#1. General information
This Personal Data Protection Policy (“Policy”) provides description of processes of personal data protection of the employees and Clients’ data, as part of the provision of ACUMEN Services to its Clients. This information may be hold on ACUMEN side, Client side or third-party systems to which ACUMEN is provided access to for the provision of Services and this has been authorized by Clients. Where ACUMEN provides Services to Clients, ACUMEN is treated as Processor and the Client is treated as Controller. This Policy applies globally to all Services provided by ACUMEN to its Clients.
ACUMEN Processes Personal Data on behalf of the Client in compliance with Acting Data Protection Legislation. Where necessary, the Global Employment Services Agreement will be supplemented with a Data Processing Agreement with Annexes to include any additional topics that are specific to the Client and are not covered by this Policy.
This Policy does not apply to the collection of Personal Data through our website or through cookies with respect to which ACUMEN is treated as Controller; we refer to our separate Privacy Note and Cookies Policy for more information in this regard.
This Policy is available through the ACUMEN Group website at the following link: ACUMEN reserves the right to update this Policy without consulting or pre-informing its Clients.
The capitalized terms listed below have the follow meaning in this Policy:
a. “Client” means the counterparty to the Service Agreement with ACUMEN;
b. “Client Affiliate” means any legal entity affiliated to the Client;
c. “Client Data Subjects” shall mean the former and current directors, officers and employees and customers of the Client and Client Affiliates;
d. “Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
e. “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Service Agreement, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) together with all implementing laws and any other applicable data protection, privacy laws or privacy regulations;
f. “Personal Data” means any information through which a Client Data Subject can be identified directly or indirectly;
g. “Processing” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
h. “Processor” shall mean the party, which Processes Personal Data on behalf of the Controller;
i. “Services” means services ACUMEN provides to the Client under the Service Agreement;
j. “Service Agreement” means any written contract, any written statement of work, or any other written binding agreement, including any annexes thereto, between ACUMEN and the Client;
k. “Subprocessor” means any data processor appointed by Processor to process Personal Data on behalf of the Controller;
#3. Personal data processed by ACUMEN
The details of the Personal Data that will be Processed by ACUMEN on behalf of the Client, including the duration, purpose and categories of Personal Data, will be set out in the Data Processing Agreement with Annexes which supplements the Global Employment Service Agreement.
#4. Use of personal data
ACUMEN shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than:
- as necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of Client, or
- as required to comply with Data Protection Laws or other laws to which ACUMEN is subject, in which case ACUMEN shall (to the extent permitted by law) inform Client of that legal requirement before processing the Personal Data.
In addition, ACUMEN is allowed to use aggregated data – to the extent this can no longer be considered Personal Data – for analyzing purposes, for website and for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes and for improving the quality of its Services.
ACUMEN may be required to involve certain third-party providers to provide part of the Services to the Client or assist with providing technical support, such as IT service providers or other suppliers. By signing the Data Processing Agreement, the Client authorizes ACUMEN to subcontract the Processing of Personal Data to Sub-processors. Sub-processors are in each case subject to the terms between ACUMEN and the Sub-processor which are no less protective than those set out in this Policy and the Service Agreement. ACUMEN will inform the Client of the details of such Sub-processor(s) upon written request from the Client.
#6. Confidentiality and security
ACUMEN keeps the Personal Data confidential and will instruct its staff and Sub-processors to the same. ACUMEN shall implement appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk required pursuant to applicable Data Protection Laws and, where the Processing concerns personal data of EU residents, shall take all measures required pursuant to article 32 GDPR. In assessing the appropriate level of security, ACUMEN shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. The security measures are further described and specified in the document “Statement of Continuity”, which is published on the ACUMEN website (www.expressglobalemployment.com/statement-of-continuity/) and forms an integral part of this Policy.
7. Co-operating with requests of the client
ACUMEN shall, upon request and to the extent required under Data Protection Laws, co-operate with requests of the Client that relate to the Processing of Personal Data. In particular, ACUMEN shall co-operate with requests that relate to Client Data Subject rights, Data Protection Impact Assessments and audit rights as described below.
Client Data Subject rights: ACUMEN shall co-operate as requested by the Client to enable the Client to comply with any exercise of rights by a Client Data Subject in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under Data Protection Laws. Provided in each case that the Client shall reimburse ACUMEN in full for all costs (including for internal resources and any third party costs) reasonably incurred by ACUMEN performing its obligation under this section.
Data Protection Impact Assessment: ACUMEN shall provide reasonable assistance to the Client with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of the Client which are required under Article 36 GDPR, in each case in relation to Processing of Personal Data by ACUMEN on behalf of the Client and taking into account the nature of the processing and information available to ACUMEN.
Audit rights: On reasonable request and notice and at the Client’s expense, ACUMEN will co- operate in the conduct of any audit or inspection, reasonably necessary to demonstrate ACUMEN’s compliance with the obligations laid down in this Policy, provided always that this requirement will not oblige ACUMEN to provide or permit access to information concerning: (i) Supplier internal pricing information; (ii) information relating to ACUMEN’s other Clients; (iii) any of ACUMEN non-public external reports; (iv) ACUMEN confidential information, or (v) any internal reports prepared by ACUMEN’s internal audit function.
The Client’s requests provided in this section 7. will be fulfilled in close co-operation with and under supervision of ACUMEN’s Chief Information Security Officer, ACUMEN’s Chief Privacy Officer, or similar ACUMEN local officials.
#8. Deletion or return of client personal data
ACUMEN Group will, at the choice of the Client, delete or return the Personal Data at the end of the provision of the Services relating to Processing, to the extent reasonably possible and unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, practice and guidelines of any government, regulatory authority or self-regulating organization that applies to the Services in the country where those Services are being provided (“Applicable Law”), or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by ACUMEN.
#9. Incident management
ACUMEN shall notify the Client without undue delay after becoming aware of a personal data breach, providing the Client with sufficient information which allows the Client to meet any obligations to report a data breach under Data Protection Laws. Upon request by the Client and at the full expense of the Client for all costs incurred by ACUMEN (including for internal resources and any third party costs), ACUMEN shall fully co-operate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation and remediation of each data breach, in order to enable the Client to (i) perform a thorough investigation into the data breach, (ii) formulate a correct response and to take suitable further steps in respect of the data breach in order to meet any requirement under the Data Protection Laws.
#10. International transfers of client personal data
In the event of international transfers of Personal Data between ACUMEN and any Subprocessor, the following shall apply (insofar relevant):
- The Personal Data may (i) be transferred to one or more Subprocessors (other than ACUMEN’s Affiliates) in one or more Member States of the EEA or Switzerland on the basis of Data Protection Laws pursuant to the Clients permission ex section 5 of this Policy, or (ii) to one or more such Sub-processors in one or more third countries on the basis of an exception under Data Protection Laws, or (iii) on the basis of adequate safeguards added either, insofar as allowed under Data Protection Laws, by ACUMEN to ensure the protection of the Personal Data, or by the Client, in which case ACUMEN shall cooperate with the Client to seek an adequate basis for the cross-border transfer of Personal Data to such Sub-processor. At the Client’s request, ACUMEN shall inform the Client of the applicable basis for the cross-transfer of the Personal Data.
- Where the data protection or privacy law of any country outside the EEA or Switzerland applies to the Personal Data, the Client warrants that any cross-border transfer of Personal Data from ACUMEN to a Sub-processor shall be allowed, by implementing additional safeguards pursuant to Data Protection Laws or as otherwise permitted by Data Protection Laws.
The Client warrants that all Personal Data processed by ACUMEN on behalf of the Client has been and shall be Processed by the Client in accordance with Data Protection Laws including without limitation: (a) ensuring that all notifications to and approvals from regulators which are required by Data Protection Laws are made and maintained by the Client; and (b) ensuring that all Personal Data is Processed fairly and lawfully, is accurate and up to date and that a fair notice is provided to Client Data Subjects which described the processing to be undertaken by ACUMEN pursuant to the Services agreed upon in the Service Agreement.
By signing the Service Agreement, the Client shall indemnify and hold ACUMEN harmless against all claims, actions, third party or Supervisory Authority claims, losses, damages and expenses arising from any breach by the Client of this Policy.
The exclusions and limitations of the liability of ACUMEN set out in the Global Employment Service Agreement shall also apply to this Policy.