California Privacy Rights for Prospective & Current Employees

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

Mechanics Bank and its subsidiaries and/or affiliates (the "Company" or "we") provide this privacy policy to its employees who reside in California ("you") in accordance with the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA").

The purpose of this privacy policy is to provide you with a comprehensive description of the Company's online and offline information practices, inform you about the rights you have regarding your personal information and provide information that is necessary for you to exercise those rights.

Categories of Personal Information Collected

The Company will collect and has collected the following categories of personal information and sensitive personal information from you in the past 12 months:

Categories	Examples	Third parties disclosed to for a business purpose in the past 12 months	Sold or shared within the past 12 months	Retention period
Identifiers	Name, alias, postal address, email address, date of birth, social security number, passport number, driver’s license number, and state identification card number.	A, B, C, D, E, F, G, H, I	None	Duration of employment plus three (3) years after termination
Protected Classifications	Race, color, ethnicity, sex/gender, marital status, military or veteran status, disability, age.	D	None	Duration of employment plus four (4) years after termination
Account Information	Company account log-in information, including your access code, password, or credentials allowing access to a Company account.	A, B, E	None	Duration of employment plus three (3) years after termination
Financial Information	Financial account information, and credit check if applicable.	A, B	None	Duration of employment plus four (4) years after termination
Biometric Information	Fingerprints via Live Scan.	Not Disclosed	None	Duration of employment plus five (5) years after termination
Internet or Other Electronic Network Activity	Browsing history or search history on Company-owned devices, and data identifying personal device information if used on Company networks.	A, E	None	Duration of employment plus three (3) years after termination
Geolocation Data	IP address from Company-owned devices or personal devices used on Company networks, GPS location from Company-owned vehicles and devices.	A, C, E	None	Retained for three (3) months
Audio, Electronic and/or Visual Information	Your photograph or image when recorded on Company surveillance cameras, or captured at Company events, your voice or image when captured on recorded meetings after being given prior notification.	A, C, I	None	Retained for one (1) month
Employment-Related Information	Information contained in your personnel file, payroll records, I-9 verification forms, tax documents, requests for leave and/or accommodations, performance evaluations, training records.	A, B, C, D, E, F, G	None	Duration of employment plus four (4) years after termination
Education Information	Information regarding your degrees, field of study, prior educational institutions attended.	A, F, G	None	Duration of employment plus four (4) years after termination
Medical and Health Information	Doctor's notes or records from medical examinations	A, D, F, H	None	Duration of employment plus five (5) years after termination
Content of Mail, Email and/or Text Messages where the Company is not an Intended Recipient	Mail, email and/or text messages received on Company systems where the Company is not an intended recipient.	A, C, E, F, H	None	Duration of employment plus three (3) years after termination

Of the above categories and examples, the following is considered sensitive personal information:

Identifiers (social security, driver's license, state identification card, or passport number)
Protected Classifications (racial or ethnic origin)
Account Information (Company account log-in information in combination with any required security or access code, password or credentials allowing access to the Company account)
Financial Information (financial account information)
Biometric Information (fingerprints)
Geolocation Data (IP address, GPS location)
Medical and Health Information
Content of Mail, Email and/or Text Messages Where the Company is Not an Intended Recipient

The following is NOT considered personal information under the CCPA/CPRA:

Publicly available information, including information that is lawfully made available from federal, state or local government records, information that is lawfully made available to the general public by a consumer or from widely distributed media, and information made available by a person to whom a consumer had disclosed the information if the consumer has not restricted the information to a specific audience.
Lawfully obtained, truthful information that is a matter of public concern.
Deidentified or aggregate consumer information.

The following is a list of categories of third parties to whom your personal information is disclosed to in the past 12 months, as described in the chart above:

Government agencies
Payroll providers
Communications providers
Benefits providers
Information technology and security providers
Human resources information systems
Recruiters and/or staffing agencies
Professional employer organizations
Social media

Categories of Sources from Which Personal Information is Collected

The Company collects your personal information from the following categories of sources:

You, the consumer under the CCPA.
Recruiters and/or staffing agencies.
Personal references and/or former employers.
Government agencies.

Business Purposes for Which Personal Information is Disclosed

The Company collects, discloses, and shares your personal and sensitive personal information for the following business purposes:

To fulfill the reason for which you provided the information.
To maintain the safety and security of the Company's premises and networks.
To respond to requests as required by applicable law, court orders, or government agencies/regulations.
To facilitate your employment with the Company, including for purposes related to employment verification, promotion, discipline, payroll, etc.
To verify and respond to consumer requests.
To communicate with you regarding your employment.
To ensure compliance with local, state, and federal laws related to infectious diseases.

Selling/Sharing of Personal Information and Sensitive Personal Information

The Company does not sell or share your personal or sensitive personal information as defined under the CCPA/CPRA.

Use and Disclosure of Sensitive Personal Information

The Company does not use or disclose your sensitive personal information for purposes other than the following:

To perform the services reasonably expected by an average consumer who requests those services.
To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information.
To resist malicious, deceptive, fraudulent, or illegal actions directed at the Company and to prosecute those responsible for those actions.
To ensure the physical safety of natural persons.
For short-term, transient use.
To perform services on behalf of the Company.
To verify or maintain the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by the Company, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by the Company.
To collect or process sensitive personal information where the collection or processing is not for the purpose of inferring characteristics about a consumer.

Your Privacy Rights Under the CCPA

The CCPA confers the following rights on your regarding your personal information:

The Right to Know. The right to know what personal information the Company has collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business purpose for collecting, or sharing personal information, the categories of third parties to whom the Company discloses personal information, and the specific pieces of personal information the business has collected about you.
The Right to Delete: The right to delete personal information that the Company has collected from you, subject to certain exceptions.
The Right to Correct: The right to correct inaccurate personal information that the Company maintains about you.
The right not to receive discriminatory treatment by the Company for the exercise of privacy rights conferred by the CCPA, including an employee's right not to be retaliated against for the exercise of their CCPA rights.

How to Exercise Your Privacy Rights Under the CCPA

You may exercise your privacy rights under the CCPA as described above through one of the following methods:

Submit a request at 800.383.2350 - California Privacy Rights Act
Submit a request by emailing: fm_hrbp@mechanicsbank.com

An authorized agent is a natural person or business entity that you have authorized to act on your behalf. An authorized agent can make a request under the CCPA on your behalf if the authorized agent provides the Company with your written and signed permission to make the request. The Company may deny a request from an authorized agent if the agent does not provide to the Company your signed permission demonstrating that they have been authorized by you to act on their behalf. For requests to delete, correct, or know, the Company may also require you to either verify your identity directly with the Company or directly confirm with the Company that you provided the authorized agent permission to submit the request.

How We Will Verify Your Request Under the CCPA

The Company has established the following reasonable methods for verifying that the person making a request to delete, correct, or know is the person about whom the Company has collected information. The Company may request additional information from you for the purposes of verifying your identity when you are seeking to exercise your rights under the CCPA and for security and fraud-prevention purposes. For example, the Company may request that you provide the amount of your last paycheck, date of birth, and last four digits of your social security number to verify your identity. If the Company collects any new personal information about you for verification purposes, such information will be deleted as soon as possible after processing your request.

How We Will Respond to Your Request Under the CCPA

Ten (10) business days after receiving a request to delete, correct, or know, the Company will confirm receipt of your request and provide you with information regarding how the Company will process your request. The Company will respond to your request to delete, correct, or know in 45 calendar days after receipt of the request. If the Company cannot verify your request, the Company may deny your request. If necessary, the Company may take up to an additional 45 calendar days to respond to your request. If so, the Company will provide you with notice and an explanation as to why it will take more than 45 days to respond to your request.

Personal Information of Consumers Under 16 Years of Age

The Company does NOT have actual knowledge that it sells or shares the personal information of consumers under 16 years of age.

Contact Us

If you have questions or concerns about the Company's privacy policy and information practices, please contact Human Resources at fm_hrbp@mechanicsbank.com.

Date Last Updated: July 30, 2024

Changes to Our Privacy Notice

Mechanics Bank reserves the right to amend this PRIVACY NOTICE for California Residents at our discretion and at any time. When we make changes to this Notice, we will post the updated Notice on the Website and update the Notice's effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.