Smurfit Westrock Privacy Notice

1. About this Privacy Notice

The Smurfit Westrock domain (“www.smurfitwestrock.com”) is operated by Smurfit Westrock plc (“Smurfit Westrock”, “Group”, “we”, “us” or “our”). In this Privacy Notice, your personal data means any information which Smurfit Westrock processes about you from which you can be directly or indirectly personally identified (“Personal Data”). This Privacy Notice applies to Personal Data that we and/or on our behalf by our third-party service providers collected and process in the course of your dealings with us. Smurfit Westrock acts as data controller in this regard and your Personal Data will be under the responsibility of the Group.

Smurfit Westrock plc is a global company with locations around the world. As part of our global approach, we endeavor to adopt consistent approaches to our processing of Personal Data to the extent possible. Depending on the region in which you are located, the entities within the Group have established procedures in place to ensure that your Personal Data is protected.

Controller Contact Details

Smurfit Westrock plc is the Controller for the processing activities identified in this Notice. If you have any questions about this Privacy Notice, please contact the Smurfit Westrock Privacy Office at privacyoffice@smurfitwestrock.com

2. How We Collect Your Personal Data

i). Information you provide to us:

We will collect and store any information you provide to us when you:

have opted-in for marketing and / or business communications;
communicate with us via email, phone, post, online forum, or chats
use our website to access our services;
use our social media accounts;
invest in our group;
are an existing Smurfit Westrock customer or supplier; and
access our vendor portal.

ii) Other Information we collect:

when you visit our website we collect cookie data

3. Categories of Personal Data Collected

Please find listed below details of categories of Personal Data that we collect in connection with our domain and the relevant activities listed below. Smurfit Westrock acts as controller with respect to this Personal Data.

WHEN YOU OPT-IN TO OUR MARKETING AND/OR COMMUNICATIONS

i) CONTACT DETAILS

Personal data we collect: Name, Email address, Telephone number and Address
Description: We process this information when you agree to receive marketing or other communications from us

ii) EMPLOYMENT DETAILS

Personal data we collect: Company and location
Description:

iii) BUSINESS ACTIVITIES AND INTERESTS

Personal data we collect: Area of Interest and Marketing Preferences
Description: We process this information when you agree to receive marketing or other communications from us

iv) CONTENTS OF COMMUNICATIONS

Personal data we collect: Content of Messages, Emails, Faxes, Invoices and Purchase Orders
Description: We process this information when you agree to receive marketing or other communications from us

WHEN YOU USE OUR WEBSITE

i) DEVICE/IP DATA

Personal data we collect: IP address, Operating System, Browser information, Internet Service Provider, URLs of Pages Visited, Device Identifiers, Time and Date of Access
Description: This information is collected through the settings on our website. See Smurfit Westrock's Cookie Policy.

WHEN YOU USE OUR SOCIAL MEDIA ACCOUNTS

i) CONTACT DETAILS

Personal data we collect: Name, Email Address, Telephone Number and Social Media Handle
Description: We process this information when you interact with our social media accounts to enable communication.

ii) LOCATION DETAILS

Personal data we collect: Location and Country
Description: We process this information when you interact with our social media accounts to enable communication.

iii) EMPLOYMENT DETAILS

Personal data we collect: Job Title, Company and Area of Interest
Description: We process this information when you interact with our social media accounts to enable communication.

iv) CONTENTS OF COMMUNICATIONS

Personal data we collect: Content of Messages, Emails, Communication sent through Social Media.
Description: We process this information when you interact with our social media accounts to enable communication.

IF YOU ARE A SMURFIT WESTROCK CUSTOMER OR SUPPLIER

i) CONTACT DETAILS

Personal data we collect: Name, Email Address, Telephone Number, Postal address and other information to communicate with you.
Description: This information is collected to process and deliver your order, enable payments, or conduct business with you.

ii) EMPLOYMENT DETAILS

Personal data we collect: Name of Employer, Job Title, Managers and Associates
Description: This information is collected to process and deliver your order, enable payments, or conduct business with you.

iii) PAYMENT INFORMATION

Personal data we collect: Name of Employer, Job Title, Managers and Associates
Description: This information is collected to process and deliver your order, enable payments, or conduct business with you.

IF YOU USE OUR VENDOR PORTAL OR HOLD AN ONLINE ACCOUNT

i) SUPPLIER DETAILS

Personal data we collect: Name, Address, Tax Identification Number
Description: We process this information, collected through our system, vendor portal, or online account, when you create and interact with such systems.

ii) SUPPLIER BANK DETAILS

Personal data we collect: Bank Name, Account Number, IBAN Bank Account key
Description: We process this information, collected through our system, vendor portal, or online account, when you create and interact with such systems.

iii) EMPLOYMENT DETAILS – CONTACT PERSON

Personal data we collect: Name, Telephone, Email Address and Job Title
Description: We process this information, collected through our system, vendor portal, or online account, when you create and interact with such systems.

iv) ONLINE ACCOUNT CREDENTIALS AND USAGE DATA

Personal data we collect: Username, Password and Device Usage Data
Description: We process this information, collected through our system, vendor portal, or online account, when you create and interact with such systems.

IF YOU ARE AN INVESTOR IN OUR GROUP

i) CONTACT DETAILS

Personal data we collect: Name, Email Address, Telephone Number and Address
Description: We process this information, collected through the investment process, to contact you or mail information to you.

4. Purposes for Processing Personal Data

If you are from a jurisdiction that requires a legal basis for processing your Personal Data (such as the EU or the UK), our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which we collect it. We will only process your Personal Data if we have a lawful basis for doing so.

The lawful bases are explained below:

i. Performance of a Contract: When it is necessary for Smurfit Westrock to process your Personal Data to

Comply with legal obligations under a contract with you. This includes our obligations under the terms and conditions of your order, or
To verify information before entering into a contract with you.

ii. Legitimate Interest: Where Smurfit Westrock has an interest in using your Personal Data in a certain way, which is necessary and proportionate in light of improving our customer experience and audience & targeting.

iii. Consent: When Smurfit Westrock asks you to actively indicate your agreement to our use of your Personal Data for a certain purpose.

iv. Compliance with Legal Obligations: When Smurfit Westrock must process your Personal Data to comply with a law.

Listed below are details how Smurfit Westrock will use your Personal Data and the accompanying lawful basis.

A) PROVISION OF GOODS

To provide Goods in accordance with our contract with you. For example, when we use your Personal Data to i) confirm your order; ii)fulfill your order.

Legal basis: Performance of a Contract, Legitimate Interest in communications and business operations
Categories of personal data processed: Contact Data, Telephone Number, Business Address, Business Email Address, Employer

B) USE OF OUR VENDOR PORTAL OR WEBSITE PORTALS AND ACCOUNTS

To provide access to and use of our portals and accounts.

Legal basis: Legitimate Interest including to provide an efficient way of communicating with our customers/suppliers and administering the customer/supplier relationship
Categories of personal data processed: Name of the supplier, Address, Contact Details, Content of Communications, Bank Details, Bank Name, Account Number, IBAN, Bank Account key, Tax Identification Number. Mandatory Attachments include Legal Representative ID (copy), Company registration document, Bank Letter / Statement, Company Tax ID document (copy) and Letterhead.

C) NETWORK AND INFORMATION SECURITY MONITORING

To ensure the safety of our environment and provide effective platforms to interact with you

Legal basis: Legitimate Interest in network and information security
Categories of personal data processed: IP address Location, Operating System Browser, URLs of Pages Visited, Device Identifiers

D) PAYMENT PROCESSING

To process your payment to Smurfit Westrock

Legal basis: Performance of a Contract
Categories of personal data processed: Payment Information

E) MARKETING

For marketing, promotion and advertising purposes where the law requires us tocollect your consent. For example, when the law requires consent for email marketing.

Legal basis: Consent, Legitimate Interest
Categories of personal data processed: Contact Details, Advertising Preferences

F) INFORMATION PROVIDED ON A VOLUNTARY BASIS

To provide certain voluntary services as part of your Smurfit Westrock experience. When this is the case, we will ask for your consent. For example, when we use your Personal Data to i) develop and maintain relationships with you, or ii) to monitor and analyse your interest in the marketing material we send you.

Legal basis: Consent, Legitimate Interest, including to provide our goods
Categories of personal data processed: IP address Location, Operating System Browser, URLs of Pages Visited, Device Identifiers

G) LEGAL CLAIMS

To establish, exercise or defend legal claims. For example, if we are involved in litigation and we must provide information to our lawyers in relation to that legal issue.

Legal basis: Legitimate Interest, including to seek legal advice and to protect ourselves, our clients or others in legal proceedings
Categories of personal data processed: Device/IP Data, Contact Data, Identifier(s), Payment Information, Contact Details, All Relevant Information

H) COMPLIANCE WITH LEGAL OBLIGATIONS

To comply with legal obligations we are subject to. For example, to comply with an obligation under the law of the country / region you are in.

Legal basis: Compliance with Legal Obligations, Legitimate Interest, including compliance with international legal requirements
Categories of personal data processed: Device/IP Data, Contact Data, Identifier(s), Payment Information, Contact Details , All Relevant Information

I) COMPLIANCE WITH LAW ENFORCEMENT REQUESTS

To comply with a request from law enforcement, courts, or other competent authorities.

Legal basis: Compliance with Legal Obligations, Legitimate Interest, including to assist law enforcement authorities with prevention or detection of serious crime
Categories of personal data processed: Device/IP Data, Contact Data, Identifier(s), Payment Information, Contact Details, All Relevant Information

J) RESEARCH AND SURVEYS

To conduct research and surveys. For example, when we contact you to ask for feedback on your experience

Legal basis: Consent, Legitimate Interest, including to improve our service provision
Categories of personal data processed: Customer Request

Where required by applicable data privacy laws, we will only use your Personal Data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for any other reasonable purposes in connection with our engagement with you, the purpose and legal basis for any other further processing will be notified in advance from time to time.

Where we rely on a legitimate purpose of Smurfit Westrock or a third-party recipient of the personal data in order to use and disclose personal data, you are entitled to object to such use or disclosure and if you do, we will stop processing your personal data for that purpose unless we can show there are compelling legitimate reasons for us to continue to do so.

5. How We Share Your Personal Data

Depending on your relationship with us, we may disclose some or all of your Personal Data to service providers and other parties listed in this section.

Service Providers and Affiliates

We will share Personal Data with our service providers and affiliates so that they can provide services to us. Our service providers help us to provide the website and support our marketing and PR services to you. We carefully select our service providers, and we take corresponding measures to protect your Personal Data when service providers are engaged. Smurfit Westrock may provide the personal information above to the following categories of third parties:

Vendors performing services on behalf of Smurfit Westrock;
Vendors offering services to you; and
Third parties who offer our market services to you.

Legal Obligations

We may share any Personal Data where this is required by law or regulation, or court or administrative order having force of law, or where required by any of Smurfit Westrock’s regulators.

Business Transfers

Your Personal Data may be transferred to a different entity, and our legal or other advisors, if we undergo or evaluate a merger, acquisition, bankruptcy or other transaction (or proposed transaction) in which that entity assumes control of our business or assets of our business (in whole or in part).

6. Transfers of Personal Data

Because of the global nature of our business, your Personal Data may be transferred to Smurfit Westrock affiliate companies, subcontractors, and partners located in countries across the world. We will always take steps to ensure that any international transfer of Personal Data is carefully managed to protect your rights and interests.

Some transfers may be outside of the European Economic Area (“EEA”) or an originating jurisdiction to countries which do not have equivalent protections. For those transfers, Smurfit Westrock’s policy is to implement an appropriate transfer mechanism to protect your Personal Data, including as required by applicable law, standard contractual clauses and appropriate technical, organizational, contractual and/or other lawful measures to protect your personal data.

You have the right to ask us for more information about the safeguards we have put in place (including a copy of the transfer mechanism as mentioned above). Contact us if you would like to receive further information or to request a copy of the relevant safeguard (which may be redacted to ensure confidentiality).

7. Data Security and Retention

We seek to protect your Personal Data from unauthorised access, use, and disclosure using appropriate physical, technical, and organisation security measures based on the type of Personal Data and how we are processing that Personal Data.

We retain Personal Data about you for as long as necessary to provide you with our products or marketing purposes. In some cases, we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, to defend a legal claim or is otherwise required by applicable law, rule, or regulation. In general, Smurfit Westrock (or its service providers on its behalf) will retain Personal Data only for as long as is necessary for the purposes provided in this notice in accordance with our retention policy or to meet other legal, regulatory, tax, or accounting requirements.

Any Personal Data is deleted or rendered unavailable as soon as the purpose of processing no longer applies. The data is also rendered unavailable or deleted when a prescribed storage duration mandated by the laws in your jurisdiction expires unless there is a necessity for the continued storage of the data for the conclusion of a contract or the fulfilment of a contract.

8. Your Rights in relation to Personal Data

Under applicable privacy laws, you may have rights over your Personal Data as a data subject. We have set out in this section certain data subject rights under GDPR, which apply to individuals based in the EEA.

i. Request access to your Personal Data. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

ii. Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

iii. Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).

iv. Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation, which makes you want to object to processing on this ground.

v. Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data, for example if you want us to establish its accuracy or the reason for processing it.

vi. Request the transfer of your Personal Data to another party.

vii. Withdraw your consent at any time if your Personal Data is processed on the basis of consent. If you withdraw your consent, this will not affect the lawfulness of how we used your Personal Data before you withdrew consent.

viii. Lodge a complaint with a competent supervisory authority if you consider that the processing of your Personal Data infringes applicable law. We request that you contact us in the first instance so that we can respond to your complaint. The contact details are available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

You can request to exercise the rights above by contacting us using the details below. Your rights will in each case be subject to the restrictions set out in applicable data protection laws. Further information on these rights, and the circumstances in which they may arise in connection with our processing of your Personal Data, can be obtained by contacting our Data Protection Representative in writing to privacyoffice@smurfitwestrock.com.

9. Changes to this Privacy Notice

We constantly try to improve our services, so we may need to change this Privacy Notice from time to time to reflect changes in technology, law, business operations, or any other reason we determine is necessary or appropriate.

If we decide to use your Personal Data in a manner significantly different from that stated in this notice, or otherwise disclosed to you at the time it was collected, we will notify you by e-mail or post, or we will post an updated version of this notice with a revised “Last Updated” date included. In certain circumstances, you may have a choice as to whether or not we use your Personal Data in the new manner.

10. Contact Information

If you have any questions or queries about this Privacy Notice, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at privacyoffice@smurfitwestrock.com.

Alexa Limeres serves as the Data Protection Officer in Canada and Brazil. You may contact her via email at privacyoffice@smurfitwestrock.com.

Last Updated: July 1, 2024

SPECIAL NOTICES

Legal basis for processing.

Under the Brazilian General Data Protection Law (the “LGPD”), Smurfit Westrock’s legal basis for processing of personal data may fall into one of the following categories:

DATA SUBJECTS/CATEGORIES OF DATA

1. Website visitors, users of our mobile app, and individuals who contact us via phone, post, or other means
- Name and contact information, Content of communications Legitimate interest in business communication
- Legal Basis | Legitimate interest in business communication
2. Website visitors
- Data about your interaction with our platforms, including your IP address, location, operating system, browser, URLs of any pages you visit on our sites or apps, device identifiers, and other similar usage information. Legitimate interest in communication and network and information security
- Legal Basis | Legitimate interest in business communication
3. Business customers, suppliers or vendors, or employees or representatives of such an entity
- Name, employer, and contact information, such as phone number, business address, business email address, and other identifiers Performance of a contract and Legitimate Interest in communications and business operations
- Legal Basis | Performance of a contract and Legitimate Interest in communications and business operations
4. On-site Visitors
- Contact information (email address, telephone number, postal address, etc.). To protect the physical safety of individuals, Legitimate interest in protecting our assets, employees, and partners
- Legal Basis | To protect the physical safety of individuals, Legitimate interest in protecting our assets, employees, and partners
5. Job Applicants
- Contact information, such as email address, telephone number, postal address; application information, such as resume/CV, application form, letter of application, supporting documents, etc.; details of communications, such as offer and acceptance letters, contents of emails, etc.; demographic information such as age and date of birth, and special category data where required such as disability, national origin, religion, race/ethnic background, sexual orientation, and COVID19 Vaccine status. To comply with Smurfit Westrock’s legal obligations and as needed for the contract with the data subject.
- Legal Basis | To comply with Smurfit Westrock’s legal obligations and as needed for the contract with the data subject
Individual Rights.

If you reside in Brazil the LGPD may provide you with certain privacy rights. This section of the Notice describes the rights that may be available to you and how you may exercise those rights with Smurfit Westrock.

In particular, you may request that Smurfit Westrock:
- Confirm that we are processing your personal data, and provide information about the processing;
- Provide access to your personal data;
- Update and correct incomplete, inaccurate or outdated data;
- Anonymize, block or delete unnecessary or excessive data, or data processed in non-compliance with the provisions in the LGPD;
- Provide a portable copy of your personal data;
- Delete personal data processed on the basis of consent, except for the situations where maintaining the data is necessary or allowed by legislation;
- Provide information on public and private entities with which we shared your personal data;
- Provide information on the possibility of not giving consent and the consequences of the refusal;
- Recognize that you have revoked consent to process your personal data, and take appropriate actions; and
- Review decisions made exclusively based on automated processing of your Personal Data.
To exercise one or more of these rights, please contact the Smurfit Westrock Privacy Office. We may request that you provide proof of your identity. Smurfit Westrock will not discriminate against you based on your decision to exercise your rights.
Under the Canada’s data privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) a company must have a legitimate and specific purpose to process your personal information. Smurfit Westrock has described those purposes here.

If you reside in Canada, the PIPEDA may provide you with certain privacy rights. This section of the Notice describes the rights that may be available to you and how you may exercise those rights with Smurfit Westrock.

In particular, you may:
- Access the personal information Smurfit Westrock holds about you;
- Correct any inaccurate or outdated personal information Smurfit Westrock holds about you (or, if that is not possible, ask that Smurfit Westrock delete such data);
- Withdraw consent for any activities you have previously consented to.
- Under PIPEDA requires that Smurfit Westrock share with you what personal information is made available to related organizations and third parties.
Categories of Information:

1. Your contact information, such as your mailing address, telephone number, or email address for purposes of contacting you or mailing information or products to you.

Purpose of Processing: Provide our products, respond to questions, marketing, investor relations

Third Parties to Whom This Information Was Disclosed: Service Providers Performing Services on Behalf of Smurfit Westrock

Like many businesses, Smurfit Westrock uses vendors who provide customer services, advertisements/promotions and contextual customization of advertisements, marketing services, process or fulfill orders and transactions, process payments, provide marketing or advertising services, and provide analytic, legal or insurance services.

As a part of providing services on behalf of Smurfit Westrock, our vendors may need to process your personal information (such as your email address or your payment information) in order to fulfill an order you may have requested from Smurfit Westrock. We sometimes allow service providers to also utilize aggregated or de-identified information for other purposes.

Service providers offering services to you. In addition, we may share your contact information with certain third parties who offer or market services to you.
Smurfit Westrock affiliates: We may share your personal information with Smurfit Westrock affiliates for the purpose of providing you with information about our products, for marketing, investor relations, or other similar business purposes.

2. Demographic data, website usage, IP addresses, account login information, and additional traffic information.

Purpose of Processing: Product development or marketing

Third Parties to Whom This Information Was Disclosed: Service Providers Performing Services on Behalf of Smurfit Westrock.
Aviso de Privacidad - México

Smurfit Westrock plc y sus subsidiaries (en lo sucesivo “Smurfit Westrock”, o el “Responsable”), en atención a Ley Federal de Protección de Datos Personales en Posesión de los Particulares, su Reglamento y diversa normativa vigente y relacionada (en lo sucesivo, la “Legislación de DP”) y en cumplimiento con la Legislación de DP, por medio del presente Aviso de Privacidad le informamos sobre el tratamiento de sus Datos Personales.

Smurfit Westrock le informa que los Datos Personales (según dicho término se define más adelante) obtenidos del Titular (según dicho término se define más adelante), en su carácter presente o futuro de cliente, proveedor y/o empleado de Smurfit Westrock, así como aquellos obtenidos por la contratación de Smurfit Westrock para brindar cualesquiera de sus servicios o por cualquier tipo de relación contractual o de negocios que celebre con Smurfit Westrock, serán tratados bajo los principios de legalidad, consentimiento, información, calidad, propósito, lealtad, proporcionalidad y responsabilidad de conformidad con lo siguiente:

1. Responsable del Tratamiento de Datos Personales

Smurfit Westrock es el responsable del tratamiento legítimo, controlado e informado de sus datos personales (los “Datos Personales”), de conformidad con lo establecido en la Legislación de DP, a efecto de garantizar la privacidad y el derecho a la autodeterminación informativa y protección de sus Datos Personales, que serán obtenidos de manera directa y/o personal a través de usted, como cliente o potencial cliente, proveedor o potencial proveedor y/o empleado o potencial empleado (en lo sucesivo, el “Titular”). Para tal fin, Smurfit Westrock pone a su disposición el presente Aviso de Privacidad, previo a la obtención de los mismos.
Nuestra persona responsable de dar trámite a las solicitudes de ejercicio de derechos y de fomentar la protección de Datos Personales en Westrock es Alexa Limeres, quien se ubica en el domicilio antes mencionado. Usted podrá contactarlo tanto en el domicilio señalado, así como por medio de correo electrónico a la siguiente dirección: privacyoffice@smurfitwestrock.com

2. Finalidad de Tratamiento de sus Datos Personales

Smurfit Westrock recabará los Datos Personales de manera directa a través de Usted. Los Datos Personales que Smurfit Westrock recabe del Titular serán utilizados para (i) identificar un contacto; (ii) proporcionar los servicios requeridos y cualquier servicio relacionado; (iii) informarle sobre nuevos servicios relacionados con el contrato de servicios; (iv) dar cumplimiento a las obligaciones de Smurfit Westrock; (v) evaluar la calidad del servicio; (vi) estar en contacto por correo, correo electrónico o teléfono para compartirle boletines de información y para realizar encuestas en relación con la calidad de los Servicios proporcionados por Smurfit Westrock; (vii) Evaluación como proveedor, contratista, transportista, cliente, empleado o trabajador potencial, y en su caso la apertura de un expediente físico para control de sus antecedentes como nuestro trabajador; en caso de ser candidato, para la debida selección y, en su caso, trámites de contratación; (viii) Para efectos de la elaboración y celebración del (los) contrato(s) que, acorde a la relación jurídica correspondiente, en su caso se requieran; (ix) El cumplimiento de obligaciones que deriven de la relación jurídica, correspondiente; (x) Diligencias de cobranza extrajudicial en el caso de clientes morosos o cualquier otro deudor; y/o (xi) avisos ante autoridades judiciales, administrativas o del trabajo para el cumplimiento de obligaciones derivadas de la relación particular que se tenga con cada “titular”.

En caso de que haya proporcionado datos de contacto de terceros como referencias, autorizados, cotitulares, cónyuges, beneficiarios, coacreditados, referencias, garantes, obligados solidarios, avales, fiadores, tutores, proveedores, beneficiarios y demás figuras legales relacionadas con servicios del Responsable, Usted garantiza que cuenta con su autorización para proporcionar dichos datos, incluyendo en su caso los datos personales aplicables, y es responsable de comunicar a dichas personas sobre los términos y razones por las cuales los contactaremos y, en su caso, el tratamiento de sus datos personales conforme al presente Aviso de Privacidad, así como los medios para conocer el contenido íntegro del mismo. Adicionalmente, mediante su consentimiento al presente Aviso de Privacidad, usted ratifica su autorización para que el Responsable contacte a dichas personas.

3. Datos Personales que serán Recabados por Smurfit Westrock

a. Nombre
b. Fecha de nacimiento
c. RFC
d. CURP
e. Estado Civil
f. Domicilio
g. Correo Electrónico
h. Teléfono
i. Registro Federal de Causantes
j. así como datos financieros y patrimoniales
k. Experiencia laboral
l. Edad
m. Nivel de estudios
n. número de seguridad social
o. antecedentes laborales
p. fotografías, imágenes de video
q. huella dactilar
r. antecedentes escolares
s. dirección de página web

4. Datos Personales Sensibles

Le informamos que no serán recabados ni tratados por Smurfit Westrock, Datos Personales Sensibles del Titular.

5. Medios para ejercer los Derechos ARCO (Acceso, Rectificación, Cancelación y Oposición)

Usted o su representante legal debidamente acreditado podrán ejercer los derechos de Acceso, Rectificación, Cancelación u Oposición (los “Derechos ARCO”), que la Legislación de DP prevé. Para ello, deberá solicitar un formato de ejercicio de Derechos ARCO mediante el envío de un correo electrónico a la dirección: privacyoffice@smurfitwestrock.com
El formato de ejercicio de Derechos ARCO se deberá llenar, firmar y presentarse acompañado de la siguiente documentación, a fin de que pueda llevarse a cabo su autenticación:

a. Identificación oficial vigente (Credencial del Instituto Nacional Electoral, Pasaporte, Cartilla del servicio Militar Nacional o Cédula Profesional).
b. En los casos en que el ejercicio de los Derechos ARCO se realice a través de su representante legal, deberá acompañarse la identificación oficial del representante, así como el poder correspondiente protocolizado que acredite la representación legal conferida por usted.
c. Cuando se quiera ejercer el derecho de rectificación, deberá exhibirse la documentación que acredite el cambio solicitado de acuerdo con los Datos Personales a rectificar.

Se le dará respuesta a cualquiera de sus solicitudes en un plazo no mayor a 20 (veinte) días hábiles, y la determinación adoptada se hará efectiva dentro de los 15 (quince) días siguientes a la fecha en se comunique la respuesta. Estos plazos se podrán ampliar una sola vez por un periodo igual, siempre y cuando así lo justifiquen las circunstancias del caso, lo cual haremos de su conocimiento.

Smurfit Westrock tomará medidas de seguridad organizacionales y técnicas razonables para prevenir la pérdida, uso indebido, alteración o divulgación ilegal de su información y datos personales, mismas que exigimos sean cumplidas por los proveedores de servicios que contratamos, inclusive tratándose de servicios que prestan las empresas subsidiarias o afiliadas de Smurfit Westrock.

6. Limitación de uso y Divulgación de Datos Personales
Usted puede limitar el uso y divulgación de sus Datos Personales siguiendo el procedimiento mencionado anteriormente.

7. Transferencia de Datos
Adicionalmente, le informamos que sus Datos Personales pueden ser transmitidos y tratados dentro o fuera del país, por personas distintas a Smurfit Westrock; en este respecto, su información puede ser compartida con subsidiarias o sociedades afiliadas de Smurfit Westrock tanto en México como en el extranjero. En caso de que usted no haga saber su objeción para que su información personal sea así transmitida, se entenderá que usted otorgó su consentimiento para hacerlo.

8. Revocación del Consentimiento para el Tratamiento de sus Datos Personales
En todo momento usted podrá revocar el consentimiento que nos ha otorgado para el tratamiento de sus Datos Personales, con el fin de que dejemos de hacer uso de los mismos. Para ello, es necesario que presente su petición a través del correo privacyoffice@smurfitwestrock.com

9. Modificaciones al Aviso de Privacidad
El presente Aviso de Privacidad puede sufrir modificaciones, cambios o actualizaciones derivadas de necesidades propias de Smurfit Westrock, por los productos o servicios que ofrecemos; de nuestras prácticas de privacidad; de cambios en nuestro modelo de negocio, o por otras causas. Cualquier modificación al presente Aviso de Privacidad le será notificada a través de cualquiera de los siguientes medios: (i) mensaje enviado a su correo electrónico; o (ii) mensaje publicado en nuestra página de internet.

10. Protección
A pesar de contar cada día con herramientas más seguras, las transmisiones de datos a través de internet nunca son 100% seguras o libres de error. En consecuencia, Smurfit Westrock no garantiza la seguridad, precisión o exactitud de la información personal cuando la misma se transmita por Internet. Sin embargo, Smurfit Westrock aplica procedimientos físicos, electrónicos y administrativos para proteger la información personal contra incidentes y vulneraciones, tales como destrucción accidental o ilegal, perdida o alteración accidental y divulgación o acceso no autorizado.
Smurfit Westrock no es responsable respecto al contenido y políticas de privacidad de sitios externos a su portal.

11. Reconocimiento
Al proporcionarnos sus Datos Personales y al no manifestar su oposición al tratamiento de los mismos, reconoce y consciente el tratamiento de los Datos Personales en apego a este Aviso de Privacidad. En todos los casos procedamos al tratamiento de sus Datos Personales de la forma en que se señala en el presente y con estricto apego al mismo, Legislación de DP.

12. Quejas y Denuncias
Si usted considera que su derecho de protección de Datos Personales ha sido lesionado por alguna conducta de nuestros empleados, o de nuestras actuaciones o respuestas presume que en el tratamiento de sus Datos Personales existe alguna violación a las disposiciones previstas en la Legislación de DP, podrá interponer la queja o denuncia correspondiente ante el Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI). Para mayor información visite www.inai.org.mx
Privacy Notice - Mexico

Smurfit Westrock plc, together with its subsidiaries (hereinafter “Smurfit Westrock”, which for purposes of this privacy notice will be referred to as the “responsible person”), provides the following in accordance with the Federal Law for the Protection of Personal Data in Possession of Individuals, its Regulations and other current and related regulations (hereinafter, the "DP Legislation") and in compliance with the DP Legislation, we hereby inform you about the treatment of your Personal Data.

Smurfit Westrock informs you that the Personal Data (as such term is defined below) obtained from the Data Subject (as such term is defined below), as a present or future customer, supplier and/or employee of Smurfit Westrock, as well as those obtained by contracting from Smurfit Westrock to provide any of its services or by any type of contractual or business relationship with Smurfit Westrock, will be processed under the principles of legality, consent, information, quality, purpose, loyalty, proportionality and responsibility in accordance with the following:

1. Controller of the Processing of Personal Data
Smurfit Westrock is responsible for the legitimate, controlled and informed processing of your personal data (the "Personal Data"), in accordance with the provisions of the DP Legislation, in order to guarantee the privacy and the right to informative self-determination and protection of your Personal Data, which will be obtained directly and/or personally through you, as a customer or potential customer, supplier or potential supplier and/or employee or potential employee (hereinafter, the "Data Subject"). For this purpose, Smurfit Westrock makes this Privacy Notice available to you, prior to obtaining such Personal Data.

Our responsible person for processing requests for the exercise of rights and to promote the protection of Personal Data in Smurfit Westrock is Alexa Limeres, who is located at the above address. You may contact this person at the above address, as well as by e-mail at the following address: privacyoffice@smurfitwestrock.com

2. Purpose of the Processing of your Personal Data
Smurfit Westrock will collect Personal Data directly from You. The Personal Data that Smurfit Westrock collects from the Data Subject will be used to (i) identify a contact; (ii) provide the requested services and any related services; (iii) inform you about new services related to the service contract; (iv) comply with Smurfit Westrock's obligations; (v) evaluate the quality of the service or good; (vi) be in contact by mail, email or telephone to share newsletters with you and to conduct surveys regarding the quality of the Services provided by Smurfit Westrock; (vii) assess potential vendors, contractors, carriers, customers, employees or workers and, as applicable, open the physical file to control your background as our worker; in case of a candidate, to choose such person, and as applicable, for hiring procedures; (viii) prepare and enter into agreements that, pursuant to the relevant legal relations, are required, as applicable; (ix) to comply with obligations under applicable law; (x) to manage the extrajudicial collection of defaulting customers or any other debtor and/or (xi) for purposes of notices before judicial, administrative or labor authorities to perform the obligations under a specific relation with each data subject.

In case you have provided to us with contact information of third parties such as references, authorized persons, co-owners, spouses, beneficiaries, co-creditors, referrals, guarantors, joint obligors, sureties, assignees, guardians, suppliers, beneficiaries and other legal figures related to services of the Responsible, you guarantee that you have their authorization to provide such information, including, if applicable, the applicable personal data, and you are responsible for communicating to such persons the terms and reasons for which we will contact them and, if applicable, the processing of their personal data in accordance with this Privacy Notice, as well as the means to know the full content of the same. Additionally, by your consent to this Privacy Notice, you ratify your authorization for the responsible person to contact such persons.

3. Personal Data to be Collected by Smurfit Westrock

a. Name
b. Date of birth
c. RFC
d. CURP
e. Marital Status
f. Physical Address
g. E-mail address
h. Telephone number
i. Tax address
j. Financial and property data
k. Professional experience
l. Age
m. Education level
n. Social security number
o. Employment history
p. Photograph, video image
q. Fingerprint
r. School background
s. Webpage

4. Sensitive Personal Data
We inform you that Smurfit Westrock will not collect or process Sensitive Personal Data of the Data Subject.

5. Means to exercise the ARCO Rights (Access, Rectification, Cancellation and Opposition)
You or your legal representative duly authorized may exercise the rights of Access, Rectification, Cancellation or Opposition (the "ARCO Rights"), which the DP Legislation provides. For this purpose, you must request an ARCO Rights exercise form by sending an e-mail to privacyoffice@smurfitwestrock.com

The ARCO Rights exercise form must be filled out, signed and submitted together with the following documentation, so that it can be validated:

a. Current official identification (Instituto Nacional Electoral, Passport, National Military Service Card or Professional ID).
b. In cases where the exercise of the ARCO Rights is performed through your legal representative, the official identification of the representative, as well as the corresponding notarized power of attorney that proves the legal representation granted by you, must be attached.
c. When seeking to exercise the rectification right, the documentation evidencing the requested change in accordance with the Personal Data to be rectified must be exhibited.

We will respond to any of your requests within 20 (twenty) business days, and the decision will be effective within 15 (fifteen) days of the date the response is communicated. These periods may be extended only once for an equal period, as long as justified by the circumstances of the case, which we will inform you about.

Smurfit Westrock will take reasonable organizational and technical security measures to prevent the loss, misuse, alteration or illegal disclosure of your personal information and data, which we require to be complied with by the service providers we hire, including services provided by Smurfit Westrock's subsidiaries or affiliates.

6. Limitation of Use and Disclosure of Personal Data
You may limit the use and disclosure of your Personal Data by following the procedure mentioned above.

7. Data Transfer
Additionally, we inform you that your Personal Data may be transferred and processed inside or outside the country, by persons other than Smurfit Westrock; in this regard, your information may be shared with subsidiaries or affiliated companies of Smurfit Westrock both in Mexico and abroad. In the event that you do not express your objection for your personal information to be transferred in this way, it will be understood that you have given your consent for this.

8. Revocation of Consent to the Processing of your Personal Data
At any time you may revoke the consent given to us for the processing of your Personal Data, in order for us to stop using them. To do so, it is necessary that you submit your request via email privacyoffice@smurfitwestrock.com

9. Amendments to the Privacy Notice
This Privacy Notice may be amended, changed or updated due to Smurfit Westrock’s own needs, the products or services we offer, our privacy practices, changes in our business model, or other causes. Any modification to this Privacy Notice will be notified to you through any of the following means: (i) a message sent to your e-mail address; or (ii) a message posted on our website.

10. Protection
Although increasingly secure tools are becoming available, data transmissions over the Internet are never 100% secure or error-free. Accordingly, Smurfit Westrock does not guarantee the security, accuracy or correctness of personal information when transmitted over the Internet. However, Smurfit Westrock applies physical, electronic and administrative procedures to protect personal information against incidents and breaches, such as accidental or unlawful destruction, accidental loss or alteration, and unauthorized disclosure or access.
Smurfit Westrock is not responsible for the content and privacy policies of sites outside its portal.

11. Acknowledgment
By providing us with your Personal Data and by not expressing your opposition to the treatment of the same, you acknowledge and consent to the treatment of the Personal Data in accordance with this Privacy Notice. In all cases we proceed to the treatment of your Personal Data in the manner indicated herein and in strict compliance with the same, DP Legislation.

12. Reports and Complaints
If you believe that your right to protection of Personal Data has been violated by any conduct of our employees, or from our actions or responses you presume that in the processing of your Personal Data there is any violation of the provisions of the DP Legislation, you may file a complaint or complaint with the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI). For more information visit www.inai.org.mx
Smurfit Westrock plc, its subsidiaries and affiliates (collectively “Smurfit Westrock”), is committed to protecting your privacy. This Privacy Notice details Smurfit Westrock’s privacy practices, including how we collect and use your personal information in the United States.

Personal Information We Collect

The type of information we collect varies based on our interaction with you. We strive to collect only data that is necessary and appropriate for the nature of our interaction with you. In most cases, we collect your personal information directly from you. Please note that this information may be collected through either online or offline means.

Smurfit Westrock collects the following categories of personal information:

1. Name, contact information, and other identifiers
- Categories of Sources of Data: We usually collect this information directly from you. For example, you might give us your contact information so that we can respond to a question or request, or you might do so when applying for a job with us. In some cases, we might collect your information from someone else. For example, your company may provide your name and information as a point of contact for us.
- Business or Commercial Purpose of Processing: Communicate with you directly or in your capacity as an employee of a Smurfit Westrock customer or 5supplier. Provide the products, services, or information you have requested or purchased. Manage our human resources and meet legal requirements.
2. Commercial information, including products or services purchased, obtained, or considered
- Categories of Sources of Data: We collect this information when you or your company purchase our products, or we purchase yours.
- Business or Commercial Purpose of Processing: Provide the products or services that you have requested or purchased, or request or purchase products or services from your or your company. Evaluate and improve the provision of our products or services.
3. Financial data such as bank account numbers and similar information
- Categories of Sources of Data: We collect bank account information from contractors, vendors, and related persons for payment purposes.
- Business or Commercial Purpose of Processing: Facilitate the purchase of products or services. Manage our human resources and meet legal requirements.
4. Internet and other electronic network activity
- Categories of Sources of Data: Internet and other electronic network activity When you visit our website, we collect information such as browsing activity on our site, ads viewed or clicked, and search terms used. Our systems automatically collect information such as IP address, browser type and language, operating system, device type, and hardware attributes from all website visitors. Communicate with you directly or in your capacity as an employee of a Smurfit Westrock customer or supplier. Evaluate and improve our systems and websites. Diagnose technical issues and ensure the security of our systems and data.
- Business or Commercial Purpose of Processing: Communicate with you directly or in your capacity as an employee of a Smurfit Westrock customer or supplier. Evaluate and improve our systems and websites. Diagnose technical issues and ensure the security of our systems and data.
5. Geolocation
- Categories of Sources of Data: When you visit our website, you provide Smurfit Westrock with a general location associated with your IP address.
- Business or Commercial Purpose of Processing: Provide location specific notices and services.
6. Audio, electronic, visual, or similar information
- Categories of Sources of Data: Security cameras are located on the premises of our facilities. Also, you may choose to access our social media platforms, where you may choose to provide photos and other user generated content.
- Business or Commercial Purpose of Processing: Ensure the physical security of our facilities, assets, and personnel. Refine our services. Communicate with you about Smurfit Westrock and Smurfit Westrock products.
7. Professional or employment related information
- Categories of Sources of Data: Professional or employment related information We collect this information from job applicants, former employees, non-employees performing services for Smurfit Westrock, and related persons, as a normal part of our human resources processes. We may also collect this information from third-party networking sites, such as LinkedIn or service providers. Additionally, if your company has provided your name as a point of contact for us, then we will know the name of your employer and possibly information such as your title and general responsibilities. Manage our human resources and meet legal requirements. Transact business with other companies through their employees.
- Business or Commercial Purpose of Processing: Manage our human resources and meet legal requirements. Transact business with other companies through their employees.
8. Education Identifiers
- Categories of Sources of Data: We collect this information from job applicants, former employees, non-employees performing services for Smurfit Westrock, and related persons, as a normal part of our human resources processes. We may also collect information from third party verification service providers.
- Business or Commercial Purpose of Processing: Manage our human resources and meet legal requirements.
9. Sensitive Personal Information
- Categories of Sources of Data: Under some circumstances, we may collect Social Security, driver’s license, state identification card, or passport numbers, and racial or ethnic origin identifiers as part of our legally required human resources processes. Under some circumstances, we may collect health information.
- Business or Commercial Purpose of Processing: Manage our human resources and meet legal requirements. Smurfit Westrock does not collect or process sensitive personal information for the purpose of inferring characteristics about any individual. In California, Smurfit Westrock only uses or discloses sensitive personal information as allowed under CCPA Regulations, Section 7027.
10. Protected classifications under California or federal law
- Categories of Sources of Data: We collect this information only as required by law, typically as part of the employment process. (For a list, see: https://www.senate.ca.gov/content/protected-classes)
- Business or Commercial Purpose of Processing: Manage our human resources and meet legal requirements.
11. Inferences
- Categories of Sources of Data: At Smurfit Westrock, like many other companies, we use contextual customization of advertisements to enhance your visit to our website. We do not build a profile of your user experience but instead use this information to share advertisements with you after you have exited our website.
- Business or Commercial Purpose of Processing: Refine our services. Communicate with you about Smurfit Westrock and Smurfit Westrock products.
Please note that Smurfit Westrock employees may find information regarding Smurfit Westrock’s privacy practices for employees on the Company intranet website.

Retaining Your Personal Information

How long do we retain your personal data?

Personal information is retained only for as long as is necessary for the purposes provided in this notice or to meet other legal, regulatory, tax or accounting requirements. We consider factors such as the sensitivity of the information, whether we have automatic controls to delete the data or a technical ability to do so, and legal, contractual, or similar obligations to retain your information when establishing criteria for the retention periods. Because these factors can vary based on the information collected and your interaction with us, actual retention periods can vary significantly.

Sharing and Selling Your Personal Information

Smurfit Westrock does not sell your personal information for monetary consideration. However, our use of cookies and other tracking technologies, as well as the collection of personal information on our sites and applications by third parties, may be considered “sharing” under California law and “targeted advertising” in other states. The following table represents the categories of personal information we have “shared” in the last twelve months, the categories of recipients, and the business purpose for the “sharing.”

1. Name, contact information and other identifiers
- Category of Third-Party Recipients: Advertisers and marketing partners, providers of data analytics, and social media networks
- Business Purpose for Sharing: Make the online advertisements you see more relevant to your interests, including advertisements for Smurfit Westrock products and services. We may also share this information with data analytics service providers to improve our understanding of our relevant markets.
2. Commercial information including products or services purchased, obtained, or considered
- Category of Third-Party Recipients: Advertisers and marketing partners, providers of data analytics, and social media networks
- Business Purpose for Sharing: Make the online advertisements you see more relevant to your interests, including advertisements for Smurfit Westrock products and services. We may also share this information with data analytics service providers to improve our understanding of our relevant markets.
3. Internet and other electronic network activity
- Category of Third-Party Recipients: Advertisers and marketing partners, providers of data analytics, and social media networks
- Business Purpose for Sharing: Make the online advertisements you see more relevant to your interests, including advertisements for Smurfit Westrock products and services. We may also share this information with data analytics service providers to improve our understanding of our relevant markets.
Disclosing Your Personal Information

As noted in the list below, we may disclose your personal information to vendors performing operational services on our behalf, including customer services, advertisements, promotions, marketing services, processing and order fulfillment services, transaction and payment processing services, and analytic, legal, or insurance services. The table below lists the categories of personal information that Smurfit Westrock has disclosed to third parties for a business purpose in the preceding 12 months:
1. Name, contact information and other identifiers

Category of Recipients: Service providers, Government entities, Unions and Trade organizations

Business or Commercial Purpose of Disclosure: Respond to your questions and requests. Conduct business with you, your employer, or a similar relevant entity. Ensure the security and integrity of our network, systems, and data. Track website usage. Collect employment-related information to manage our human resources and administer employee benefits. Comply with union labor agreements. Short-term, transient use. Meet legal requirements.

2. Commercial information, including products or services purchased, obtained, or considered

Category of Recipients: Service providers

3. Financial data such as bank account numbers, credit or debit card numbers, and similar information

Category of Recipients: Service providers

Business or Commercial Purpose of Disclosure: Conduct business with you, your employer, or a similar relevant entity. Payment processing. Administer employee benefits. Short term transient use.

4. Internet and other electronic network activity

Category of Recipients: Service providers

Business or Commercial Purpose of Disclosure: Communicate with you about Smurfit Westrock and Smurfit Westrock products. Evaluate and improve our systems and websites. Diagnose technical issues and ensure the security of our systems and data. Tailor and analyze advertisements.

5. Geolocation

Category of Recipients: Service providers, Unions and Trade Organizations

Business or Commercial Purpose of Disclosure: Process employment-related information. Administer employee benefits or provide similar services. Comply with union and trade organization labor agreements. Meet legal requirements.

6. Education Identifiers

Category of Recipients: Service providers

Business or Commercial Purpose of Disclosure: Process employment related information to manage our human resources and administer employee benefits.

7. Sensitive personal information, including the protected classifications listed above, your Social Security, driver’s license, state identification card, or passport number; your account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; your precise geolocation; your racial or ethnic origin; and the contents of your mail, email, and text messages (unless Smurfit Westrock is the intended recipient of the communication) Service providers
Government entities Process employment-related information to manage our human resources and administer employee benefits. Comply with legal requirements; (as allowed under California privacy law (CCPA Regulations, Section 7027)). Smurfit Westrock does not collect or process sensitive personal information for the purpose of inferring characteristics about any individual. Smurfit Westrock does not use or disclose sensitive information for purposes other than those business purposes specified in this Notice.

Category of Recipients: Service providers, Government entities

Business or Commercial Purpose of Disclosure: Process employment-related information to manage our human resources and administer employee benefits. Comply with legal requirements; (as allowed under California privacy law (CCPA Regulations, Section 7027)). Smurfit Westrock does not collect or process sensitive personal information for the purpose of inferring characteristics about any individual. Smurfit Westrock does not use or disclose sensitive information for purposes other than those business purposes specified in this Notice.

8. Protected classifications under California or federal law. (for a list, see: https://www.senate.ca.gov/content/protected-classes)

Category of Recipients: Service providers, Government entities

Business or Commercial Purpose of Disclosure: Process employment related information to manage our human resources and administer employee benefits. Meet our legal requirements.

Your Privacy Rights

Smurfit Westrock strives to honor your privacy rights, based on your state of residence and to answer your questions regarding how we may process your data. Based on your state of residence, your rights may include the following:

Right to know and access personal information: You have the right to request that we disclose: (1) the categories of personal information we have collected about you; (2) the sources from which we collected the personal information; (3) the business or commercial purpose for the collection, selling or sharing of personal information; (4) the categories of third parties to whom we disclose personal information; (5) the categories of personal information that we sold or disclosed for a business purpose; and (6) the specific pieces of personal information we have collected about you.

Right to opt-out: You have the right to opt out of the sale or sharing of your personal information, the use of your personal information for targeted advertising, and the use of your personal information for profiling. If you use an opt-out preference signal, we will process your opt-out preference at the device level using our cookie compliance tool. Smurfit Westrock processes opt-out preference signals in a frictionless manner using our cookie banner, which means that we respect opt-out signals sent from your browser using the Global Privacy Control (GPC) specification. You can set your browser to send these signals, but the specific settings that need to be configured depend on the specific browser you use. Some browsers may require a browser extension. To learn more about the GPC and browsers which support it, visit the Global Privacy Control website. If you have questions about opting out or need a different way to opt-out, please submit a request here or call us at 1-888-914-9661, pin # 159311.

Right to correct: If you find that we have inaccurate personal information about you, you have the right to request that we correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

Right to delete: You have the right to request that we delete your personal information. There are some exceptions to this right.

Right of data portability: You have the right to obtain a copy of your personal data in a portable and readily usable format that allows you to transmit the data to another controller without impediment. There are some limits to this right.

Right to Non-discrimination or Retaliation: We will not discriminate or retaliate against you for exercising your privacy rights. This includes under, for example, California law the right not to receive discriminatory treatment by a business for the exercise of privacy rights conferred by California law, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their rights under California law.

Methods for exercising your rights: If you wish to exercise your privacy rights or have any questions or concerns about Smurfit Westrock’s privacy policies and information practices, please submit a request here or call us at 1-888-914-9661, pin # 159311. To verify your request, you may need to provide proof of identity, such as non-personal information about your Smurfit Westrock account or a copy of your driver’s license. You may also designate an authorized agent to make a request. The agent will follow the same procedures described above. If you use an authorized agent, we may require proof that the agent acts on your behalf.

Appeal of Certain Decisions: If we decline your request, partially or fully, you may appeal the decision to our senior management. Simply follow the same process for submitting a request as outlined above and include “Appeal” in the title or other part of the request. If that Appeal is denied, you may be able to contact your Attorney General’s office, depending on the state in which you reside, to submit a complaint. Smurfit Westrock does not use or disclose sensitive personal information for any purposes that would require a user to exercise a right to limit according to California law.
We do not knowingly collect any information from children under the age of 18 outside of providing benefits to our employee’s dependents. If we learn that a child under the age of 18 has improperly provided us with personal information, we will delete it in accordance with applicable law. If you are a parent or guardian and believe we have inadvertently collected information from your child in a manner not permitted by law, please contact us at privacyoffice@smurfitwestrock.com.