DATA PRIVACY FRAMEWORK POLICY

Drive System Design Inc. (“DSD”) respects the privacy of individuals and strives to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it, and its associated companies, do business. This Data Privacy Framework Policy (the “Policy”) describes the privacy principles with respect to certain personal information transmitted to DSD in the United States (the “U.S.”), from countries located within the European Union and the United Kingdom (“EU/ UK”). DSD complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.

DATA PRIVACY FRAMEWORK OVERVIEW.

The U.S. Department of Commerce and the European Commission have agreed on a set of
data protection principles and associated supplemental principles to enable US companies
to satisfy EU law so that when Personal Data is transferred from the EU to the U.S. it is
adequately protected. The European Commission has recognised the EU-U.S. Data Privacy
Framework (“DPF”) as providing adequate protection of Personal Data.

Consistent with its commitment to protect personal privacy, DSD has decided to certify to
the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework
Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received
from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and
Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between
the terms in this policy and the DPF Principles, this Policy shall be interpreted so as to be
consistent with the DPF Principles. If the conflict remains, the DPF Principles shall govern.

For more information about the DPF Principles or to access the DPF List and DSD’s
certification statement, please go to https://www.dataprivacyframework.gov/.

1. SCOPE

This Policy applies to all Personal Data received by DSD in the United States from the EU/
UK, either directly from individuals, from its affiliates or from third party organizations, in
any form whatsoever, including electronic, paper or oral transmission.

2. DEFINITIONS

For the purposes of this Policy, the following definitions shall apply:

Personal Data” and “Personal Information” means data about an identified or identifiable individual within the scope of the General Data Protection Regulation,
received by an organization in the United States, and recorded in any form. Personal
Data includes all Sensitive Personal Data (as defined below).

Sensitive Personal Data” or “Sensitive Personal Information” means personal information specifying medical or health conditions, racial or ethnic origin, political
opinions, religious or philosophical beliefs, trade union membership or information
specifying the sex life of the individual, or where received from a third party, data that is
identified and treated as sensitive by the third party.

Processing” of Personal Data means any operation or set of operations which is
performed upon Personal Data whether or not by automated means, such as collection,
recording, organization, storage adaption or alteration, retrieval, consultation, use,
disclosure or dissemination, and erasure or destruction.

Controller” means a person or organization which, alone or jointly with others,
determines the purposes and means of processing personal data.

Agent” means any third party that collects or uses Personal Data provided by DSD
under the instructions of, and solely for, DSD.

DSD,” “we,” “our” or “us” means Drive System Design and its successors, assigns and wholly owned affiliates and subsidiaries and their respective divisions and groups, each of which are located within the U.S.

3. PRIVACY PRINCIPLES FOR PROCESSING OF PERSONAL DATA RECEIVED FROM THE EEA.

The privacy principles set forth in this policy have been developed based on the Data Privacy Framework Principles.

4.1 NOTICE.

Where DSD collects Personal Data directly from individuals in the EU/ UK or receives it from
its affiliates, it, or its affiliates, will inform those individuals about the purposes for which
they collect and use personal data about them; the transfer of Personal Data to DSD in the
U.S.; the types or identity of third parties to whom DSD discloses that information and the
purposes for which it does so; and the choices and means DSD offers individuals for limiting
the use and disclosure of their Personal Data. Notice will be provided in clear and
conspicuous language and in any event before DSD uses the information for a purpose other
than that for which it was originally collected.

DSD may from time to time process certain Personal Data about customers, business
partners, suppliers, vendors, service providers, employees and candidates for employment,
including information recorded and stored on various types of media, including electronic
media.

DSD will process these types of data in conformity with the DPF Principles and will continue
to apply the Principles to Personal Data received under application of the DPF as long as it
holds this data.

Purposes for which we may collect and use Personal Data from our customers, consumers
and other non-employees include:

  • Communicating to individuals about our products, services and related issues.
  • Evaluating the quality of our products and services.
  • Allowing individuals to register for our websites, online communities and other social networking services, and administering and processing these registrations.
  • Transferring Personal Data in connection with DSD’s legal, regulatory compliance and auditing purposes.
  • Facilitating DSD’s internal administrative purposes and application functionality, maintaining, administering and complying with DSD’s legal, regulatory compliance and auditing obligations, policies and procedures.
  • Execution of contracts and delivery of products and services to customers; execution of management and developments, engineering and construction projects; manufacturing execution and supply chain management.

DSD also collects Personal Data concerning its employees and candidates for employment (“Human Resources Data”) in connection with administration of its human resources programs and functions, payroll and benefit administration, legal compliance and for purposes of communicating with its employees. DSD also applies the DPF Principles to this data.

We may share Personal Data with third party agents for the sole purpose of, and only to the extent needed to support DSD or our customer’s needs. We may also disclose Personal Data to our Agents in the U.S. or Agents of our affiliates and other third parties when required to do so under law or by legal process. Third Party Agents are required to keep confidential Personal Data received from DSD and may not use it for any purpose other than originally intended.

4.2 CHOICE.

DSD will offer individuals in the EU/ UK the opportunity to choose (by either opt in or opt out) if their Personal Data (a) is to be disclosed to a third party that is not an Agent, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.

For sensitive Personal Data, DSD will give individuals the opportunity to affirmatively and explicitly consent (opt in) to permit DSD to (a) disclose their sensitive Personal Data to a third party that is not an Agent or (b) use sensitive Personal Data for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.

DSD will provide individuals with reasonable, clear, and conspicuous and readily available
mechanisms to exercise these choices.

4.3 ACCOUNTABILITY FOR ONWARD TRANSFER.

DSD will transfer Personal Data to Agents only for limited and specific purposes. DSD will
obtain contractual assurances from its Agents that they will safeguard Personal Data in a
manner consistent with this Policy and that they will provide at least the same level of
protection as is required by the Data Privacy Framework Principles. DSD recognises its
responsibility and potential liability for onward transfers to Agents. Where DSD has
knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Policy and/or the level of protection as required by the DPF Principles, DSD will take steps to
prevent, remediate or stop such use or disclosure.

If DSD transfers Personal Information to non-agent third parties acting as a Controller, DSD
will apply the Notice and Choice principles and will obtain contractual assurance from these
parties that they will provide the same level of protection as is required under the DPF
Principles unless a derogation for specific situations under EU/UK data protection law
applies.

4.4 ACCESS

Upon request and in accordance with the DPF, DSD will grant individuals reasonable access
to their Personal Data that is held by DSD. In addition, DSD will take reasonable steps to
permit individuals to correct, amend, or delete their Personal Data that is demonstrated to
be inaccurate, incomplete or processed in violation of the DPF Principles. In accordance with
the DPF, DSD may limit or deny access to Personal Data where the burden or expense of
providing access would be disproportionate to the risk of the individuals privacy, where the
legitimate rights of persons other than the individual would be violated or if necessary to
safeguard important countervailing public interests (e.g., national security) or in other
limited circumstances (e.g., disclosure would breach a legal or other professional privilege).

4.5 SECURITY

DSD will take reasonable precautions to protect Personal Data in its possession from loss,
misuse and unauthorized access, disclosure, alteration and destruction, taking into account
the risks involved in the processing and nature of the Personal Data.

4.6 DATA INTEGRITY AND PURPOSE LIMITATION.

DSD will use personal data only in ways that are compatible with the purposes for which it
was originally collected or as subsequently authorized by the individual. DSD will also take
reasonable steps to ensure that personal data is relevant to its intended use, accurate,
complete and current. DSD will adhere to the DPF Principles for as long as it retains Personal
Information received under its DPF certification.

4.7 RECOURSE, ENFORCEMENT AND LIABILITY

DSD in its self-assessment approach to verify its compliance with this policy periodically
verifies that this policy is accurate, comprehensive for the information intended to be
covered, permanently displayed, completely implemented, and in conformity with the DPF
Principles. DSD will investigate and attempt to resolve complaints and disputes regarding
use of and disclosure of Personal Data in accordance with the DPF Principles. DSD will also
investigate suspected infractions of this Policy.

If DSD determines that any employee of DSD is in violation of this Policy, such person will be
subject to disciplinary action up to and possibly including termination of employment.

In compliance with the DPF Principles, DSD commits to resolve complaints about our
collection or use of personal information. EU/UK individuals with inquiries or complaints
regarding our Data Privacy Framework policy should first contact DSD at:

    • Gillian Talwar, General Counsel,
    • Drive System Design, Inc. 37655 Interchange Drive,
    • Farmington Hills, MI 48335

Gillian.Talwar@www.drivesystemdesign.com;

Tel: 248 893 6210.

DSD will respond to a complaint within 45 days of receipt. DSD has further committed to co-
operate with the panel established by the EU data protection authorities (DPAs) and the UK
Information Commissioner’s Office (ICO) with regard to unresolved DPF complaints concern-
ing human resources and non-human resources data transferred from the EU/UK, to partici-
pate in the dispute resolution procedures of the panel established by the EU/UK data pro-
tection authorities to resolve disputes pursuant to the DPF Principles, and to comply with
the advice given by such authorities

DSD is also subject to the investigatory and enforcement powers of the Federal Trade
Commission, which is the competent supervisory authority under the DPF.

Where a complaint cannot be resolved by any of the aforementioned recourse mechanisms,
individuals have a right to invoke binding arbitration under the DPF Panel as a recourse
mechanism of ‘last resort’.

In the event that DSD or such authorities determine that DSD failed to comply with this
Policy, DSD will take appropriate steps to address any adverse effects arising from such
failure and to promote future compliance.

5. LIMITATIONS

DSD’s adherence to the DPF Principles may be limited (a) to the extent necessary to meet
applicable national security, public interest or law enforcement requirements , e.g. in the
course of lawful requests by public authorities (b) by statute, government regulation or case
law that creates conflicting obligations or explicit authorizations , provided that , in
exercising any such authorization, an organization can demonstrate that its non- compliance
with the Principles is limited to the extent that is necessary to meet overriding legitimate
interests furthered by such organization; or (c) if the effect of the GDPR or Member State
law or UK law is to allow exceptions or derogations, provided such exceptions or
derogations are applied in comparable contexts.

6. CONTACT INFORMATION.

Questions or comments regarding this Policy or our practices concerning Personal Data should be submitted to DSD by mail or e-mail as follows:

        • Gillian Talwar, General Counsel,
        • Drive System Design, Inc. 37655 Interchange Drive,
        • Farmington Hills, MI 48335

Gillian.Talwar@www.drivesystemdesign.com;

Tel: 248 893 6210.

If you are an EU or U.K citizen, you may also address any unresolved complaints to the panel of the EU Data Protection Board at https://edpb.europa.eu/ or the UK Information Commissioner’s Office (ICO) at https://ico.org.uk/ respectively.

7. CHANGES TO THIS POLICY

This Policy may be amended from time to time, consistent with the requirements of the DPF
Principles. Appropriate public notice will be given concerning such amendments.

8. EFFECTIVE DATE

This policy is effective as of March 12, 2024

Issue Number Date Changes Made Owner Approved By
1.0 04/15/2019 Initial Issue GHT GHT
1.1 04/13/2022 4.7 amended GHT GHT
1.2 05/01/2023 4.7 amended GHT GHT
2.0 03/12/2024 Change Privacy Shield to Data Privacy Framework GHT GHT