Personal Data Privacy and Protection Policy

  1. Purpose

    The purpose of this Mintz Group Global Data Protection Policy (“Policy”) is to outline Mintz Group’s practices for the Processing of Client Data and Candidate Data on a worldwide basis, in accordance with the EU General Data Protection Regulation (“GDPR”) and other applicable laws. Unless it is otherwise Client Data or Candidate Data, this Policy does not apply to the Processing of information relating to online visitors.

    This Policy is designed to provide a global minimum standard for Mintz Group with respect to its Processing of Client Data and Candidate Data. Where specific local laws require stricter standards than those prescribed in this Policy, Mintz Group will Process Client Data in accordance with applicable local law and may develop specific local policies in this regard.  Where applicable local law provides a lower level of protection of Client Data and Candidate Data than that established by this Policy, then the standard required by this Policy will apply.

  2. Revision History

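    | Date | Revision # | Modification  |
    |------|------------|---------------|
    |      | 0.1        | Initial Draft |
    |      | 0.2        | Final         |
    |      | 0.3        | Revised Final |
    |      | 0.4        | Revised Final |
    |      | 0.5        | Revised Final |
    |      | 0.6        | Revised Final |
    |      | 0.7        | Revised Final |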

  3. Scope

    This Policy applies to all Mintz Group Clients globally.

  4. Definitions

    All defined terms contained herein shall have the meaning ascribed to them in the Data Protection Glossary unless otherwise defined herein.

  5. Responsibilities

    Mintz Group’s Office of the General Counsel (“OGC”) Team is responsible for managing this Policy.  The Mintz Group Data Protection Team is responsible for responding to any requests by Clients or Candidates to access their Data held by the Mintz Group, or to any actual or potential violations of this Policy.

  6. Additional Documentation

    1. Processing of Client Data and Candidate Data

      1. What is Processing?

        In the course of its relationships with Mintz Group Clients, Mintz Group will Process Client Data and Candidate Data.

        The term ‘processing’ shall mean any action taken in connection with Client Data and/or Candidate Data, including: collection, handling, use, transfer and disclosure by transmission, dissemination or otherwise making available, as well as recording, organization, storage, retention, adaptation or alteration, access, retrieval, consultation, alignment or combination, blocking, anonymizing, erasure, disposal or destruction.

      2. What Are Mintz Group’s General Processing Principles?


        In its capacity as a controller, Mintz Group respects the privacy rights and interests of each Mintz Group Client and adheres to the following general principles when Processing Client Data:

        1. Client Data will be Processed fairly and lawfully and in accordance with this Policy.
        2. Client Data will be collected for legitimate purposes. 
        3. Before Mintz Group collects Client Data, Mintz Group Clients will be informed about: the purposes for which their Personal Data is collected and used; how they can make inquiries or complaints about the Processing of their Personal Data; the types of third parties to which Mintz Group discloses their Personal Data; the means Mintz Group offers for limiting the use and disclosure of their Personal Data; and the security measures that Mintz Group adopts to safeguard their Personal Data.
        4. Client Data will be accurate and kept up-to-date. Reasonable steps will be taken to rectify or delete Client Data that is inaccurate or incomplete.
        5. Subject to certain exceptions, Mintz Group Clients will have the opportunity to choose not to have their Client Data disclosed to a third party (other than those who are acting as agents for Mintz Group under its instructions) or used for a legitimate purpose which is incompatible with the original purpose for collection. Mintz Group Clients will be given a clear and conspicuous, readily available and affordable mechanism by which to exercise their choice, in that Mintz Group Clients may contact Mintz Group at dataprotectionteam@mintzgroup.com to inform Mintz Group that they object to their Personal Data being disclosed to a third party as described above in this paragraph (e).
        6. Client Data will be relevant to, and not excessive for, the purposes for which it is collected and used.
        7. Subject to applicable local record retention laws and any other applicable legal requirements, Client Data will be held by Mintz Group only as long as it is necessary for the purposes for which it was collected and Processed.
        8. Mintz Group will not Transfer Client Data to any third party unless the third party provides at least the same level of privacy protection as is required by this Policy.
        9. Reasonable precautions will be taken to prevent: unauthorized or accidental destruction, alteration or disclosure of; accidental loss of; unauthorized access to; misuse of; unlawful Processing of; or damage to, Client Data.

          As a processor, Mintz Group will only process Candidate Data in accordance with the lawful instructions of Clients and as set out in this Policy.
      3. What are the Purposes of Processing?


        Mintz Group collects and uses Client Data and Candidate Data in order to: conduct pre-transaction background checks on individuals on behalf of Clients; and conduct other services in furtherance of its business relationship with Client. Mintz Group collects and uses Candidate Data solely for the purposes that have been defined by Mintz Group’s Clients as controllers.


        For example, the following is an illustrative, but not exhaustive, list of Mintz Group’s business activities all requiring the Processing of Client Data and Candidate Data in the context of Mintz Group’s business relationships with Clients:

        1. Client Data Processing
          1. Mintz Group Client identification;
          2. reimbursement of Mintz Group Client expenses;
          3. compliance and risk management;
          4. communication with Mintz Group Clients;
          5. pre-employment, pre-board appointment and pre-transaction background investigations, including civil and criminal litigation checks;
          6. reporting on financial history and credit reviews of Candidates, including, with respect to certain United Kingdom candidates, credit-related address information as maintained by Experian Ltd.; Experian’s Credit Reference Agency Information Notice, or “CRAIN,” can be viewed on its website at https://www.experian.co.uk/legal/crain/index;
          7. regulatory and licensing checks of Candidates;
          8. press, internet, and social media reporting about Candidates; certain of Mintz Group’s social media and other research may be based in part on the use of artificial intelligence technology to conduct searches of and/or to prepare preliminary summaries of publicly accessible social media content that has been posted on the Internet or is otherwise available in the public record;
          9. verifying employment and education of Candidates;
          10. conducting searches in global risk compliance databases (“watchlists”);
          11. identifying past and present corporate affiliations;
          12. searching driving records;
          13. business development and growth opportunities; or
          14. compliance with applicable legal requirements.
        2. Candidate Data Processing
          1. pre-employment, pre-board appointment and pre-transaction background investigations, including civil and criminal litigation checks;
          2. reporting on financial history and credit reviews of Candidates, including, with respect to certain United Kingdom Candidates, credit-related address information as maintained by Experian Ltd.; Experian’s Credit Reference Agency Information Notice, or “CRAIN,” can be viewed on its website at https://www.experian.co.uk/legal/crain/index;
          3. regulatory and licensing checks of Candidates;
          4. press, internet, and social media reporting about Candidates; certain of Mintz Group’s research may be based in part on the use of artificial intelligence technology to conduct searches of and/or prepare preliminary summaries of publicly accessible press, social media and other content that has been posted on the Internet;
          5. verifying employment and education of Candidates;
          6. conducting searches in global risk compliance databases (“watchlists”);
          7. identifying past and present corporate affiliations;
          8. searching driving records; and
          9. compliance with applicable legal requirements.

            Clients are responsible for identifying an appropriate legal basis for processing Candidate Data, as permitted by applicable law.
    2. Transfers of Personal Data

      1. When Will Mintz Group Share Client Data or Candidate Data Amongst its Various Entities?

        A Transfer of Client Data or Candidate Data between Mintz Group companies will only occur if the Transfer is based on a clear business need and is for the purposes described in Section 6.A.3. above.

      2. What Client Data or Candidate Data Transfers Outside of Mintz Group May Be Made?

        Mintz Group may, from time to time, Transfer Client Data or Candidate Data outside of Mintz Group:

        1. where required as a matter of law;
        2. where required to protect its legal rights (e.g., to defend litigation);
        3. at the direction of the relevant Mintz Group Client;
        4. to select third parties, where permitted by applicable local law; or
        5. to select third parties, as described below.
      3. Under What Circumstances May Disclosures Be Made to Service Providers and Customers?

        Mintz Group may disclose Client Data or Candidate Data to select third parties:

        1. that have been engaged to provide services to or on behalf of Mintz Group (e.g., conducting background checks) (‘Vendors’). In such circumstances, Mintz Group will only disclose Client Data or Candidate Data that is necessary for, and material, relevant and limited to, the Vendor’s provision of those services;
        2. for the purpose of safety, security and the protection of the Client’s resources. In such circumstances, Mintz Group will only disclose Client Data or Candidate Data that is necessary for, and material, relevant and limited to, those purposes; or
        3. where otherwise permitted under applicable local law.
      4. What Requirements Will Be Imposed on Vendors?

        Mintz Group will require that Vendors undertake by written contract to guarantee at least the same levels of protection afforded under this Policy when Processing Client Data or Candidate Data.

      5. Mintz Group shall be responsible for the processing of any Client Data or Candidate Data that Mintz Group receives under the DPF Principles and subsequently transfers to a third party acting as an agent on Mintz Group’s behalf, and Mintz Group shall remain liable under the DPF Principles if its agent processes such Client or Candidate Data in a manner that is inconsistent with the DPF Principles, unless Mintz Group proves that Mintz Group is not responsible for the event(s) that gave rise to the damage.
      6. Mintz Group may be required to disclose Client or Candidate Data in response to lawful requests by public authorities.
    3. Security and Confidentiality

      Mintz Group is committed to taking appropriate technical, physical and organizational measures to protect Client Data and Candidate Data (including Sensitive Client Data and Sensitive Candidate Data) against: unauthorized or accidental destruction, alteration or disclosure; accidental loss; unauthorized access; misuse; unlawful Processing; or damage.

      These measures include equipment, application and information security, access security, and training of Mintz Group Workers who are required to Process Mintz Group Clients’ Client Data and Candidates’ Candidate Data about this Policy and the appropriate Processing of Client Data and Candidate Data.

      The level of the relevant measures reflecting the risks and nature of the different types of Client Data and Candidate Data will be reviewed and updated periodically consistent with Mintz Group’s Information Security policies.


      Mintz Group will retain Candidate Data for the period specified by our Client, save where otherwise required by applicable law.

      Mintz Group will retain Client Data for as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law.  The criteria used to determine Mintz Group’s retention periods for Client Data include: 
      1. The length of time we are providing services to the Client;
      2. Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of transactions for a certain period of time before we can delete them); or
      3. Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations). 
    4. Sensitive Client Data and Sensitive Candidate Data

      1. How Will Mintz Group Treat Sensitive Client Data and Sensitive Candidate Data?

        Sensitive Client Data and Sensitive Candidate Data may be Processed for the purposes set out above. Mintz Group will endeavor to limit the Processing of Sensitive Client Data and Candidate Data to that strictly necessary for the purposes for which it was collected.


        A Mintz Group Client’s explicit Consent to the Processing of his/her Sensitive Client Data will be sought, except as otherwise allowed by law.

        Where Mintz Group is instructed to Process Sensitive Candidate Data on behalf of a Client, Mintz Group relies on the Client’s lawful condition to Process the Sensitive Candidate Data.  Where such lawful condition is the explicit Consent of the Candidate, the Client will be responsible for seeking the Candidate’s explicit Consent, except where the Client instructs Mintz Group to seek consent from the Candidate directly on the Client’s behalf.

      2. What Are Mintz Group Clients’ or Candidates’ Rights to Access Their Data?

        Any Mintz Group Client or Client’s Candidate, as the case may be, may inquire as to the nature of his/her Personal Data held by Mintz Group or request to exercise their data protection rights as permitted under applicable law, including by issuing a request to access, correct, update, suppress, restrict, or delete Personal Data, or object to the Processing of Personal Data.  Mintz Group will endeavor to respond to an inquiry from a Mintz Group Client without excessive delay and within the time limits prescribed by applicable local law (if any) or otherwise within a reasonable time period.  With respect to inquiries from Candidates, as stated above, Mintz Group will promptly refer such inquiries to Mintz Group’s Client(s) on whose behalf Mintz Group processed the Candidate’s Personal Data and Client(s) will be responsible for providing a response as controller.

        A Mintz Group Client or Client’s Candidate wishing to request to exercise his/her rights with respect to their Personal Data held by Mintz Group should contact the Data Protection Team at dataprotectionteam@mintzgroup.com.

        In processing a request from a Mintz Group Client, Mintz Group may request that the requesting Mintz Group Client:

        1. provide Mintz Group with sufficient information to allow it to confirm the Mintz Group Client’s or Client’s Candidate’s identity;
        2. in order to locate responsive information, identify his/her concerns which led to or motivated the request; and
        3. identify which Mintz Group companies the Mintz Group Client or Candidate interacted with and the nature of the Data requested.

        Mintz Group may, at its discretion and to the extent permitted to do so under applicable local law, require that a Mintz Group Client, as the case may be, pay his/her reasonable costs of complying with the request.


        Upon receipt of a request from a Candidate regarding their Personal Data held by Mintz Group, Mintz Group may, at its discretion, require that the Candidate identify which Mintz Group Clients are the controllers in respect of the Personal Data requested, so that Mintz Group can refer the Candidate’s inquiry to the applicable Client. 
      3. When Might Requests for Access to or Amendments to Client Data Be Refused?

        Mintz Group may refuse a Mintz Group Client’s request for access to his/her Personal Data in certain circumstances where permitted by applicable law. 

        If a request is refused, the reason for the refusal will be communicated to the Mintz Group Client. In this case the Mintz Group Client affected may make use of the dispute resolution Processes described in ‘Grievance Mechanism’ below.
    5. Transfer of EEA Data Outside of the EEA

      Client Data or Candidate Data (including EEA and Non-EEA Personal Data from jurisdictions with cross-border data transfer restrictions) is shared with Mintz Group companies around the world in accordance with applicable local law and/or under one or more inter-company agreements which safeguard the integrity of the Client Data or Candidate Data and the privacy rights of the Mintz Group Client whom the Client Data or Candidate Data concerns.


      Data Privacy Framework: Mintz Group has certified to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework (collectively “DPF”) for Personal Data that it receives in the U.S. from companies in the EEA or UK, and is committed to adhering to the DPF Principles in relation to such Personal Data. More information about the DPF, including the list of certified organizations, can be found at https://www.dataprivacyframework.gov/. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. Any Personal Data sent to Mintz Group in the U.S. may be used by Mintz Group and its agents for the purposes indicated in this Policy. If we intend to use your information for a purpose that is materially different from these purposes or if we intend to disclose it to a third party (a non-agent) not previously identified, we will notify you and offer you the opportunity to opt out of such uses and/or disclosures where it involves non-sensitive information or opt-in where sensitive information is involved.


      If you have any questions or concerns in relation to data transfers covered by the DPF, please write to the Data Protection Team at dataprotectionteam@mintzgroup.com. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the DPF Principles. In the event we are unable to resolve your complaints or disputes, you may contact JAMS DPF Program (https://www.jamsadr.com/DPF-Dispute-Resolution), an alternative dispute resolution provider based in the U.S., and they will investigate and assist you free of charge in resolving your complaint. As further explained in the DPF Principles, a binding arbitration option (https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2) will also be made available to you in order to address residual complaints not resolved by any other means. Mintz Group is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
    6. Grievance Mechanism

      If at any time a Mintz Group Client or Client’s Candidate believes that his/her Data has been Processed in violation of this Policy, the Mintz Group Client or Candidate may report the concern to the Data Protection Team at dataprotectionteam@mintzgroup.com.


      Mintz Group is obligated to arbitrate any individual claims and to follow the terms set forth in Annex I of the DPF Principles (available at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2), provided that the individual has invoked binding arbitration by delivering notice of such claims to Mintz Group at dataprotectionteam@mintzgroup.com and following the procedures and subject to conditions set forth in Annex I of the DPF Principles. 


      If a complaint of the nature described above concerns Personal Data processing subject to the GDPR and the complaint remains unresolved after referral to the Data Protection Team, Mintz Group will cooperate with the applicable Data Protection Authorities and/or their representatives (‘DPAs’), as appropriate, for investigation and resolution of the complaint.

      If the DPAs take the view that Mintz Group needs to take more specific action to comply with the GDPR, Mintz Group will comply with the advice of the DPAs, which may include:

      1. reversing or correcting the effects of any non-compliance, insofar as is feasible;
      2. ensuring that future EEA Client Data and Candidate Data Processing will be in conformity with the GDPR; and
      3. where possible, ceasing the Processing of the relevant EEA Client Data and Candidate Data.

      Mintz Group will provide the DPAs with written confirmation of the actions it has taken to comply with the advice of the DPAs.

      In addition, in compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Mintz Group commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

  7. Communication about this Policy

    Mintz Group is committed to communicating this Policy and how it may be accessed to all current and new Mintz Group Clients and Client’s Candidates. Mintz Group will make this Policy available on its website.

  8. Assessment Procedures

    Mintz Group will monitor its compliance with this Policy on an ongoing basis. Mintz Group will periodically verify that this Policy continues to conform to and comply with the GDPR. A statement affirming successful completion of any such assessment will be signed by a corporate officer or other authorized representative of Mintz Group at least once per year and made available upon request by a Mintz Group Client or Client’s Candidate or in the context of an investigation or complaint about compliance.

  9. Policy Governance

    This Policy supersedes and replaces any and all prior policies, guidelines and practices, written and unwritten, regarding its subject matter. Subject to any applicable local law requirements, the Company reserves the right to change, replace, or cancel this Policy with or without notice at its sole discretion at any time.

    Mintz Group is committed to ensuring that this Policy is observed by Mintz Group Clients. Mintz Group Clients must comply with this Policy. Non-compliance with this Policy could result in termination of any business relationship, contractual or otherwise, with a Mintz Group Client.

    In some countries, violations of regulations designed to protect Client Data may result in administrative sanctions, penalties, and/or claims for compensation and/or damages.

    Compliance with this Policy may be verified through various methods, including internal and external audits.

  10. Resources

    Clients or Candidates should contact the Mintz Group Office of General Counsel Team at OGC@mintzgroup.com with any questions about this Policy. Clients or Candidates should contact the Data Protection Team at dataprotectionteam@mintzgroup.com with any concerns about possible violations of this Policy.