Privacy notice for employees and contractors

Effective Date: September 15, 2021
  • 1. Introduction
    • 1.1. Purpose: This Privacy Notice (“Notice”) describes how QOMPLX, Inc., and its subsidiaries and affiliates globally (collectively “QOMPLX,” “Company,” “us” and “we”), use Personal Data (as defined below) relating to our applicants, employees, temporary and contractor staff including contractors employed by staffing service providers (collectively “Staff”). We use the term “QOMPLX” throughout this Notice to refer to the global organization. However, QOMPLX is made up of several separate legal entities located across the globe, and we may sometimes refer to them individually for clarity.

      1.2. Summary: This Notice is intended to help you understand why and how we may use your Personal Data, as it relates to your application, contract or employment with QOMPLX. QOMPLX will not Process your Personal Data for reasons other than as covered in this Notice, but please know that the examples below are only illustrative and not meant to be exhaustive, so other examples that exist may not be listed below. QOMPLX may supplement this Notice with additional notices, policies or guidance ("Additional Policies"). Wherever such Additional Policies are inconsistent with this Notice, this Notice will only apply to the extent that it is consistent, or may be made consistent, with such Additional Policies. QOMPLX may also modify this Notice from time to time, and the most recent update will be noted by the date given at the end of the Notice.

  • 2. Definitions
    • 2.1. Personal Data: "Personal Data" means information about you and from which you could be identified, including information which may be protected under privacy or data protection laws. QOMPLX Processes different types of Personal Data about you depending on your circumstances, your role and the law.

      2.2. Processing: “Process” or “Processing” means any operation or set of operations performed upon Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

      2.3. Service Provider: “Service Provider” means an entity that is engaged by QOMPLX to provide a service, and that is contractually limited in its usage of data, including recruiting agencies, benefit providers and platform services.

  • 3. Categories
    • The types and categories of Personal Data Processed:

      3.1. Personal Information: Generally, in furtherance of your application and/or employment with QOMPLX, QOMPLX Processes the types of Personal Data listed in Annex A.

      3.1.1. Scope: The scope of our Processing is not limited to Personal Data. Any information put into a Company’s information technology service (e.g. work email or Slack message) becomes data processed by QOMPLX, which Processing may not be subject to privacy or data protection regulations.

      3.2. Sensitive Personal Information:

      3.2.1. Additional Definitions: Also, in furtherance of your application and/or employment, QOMPLX may Process some Personal Data classified as ‘sensitive’ for the purposes of country-specific data protection law (“Sensitive Personal Data”). When Processing Sensitive Personal Data, QOMPLX includes additional restrictions on how we may use and hold this information. For purposes of the European Economic Area (“EEA”), Sensitive Personal Data is information that relates to:

      3.2.1.1. Racial and ethnic origin;

      3.2.1.2. Religious, political or philosophical beliefs;

      3.2.1.3. Trade union membership;

      3.2.1.4. Physical or mental health;

      3.2.1.5. Sexual life or orientation;

      3.2.1.6. Genetic or biometric data; and

      3.2.1.7. Alleged or actual criminal convictions and proceedings.

      3.2.2. European Economic Area: For purposes of the EEA, it is generally necessary to obtain your consent before we can collect and use such sensitive information. In such cases, you will be able to withdraw your consent to use of this data at any time.

      3.2.3. Exceptions: However, QOMPLX may Process your Sensitive Personal Data without consent for the purposes of carrying out the obligations (and exercising specific rights) in the field of employment, social security, and social protection law, as authorized by applicable law or by a collective agreement (where applicable), providing for appropriate safeguards for the fundamental rights and the interests of the Staff.

      3.2.4. Use of Data: In particular, this means that QOMPLX may Process Sensitive Personal Data for:

      3.2.4.1. The purposes of the employment relationship, if necessary, to decide on the establishment of such employment relationship, the performance of, or the termination of such employment relationship;

      3.2.4.2. The exercise or fulfillment of the rights and obligations of an employee representation arising from a law or a collective agreement, works agreement or service agreement; and

      3.2.4.3. To investigate offenses during the employment relationship, if the Processing is necessary to disclose the offense and if the interest of the Staff in excluding the Processing is worthy of protection and does not outweigh the interest of the Staff. In particular, if the type and extent of such Processing must not be disproportionate with regard to the (alleged) offense.

      3.2.5. Statutory Exceptions: Further, QOMPLX may Process Sensitive Personal Data without consent for limited statutory purposes, such as monitoring compliance with our health and safety rules, or if necessary, to protect your vital interests, for legal claims, or in the public interest. If required by applicable law, we may provide the purposes for which we Process your Sensitive Personal Data, and, if required, obtain your consent.

      3.2.6. Compliance: QOMPLX may also Process Sensitive Personal Data without consent for the limited statutory purpose of monitoring compliance with our equal opportunities policies, if this is the case in your jurisdiction. Otherwise, QOMPLX will collect your consent for such monitoring.

      3.3. Categories: For purposes of the California Consumer Privacy Act of 2018, as amended (the “CCPA”), in furtherance of your employment or engagement, QOMPLX Processes the categories of Personal Data listed in Annex B.

  • 4. Why your Personal Data is Processed
    • 4.1. Your Personal Data is Processed when it is: (i) reasonably necessary for consideration of filling a position or beginning employment or contractual engagement with QOMPLX (“Applicant Data”); (ii) reasonably necessary for the performance of your employment or contractual contractor terms of employment/engagement; (iii) reasonably necessary for compliance with a legal obligation to which QOMPLX is subject (for example, within the field of employment); or (iv) is within QOMPLX' legitimate interests as your employer or in furtherance of a contractual engagement (principally for the purposes listed below). Applicant Data, together with Personal Data Processed via the remaining purposes, are collectively referred to as “Employment Data.”

      4.2. Processing of Applicant Data: Is necessary to consider and/or further an employment or engagement relationship with QOMPLX, and Employment Data is required to develop an employment or engagement relationship. If Personal Data is not provided, QOMPLX would be unable to satisfy its legal obligations or perform its role as your employer or in furtherance of a contractual engagement.

      4.3. Other Persons: To the extent QOMPLX Processes Personal Data about a person you list as your emergency contact, spouse (or spousal equivalent), or any dependents or beneficiaries, you confirm that you have notified such person of having provided QOMPLX with this Personal Data and, if necessary, provided them with a copy of this Notice.

      4.4. Purposes: Generally, QOMPLX Processes your Personal Data for a variety of purposes, including but not exclusively, as outlined in Annex C.

      4.5. CCPA: For purposes of the CCPA, the business purpose for which QOMPLX Processes Personal Data categorized as:

      4.5.1. Applicant Data: Is “Recruitment”, “Security Purposes” and “Legal Purposes", as further discussed in the chart above; and

      4.5.2. Employment Data: Is explained fully in the chart attached.

      4.6. Home Address: In furtherance of flexible work arrangements, QOMPLX may utilize your home address (in lieu of your office address) for purposes of shipping, delivering, or providing materials related to your employment. If you desire to not have your home address used for this purpose, please contact your regional HR partner.

  • 5. Sharing and Disclosure of your Personal Data
    • 5.1. Confidentiality: QOMPLX is committed to maintaining the confidentiality of your Personal Data. We comply with legal requirements regarding the sharing and disclosure of Personal Data and will disclose Personal Data to the following recipients where it is legitimate to do so:

      5.1.1. Governments: Central and local government departments and other statutory or public bodies, such as tax, data and labor authorities;

      5.1.2. Other Authorities: Law enforcement and crime/fraud prevention and detection authorities or organizations;

      5.1.3. Service Providers: Providers we use to provide services for some of our HR, IT, financial, and other data processing activities. We share such data only when the Service Provider has a legitimate business reason to use the data to provide the service requested and only where such Service Provider has agreed in writing to provide an adequate level of protection to the data, in accordance with applicable law;

      5.1.4. Regulatory: Regulatory and professional bodies that have the authority to request information about QOMPLX and our Staff, to the extent we will try to assist such bodies in their inquiries while respecting the rights and privacy of our staff as far as possible;

      5.1.5. Subsidiaries: QOMPLX subsidiary or affiliate companies, each of which is required to comply with this Notice and to ensure that the Personal Data of our Staff employees are treated as confidential and securely protected;

      5.1.6. Acquisitions: In the event QOMPLX is acquired, in whole or in part, QOMPLX may share certain Personal Data with the potential purchaser, subject to the applicable national restrictions; potential purchasers and their advisors may have limited access to QOMPLX company data that includes Personal Data as part of the acquisition process. Any use or transfer of your Personal Data for these purposes will remain subject to this Notice;

      5.1.7. Daily Business: QOMPLX employees and staff within your country and the global QOMPLX network to perform daily business operations (e.g., to provide and monitor network access or to administer employee benefits); and

      5.1.8. Others: Other third parties at your request, such as mortgage providers or prospective employers.

  • 6. Security and Integrity of Personal Data
    • 6.1. Safeguards: QOMPLX maintains appropriate administrative, technical and organizational measures designed to help safeguard the confidentiality and integrity of employee Personal Data and to protect it against accidental or unlawful destruction, accidental loss, unauthorized alteration, disclosure or access, misuse, and any other unlawful form of Processing. In adherence with data protection laws and internal QOMPLX policies, QOMPLX addresses security at appropriate technology infrastructure points.

      6.2. Training: QOMPLX trains its employees regarding its data privacy policies and procedures and permits authorized employees to access employee Personal Data on a need-to-know basis, as required to perform the functions of their role.

  • 7. European Transfers of Personal Data
    • 7.1. Background: When engaging with QOMPLX, you must be aware that QOMPLX is a globally operating company having its headquarters based in the United States. If you are located in the EEA, or employed by a QOMPLX European entity, European data protection law prohibits the transfer of Personal Data outside the EEA unless specific requirements are met for the protection of that Personal Data. We carry out such transfers where we are confident that the level of protection applied to your information will be consistent with the protections provided in the EEA. For transfers outside of the QOMPLX network of companies, such as to our Service Providers, we enter into 'model clause' data transfer agreements or rely upon an approved data transfer method to ensure adequacy.

      7.2. Examples: Examples of where and why your information may be transferred outside of the EEA are outlined below. However, this is not an exhaustive list, and, in accordance with ongoing changes in our IT and operational infrastructure, this list may change from time to time:

      7.2.1. United States: To the United States, where the servers for some of our global systems are housed and where some of our IT, HR, financial, and tax processing is completed;

      7.2.2. QOMPLX Affiliates: To all QOMPLX companies outside the EEA with whom we share information from global systems for work-related purposes, including employee collaboration, employee-generated work product or data, etc.;

      7.2.3. Regulatory Bodies: To non-EEA regulatory bodies, to enable them to assess our compliance with their regulations;

      7.2.4. QOMPLX Affiliates, Integration: To QOMPLX companies outside the EEA, to promote integration of systems and appropriate use of resources; and

      7.2.5. External Service Providers: To external Service Providers who support our IT, HR, Financial, or operational infrastructure. Any such Service Providers are bound by contractual terms requiring them to process our data with a similar level of care and security as though they were in the EEA.

      7.3. Data Controller: For the purposes of data protection laws within the EEA, the QOMPLX entity that employs you is the data controller of your Personal Data, and you have the right to complain to your local supervisory authority relating to QOMPLX’ Processing of your Personal Data.

  • 8. How Long We Keep Your Information
    • QOMPLX holds your Personal Data according to our data retention policies and applicable law. We retain your Personal Data for only as long as appropriate to satisfy the purposes for which it was collected, unless the law permits or requires that QOMPLX retains it longer (for example, for the purpose of administering any benefits to which you are entitled, such as your pension).

  • 9. Your Rights
    • 9.1. UK and EEA: Subject to applicable local law and certain exemptions, if you are a resident of certain jurisdictions, including the United Kingdom and the EEA, you may have the right to:

      9.1.1. Request access to and obtain a copy of certain of your Personal Data held by QOMPLX;

      9.1.2. Have your Personal Data amended, if it is inaccurate;

      9.1.3. Request to have certain of your Personal Data deleted, subject to any outstanding requirements to retain such data related to your employment relationship with QOMPLX;

      9.1.4. In certain circumstances, restrict or object to QOMPLX' Processing of your Personal Data;

      9.1.5. Request to receive certain of your Personal Data in a structured, commonly used and machine-readable format for transfer to a third party; and

      9.1.6. Request that QOMPLX disclose the categories of Personal Information it has Processed about you.

      9.2. For More Information: For more information about your rights and how to exercise them, please contact your local/regional privacy or HR contact. You may also directly request this information by emailing privacy@QOMPLX.com.

  • 10. Contact Us
    • 10.1. Local HR Manager: If you have any questions or complaints about this Notice or how we Process your Personal Data, please speak to your local HR Manager or local data protection contact.

      10.2. Global Data Officer: You can also contact QOMPLX' global data protection officer at privacy@QOMPLX.com.

  • 11. Updates to this Notice
    • This Notice may be updated periodically and without prior notice to reflect changes in QOMPLX’ internal privacy practices. Please check Employee Central for updates to this document, as indicated at the top of the Notice.

  • Annex A
    • Types of Personal Data: Examples
      Information about you: Name, address, date of birth, marital status, nationality, race, gender, religion, preferred language, details of any disabilities, work restrictions and/or required accommodations
      Information to contact you at work or home: Name, address, telephone numbers and email address
      Information about who to contact in case of an emergency (yours or ours): Name, address, telephone numbers, email address and a contact’s relationship to you
      Information to identify you: Photographs, passport and/or driver’s license details, governmental identifications, and electronic signatures
      Information about your suitability to work for us and/or with QOMPLX’ customers: References, interview notes, work visas, ID information such as passport details and driver’s license information, and records/results of pre-employment checks, including criminal record checks, credit and fraud checks
      Information about your skills and experience: CVs, resumes and/or application forms, references, and records of qualifications, skills, training and other compliance requirements
      Information about your term of employment with QOMPLX: Letters of offer and acceptance of employment, employment contract, and location information
      Information that we need to pay you: Bank account details, national identification numbers or social security numbers (where applicable), salary and benefits, and expense allowances
      Information that we need to provide you with benefits and other entitlements: Length of service information, health information (where applicable), leave requests and related information
      Information related to your work travel expenses and reimbursement: Bank account details, passport information or driver’s license, vehicle registration and insurance details
      Information related to your pension or retirement entitlements: Salary, pension/retirement base, annual accrual, and benefits
      Information to allow you to access and work within our buildings, network, and systems: Global People Number (GPN), computer or facilities access and authentication information, identification codes, passwords and log-in to QOMPLX networks and devices, answers to security questions, photographs, and video images
      Information related to your performance at work: Performance assessments and ratings (including development records and/or notes of one to ones and other meetings, and personal development plans), leadership ratings, financial interests (where applicable), directorships, performance targets and objectives, training recommended and completed, personal improvement plans, secondments, and related correspondence and reports
      Information related to absence management for periods of illness: Absence and time-keeping records, start and end date of reporting in sick, percentage of illness absences per employee, address where an employee is being treated (when different than home address)
      Information related to discipline, grievance and other employment related processes: Interview/meeting notes or recordings and related correspondence
  • Annex B
    • Categories of Personal Data: Examples
      Personal Identifiers: A name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, or other similar identifiers.
      Personal Information Categories: Account information, education, employment, or necessary financial information.
      Protected Classifications: Age, gender expression or sexual orientation.
      Commercial Information: Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
      Internet or Similar Activity: Browsing history, search history, cookie information, and information on a consumer's interaction with a website, application, service, or advertisement.
      Geolocation Data: Physical location.
      Professional & Employment: Current or past job title.
      Inferences Drawn from Other Personal Information: Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  • Annex C
    • Purposes for which we need your Personal Data: Examples
      Recruitment:
      • To assess your suitability to work for QOMPLX;
      • To perform requisition and applicant management activities;
      • To perform matching to job vacancies;
      • To conduct screening, assessments and interviews;
      • To maintain a library of correspondence for employment purposes;
      • To make offers and provide contracts or terms of employment; and
      • To conduct pre-employment checks, including determining your legal right to work and carrying out criminal record and credit checks, where applicable.
      Human Resources ("HR"), finance and other business administration purposes:
      • Staffing, including resource planning, secondments, skills allocation, engagement management, recruitment, termination and succession planning;
      • Budgetary and financial planning and administration;
      • Organizational planning and development and workforce management, including monitoring the effectiveness of our equal opportunities policies and the fair and consistent treatment of staff members and job applicants;
      • Compensation, payroll, and benefit planning and administration, including salary, tax withholding, tax equalization, awards, insurance and pensions;
      • Workforce development, education, training and certification, maintaining up to date records of professional qualifications, memberships and continuing professional development programs;
      • Performance management and performance rating details (including achievements and work history);
      • Problem resolution, including carrying out internal reviews, grievances, investigations, audits and disciplinary procedures;
      • Business travel and expense management;
      • To complete business reporting and analytics;
      • Administration of flexible work arrangements and employee recognition;
      • Administration of employee enrollment and participation in activities and programs offered to eligible employees, including matching donations to non-profit organizations, political action committee contributions, and wellness activities;
      • Promotional and marketing materials and activities, including quotes, photos and videos;
      • Work-related injury and illness, including the management of employee Health & Safety, and disabilities, sickness and absence management;
      • To provide HR help desk support and case management;
      • To communicate with you and to facilitate communication between you and other people (including voicemail, e-mail and electronic collaborations);
      • Compliance and compliance reporting, including conflict of interest and gifts and hospitality reporting;
      • Risk management;
      • Project management;
      • Billing and time-keeping;
      • Monitoring and assessing compliance with QOMPLX' Code of Conduct, other QOMPLX policies and standards, and applicable laws and regulations;
      • Training and quality purposes; and
      • In the event of an acquisition or merger, providing information to a future purchaser of any part of QOMPLX' business.
      Diversity & Inclusiveness (D&I), where legally allowed or based on your prior, explicit consent:
      • Focus on diversity and inclusiveness in serving clients, developing employees, and playing a leadership role in communities; and
      • Meeting D&I targets (i.e. regarding increasing the number of females and minority hires/promotions).
      Security purposes:
      • Physical and identity access controls;
      • Authorizing, granting, administering, monitoring and terminating access to or use of QOMPLX or third-party facilities, records, property, devices and infrastructure including communications services such as business telephones and email/internet use;
      • CCTV and similar video surveillance, subject to national information obligations; and
      • Prevention and detection of fraud, immoral acts, or crime.
      Information Technology ("IT") administration purposes:
      • IT Systems access control and use monitoring;
      • IT fault reporting, management and resolution; and
      • Systems administration, support, development, management and maintenance.
      Legal purposes:
      • To comply with our legal, contractual and regulatory obligations, including but not limited to anti-bribery and anti-corruption, conflicts of interest and anti-money laundering, and enforcing internal policies and procedures; and
      • To keep a register of violations, incidents, or personal data breaches.
      Improve QOMPLX products, services and working environment:
      • Information provided or gleaned from employees, agents or contractors may be used for improvement purposes.