European Union General Data Protection Regulation Notice
Purpose and Intended Audience
This Notice provides information regarding Cassidy Consulting Group’s compliance with the European Union General Data Protection Regulation (“GDPR”).
This notice is intended for all C2G employees and applicants who work, or will work, in the European Union, European Economic Area, and Switzerland. This Notice is also intended for all C2G employees who have access to personal data for covered individuals, or responsibility for systems, processes, or vendors that interface with personal data for covered individuals.
Cassidy Consulting Group and its managed affiliates (collectively, “C2G” or “we”) make reasonable efforts to protect the personal data of covered individuals. This Notice aims to provide guidance to C2G employees on the standards that govern C2G’s compliance with GDPR principles for these covered individuals. It also aims to provide covered individuals with transparent information regarding the processing of their personal data.
Scope and Responsibility
This Notice applies to C2G and all managed affiliates. It covers all personal data related to C2G’s employees, applicants for employment, contract workers, and consultants who work, or will work, in the European Union, European Economic Area, and Switzerland. All employees of C2G that have access to such personal data are responsible for conducting themselves in accordance with this Notice. C2G employees responsible for engaging third parties to handle personal data covered by this Notice on behalf of C2G (e.g., temporary staff, independent contractors, sub-contractors, business partners, or vendors) are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Notice, including any applicable contractual assurances required by GDPR principles.
Failure of a C2G employee to comply with this Notice may result in disciplinary action up to and including termination.
Listed below are the definitions that pertain to this Notice. Where a term is not specifically defined in this section, the definitions of Article 4 of the GDPR shall apply. C2G is the data controller.
“C2G” – Cassidy Consulting Group and its managed affiliates, and all other affiliates not specifically listed.
“Personal data” – any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity. Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link.
“Processed” or “processing” personal data – this term is broadly defined and includes any manual or automatic operation (or set of operations) on personal data, including its collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, transmission, dissemination or publication, alignment, or combination, and even restriction, erasure, or destruction.
“Personnel” or “you” or “your” – all employees of C2G who work in the European Union, European Economic Area, and Switzerland. As applicable, this may also refer to applicants for employment, contract workers, and consultants who work, or will work, in the European Union, European Economic Area, and Switzerland.
“Data Controller” – a person or entity who, either alone or jointly or together with other persons or entities, determines the purposes for which and the manner in which any personal data is, or are to be, processed. For purposes of this Policy, the Data Controller is C2G. For questions, contact email@example.com, 703-493-1991.
“Sensitive personal data” – personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
1. General Rule
Personal data shall be collected and processed in compliance with the requirements of the GDPR and/or other applicable local data privacy laws (“Privacy Laws”).
C2G collects and processes personal data relating to its personnel primarily for job-related purposes. You can find a list of the purposes for which we process your personal data in Section 4 of this Policy. We do not collect and process more or other types of personal data than are necessary to fulfill the respective purposes. We will only use personal data as set forth in this Policy, unless you have specifically provided your consent to another use of your personal data, or such use is otherwise permissible under applicable Privacy Laws. You shall be informed about the categories of personal data collected and how the personal data will be processed. If we intend to use your personal data for purposes other than those for which the personal data was originally collected, we will inform you in advance. Where the processing is subject to your consent, we will use your personal data for a different purpose only with your permission. Access to the personal data shall be role-based and consistent with the job duty responsibilities of C2G’s employees who are given access.
2. Personal Data Collected and Held
Unless limited by local legislation, the following personal data will typically be collected, processed, and stored as part of the personnel record C2G holds on you:
-Your identity: to include last name, first name, maiden name; date of birth; sex; home address; home telephone number; home email, name and telephone number of a contact in case of emergency; passport number and related materials for processing of residency or other immigration status (if applicable); adhesion to the Catholic and Evangelic Church (in Germany and Switzerland only and exclusively for host country tax purposes); driver's license number (if applicable); work permit number; social security number (if applicable and only as required for payroll, benefit and insurance purposes); country of birth and nationality (if applicable); bank account details; employee identification number; and, if any, your disability rate (if applicable) as required for C2G to comply with its legal duty; your disability and veteran status (if applicable); marriage certificates and banking loan information for processing for relocation matters; and personal banking information for processing of payroll.
-Family status: to include marital status; last name, first name and date of birth of your spouse or partner (should you and your spouse or partner wish to be added to your insurance); last name, first name, and date of birth of your children (should you wish to add them to your insurance); insurance information; retirement account information; passport number and related materials for processing of residency or other immigration status; school forms for local school enrollment or tuition
-Employment terms and conditions: to include fixed-term contract or open-ended contract (if applicable); part-time or full-time job; hire date; termination date; division; department; reporting structure; job title; pay grade; work telephone number and work email address; job description; salary schedule and other compensation elements; participation in and elements of awards under the executive compensation plan, if applicable; related payments; actual working hours or shift time; retirement fund contribution; tax and source tax deductions; absence management (in particular sick leave, leave of absence, family leave, parental leave); paid holidays (if applicable); time off given in compensation for extra time worked; personnel representative status (such as whether there is an applicable works council).
-Education and development: to include diplomas and training certificates held; languages and proficiency (if applicable); curriculum vitae detailing your work experience and if applicable, military experience (but not the reasons for deferment or rejection from the military service, if any); continuous training; mobility situation and management of career development actions; performance evaluations; training programs completed.
-Data collected through the Ethics Hotline (if applicable): You or a complainant can submit complaints or inquiries on an anonymous basis to the C2G Ethics hotline. If you or a complainant wishes to use your or their identity, then the following personal data may be collected: last name, first name, job title, and contact information of the person who contacted the compliance hotline (the complainant); last name, first name, job title, and contact information of the person who is the subject of the communication to the compliance hotline; last name, first name, job title, and contact information of the person(s) involved in the collection and processing of the complaint; alleged facts reported by the complainant; follow-up required to verify the alleged facts; and information obtained or created in connection with reporting the complaint.
3. Collection and Processing of Sensitive Data
In principle, C2G does not collect or process personal data revealing your political opinions, religious or philosophical beliefs, or sex life or sexual orientation, or genetic data or biometric data for the purpose of uniquely identifying a natural person.
However, racial or ethnic origin personal data (e.g., your identified race and ethnic origin as provided by you at your time of hire or when you voluntarily self-disclose such information after your time of hire) may be collected and processed by C2G to the extent that C2G is required to do so in order to comply with its affirmative action and equal employment opportunity obligations.
Further, health-related personal data (e.g., absence records associated with illness or accidents, including possible exposure to certain materials or contaminants; maternity leave; disabilities; work-related injuries or claims; etc.) may be collected and processed by C2G to the extent C2G is required to do so in order to comply with its labor and social security obligations or to manage the safety at the workplace.
Additionally, personal data related to trade union membership may be collected and processed for purposes of administering the terms of union agreements, benefits and retirement plans, and other activities governed by collective bargaining agreements.
4. Purposes of the Personal Data Processing
Where it is necessary, we use your personal data to help ensure effective personnel administration, for the following purposes:
-Payroll, Benefits, and Insurance: Personal data are used to administer the salaries, benefits, and insurance that you receive under your employment agreement, including annual merit increases, any other salary adjustments, annual bonus payments and retirement plan management, including other benefits provided to retirees; income tax; and social security withholdings.
-Travel Arrangements and Business Expense Processing: Personal data is used to make travel arrangements and to process business expenses associated with business travel; to process business expenses associated with approved coursework, books and periodicals, and training; to process business expenses associated with approved business expenditures.
-Performance Review and Management: C2G uses personal data to facilitate personnel performance management and career development, notably through annual performance appraisals; annual salary reviews, and if any, disciplinary measures in accordance with local legislation.
-Succession Planning and Leadership Development: Personal data may also be used for succession planning and leadership development of employees.
-Administration of Executive Compensation Program or Other Similar Employee Equity Plan: Personal data may be used in the administration of the executive compensation program or other similar employee equity plan.
-Legal Obligations: We also use your personal data to comply with our legal obligations, such as income tax and social security withholdings; “Catholic and Evangelic Church tax” (in Germany only and exclusively for tax purposes); disability and family leave obligations; or cooperation with courts, including civil actions, and with law enforcement agencies in legal investigations regarding suspected criminal activities or other suspected illegal activities. Subject to local law requirements, C2G may use your personal data to protect our legal rights or support any claim, defense, or declaration in a case or before any jurisdictional and/or administrative authority or arbitration or mediation panel, in the context of disciplinary actions/investigations or of internal or external audit and inquiries.
-Security: Some of your personal data are collected and processed for security purposes including office access and IT resources access. Personal data may be collected in the course of IT resources security procedures, including security penetration tests, for which IT experts will try to access our system to find any security breaches.
-General Management and Human Resources Administration: Personal data may also be used for administration purposes, including employee feedback through the use of employee surveys and contacting employees; administration of email systems and company directories; assignment of offices and other Company equipment; assignment of identification badges; and evaluations performed for purposes such as headcount, diversity and inclusion measures and overall corporate programs to promote an optimal workplace. Personal data may also be used for C2G’s planning and budgeting; financial reporting; corporate reorganizations; outsourcing; restructuring; and acquisitions and divestments. Personal data may also be used for human resources administration such as to obtain feedback from personnel about C2G and the work-life environment, so as to identify areas where the organization can improve and related matters.
-Reporting: Personal data may be collected through the compliance hotline implemented by C2G Corporation as a means of allowing employees to report allegations related to the following matters, or other areas of concern: accounting, internal accounting controls, auditing matters, bribery, banking, and financial crime; facts affecting the vital interest of C2G; or issues related to employees’ physical or moral integrity. The collected personal data may be transferred to Cassidy Consulting Group located in Naples, Florida USA in the event that the message received through the reporting system may affect substantially the legitimate interests of C2G or any of their affiliates.
-Monitoring: We will only monitor your use of C2G IT Resources in accordance with applicable statutory requirements (including, if applicable, notification of relevant authorities) and, if applicable, works council agreements.
-Performance in Your Job Within C2G: To assign a workspace, office, computers, other C2G equipment, to keep track of the individuals to whom the equipment is assigned, and to enable access to C2G’s IT systems and applications, including third party applications used to perform your job.
5. Legal Basis for Processing
We only process your personal data so far as such Processing is legally permitted. Please see below for a more comprehensive description of the legal basis on which we process your personal data. Among other things, the Processing of your personal data is based on the legal principles set out below.
5.1. For the Performance of a Contract with You
C2G may enter into legal contracts with you other than your employment contract, e.g., with regards to fringe benefits or cost of living allowances. We may process your personal data to comply with legal obligations arising from these contracts.
5.2. Compliance with a Legal Obligation
C2G is subject to a number of statutory requirements, e.g., to ensure compliance with legal obligations throughout C2G. To comply with these requirements, we must process certain personal data, for example personal data that we collect through the compliance hotline. Such legal obligations may sometimes require the processing of certain Sensitive personal data.
5.3. Safeguarding Legitimate Interests
C2G will process certain personal data in order to safeguard our own or any third party’s interests. This may include personal data collected for General Management and Human Resources Administration, Security, Reporting, Monitoring, and Legal Obligation purposes.
5.4. Processing in the Context of Employment
Furthermore, we will process certain personal data in the context of your employment contract. This may include, for example, administrative processing of your personal data to manage, plan and organize your work and your workplace, e.g., to manage the payment of your salary. If you refuse to provide your personal data, which are required in the context of your employment, you might face adverse effects such as the loss of certain benefits, or we might not be able to fulfil our legal obligations to you, i.e., the employment contract cannot be performed.
6. Personal Data Retention Period and Place of Storage
C2G will only keep your personal data for so long as they are relevant for the purposes for which they were collected or as required by law.
C2G’s personnel's personal data are held in paper, electronic, and other formats, and must be securely stored and accessible only in accordance with job responsibilities. Refer to C2G’s policies on record retention practices.
7. Conditions of Disclosure of Personal Data
Access to personal data is given to those individuals of C2G and its affiliates who need such access for a purpose listed above or where required by law. These parties include human resources, international human resources, talent management, finance, accounting and payroll, contracts, procurement, ethics, business services, security, tax, and other department personnel who require access to administer designated responsibilities. Personal data may also be disclosed to information technology personnel, controllers and accounting personnel, and relevant business managers. C2G will from time to time and for the purposes listed above, need to make some of your personal data available to:
(i) Government administrations (for example tax authorities or social security services) or judicial authorities.
(ii) Your current, past, or prospective employers.
(iii) Other employees within C2G, C2G Corporation and their affiliates or subsidiaries.
(iv) Employment or recruitment agencies.
(v) External advisers (including C2G’s independent public accountants, authorized representatives of internal control functions such as auditors or attorneys, corporate security, and corporate legal) and to companies which provide services to C2G for assisting C2G in human resources management (such as payroll services, candidates’ assessment purposes and outplacement services).
(vi) Third parties in the course of C2G’s general management (payroll administrators, benefits providers and administrators, information technology systems providers, financial institutions, retirement plan institutions, and consultants, and professional advisors and consultants).
(vii) Customers and clients.
(viii) Distributors and suppliers of goods or services.
(ix) Travel agencies.
(x) Insurance companies.
(xi) Outsourcers for various services.
In addition, where permitted by applicable law, personal data may be disclosed in connection with a corporate restructuring, sale, or assignment of assets, merger, divestiture, or other changes of control or financial status of C2G Corporation, C2G, or any of their affiliates. Finally, and to the extent permitted by applicable laws, personal data may be transferred to respond to internal or external audit and inquiries, to law enforcement requests, to administrative or judicial authorities or where required by applicable laws, court orders, or government regulations (including disclosures to tax, employment/labor or other authorities).
You can be assured that your personal data are disclosed or transferred to C2G’s employees or to the recipients within the departments listed in Paragraph 7 above who need to use your personal data for the purposes described in this Notice, and that your personal data will be treated confidentially. C2G requires from the service providers to whom your personal data may be transferred that they undertake to process your personal data only on behalf and subject to C2G’s instructions and to implement appropriate security measures to keep your personal data confidential.
8. Transfer of Personal Data Outside of the EU
As certain of the recipients listed in the above paragraphs may be located outside the EU where the data protection laws might not provide a level of protection equivalent to the laws in your jurisdiction, C2G has taken the appropriate measures to comply with the requirements of the Privacy Law to secure transfer of personal data outside the EU.
9. Security Measures Implemented to Protect Personal Data
C2G has undertaken efforts to put into place appropriate technical and organizational security measures to minimize the risk of unauthorized or unlawful disclosure or access to, or accidental or unlawful loss, destruction, alteration, or damage to your personal data. These measures will help ensure an appropriate level of security in relation to the risks inherent to the processing and the nature of the personal data to be protected. Your personal data will only be accessible to those Company employees who have a need to know your personal data for the performance of their job duties.
We work to have appropriate physical, technical, and organizational security measures in place to protect the security of your data that we process. These security measures may be updated over time when legal and technological developments occur.
10. Your Rights
You have specific legal rights relating to the personal data C2G collects and Processes about you. In certain circumstances, you may have rights to:
-Access your personal data that C2G stores.
-Correct the personal data C2G holds about you.
-Erase your personal data.
-Restrict C2G’s use of your personal data.
-Object to C2G’s use of your personal data.
-Withdraw your consent, if applicable.
-Receive your personal data in a usable electronic format and transmit it to a third party (right to data portability).
You may contact the responsible persons as listed below at any time if you would like to access the personal data that C2G holds about you or if you want to exercise your rights. You may access information concerning the source of the personal data, e.g., the purposes for which your personal data are being used, the categories of personal data concerned and the details of the parties with whom C2G may share your personal data. Pursuant to the law, you may object to the processing of your personal data for legitimate reasons, notably the transfer of your personal data to some recipients. Please note that where C2G collects, holds, and processes your personal data to perform its obligations under your employment contract, you may not oppose such processing.
You further have the right to lodge a complaint with a relevant supervisory authority if you believe that we may have infringed your rights.
11. Changes to this Notice
This Notice may be updated from time to time. Any such changes will be posted on C2G’s website and will be available by contacting the data privacy officer listed below.
12. Contact Information
-Data privacy officer contact information: 15275 Collier Blvd Suite 201 Naples Florida 34119, 703-483-1991, firstname.lastname@example.org