,
Where these are an adequate legal basis for processing of personal data under Applicable Data Protection Laws, or to notify you of other lawful legal basis, as appropriate, in which case we will rely on such legal basis.

Where applicable, we will point out, at the time of the data collection, if the provision of the personal data is a statutory or contractual requirement and whether you are obliged to provide the personal data and the possible consequences of failure to provide such data. We may use personal data about you for any purposes not incompatible with our statements under this Privacy Notice, or otherwise made by us in writing at the point of collection, and not prohibited by applicable law, including, without limitation, for the following purposes:

a. Provide services and products: We process your personal data to provide you (or your employers) with services and products or information pertaining to our services and products you requested. Our transactions will generally be governed by a contract and in order for Amcor to fulfil the terms and conditions of such contract, we need to process your personal data.

This includes facilitation of sales orders, credit and management, preparation of quotes and any applicable discounts, warranty management, credit and payment collection, compliance with relevant export control, AML, KWC and other business-based legal requirements that ask us to process your personal data, and accounting.

b. Customer Portal: If you have an account on one of our Customer Portal(s), we will use your personal data to enable you to access and use its features (such as visibility to your order status, view your pending releases, inventory, invoices etc.). This includes authenticating your account and your access to it over time.

c. Investor relations: We will use your personal data to provide you with updates as required under applicable laws and/or contracts with you, as well as when you subscribe to Amcor investor email alerts on our Website or to reach out to you as otherwise appropriate.

d. Event organization, promotion and management: When you register for/participate in our events, webinars and video conferences, we will process your personal data to authenticate you and ensure your place in the event is reserved. We may also record (voice and/or video) and/or take pictures of some of the events for the following purposes: training, reporting (including to fulfil funding or grant conditions), to document corporate decision-making processes, make records of events available to registered participants after the events took place, other promotional activities.

e. Security of your Amcor accounts: We aim to ensure security of your accounts and our business by preventing and detecting fraud or abuses of our Website and other services, for example, by requesting verification information in order to reset your account password;

f. Improvement of our Website, products and services: We may analyze your visits to our Website and use of or request for our services and products to improve our offerings and internal business processes.

g. Surveys and questionnaires: Amcor may ask users on our Website to complete online surveys, opinion polls or other questionnaire in order to obtaining your input on our products and services, which will help us improve our business practices.

h. Marketing and communications materials: We process your personal data to provide you with various newsletters, news alerts and other marketing materials and product information you have subscribed to, downloaded and otherwise requested from us, or where we have other lawful grounds to provide you with such materials/advertise to you. We may provide these using various marketing communication methods, including, but not limited to: email, SMS/MMS, fax, social media, voice telephony, or other messaging services.

You can unsubscribe from receiving certain marketing communications through mechanisms provided, such as an "unsubscribe" check box included in the messages we send. Additionally, each Business Group's marketing team manages their own subscription centre. You can unsubscribe from any newsletters at any time via the email preference centre for your region:

- For the EMEA region, you can email flexibles@amcor.com to request to unsubscribe.

- For AFNA and ARP, you can email northamericaflexibles@amcor.com to request to unsubscribe.

To opt out of promotional SMS messages, follow the instructions provided in text messages from Amcor to text the word "STOP."

Some of our marketing materials and information may use tracking technologies and analytics tools to help us understand your preferences. For further information, please read our Cookie Policy.

Note: All marketing communications are managed by respective Business Group marketing teams, and not directly by Amcor.com. Please ensure that any actions or requests regarding subscriptions are directed to the appropriate Business Group's marketing team.

i. Whistleblower Service: We provide a whistleblower service for all employees, customers, contractors, principal suppliers and other third parties as a means to report concerns or anything you see or suspect that constitutes: fraud (theft or accounting irregularities); bribery/ corruption; unethical/ illegal behavior; conflicts of interest; and breaches of safety and environmental policies or regulations. If you decide not to file your report anonymously, we will process such report using your personal data, however, at all times in line with our Whistleblowing Policy. In some instances, due to variations in local law, restrictions may apply to your right to remain anonymous or the type of concern you can raise. When you raise your concern either by phone or online you will be informed of any restrictions that may apply. You can learn more about the service on the dedicated Whistleblower Service page.

j. Talent recruitment: We will process and evaluate your application for a job position at Amcor or for a placement in our graduate or accelerated career development programs. We will carry out an initial screening of applications received and may choose to proceed to additional assessment rounds with some of the candidates where further information may be required. Amcor may use automated decision-making in employment decisions, including but not limited to assuring the application meets the legal requirements for work permit and age limit. We may keep and disclose (to other Amcor entities) your application information for consideration of other potential future open positions. We will provide successful candidates with a dedicated notice for employees and other workers, as appropriate.

k. Corporate transactions: We may need to use your personal data in order to comply with requests of a prospective or an actual purchaser interested in Amcor or its assets, or in relation to a prospective or actual purchase of companies or assets by Amcor.

l. Enable your access to and use of our mobile applications: vAmcor may receive personal data during your access to and use of any Amcor mobile application in order to allow your continued use of the apps by verifying your credentials, storing information you create when interacting with our apps and carrying out necessary app maintenance. We may process your personal data for additional specific purposes, for which the apps have been created. If appropriate, we will provide you with relevant additional information in the description of each respective app.

m. Respond to any other requests or inquiries from you.

n. Establishment, exercise or defense of legal claims: We may have against you, pursue together with you, whether in court proceedings or in an administrative or out-of-court procedure.

o. Compliance with applicable laws: Where required by law and/or in response to a request from a court or regulatory body, where such request is made in accordance with the law, we may process your personal data in order to comply with the relevant obligations applicable to Amcor.

p. Improve our business development approach: By processing your personal data, our service providers help us understand how to best connect with on a personal level, when communicating with you about our services and products.

3. Who do we disclose your personal data with?

Personal data may be disclosed to other Amcor subsidiaries and affiliates (i.e., intra-group) or with third parties.

a. Intra-Group

Our affiliates may receive your personal data as necessary for the processing purposes described in section 2 of this Notice. Information on all Amcor affiliates is available here. Depending on the categories of personal data and the purposes for which the personal data is processed, different internal departments within Amcor may receive your personal data. For example, relevant members of our IT department which may be located in multiple Amcor entities, have access to your Website account data in order to ensure access; sales department members in a relevant country will handle your inquiry with regards to our products, depending on where your company is based; and HR staff in the country where you applied for a position with Amcor, together with HR at our local HQ will be handling your applications. Moreover, other departments within the Amcor Group have access to certain personal data about you on a need to know basis, such as the legal department, the finance department or internal auditing.

b. Third Parties

i. Service Providers Acting on our Behalf

Certain third party service providers whether affiliated or unaffiliated, will receive your personal data to process such data under appropriate instructions on our behalf, as necessary for the processing purposes described above, such as:

IT providers such as companies who provide software, computing services and / or hardware, including IT support (e.g., data management, IT service management and storage services, web-hosting, video and / or voice conferencing, email services, digital communication platforms, companies providing machine translations, data analytics providers, etc.);
third parties we hire to perform support services for us (e.g., distributors and shipping partners, as permitted by applicable law);
support services such as companies that provide business support services (e.g., marketing and business development strategy (e.g., companies that help us understand how to best approach you) services providers, mailing vendors, etc.);
companies that provide financial administration (e.g., services and product payment services management, etc.);
companies that provide training and event organization services (e.g., vendors providing training platforms, event organizers, etc.).

These service providers are bound by law and/or contract to protect the confidentiality and security of personal data, and to only use personal data to provide requested services to us and in accordance with applicable law.

ii. Other companies, vendors, suppliers, business partners and public entities

We may also disclose personal data to other companies, vendors, and business partners to perform functions for us, whereby these companies are themselves responsible to determine the purposes and/or means of the processing. We may also share some of your personal data with public or regulatory authorities. Examples include:

financial institutions,
recruitment agencies who identify job candidates;
telecommunications companies who provide fixed line and mobile telecommunications services;
various professional advisors such as lawyers, accountants and auditors;
in relation to prospective or actual strategic transactions involving Amcor (such as mergers and acquisitions),or third parties involved in such transactions;
public authorities such as law enforcement agencies, governmental authorities, courts, tribunals, opposing or other related parties to the proceedings and their professional advisors.

4. How long do we keep your personal data?

Your personal data will be retained as long as necessary to fulfil the purposes we have outlined in section 2 of this Notice, including to provide you with the services and products requested; maintain our business relationship with you; determine eligibility of candidates, prepare for future contract establishment and keep data to account for future job offers (this is limited to 24 months); to organize events, follow up regarding the same and offer the opportunity to participate in future events; or otherwise in accordance with the normal Amcor document retention policy. Once you have terminated the contractual relationship with us or otherwise ended your relationship with us, we will remove your personal data from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it.

We may retain your personal data after the termination of the contractual relationship if your personal data are necessary to comply with other applicable laws, surviving contractual provisions or if we need your personal data to establish, exercise or defend a legal claim, on a need to know basis only. To the extent possible, we will restrict the processing of your personal data for such limited purposes after the termination of the contractual relationship.

If you would like to know more about retention periods applicable to your particular circumstance, you can contact us using details provided in section 11 below.

5. What if you provide us with someone else’s personal data?

In certain circumstances, you might provide us with another person’s personal data – e.g., contact details of your colleagues who can assist with certain orders, character references in your job application, etc. In these cases, we require you to inform that person regarding what personal data of theirs you will give to us and for what purposes you have shared such personal data with us. You shall provide them with a link to or copy of this privacy notice and our contact details. Please let such persons know that they should contact us if they have any additional questions about how we will use their personal data.

6. Children

Our Website is not directed to children under the age of eighteen and we do not knowingly aim to process personal data of such children. Please do not provide such information to us through the Website or otherwise. We may ask you to confirm that you have not done so. If we become aware that such information has been provided to us, we will erase it from our records without undue delay, unless we are required to retain such information by applicable laws.

7. Do we use cookies and other tracking technologies?

The Website uses cookies and other tracking technologies. For further information, please read our Cookie Policy.

8. Supplemental information for the EEA, Switzerland and the UK (including where relevant Applicable Data Protection Laws apply otherwise)

The following terms supplement the Notice with respect to the Company’s processing of European Economic Area (i.e., European Union Member States, Iceland, Lichtenstein and Norway), Swiss and the UK personal data, or where relevant Applicable Data Protection Laws otherwise apply.

To the extent applicable, in the event of any conflict or inconsistency between the Notice and the terms of this Addendum, this Addendum shall govern and prevail with regards to the processing of EEA, Swiss and UK personal data.

a. Data Controller

The Amcor entity with which you have a primary relationship with (such as the entity that concluded sales/services/supply contract with you; the entity that has provided you with marketing and promotional materials and communications; the primary entity in the country for which we created a local website; the entity which (co)-organized an event; or the entity, representatives of which you have been videoconferencing with) is the controller of personal data collected from individuals within the scope of this Notice.

As for the job applicants in particular, the relevant controller for your personal data is the Amcor entity to which you have submitted your job application.

When there is more than one entity responsible for the processing, such as: when two Amcor entities co-signs a business contract with your company; multiple Amcor entities organize an event/training/webinar together; or when our HQ (Amcor Group GmbH) helps local entities pick the right candidates for senior roles in the company; such entities are jointly responsible for the lawfulness of a specific processing activity (“Joint Controllers”).

On some occasions, more than one Amcor entity may process your personal data as independent controllers. If you have any questions about controllership, do not hesitate to contact us (see Section 11 for contact information).

You can check the list of the Amcor entities, including addresses, by clicking here.

b. Legal bases for processing

We only ask you to provide personal data when we have a good reason. Accordingly, in this section we list the legal bases for the processing of personal data.

We rely on the following legal grounds for the collection, processing, and use of your personal data:

the processing is necessary to provide the Website and its services to you;
the processing is necessary for the performance of a contract to which you are a party (section 2.a-d, 2.h, 2.I and 2.m) or to take steps at your request prior to entering into a contract (section 2.j);
the processing is necessary for compliance with a legal or statutory obligation to which we are subject (section 2.a, 2.c,2.i, 2.j);
the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party (section 2.f, 2.g, 2.h, 2.j, 2.k and 2.p above);
where you provided us with your consent to the processing of your data for one or more specific purposes, including in section 2.d (where we ask for your consent with keeping your data for future events), 2.h (for certain direct marketing communications where this is required by Applicable Data Protection Laws), and 2.j (where you give us consent for recruitment purposes or for keeping your application for other future opportunities);
the processing is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure (section 2.n);
to carry out the obligations and exercising specific rights in the field of employment, social security and social protection law (2.j above where national employment laws regulate certain aspects of hiring procedures that require processing of sensitive personal data).

c. Your Data Protection Rights

Under the conditions set by Applicable Data Protection Laws, you may exercise the following rights regarding your personal data (see also Section 11 on how to exercise those rights):

i. Access You have the right to obtain from us confirmation if personal data is being processed, and related information; and the right to obtain a copy of your personal data undergoing the processing.

ii. Rectification You have the right to request the rectification of inaccurate personal data and to have incomplete data completed.

iii. Objection You have the right to object to the processing of your personal data for compelling and legitimate reasons relating to your particular situation, except in cases where legal provisions expressly provide for that processing.

iv. Portability You may receive your personal data that you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit it to other data controllers without hindrance. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.

v. Restriction You may request to restrict the processing of your personal data in certain cases.

vi. Erasure You may request to erase your personal data if (i) it is no longer necessary for the purposes for which we have collected it, (ii) you have withdrawn your consent and no other legal ground for the processing exists, (iii) you objected and no overriding legitimate grounds for the processing exist, (iv) the processing is unlawful, or erasure is required to comply with a legal obligation.

vii. Right to lodge a complaint You also have the right to lodge a complaint with a supervisory authority, in particular in the country of the EEA, Switzerland or the UK where you reside, or where the issue that is the subject of the complaint occurred.

viii. Right to refuse or withdraw consent In case we ask for your consent to processing, you are free to refuse to give consent and you can withdraw your consent at any time without any adverse negative consequences. The lawfulness of any processing of your personal data that occurred prior to the withdrawal of your consent will not be affected.

d. International Transfers of personal data

i. Intra-Group Due to the global nature of our operations, some of the recipients mentioned in section 3 of the Notice may be located in countries outside the European Economic Area (“EEA”), Switzerland or the UK, which do not provide an adequate level of data protection as defined by data protection laws in the EEA, Switzerland or the UK. Certain third countries, such as Argentina, Canada, New Zealand and Switzerland, have been officially recognized by the European Commission as providing an adequate level of protection. International transfers will be to countries where Amcor entities have offices, including the United States of America. The transfer of your personal data outside the EEA takes place on the basis of our Intra-Group Data Transfer Agreement which provides data protection safeguards for the personal data transferred thereunder.

ii. Third Parties

Some of the third parties with whom we share personal data are also located outside the EEA, Switzerland or the UK in third countries, which do not provide an adequate level of data protection as defined by as defined by data protection laws in the EEA, Switzerland or the UK. Transfers to third parties located in other third countries outside the EEA, Switzerland or the UK take place using an acceptable data transfer mechanism, such as the EU Standard Contractual Clauses, Binding Corporate Rules, approved Codes of Conduct and Certifications, or on the basis of permissible statutory derogations, or any relevant data transfer clauses issued by the UK Secretary of State or the UK Information Commissioner (and approved by the Parliament).

Please reach out to us using the contact details in section 11, if you want to receive further information or, where available, a copy of the relevant data transfer mechanism.

9. U.S. State Privacy Notice

This U.S. State Privacy Notice (“Notice”) applies to “Consumers” as defined under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (together, the “CCPA”), Chapter 603A of the Nevada Revised Statutes, and all laws implementing, supplementing, or amending the foregoing, including regulations promulgated thereunder (collectively, “U.S. Privacy Laws”).

This Notice is designed to meet our obligations under U.S. Privacy Laws and supplements the any other Amcor privacy policy. In the event of a conflict between any other Amcor policy, notice, or statement and this Notice, this Notice will prevail as to California Consumers unless stated otherwise.
Applicability

Section 8(a) of this Notice provides notice of our data practices, including our collection, use, disclosure, and sale of Consumers’ Personal Information (“PI”), as defined by the CCPA.
Sections 8(b)-(d) of this Notice provide information regarding Consumer rights and how you may exercise them.
Section 8(e) of this Notice provides additional information for California residents.

For California residents the term “Consumer” is not limited to data subjects acting as individuals regarding household goods and services and includes data subjects in a business-to-business context.

The description of our data practices in this Notice covers the twelve (12) months prior to the Effective Date and will be updated at least annually. Our data practices may differ between updates, however, if materially different from this Notice, we will provide supplemental pre-collection notice of the current practices, which may include references to other privacy policies, notices, or statements. Otherwise, this Notice serves as our notice at collection.

We may Collect your PI directly from you (e.g., when you register for an account); our affiliates; service providers; or other businesses (for example, your employer / our Customer) or individuals.

Generally, we Process your PI to provide services to you or our Customer and as otherwise related to the operation of our business, including for one or more of the following Business Purposes: Performing Services; Managing Interactions and Transactions; Security; Debugging; Advertising and Marketing; Quality Assurance; Processing Interactions and Transactions; and Research and Development. We may also use PI for other Business Purposes in a context that is not a Sale or Share under U.S. Privacy Laws, such as disclosing it to our Service Providers, Contractors, or Processors that perform services for us (“Vendors”), to the Consumer or to other parties at the Consumer’s direction or through the Consumer’s action; for the additional purposes explained at the time of collection (such as in the applicable privacy policy or notice); as required or permitted by applicable law; to the government or private parties to comply with law or legal process or protect or enforce legal rights or obligations or prevent harm; and to assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Corporate Transaction”) (“Additional Business Purposes”). Subject to restrictions and obligations under U.S. Privacy Laws, our Vendors may also use your personal data for Business Purposes and Additional Business Purposes and may engage their own vendors to enable them to perform services for us.

We may also use and disclose your PI under this Notice for Commercial Purposes, which may be considered a “Sale” or “Share” under applicable U.S. Privacy Laws, such as when Third-Party Digital Businesses (defined below) Collect your PI via third-party cookies, and when we Process PI for certain advertising purposes. In addition, we may make your PI available to Third Parties for their own use.

We provide more detail on our data practices in the two charts that follow.

a. PI Collection, Disclosure, and Retention – By Category of PI:

We collect, use, disclose, and retain PI as follows:

Category of PI

There may be additional information we Collect that meets the definition of PI under applicable U.S. Privacy Laws but is not reflected by a category above, in which case we will treat it as PI as required but will not include it when we describe our practices by PI category. Because there are numerous types of PI in each category, and various uses for each PI type, actual retention periods vary. We retain specific PI pieces based on how long we have a legitimate purpose for the retention.

b. Your Consumer Rights

As described more below, subject to meeting the requirements for a Verifiable Consumer Request (defined below) under the California Consumer Privacy Act (CCPA), Amcor provides Consumers the privacy rights described in this section as required by the CCPA. For residents of states without consumer privacy rights we will consider requests but will apply our discretion in how we process such requests except as required by applicable law. We will also consider applying state law rights prior to the effective date of such laws but will do so in our discretion.

Right to Limit Sensitive PI Processing – We only Process Sensitive PI for purposes that are exempt from Consumer choice under U.S. Privacy Laws.
Right to Know / Access – Residents of California are entitled to access PI up to twice in a 12-month period.
Right to know – categories (California Residents only) – California residents have a right to submit a request for any of the following for the period that is 12-months prior to the request date:

1. The categories of PI we have collected about you.

2. The categories of sources from which we collected your PI.

3. The business or commercial purposes for our collecting, selling, or sharing your PI.

4. The categories of Third Parties to whom we have disclosed your PI.

5. A list of the categories of PI disclosed for a business purpose and, for each, the categories of recipients, or that no “sale” or “share” occurred.

Right to know – specific pieces – You may request to confirm if we are Processing your PI and, if we are, to obtain a transportable copy, subject to applicable request limits, of your PI that we have collected and are maintaining. For your specific pieces of PI, as required by applicable U.S. Privacy Laws, we will apply the heightened verification standards as described below. We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to comply with access requests.

Do not Sell/Share – Under the California Consumer Privacy Act (CCPA), there is a broad concept of “Selling” personal information (PI) for which an opt-out is required. California also provides an opt-out from “Sharing” for Cross-Context Behavioral Advertising, which involves the use of PI from different businesses or services to target advertisements. We may Sell or Share your PI and/or use your PI for Cross-Context Behavioral Advertising (also known as Targeted Advertising under certain laws). However, we provide U.S. Consumers an opt out of Sale/Sharing/Targeting that is intended to combine all of these state opt-outs into a single opt-out available regardless of state of residency.

Third-Party Digital Businesses – Third-Party Digital Businesses may use cookies and other tracking technologies that Collect PI about you on our Services, or otherwise Collect and Process PI that we make available about you, including digital activity information. We recognize that providing access to PI on our Services to Third-Party Digital Businesses could be deemed a Sale and/or Share under some state laws. Therefore, we will treat such PI (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Third-Party Digital Businesses, where they are not limited to acting as our Service Provider (or Contractor or Processor), as a Sale and/or Share, and subject to a Do Not Sell/Share/Target opt-out request. We will not Sell your PI, Share your PI for Cross-Context Behavioral Advertising, or Process your PI for Targeted Advertising if you make a Do Not Sell/Share/Target opt-out request.

o Opt-out for cookie PI: If you wish to limit our Processing of your cookie-related PI for Targeted Advertising, or opt-out of the Sale/Sharing of such PI, you need to exercise a separate opt-out request on our cookie management tool available here. Due to the technological differences in handling cookie PI and non-cookie PI, separate mechanisms are required for each. Our cookie management tool allows you to manage cookie preferences effectively on your device. Please note that you must set your preferences individually on each of our websites and apps you visit, across every browser and device you use. As opt-outs via browsers are cookie-based, clearing or blocking cookies will reset these preferences, necessitating a reapplication of your settings through our cookie management tool. Additionally, if you use ad-blocking software, you may not see our cookie banner and may need to directly access our management tool via the provided link.

Opt-out preference signals (also known as global privacy control or GPC): In accordance with U.S. Privacy Laws, certain states require businesses to process Global Privacy Control (GPC) signals, known in California as Opt-out Preference Signals (OOPS), which communicate a user's choice to opt-out of the Sale and Sharing of PI. These signals are generated by platforms, technologies, or mechanisms enabled on devices or browsers. We have configured the settings of our consent management platform to receive and process these GPC signals on our website, details of which are explained by our consent management platform here. While we process GPC/OOPS signals for cookie PI, technical limitations prevent us from doing so in contexts other than those involving cookies. Consequently, we do not process GPC/OOPS signals for non-cookie PI opt-outs. Please be aware that enabling GPC/OOPS will not result in additional fees, alter your service experience, or trigger any intrusive notifications. We do not knowingly Sell or Share the PI of Consumers under 16, unless we receive affirmative authorization (“opt-in”) from either the Consumer who is between 13 and 16 years old, or the parent or guardian of a Consumer who is less than 13 years old. If you think we may have unknowingly collected PI of a Consumer under 16 years old, please [Contact Us](https://www.amcor.com/contact-us). We may disclose your PI for the following purposes, which are not a Sale or Sharing: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute Amcor as defined above, or as part of a merger or asset sale; and (iv) as otherwise required or permitted by applicable law.

Right to delete – Except to the extent we have a basis for retention under applicable law, you may request that we delete your PI. Our retention rights include, without limitation:

1. to complete transactions and services you have requested;

2. for security purposes;

3. for legitimate internal Business Purposes (e.g., maintaining business records);

4. to comply with law and to cooperate with law enforcement; and

5. to exercise or defend legal claims.

Please also be aware that making a deletion request does not ensure complete or comprehensive removal or deletion of PI or content you may have posted.

Note also that, depending on where you reside (e.g., California), we may not be required to delete your PI that we did not collect directly from you. For residents of U.S. states that do not have laws granting Consumers this right we will consider deletion requests but will apply our discretion in how we process such requests except as required by applicable law.

Correct your PI – Consumers may bring inaccuracies they find in their PI that we maintain to our attention, and we will act upon such a complaint as required by applicable law. You can also make changes to your online account in the account settings section of the account. That will not, however, change your information that exists in other places.

Automated Decision Making / Profiling – We do not engage in Automated Decision Making or Profiling.

c. How to Exercise Your Consumer Privacy Rights

To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, please email us at privacy@amcor.com, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests submitted through other means (example, via fax, chats, social media, etc.).

i. Your Request Must be a Verifiable Consumer Request

As permitted or required by applicable U.S. Privacy Laws, any request you submit to us must be a Verifiable Consumer Request, meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail, phone number and/or account information. We will review the information provided and may request additional information (e.g., transaction history) via e-mail or other means to ensure we are interacting with the correct individual. We will not fulfil your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. We do not verify opt-outs of Sell/Share or Limitation of Sensitive PI requests unless we suspect fraud.

We verify each request as follows:

Right to Know (Categories) (available for California residents only) – If you do not have a password-protected account, we verify your Request to Know Categories of PI to a reasonable degree of certainty. If we cannot do so, we will refer you to this Notice for a general description of our data practices.

Right to Know (Specific Pieces) – If you do not have a password-protected account, we verify your Request to Know Specific Pieces of PI to a reasonably high degree of certainty. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request if you are a California resident.

Do Not Sell/Share & Limit SPI – No specific verification required unless we suspect fraud.

Right to Delete – If you do not have a password-protected account, we verify your Request to Know Specific Pieces of PI to a reasonable degree of certainty or to a reasonably high degree of certainty, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized deletion. If we cannot verify you sufficiently to honor a deletion request, you can still make a Do Not Sell/Share and/or Limit SPI request.

Correction – If you do not have a password-protected account, we verify your Request to Correct PI to a reasonable degree of certainty or to a reasonably high degree of certainty, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized correction.

To protect Consumers, if we are unable to verify you sufficiently, we will be unable to honour your request. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses unless you also gave it to us for another purpose.

ii. Agent Requests

You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf and of you. You can learn how to do this by e-mailing us at privacy@amcor.com. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of the CCPA.

iii. Our Responses

Some PI that we maintain is insufficiently specific for us to be able to associate it with a verified Consumer (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that PI in response to those requests. If we deny a request, in whole or in part, we will explain the reasons in our response.

We will make commercially reasonable efforts to identify Consumer PI that we Process to respond to your Consumer request(s). In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with applicable U.S. Privacy Laws and our interest in the security of your PI, we will not deliver to you your account password in response to a Consumer privacy rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us.

iv. Non-Discrimination / Non-Retaliation

We will not discriminate against you in a manner prohibited by CCPA for your exercise of your Consumer privacy rights. We may charge a different price or rate or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable data.

v. Our Rights and the Rights of Others

Notwithstanding anything to the contrary, we may collect, use, and disclose your PI as required or permitted by applicable law and this may override your rights under the CCPA. In addition, we are not required to honour your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

d. Additional Notice for California Residents

i. California Minors

Although our online Service(s) are intended for an audience over the age of majority, any California residents under the age of eighteen (18) who have registered to use our online Services, and who posted content or information on the Service, can request removal by contacting us at privacy@amcor.com, detailing where the content or information is posted and attesting that you posted it. We will then make reasonable, good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. However, this removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines and others that we do not control.

ii. Shine the Light

We may disclose "personal information," as defined by California's "Shine the Light" law (Civil Code Section 1798.83), to third parties for those third parties' own direct marketing purposes. This provision is separate from and in addition to rights provided under the California Consumer Privacy Act (CCPA), and requests must be made separately. If you are a California resident and wish to request a list of the personal information we have shared with third parties for their direct marketing purposes during the preceding calendar year, please contact us at privacy@amcor.com. For Shine the Light requests, please include "Shine the Light Request" in the subject line of your correspondence. In your request, you must attest to being a California resident and provide a current California address for our response. Please note that we will not accept Shine the Light requests by telephone or by fax, and we are not responsible for notices that are not labelled or sent properly, or that do not have complete information. Please be aware that this disclosure requirement applies even if we share the personal data among Amcor entities, which are considered separate "businesses" for the purposes of the CCPA. Functionally, most clients maintain one consolidated opt-out list for both Do Not Sell/Share and Shine the Light requests to streamline the process.

10. Supplemental information for Brazil

The following terms supplement the Notice with respect to the Company’s processing of personal data in Brazil.

a. Data Controller

As for the job applicants in particular, the relevant controller for your personal data is the Amcor entity to which you have submitted your job application.

You can check the list of the Amcor entities, including addresses, by clicking here.

b. Legal bases for processing

We only ask you to provide personal data when we have a good reason.
Accordingly, in this section we list the legal bases for the processing of personal data.

We rely on the following legal grounds for the collection, processing, and use of your personal data:

the processing is necessary to provide the Website and its services to you;
the processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract;
the processing is necessary for compliance with a legal or statutory obligation to which we are subject;
the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party;
where you provided us with your consent to the processing of your data for one or more specific purposes;
the processing is necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure;
to carry out the obligations and exercising specific rights in the field of employment, social security and social protection law;
fraud prevention and security guarantee, in the identification and authentication processes of registration in electronic systems.

c. Your Data Protection Rights

Under the conditions established by the Applicable Data Protection Laws, you can exercise the following rights in relation to your personal data. To exercise them click here:

Confirmation of the existence of the processing;
Access to your personal data;
Correction of incomplete, inaccurate or out-of-date data;
Anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of the Law;
Portability of the data to another service provider or product provider, by the means of an express request, pursuant with the regulations of the national authority, and subject to commercial and industrial secrets;
Deletion of personal data processed with the consent of the data subject, except in the situations described in section 9, b;
Information about public and private entities with which the controller has shared data;
Information about the possibility of denying consent and the consequences of such denial;
Consent Withdrawal, at any time;

d. International Transfers of personal data

Due to the global nature of our operations, some of the recipients mentioned previously on the Notice may be located in countries outside Brazil. We will only transfer your personal data to countries or international organizations that provide a level of protection similar to LGPD or to companies that contractually undertake to adopt such level. We will always take appropriate steps to ensure your personal data is safe.
International transfers will be to countries where Amcor Group entities have offices, including the United States of America. The transfer of your Personal Data outside Brazil takes place on the basis of our Intra-Group Data Transfer Agreement which provides additional data protection for the Personal Data transferred thereunder.

e. Minors

We may process personal data of minors (persons under the age of 18), such as registration data, in the case of dependents and beneficiaries, with the authorization provided by the legal guardian, when necessary, and always in the best interest.

f. Personal Data Security and Protection

We are constantly using and improving tools to protect your personal data from malicious or unauthorized third parties. We adopt adequate security measures to protect ourselves against unauthorized access, alteration, disclosure or destruction of data. These measures include internal reviews of our data collection, storage and processing practices.
Personal data collected and processed internally is only accessed by duly authorized professionals, respecting the principles of proportionality, necessity and relevance for the purposes of our business, ensuring confidentiality and privacy under the terms of this Notice.
Business partners that process any personal data we collect must respect the conditions stipulated in our policies, notices, contracts, applicable legislation and information security standards, necessarily.

g. Contact Channel for Privacy Requests in Brazil

For questions, requests, or concerns related to data privacy and the General Data Protection Law (LGPD) within the Brazilian territory, users may contact us at dpo_br@amcor.com. Currently, Protiviti – ICTS DESENVOLVIMENTO DE SISTEMAS E TECNOLOGIA LTDA serves as the Data Protection Officer (DPO) for Amcor in Brazil, represented by Fernando Fleider. The company is committed to reviewing and responding to inquiries as promptly as possible, in compliance with applicable legal timelines and requirements.

11. Questions and contact information

If you have any questions about this Notice or if you want to exercise your rights, please contact us privacy@amcor.com

12. Changes to this Notice

We may update this Notice from time to time in response to changing legal, regulatory or operational requirements. We will notify you of any such changes, including when they will take effect, by updating the "Effective date" above or as otherwise required by applicable law.