Table of Contents
1.2 SCOPE OF APPLICABILITY
2. PERSONAL DATA PROCESSING PRINCIPLES
2.1 FAIRNESS, LAWFULNESS AND TRANSPARENCY
2.2 PURPOSE LIMITATION
2.3 DATA MINIMIZATION
2.4 STORAGE LIMITATION / DELETION
2.6 SAFEGUARD SECURITY OF PERSONAL DATA
3. PERSONAL DATA PROCESSING
3.1.2 THIRD ENTITIES
3.2 PERSONAL DATA TYPES
3.2.2 THIRD ENTITIES
3.3 PURPOSES OF PROCESSING
3.4 STORAGE AND RETENTION
3.5 TRANSFER OF PERSONAL DATA
3.5.2 TO THIRD ENTITIES
4. DATA SUBJECTS RIGHTS
4.1 THE RIGHT TO BE INFORMED
4.2 THE RIGHT TO RECTIFICATION
4.3 THE RIGHT TO RESTRICT PROCESSING
4.4 THE RIGHT TO ERASURE (OR THE RIGHT TO BE FORGOTTEN)
4.5 THE RIGHT TO DATA PORTABILITY
4.6 THE RIGHT TO OBJECT
4.7 THE RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION MAKING
5. ROLES AND RESPONSIBILITIES
5.3 DATA PROTECTION OFFICER
5.3.1 CONTACT DETAILS OF THE DATA PROTECTION TEAM
6. SECURE PROCESSING
7. INCIDENT MANAGEMENT
8. COMPLIANCE MANAGEMENT & DPIA
9. EMPLOYEE’S OBLIGATIONS
10. POLICY REVIEW
Persado Holdings plc and its affiliated entities (collectively, “Persado” or the “Company”) value the trust of their employees and clients and are committed to protecting their personal information. This information helps Persado in contingency planning and internal talent searches, in addition to supporting routine Human Capital and operational processes. It also allows Persado to provide its clients with its services.
Persado operates in many different countries. Some of these countries have laws governing the collection, use, transfer and disclosure of the personal information of individuals, including our employees. Persado takes these obligations very seriously and is committed to protecting the privacy of current and former employees, clients and other third parties. The purpose of this Data Protection Policy (the “Policy”) is to give you information about what personal information the Company collects, uses, transfers and discloses, and why. It meets the requirements of the General Data Protection Regulation (GDPR) and ensures compliance with the principles of national and international data protection laws in force worldwide.
This Policy is applicable to all Persado departments and Employees as well as contractors, vendors, and other non-Employees that have a direct or indirect relation with Persado.
Personal Data: Personal Data, or Personal Information means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Personal Data Processing: Processing Personal Data means any process, with or without the use of automated systems, to collect, store, organize, retain, modify, query, use, forward, transmit, disseminate or combine and compare data. This also includes disposing of and deleting data.
Controller: Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Processor: Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
The Company will take commercially reasonable steps to ensure that the Personal Information processed is reliable for its intended use and is accurate and complete for carrying out the purposes described in this Policy.
Persado collects and processes Personal Data only where the processing is necessary to perform a contract, where the processing is in its legitimate interests and is not overridden by the Data Subjects’ protection interests or fundamental rights and freedoms, or where the Data Subject’s consent has been obtained. In some cases, Persado may also have a legal obligation to process Personal Data. Personal Data shall not be processed in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. Persado shall provide all required information to the Data Subject regarding the processing of Personal Data, such as: the processing purposes, the identity of the Controller, and the third parties or categories of third parties to whom the data might be transmitted.
Personal Data can be processed only for the purpose that was defined before the data were collected. Subsequent changes to the purpose are only possible to a limited extent (compatible with the original purpose) and require the Data Subject to be informed and to provide his/her consent, or a clear legal basis.
Persado shall ensure that Personal Data processed are:
Personal Data shall not be collected in advance and stored for potential future purposes unless required or permitted by Member State law.
The Company will retain Personal Information for the period it deems appropriate to fulfill the purposes outlined in this Policy unless a longer retention period is required or permitted by law.
Persado retains Personal Data for as long as necessary for the purposes for which the Personal Data was collected or where it has an ongoing legitimate business need to do so, or to comply with applicable legal, tax or regulatory requirements. For that purpose, appropriate retention periods have been defined taking into consideration legal, regulatory and business/contractual requirements (see Record of Processing Activities).
When there is no ongoing legitimate business need to process Personal Data, Persado will either securely destroy, erase, delete or anonymize them, or if this is not possible (for example, because Personal Data have been stored in backup archives), Personal Data shall be securely stored and isolated from any further processing until deletion is possible.
Persado shall take all reasonable steps to ensure the Personal Data processed are correct, complete and kept up-to-date as necessary. Appropriate steps shall be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
Personal Data shall be treated as Confidential Information and shall be handled accordingly. Appropriate technical and organizational measures are being enforced in order to safeguard confidentiality, integrity and availability of Personal Data (measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction).
The Company will take commercially reasonable measures to protect Personal Information that are substantially consistent with applicable privacy and data security laws and regulations, including requiring service providers to protect the confidentiality and security of Personal Information.
Persado collects Personal Data relating to its Employees either directly from the Employees themselves, through their use of communications media and electronic processing tools (corporate devices) allocated to them by the Company for the purposes of their work or, finally, through a closed-circuit television (CCTV) system that may be installed in its facilities. Persado collects Personal Data relating to other Data Subjects, such as Visitors, Customers, Suppliers, Candidates and other entities, directly from the Subjects themselves or through Third Parties with whom there is a contract. Entry points for Personal Data may include: email, the corporate website, cloud systems, etc. Persado fully complies with the principles of “purpose limitation” and “data minimization” and collects and processes Personal Data of:
In the course of your employment with Persado, the Company may have collected or will collect information about you and your working relationship with the Company, or your spouse, domestic/civil partner or dependents (“Dependents”). We refer to such information as “Personal Data” or “Personal Information”. Local employee handbooks, office manuals and notices, as applicable, provided in your local office may provide additional details or information. The Company will not use Personal Information for any other purpose incompatible with the purposes described in this Policy, unless it is required or authorized by law, authorized by you, or is in your own vital interest (e.g., in the case of a medical emergency).
With the exception of certain information that is necessary to fulfill the employment contract, required by law or important to the performance of our business, your decision to provide Personal Information to the Company is voluntary. However, if you do not provide certain information, the Company may not be able to accomplish some of the purposes outlined in this Policy.
Furthermore, the Company has the ability to collect and process Personal Data of its Employees relating to the use of media at or in connection with the workplace (telephony, e-mail, internet use), provided that it is strictly necessary: (a) to protect persons and goods; and (b) to organize and control the performance of the work or the work done by employees, including the control of costs. Personal Data recorded and processed should be limited to what is necessary and appropriate to achieve the above aims.
Data from other Data Subjects (Visitors, Customers, Suppliers and Other Entities) that are appropriate and relevant and limited to the necessary purposes related to Persado’s operational, commercial, advertising, communications, and financial needs. In this context, Persado collects, in principle, Personal Data of Data Subjects (Visitors, Customers, Suppliers, and Other Entities) when
In addition, the Company may, in special and exceptional cases, collect and process Personal Data from both Employees and other Data Subjects originating from the legally installed CCTV system located in particular facilities (e.g. entrance / exit of facilities). This treatment is justified by the nature and working conditions and is necessary to protect the health and safety of Employees or to protect critical facilities or critical infrastructure.
In particular, Persado may collect the following types of Personal Data from its Employees (for more details, see Personal Data Environment file):
Personal Information (Demographic Data, Identification Data): name, surname, employee identification number, work and home contact details (email, phone numbers, physical address), date and place of birth, ID number, registration number, social security number, marital/civil partnership status, domestic partners, dependents, nationality, passport and visa number, VAT number, language(s) spoken, gender, disability status, emergency contact information and photograph.
Documentation Required under Immigration Laws: Citizenship, passport data, details of residency or work permit.
Compensation and Payroll Information (Financial Data): Base salary, bonuses, allowances, benefits, compensation type, salary step within assigned grade, details on stock options, stock grants and other awards, currency, pay frequency, effective date of current compensation, salary reviews, salary changes, banking details, working time records (including vacation and other absence records, leave status, hours worked and department standard hours), pay data and termination date, payment time, date and cause of compensation, bank account number (IBAN).
Information about the job position: Description of current position, job title, corporate status, management category, job code, salary plan, pay grade or level, job function(s) and subfunction(s), company name and code (legal employer entity), branch/unit/department, location, employment status and type, full-time/part-time, terms of employment, employment contract, work history, hire/rehire and termination date(s) and reason, length of service, retirement eligibility, promotions and disciplinary records, date of transfers, and reporting manager(s) information, retirement, disciplinary record, promotions history, work permit, etc.
Talent Management Information: Details contained in letters of application and resume/CV (previous employment background, education history, professional qualifications, language and other relevant skills, certifications, certification expiration dates), information necessary to complete a background check or reference check, the background or reference check report, details on performance management ratings, development programs planned and attended, e-learning programs, performance and development reviews, willingness to relocate, driver’s license information, and information used to populate employee biographies.
Management Records: Details of any shares of common stock or directorships.
System and Application Access Data: Information required to access company systems and applications such as System ID, user ID, username, group id(s), group name(s), IP addresses associated with your access, email account(s), instant messaging account(s), 3rd party application information, keys, other access identifiers and tokens, previous employee ID, previous manager employee ID, system passwords, employee status reason, branch state, country code, previous company details, previous branch details, and previous department details, and electronic content produced using Company systems.
Sensitive Information: We may also collect certain types of sensitive information only when permitted by local law, such as health/medical information, place of birth, trade union membership information, religion, and race or ethnicity. We collect this information for specific purposes, such as health/medical information in order to accommodate a disability or illness and to provide benefits; religion or church affiliation in countries such as Germany where required for statutory tax deductions; and diversity-related Personal Information (such as gender, race or ethnicity) in order to comply with legal obligations and internal policies relating to diversity and anti-discrimination. Please be assured that, as explained in this Policy, we will only use such sensitive information for specific purposes and as provided by law.
In particular, Persado collects the following types of Personal Data from Third Entities (for more details, see Personal Data Environment file):
Information about consumer communication, promotional activities and advertising purposes: E-mail address, age, full name, telephone number, gender, nationality, cookies, username, country of residence, preferences, IP address, etc.
Information about clients: E-mail address, gender, age, name, marital Status, telephone number, call duration, tariff information, consumer marketing preferences, maker of device, type of device, username, etc.
Information about other third entities (i.e. suppliers, subcontractors): E-mail address, name, tax registry number, telephone number, work address, network events/logs, tariff information, username, payment history, etc.
Categories of unaffiliated Third Parties with whom Persado may share Personal Information:
Professional Advisors: Accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors in all of the countries in which Persado operates.
Service Providers: Companies that provide products and services to Persado such as payroll, pension scheme, benefits providers; human resources services, performance management, training, expense management, IT systems suppliers and support; third parties assisting with equity compensation programs, credit card companies, medical or health practitioners, trade bodies and associations, and other service providers.
Public and Governmental Authorities: Entities that regulate or have jurisdiction over Persado such as regulatory authorities, law enforcement, public bodies, and judicial bodies.
Corporate Transaction: A third party in connection with any proposed or actual investment or financing transaction, reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of Persado business, assets or stock (including in connection with any bankruptcy or similar proceedings).
Persado may process the Personal Data in accordance with applicable Member State law and for the purposes set forth in this Data Protection Policy. In particular, Persado may process the Personal Data for the following purposes:
Managing Workforce: Managing work activities and personnel generally, including recruitment, appraisals, performance management, promotions and succession planning, rehiring, administering salary and payment administration and reviews, wages and other awards such as stock options, stock grants and bonuses, healthcare, pensions and savings plans, training, leave, managing sickness leave, transfers, secondments, honoring other contractual benefits, providing employment references, loans, performing workforce analysis and planning, performing employee surveys, performing background checks, managing disciplinary matters, grievances and terminations, reviewing employment decisions, making business travel arrangements, managing business expenses and reimbursements, planning and monitoring of training requirements and career development activities and skills, and creating and maintaining one or more internal employee directories.
Communication and emergency situations: Facilitating communication with you or your nominated contacts in an emergency, ensuring business continuity, providing references, protecting the health and safety of employees and others, safeguarding IT infrastructure, office equipment and other property.
Business operation and Corporate activities: Operating and managing the IT and communications systems, managing product and service development, improving products and services, managing company assets, allocating company assets and human resources, strategic planning, project management, business continuity, compilation of audit trails and other reporting tools, maintaining records relating to business activities, budgeting, financial management and reporting, communications, managing mergers, acquisitions, investments, financing, sales, re-organizations or disposals, and integration with a purchaser.
Compliance: Complying with legal and other requirements, such as income tax and national insurance deductions, record-keeping and reporting obligations, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal processes such as subpoenas, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, conducting investigations and complying with internal policies and procedures.
Processing of Third-Party Transactions: Carrying out any commercial and financial transactions such as sales, distribution, and credit control of Third Parties (Suppliers etc.).
Client promotion and advertising: Conducting Competitions, Advertising, Promotions, Events, Sponsoring.
The Personal Data that Persado collects and processes for the above-mentioned processing purposes, as described in this Data Protection Policy, are stored on Persado’s computers and/or on servers and services hosted on the Internet in accordance with the corporate IT infrastructure. Personal Data may be transferred to, processed and stored at a destination outside of the European Economic Area (EEA), in which case it is ensured that the necessary measures have been taken to protect the Personal Data and the rights of the Data Subjects.
Personal Data will be retained, until their deletion, for a specific and limited period based on Persado’s legal, regulatory and business/contractual claims and obligations (see Records of Processing Activities).
In the event that the Data Subject exercises his / her right, and sends a corresponding written request to the Company at firstname.lastname@example.org, requesting the deletion of all or some of their Personal Data submitted, then the Company must:
Due to the global nature of Persado operations, the Company may disclose Personal Information to personnel and departments throughout Persado to fulfill the purposes described in this Policy. This may include transferring Personal Information to other countries (including countries other than where you are based, that have a different data protection regime than is found in the country where you are based). If you are located in the European Economic Area (the “EEA”) this may include countries outside of the EEA, including the United States. Persado will remain responsible for Personal Information about you that is transferred and used. For personal information held, processed and accessed outside the European Economic Area to countries that have not been determined by the European Commission to provide an adequate level of data protection, Persado shall ensure that appropriate data protection safeguards (e.g. European Commission’s Standard Contractual Clauses) are in place. To obtain a copy of the relevant transfer mechanism or additional information on the transfers, please contact us at email@example.com and firstname.lastname@example.org .
Access to Personal Information within Persado will be limited to those who have a need to know the information for the purposes described at the end of this Policy, and may include your managers and their designees, personnel in HC, IT, Marketing, Legal and Accounting.
All personnel within Persado will generally have access to your business contact information such as name, position, telephone number, postal address and email address.
From time to time, Persado may need to make Personal Information available to other unaffiliated third parties. For a list of the categories of unaffiliated third parties, please see the respective part of this Policy. Some of these unaffiliated third parties will be located outside of your home jurisdiction, including in the United States. Third-party service providers and professional advisors are expected to protect the confidentiality and security of Personal Information, to use Personal Information only for the provision of services to the Company, and to act in compliance with applicable law.
Furthermore, Persado may disclose Personal Data to certain categories of Third Entities, provided that the legitimacy of the transfer of such data has been ensured (for example, prior explicit consent of the Data Subjects or in the context of performance of a contract). Such consent of the Data Subjects may be revoked freely and at any time by informing Persado by written request to the following address email@example.com.
In particular, Persado may disclose Personal Data to the following “Third Entity” categories:
Service Providers (Subcontractors): refers to companies providing services to Persado necessary for the orderly operation and fulfillment of its obligations resulting from the employment contract, such as services related to payroll, advertising, communication (e.g. benefits such as health insurance, meal vouchers, mobile telephony companies, etc.), services relating to the provision of medical services to employees and generally the supervision of compliance with employee health and safety. It also applies to companies providing human resources training, health and life insurance/retirement plans, procurement and support of electrotechnical equipment, and advertising companies that collaborate to promote the products or generally the Company’s goals.
Government or other Public Authorities / Services: tax, customs and any other public authorities, judicial / prosecutorial / police authorities, independent regulatory authorities, public or other services related to the payment of taxes and insurance contributions. The aforementioned authorities (except public services) should submit a prior and specific request to Persado in accordance with the applicable legislation in order for us to disclose such Personal Data.
Third Entities related to corporate transactions: any third party that may be linked to an existing or future corporate investment or financial transaction, reorganization, sale, merger, joint venture, assignment, transfer or other disposal of all or part of Persado’s business, bankruptcy and / or liquidation.
In the event that Persado participates in an agency, merger, redemption or sale of its assets, Personal Data may be transferred as part of that agreement. Persado will inform the Employees and other Data Subjects of any such agreement (e.g. via email to their email address) or other means of communication and will request them to renew the consent to the collection and processing of their Personal Data, where applicable.
Persado maintains appropriate contracts and takes all necessary measures to bind “Third Party” Service Providers (professional consultants, lawyers, accountants, tax consultants, advertisers, etc.) as well as third parties who may be related to existing or future Corporate Transactions, that they will guarantee the confidentiality and security of the Personal Data that may be communicated to them and that they will use the Personal Data exclusively and only for the purposes for which they have been disclosed.
In particular, in the above-mentioned cases, the relevant written agreement with the Third-Party Service Providers (Subcontractors) shall include terms regarding the lawful processing of Persado’s Personal Data by the Third Party. These terms will include Persado’s instructions regarding the type and manner of processing of Personal Data, the purpose of the processing, and the technical and organizational measures required to protect the data. The privacy, security and legal treatment of Personal Data should be considered as a criterion for selection of Subcontractors.
The General Data Protection Regulation grants Data Subjects a range of specific rights they can exercise under particular conditions. Each request has to be handled immediately by the responsible unit. Persado enforces appropriate mechanisms in order to handle these requests within 30 days from submission. That period may be extended by two further months where necessary, considering the complexity and number of requests. The Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. The Controller shall enforce the Data Subjects Rights Management Procedure and the Data Subjects Consent Management Procedure. This section provides an overview of the fundamental Data Subject Rights. All requests must be sent to firstname.lastname@example.org.
If you have any questions or concerns about how the Company processes Personal Information, or if you wish to access, correct, suppress or delete Personal Information about you or request that we cease using it as permitted by applicable law, please contact email@example.com. Please note, however, that certain Personal Information may be exempt from such access, correction and deletion requests pursuant to applicable data protection laws or other laws and regulations. Persado commits to resolve complaints or concerns about its collection or use of Personal Information. Individuals with related complaints or concerns should first contact firstname.lastname@example.org.
Data Subjects shall have the right to be informed about the collection and use of their Personal Data. This includes privacy information such as: whether data concerning them are being processed, how the Personal Data were collected, the purposes for processing the Personal Data, the retention periods for that Personal Data, and the identity of the recipient or the categories of recipients in case the data are transferred to third parties.
In case Personal Data are incorrect or incomplete, the Data Subject shall have the right to request that it be corrected or supplemented.
The Data Subject shall have the right to request the restriction of processing of their Personal Data. In this case Persado is allowed to store the data, but not use it for certain purposes.
The Data Subject shall have the right to request their data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be taken under consideration.
The Data Subject shall have the right to receive the Personal Data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit these data to another controller without undue delay from the Controller.
The Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of Personal Data concerning them, including profiling based on those provisions. The Controller shall no longer process the Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims.
The Data Subject shall have the right to object to automated individual decision-making (deciding solely by automated means without any human involvement) and to profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
The Controller bears primary responsibility for ensuring that processing activities are compliant with EU data protection law (GDPR). This means that, considering the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the requirements of GDPR. More specifically, the Controller will:
The following is a list of the Processor’s responsibilities/obligations:
Persado is not required by applicable law to appoint a Data Protection Officer. However, it has appointed personnel whose responsibilities include at least the following:
Important Note: The DPO and Data Protection personnel are not personally responsible for non-compliance with data protection requirements.
For any queries on Data Protection, please contact: email@example.com
Persado’s Personal Data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data are processed electronically or in hard copy. Appropriate technical and organizational measures shall be enforced in order to ensure an appropriate level of security, considering the state of the art and the costs of implementation in relation to the risks and the nature of the Personal Data to be protected. In particular, before the introduction of new methods of data processing, especially new IT systems, technical and organizational measures to protect Personal Data shall be defined and implemented.
The technical and organizational measures for protecting Personal Data are part of Persado’s Information Security Management System (ISMS), which complies with the requirements of ISO 27001 Security Standard.
Persado’s internal procedures shall include appropriate organizational and technical measures to ensure the lawful processing of Personal Data. These procedures shall, as a minimum, ensure that:
Persado enforces the Incident Response Procedure in order to address incidents arising from cases such as:
All Employees shall initiate the Incident Response Procedure immediately when cases of violations against this Data Protection Policy or other regulations on the protection of personal data are identified.
Persado shall periodically review its Privacy and Information Security Framework in order to ensure compliance with applicable data protection laws and to ensure the continuing suitability, adequacy and effectiveness of its approach to managing Information Security and Privacy. An annual compliance assessment shall be performed and in case any non-compliance with the Policy is identified, the Company shall be responsible to determine the causes of the non-compliance, to evaluate the need for corrective actions to ensure that compliance is achieved, to determine and implement appropriate actions and review the actions taken.
Persado shall be responsible to perform periodic Data Protection Impact Assessments (DPIA) for all processing operations that are likely to result in a high risk to the rights and freedoms of Data Subjects. The Data Protection Team shall be informed of the results of DPIAs and an appropriate mitigation actions plan shall be defined and followed.
Please keep Personal Information up to date and inform the Company of any significant changes to Personal Information. You agree to inform your Dependents whose Personal Information you provide to the Company about the content of this Policy, and to obtain their consent (provided they are legally competent to give consent) for the use (including transfer and disclosure) of that Personal Information by the Company as set out in this Policy. You further agree to follow applicable law and the Company’s policies, standards and procedures that are brought to your attention when handling any Personal Information to which you have access in the course of your relationship with the Company. In particular, you will not access or use any Personal Information for any purpose other than in connection with and to the extent necessary for your work with the Company. You understand that these obligations continue to exist after termination of your relationship with the Company.
Persado reserves the right to review this Policy at regular intervals and to make public its latest version. Any changes to this Data Protection Policy will apply once the revised Policy is publicly available. The Company recommends that Employees and other Data Subjects regularly consult the Policy where it is published, so that they are aware of all the changes that have been made. If a review substantially reduces or alters their rights, they will be informed by the Company and may be asked to renew their consent regarding the collection and processing of their Personal Data.
For questions or queries about this Policy and how it is implemented, Employees and Data Subjects may contact: firstname.lastname@example.org.