The Hays Group, Inc. Privacy Shield Notice

This Privacy Shield Notice (“Notice”) describes how The Hays Group, Inc. d/b/a/ Hays Companies and its Affiliates (“Hays Companies,” “we,” or “us”) collect, use, and disclose certain personally identifiable information (“Personal Data”) that we receive in the United States (“U.S.”) from the European Economic Area (“EEA”) and Switzerland. This Notice applies to the processing of Personal Data that Hays Companies obtains of Data Subjects who reside in the EEA and Switzerland. This Notice applies to both HR-related and non-HR related Personal Data that is provided to us by a Data Controller. This Notice supplements our Website Privacy Notice located at https://www.hayscompanies.com/privacy-policy-statement/, and unless specifically defined in this Notice, the terms in this Notice have the same meaning as the Website Privacy Policy.

Hays Companies recognizes that the EEA and Switzerland have established strict protections regarding the processing of Personal Data, including requirements to provide adequate protection for Personal Data transferred outside of the EEA and Switzerland. To provide adequate protection for certain Personal Data about Data Subjects received in the U.S., Hays Companies has elected to self-certify to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from Data Subjects in the EEA and Switzerland. (“Privacy Shield”).

Hays Companies adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.

If there is any conflict between the policies in this Notice and the Privacy Shield Privacy Principles, the Privacy Shield Privacy Principles shall govern. To learn more about the Privacy Shield program, and to review our certification, please see the U.S. Department of Commerce’s Privacy Shield website located at: https://www.privacyshield.gov. The Federal Trade Commission (“FTC”) has jurisdiction over Hays Companies’ compliance with the Privacy Shield.

All Hays Companies employees who handle Personal Data from the EEA and Switzerland are required to comply with the Principles stated in this Notice.

Capitalized terms are defined in Section XII of this Notice.

I. SCOPE

This Notice applies to the processing of Personal Data that Hays Companies receives in the U.S. from a Data Controller concerning individuals who reside in the EEA and Switzerland. This Notice does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used (the use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible).

II. RESPONSIBILITIES AND MANAGEMENT

Hays Companies has designated the Information Technology Department with assistance from the Legal Department to oversee its information security program, including its compliance with the E.U. and Swiss Privacy Shield program.  The Information Technology Department and Legal Department reviews and approves any material changes to this program as necessary.  Any questions, concerns, or comments regarding this Notice may be directed to privacy@hayscompanies.com or 612-373-7277.

III. COLLECTION AND USE OF PERSONAL DATA

Our Website Privacy Policy located at https://www.hayscompanies.com/privacy-policy-statement/ describes the categories of Personal Data that we may receive in the U.S. as well as the purposes for which we use that Personal Data. We will only process Personal Data in ways that are compatible with the purpose designated by the Data Controller.

The Personal Data that we collect may vary based on the Data Controller. As a general matter, Hays Companies collects the following types of Personal Data from individuals: contact information, including, but not limited to, a person’s name, email address or other electronic contact information, home mailing address, telephone number, date of birth, gender, and national origin.

The information that we collect from individuals is used for communicating with the Data Controller, including offering broker services to employers that sponsor employee benefit plans, managing transactions, reporting, invoicing, and other operations related to providing services for the benefit of the Data Subject. In such cases, we are acting as a data processor and will process the personal information on behalf of and under the direction of our partners and/or agents who act as the Data Controller.

Hays Companies uses Personal Data that it collects for the following business purposes, without limitation:

  • maintaining and supporting its services, delivering and providing the requested services, and complying with its contractual obligations related thereto (including managing transactions, reporting, invoices, renewals, and other operations related to providing services to Data Controllers);
  • satisfying governmental reporting, tax, and other requirements (e.g., import/export);
  • storing and processing data, including Personal Data, in computer databases and servers located in the United States;
  • interactions with Data Controller’s local brokers at the request of the Data Controllers and other activities as requested by the Data Controller;
  • for other business-related purposes permitted or required under applicable local law and regulation; and
  • as otherwise required by law.

Hays Companies does not disclose Personal Data to third parties for purposes that are materially different than what the Personal Data was originally collected for.

IV. DISCLOSURES / ONWARD TRANSFERS OF PERSONAL DATA

Except as otherwise provided herein, Hays Companies discloses Personal Data only to Third Parties who reasonably need to know such data only for the scope of the initial transaction and not for other purposes.  Such recipients must agree to abide by confidentiality obligations.

Hays Companies may provide Personal Data to Third Parties that act as agents, consultants, and contractors to perform tasks on behalf of and under our instructions. For example, Hays Companies may store such Personal Data in the facilities operated by Third Parties. Such Third Parties must agree to use such Personal Data only for the purposes for which they have been engaged by Hays Companies and they must either:

  • comply with the Privacy Shield Principles or another mechanism permitted by the applicable E.U. & Swiss data protection law(s) for transfers and processing of Personal Data; or
  • agree to provide adequate protections for the Personal Data that are no less protective than those set out in this Notice;

Hays Companies also may disclose Personal Data for other purposes or to other Third Parties when a Data Subject has consented to or requested such disclosure. Hays Companies is potentially liable for onward transfers to third parties of personal data of EU or Swiss individuals received pursuant to Privacy Shield.   Please be aware that Hays Companies may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

V. DATA INTEGRITY AND SECURITY

Hays Companies maintains reasonable and appropriate security measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield.

VI. ACCESSING PERSONAL DATA

Hays Companies personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.

VII. RIGHT TO ACCESS, CHANGE OR DELETE PERSONAL DATA

Right to Access. Individuals may have the right to access the Personal Data that Hays Companies holds about them and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If individuals would like to request access to, correction, amendment, or deletion of Personal Data, they can submit a written request to the contact information provided below. We may request specific information from the requestor to confirm and authenticate identity. In some circumstances we may charge a reasonable fee for access to such information. We may need to contact the Data Controller to confirm the authorization to access, amend, or delete.

Satisfying Requests for Access, Modifications, and Corrections. Hays Companies will endeavor to respond in a timely manner to all reasonable written requests to view, modify, or inactivate Personal Data.

VIII. CHANGES TO THIS NOTICE

We reserve the right to amend this Notice from time to time consistent with the Privacy Shield’s requirements and applicable data protection and privacy laws and principles.  We will make individuals aware of changes to this Notice either by posting to our website, through email, or other means.

Effective Date: May 15, 2018

Last modified: July 3, 2018

IX. QUESTIONS OR COMPLAINTS

E.U. and Swiss residents or Employees may contact Hays Companies with questions or complaints concerning this Notice at: privacy@hayscompanies.com.

X. ENFORCEMENT AND DISPUTE RESOLUTION

In compliance with the E.U.-U.S. and Swiss-U.S. Privacy Shield Principles, Hays Companies commits to resolve complaints about your privacy and our collection or use of your personal information.  EEA and Swiss individuals with questions or concerns about the use of their Personal Data should contact us at privacy@hayscompanies.com.

We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your Personal Data within 45 days of receiving your complaint.

Hays Companies has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, JAMS at https://www.jamsadr.com/eu-us-privacy-shield.

If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed by Hays Companies, please go to https://www.jamsadr.com/eu-us-privacy-shield for more information and to file a complaint. Finally, as a last resort and in limited situations, EEA and Swiss individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism. For more information on binding arbitration, see US Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration).

Hays Companies also commits to cooperate with E.U. and Swiss data protection authorities and comply with the advice given by such authorities with regard to human resources data transferred from the EEA and Switzerland in the context of the employment relationship.

XI. CONTACT US

If you have any questions about this Notice or would like to request access to your Personal Data, please contact us at privacy@hayscompanies.com or (612) 373-7277.

XII. DEFINED TERMS

In addition to terms defined in the text, capitalized terms in this Privacy Notice have the following meanings:

“Affiliate” means any direct or indirect parent or subsidiary of Hays Companies or company under common ownership with Hays Companies.

“Data Controller” means a person or organization which alone or jointly with others determines the purposes and means of the processing of Personal Data.

“Data Subject” means an identified or identifiable natural living person who has a residence in the E.U. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics. For individuals residing in Switzerland, a Data Subject also may include a legal entity.

“Hays Companies’ Website” means any website authorized by Hays Companies to be operated in connection with the Hays Companies brand, whether operated by Hays Companies, or an Affiliate of Hays Companies.

“Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of Hays Companies or any of its affiliates or subsidiaries, who is also a resident of a country within the European Economic Area or Switzerland.

“Europe” or “European” refers to a country in the European Union.

“Personal Data” as defined under the European Union Directive 95/46/EC (and the successor regulation known as the General Data Protection Regulation) means data that personally identifies or may be used to personally identify a person, including an individual’s name in combination with country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password, and identification numbers. Personal Data does not include data that is de-identified, anonymous, or publicly available. For Switzerland, the term “person” includes both a natural person and a legal entity, regardless of the form of the legal entity.

“Sensitive Data” means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership.

“Third Party” means any individual or entity that is neither Hays Companies nor a Hays Companies employee, agent, contractor, or representative.