THE CHOICES WE MAKE THAT MATTER – International Data Privacy/Protection JILL L. UREY, ASSISTANT GENERAL COUNSEL MID-ATLANTIC CIO FORUM NOVEMBER 20, 2014

Agenda 1. Overview of Glatfelter 2. Data Privacy/Protection Introduction 3. European Union Requirements 4. Non-EU Highlights 5. Trends 6. Tips and Guidance 7. Questions 1. Overview of Glatfelter 2. Data Privacy/Protection Introduction 3. European Union Requirements 4. Non-EU Highlights 5. Trends 6. Tips and Guidance 7. Questions 1

Glatfelter products are marketed in over 90 countries around the world 2 GLATFELTER – Global supplier of choice for fiber-based engineered products Founded in 1864; Publicly traded on the NYSE as GLT Annual sales of $1.8 billion; 4,400 employees worldwide Manufacturing Facilities: U.S., Germany, U.K., Canada, France, Philippines Sales / Representative Offices: U.S., Germany, France, U.K., China, Russia

Specialty Papers Feminine Hygiene #1 Adult Incontinence #1 Specialty Wipes/Towels #2 Trade Book Publishing#1 Carbonless Products#1 Postal Applications#1 Playing Cards#1 Greeting Cards#2 Tea Bags/Coffee Filters #1 Nonwoven Wallcovering #1 Composite Laminates #1 Battery Pasting Papers #1 Metallized Products #2 Composite Fibers Advanced Airlaid Materials GLATFELTER – Leading Positions in Niche Markets 3 Total net sales of $1.8 billion

Supplier of Choice to a Well Respected Customer Base 4 Random House Specialty PapersComposite FibersAdvanced Airlaid Materials GLATFELTER – Strong Relationships with Global Customers

Introduction to Data Privacy/Protection PERSONAL DATA Any information that identifies or can be used to identify an individual:  Name  Address   Phone Number  ID Number  Date of Birth  Health Information  Banking Information  Marital Status, etc. PERSONAL DATA Any information that identifies or can be used to identify an individual:  Name  Address   Phone Number  ID Number  Date of Birth  Health Information  Banking Information  Marital Status, etc. 5 Data Privacy/Protection Laws regulate the Processing of Personal Data PROCESSING Includes the following:  Collection  Use  Storage  Sharing  Transmission  Alteration  Deletion PROCESSING Includes the following:  Collection  Use  Storage  Sharing  Transmission  Alteration  Deletion

European Union Data Protection EU Data Protection Directive (95/46/EC) Article 29 Working Party Laws: The collection, processing and use of Personal Data is banned unless an exception applies. Data Subjects have the right to know why and how their Personal Data is collected and processed. Principles: Consent of Data Subject Legal Obligation or Public Interest Performance of Contract Protection of Vital Interests of Data Subject Legitimate Interests of Data Collector Exceptions: 6

EU Data Protection – Personal Data Transfers Outside the EU Safe Harbor Certification 1.Joint EU Commission and US Department of Commerce Program 2. Companies certify compliance with EU data protection standards 3. Annual certification for employee personal data and third party personal data Corporate Binding Rules 1. Internal rules/policies of company meeting EU data protection standards 2. Approved by relevant EU member’s Data Protection Authority 3. Approval times vary 7

EU Data Protection - Controllers and Processors 8 Data Transfers:  Statutory Justification  Data Subject Consent  Data Processing Agreement  Safe Harbor Certification OR Corporate Binding Rules  Standard Contractual Clauses

EU Data Protection – Additional Member States’ Requirements Co-Determination Rights Data Protection Officers Individual Employee Consent Consultation with Works Councils Declaration filing with the Data Protection Authority (CNIL) Notification to U.K. Information Commissioner 9 Germany France United Kingdom

Highlights of Non-EU Data Protection Requirements Data Transfer Agreement Explicit Consent from Data Subjects National and Provincial Laws Data Transfer Agreements/Sharing Protocols Employee Notification of International Transfers Written Consent from Data Subjects Notification to Russian State Regulator if Processing Customer Data 10 China Canada Russia

Trends – Enforcement News · BRAZIL: Telecom company fined $1.59 million for violating users privacy. HONG KONG: Privacy Commissioner condemns employment agencies from collecting personal data for job applicants via blind recruitment advertisements. · U.K.: An individual awarded nominal damages for emotional distress due to data breach. IRELAND: Successfully prosecuted individual directors of a company for disclosures of personal data without the consent of the data controller. 11

Trends – EU Cookie Audits 12 EU ePrivacy (“Cookie”) Directive  Users must be informed about the use of cookies on a company’s website  Users have the right to consent to cookies prior to use  Exception for cookies that are strictly necessary to delivery of an on-line service  Jurisdictional split on consent: Express vs. Implied  Cookie sweeps and audits EU ePrivacy (“Cookie”) Directive  Users must be informed about the use of cookies on a company’s website  Users have the right to consent to cookies prior to use  Exception for cookies that are strictly necessary to delivery of an on-line service  Jurisdictional split on consent: Express vs. Implied  Cookie sweeps and audits

Trends – Proposed EU Data Protection Revisions Prior authorization of a national data protection authority required before personal data may be transferred to non- EU country. Fines increased to the greater of €100 million or 5% of annual worldwide turnover. Data Subjects have right to demand erasure of personal data. Internet service providers processing personal data must receive explicit consent from the data subject. 13

Tips and Guidance AssessmentTechnologyDocumentationCommunication 14

Thank you! Questions? 15