TRG Customer Solutions, Inc. d/b/a IBEX Global, and its operating groups, subsidiaries and divisions within the European Union, (the “Company”) are committed to protecting the privacy and security of Personal Data and/or personal data (“Personal Data”) of prospective, current and former employees (“Employees”). The Company collects, processes, and transfers Personal Data of Employees in connection with its human resources activities. The Company is s committed to complying with the EU General Data Protection Regulation , effective May 25, 2018; and all data protection laws, labor laws, and collective agreements in the countries in which it employs employees and does business regarding Employees’ Personal Data . All questions, concerns, or complaints should be directed to the Company’s Director of Security and Compliance by e-mail at firstname.lastname@example.org.
“Personal data,“ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, but only to the extent such personal data pertain residents of the European Economic Area (EEA) or are otherwise subject to the GDPR.
“Personal data breach,”, means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
“Process” or “processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Special personal data,” includes, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, data concerning sex life or sexual orientation of an individual, and data relating to criminal convictions and offenses.
"Criminal records data" means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.
Data Privacy Principles
The Company complies with the following data privacy principles with respect to personal data:
- Lawfulness, Fairness, and Transparency. The Company processes Personal Data lawfully, fairly and in a transparent manner in relation to Employees. The Company will process Personal Data only if and to the extent that (1) Employees have provided valid consent, (2) the Processing is necessary for the performance of an employment contract, (3) the Processing is necessary for compliance with a legal obligation to which the Company is subject, (4) the Processing is necessary to protect the vital interests of Employees or other persons, (5) the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, or (6) the Processing is necessary to further a legitimate interest of the Company or third party except where such interest is outweighed by the rights and freedoms of Employees. The Company will provide appropriate notice to Employees regarding the Processing of their Personal Data prior to such Processing or as soon as possible thereafter.
- Purpose Limitation. The Company collects Personal Data for specified, explicit and legitimate purposes set forth in this policy and does not further process Personal Data in a manner that is incompatible with those purposes;
- Data Minimization. The Company processes Personal Data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- Accuracy. The Company processes Personal Data that is accurate and, where necessary, kept up to date; and takes all reasonable steps to ensure that any inaccurate Personal Data is erased or rectified without delay;
- Storage Limitation. The Company keeps Personal Data in a form which permits identification of Employees for: (1) the period of time that it is necessary to process the Personal Data for the purposes for which it was collected and processed, (2) the period required under record retention laws, (3) the applicable statute of limitations for labor and employment claims, or (4) the necessary period of time to establish, exercise, or defend legal claims; and
- Integrity and Confidentiality. The Company processes Personal Data in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and protection against accidental loss, destruction or damage by using appropriate technical and organizational measures.
The Purpose and Legal Basis for Processing Personal Data
The Company processes the following personal dta regarding Employees for the following purposes and based upon the following legal bases in furtherance of its human resources activities.
- Recruitment/Onboarding: The Company processes Personal Data such name; contact information, education, languages, special competencies, certification information; employment history; work experience; military service information; background check information; and criminal convictions and offenses to fulfill its legitimate interest in hiring the most qualified applicants. The processing of criminal convictions and offenses in connection with the Company’s recruitment and human resources activities will be carried out only under the control of official authority or when authorized by EU and EU Member State law. The Company may collect recruitment-related Personal Data from third parties such as recruiters, background check companies, healthcare professionals, government authorities, former employers and references you provide. The Company may also collect Personal Data from publicly accessible sources such as public social media profiles.
- Performance of an employment contract: The Company processes Personal Data such as job title and duties; compensation and benefits information; terms and conditions of employment; tax and banking details related to payroll, type and duration of employment, probationary period; and other information necessary to perform the terms of an employment contract. The Company may collect such information from third parties such as payroll and benefits vendors, and government authorities.
- Compliance with obligations under applicable law and collective agreements: The Company processes Personal Data such as national and governmental identification information; passport information; birth date and birth place; citizenship information; immigration information; drivers’ license information; tax withholding information, trade union membership; and other information necessary to comply with its obligations under applicable law and collective agreements. The Company may collect such information from third parties such as government authorities, trade unions, and works councils or other employee representatives.
- Management, planning and organization. The Company processes Personal Data such as business contact information; job type or code; business site or location; work schedule, job assignments; promotions and transfers; job performance; awards and accomplishments; training and development information; emergency contacts; photographic image; skills, talents, and career goals; appraisal ratings; hours worked and attendance; employee policy acknowledgments, position profile data; vacancies, and geographic indicators to fulfill its legitimate interests in managing the employment relationship.
- Health and safety: The Company processes Personal Data regarding medical or health conditions, drug testing information, and health insurance information for the purposes of preventive or occupational medicine, assessment of your working capacity, medical diagnosis, or the provision of health or social care or treatment, management off health or social care systems and services or pursuant to a contract with a health professional who is subject to the obligation of professional secrecy, protection of your vital interests or the vital interests of another person, compliance with obligations and specific rights in the field of employment and social security and social protection law that is authorized by EU or EU Member State law or a collective agreement and compliance with legal obligations to provide a safe workplace. The Company may collect such information from third parties such as health care providers, third party benefits administrators, and government authorities.
- Protection of Company and customer property, equipment and confidential information: The Company processes the following Personal Data on company computer systems and mobile devices used for business purposes to fulfill its legitimate interest in protecting the Company and customer property, equipment, and confidential information: business e-mails, videos, photographs, and documents; user computer ID, user computer IP addresses, passwords; company web/media access information, instant messenger data; texts; log-in information; location; user computer browser version and browser add-in versions, and user computer software versions; traveler preferences, travel itinerary preferences; Company computer information and/or information related to personal computer devices used for business purposes, such as user computer ID, user computer IP addresses, and passwords; corporate credit card numbers, traveler preferences, travel itinerary preferences, Company web/media access information, user computer MAC address, user computer OS, user computer browser version and browser add-in versions, user computer software versions, dependent information for benefits purposes, and beneficiary designations for benefits purposes. The Company may collect such information from third parties such as computer vendors, internet services providers, and electronic communications vendors. The Company may also monitor employee use of company-provided equipment or the business information on personal devices to fulfill its legitimate interest in protecting company and customer property, equipment and confidential information.
- Exercise and enjoyment of rights and benefits related to employment: The Company processes Personal Data such as marital status, family status, and dependent information for benefits purposes; beneficiary designations for benefits purposes; leave of absence and holiday information; data regarding the company car leasing program and records; credit card and business expense reimbursement information; and frequent flyer/traveler membership/reward program numbers to fulfill its legitimate interest to provide employees with employment related rights and benefits.
- Discipline and termination of employment relationship The Company processes Personal Data regarding compliance with employment policies, internal investigation information; complaint and grievance information; and reasons for termination to fulfill its legitimate interest in administering its employment policies and providing an orderly and proper transition from employment.
- Defense of legal claims: The Company processes Personal Data necessary for the establishment, exercise or defense of legal claims.
Recipients of Personal Data
Personal Data may be disclosed as follows:
- Internal disclosure. . Personal Data may be disclosed to management personnel, human resources (HR) personnel and information technology (IT) personnel located at the Company’s place of employment who have a need to know about the Personal Data.
- Disclosure to Company entities. Personal Data may be disclosed to management personnel, HR personnel and IT personnel located at the Company Regional headquarters in Luxembourg who have a need to know about your Personal Data. Additionally, Personal Data may be disclosed to management personnel, HR personnel and IT personnel located at the Company headquarters in the United States who have a need to know about the Personal Data. The Company has implemented appropriate safeguards for the transfer of Personal Data to the U.S. through or self-certification under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield.
- Disclosure to Third Parties. Personal Data may be disclosed to third party processors such as payroll and benefits vendors, background check companies, computer and internet service providers, government authorities and the like who have a need to process the Personal Data for employment purposes pursuant to the written instructions of the Company. The Company will use only third party processors providing sufficient contractual guarantees to implement appropriate technical and organizational measures to comply with applicable data protection laws and ensure the protection of Employees’ privacy rights. To the extent that such third party processors are located outside of the EU, the Company has implemented appropriate safeguards for the transfer of your Personal Data to these countries through standard contract clauses.
- Disclosure to public authorities. Additionally, The Company may be required to disclose Personal Data in response to lawful requests by public authorities to comply with national security or law enforcement requirements.
Employee Data Subject Rights
Employees, as a data subjects, have the following rights regarding their Personal Data:
- Right of Access: Employees have the right to obtain confirmation from the Company as to whether or not Personal Data concerning you is being processed. You also have the right to obtain the following information unless providing such Personal Data adversely affects the rights and freedoms of others: (1) purpose of the processing, (2) categories of Personal Data concerned, (3) the recipients or categories of recipients to whom your Personal Data has or will be disclosed, (4) the envisaged period for which your personal data will be stored, (5) your right to request rectification or erasure of your Personal Data or restriction of processing of Personal Data, (6) your right to lodge a complaint with a supervisory authority, (7) the source from which your Personal Data was obtained if you did not provide the Personal Data, (8) the existence of any automated decision-making, including profiling, the logic involved in such decision-mailing, and the significance and consequences of such processing, and (9) the country to which your Personal Data is transferred if it is transferred to a third country. The Company may charge a reasonable fee to provide such Personal Data. The Company will provide a copy of the Personal Data being processed in a commonly used electronic form where you have made your access request by electronic means.
- Right to Rectification: You have the right to request and obtain the rectification of inaccurate Personal Data and the completion of incomplete Personal Data including providing a supplementary statement. The Company will notify any recipients of your Personal Data regarding the rectification unless such notification involves disproportionate effort. The Company will inform you about such recipients upon your request.
- Right to Erasure (Right to be Forgotten): You have the right to request and obtain erasure of personal data concerning you under the following circumstances: (1) the Personal Data is no longer necessary for the purposes for which it was collected or processed, (2) you have withdrawn consent for any processing for which you provided consent, (3) you object to the processing of your Personal Data based on The Company’s legitimate interest and there are no overriding legitimate ground for the processing, (4) your Personal Data has not been lawfully processed, or (5) the Personal Data is required to be erased based on The Company’s legal obligation to erase the Personal Data. However, your right to erasure does not apply where the processing is necessary for (1) exercising the right of freedom of expression and information, (2) The Company has a legal obligation requiring the processing of your Personal Data, (3) for reasons of public interest or public health, or (4) for the establishment, exercise or defense of legal claims. The Company will notify any recipients of your Personal Data regarding the erasure unless such notification involves disproportionate effort. The Company will inform you about such recipients upon your request.
- Right to Restrict Processing: You have the right to obtain a restriction on the processing of your Personal Data under the following circumstances: (1) during the period of time for The Company to verify the accuracy of your Personal Data where you have objected to its accuracy, (2) the processing is unlawful and you do not want the Personal Data erased, (3) The Company no longer needs the Personal Data for the purposes for which it was processed but you require The Company to retain the information for the establishment, exercise or defense of legal claims, (4) you have objected to The Company’s legitimate interest for processing the data and then for the period of time that The Company determines whether the legitimate interest overrides your privacy rights. While the restriction is in place, The Company will store and process the Personal Data subject to the restriction; process such Personal Data with your consent, for the establishment, exercise or defense of legal claims, to protect the rights of others, or for reasons of important public interest. Further, The Company will provide you with prior notice if the restriction is being lifted. The Company will notify any recipients of your Personal Data regarding the restriction unless such notification involves disproportionate effort. The Company will inform you about such recipients upon your request.
- Right to Portability: You have the right to receive Personal Data that you have provided to The Company and transmit such Personal Data to another controller where the processing of such Personal Data is based on consent and is processed by automated means. Additionally, you have the right to require The Company to transmit such Personal Data directly to another controller, where technically feasible. This right is not applicable if it adversely affects the rights and freedoms of others.
- Right to Object: You have the right to object to the processing of your Personal Data if the processing is based upon The Company’s legitimate interest, including any profiling based on such processing. The Company will cease processing such Personal Data unless The Company can demonstrate a compelling legitimate ground for the processing that outweighs your interest, rights or freedoms; or unless continued processing is necessary for the establishment, exercise or defense of legal claims.
- Right not to be Subject to Automated Decision-Making, Including Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you. The Company will provide a person to whom you can express your point of view and to contest the decision. This right does not apply if the decision is necessary to enter into or perform a contract between you and The Company, is authorized by applicable law, or is based on your explicit consent.
To make a subject access request, you should send the request to the Company’s Director of Security and Compliance by e-mail at email@example.com. . In some cases, the Company may need to ask for proof of identification before the request can be processed. The Company will inform you if it needs to verify your identity and the documents it requires.
The Company normally will respond to a request within a period of one month from the date it is received. In some cases, such as where the Company processes large amounts of an individual's personal data, it may respond within three months of the date the request is received. The Company will write to you within one month of receiving the original request to tell you if this is the case.
If an employee’s access request is manifestly unfounded or excessive, the Company is not required to comply with it. Alternatively, the Company can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the Company has already responded. If an employee submits a request that is unfounded or excessive, the Company will notify the employee that this is the case and whether or not it will respond to it.
The Company takes the security of HR-related personal data seriously. The Company has internal policies and technical measures in place to protect personal data against loss, accidental destruction, misuse or disclosure. Such internal policies and technical measures include:
- The use of pseudonymization and encryption of personal data where appropriate;
- Procedures and controls to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Procedures and controls to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- Procedures for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; and
- Procedures to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where the Company engages third parties to Process Personal Data on its behalf, such parties are (1) required by contract to process the personal data based on the Company’s written instructions, (2) are under a duty of confidentiality, and (3) are required to implement appropriate technical and organizational measures to ensure the security of the personal data.
Some of the Processing that the Company carries out may result in risks to privacy. Where Processing would result in a high risk to individual's rights and freedoms, the Company will carry out a Data Protection Impact Assessment (DPIA) to determine the necessity and proportionality of processing. The DPIA will consider the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
Data Breach Notification
If the Company discovers that there has been a breach of HR-related Personal Data that poses a risk to the rights and freedoms of individuals, it will report such breach to the appropriate data protection authority within 72 hours of discovery. The Company will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, the Company will notify affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
International data transfers
The Company has certified that it complies with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of human resources Personal Data transferred to the U.S. from the EU and Switzerland, respectively. This certification covers the following Company entities:
- TRG Customer Solutions, Inc. d/b/a IBEX Global
- Digital Globe Services, Inc.
- iSKY, Inc.
To learn more about the EU-U.S. and Swiss-U.S. Privacy Shield programs, please visit http://www.privacyshield.gov To view the Company’s certification under Privacy Shield, please visit http://www.privacyshield.gov/list.
Employees will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether their personal information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of the Company or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.
Additionally, employees will be offered a similar choice mechanism to give affirmative or explicit (opt in) choice whether their sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice. However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of the individual or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or (5) related to personal information that is manifestly made public by the individual.
Transfer of Personal Data from the EU or Switzerland to Processors in the U.S.
The Company’s EU and Swiss entities may transfer personal information to a processor in the United States solely for processing purposes. A “processor” is a third party who processes personal information on behalf of and in accordance with the instructions of the Company’s EU and/or Swiss entities. When personal information is transferred from the EU and/or Switzerland to the United States solely for processing purposes, the Company’s EU and/or Swiss entities will comply with the applicable data protection laws including the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP), respectively and enter into a contract with the processor to ensure that the processor (1) acts only on instructions of the Company’s EU and/or Swiss entities; (2) provides appropriate technical and organizational measures to protect the personal information against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; and understands whether onward transfers are allowed; and (3) assists the Company’s EU and/or Swiss entities in responding to employees exercising their rights under the Privacy Shield principles, taking into account the nature of the processing.
Onward Transfers to Third Party Agents
After personal information is transferred from the EU and/or Switzerland to Company entities in the United States, the Company may thereafter transfer the personal information to third parties acting as controllers. A “controller” is a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal information. Examples of third party controllers may include banks and healthcare providers, or management personnel in other Company offices outside of the U.S. When the Company makes such onward transfers to third party controllers, the Company will comply with the Privacy Shield notice and choice principles and enter into a contract with the third party controller that provides that (1) such personal information may be processed only for limited and specified purposes consistent with the consent provided by the individual; (2) the third party controller will provide the same level of protections as the Privacy Shield principles; (3) the third party controller will notify the Company if the third party can no longer meet its obligation to provide the same level of protection for the personal information as required by the Privacy Shield principles; and (4) upon such notice by the third party controller, the third party controller will cease processing the personal information and/or take reasonable and appropriate steps to remediate any unauthorized processing.
Onward Transfers for Occasional Employment-Related Operational Needs
After personal information is transferred from the EU and/or Switzerland to Company entities in the United States, the Company may thereafter transfer the personal information of a small number of employees for occasional employment-related operational needs such as the booking of a flight, hotel room, or insurance coverage. When the Company makes such onward transfers, it will comply with the Privacy Shield Notice and Choice principles.
The Company has verified and will verify annually through self-assessment that the attestations and assertions made about its Privacy Shield privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the Privacy Shield principles. This verification has been and will be signed by an officer of the Company or other authorized representative of the Company at least once a year and is available upon request by employees or in the context of an investigation or a complaint about non-compliance. The verification includes the following:
- That the Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible;
- That the Policy conforms to the Privacy Shield Principles;
- That employees are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
- That it has in place procedures for training employees in the implementation of this Policy and disciplining them for failure to follow it;
- That it has in place internal procedures for periodically conducting objective reviews of compliance with the above.
Recourse Mechanisms For Personal Data Transferred Under Privacy Shield
Inquiries or complaints regarding transfers of personal data from the EU or Switzerland to the U.S. pursuant to Privacy Shield should be directed to the local human resources officer. Additionally, complaints may be submitted pursuant to grievance procedures under applicable trade union contracts. If the inquiry cannot be answered or the complaint is not resolved locally, the matter should be directed to our Director of Security and Compliance by e-mail at firstname.lastname@example.org.
If a complaint remains unresolved, employees in the EU should contact the state or national data protection or labor authority in the jurisdiction where the individual works for resolution. A listing of the EU Data Protection Authorities (DPAs) is located at: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm. Employees in Switzerland should contact the Swiss Federal Data Protection and Information Commissioner (the Commissioner) for resolution. Information regarding the Commissioner is located at: https://www.edoeb.admin.ch/?lang=en
The Company will cooperate with the DPA’s and/or the Commissioner and comply with the advice of the DPA’s and/or Commissioner. In the event that the DPA’s and/or the Commissioner determines that the Company did not comply with this Policy or Privacy Shield principles, the Company will take appropriate steps to address any adverse effects and to promote future compliance, comply with any advice given by the DPA’s and/or the Commissioner where the DPA’s and/or the Commissioner has determined that the Company needs to take specific remedial or compensatory measures for the benefit of employees affected by any non-compliance with this Policy or the Privacy Shield principles, and provide the DPA’s and/or the Commissioner with written confirmation that such action has been taken. Under certain conditions specified by the Privacy Shield Privacy Principles, employees may also be able to invoke binding arbitration to resolve their complaints.
The Company is also subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
In the context of an onward transfer of personal information, the Company has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party agent. The Company will remain liable under the Privacy Shield principles if its third party agent processes such personal information in a manner inconsistent with the Privacy Shield principles, unless the Company proves that it is not responsible for the event giving rise to the damage.
Individuals are responsible for helping the organisation keep their personal data up to date. Individuals should let the organisation know if data provided to the organisation changes, for example if an individual moves house or changes his/her bank details. Individuals may have access to the personal data of other individuals [and of our customers and clients] in the course of their [employment, contract, volunteer period, internship or apprenticeship]. Where this is the case, the organisation relies on individuals to help meet its data protection obligations to staff [and to customers and clients].
Individuals who have access to personal data are required:
- to access only data that they have authority to access and only for authorised purposes;
- not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
- to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
- not to remove personal data, or devices containing or that can be used to access personal data, from the organisation's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
- not to store personal data on local drives or on personal devices that are used for work purposes.
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the organisation's disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
The Company will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.
Questions and Complaints
Questions or complaints regarding the processing of your Personal Data should be directed to your local HR representative. Additionally, complaints may be submitted pursuant to grievance procedures under applicable trade union contracts. If the inquiry cannot be answered or the complaint is not resolved locally, please direct the matter to our Director of Security and Compliance by e-mail at email@example.com.
EU employees also have the right to lodge a complaint with the local or national data protection authority in the jurisdiction where you work. A listing of the EU Data Protection Authorities (“DPAs”) is located at: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm .