CCPA category reference | Categories of Personal Information | Collected in the last 12 months: | Categories of sources from which information may be collected: | Business or commercial purposes for collection, use, and sharing: | May be disclosed for business purposes to the following categories of third parties: | May be sold to the following categories of third parties: |
A. | Personal and online identifiers (such as first and last name, email address, or unique online identifiers) | Yes | From users, corporate customers and third party data vendors | Website improvement, user authentication, security, provision of IHRDC Solution and Website services, marketing | Service providers and IHRDC customers | None |
B. | Categories of information described in Section 1798.80 of the California Civil Code (such as name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories) | No | N/A | N/A | N/A | N/A |
C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | Yes | From users, and IHRDC customers | Provision of the IHRDC Solution to IHRDC customers | IHRDC Customers | None |
D. Commercial information. | Commercial or transactions information (such as records of personal property or products or services purchased, obtained or considered) | No | N/A | N/A | N/A | N/A |
E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | No | N/A | N/A | N/A | N/A |
F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | Yes | Directly from users and from third party data vendors | Analytics and IHRDC Solution and Website improvement, user authentication, security, provision of IHRDC Solution and Website services, marketing | Service providers and IHRDC customers | None |
G. Geolocation data. | Physical location or movements. | Yes | Directly from user. | Analytics and IHRDC Solution and Website improvement, user authentication, security, provision of IHRDC Solution and Website services, marketing | Service providers and IHRDC customers | None |
H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | No | N/A | N/A | N/A | N/A |
I. Professional or employment-related information. | Current or past job history or performance evaluations. | Yes | IHRDC customers | IHRDC Solution improvement, user authentication, security, provision of IHRDC Solution | IHRDC customers | None |
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | No | N/A | N/A | N/A | N/A |
K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | Yes | Directly from users, from vendors of analytics services and from third party data vendors | Analytics and IHRDC Solution and Website improvement, marketing | Service providers and IHRDC customers | None |
Standard Contractual Clauses
Where Personal Data is transferred from EEA countries to countries outside the EEA in the course of provision of the IHRDC Solution, that transfer is subject to the terms set out in the EU Standard Contractual Clauses below.
EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE
Directorate C: Fundamental rights and Union citizenship
Unit C.3: Data protection
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The entity, individual or organization who accesses or uses the IHRDC Solution
(the data exporter)
And
Name of the data importing organisation:
International Human Resources Development Corporation
Address: 535 Boylston Street
Boston, MA 0211
Tel.: 1 (617) 536-0202
e-mail:[email protected]
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
Clause 6
Liability
Clause 7
Mediation and jurisdiction
Clause 8
Cooperation with supervisory authorities
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
Clause 12
Obligation after the termination of personal data processing services
On behalf of the data exporter:
Agreed to by the data exporter by accessing or using the IHRDC Solution.
On behalf of the data importer:
Name (written out in full): | Timothy Donahue |
Position: | Vice President, e-Learning and Knowledge Solutions |
Address: | International Human Resources Development Corporation, 535 Boylston Street, Boston, MA 02116 |
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
transferring the data to the data importer in connection with the data exporter’s use of the data importer’s Instructional, e-Learning, Knowledge and Competency Solutions (collectively, the “IHRDC Solution”).
Data importer
The data importer is a provider of Instructional, e-Learning, Knowledge and Competency Solutions.
Data subjects
The personal data transferred may concern data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Categories of data
The data exporter shall identify to the data importer any categories of personal data transferred.
Processing operations
The personal data transferred will be subject to the following basic processing activities:
tracking and processing related to the use of the IHRDC Solution by the individual and the Data Exporter. The Data Exporter acknowledges that the Data Importer may use third party data hosts such as Amazon Web Services as sub-processors in connection with its processing operations.
DATA EXPORTER
Agreed to by the data exporter by accessing or using the IHRDC Solution.
DATA IMPORTER
Name: International Human Resources Development Corporation
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Term of Use
ACCEPTABLE USE POLICY
1. INTRODUCTION. This acceptable use policy (the “AUP”) specifies guidelines for users of the hosted version of the IHRDC Services (the “IHRDC Solution”). By using the IHRDC Solution, you agree to the latest version of the AUP. IHRDC may modify the AUP at any time by posting a revised version on IHRDC’s website. If you violate the AUP or authorize or help others to do so, we may suspend or terminate your use of the IHRDC Solution.
2. ACCEPTABLE USE POLICY. The IHRDC Solution shall not be used by any person or entity:
3. REPORTING A VIOLATION OF THE AUP
4. DIGITAL MILLENNIUM COPYRIGHT ACT (“DMCA”)
General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a comprehensive update to existing European Union laws that goes into effect on May 25, 2018. The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU residents’ data privacy and to reshape the way organizations across the region approach data privacy.
GDPR Principles Related to Processing of Personal Data
Within the GDPR framework, in most cases IHRDC is considered a Processor with respect to our customers’ employee data. Although we will be compliant with all of the GDPR requirements, we are placing special emphasis on the six principles of processing personal data as referenced in Article 5 of the GDPR.
GDPR Principle: 1. Lawfulness, fairness and transparency
GDPR Principle Verbiage: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
IHRDC Compliance Efforts: IHRDC will offer customers a robust data processing addendum containing strong privacy commitments that are aligned with the spirit of “lawfulness, fairness, and transparency” as expressed in Article 5(a). This addendum also contains specific provisions to assist customers in their compliance with the GDPR.
In addition, we are in the process of reviewing all of the ways in which we process customer and user data. For each process we will provide methods for users to consent in advance of processing as well as to withdraw consent at a later time.
GDPR Principle: 2. Purpose limitation
GDPR Principle Verbiage: b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
IHRDC Compliance Efforts: IHRDC will ensure that the purposes of the processing are precisely and fully identified prior to, or at the moment of the collection. The objective is to make explicit and communicate the reasons why their data are collected and processed.
GDPR Principle: 3. Data minimisation
GDPR Principle Verbiage: c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
IHRDC Compliance Efforts: IHRDC is committed to capturing only the personally identifiable information necessary to provide the highest value to our customers. As part of our GDPR readiness effort, we will inventory and review all data captured by our products and eliminate personally identifiable information that is not in alignment with the value we offer to our customers through our various product offerings.
GDPR Principle: 4. Accuracy
GDPR Principle Verbiage: d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
IHRDC Compliance Efforts: IHRDC is working to provide policies, procedures, and features for users to review the data stored within our products and easily request corrections and even export for portability.
GDPR Principle: 5. Storage limitation
GDPR Principle Verbiage: e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
IHRDC Compliance Efforts: IHRDC will be reviewing all policies related to data storage. We will unify our policies across all lines of business to retain user data only as long as necessary and to provide users with the ability to export their data for portability purposes.
GDPR Principle: 6. Integrity and confidentiality
GDPR Principle Verbiage: f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
IHRDC Compliance Efforts: IHRDC is working to enhance our systems to have security built into every layer of our product platforms. The infrastructure layers will include replication, backup, and disaster recovery planning. Network services already have encryption in transit and advanced threat detection. Our application services have implemented identity, authentication, and user permissions.
Data Protection Declaration
International Human Resources Development Corporation (“IHRDC”) knows you care about how your Personal Information is used and shared, and we take your privacy seriously. Please complete the Privacy Contact Form below should you have any questions or concerns about how IHRDC manages your personal user data.
IHRDC Data Privacy Contact Information:
International Human Resources Development Corporation
Chief Information Security Officer
535 Boylston St. 12 Floor
02116, Boston, MA
USA