SPENCER STUART CANDIDATE DATA PROTECTION STANDARDS

Transcription

1 SPENCER STUART CANDIDATE DATA PROTECTION STANDARDS Spencer Stuart is the leading privately-held glbal executive search firm and advisr f chice amng tp cmpanies seeking guidance and cunsel n senir leadership needs. Clients turn t us t seek highly-qualified and talented executives and directrs such as yu. Given the imprtance f safeguarding and keeping yur infrmatin up-t-date t ensure yu are cnsidered as a candidate when the pprtunity arises, we have cmmitted urselves t prtecting the privacy f yur Persnal Data. The fllwing describes ur firm s plicy regarding the cllectin, use, and transfer f yur Persnal Data. 1. Objective & Scpe The purpse f the Candidate Data Prtectin Standards (the Standards ) is t prvide cnsistent safeguards fr the prcessing f the Persnal Data f candidates by Spencer Stuart. Prcessing refers t any human manual r autmated actin perfrmed n Persnal Data by Spencer Stuart. This includes, but is nt limited t: recrding, rganizing, string, mdifying, disseminating, transferring, disclsing, deleting, and sharing such data amng the Spencer Stuart grup in accrdance with Spencer Stuart s plicies. Candidate is any individual whm Spencer Stuart presents t a client. This includes but is nt limited t: executive, directr, and management search and assessment services. Persnal Data is any infrmatin abut a Candidate riginally cllected r therwise used by a Spencer Stuart data cntrller in the Eurpean Unin in the cntext f a search r assessment assignment. Persnal Data includes, but is nt limited t: candidate name, cntact infrmatin, prfessinal experience, academic qualificatins, skills, etc. Please nte these Standards d nt apply t any Persnal Data that has been annymised and used in the aggregate such as cmpiling industry and emplyment statistics where such data des nt invlve persnally identifying infrmatin and individuals are nt identifiable frm it. 2. Spencer Stuart Glbal Standards & Lcal Laws Spencer Stuart currently perates mre than 50 ffices thrughut the wrld. Regardless f the jurisdictin, each ffice and entity f Spencer Stuart is required t abide by these Standards thrugh the creatin f a Declaratin binding all Spencer Stuart entities. Ding s prtects the Persnal Data prcessed by Spencer Stuart in cuntries that pssess less rigrus prtectin than thse cntained in these Standards. Spencer Stuart will ensure that any new entities frmed after the creatin f these Standards will abide by the prtectins described herein. Of curse, where certain cuntries r supranatinal entities in which Persnal Data is prcessed emply mre stringent regulatins than thse cntained in these Standards, Spencer Stuart will naturally cmply with thse mre stringent regulatins. 3. Prcessing Persnal Data Spencer Stuart s Standards require the fllwing with regard t prcessing Persnal Data: Persnal Data is prcessed fairly and lawfully; Persnal Data is prcessed fr legitimate purpses assciated with Spencer Stuart s services ( Purpses ); Persnal Data is nt prcessed in any manner incmpatible with these Purpses; Persnal Data is always relevant t the Purpses fr which the Persnal Data is btained;

2 Persnal Data is nly used by Spencer Stuart and is nt sld r shared fr related r unrelated purpses t nn-licensed third parties unless therwise stated at the time f cllectin r as required by law; Persnal Data is prcessed and maintained in a manner that assures reasnable accuracy; Persnal Data that is inaccurate is crrected, updated, r deleted within a reasnable time f the discvery f the inaccuracy; Persnal Data is stred nly fr the duratin necessary t fulfill these Purpses; Persnal Data is prtected by all necessary and apprpriate prtective measures bth technlgical and legal. Persnal Data will nt be autmatically prcessed in any manner which will have a significant effect n the data subject except where authrized by a law which als safeguards the data subject s legitimate interests. Persnal Data will nt be transferred t third parties withut adequate prtectins in place unless an exceptin permitting such transfers, as fund in Eurpean data prtectin laws, applies. 4. Purpses fr Persnal Data Prcessing Spencer Stuart prcesses and disseminates Persnal Data nly fr its wn use, nly fr legitimate Purpses, and in accrdance with applicable law. Such Purpses include: Executive, Bard, and Management Search: Spencer Stuart prcesses and disseminates Persnal Data in rder t match Candidates wh are qualified fr a particular psitin with client rganizatins wh have an pening fr such a psitin. Examples f prcessing fr this purpse include, but are nt limited t: cllecting data frm the Candidate directly, perfrming backgrund searches with the Candidate s cnsent, relaying Persnal Data t a client with the Candidate s cnsent, and receiving referrals frm individuals assciated with the Candidate. Executive Assessment Services: Spencer Stuart prcesses and disseminates Persnal Data in rder t evaluate the efficiency, prductivity, and benefits f a client rganizatin at the client s request. Examples f prcessing fr this purpse include, but are nt limited t, cllecting data frm a Candidate directly, administering tests and assessing the Candidate s results, relaying Persnal Data t a client with Candidate s cnsent, and receiving referrals and evaluatins frm individuals assciated with the Candidate. Infrmatin Sharing Glbally Within Spencer Stuart: Spencer Stuart perates in a glbal marketplace and cllects and disseminates Persnal Data within and acrss its wrldwide netwrk f ffices fr the purpses f Executive, Bard, and Management Search and Executive Assessment Services as described abve. This will invlve the cllectin f Persnal Data n Candidates and the strage f that infrmatin in secure data centers in the United Kingdm and United States, which is then accessible by all Spencer Stuart Entities wrldwide. 5. Security, Cnfidentiality and Enfrcement Spencer Stuart will take all necessary and apprpriate prtective measures t prevent unauthrized access, lss, r damage t Persnal Data and t ensure any prcessing f Persnal Data is dne in accrdance with these Standards. Thse measures include: Emplyee Cntracts and Plicies: Spencer Stuart s plicy is t keep all Persnal Data

3 cnfidential. All emplyees f Spencer Stuart are required t sign and abide by the fllwing: The Red Bk : All emplyees f Spencer Stuart sign Spencer Stuart s Cde f Cnduct utlining the values and cmmandments f the cmpany. The Red Bk requires strict adherence t the cnfidentiality and integrity f Persnal Data. Emplyment Cntract: All emplyees f Spencer Stuart sign emplyment cntracts that cntain rbust cnfidentiality clauses. Cnfidentiality Agreement: In additin, all emplyees f Spencer Stuart are required t sign a separate and extensive cnfidentiality agreement. Spencer Stuart Grup Agreements: All Spencer Stuart ffices and licensees have cntractually agreed t implement apprpriate security measures, including respecting these Standards, t prtect Persnal Data as mandated by Spencer Stuart. Training: All emplyees f Spencer Stuart wh have permanent r regular access t Persnal Data, wh are invlved in the cllectin f Persnal Data r in the develpment f tls used t prcess Persnal Data are trained in these Standards and the best practices f handling such data. Access Security: Persnal Data is securely stred and can nly be accessed via Spencer Stuart s prprietary sftware. Persnal Data is nly accessible by Spencer Stuart emplyees frm Spencer Stuart cmputers and nly thrugh Spencer Stuart s private netwrk. Access is cntinually mnitred and restricted t emplyees f Spencer Stuart and is secured by apprpriate physical, electrnic, and managerial security prcedures t prevent unauthrized access, lss, r damage t the Persnal Data. Cntractr Obligatins: All Cntractrs perfrming services fr Spencer Stuart must execute a written service cntract. Beynd business terms, these service cntracts include cnfidentiality and security bligatins and data prtectin prvisins and prvide enfrcement mechanisms thrugh all available legal remedies. Spencerstuart.cm Safeguards: T safeguard all Persnal Data that is submitted by Candidates via spencerstuart.cm, apprpriate physical, electrnic, and managerial security prcedures have been put in place t prevent unauthrized access, maintain the accuracy f data and ensure prper use f infrmatin via spencerstuart.cm. Candidate Cnsent Frms: All Candidates are presented with cnsent frms which must be signed befre any Persnal Data will be disclsed t a client rganizatin r ther third party. 6. Required Prcessing In situatins where Persnal Data must be disclsed as a matter f law, Spencer Stuart will use its best effrts t lawfully resist, limit, r delay disclsure and will ensure that nly the Persnal Data that is necessary and relevant t the request is prvided. In the event that Spencer Stuart becmes aware f any legislatin applicable t it which is likely t have a substantial adverse effect n the ability f Spencer Stuart t cmply with these Standards, Spencer Stuart will determine a suitable curse f actin aimed at ensuring cmpliance with these Standards in cnsultatin with the relevant Data Prtectin Authrity. 7. Candidate Rights f Access, Rectificatin and/r Deletin Given the nature f Spencer Stuart s services, the Candidate is invlved in the prcessing f his r her Persnal Data in furtherance f the Purpses. Additinally, the Candidate may, at any time, in accrdance with lcal law, cntact Spencer Stuart and inquire abut his r her Persnal Data. Requests by the Candidate fr access t his r her Persnal Data, fr revisins, r fr Spencer Stuart t cease prcessing f Persnal Data can be made t any Spencer Stuart emplyee r via t

4 The Data Prtectin Officer fr the Spencer Stuart ffice where the Persnal Data was prcessed will crdinate all revisins r deletins f Persnal Data. Upn request, Spencer Stuart will cmpile the infrmatin and prvide it t the Candidate. The Candidate may request a revisin f his r her Persnal Data if it is incmplete r cntains inaccuracies. Spencer Stuart updates r revises the Persnal Data as the situatin r law requires. A Candidate may als request that his r her Persnal Data n lnger be prcessed. All requests t stp prcessing f a Candidate s Persnal Data will prmptly be hnred by Spencer Stuart and, unless therwise nted in the request, will apply t all frms f prcessing by Spencer Stuart (including search and assessment services and any marketing cmmunicatins). 8. Candidate Enfrcement Rights and Mechanisms Any persn may inquire as t the nature f the data stred r prcessed abut him r her by Spencer Stuart. Any Spencer Stuart emplyee cntacted regarding such a request will frward the infrmatin t their lcal Data Prtectin Officer. The Data Prtectin Officer will cntact the individual directly and will remain Spencer Stuart s liaisn with the individual while the handling f the request is nging. If the Candidate believes his r her Persnal Data is being prcessed in cntraventin f these Standards, the Candidate may reprt the cncern t their cntact at Spencer Stuart, t any Spencer Stuart emplyee, r via t [email protected]. The matter will then be reprted t the Data Prtectin Officer f the Spencer Stuart ffice f where the Persnal Data was prcessed. Shuld the Candidate and Data Prtectin Officer be unable t reslve the dispute within nine mnths, the Candidate can ldge a cmplaint befre the cmpetent Data Prtectin Authrities and enfrce these Standards as third-party beneficiaries against Spencer Stuart and Assciates lcated in the United Kingdm ( Spencer Stuart UK ) either in the curts f the jurisdictin in which the Spencer Stuart Eurpean entity respnsible fr exprting such data is established r the UK curts in which case the Candidate may be represented by an assciatin r ther bdy if they s wish and if permitted by law. Spencer Stuart UK assumes respnsibility fr damages t Candidates resulting frm the vilatin f these Standards by any Spencer Stuart entity wrldwide where a Candidate can demnstrate that they have suffered damage and can establish facts which shw that it is likely that the damage has ccurred because f a breach f these Standards, the burden f prf t shw that a Spencer Stuart entity utside the United Kingdm is nt liable fr the breach r t shw that n such breach tk place will stay with Spencer Stuart UK. The Candidate may enfrce against Spencer Stuart UK any judicial remedy arising frm such vilatin, including the payment f cmpensatin. 9. Internal Oversight Prcedures Spencer Stuart ensures enfrcement f these Standards thrugh a team f lcal and reginal Data Prtectin Officers wh mnitr prcessing f Persnal Data and cnduct peridic data prtectin cmpliance audits. The lcal Data Prtectin Officers are further respnsible fr investigating any claims related t data prcessing and may crdinate with Crprate Legal Cunsel t analyze the scpe f the alleged vilatin. In additin, emplyees will self-plice their actins and the actins f peers regarding the prcessing f Persnal Data. Emplyees are required t immediately reprt any vilatin t their direct superir wh will ntify and wrk with the lcal Data Prtectin Officer t investigate the claim. T verify cmpliance with these Candidate Data Prtectin Standards, the Crprate Legal Department will administer regular internal audits and reprt any issues r instances f nncmpliance t Spencer Stuart s Bard f Directrs and implement methds fr ensuring crrective measures. Each Spencer Stuart ffice, via its Data Prtectin Officer, shall cmplete a data prtectin cmpliance review and submit the results t the Legal Department. The results f this review are evaluated by the Legal Department t ensure cmpliance with these Standards. T the extent that such matters cannt be adequately handled within Spencer Stuart s wn resurces, Spencer Stuart may appint an independent third party t cnduct an investigatin/audit f any f the prcedures r issues invlving its Candidate Data Prtectin Standards.

5 10. Cmmunicatin f Standards These Standards will be published at spencerstuart.cm as well as privately fr Spencer Stuart emplyees n its intranet. Emplyees are trained t adhere t these Standards and t fllw the apprpriate prtcl. Additinally, a cpy f these Standards will be distributed t any Candidate wh requests ne. Upn request, the Candidate may als btain a cpy f the Declaratin which binds the Spencer Stuart grup f cmpanies t these Standards and a current list f such entities by reprting t their cntact at Spencer Stuart, t any Spencer Stuart emplyee, r via t [email protected] Mdificatin f Standards Spencer Stuart reserves the right t mdify these Standards as needed. Where lcal law requires a higher standard fr Persnal Data it will take precedence ver these Standards. Shuld Spencer Stuart make any substantive mdificatins t these Candidate Data Prtectin Standards, the changes will be prmulgated thrughut the Firm via an annuncement, a psting f the revised Candidate Data Prtectin Standards t the intranet and training in accrdance with any legal requirements. Candidates will be infrmed ging-frward and have access t the updated Candidate Data Prtectin Standards at Spencer Stuart will als take apprpriate steps t ntify the relevant Data Prtectin Authrities. 12. Obligatins t Data Prtectin Authrities Spencer Stuart will respnd diligently and apprpriately t all requests frm data prtectin authrities regarding these Standards, including cnsenting t requests by a cmpetent Data Prtectin Authrity t audit Spencer Stuart s cmpliance with these Standards. Spencer Stuart will abide by the advice f the Data Prtectin Authrities n any issues related t the interpretatin and applicatin f Spencer Stuart s Candidate Data Prtectin Standards. Upn request, the Data Prtectin Authrity shall receive a cpy f any cmpliance audits cnducted by Spencer Stuart regarding these Standards and Spencer Stuart will further cmply with requests by the Data Prtectin Authrities fr additinal review f cmpany-wide cmpliance. A current list f the Spencer Stuart cmpanies bund by these Standards shall be prvided, as required, t the Data Prtectin Authrities.