HR Acuity Privacy Policy

February 2018 

1. General

HR Acuity LLC ("HR Acuity") is offering an award-winning web-based SaaS solution that
standardizes how employee-related events are investigated, documented, and reported. Providing a disciplined and predictive approach to managing workplace issues, HR Acuity
raises the bar in employee relations risk management. This is achieved through the unique HR
Acuity On-Demand Application ("Application").

Using our Application naturally involves the processing of data. As a matter of principle, HR
Acuity applies high standards safeguarding adequate protection of any information relating to
an identified or identifiable natural person ("Personal Data"). HR Acuity is sincerely
committed to the security and privacy of Personal Data as well as any other confidential
information.

For that reason, our customers ("Subscribers") are asked to deploy the Application and HR
Acuity's related services under an appropriate data processing scheme meeting the
requirements of European privacy law, particularly Article 28 GDPR. In consequence, our
Subscribers have the benefit of remaining the genuine data controller. We act as data processor
on behalf of and subject to the Subscriber's directives.

The details of our commitment to data privacy and data security are set out in this Privacy
Policy ("Policy"). The Policy covers the entire handling of Personal Data collected, received,
used, processed or transferred in the course of the services offered by HR Acuity through the
Application. Please kindly note that HR Acuity cannot accept any responsibility for:

  • any processing of Personal Data by Subscribers or individuals Subscribers give access to
    the Application ("Users");
  • any privacy practices of Subscribers or Users.

This Policy therefore solely applies to HR Acuity's handling of Personal Data through the
Application on behalf of the respective Subscriber.

2. PRIVACY STATEMENT

A. Place of Data Processing

Our Application may be deployed on a world-wide basis. The data processing takes place on
servers that are located within the territory of the United States of America.

B. EU-U.S. Privacy Shield

In accordance with our commitment to protect personal privacy, HR Acuity is a participant in
the U.S. Department of Commerce's EU-U.S. Privacy Shield and has certified that we adhere to
the EU-U.S. Privacy Shield Principles ("Privacy Shield Framework"). To learn more about the
Privacy Shield Framework, and to view our certification, please visit the U.S. Department of
Commerce’s Privacy Shield Website.

With respect to Personal Data received or transferred pursuant to the Privacy Shield
Framework, HR Acuity is subject to the regulatory enforcement powers of the U.S. Federal
Trade Commission.

HR Acuity complies with the Privacy Shield Principles for all processing of Personal Data
being subject to the regime of the Regulation (EU) 2016/679 of the European Parliament and
of the Council dated 27 April 2016 (General Data Protection Regulation – "GDPR") including
onward transfers of Personal Data from the European Union ("EU").

In compliance with the Privacy Shield Framework, HR Acuity commits to resolve complaints
about our collection or use of your personal information. If you have an unresolved privacy or
data use concern that we have not addressed satisfactorily, please contact our U.S. Privacy
Officer at the following address:

United States
HR Acuity LLC
U.S. Privacy Officer
25A Vreeland Road, Suite
Florham Park, NJ
privacyofficer@hracuity.com

HR Acuity has further committed to cooperate with EU data protection authorities (DPAs) with
regard to unresolved Privacy Shield complaints (concerning human resources data transferred from the EU in the context of the employment relationship). If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to you.

Under certain conditions, more fully described on the Privacy Shield website, you may invoke
binding arbitration when other dispute resolution procedures have been exhausted.

3. Application and Services

A. Scope of data processing

The Application is built on the principle of data protection by design and by default. It allows
for the collection of information including Personal Data related to the Subscribers’ employees
such as name, employee ID, job title, work address, and manager. Further information may
include data such as but not limited to race, gender, age or date of birth, military status,
performance rating, etc.

The Subscriber may feed into the Application information including Personal Data by way of a
secured data transfer feed from this system which the Subscriber may provide in a fully
encrypted format.

In addition to the aforementioned transfer of information, the Subscriber’s authorized Users
may enter additional Personal Data into the Application when documenting an employment-related issue.

It is the Subscribers' obligation as data controller to safeguard the use of the Application being
adequately justified by either the affected data subjects' valid consent or statutory law (Article
6 GDPR). It is therefore our general expectation that Subscribers have appropriate privacy
practices and notification procedures in place to permit the deploying of the Application. In
addition, HR Acuity will comply with its obligations as data processor as set out in Article 28
GDPR in particular.

B. Relation to Data Subjects

In general, HR Acuity will not have a direct relationship with the data subjects whose Personal
Data is processed in the course of the Subscriber's deploying of the Application as HR Acuity is
processing the Personal Data as data processor on the Subscriber's behalf and subject to his
directives. Data subjects are therefore asked to turn to the Subscriber in case of any queries
regarding their Personal Data stored or processed in the Application.

Any such concern may be addressed by email to privacyofficer@hracuity.com.

We will convey any concerns immediately to the Subscriber that the Personal Data is allocated
with. The Application itself and the services we offer to our Subscribers are designed in a way
giving effect to all rights the data subject enjoys under the GDPR.

C. Limitations, Corrections and Updates

The Application provides means for the collection, usage, processing or transfer of Personal
Data being restricted upon the Subscriber's request. Detailed information on the available
options is provided to the Subscriber.

Also, the Subscriber may correct and / or update any Personal Data stored in or processed
through the Application at any time.

D. Data Retention

HR Acuity will retain Personal Data for as long as needed (1) for providing the Subscriber with
the services subscribed in connection with the use of the Application, or (2) where the retention is
justified under the applicable law. In both cases, the data retention is based on the need-to-maintain principle in order to be able to comply with our legal obligations, to resolve disputes,
and to enforce our agreements.

E. Service Provider, Sub-Processors / Onward Transfer

HR Acuity may transfer Personal Data to companies that help us provide our services in
connection with the Application. Transfers to subsequent third parties are covered by the
provisions in this Policy. In general, such transfer will only take place on the basis of sub-processor agreements. However, HR Acuity will not engage another processor without
prior specific or general written authorization of the Subscriber being the genuine data
controller.

4. TECHNICAL AND ORGANIZATIONAL MEASURES

A. GDPR

HR Acuity has implemented appropriate technical and organizational measures in such a
manner that processing will meet the requirements of Article 28 GDPR.

As part of our organizational measures we offer training to authorized Users as to how our
Application functions and is used. During such training, we also emphasize the importance of
considering omitting, redacting or extracting Personal Data before uploading such data
into the Application where appropriate. Respective reminders are also embedded into the
Application workflows. Having said this, it remains the Subscriber's responsibility to decide
which data is uploaded and which not.

B. ISO/IEC 27002 Information Security Standard

HR Acuity has a robust Information Security Program based on the ISO/IEC 27002 information
security standard published by the International Organization for Standardization (ISO). All sensitive information, including Personal Data, will be segregated and protected according to the classification requirements of the HR Acuity Policies including:

  • Encryption of data at rest
  • Encryption of data in transit
  • Strong Access Controls
  • Strong Authentication
  • Data Classification

For more information or to obtain a copy of the HR Acuity Information Security Program,
please email to privacyofficer@hracuity.com.

5. DISCLOSURE OF INFORMATION FOR LAW ENFORCEMENT

HR Acuity may disclose Personal Data as required by law, such as to comply with a subpoena,
or similar legal or security process when we believe in good faith that disclosure is necessary
to protect our rights, protect the safety of our Subscribers, Users and data subjects whose
Personal Data is stored in or processed through the Application, investigate fraud, or respond
to a government request. HR Acuity will do so only in compliance with applicable law.
Further, HR Acuity will immediately notify the Subscriber of any such request or requirement
(except to the extent otherwise required by law).

6. APPLICABILITY

This Policy applies to the gathering and dissemination of Personal Data for the purposes of
the Application and supersedes all other policies, procedures, practices, and guidelines
relating to the matters set forth herein.

Privacy Policy Updated 01 February 2018