Effective date: March 15, 2021
This Notice is intended to fulfill our notice obligations under the European Union (“EU”) General Data Protection Regulation (“GDPR”) with respect to our current, future and potential employees who reside in the EU (for these purposes, reference to the EU also includes the United Kingdom and the European Economic Area countries Iceland, Liechtenstein and Norway), as well as our notice obligations under the EU-U.S. Privacy Shield Framework. This Notice does not apply with respect to individuals located outside of the EU.
We may update this Notice from time to time by providing you with written notice. The most up-to-date version of this Notice is available for employee viewing on our internal network. If you have any questions regarding the information contained in this Notice, you may contact your designated HR representative or email firstname.lastname@example.org.
2. What Information About You We Collect, Use, Transfer And Disclose, And Why
In the course of your employment with Company, we may have collected or will collect information about you and your working relationship with our company, or your spouse, domestic/civil partner or dependents. We refer to such information as “Personal Data”. Company will not use Personal Data for any other purpose incompatible with the purposes described in this Notice, unless it is required or authorized by law, authorized by you, or is in your own vital interest (e.g., in the case of a medical emergency).
As your employer, Company needs to keep and process personal information about you (“Personal Data”) for normal employment purposes. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run our business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, while you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the legitimate interests of Company and protect our legal position in the event of legal proceedings.
The types of Personal Data that we may collect, use, transfer and disclose are:
- Personal Contact Details: Name, work and home contact details (email, phone numbers, physical address) of you and your emergency contact.
Purpose and Legal Ground: We need your contact information in order to enter into and perform our obligations under our employment contract with you. The legal ground for processing this information is necessity for performance of a contract to which you, the data subject, are a party. Additionally, we may process your contact information for the purposes of creating and maintaining one or more internal employee directories and for purposes of communicating with you and your nominated contacts in an emergency, in which case the legal ground for processing is our legitimate interest in administering HR services and managing employees throughout our organization and ensuring the safety and well-being of our employees.
- Other Personal Details: Employee identification number, language(s) spoken, gender, date of birth, national identification number, marital/civil partnership status, domestic partners, dependents, disability status and photographs.
Purpose and Legal Ground: We process these personal details in order to provide you with employment benefits, to provide and administer HR services, and to prevent fraud. The legal ground for processing this information is our legitimate interests in administering our employee programs and ensuring the safety and well-being of our employees. We may also process this data for purposes of complying with legal and other requirements, such as income tax and national insurance deductions, record-keeping and reporting obligations, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations and complying with internal policies and procedures. The legal ground for such processing is our legitimate interest in complying with applicable legal and other requirements.
- Documentation Required under Immigration Laws: Citizenship, passport data, details of residency or work permit.
Purpose and Legal Ground: We require this information to comply with our legal obligations to verify your identity and eligibility to work. The legal ground for processing this information is necessity for compliance with a legal obligation to which we, the controller, are subject.
- Compensation and Payroll: Base salary, bonus, benefits, compensation type, salary step within assigned grade, details on stock options, stock grants and other awards, currency, pay frequency, effective date of current compensation, salary reviews, banking details, working time records (including vacation and other absence records, leave status, hours worked and department standard hours), pay data and termination date.
Purpose and Legal Ground: We process compensation and payroll data in order to provide you with compensation in accordance with your employment agreement with us, as well as for making business travel arrangements and managing business expenses and reimbursements. The legal ground for processing such data is necessity for the performance of a contract to which you, the data subject, are a party. We may also process this data for purposes of complying with legal and other requirements, such as income tax and national insurance deductions, record-keeping and reporting obligations, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations and complying with internal policies and procedures. The legal ground for such processing is our legitimate interest in complying with applicable legal and other requirements.
- Position: Description of current position, job title, corporate status, management category, job code, salary plan, pay grade or level, job function(s) and subfunction(s), company name and code (legal employer entity), branch/unit/department, location, employment status and type, full-time/part-time, terms of employment, employment contract, work history, hire/re-hire and termination date(s) and reason, length of service, retirement eligibility, promotions and disciplinary records, date of transfers, and reporting manager(s) information. This information may be collected from you directly, or where applicable, from other representatives within our organization.
Purpose and Legal Ground: We process these personal details in order to provide you with employment benefits, for managing work activities and personnel generally, including recruitment, appraisals, performance management, promotions and succession planning, rehiring, administering salary, and payment administration and reviews, wages and other awards such as stock options, stock grants and bonuses, healthcare, pensions and savings plans, training, leave, managing sickness leave, promotions, transfers, secondments, honoring other contractual benefits, providing employment references, loans, performing workforce analysis and planning, performing employee surveys, performing background checks, managing disciplinary matters, grievances and terminations, reviewing employment decisions, planning and monitoring of training requirements and career development activities and skills. The legal ground for processing such data is our legitimate interest in administering and providing our products and services as well as HR benefits and services, and complying with applicable laws.
- Talent Management Information: Details contained in letters of application and resume/CV (previous employment background, education history, professional qualifications, language and other relevant skills, certification, certification expiration dates), information necessary to complete a background check, details on performance management ratings, development programs planned and attended, e-learning programs, performance and development reviews, willingness to relocate, driver’s license information, and information used to populate employee biographies. This information may be collected from you directly, or where applicable, from other representatives within our organization or your previous employer if directed by you. Additionally, we may use a third party to perform a background check if permitted by applicable laws, and such third party may provide us with information about you.
Purpose and Legal Ground: We process these personal details for purposes of recruitment and management of employees and candidates. The legal ground for processing your personal data for that purpose is our legitimate interest in recruiting the right candidates, preventing fraud and ensuring the safety and well-being of all employees.
- Management Records: Details of any shares of common stock or directorships.
Purpose and Legal Ground: We process these personal details for administration of compensation and other awards such as stock options, stock grants and bonuses. The legal ground for processing your personal data for that purpose is our legitimate interest in providing and administering our stock program and directorships.
- System and Application Access Data: Information required to access Company systems and applications such as System ID, user ID, username, group id(s), group name(s), IP addresses associated with your access, email account(s), instant messaging account(s), 3rd party application information, keys, other access identifiers and tokens, previous employee ID, previous manager employee ID, system passwords, employee status reason, branch state, country code, previous Company details, previous branch details, and previous department details, and electronic content produced using Company systems.
Purpose and Legal Ground: We process this data for purposes of providing network access for authorized employees, managing authorization levels and ensuring the security of our systems, assets, information and employees, and for providing our products and services and associated support to customers. The legal ground for processing such data is our legitimate interest in providing our products and services to customers and at the same time ensuring the security and integrity of our systems and networks.
- Sensitive Information: We may also collect certain types of sensitive information only when permitted by local law, such as health/medical information, place of birth, trade union membership information, religion, and race or ethnicity. We collect this information for specific purposes, such as health/medical information in order to accommodate a disability or illness and to provide benefits; and diversity-related Personal Data (such as gender, race or ethnicity) in order to comply with legal obligations and internal policies relating to diversity and antidiscrimination. Please be assured that, as explained in the following section, we will only use such sensitive information for the following purposes and as provided by law.
Purpose and Legal Ground: We process this data for purposes of providing you with benefits and to comply with our legal obligations. The legal ground for processing such data is necessity for carrying out the obligations and exercising specific rights of Company or of you in the field of employment and social security and social protection law, but only in so far as it is authorized by applicable laws.
3. Disclosures within the Company Organization and to Third Parties and Transfers of Personal Data from the EU
Due to the global nature of Company’s operations, the processing of your Personal Data described above may involve the transfer and disclosure of such Personal Data to personnel and departments throughout our organization, as necessary for the purposes set forth above. For example, our main Human Resources team is located in the United States within our Company entity, and access to your Personal Data for the purposes set forth above may be required from the United States. Access to Personal Data within our organization will be limited to those who have a need to know the information, and may include your managers and their designees, as well as personnel responsible for HR, IT, marketing, legal and accounting matters. Additionally, all personnel within Company will generally have access to your business contact information such as name, position, telephone number, postal address and email address.
In cases where the Company transfers your personal data within the EEA and to the United States of America, the Company relies on an Intra-Group Data Transfer Agreement (the “Intra-Group DTA”) which contains the Controller-to-Controller version of the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries, pursuant to Decision 2004/915/EC.
YOUR RIGHTS UNDER THE GDPR
Notice: This Notice provides notice of the data we collect from you in your capacity as a current or former employee of Company and related entities and subsidiaries in the EU and transferred to Company in the U.S. It also describes how we use and handle your information, and how you may exercise your GDPR rights with respect to it.
Onward Transfers: From time to time, we may need to make Personal Data available to the following unaffiliated third parties:
- Professional Advisors: Accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors in all of the countries in which Company operates.
- Service Providers: Companies that provide products and services to Company such as payroll, pension scheme, benefits providers; human resources services, performance management, training, expense management, IT systems suppliers and support; third parties assisting with equity compensation programs, credit card companies, medical or health practitioners, trade bodies and associations, and other service providers. These providers may only process or store our employees’ Personal Data in the course of performing their contractual duties to us. Our contracts with these providers limit their access, use and disclosure of Employee Data solely to meet their contractual obligations in the performance of the specific functions described above, and require them to provide the Employee Data with at least the same level of protection as is required by applicable law.
As of the date of this Notice, we use the following Service Providers to process Personal Data of our employees (please contact your HR team for an updated list):
- Public and Governmental Authorities; Law Enforcement and Courts: We may be required to disclose your Personal Data to meet a legal obligation, including national security or law enforcement obligations and applicable law, rule, order, or regulation.
- Corporate Transaction: We may also disclose Personal Data to a third party in connection with any proposed or actual investment or financing transaction, reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of Company’s business, assets or stock (including in connection with any bankruptcy or similar proceedings).
Choice: You may tell us not to disclose (“opt out”) your Personal Data if it will be used for a purpose that is materially different from the purpose for which it was originally collected or that you authorized. You may send an email to email@example.com to exercise your opt out preferences.
Data Integrity and Purpose Limitation: We will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete and current. We will retain the data in an identifiable form only for as long as it serves the purpose of the processing.
Access: You have the right to obtain confirmation from Company about whether or not we are processing Personal Data from you. You have certain rights to access, amend, correct or delete your Personal Data where the data is inaccurate or has been processed in violation of applicable laws. We will make good faith efforts to accommodate these requests. If you have any questions regarding your access rights or would like to access your Personal Data or request to correct, amend or delete Personal Data, please send an email to firstname.lastname@example.org. In order to obtain this information, you may need to provide Company with Personal Data and other information, such as to verify your identity and the nature of your request. Please note that in some circumstances we may not be able to fully comply with your requests, such as where this is required or permitted by applicable laws, but we will of course act as required by law.
Rectification: You have the right to have inaccurate or incomplete Personal Data concerning you corrected and, in certain circumstances, supplemented without undue delay. You can correct some of this information directly by accessing your employee human resources account or emailing the human resources team at email@example.com.
Portability: You may have the right to request transmission, in certain circumstances, of the Personal Data you directly provide to us, or that is directly generated or collected by virtue of your employment, to you and/or another controller.
Erasure: You may have the right, in certain circumstances and subject to some exceptions, to request that we erase some or all of your Personal Data from our systems.
Objection to Processing: Where you have provided consent for the processing of your Personal Data, you have the right, in certain circumstances, to withdraw that consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn. Additionally, if Company is processing your Personal Data based on its legitimate interest grounds, you may have a right to object to such processing.
Restriction of Processing: You may have the right, in certain circumstances, to request restriction of the processing of your Personal Data.
Recourse; Enforcement and Liability: If you have privacy-related complaints or inquiries, please send an email to firstname.lastname@example.org. Additionally, under the GDPR, you have the right to lodge a complaint about Company’s practices with respect to your Personal Data with the supervisory authority of your country or E.U. Member State.
For any privacy-related complaints that cannot be resolved directly with us, we have committed to working with the panel established by EU data protection authorities (“DPAs”) and to comply with the information and advice given by the panel regarding Personal Data transferred from the EU in the context of the employment relationship. Please contact us at the following address: email@example.com to be directed to the relevant DPA contacts.
4. Storage and Security
Your Personal Data will be stored for a period of up to 5 years following your departure from the Company, and you may request that we delete it immediately upon your termination. The Company seeks to protect Personal Data using appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the applicable type of Personal Data and processing activity.
5. Automated Decision Making
The Company does not conduct automated decision-making, including profiling, using personal data.
6. Employee’s Obligations
Please keep Personal Data up to date and inform us of any significant changes to Personal Data. You agree to inform your Dependents whose Personal Data you provide to Company about the content of this Notice, and to obtain their consent (provided they are legally competent to give consent) for the use (including transfer and disclosure) of that Personal Data by Company as set out in this Notice.
Human Resources Team Contact Information