Data Protection Policy
This Policy does not form part of any contract of employment. It may be amended or withdrawn at anytime. If we modify this Policy, modified versions will be made available upon request. We encourage you to regularly review this Policy to ensure that you are always aware of the personal information we collect in respect of you and how we use and otherwise process it.
The purpose of this Policy is to describe how Aliz collects, uses and otherwise processes personal information about you during and after your relationship with us, in accordance with the General Data Protection Regulation (‘GDPR’) and other applicable laws.
This Policy applies to all Aliz employees (current and former), interns and dependents, as well as job applicants, visitors, users of websites, clients, suppliers and other contractors and any individual acting on their behalf to the extent that their personal information is collected, used and otherwise processed in European countries.* When we refer to “Aliz”, “we” or “us” in this Policy, we are referring to entities within our group now and in the future.
It is important that you read this Policy, together with any other policies or notices that Aliz may provide to you when it collects or processes personal information about you, so that you are aware of how and why Aliz uses such information. In particular, if you are employed to work in a country outside of Europe, this Policy should be read in conjunction with any local policy that sets out rules concerning the use of your personal information in that country. To the extent of any inconsistency, your local policy, or privacy documentation, will prevail. We also confirm that we only process information within Europe about employees who live in non-European countries to the extent that this is permitted by local law and in accordance with the requirements of Aliz’s regulators.
*Europe includes: Austria, Belgium, Bulgaria, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Italy, Ireland, Jersey, Luxembourg, Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Spain, Sweden, Switzerland and United Kingdom.
The owner of this Policy is the CEO of Aliz.
5. Effective date
This Policy is effective from 25 May 2018.
6. Aliz will process your personal information
7. What personal information does Aliz process?
Your “Personal Information” means any information about you as an individual (that Aliz collects, uses or otherwise processes) from which you are able to be identified.
Aliz will normally obtain your Personal Information directly from you in the course of your relationship (mostly during onboarding/visiting and on or about the time that you commence your employment or other form service provision with us, but also throughout the duration of the relevant relationship). In some cases, this Personal Information may also be obtained from third parties such as from references or certain background screening information. In addition, we will receive Personal Information about you from your manager and other Aliz employees as well as our vendors and suppliers where relevant.
When you work or apply to work for Aliz in any form or you contact or visit Aliz for any reason whatsoever, we will collect a range of Personal Information about you, subject to the particular features of the relationship between you and Aliz and in accordance with any applicable local legal requirements. Aliz will at all times strive to restrict the data collection to the necessary minimum level. The data collection may cover:
While the above list is detailed, it may not be an exhaustive list of all of the Personal Information that Aliz collects, uses or otherwise processes in the context of the employment relationship which may change from time to time.
8. How Aliz will use your personal information?
We will collect, receive, use, store and otherwise process your Personal Information (manually and electronically) during the course of our relationship and afterwards to comply with legal obligations or to otherwise carry out our legitimate business interests as an employer or a buyer or a service provider as the case may be and to fulfil our business interests and strategy connected with our relationship and in order to meet our regulatory requirements. We may in certain circumstances also process your Personal Information in order to perform our obligations under your employment contract. We will process your Personal Information to pursue our legitimate business interests (subject to any applicable local legal requirements), which includes the following:
Aliz may also process information in connection with lawsuits or for regulatory purposes and for investigations or audits pursuant to the Code of Conduct and limited to the relevant information strictly necessary for the purpose at hand.
We have sought to be precise in providing the detailed list above. However, in case of activities as complex as those performed by Aliz you will appreciate that this list may not be exhaustive and Aliz may undertake additional processing of Personal Information in line with the purposes set out above.
Further, as an IT services provider Aliz has in particular a legitimate interest in protecting our business, reputation, resources and equipment and as part of Aliz’s overall program for information security, operates a content monitoring program to detect proprietary or confidential information or Personal Information that is being sent out in breach of applicable policies and requirements and or applicable laws and regulations from time to time.
Aliz may collect information which may be considered specially protected under applicable law, but only to the extent that this is legally permissible, properly safeguarded and with specific authorizations in place (and/or where required by local law), including ethnicity related information if, for example, required for government reporting in the individual’s country of residence on such matters as diversity, gender or employment equity (see also section 5); information as necessary to cross reference individuals against national and United Nations lists of known terrorists, criminal suspects and/or ensure compliance with insider trading and money laundering laws; information about health (physical and mental) as necessary for participation in benefits plans and leaves of absence; and union membership for countries where unions are present.
Aliz may also facilitate your participation in non-work related schemes and programs (for example, global volunteer day or other initiatives in the country where you normally work). The provision of such programs to employees means that your Personal Information and other information related to your participation in such programs may from time to time be transferred to and processed by Aliz affiliates and third parties involved in the administration and operation of such schemes, which may be located outside of Europe.
9. Automated decision-making
Automated decision-making takes place when an electronic system uses Personal Information to make a decision without human intervention, which produces legal effects that concern you.
Aliz does not have systems that use automated decision making in connection with any individual connecting Aliz.
10. What we expect from you
We expect you to be open and honest in the information that you provide. Where there is any change to your Personal Information you are required to inform Aliz as soon as reasonably possible by contacting the HR team in the country where you ordinarily work or have any other contact with Aliz.
If you are asked to provide documentation to evidence changes to your Personal Information, you must do so before we are able to make the change that has been requested.
Subject to any applicable local legal requirements, the Personal Information that Aliz will collect, receive, use, store and otherwise process about you is required for the performance of our relationship and any associated processing. Certain Personal Information, such as right to work documentation, health and safety or accident information, or tax and social security identity numbers are required in order for Aliz to meet our statutory obligations as an employer. Aliz may also require Personal Information from you in order to meet any statutory or regulatory obligations or requests. If we ask you to provide information or documents to us, and you fail to do so in a timely manner after this is requested or at all, we may not be able to carry out all of our normal activities for which this information is required. This may include, as examples only, paying you salary or providing certain benefits. If you do not provide the information required for these entitlements it may affect our ability to accomplish the purposes stated in this Policy and potentially affect your ongoing employment or other form of relationship.
Any Personal Information that you hold concerning an individual (whether a client, customer, supplier, or fellow worker) must be kept in accordance with any applicable Aliz policies and in a secure place and should not be accessible to others without your knowledge and consent, and only in pursuit of Aliz’s legitimate interests or as required by law or regulation. You must not collect, use, store or otherwise process any information about an employee’s sensitive Personal Information detailed in section 5, unless this is part of your normal day to day work activities.
If you have any questions or you are unclear about the information you may use or disclose or otherwise process, please contact your country’s Data Protection Office (if there is one).
Please be aware that employees who act in breach of this Policy may be subject to disciplinary action, which may include termination of employment if deemed by Aliz to be the appropriate sanction, in light of the nature of the breach and the relevant circumstances.
11. Former employees
It may be necessary for your Personal Information to be processed after you leave employment with Aliz for a range of different purposes, in particular: to answer requests from prospective employers for references; to handle, request or provide information relevant to pension and benefits which extend beyond your employment; in connection with your employment or the cessation of your employment; for statistical purposes or looking at trends in our workforce, such as headcount or costs; in order to assess your eligibility to be rehired by Aliz; to respond to requests from tax or other regulatory authorities who make enquiries or conduct audits or investigations that relate to your employment with us; for the purpose of distribution of shares, options or company share plans; or to defend current or prospective legal claims that may be brought by you or which you may be connected to.
12. Where we send your personal information
First and foremost your Personal Information is received by the legal entity within Aliz that is your employer/supplier/client/contractor/potential employer or a service provider you contact for any other reason whatsoever. Aliz decides the means and purpose for processing certain Personal Information about you and is therefore a data controller. However, as outlined in section 2.2, we may use your Personal Information for many reasons connected with our relationship, and in addition, because different businesses and functions work across multiple countries around the globe, your employer is not the only Aliz data controller that will have access to your Personal Information. We have set out the details of Aliz’s main data controllers in Appendix 1, together with the relevant contact details.
In order to provide you with the best possible visibility of who may receive your Personal Information, we have created a list below of persons who may have access to your Personal Information, aside from the legal entity that is your employer. All recipients will only have access to the relevant information that is necessary for performing their tasks (for example: pay slip printing companies have access only to information that is strictly necessary for preparing the pay slips and not to information about work calendars or performance, etc).
13. Who has access to your personal information
Aliz may have reason to send information to third parties with whom Aliz has business relationships or is bound by service contracts (IT service providers, etc.). Additionally Aliz may send information to local regulatory authorities when required in order to comply with local law or reporting requirements. We only disclose information that is strictly necessary to enable us to manage or administer our business and employees. For our employees this means we may provide your Personal Information to third parties to enable us to use their services or when required or permitted by laws and regulations. This includes for example, services relevant to the insurances and health benefits we provide, payroll, actuarial benefits or disclosures required for us to use third party software and applications or to obtain advice relevant to you and for the processing set out in section 2.2, to the extent we outsource any of these activities or use third party systems or technology to administer them. Where we provide your Personal Information to third parties, or we ask you to provide your Personal Information directly to particular suppliers or vendors, this is on the basis that they agree to comply with the provisions of the General Data Protection Regulation and/or any other applicable laws.
The recipients of Personal Information concerning you are limited. Subject to information transferred outside of Europe (see section 3.2), they are:
14. Transfer of information outside of Europe
Given our global reach some information about you may be processed by or on behalf of group entities anywhere in the world – for example, payroll or IT services may be performed by one or more group entities acting on behalf of other entities in different locations. Therefore, the work that you complete and our business processes may involve transferring your Personal Information to countries outside of Europe which have different data protection standards to those which apply in Europe.
In making such transfers, Aliz conforms to this Policy and any bylaws of Aliz. Please refer to the provisions of this Policy for information on how Aliz may transfer personal data in compliance with EU law.
Aliz may also transfer Personal Information to Aliz franchises in jurisdictions which have been deemed equivalent to Europe for data protection purposes in accordance with decisions of the European Commission, or on the basis of further appropriate safeguards, including but not limited to entry by Aliz companies into “Model Contracts” for the purposes of Europe data protection laws.
In addition, data can be accessed only by group entities that are legally bound this Policy and have implemented the commitments made hereunder.
We also rely on other permitted data transfer mechanisms such as relying on the relevant third party’s Privacy Shield certification or third party corporate rules (approved by relevant data protection authorities and put in place to protect your Personal Information). You have a right to ask us for a copy of the safeguard used by contacting us as set out below.
15. Consent and existing terms and conditions (Europe only)
Aliz may have previously relied on consent in certain European countries in order to process your Personal Information. You may therefore have previously entered into an employment contract or signed forms or other terms and conditions that provide consent to Aliz to process your Personal Information. As outlined in section 2.2, Aliz processes your Personal Information in order to perform our obligations arising under our relationship with you, to comply with legal obligations or to otherwise carry out our legitimate business interests and for the purposes outlined in that section. This means that generally speaking and subject to any applicable local legal requirements we do not request your express consent (or rely on existing consent except in limited circumstances where this is specifically necessary) to use your Personal Information for these purposes.
However, Aliz may from time to time ask you to provide consent in order to process specific types of Personal Information, including the types of personal information detailed in section 5 below. If you do opt to provide consent where it is requested, you have the right to withdraw your consent for that specific processing at any time in writing. Please send such requests to your usual HR partner.
Please be aware that it is not a condition of your relationship with us that you agree to any request for consent from us. Providing consent is purely voluntary. You will not be subjected to any detriment by declining to provide your consent. This also applies to any consent that you may be asked to give as detailed in section 5.
Please note that section 4 only applies to individuals connected with Aliz in European countries.
16. Circumstances where we may rely on consent to process your personal information
17. Sensitive personal information
Sensitive Personal Information includes information that reveals: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Please note that Aliz does not ask you for information concerning political opinions, a person’s sex life, religious or philosophical beliefs or genetic/biometric data (that could be used to identify you) in European countries, unless required by law to do so.
Subject to any applicable local legal requirements/restrictions, we may process your sensitive Personal Information if it is necessary:
In addition, from time to time Aliz may also offer you the opportunity to voluntarily participate in initiatives which involve the processing of sensitive Personal Information. Where Aliz does so, this will be done on the basis of your consent to participate in such initiatives.
18. Criminal convictions
During employment we will only process information concerning criminal convictions and offences (criminal history check), where this is necessary to comply with our legal or regulatory requirements, and provided that this is authorised by the laws of the country where you are employed. Such laws may require us to obtain your consent in order to process this type of Personal Information. Where this applies, this will be made clear to you and your consent may be withdrawn at any time.
We implement technical and organisational measures that are appropriate to the risk to protect the Personal Information that we process about you. This may include:
Specifically, Personal Information may be protected by technical and organizational security measures appropriate to the sensitivity of the information and how it is stored. Such measures may include encryption, password protection, contractual confidentiality and data protection obligations, locked storage facilities, and/or restricted and recorded access, as applicable.
Despite all of our best efforts the security of information may be breached from time to time, for example, if a Aliz employee sends an email to the wrong recipient or leaves documents on public transport. Aliz has policies and processes, such as the Electronic Communications Policy, that all employees must be familiar with in order to ensure that our information is kept secure and confidential.
Importantly, any data breaches must be notified immediately and without delay to your Business Information Security Officer. In certain circumstances we will need to notify data protection authorities about breaches within 72 hours and it is therefore critical that you tell us straight away.
20. Data storage and retention periods
In general your Personal Information will be held and managed in accordance with the record retention periods specified in accordance with the local laws of the country in which you are connected with Aliz.
Personal Information is kept for the period of time that it is needed by Aliz in connection with your relationship. This includes for the duration of, and following, your relationship with us, until the relevant retention period expires Aliz applies the following considerations to its retention periods:
21. Your rights in respect of your personal information
Under certain circumstances, you have the right to:
Limitations can apply to your ability to exercise some of these rights. For example, under the General Data Protection Regulation (or other applicable laws), if you request erasure of your Personal Information, Aliz can keep the Personal Information if processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (in addition to other grounds).
We may need to request specific information from you to help us confirm your identity and ensure your right to access the Personal Information concerning you that we hold (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it and otherwise to assist us to process your request in a timely manner.
If you want to review, verify, correct or request erasure of your Personal Information, or object to the processing of your Personal Information, please contact the HR team.
Please note that Aliz will not transfer your data to a third party at the request of another individual, save as required by the General Data Protection Regulation or any other applicable laws.
22. No fee usually required
Normally you will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee based on administrative costs, if we consider your request for access to be unfounded, excessive or repetitive. Alternatively, we may refuse to comply with the request in such circumstances. In that event, we will explain to you why we have made that decision.
23. Who can I contact about how Aliz processes my personal information?
As outlined in Section 8, if you wish to review, verify, correct, erase or object to the processing of your Personal Information, please contact the HR team.
We would always encourage you to raise issues to Aliz in the first instance. In the event that you have any concerns or complaints related to our processing of your Personal Information, please contact the Operations team.
You can also contact Aliz’s Data Protection Officer who oversees Aliz’s compliance with privacy requirements including the General Data Protection Regulation.
We appreciate that you may not feel that it is possible to raise your concerns with us directly. As such, you may make a complaint at any time to the relevant Supervisory Authority in the location where you normally work.
24. Information concerning family members and dependents
In certain countries Aliz may collect information from you concerning your family members or dependents either for the purposes of providing benefits and insurance, for example, health insurance, social benefits or allowances or for contacting them in the case of an emergency or in connection with relocating certain employees as part of Aliz mobility. In certain countries we may need this information in order to assess your eligibility for certain statutory or Aliz provided entitlements, such as family friendly leave or leave in connection with you caring for an ill family member or other benefits or entitlements.
These details will be kept solely for those purposes and will be held and retained for these reasons. To the extent applicable, sections 2 and 3.2 to 9 of this Policy apply to your family members and dependents, so please inform them about the content of this Policy.