Privacy Policy for Dow’s Occupational Health Management System (Cority)

This policy explains how we may Process your Personal Data in connection with our Occupational Health Management System (the “OHMS”), which is provided to us by a third party, Cority Software, Inc. (“Cority”). Certain legal terms used in this policy are displayed in red the first time they’re used and defined below at the end of this policy. For the purposes of this policy:

  • “Dow,” “we,” “us,” and “our” refers to The Dow Chemical Company and its direct and indirect global subsidiaries and controlled affiliates that use the OHMS, including:
    • Dow’s occupational health business function and its local occupational health providers that use the OHMS (“Dow Occupational Health”), including its personnel and any person acting on its behalf (collectively, “OH Personnel”);
    • your respective Dow employing entity, if you have—or had or are seeking—a work-related contractual relationship with Dow (“Dow Worker”); and
    • the Dow entity that has contracted with your employer to provide Dow Services Business (“DSB”) occupational health services via the OHMS, if you have—or had or are seeking—a work-related contractual relationship with a DSB customer that receives DSB services via the OHMS (“DSB Worker”).
  • “Data Subject,” “you,” and “your” refers to each Data Subject to whom the OHMS Personal Data relate (e.g., Dow Workers, DSB Workers, site visitors, etc.).

This policy explains:
1. What this policy covers
2. Our approach
3. The OHMS
4. Who is Processing your Personal Data
5. What Personal Data we Process
6. The legal bases on which we Process your Personal Data
7. How we use your Personal Data
8. Who can access your Personal Data
9. Cross-border transfer of your Personal Data
10. Retention of your Personal Data
11. Your rights to your Personal Data
12. Changes to this policy
13. Data security
14. Contacts
15. Definitions

1. What this policy covers. This policy applies to all Personal Data Processed by Dow Occupational Health in connection with the OHMS. For Dow Workers, this policy supplements Dow’s Applicant and Candidate Privacy Notice, Employee Privacy Notice, and Privacy Policy for Dow’s HR Management System (Workday), which describe more broadly how we use your Personal Data before, during, and after your working relationship with Dow. For other Data Subjects (e.g., site visitors), this policy supplements Dow’s Privacy Statement. For DSB customers (and their DSB Workers), this policy supplements Dow’s Customer Privacy Notice.

2. Our approach. Our data protection obligations differ depending on applicable law. We must comply primarily with applicable law where you reside. This policy describes a set of common principles and practices governing our Processing of Personal Data in connection with the OHMS. Where country-specific additions to this policy are warranted to ensure local compliance, they will be permitted and should be communicated by the local Dow Occupational Health provider. OH Personnel have ethical duties and professional and legal obligations to maintain and protect the confidentiality of occupational health records and patient/client information in any form (including OHMS records), subject to limited exceptions under applicable law (the “Confidentiality Obligations”). This policy does not attempt to address or explain the nuances of the Confidentiality Obligations, which are complex and vary by jurisdiction. We require Dow Occupational Health and OH Personnel—and any other person entrusted with access to your Personal Data as part of their job responsibility—to treat your Personal Data as confidential, in accordance with this policy, applicable law, and the Confidentiality Obligations. We require our service providers to maintain the privacy and security of your Personal Data.

3. The OHMS. The OHMS is Dow Occupational Health’s system of record for storing your occupational health data (“Your Occupational Health Record”), including information: (a) you provide to us directly; (b) you authorize us to collect; (c) we create; and (d) we receive from other sources. You can manage Your Occupational Health Record via the myCority portal.

4. Who is Processing your Personal Data.

4.1. Dow. Certain OHMS Personal Data is Processed by Dow (acting as Data Controller), including Dow Occupational Health and The Dow Chemical Company, Global Dow Center, 2211 H.H. Dow Way, Midland, Michigan 48674.

4.2. Cority. Cority (acting as Data Processor on Dow’s behalf) hosts the OHMS in its AWS production tenant, which is stored in a data center located in Germany. In certain locations, the local Dow Occupational Health provider may host the OHMS on premises, in which case Cority may act as Data Processor in providing any customer support. To learn more about Cority’s privacy practices, please refer to its Privacy Policy.

4.3. DSB scenarios. Dow (acting as Data Processor) Processes DSB Worker Personal Data on behalf of DSB customers (acting as Data Controller). Dow Occupational Health may act as an independent Data Controller (given its professional services and Confidentiality Obligations).

5. What Personal Data we Process.

5.1. Information that you provide to us. We most often collect your Personal Data directly from you. While there may be no legal requirement for you to provide your Personal Data, refusing to do so may prevent us from providing services and performing legal and contractual obligations. Before you provide us with the Personal Data of others (e.g., emergency contacts), you must: (a) tell them that you intend to provide us with their Personal Data; (b) tell them how we will Process their Personal Data; and (c) confirm they do not object.

5.2. Information we collect from other sources. We may collect your Personal Data from other sources, subject to applicable law. For example, you may authorize us to receive information from your primary health care provider. We will Process such information as part of Your Occupational Health Record, in accordance with applicable law and Confidentiality Obligations.

5.3. Sensitive Personal Data. We may collect your Sensitive Personal Data, including information about your physical/mental health. For example, if there is a clinical reason to do so, OH Personnel request information relating to ethnicity, drug and alcohol treatment, genetic information, family history, lifestyle, or physical/mental wellbeing, subject to applicable law. Sensitive Personal Data you provide to us will form part of Your Occupational Health Record. We will treat it with the utmost care, in accordance with applicable law and Confidentiality Obligations.

5.4. Children. The OHMS is not intended for children. We do not knowingly collect data relating to children, except to the limited extent (if at all): (a) there is a clinical reason to do so; or (b) it is necessary to identify dependents, emergency contacts, family history, lifestyle, etc.

5.5. Categories of Personal Data collected. We may Process all or certain of the following categories of your Personal Data in connection with the OHMS, depending on applicable law, business needs, and your location, employer, job, circumstances, and choices. The categories listed below may not include all categories of Personal Data that we Process via the OHMS.

(a) Business contact: name; business address/email/phone; office location; country.   

(b) Personal contact: name; personal address/email/phone; emergency contact; authorized personal representative.

(c) Employment: employment status; company; business unit/division; job title/role; start/end date; line of reporting/manager; health/safety-related information and reporting; record of absence, time tracking, annual leave; user ID.

(d) Family: spouse, dependents, family health history.

(e) Demographics: age, date of birth, sex/gender; nationality; language; location; occupation; marital status; disability status.

(f) System: activity in OHMS, IP address, device, login credentials, log file data.

(g) Appointments: appointments, visits, dates, locations; OH personnel involved; tests, medications, treatments, referrals; recordkeeping/reporting actions triggered.

(h) Health assessments: information provided/obtained in connection with pre-employment, job-required, periodic, or any other health assessment/exam/questionnaire. This includes information relating to (and necessary to assess) your overall health and medical conditions, job demands, ability to wear PPE, ability to perform job functions/duties, activity restrictions, accommodations, work-related injuries/illnesses, toxic exposures, etc.

(i) Authorization to disclose/receive health information: who is authorized to disclose/receive health information; description/content of information disclosed/received.

6. The legal bases on which we Process your Personal Data. Applicable data protection laws generally require us to Process your Personal Data lawfully, and to inform you of the legal bases for our Processing. The legal bases vary by jurisdiction but typically include:

6.1. Necessity. We may Process your Personal Data on the basis that the Processing is:

(a) necessary for the performance of a contract to which you are a party, or to take steps at your request prior to you entering into such a contract;

(b) necessary for compliance with a legal obligation to which we are subject;

(c) necessary for the purposes of legitimate interests that are pursued by us or by a third party, and not overridden by your interests, rights, or freedoms;

(d) necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of applicable law or pursuant to a contract with a health professional; provided, however, that the Personal Data are Processed under the responsibility of an authorized professional (or person) subject to Confidentiality Obligations;

(e) necessary for the purposes of carrying out our/your obligations or to exercise our/your specific rights under employment, social security, or social protection law, to the extent permissible under applicable laws;

(f) necessary to protect your (or another person’s) vital interests, where you (or they) are physically or legally incapable of giving consent—e.g., due to a medical emergency; and/or

(g) necessary for the establishment, exercise or defense of legal claims.

6.2. Consent. In addition (or alternatively, to the extent that our Processing of your Personal Data cannot be based—under applicable law—on one or more of the legal bases described above in section 6.1), we may obtain your consent to our Processing of that Personal Data. We will obtain your consent separately and/or otherwise through your acceptance of this policy, in accordance with applicable legal requirements. Where we have sought your consent to the Processing of your Personal Data, you may withdraw this consent by contacting your local Dow Occupational Health provider or, in some cases, deleting this information from the OHMS yourself. Where you have withdrawn your consent, we will only retain and Process that data if we have another legal basis on which to do so (e.g., if the Processing remains necessary to carry out our legal obligations and/or necessary for the establishment, exercise, or defense of legal claims). Withdrawing consent may prevent us from carrying out certain tasks (e.g., notifying your emergency contact).

7. How we use your Personal Data. We Process your Personal Data for various purposes, subject to applicable law. Below is a non-exhaustive list of the purposes for which we Process Personal Data. Some may not be relevant to you, depending on your employer, job, location, circumstances, and choices. Additional information about the purposes for which your local Dow Occupational Health provider Processes your Personal Data may be notified to you separately.

7.1. Purposes.

(a) Appointment/visits: booking and conducting phone/video and in-person appointments; verifying your identity; contacting you for feedback; responding to your requests.

(b) Medical case management: providing consultation services (if you’re unable to perform work tasks or return to work due to an injury/illness); reviewing job requirements; determining fitness for work; assessing need for adjustments, accommodations, or support due to health condition; assessing workplace risk and adverse health impact; providing your employer with relevant information (e.g., about your fitness to work and need for modified work) subject to applicable law and the Confidentiality Obligations.

(c) Health assessments: conducting pre-employment/periodic health assessments, job-required testing, international-transfer counseling, retirement reviews, personal stress and agility assessments, laboratory tests, physical examinations, biometric measurements; analyzing your overall health and medical conditions; interpreting diagnostic results and/or medication for your employer (e.g., for alcohol and drug testing services or biological monitoring services).

(d) Medical emergencies: providing first aid and emergency medical treatment; administering medications; communicating with you or your contacts in emergencies.

(e) Reproductive health consultation: discussing work-related pregnancy concerns with you (e.g., working with chemicals or job safety).

(f) Travel health: providing travel health support (e.g., immunizations and consultation); coordinating travel-related health care and evacuation support.

(g) Vaccination: offering flu shots and other vaccinations depending on location/need.

(h) Clinical services: delivering work-related injury or illness care; providing clinical services (e.g., assessment, treatment, counseling, referral, documentation, safety notification, communication with supervisors/external providers, etc.).

(i) Worker assistance/health programs: offering confidential and professional guidance and support for you and your dependents; providing workplace health programs; preventing worker injury/illness; promoting healthy behaviors (e.g., physical activity, healthy eating, tobacco abstinence); improving personal health risk factors (e.g., blood pressure, glucose, cholesterol, BMI); analyzing aggregated worker health metrics and reporting aggregated results.

(j) Workforce management: managing work activities and personnel; conducting workforce planning, analysis, reporting, surveys.

(k) Communications, facilities, emergencies: communicating with you; protecting the health and safety of the workforce/community; responding to emergencies; safeguarding and maintaining physical facilities, IT infrastructure, office equipment, and other property.

(l) Business operations: operating and managing IT, communications systems, facilities; developing and improving our products and services; conducting public relations, other communications, business management and planning, accounting and auditing; managing and allocating company assets and resources; strategic planning, project management, business continuity, recordkeeping and reporting, budgets and finances; conducting transactions with third parties, mergers, acquisitions, sales, reorganizations, divestitures, and integration activities.

(m) Compliance and monitoring: complying with applicable legal obligations (e.g., recordkeeping, reporting, audits, government inspections, internal policies/procedures, industry certifications); responding to regulatory requests, legal processes, subpoenas, complaints, claims; pursuing legal rights/remedies; managing legal disputes, claims, litigation; conducting internal audits/investigations; monitoring for legal/policy violations, fraud, financial reporting concerns.

7.2. Data analysis using deidentified/anonymous data. We may use aggregated, deidentified, pseudonymized, and/or anonymized OHMS data for various purposes, including to: (a) improve our services; (b) conduct data/statistical analysis and reporting; (c) promote healthy behaviors; (d) improve personal health risk factors; and (e) comply with legal/contractual obligations. We do not share personally identifying information outside our business (other than with clinical contractors who complete identity/security checks and sign confidentiality agreements) unless you give us express permission—or we are legally required—to do so. We may provide your employer with aggregated OHMS data about their workforce (e.g., to identify key themes/trends). We will use only anonymized data for this purpose, which means the data is rendered anonymous in such a way that the Data Subject is no longer identifiable.

7.3. Automated decision-making and profiling. Solely automated decision-making is the ability to make decisions by technological means (i.e., automated Processing) without human involvement. We do not make any occupational health decisions based solely on automated Processing. However, in furtherance of certain security/compliance-related purposes (particularly: to safeguard our facilities/IT infrastructure and comply with applicable law), we may use automated methods to build a deidentified profile based on data that we have obtained as described in this policy, subject to applicable law. Access to such profiles generally is limited to Dow Information Security Services. Use at the individual level requires a compelling security and compliance-related interest. For more information about—or to object to—these profiling activities, you may submit a request here (internal) or here (external).

7.4. Artificial intelligence. We may use AI—including enterprise Generative AI—to Process your Personal Data (e.g., in connection with basic word processing activities), subject to applicable law. We do not use AI to provide medical services or analyze your health-related information. For more information about—or to object to—our use of AI, you may submit a request here (internal) or here (external).

8. Who can access your Personal Data.

8.1. Access within Dow. You can access Your Occupational Health Record via the myCority portal or via a Data Subject request. OH Personnel have role-based, tiered access to OHMS data, which may include Your Occupational Health Record and Personal Data. In addition, the following people and teams within Dow may be granted role-based, tiered access to certain of your Personal Data on a strictly need-to-know basis, subject to applicable law and the Confidentiality Obligations, and depending on your relationship with Dow and choices: (a) HR personnel and management responsible for making decisions in connection with your work or involved in an HR Process concerning your work (e.g., your fitness to work and need for modified work); (c) EH&S and Sustainability personnel (i.e., limited to your work-related injuries/illnesses); (d) system administrators; and (g) other teams (e.g., IT, OHMS support) that perform necessary tasks or system maintenance.

8.2. Access outside Dow. We may need to grant organizations and individuals outside of Dow access to your Personal Data, subject to applicable law and the Confidentiality Obligations, and depending on your relationship with Dow and choices. This may include the following:

(a) Authorized recipients: individuals to whom we disclose your health information or Personal Data, pursuant to your specific request and written authorization.

(b) DSB customers: the DSB customer with which you have a work-related contractual relationship (if you are a DSB Worker).

(c) Professional advisors: lawyers or other advisors.

(d) Service providers: companies that provide clinical services to us and/or you (e.g., testing services).

(e) Public and government authorities: entities that regulate or have legal jurisdiction over Dow (e.g., regulatory authorities, law enforcement, courts, etc.).

(f) Corporate transactions: third parties involved in proposed or actual business reorganizations, mergers, sales, joint ventures, assignments, transfers, or other dispositions of all or any portion of Dow businesses, assets, or stock.

9. Cross-border transfer of your Personal Data. Where we share your Personal Data within Dow or with a third party—so that it is transferred (or becomes accessible from) outside the European Economic Area ("EEA") or outside the country where the Dow company that controls your data is located—we put adequate safeguards in place. Examples include an adequacy decision of the European Commission (read more here), Standard Contractual Clauses (read more here), and the Binding Corporate Rules that certain suppliers have adopted (read more here). If you would like an overview of the safeguards in place, you may submit a request here (internal) or here (external) or email fglpriv@dow.com. Cority complies with and is certified to the EU-U.S., UK Extension to the EU-U.S., and Swiss-U.S. Data Privacy Frameworks. To learn more, visit Cority’s Privacy Policy and Data Privacy Framework Statement, and the U.S. Department of Commerce’s Data Privacy Framework website.

10. Retention of your Personal Data. We will retain your Personal Data for no longer than is necessary to fulfill our Processing purposes, typically for the retention periods below, subject to applicable law, and depending on your relationship with us and choices. We may anonymize and retain your Personal Data beyond these retention periods for statistical, research, or reporting purposes, or to comply with applicable law.

| Relationship | Information | Retention period |
| --- | --- | --- |
| Dow Worker | Your Occupational Medical Record* | 75 years after termination (or last encounter) |
| Dow applicant (not hired) | Your pre-placement health records* | 3 years |
| DSB Worker | Your Occupational Medical Record** | 75 years after termination (or last encounter), unless otherwise directed by the DSB customer |
| DSB applicant (not hired) | Your pre-placement health records*** | 3 years, unless otherwise directed by the DSB customer |

11. Your rights to your Personal Data. Depending on the jurisdiction in which you (and/or your Dow Occupational Health provider) are located and applicable law, you may have the Data Subject rights listed below. Such rights are not absolute (and may not apply in your jurisdiction). You may submit a Data Subject request by email (fglpriv@dow.com) or via the form here (internal) and here (external). We cannot always act on a request (e.g., if our legal/contractual obligations prevent us from doing so). No fees or payments are required to exercise your rights, but we may charge fees for duplicate/excessive requests. We may request information to confirm your identity and applicable rights.

| Data Subject right | What it means |
| --- | --- |
| Right of access | You may request access to—and information about the Processing of—your Personal Data. |
| Right to rectification | You may request rectification of your inaccurate—and completion of your incomplete—Personal Data. |
| Right to erasure | You may request erasure of your Personal Data. |
| Right to restriction | You may request restriction of the Processing of your Personal Data. |
| Right to data portability | You may request to receive your Personal Data in a commonly used and machine-readable format (and/or transmit the data to another controller). |
| Right to object | You may object to the Processing of your Personal Data. |
| Right to withdraw consent | You may withdraw your consent to the Processing of your Personal Data. |
| Right to lodge a complaint | You may lodge a complaint with data protection authorities regarding the Processing of your Personal Data. |
| Right to not be subject to decisions based solely on automated Processing/profiling | We may not subject you to a decision based solely on automated Processing/profiling (without human intervention) that produces adverse legal effects or significantly affects you, absent your consent or a legal requirement or lawful contractual obligation/necessity to do so. |
| Right to information | We must provide you with information regarding the Processing of your Personal Data collected from you or from others. |

12. Changes to this policy. Any changes we make to this policy will be posted to the OHMS or otherwise presented to you. For any material change, we may notify you about the change and ask you to accept the updated version of the policy. At the end of this policy, we disclose the date of our last update to the policy.

13. Data security. Maintaining the security and integrity of your Personal Data is a high priority. We endeavor to maintain appropriate administrative, technical, personnel and physical measures to safeguard Personal Data against loss, theft, and unauthorized uses or modifications. We expect you to contribute to the security of the OHMS by following appropriate security protocols and reporting suspected incidents promptly. You may report suspected incidents to fglpriv@dow.com. To learn about Cority’s security protocols and practices, please visit Cority’s Privacy Policy and Data Privacy Framework Statement.

14. Contacts. If you have questions about this policy, please contact your local Dow Occupational Health provider or email the Dow Data Privacy Team (fglpriv@dow.com).

15. Definitions. The legal terms displayed in red above are defined below for the purposes of this policy. The use (and meaning) of these terms may vary by jurisdiction and applicable law.

| Term | Definition |
| --- | --- |
| Personal Data | Any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Processing | Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Data Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. |
| Data Processor | The natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the controller. |
| Sensitive Personal Data | Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. |


Last Updated: August 22, 2025