Privacy Policy

HR Acuity Privacy Policy

February 2018 

1. General

HR Acuity LLC ("HR Acuity") is offering an award-winning web-based SaaS solution that standardizes how employee-related events are investigated, documented, and reported. Providing a disciplined and predictive approach to managing workplace issues, HR Acuity raises the bar in employee relations risk management. This is achieved through the unique HR Acuity On-Demand Application ("Application").

Using our Application naturally involves the processing of data. As a matter of principle, HR Acuity applies high standards safeguarding adequate protection of any information relating to an identified or identifiable natural person ("Personal Data"). HR Acuity is sincerely committed to the security and privacy of Personal Data as well as any other confidential information.

For that reason, our customers ("Subscribers") are asked to deploy the Application and HR Acuity's related services under an appropriate data processing scheme meeting the requirements of European privacy law, particularly Article 28 GDPR. In consequence, our Subscribers have the benefit of remaining the genuine data controller. We act as data processor on behalf of and subject to the Subscriber's directives.

The details of our commitment to data privacy and data security are set out in this Privacy Policy ("Policy"). The Policy covers the entire handling of Personal Data collected, received, used, processed or transferred in the course of the services offered by HR Acuity through the Application. Please kindly note that HR Acuity cannot accept any responsibility for

  • any processing of Personal Data by Subscribers or individuals Subscribers give access to the Application ("Users");
  • the privacy practices of Subscribers or Users.

This Policy therefore solely applies to HR Acuity's handling of Personal Data through the Application on behalf of the respective Subscriber.

2. PRIVACY STATEMENT

A. Place of Data Processing

Our Application may be deployed on a world-wide basis. The data processing takes place on servers that are located within the territory of the United States of America.

B. EU-U.S. Privacy Shield

In accordance with our commitment to protect personal privacy, HR Acuity is a participant in the U.S. Department of Commerce's EU-U.S. Privacy Shield and has certified that we adhere to the EU-U.S. Privacy Shield Principles ("Privacy Shield Framework"). To learn more about the Privacy Shield Framework, and to view our certification, please visit the U.S. Department of Commerce's Privacy Shield Website.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, HR Acuity is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

HR Acuity complies with the Privacy Shield Principles for all processing of Personal Data being subject to the regime of the Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016 (General Data Protection Regulation – "GDPR") including onward transfers of Personal Data from the European Union ("EU").

In compliance with the Privacy Shield Framework, HR Acuity commits to resolve complaints about our collection or use of your personal information. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S. Privacy Officer at the following address:

United States HR Acuity LLC U.S. Privacy Officer 25A Vreeland Road, Suite Florham Park, NJ
privacyofficer@hracuity.com

HR Acuity has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints (concerning human resources data transferred from the EU in the context of the employment relationship). If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to you.

Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

3. Application and Services

A. Scope of data processing

The Application is built on the principle of data protection by design and by default. It allows for the collection of information including Personal Data related to the Subscribers' employees such as name, employee ID, job title, work address, and manager. Further information may include data such as but not limited to race, gender, age or date of birth, military status, performance rating, etc.

The Subscriber may feed into the Application information including Personal Data by way of a secured data transfer feed from this system which the Subscriber may provide in a fully encrypted format.

In addition to the aforementioned transfer of information, the Subscriber's authorized Users may enter additional Personal Data into the Application when documenting an employment-related issue.

It is the Subscribers' obligation as data controller to safeguard the use of the Application being adequately justified by either the affected data subjects' valid consent or statutory law (Article 6 GDPR). It is therefore our general expectation that Subscribers have appropriate privacy practices and notification procedures in place to permit the deploying of the Application. In addition, HR Acuity will comply with its obligations as data processor as set out in Article 28 GDPR in particular.

B. Relation to Data Subjects

In general, HR Acuity will not have a direct relationship with the data subjects whose Personal Data is processed in the course of the Subscriber's deploying of the Application, as HR Acuity is processing the Personal Data as data processor on the Subscriber's behalf and subject to its directives. Data subjects are therefore asked to turn to the Subscriber in case of any queries regarding their Personal Data stored or processed in the Application.

Any such concern may be addressed by email to privacyofficer@hracuity.com

We will convey any concerns immediately to the Subscriber to which the Personal Data is allocated. The Application itself and the services we offer to our Subscribers are designed in a way giving effect to all rights the data subject enjoys under the GDPR.

C. Limitations, Corrections and Updates

The Application provides means for the collection, usage, processing or transfer of Personal Data being restricted upon the Subscriber's request. Detailed information on the available options is provided to the Subscriber.

Also, the Subscriber may correct and / or update any Personal Data stored in or processed through the Application at any time.

D. Data Retention

HR Acuity will retain Personal Data for as long as needed (1) for providing the Subscriber with the services subscribed in connection with the use of the Application, or (2) the retention being justified under the applicable law. In both cases, the data retention is based on the need-to-maintain principle in order to be able to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

E. Service Provider, Sub-Processors / Onward Transfer

HR Acuity may transfer Personal Data to companies that help us provide our services in connection with the Application. Transfers to subsequent third parties are covered by the provisions in this Policy. In general, such transfer will only take place on the basis of sub-processor agreements. However, HR Acuity will not engage another processor without prior specific or general written authorization of the Subscriber being the genuine data controller.

4. TECHNICAL AND ORGANIZATIONAL MEASURES

A. GDPR

HR Acuity has implemented appropriate technical and organizational measures in such a manner that processing will meet the requirements of Article 28 GDPR.

As part of our organizational measures we offer training to authorized Users as to how our Application functions and is used. During such training, we also emphasize the importance of considering omitting, redacting or extracting Personal Data before uploading such data into the Application where appropriate. Respective reminders are also embedded into the Application workflows. Having said this, it remains the Subscriber's responsibility to decide which data is uploaded and which not.

B. ISO/IEC 27002 Information Security Standard

HR Acuity has a robust Information Security Program based on the ISO/IEC 27002 information security standard published by the International Organization for Standardization (ISO). All sensitive information, including Personal Data, will be segregated and protected according to the classification requirements of the HR Acuity Policies including:

  • Encryption of data at rest
  • Encryption of data in transit
  • Strong Access Controls
  • Strong Authentication
  • Data Classification

For more information or to obtain a copy of the HR Acuity Information Security Program, please email privacyofficer@hracuity.com.

5. DISCLOSURE OF INFORMATION FOR LAW ENFORCEMENT

HR Acuity may disclose Personal Data as required by law, such as to comply with a subpoena, or similar legal or security process when we believe in good faith that disclosure is necessary to protect our rights, protect the safety of our Subscribers, Users and data subjects whose Personal Data is stored in or processed through the Application, investigate fraud, or respond to a government request. HR Acuity will do so only in compliance with applicable law. Further, HR Acuity will immediately notify the Subscriber of any such request or requirement (except to the extent otherwise required by law).

6. APPLICABILITY

This Policy applies to the gathering and dissemination of Personal Data for the purposes of the Application and supersedes all other policies, procedures, practices, and guidelines relating to the matters set forth herein.

Privacy Policy Updated 01 February 2018