EVault Employee Personal Information Policy
1. Purpose and application of this Policy
The purpose of this Employee Personal Information Policy is to establish EVault’s global standard with respect to the protection it affords its employees’ personal information - in particular for the cross-border transfers of employees’ personal information.
EVault complies with the U.S. - EU Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. EVault has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view EVault's certification, please visit http://www.export.gov/safeharbor/.
This Policy applies across EVault’s worldwide operations. Where the standards in this Policy do not meet the required standards for processing employees’ personal information under applicable local law, EVault will comply with the standard required by applicable local law in that country.
This Policy applies to EVault’s processing of employees’ personal information. It does not apply to the processing of personal information of individuals other than employees, such as EVault’s customers, prospective customers and visitors to EVault sites, to the extent that those individuals are not otherwise employees.
2. Meaning of “EVault” and “EVault companies”
For the purposes of this Policy, “EVault” means EVault, Inc., its divisions, business units and subsidiaries and an “EVault company” is any one of them.
3. Meaning of “employees”, “personal information” and “sensitive personal information”
For the purposes of this Policy, “employee” means a prospective, current or former EVault employee. This Policy is not intended to, and does not, of itself, give rise to any employment relationship between an “employee” and an EVault Company, independently of the employee expressly being stated to be an EVault employee.
“Personal information” is any information in any form relating to an identifiable employee in the context of the employee’s relationship with EVault. This may include, for example, an employee’s name, contact details, government-issued identifier and date of birth. For clarity, employees’ personal information does not include statistical reporting relying on aggregate employment data, nor the use of anonymized or pseudonymized data. Where possible, as an alternative to employees’ personal information, EVault will use information that does not identify an employee, such as de-identified, anonymized or aggregate information.
“Sensitive personal information” is a specific subset of personal information. For the purposes of this Policy, “sensitive personal information” is information relating to an employee’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, medical condition, sex life or criminal record.
4. Meaning of “processing”
For the purposes of this Policy, “processing” means any action taken in relation to employees’ personal information, including, but not limited to: the collection, handling, use, transfer, disclosure, transmission, dissemination, recording, organization, storage, retention, adaptation, alteration, retrieval, consultation, alignment, combination, blocking, anonymizing, erasure, disposal or destruction of employees’ personal information, as well as providing access to and accessing employees’ personal information.
5. Processing purposes
EVault will only collect, use, retain and otherwise process employees’ personal information in the context of its relationship with employees and for the purposes of recruiting employees and administering and safeguarding its workforce and operations (“processing purposes”), including with respect to:
(a) payroll, compensation and benefits administration, including stock option administration;
(b) business travel and employee relocation administration;
(c) employee management, investigations, discipline and other workforce management functions;
(d) employee appraisal, and training and development;
(e) facility, security and health and safety management;
(f) staff recruitment, including pre-employment and employment background checking;
(g) workforce budgeting and planning;
(h) employee identification;
(i) reimbursement of employee expenses;
(j) compliance and risk management;
(k) communication with employees and their emergency contacts in the event of an emergency;
(l) internal technical and operational support;
(m) internal auditing;
(n) legal proceedings and document subpoenas; or
(o) compliance with local legal requirements.
EVault will take reasonable precautions to protect employees’ personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Access to employees’ personal information is limited to those EVault personnel with a legitimate business need for access, and may include employees’ managers and their designees, as well as representatives of EVault’s HR, IT, finance, audit, payroll, benefits and legal functions.
Before it processes an employee’s personal information, or as soon thereafter as is practicable (but in any event before EVault processes an employee’s personal information for a purpose for which choice must be provided in accordance with section 8 below), EVault will notify the relevant employee about:
(a) the purposes for which EVault collects and uses their personal information;
(b) how the employee can contact EVault with any inquiries or complaints concerning the processing of their personal information;
(c) the types of third parties to which EVault discloses employees’ personal information; and
(d) any choices EVault offers about the use and disclosure of employees’ personal information.
For EVault employees in the European Economic Area (EEA), EVault will provide employees with the opportunity to opt-out of:
(a) the disclosure of their personal information to third party service providers to which section 12.2 below applies. However, the provisions in section 7 above and this section may not apply if the third party service provider is acting as EVault’s agent to perform tasks on behalf of and under EVault’s instructions; and
(b) the use of their personal information for a purpose incompatible with the purpose for which it was originally collected, or the purpose subsequently authorized by the employee.
Employees will be advised if their choices will result in any adverse consequences for them.
Unless an employee chooses otherwise in accordance with section 8 above, EVault will only use employees’ personal information for the purposes for which it was collected. However, to the extent and for the period necessary to avoid prejudicing EVault’s legitimate interests in making promotions, appointments, or other similar employment decisions, EVault may not provide notice and choice in accordance with sections 7 and 8 above.
EVault will take reasonable steps to ensure that employees’ personal information is reliable and relevant for its intended use, accurate, complete, and current. EVault will encourage its employees to notify EVault of any changes to their personal information (e.g., new contact details), and will require that employees only provide personal information of third parties (such as emergency contacts, family members and insurance beneficiaries) where those third parties have provided their consent.
11. Sensitive personal information
Where the personal information to be disclosed or used in accordance with section 8 above is sensitive personal information, the employee will be asked to opt-in to the relevant processing, except where the processing is:
(a) in the vital interests of the employee or another person;
(b) necessary for the establishment of legal claims or defenses;
(c) required to provide medical care or diagnosis;
(d) necessary to carry out EVault’s obligations in the field of employment law; or
(e) related to sensitive personal information that is manifestly made public by the employee.
12.1 To other EVault companies
An EVault company may disclose employees’ personal information to another EVault company, but only where there is a legitimate business need to do so.
12.2 To third party service providers
EVault may disclose employees’ personal information to third parties that have been engaged to provide services to or on behalf of EVault (e.g., payroll processing, IT and insurance). EVault will only disclose employees’ personal information to third party service providers that have agreed in writing to: provide at least the same level of privacy protection as is required by EVault privacy standards; only use employees’ personal information to provide the relevant services; and only process employees’ personal information in accordance with applicable local law.
12.3 To other third parties
EVault may disclose employees’ personal information to third parties other than service providers:
(a) where required by law, e.g., in accordance with legislation or by court order;
(b) to its professional advisors, e.g., lawyers and accountants;
(c) in medical or security emergencies; and
(d) where otherwise permitted by applicable local law.
13. Cross-border transfers of employees’ personal information
13.1 EVault companies in the EEA transfer employees’ personal information to EVault companies in the U.S. in compliance with the Safe Harbor Privacy Principles.
13.2 EVault companies in the EEA transfer employees’ personal information to EVault companies outside the EEA in accordance with the standards in this Policy and applicable local legal requirements. EVault companies in countries outside the EEA likewise transfer employees’ personal information to EVault companies outside those countries in accordance with the same standards and requirements.
An employee may request access to their personal information held by EVault. EVault will comply with access requests without excessive delay and within a reasonable time period, but may, in particular circumstances to be assessed on a case-by-case basis in accordance with applicable local law, deny an access request or only provide partial access, such as where:
(a) the burden or expense of providing access would be disproportionate to the risks to the employee's privacy;
(b) the rights of persons other than the employee would be violated;
(c) access would reveal confidential commercial information;
(d) access would interfere with execution or enforcement of the law, including the prevention, investigation or detection of offenses or the right to a fair trial;
(e) access would interfere with private causes of action, including the prevention, investigation or detection of legal claims or the right to a fair trial;
(f) access would breach a legal or other professional privilege or obligation;
(g) employee security investigations or grievance proceedings may be prejudiced;
(h) confidentiality that may be necessary for limited periods in connection with employee succession planning and corporate re-organizations may be prejudiced;
(i) confidentiality that may be necessary in connection with monitoring, inspections or regulatory functions connected with sound economic or financial management may be prejudiced;
(j) a court or other authority of appropriate jurisdiction determines that EVault is not required to or must not provide access; or
(k) there is no legal requirement for EVault to provide such access.
If EVault determines that access should be denied in any particular instance, it will provide the requester with an explanation of why it has made that determination and a contact point for any further inquiries.
EVault will not require that employees justify a request for access to their personal information. However, EVault may require that, in order to locate personal information in response to the request, the requester provide EVault with information about their concerns that led to the request, which part(s) of the organization the requester interacted with or the nature of the personal information or its use. Depending on the circumstances, EVault may charge a reasonable fee for access. EVault will not respond to repeated or vexatious requests for access and any requester must provide sufficient information concerning their identity before EVault will provide access.
An employee may ask EVault to correct, amend, or delete their personal information where that personal information is inaccurate or is no longer relevant.
All employee requests for access to their personal information held by EVault should be sent to: Dennis Weyrauch, Chief Privacy Officer, or your HR Business Partner.
If an employee has a question about this Policy or the processing of their personal information generally, or is concerned that EVault has processed their personal information in a manner that is inconsistent with this Policy, they should contact: Dennis Weyrauch, Chief Privacy Officer, or your HR Business Partner. EVault will investigate any concern (other than those that are obviously unfounded or frivolous) in an effort to resolve it.
Where the complaint is escalated outside of EVault and concerns the transfer of employees’ personal information from the EEA to the United States, EVault will cooperate with the relevant European Data Protection Authorities (“DPAs”) to investigate and resolve the issue and, if the DPAs ultimately take the view that EVault needs to take specific action, will comply with such advice. EVault will provide the DPAs with written confirmation that such action has been taken.
All employees who have access to personal information of other employees will receive training on this Policy.
All EVault employees must comply with this Policy, regardless of location. If an employee is found to have not complied with this Policy, they may be subjected to disciplinary action up to and including termination, where appropriate and lawful.
EVault will verify its compliance with this Policy and the Safe Harbor Privacy Principles once per year.
17. Policy administration
The Policy may be amended by EVault from time to time at its discretion. The current version of this Policy may be found at: http://www.evault.com/safe-harbor.html.
Any questions about this Policy or EVault’s processing of employees’ personal information generally should be directed to Dennis Weyrauch, Chief Privacy Officer, or your HR Business Partner.
(Last revised March 7, 2013)