HR Acuity LLC (“ HR Acuity ") is offering an award-winning web-based SaaS solution that standardizes how employee-related events are investigated, documented, and reported. Providing a disciplined and predictive approach to managing workplace issues, HR Acuity raises the bar in employee relations risk management. This is achieved through the unique HR Acuity On-Demand Application (" Application ").
Using our Application naturally involves the processing of data. As a matter of principle, HR Acuity applies high standards safeguarding adequate protection of any information relating to
an identified or identifiable natural person (" Personal Data"). For, HR Acuity is sincerely committed to the security and privacy of Personal Data as well as any other confidential
For that reason, our customers (" Subscribers ") are asked to deploy the Application and HR Acuity's related services under an appropriate data processing scheme meeting the requirements of European privacy law, particularly Article 28 GDPR. HR Acuity will not process any personal data within scope of GDPR on behalf of Subscribers without such data processing arrangements which include explicit instructions on the processing to be undertaken. In consequence, our Subscribers have the benefit of remaining the genuine data controller. We act as data processor on behalf of and subject to the Subscriber's directives.
used, processed or transferred in the course of the services offered by HR Acuity through the Application. Please kindly note that HR Acuity cannot accept any responsibility for
This Policy therefore solely applies to HR Acuity's handling of Personal Data through the Application on behalf of the respective Subscriber.
Our Application may be deployed on a world-wide basis. The data processing takes place on servers that are located within the territory of the United States of America.
While HR Acuity was previously certified under the EU.-U.S Privacy Shield, following the invalidation of this scheme by the Schrems II case, HR Acuity now relies upon Standard Contractual Clauses in order to meet our obligations regarding restricted transfers of Personal Data being subject to the EU General Data Protection Regulation (GDPR) and UK GDPR . HR Acuity has also undertaken a risk assessment of transfer and can provide further safeguards around the protection of Personal Data through additional contractual clauses if required.
HR Acuity currently relies on the Standard Contractual Clauses from decision 2010/87/EU, however, will transition to any new approved Standard Contractual Clauses as and when they become available from the European Commission.
The Application is built on the principle of data protection by design and by default. It allows for the collection of information including Personal Data related to the Subscribers’ employees such as, name, employee ID, job title, work address, and manager. Further information may include data such as but not limited to race, gender, age or date of birth, military status, performance rating, etc. Some personal data is afforded extra protection under GDPR, which is called "Special Category Data." Such data includes race, gender, political opinions, health and trade union membership.
The Subscriber may feed into the Application information including Personal Data by way of a secured data transfer feed from this system which the Subscriber may provide in a fully encrypted format.
In addition to the aforementioned transfer of information, the Subscriber’s authorized Users may enter additional Personal Data into the Application when documenting an employment- related issue.
It is the Subscribers' obligation as data controller to safeguard the use of the Application being adequately justified by either the affected data subjects' valid consent or statutory law (Article 6 GDPR and Article 9 if Special Category Data). It is therefore our general expectation that Subscribers have appropriate privacy practices and notification procedures in place to permit the deploying of the Application. In addition, HR Acuity will comply with its obligations as data processor as set out in Article 28 GDPR in particular. Where acting as a data processor, HR Acuity has a written contract in place with the data controller ensuring the obligations under Article 28 are documented and can be monitored.
In general, HR Acuity will not have a direct relationship with the data subjects whose Personal Date is processed in the course of the Subscriber's deploying of the Application as HR Acuity is processing the Personal Data as data processor on the Subscriber's behalf and subject to his directives. Data subjects are therefore asked to turn to the Subscriber in case of any queries regarding their Personal Data stored, processed, or disclosed in the Application.
Any such concern may be addressed by email to firstname.lastname@example.org
We will convey any concerns immediately to the Subscriber that the Personal Data is allocated with. The Application itself and the services we offer to our Subscribers are designed in a way giving effect to all rights the data subject enjoys under the GDPR.
The Application provides means for the collection, usage, processing or transfer of Personal Data being restricted upon the Subscriber's request. Detailed information on the available options is provided to the Subscriber.
Also, the Subscriber may correct and / or update any Personal Data stored in or processed through the Application at any time.
HR Acuity will retain Personal Data for as long as needed (1) for providing the Subscriber with the services subscribed in connection with the use of the Application, or (2) the retention has been justified under the applicable law. In both cases, the data retention is based on the need-to- maintain principle in order to be able to comply with our legal obligations, to resolve disputes, and to enforce our agreements.
HR Acuity may transfer Personal Data to companies that help us provide our services in connection with the Application. Transfers to subsequent third parties are covered by the provisions in this Policy. Such transfers will only take place on the basis of sub- processor agreements which ensure similar or strengthened requirements as between HR Acuity and the data controllers. However, HR Acuity will not engage another processor without prior specific or general written authorization of the Subscriber being the genuine data controller.
HR Acuity has implemented appropriate technical and organizational measures in such a manner that processing will meet the requirements of Article 28 GDPR.
As part of our organizational measures we offer training to authorized Users as to how our Application functions and is used. During such training, we also emphasize the importance of considering the omitting, redacting or extracting Personal Data before uploading such data into the Application where appropriate. Respective reminders are also embedded into the Application workflows. Having said this, it remains the Subscriber's responsibility to decide which data is uploaded and which not.
HR Acuity has also appointed a Data Protection Officer to provide expert advice and guidance and to monitor compliance with GDPR throughout the organization. Any comments or concerns should be directed to email@example.com.
HR Acuity has a robust Information Security Program based on the ISO/IEC 27002 information security standard published by the International Organization for Standardization (ISO). All sensitive information, including Personal Data, will be segregated and protected according to the classification requirements of the HR Acuity Policies including:
For more information or to obtain a copy of the HR Acuity Information Security Program, please email to firstname.lastname@example.org.
HR Acuity may disclose Personal Data as required by law, such as to comply with a subpoena, or similar legal or security process when we believe in good faith that disclosure is necessary to protect our rights, protect the safety of our Subscribers Users and data subjects whose Personal Data is stored in or processed through the Application, investigate fraud, or respond to a government request. HR Acuity will do so only in compliance with applicable law. Further HR Acuity will immediately notify the Subscriber of any such request or requirement (except to the extent otherwise required by law).
HR Acuity will only disclose personal data to third parties other than law enforcement or a sub-processor as described in 3E at the instruction of the Subscriber where there is a lawful basis to do so.
This Policy applies to the gathering and dissemination of Personal Data for the purposes of the Application and supersedes all other policies, procedures, practices, and guidelines relating to the matters set forth herein.
HR Acuity has a designated EU representative as per Article 27 of GDPR who can be contacted by any data subject or supervisory authority with concerns regarding HR Acuity in its capacity as a data processor. The representative can be contacted at email@example.com.