Client and Third-Party Data Protection Policy – GDPR Compliant

Introduction

Purpose

Humatica is committed to being transparent about how it collects and uses personal data and to meeting its data protection obligations. This policy (the “Policy”) sets out Humatica’s commitment to data protection, and individual rights and obligations in relation to personal data.

The Policy applies to the personal data of Humatica’s clients and related third parties, as well as individuals otherwise connected to the performance of Humatica’s services (the “Data Subjects”).

Please contact us at dataprotection@humatica.com if you have any questions about the Policy, or requests for further information.

Definitions

“Personal data” is any information that relates to a living individual who can be identified from that information. “Processing” is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

Individual rights

Under certain circumstances, Data Subjects have by law the right to:

  • Object to processing of their personal information where Humatica is relying on a legitimate interest (or that of a third party) and there is something about the Data Subject’s particular situation which makes them want to object to processing on this ground.
  • Request access to their personal information (commonly known as a “data subject access request”). This enables the Data Subject to receive a copy of the personal information Humatica holds about them and to check that Humatica is processing it lawfully.
  • Request correction of the personal information that Humatica holds about them. This enables the Data Subjects to have any incomplete or inaccurate information Humatica holds about them corrected.
  • Request erasure of their personal information. This enables Data Subjects to ask Humatica to delete or remove personal information where there is no good reason for Humatica to continue processing it.
  • Request the restriction of processing of their personal information.
  • Request the transfer of their personal information to another party in a machine-readable, commonly used and structured format.

If a Data Subject wants to exercise any of these rights, they should contact Humatica using the details below. The various rights set out above are not absolute, and each of them is subject to certain exceptions or qualifications. For example, with respect to withdrawing consent or objecting to processing, Humatica may need to discuss with the Data Subject whether Humatica’s use of the data needs to continue for other lawful purposes, such as fulfilment of a legal or contractual requirement.

To make a request, the individual should send the request to dataprotection@humatica.com. In some cases, Humatica may need to ask for proof of identification before the request can be processed. Humatica will inform the individual if it needs to verify their identity and the documents it requires.

Humatica will normally respond to a request within a period of one month from the date it is received. In some cases, such as where Humatica processes large amounts of the Data Subject’s data, Humatica may respond within three months of the date the request is received. Humatica will write to the individual within one month of receiving the original request to tell them whether this is the case.

If a Data Subject is not satisfied with Humatica’s response to their complaints or believes Humatica’s processing of their information does not comply with data protection law, the Data Subject can make a complaint to the Information Commissioner’s Office: https://ico.org.uk/global/contact-us/ or 0303 123 1113.

Information Humatica collects

Humatica collects the personal information of Data Subjects from a variety of sources, as set out in the Policy. Where necessary, Humatica collects information directly from the Data Subjects or indirectly from third parties.

Information provided by Data Subjects during interviews

This section details the personal data Humatica collects about Data Subjects in the course of their interviews. Humatica collects:

Please note that Humatica may record interviews in order to a) enable interviews to be reviewed at a later date to revisit discussion topics, b) ensure anonymised quotes taken are as close to verbatim as possible (only adjusted to ensure anonymity) and not misrepresented, and c) transcribe the quotes to share with the wider team who have not been able to attend the interview.

Information collected from publicly available sources as part of background searches

As part of providing services, Humatica conducts background searches and receives information of Data Subjects from sources such as LinkedIn and other publicly available sources. Humatica collects the following information from these sources:

Information provided on Data Subjects from an HR data request

Humatica requests and receives information on Data Subjects that is stored by a company’s HR department to understand the organisation set-up (e.g. the organisational structure and reporting lines) and contact the Data Subjects for participation in surveys. Humatica collects the following information:

  • Full name
  • Year of birth
  • Year started at the company
  • Email address
  • Job title
  • Gender
  • Full-time/part-time (%)
  • Location
  • Department
  • Level in the organisation / Seniority / Hierarchy
  • Compensation

Information provided by Data Subjects during surveys

For some areas of support, Humatica surveys employees to gather viewpoints from across the full organisation; this provides information that cannot be gained from the selected interviewees. Humatica collects:

  • Level of agreement with statements on business processes and activities across the organisation (Likert scale of 1 – Strongly Disagree to 5 – Strongly Agree)
  • Open text comments on business processes and activities across the organisation
  • % time spent on key activities

How Humatica uses the information collected

Humatica uses the information collected to enable it to perform its services to clients. The information which Humatica collects and what Humatica uses it for depends on the nature of Humatica’s business relationship with the Data Subjects. Humatica uses the information as follows:

  • Background and experience to provide context to interviews and support manager assessments (if conducted)
  • Viewpoints/anonymised quotes to support identification of improvement areas and prioritise recommendations
  • Full name to provide feedback where relevant and provide personalised communications (e.g. when distributing the survey, requesting data, sending personalised feedback based on results)
  • Year of birth to understand areas where succession plans should be considered to ensure information is not lost if individuals retire
  • Year started at the company to segment/group the survey results and compare results by tenure
  • Email address to distribute the survey and provide personalised feedback where relevant
  • Job title to build an organisational chart and understand levels of responsibility
  • Gender to review gender balance across the company
  • Full-time/Part-time (%) to understand the time spent working at the company
  • Location to segment/group the survey results to ensure anonymity and compare locations
  • Department to segment/group the survey results to ensure anonymity and compare departments
  • Level in the organisation to segment/group the survey results to ensure anonymity and compare levels in the organisation
  • Compensation to compare to other companies and review alignment
  • Level of agreement with statements on business processes and activities to support identification of improvement areas and development of recommendations
  • Open text comments on business processes and activities to support identification of improvement areas and development of recommendations
  • % time spent on key activities to support identification of improvement areas and development of recommendations (e.g. reducing the amount of time spent on admin with improved systems to increase time spent on core activities, such as sales)

Bases for collecting and using the information

Humatica is entitled to use the personal data of Data Subjects in the ways set out in the Policy on the following bases:

  • the use of the Data Subject’s personal data is necessary for Humatica’s legitimate interests in:
    • Developing recommendations to improve the organisation, as per the mandate of Humatica engagements/services (described on our website); and/or providing actionable recommendations to managers across the organisation based on their team’s survey results
  • explicit consent provided by the Data Subjects in the course of their interviews.

Humatica processes Data Subjects’ sensitive and special categories of personal data where Humatica has asked for the Data Subjects’ explicit consent or otherwise where this is necessary for the establishment, exercise, or defence of legal claims.

In the case that Data Subjects have obviously made information public (e.g. on social media), Humatica will process sensitive/special categories of personal data for the purposes of carrying out Humatica’s legal obligations.

Keeping the information

Humatica will keep the Data Subject’s information only for as long as necessary depending on the purpose for which it was provided.

Humatica keeps the Data Subject’s full information that is relevant for future projects for 12 months, after which the data is deleted or anonymised in the next bi-annual “data review”.

Following either the end of this period or during the data review, to enable statistical and analytical modelling (e.g. comparison of performance between companies), Humatica will anonymise the Data Subject’s information by deleting the following information:

  • Any names or roles attributed to quotes or viewpoints
  • Full name
  • Date of birth
  • Date started at the company
  • Email address
  • Gender

All other information will be retained, but it will no longer be classified as Data Subject’s information as the Data Subject cannot be identified.

Data security

Humatica takes the security of Data Subjects’ personal data seriously. Humatica has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. These include password protection and policies to avoid accidental loss of data, such as privacy screens.

Where Humatica engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Data breaches

If Humatica discovers that there has been a breach of a Data Subject’s personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. Humatica will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

International data transfers

The personal data of Data Subjects may be transferred to countries outside the EEA only for a legitimate purpose and where there are appropriate security measures in place.

Data is stored on servers in the United Kingdom, Switzerland, and the United States. Data is transferred to the United States as a part of our cloud-sharing storage. Transfers are made under standard contractual clauses.

Providing Information over the telephone

Humatica employs appropriate technical and organisational security measures to help protect the personal data of Data Subjects against access by unauthorised persons. When dealing with enquiries related to the Policy, Humatica may do the following:

  • Check the caller’s identity to make sure that information is only given to a person who is entitled to it.
  • Suggest that the caller puts their request in writing if Humatica is not sure about the caller’s identity and where their identity cannot be checked.
  • Refer to the Project Manager for advice in difficult situations or where there is uncertainty about the validity of the request.

Data protection principles

Humatica processes personal data in accordance with the following data protection principles:

  • Humatica processes personal data lawfully, fairly and in a transparent manner.
  • Humatica collects personal data only for specified, explicit and legitimate purposes.
  • Humatica processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • Humatica keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • Humatica keeps personal data only for the period necessary for processing.
  • Humatica adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
  • Humatica may share personal data with Third Party providers, who collect and process personal data on Humatica’s behalf.
  • Where third parties process data on behalf of Humatica, Humatica will ensure that the third party takes such measures in order to maintain Humatica’s commitment to protecting data. In line with GDPR, Humatica understands that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.
  • Humatica will only share personal data with Third Party providers with whom there is a contractual arrangement setting out the specific details relating to the processing, as well as appropriate security measures in place.

Third Party providers will only collect and process personal data within the remit of the Policy.