National Steel & Shipbuilding Co. California Consumer Privacy Act Policy

This Privacy Policy is intended to provide information about the personal information collected, how this information may be used by General Dynamics National Steel & Shipbuilding Co. (the “NASSCO”), an individual’s privacy rights and the company’s obligations in accordance with the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”). Unless otherwise noted, all terms herein have the meanings set forth in California Civil Code §1798.140.

Scope

This Privacy Policy applies solely to natural persons residing in California. It does not apply to individuals living elsewhere, businesses, or other corporate entities unless required by law or regulation. NASSCO’s Human Resources Vice President is responsible for maintaining and updating this Privacy Policy.

Personal Information Collected

NASSCO collects personal information data through its interactions with individuals. Individuals provide this information voluntarily as a condition of employment or upon application for employment with NASSCO. NASSCO collects personal information as is practicably necessary, or as required by state and federal law, in order to provide services related to employment or potential employment with NASSCO as well as to manage and operate its business. NASSCO also collects such information to prevent unauthorized access and modification to company facilities and systems, to prevent unauthorized access to Government facilities and systems, and to update employment records. Where the company uses and/or discloses Sensitive Personal Information (SPI), its use and/or disclosure of SPI is limited to those purposes defined in the California Consumer Privacy Act Regulations §7027(m).

NASSCO does not sell or share your personal information to third parties, and has not done so in the previous twelve months. As such, NASSCO does not have actual knowledge that it sells or shares the personal information of consumers under 16 years of age.

A. Categories of Personal Information Collected

1. Identifiers such as real name, alias, postal address, email address, account name, social security number, driver’s license or state identification card number, passport number, or other similar identifiers;
2. Physical characteristics or description, insurance policy number, education and employment history, bank account number, medical information, and health insurance information;
3. Characteristics of protected classifications under California or federal regulation, as required by law;
4. Fingerprints and photographs, as necessary;
5. Internet (if on a company network or device) and company intranet network activity information, including but not limited to browsing history, search history, and information regarding an individual’s interaction with an internet website application or advertisement;
6. Geolocation data, if using a company device (e.g., a company-provided cellphone);
7. Visual and audio information obtained from security devices on the company’s premises;
8. Professional or employment-related information, including information obtained pursuant to exercising rights under the CCPA; and/or
9. Sensitive personal information (SPI), including:
   1. Social security, driver’s license, state identification card, and/or passport numbers;
   2. Account log-in and financial account with any required security or access code, password, or credentials allowing access to an account;
   3. Geolocation when using company devices or assets;
   4. Racial or ethnic origin, religious or philosophical beliefs, or union membership;
   5. Email and text messages if using company addresses, accounts and/or devices, and
   6. Personal information collected and analyzed concerning health and occupational injuries.

B. Categories of Sources from Whom the Company Collects Personal Information

The Company collects personal information from the following categories of sources:

1. An individual or designated agent;
2. Publicly accessible sources;
3. An individual’s healthcare provider, with consent;
4. A bank, credit union, or other financial institutions, with consent;
5. Background check providers, with consent; and
6. Security systems operating on company property.

C. Categories of Personal Information Disclosed to Third Parties for a Business Purpose
NASSCO discloses categories of Personal Information it collects to third parties only as necessary for business purposes. These business purposes are, as is practicably necessary, or as required by state and federal law, to provide services related to your employment or potential employment, and to manage and operate the business. NASSCO may also disclose such information to prevent unauthorized access and modification to its facilities and systems and to prevent unauthorized access to Government facilities and systems.

D. Rights under the CCPA

Under the CCPA, individuals may exercise the following rights:

1. The right to know what personal information the company has collected about them, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the Company discloses personal information, and the specific pieces of personal information the business has collected;
2. The right to delete personal information that the business has collected, if appropriate and subject to certain exceptions;
3. The right to correct personal information that the business maintains about an individual;
4. If the company sells or shares personal information, the right to opt-out of the sale or sharing of your personal information by the company, unless subject to an exception;
5. If the company uses or discloses sensitive personal information for reasons other than those set forth in CCPA Regulations §7027(m), the right to limit the use or disclosure of sensitive personal information by the company; and
6. The right not to receive discriminatory treatment by the company for the exercise of privacy rights conferred by the CCPA, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights.

Please note that, as described above, the company limits its use of sensitive personal information to the uses necessary to perform the services expected by the average consumer, in addition to any of the legally authorized exceptions in CCPA Regulations §7027(m), and it does not sell or share personal information.

California residents may exercise any of the rights described herein and under applicable privacy laws as described in this Privacy Policy. The company will not discriminate against an individual for exercising such rights. Except as described in this Policy or provided for under applicable privacy laws, there is no charge to exercise legal rights under this policy; however, excessive and unfounded requests may result in a reasonable administrative fee or refusal to act on the request with notice.

Exercising Rights

For questions regarding NASSCO’s privacy policy, and to exercise rights under the CCPA, please contact NASSCO’s Privacy Officer at any time by emailing PrivacyInfo@nassco.com. Alternatively, the Privacy Officer may be contacted via mail at the following address:

Attn: Privacy Officer
National Steel & Shipbuilding Co.
2798 East Harbor Drive
San Diego, CA 92113-3650
United States

When making a request, the company may require up to three pieces of personal information to verify identity prior to responding to a request. For instance, current employees may need to verify a request by providing company computer log in and password along with employee badge number. Current employees without a company email account, may be asked to provide badge number and state identification number and/or social security number. Requests submitted by an authorized agent will require additional verification, including written permission to act on an individual’s behalf, which the company will verify.

Upon receipt of a request, the company will respond within ten business days to confirm receipt, provide information about how the request will be processed, begin the process of verifying the request, and provide notice when a response will be complete (no later than 45 calendar days from the day request is received). If the company is unable to verify an individual’s identity, additional information may be requested or the initial request denied. In the event it is proves difficult to verify an individual’s identity, the company may provide notice of up to an additional 45 days to process the request.

Modifications and Revisions

NASSCO reserves the right to modify, revise, or otherwise amend this Privacy Policy at any time and in any manner. Any new version of this policy will be posted on nassco.com and/or distributed as required.