SHL WEBSITES & BUSINESS CONTACT PRIVACY NOTICE

Effective Date: 20 February 2019

Version No: 3.3

CHANGES TO THIS NOTICE: The Notice has been updated to include a new section 4 (TalentCentral Users) and we have updated section 6 (INTERNATIONAL TRANSFERS) to address the possibility of the United Kingdom leaving the European Union.

  1. THIS PRIVACY NOTICE

1.1 Our Privacy Notice

SHL takes its obligations to protect privacy and personal information very seriously. Please read this Privacy Notice (the Notice) carefully as it sets out important information relating to how we handle your personal information.

1.2 SHL companies issuing the Notice

In this Notice, references to “we“, “us“, or “SHL” are references to SHL Global Management Limited and all its group companies. This Notice sets out how we, as data controller, will collect and use personal information, and the choices and rights available to you in connection with our use of your personal information.

1.3 To whose personal information does this Notice apply?

This Notice describes our practices when using the personal information of:

  • employees of corporate customers and of suppliers to all our group companies and other third parties (business contacts); and

other persons who (1) may visit our websites such as shl.com, or other SHL websites that link to this Privacy Notice including users that sign up for a TalentCentral account (website users) or (2) who may visit our SHL pages on social media sites. TalentCentral means any of the following domains: talentcentral.us.shl.com, talentcentral.eu.shl.com, talentcentral.au.shl.com, or talentcentral.cn.shl.com

This Notice will apply whether you have provided the information directly to us or we have obtained it from a different source, such as a third party.

Our websites contain business-related content and are specifically aimed at and designed for use by adults. We do not knowingly solicit or collect personal information from or about individuals under the age of 18 years.

This Privacy Statement does not apply to data collected via SHL’s Talent Assessment systems which are governed by the terms of the specific Data Protection Notice (“DPN”) available at the beginning of each assessment.

  1. BUSINESS CONTACTS

2.1 Sources of business contact information

We collect personal information from our business contacts directly or from the following sources:

  • Third party referrals;
  • Our vendor on-boarding process;
  • Client checking and verification processes such as due diligence checks;
  • Marketing materials such as newsletters, white papers, training sessions and other events;
  • Public resources such as social media sites, telephone directories, newspapers, internet sites, registries or public records.

2.2 What personal information we collect about business contacts

The categories of information we collect about business contacts includes:

  • Personal details including name, office address, work telephone numbers and work email addresses, position title, level, function, and area of interest, and employer details such as organisation name, industry;
  • Financial details including annual revenue and payment details;
  • Services provided or purchased;
  • Testimonials;
  • Communications with our business contacts;

Log-in and similar account credentials and information about use of these services;

  • Image capturing, such as photos taken at events, videos, and CCTV footage;
  • Information provided from publically available sources; and
  • Any other personal information our business contacts provide in correspondence with us.

2.3 How we use the personal information we collect about business contacts

We use this information for certain activities, including:

  • Facilitating smooth running of the business through communication with corporate customers, for example, to communicate about the services we provide or to respond to inquiries;
  • Creating, maintaining and building upon customer and supplier relationships;
  • Business planning;
  • To fulfil a transaction initiated by a business contact;
  • To fulfil a transaction initiated by a member of the SHL Group such as the purchase of supplies or equipment;
  • Keeping accounts and financial records related to any business or other activity carried on by SHL;
  • Deciding whether to accept any person as a customer or supplier;
  • Business development including to send information that we believe may be of interest to business contacts, such as newsletters and details of upcoming events and to post customer testimonials on our websites;
  • For internal analysis and research to help us improve our products and services;
  • Sending administrative information such as notices related to product, service, or policy changes; and
  • Preventing, detecting, mitigating, and investigating fraudulent or illegal activity.

2.4 Why we use the personal information of business contacts

We use this information because:

  • It is necessary for performing our obligations, or exercising our rights, under our contracts with customers or suppliers;
  • It is necessary for compliance with any legal or regulatory obligations that we are subject to;
  • We have a legitimate business interest to:
  • manage our business and brand;
  • provide and improve our products and services;
  • operate our business;
  • keep our business contacts updated on products and services which may be of interest to them.

In limited circumstances, such as in the case of marketing, a business contact’s consent is required under applicable law. Where we rely upon a business contact’s consent, they will have the right to withdraw their consent by contacting SHL’s Global Data Protection Officer (DPO).

If a business contact requires further information regarding our legitimate interests as applied to their personal information, they may contact the DPO on the contact details below.

In certain circumstances, where a business contact does not provide personal information which is required, we will not be able to perform our obligations under the contract with them or may not be able to provide them with products and services. We will make it clear if and when this situation arises and what the consequences of not providing the information will be for the business contact.

3 WEBSITE USERS AND WEB-RELATED PRIVACY ISSUES

3.1 What personal information we collect about website users and visitors to SHL’s social media pages

The categories of information we collect about users of our website and SHL webpages on social media sites such as Facebook, YouTube, LinkedIn, WeChat and Twitter include:

  • Information users provide when they enter information on our website, such as when they make an online purchase (e.g. their name, address, phone number, email address and payment details) or when they apply for a role (further details on data collected during our recruitment process are set out in our Recruitment Notice);
  • Information users post on blogs, public forums on our sites, including our social media sites;
  • Information users provide when they correspond with us over WeChat (e.g. name, email address, details of any queries they may have);
  • Information users provide when they create a profile where required in order to post on online blogs and public forums (e.g. their name and email address);
  • Technical Information including your IP address, hardware and browser type/settings and operating system information and details of the webpages you visit and links you click on (including actions you take when accessing our website, services or emails) in accordance with our Cookies Notice;
  • Advertising information (such as size/type of ad, ad impressions, location/format of ad, data about interactions with ad);

3.2 How we use the personal information of website users and visitors to SHL social media pages:

We use personal information of users of our website and SHL webpages on social media sites such as Facebook, YouTube, LinkedIn and Twitter for certain activities, including:

  • Personalising the experience of our website;
  • Providing products and services that website users have requested;
  • Responding to any queries that website users have;
  • Administering the website, diagnosing website technical problems, investigating any complaints and providing customer services;
  • Providing website users and individuals accessing our web pages on social media sites with information and offers on products or services that may be of interest to them; and
  • Monitoring social media content to manage relations with our customers and promote our business and brand; and
  • Performing statistical and trend analysis to improve the user experience and performance of our website.

3.3 Why we use the personal information of website users and visitors to SHL social media pages:

We use personal information of users of our website and SHL webpages on social media sites such as Facebook, YouTube, LinkedIn and Twitter because:

  • It is necessary for compliance with any legal or regulatory obligations we are subject to;
  • We have a legitimate business interest to:
  • Promote our brand and business through our website and through social media tools;
  • Monitor, investigate and report any attempts to breach the security of our websites;
  • Provide support services and respond to any queries;
  • Improve the performance and user experience of our websites;
  • Manage and administer our sites and social media pages.

If a website user or individual accessing our web pages on social media sites requires further information regarding our legitimate interests as applied to their personal information, they may contact the DPO.

In certain circumstances, where a website user does not provide personal information which is required (for example, in relation to our online services), we will not be able to perform our obligations under the contract with them or may not be able to provide them with products and services. We will make it clear if and when this situation arises and what the consequences of not providing the information will be for the website/social media site user.

  1. TALENTCENTRAL USERS

4.1 What personal information we collect about TalentCentral users

The categories of information we collect about users of talentcentral.com include:

  • Account Registration information – When you register to use TalentCentral, we will collect personal information as necessary to register for a TalentCentral account (including name, email-address, password, gender, country/region)
  • If you complete as SHL assessment through talentcentral.com, you may also be required to provide us with additional personal information. You will be provided a further data protection notice for the collection of any additional personal information.

4.2 How we use the personal information of talentcentral.com users

We use personal information of users of TalentCentral for certain activities, including:

  • Providing our products and services as offered over our product interfaces; and
  • To allow users to have single identity on talentcentral.com.

4.3 Why we use the personal information of TalentCentral users

We use personal information of users of TalentCentral users because:

  • we collect your Account Registration with your consent to operate the TalentCentral site and provide our services to you including
    • Authenticate your access to a TalentCentral account
    • Communicate with you about your TalentCentral account
    • Where you have so elected, create an account connection between your TalentCentral account and a third party website (such as Facebook or Google
  • We collect your Country of Residence Information because we have a legitimate interest to comply with legislation applicable to the SHL, in particular US Trade Sanctions law.

In certain circumstances, where a website user does not provide personal information which is required (for example, in relation to registering for a TalentCentral account), we will not be able to to provide them with access to TalentCentral. We will make it clear if and when this situation arises and what the consequences of not providing the information will be for the TalentCentral users

4.4 Information we collect from third party sites

We may also get information about you from other sources. For example, if you create or log into your talentcentral.com account through another third-party website such as Facebook or Google. We will receive information from your selected third- party service provider (such as name and email address) via the authorization procedures used by such third-party service provider. The information we receive depends on which services you authorize and any options that are available.

By accessing TalentCentral through your Facebook, Google or LinkedIn account, you understand that Facebook or Google will share certain data detailed in the above paragraph with SHL for the purposes of authentication to permit you to access TalentCentral in a secure manner. You may stop this at any point from your Facebook or Google account. This information will be considered SHL account information for purposes of your use of the TalentCentral.

You have the ability to disable the connection between your Facebook or Google account and your TalentCentral account at any time by accessing your privacy settings on your Facebook or Google account. Facebook or Google may also ask for your permission to share certain other details with SHL, including but not limited to your name, profile picture, public profile information, and email address. Once you give this permission, the requested information will be shared with SHL, SHL may use this information to provide Services to you. The shared information will remain associated with your TalentCentral profile until you modify or delete it.

PLEASE NOTE THAT YOUR RELATIONSHIP WITH FACEBOOK OR GOOGLE, OR ANY OTHER THIRD-PARTY WEBSITE IS GOVERNED SOLELY BY YOUR AGREEMENT WITH SUCH THIRD-PARTY WEBSITE.

  1. Data Sharing

We may disclose personal information of business contacts and website/social media site users to third parties as follows:

  • to SHL group companies in order to process the data for the above mentioned purposes;
  • business associates and other professional advisers (e.g. auditors and lawyers);
  • to suppliers and/or providers of goods and services and other third parties who work on our behalf to service or maintain business contact databases and other IT systems, such as suppliers of the IT systems which we use to process personal information, or who provide other technical services;
  • to third parties who resell the SHL service and/ or provide value added services;
  • to competent authorities such as tax authorities, courts, regulators and security or police authorities where required or requested by law or where we consider it necessary;
  • subject to applicable law, in the event that SHL is merged, sold, or in the event of a transfer of some or all of our assets (including in bankruptcy), or in the event of another corporate change, in connection with such transaction;
  • SHL may offer solely or jointly with third parties webinars, white paper downloads, or other services related to SHL offerings or services. We will share your contact information and product interest in these offering or services with third parties to communicate with you, subject to applicable law;
  • SHL may also disclose information in special cases when we have a good faith belief that such action is necessary to: (a) protect and defend our rights or property; (b) enforce the Website Terms and Conditions; (c) act to protect the interests of our users or others; and
  • SHL also may share aggregate or anonymous information with third parties, including advertisers, investors, and partners. Aggregate or anonymous information does not contain any information that can be used to directly identify you.
  1. INTERNATIONAL TRANSFERS

We may transfer personal information we collect about our business contacts and website/ social media users outside the European Economic Area (EEA), the United Kingdom (UK) and/or Switzerland including to the USA and/or countries that do not have equivalent data protection laws to those applicable to the EU, UK and Switzerland, and to any other country in which we have offices. Privacy laws in these countries may not provide protections equivalent to those of your country of residence. It may also be processed by staff operating outside the EEA, UK or Switzerland who work for us or for one of our affiliated companies.

However, to ensure your personal information is properly protected in line with EU, UK and Swiss data protection laws, the transfer of this information is governed by a contract including Standard Contractual Clauses approved by the European Commission in accordance with Article 46(2)(c) of the European General Data Protection Regulation (GDPR).

We will only transfer data to jurisdictions outside the scope of the GDPR where the appropriate safeguards set out in the GDPR are in place.

SHL US LLC complies with the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (Privacy Shield) as set forth by the US Department of Commerce regarding the collection, use, and retention of information from the EEA, UK and Switzerland, and is subject to the investigatory and enforcement powers of the United States Federal Trade Commission. SHL US LLC adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability. If there is any conflict between this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles will take priority. More information about the Privacy Shield program can also be found at https://www.privacyshield.gov/.

SHL’s accountability for information that we receive under the Privacy Shield and subsequently transfer to a third party is described in the Privacy Shield Principles. In particular, we remain responsible and liable under the Privacy Shield Principles if third-party agents that we engage to process the information on our behalf do so in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

SHL’s participation in the Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission. In compliance with the Privacy Shield Principles, SHL commits to resolve complaints about your privacy and our collection or use of your Personal Data. Data Subjects with inquiries or complaints regarding this Privacy Shield Policy should first contact SHL at dpo@shl.com.

For complaints from EU, UK or Swiss data subjects that cannot be resolved with SHL directly, SHL has chosen to cooperate with EU data protection authorities (DPAs) and Swiss Federal Data Protection and Information Commissioner (Commissioner) and will comply with information and advice the DPAs and/or Commissioner may provide in relation to such unresolved complaints (as further described in the Privacy Shield Principles). The relevant DPA may be contacted here. The Commissioner may be contacted here.

Please note that if your complaint is not resolved through these channels, under certain circumstances, a binding arbitration option may be available before a Privacy Shield Panel.

SHL agrees to periodically review and verify its compliance with the Privacy Shield Principles, and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. SHL acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants.

If you require more information on the safeguards identified above, you can contact the DPO on the contact details below.

  1. RETENTION PERIODS

We will keep your information for as long as it is reasonably necessary to provide our services to you, to comply with legal, tax, accounting or reporting requirements and to protect and defend against legal claims. The time period will depend on factors such as whether you have registered an account with us or agreed to receive marketing from us.

If you wish to obtain further information about the retention periods as applied to your personal information, you can contact the DPO on the contact details below.

  1. DATA SUBJECT RIGHTS

We have listed the rights you have over your personal data and how you can use them below. These rights are subject to exemptions in applicable law and will only apply to certain types of information or processing. You can exercise these rights by contacting the DPO on the contact details below.

8.1        The Rights

  • Access: you are entitled to ask us if we are processing your information and, if we are, you can request access to your personal information.  This enables you to receive a copy of the personal information we hold about you and certain other information about it.
  • Correction: you are entitled to request that any incomplete or inaccurate personal information we hold about you is corrected.
  • Erasure: you are entitled to ask us to delete or remove personal information in certain circumstances. There are also certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims.
  • Restriction: you are entitled to ask us to suspend the processing of certain of your personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Transfer: you may request the transfer of certain of your personal information to another party.
  • Objection: where we are processing your personal information based on a legitimate interest (or those of a third party) you may challenge this.  However, we may be entitled to continue processing your information based on our legitimate interests or where this is relevant to legal claims.

You also have a right to lodge a complaint with a supervisory authority, in particular in the Member State in the European Union where you are habitually resident where we are based or where an alleged infringement of data protection law has taken place.

8.2        Direct Marketing

You can opt-out of receiving directing marketing from us at any time.  You can do this by contacting us on the contact details below or by clicking the “unsubscribe” button within our correspondence with you.

  1. MISCELLANEOUS

9.1 Security

We have put in place technical and organisational security measures to prevent the loss or unauthorised access of your personal information. We train our employees in the proper handling of personal information. However, whilst we have used our best efforts to ensure the security of your data, please be aware that we cannot guarantee the security of information transmitted over the Internet. If you have reasons to believe that your interaction with us is no longer secure, please immediately notify us of the problem by contacting us as set out below.

9.2 Links

Our Website may contain links to other “non-SHL” websites. We do not control and assume no

responsibility for the content, security or the privacy policies and practices on those websites. SHL encourages all users to read the privacy policies of those sites to determine how they protect and use personal information.

9.3 Changes to this Notice

This Notice will be changed from time to time.

If we change anything important about this Notice (the information we collect, how we use it or why) we will provide a prominent link to it for a reasonable length of time following the change on the Website.

If you would like to access previous versions of this Notice please click on the link to archived policies at the top of this page or contact us on the contact details below.

9.4        How to Contact Us

If you have any questions regarding our Notice you can contact us at: dpo@shl.com or by regular mail addressed to: SHL Group Ltd, Attn: Global Data Protection Officer, The Pavilion, 1 Atwell Place, Thames Ditton, England KT7 0NE, UK.