Privacy Policy

HR Acuity Privacy Policy

December 2018 

1. General

HR Acuity LLC ("HR Acuity") is offering an award-winning web-based SaaS solution that standardizes how employee-related events are investigated, documented, and reported. Providing a disciplined and predictive approach to managing workplace issues, HR Acuity raises the bar in employee relations risk management. This is achieved through the unique HR Acuity On-Demand Application ("Application").

Using our Application naturally involves the processing of data. As a matter of principle, HR Acuity applies high standards safeguarding adequate protection of any information relating to an identified or identifiable natural person ("Personal Data"). HR Acuity is sincerely committed to the security and privacy of Personal Data as well as any other confidential information.

For that reason, our customers ("Subscribers") are asked to deploy the Application and HR Acuity's related services under an appropriate data processing scheme meeting the requirements of European privacy law, particularly Article 28 GDPR. HR Acuity will not process any personal data within scope of GDPR on behalf of Subscribers without such data processing arrangements which include explicit instructions on the processing to be undertaken. In consequence, our Subscribers have the benefit of remaining the genuine data controller. We act as data processor on behalf of and subject to the Subscriber's directives.

The details of our commitment to data privacy and data security are set out in this Privacy Policy ("Policy"). The Policy covers the entire handling of Personal Data collected, received, used, processed or transferred in the course of the services offered by HR Acuity through the Application. Please kindly note that HR Acuity cannot accept any responsibility for

  • any processing of Personal Data by Subscribers or individuals given access to the Application by Subscribers ("Users");
  • the privacy practices of Subscribers or Users.

This Policy therefore solely applies to HR Acuity's handling of Personal Data through the Application on behalf of the respective Subscriber.

2. PRIVACY STATEMENT

A. Place of Data Processing

Our Application may be deployed on a world-wide basis. The data processing takes place on servers that are located within the territory of the United States of America.

B. EU-U.S. Privacy Shield

In accordance with our commitment to protect personal privacy, HR Acuity is a participant in the U.S. Department of Commerce's EU-U.S. Privacy Shield and has certified that we adhere to the EU-U.S. Privacy Shield Principles ("Privacy Shield Framework"). To learn more about the Privacy Shield Framework, and to view our certification, please visit the U.S. Department of Commerce's Privacy Shield Website.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, HR Acuity is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

HR Acuity complies with the Privacy Shield Principles for all processing of Personal Data being subject to the regime of the Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016 (General Data Protection Regulation – "GDPR") including onward transfers of Personal Data from the European Union ("EU"). For the avoidance of doubt, all transfers of personal data under the EU-US Privacy Shield framework have been deemed as having an adequate level of protection by the European Commission by its powers under Article 45 of GDPR. This is reviewed annually by the European Commission, and any updates will be noted, acted upon and implemented as necessary.

In compliance with the Privacy Shield Framework, HR Acuity commits to resolve complaints about our collection or use of your personal information. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S. Privacy Officer at the following address:

United States
HR Acuity LLC
U.S. Privacy Officer
25A Vreeland Road, Suite
Florham Park, NJ
privacyofficer@hracuity.com

HR Acuity has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints (concerning human resources data transferred from the EU in the context of the employment relationship). If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to you.

Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

3. Application and Services

A. Scope of data processing

The Application is built on the principle of data protection by design and by default. It allows for the collection of information including Personal Data related to the Subscribers' employees such as name, employee ID, job title, work address, and manager. Further information may include data such as but not limited to race, gender, age or date of birth, military status, performance rating, etc. Some personal data is afforded extra protection under GDPR, which is called "Special Category Data." Such data includes race, gender, political opinions, health and trade union membership.

The Subscriber may feed into the Application information including Personal Data by way of a secured data transfer feed from this system which the Subscriber may provide in a fully encrypted format.

In addition to the aforementioned transfer of information, the Subscriber's authorized Users may enter additional Personal Data into the Application when documenting an employment-related issue.

It is the Subscribers' obligation as data controller to safeguard the use of the Application being adequately justified by either the affected data subjects' valid consent or statutory law (Article 6 GDPR and Article 9 if Special Category Data). It is therefore our general expectation that Subscribers have appropriate privacy practices and notification procedures in place to permit the deploying of the Application. In addition, HR Acuity will comply with its obligations as data processor as set out in Article 28 GDPR in particular. Where acting as a data processor, HR Acuity has a written contract in place with the data controller ensuring the obligations under Article 28 are documented and can be monitored.

B. Relation to Data Subjects

In general, HR Acuity will not have a direct relationship with the data subjects whose Personal Data is processed in the course of the Subscriber's deploying of the Application as HR Acuity is processing the Personal Data as data processor on the Subscriber's behalf and subject to his directives. Data subjects are therefore asked to turn to the Subscriber in case of any queries regarding their Personal Data stored or processed in the Application.

Any such concern may be addressed by email to privacyofficer@hracuity.com

We will convey any concerns immediately to the Subscriber that the Personal Data is allocated with. The Application itself and the services we offer to our Subscribers are designed in a way giving effect to all rights the data subject enjoys under the GDPR.

C. Limitations, Corrections and Updates

The Application provides means for the collection, usage, processing or transfer of Personal Data being restricted upon the Subscriber's request. Detailed information on the available options is provided to the Subscriber.

Also, the Subscriber may correct and/or update any Personal Data stored in or processed through the Application at any time.

D. Data Retention

HR Acuity will retain Personal Data for as long as needed (1) for providing the Subscriber with the services subscribed in connection with the use of the Application, or (2) the retention has been justified under the applicable law. In both cases, the data retention is based on the need-to-maintain principle in order to be able to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

E. Service Provider, Sub-Processors / Onward Transfer

HR Acuity may transfer Personal Data to companies that help us provide our services in connection with the Application. Transfers to subsequent third parties are covered by the provisions in this Policy. Such transfers will only take place on the basis of sub-processor agreements which ensure similar or strengthened requirements as between HR Acuity and the data controllers. However, HR Acuity will not engage another processor without prior specific or general written authorization of the Subscriber being the genuine data controller.

4. TECHNICAL AND ORGANIZATIONAL MEASURES

A. GDPR

HR Acuity has implemented appropriate technical and organizational measures in such a manner that processing will meet the requirements of Article 28 GDPR.

As part of our organizational measures we offer training to authorized Users as to how our Application functions and is used. During such training, we also emphasize the importance of considering omitting, redacting or extracting Personal Data before uploading such data into the Application where appropriate. Respective reminders are also embedded into the Application workflows. Having said this, it remains the Subscriber's responsibility to decide which data is uploaded and which not.

HR Acuity has also appointed a Data Protection Officer to provide expert advice and guidance and to monitor compliance with GDPR throughout the organization. Any comments or concerns should be directed to hracuity.dpo@kaleidoscopeconsultants.com.

B. ISO/IEC 27002 Information Security Standard

HR Acuity has a robust Information Security Program based on the ISO/IEC 27002 information security standard published by the International Organization for Standardization (ISO). All sensitive information, including Personal Data, will be segregated and protected according to the classification requirements of the HR Acuity Policies including:

  • Encryption of data at rest
  • Encryption of data in transit
  • Strong Access Controls
  • Strong Authentication
  • Data Classification

For more information or to obtain a copy of the HR Acuity Information Security Program, please email privacyofficer@hracuity.com.

5. DISCLOSURE OF INFORMATION FOR LAW ENFORCEMENT

HR Acuity may disclose Personal Data as required by law, such as to comply with a subpoena, or similar legal or security process when we believe in good faith that disclosure is necessary to protect our rights, protect the safety of our Subscribers, Users and data subjects whose Personal Data is stored in or processed through the Application, investigate fraud, or respond to a government request. HR Acuity will do so only in compliance with applicable law. Further, HR Acuity will immediately notify the Subscriber of any such request or requirement (except to the extent otherwise required by law).

6. APPLICABILITY

This Policy applies to the gathering and dissemination of Personal Data for the purposes of the Application and supersedes all other policies, procedures, practices, and guidelines relating to the matters set forth herein.

7. EU Representative

HR Acuity has a designated EU representative as per Article 27 of GDPR who can be contacted by any data subject or supervisory authority with concerns regarding HR Acuity in its capacity as a data processor. The representative can be contacted at hracuity.dpo@kaleideoscopeconsultants.com.

Privacy Policy Updated 10 December 2018