Personal Data Privacy and Protection Policy

  1. Purpose

    The purpose of this Mintz Group Global Data Protection Policy (“Policy”) is to outline Mintz Group’s practices for the Processing of Client Data and Candidate Data on a worldwide basis, in accordance with the EU General Data Protection Regulation (“GDPR”) and other applicable laws. Unless it is otherwise Client Data or Candidate Data, this Policy does not apply to the Processing of information relating to online visitors.

    This Policy is designed to provide a global minimum standard for Mintz Group with respect to its Processing of Client Data and Candidate Data. Where specific local laws require stricter standards than those prescribed in this Policy, Mintz Group will Process Client Data in accordance with applicable local law and may develop specific local policies in this regard.  Where applicable local law provides a lower level of protection of Client Data and Candidate Data than that established by this Policy, then the standard required by this Policy will apply.

  2. Revision History

    | Date | Revision # | Modification  |
    |------|------------|---------------|
    |      | 0.1        | Initial Draft |
    |      | 0.2        | Final         |
    |      | 0.3        | Revised Final |
    |      | 0.4        | Revised Final |
    |      | 0.5        | Revised Final |
    |      | 0.6        | Revised Final |

  3. Scope

    This Policy applies to all Mintz Group Clients globally.

  4. Definitions

    All defined terms contained herein shall have the meaning ascribed to them in the Data Protection Glossary unless otherwise defined herein.

  5. Responsibilities

    Mintz Group’s Office of the General Counsel (“OGC”) Team is responsible for managing this Policy.  The Mintz Group Data Protection Team is responsible for responding to any requests by Clients or Candidates to access their Data held by the Mintz Group, or to any actual or potential violations of this Policy.

  6. Additional Documentation

    Data Protection Glossary

    DPIA Standard

    DPIA Template

    Data Classification Policy

    Data Classification Standard

    Enterprise Risk Assessment Standard

    Access & Correction Standard

    Personal Data Erasure Standard

    Data Protection Training Standard

    Data Protection Audit Standard

    Consent Standard

    Data Processing Register Standard

    Individual Recourse Standard

    Information Security Standards Policy

    1. Processing of Client Data and Candidate Data

      1. What is Processing?

        In the course of its relationships with Mintz Group Clients and Candidates, Mintz Group will Process Client Data and Candidate Data.

        In addition to the general definition in the Data Protection Glossary, the term ‘processing’ also means any action taken in connection with Client Data and/or Candidate Data, including: collection, handling, use, transfer and disclosure by transmission, dissemination or otherwise making available, as well as recording, organization, storage, retention, adaptation or alteration, access, retrieval, consultation, alignment or combination, blocking, anonymizing, erasure, disposal or destruction.

      2. What Are Mintz Group’s General Processing Principles?

        Mintz Group respects the privacy rights and interests of each Mintz Group Client and Candidate and adheres to the following general principles when Processing Client Data and Candidate Data:

        1. Client Data and Candidate Data will both be Processed fairly and lawfully and in accordance with this Policy.
        2. Client Data and Candidate Data will both be collected for legitimate purposes.
        3. Before Mintz Group collects Client Data or Candidate Data, Mintz Group Clients or Candidates will be informed about: the purposes for which their Data is collected and used; how they can make inquiries or complaints about the Processing of their Data; the types of third parties to which Mintz Group discloses their Data; the means Mintz Group offers for limiting the use and disclosure of their Data; and the security measures that Mintz Group adopts to safeguard their Data.
        4. Client Data and Candidate Data will be accurate and kept up-to-date. Reasonable steps will be taken to rectify or delete Client Data or Candidate Data that is inaccurate or incomplete.
        5. Subject to certain exceptions, Mintz Group Clients and Candidates will have the opportunity to choose not to have their Client Data or Candidate Data disclosed to a third party (other than those who are acting as agents for Mintz Group under its instructions) or used for a legitimate purpose which is incompatible with the original purpose for collection. Mintz Group Clients will be given a clear and conspicuous, readily available and affordable mechanism by which to exercise their choice, in that Mintz Group Clients and Candidates may contact Mintz Group at dataprotectionteam@mintzgroup.com to inform Mintz Group that they object to their data being disclosed to a third party as described above in this paragraph (e).
        6. Client Data and Candidate Data will be relevant to, and not excessive for, the purposes for which it is collected and used.
        7. Subject to applicable local record retention laws and any other applicable legal requirements, Client Data and Candidate Data will be held by Mintz Group only as long as it is necessary for the purposes for which it was collected and Processed.
        8. Mintz Group will not Transfer Client Data or Candidate Data to any third party unless the third party provides at least the same level of privacy protection as is required by this Policy.
        9. Reasonable precautions will be taken to prevent: unauthorized or accidental destruction, alteration or disclosure of; accidental loss of; unauthorized access to; misuse of; unlawful Processing of; or damage to, Client Data and Candidate Data.
      3. What are the Purposes of Processing?

        Mintz Group collects and uses Client Data and Candidate Data in order to: service requests for pre-employment or pre-board appointment background checks on Candidates; conduct pre-transaction background checks on individuals; and conduct other services in furtherance of its business relationship with Client.

        For example, the following is an illustrative, but not exhaustive, list of Mintz Group’s business activities all requiring the Processing of Client Data and Candidate Data in the context of Mintz Group’s business relationships with Clients:

        1. Mintz Group Client identification;
        2. reimbursement of Mintz Group Client expenses;
        3. compliance and risk management;
        4. communication with Mintz Group Clients;
        5. pre-employment, pre-board appointment and pre-transaction background investigations, including civil and criminal litigation checks;
        6. reporting on financial history and credit reviews of Candidates, including, with respect to certain United Kingdom candidates, credit-related address information as maintained by Experian Ltd.; Experian’s Credit Reference Agency Information Notice, or “CRAIN,” can be viewed on its website at https://www.experian.co.uk/legal/crain/index;
        7. regulatory and licensing checks of Candidates;
        8. press, internet, and social media reporting about Candidates; certain of Mintz Group’s social media research may be based in part on the use of artificial intelligence technology to conduct searches of publicly accessible social media content that has been posted on the Internet;
        9. verifying employment and education of Candidates;
        10. conducting searches in global risk compliance databases (“watchlists”);
        11. identifying past and present corporate affiliations;
        12. searching driving records;
        13. business development and growth opportunities; or
        14. compliance with applicable legal requirements.
    2. Transfers of Personal Data

      1. When Will Mintz Group Share Client Data or Candidate Data Amongst its Various Entities?

        A Transfer of Client Data or Candidate Data between Mintz Group companies will only occur if the Transfer is based on a clear business need and is for the purposes described in Section 8.A.3. above.

      2. What Client Data or Candidate Data Transfers Outside of Mintz Group May Be Made?

        Mintz Group may, from time to time, Transfer Client Data or Candidate Data outside of Mintz Group:

        1. where required as a matter of law;
        2. where required to protect its legal rights (e.g., to defend litigation);
        3. at the direction of the relevant Mintz Group Client;
        4. to select third parties, where permitted by applicable local law; or
        5. to select third parties, as described below.
      3. Under What Circumstances May Disclosures Be Made to Service Providers and Customers?

        Mintz Group may disclose Client Data or Candidate Data to select third parties:

        1. that have been engaged to provide services to or on behalf of Mintz Group (e.g., conducting background checks) (‘Vendors’). In such circumstances, Mintz Group will only disclose Client Data that is necessary for, and material, relevant and limited to, the Vendor’s provision of those services;
        2. safety, security and the protection of the Client’s resources. In such circumstances, Mintz Group will only disclose Client Data that is necessary for, and material, relevant and limited to, those purposes; or
        3. where otherwise permitted under applicable local law.
      4. What Requirements Will Be Imposed on Vendors?

        Mintz Group will require that Vendors undertake by written contract to guarantee at least the same levels of protection afforded under this Policy when Processing Mintz Group Clients’ Client Data.

      5. Mintz Group shall be responsible for the processing of any Client Data or Candidate Data that Mintz Group receives under the DPF Principles and subsequently transfers to a third party acting as an agent on Mintz Group’s behalf, and Mintz Group shall remain liable under the DPF Principles if its agent processes such data in a manner that is inconsistent with the DPF Principles, unless Mintz Group proves that Mintz Group is not responsible for the event(s) that gave rise to the damage.
      6. Mintz Group may be required to disclose Client or Candidate Data in response to lawful requests by public authorities.
    3. Security and Confidentiality

      Mintz Group is committed to taking appropriate technical, physical and organizational measures to protect Client Data and Candidate Data (including Sensitive Client Data and Sensitive Candidate Data) against: unauthorized or accidental destruction, alteration or disclosure; accidental loss; unauthorized access; misuse; unlawful Processing; or damage.

      These measures include equipment, application and information security, access security, and training of Mintz Group Workers who are required to Process Mintz Group Clients’ Client Data and Candidates’ Candidate Data about this Policy and the appropriate Processing of Client Data and Candidate Data.

      The level of the relevant measures reflecting the risks and nature of the different types of Client Data and Candidate Data will be reviewed and updated periodically consistent with Mintz Group’s Information Security policies.

    4. Sensitive Client Data and Sensitive Candidate Data

      1. How Will Mintz Group Treat Sensitive Client Data and Sensitive Candidate Data?

        Sensitive Client Data and Sensitive Candidate Data may be Processed for the purposes set out above. Mintz Group will endeavor to limit the Processing of Sensitive Client Data and Candidate Data to that strictly necessary for the purposes for which it was collected.

        A Mintz Group Client’s explicit Consent to the Processing of his/her Sensitive Client Data will be obtained, except as otherwise allowed by law. Similarly, a Mintz Group Candidate’s explicit Consent to the Processing of his/her Sensitive Candidate Data will be obtained, except as otherwise allowed by law.

      2. What Are Mintz Group Clients’ or Candidates’ Rights to Access Their Data?

        Any Mintz Group Client or Candidate, as the case may be, may inquire as to the nature of his/her Data held by Mintz Group.  Mintz Group will endeavor to respond to an inquiry without excessive delay and within the time limits prescribed by applicable local law (if any) or otherwise within a reasonable time period.

        A Mintz Group Client or Candidate wishing to access his/her Data held by Mintz Group should contact the Data Protection Team at dataprotectionteam@mintzgroup.com.

        In responding to a request for access, Mintz Group may request that the requesting Mintz Group Client or Candidate, as the case may be:

        1. provide Mintz Group with sufficient information to allow it to confirm the Mintz Group Client’s or Candidate’s identity;
        2. in order to locate responsive information, to identify his/her concerns which led to or motivated the request; and
        3. identify which Mintz Group companies the Mintz Group Client or Candidate interacted with and the nature of the Data requested.

        Mintz Group may, at its discretion and to the extent permitted to do so under applicable local law, require that a Mintz Group Client or Candidate, as the case may be, pay his/her reasonable costs of providing access.

      3. When Might Requests for Access to or Amendments to Client Data Be Refused?

        Mintz Group may refuse a Mintz Group Client’s or Candidate’s request for access to his/her Data in certain circumstances.  For example, depending on the circumstances of the request, access may not be provided where:

        1. the burden or expense of providing access would be disproportionate to the risks to the requester;
        2. the rights or interests of an individual other than the requester would be violated, such as where access would reveal another Mintz Group Client’s Client Data or Candidate’s Candidate Data;
        3. access would reveal information which Mintz Group has taken steps to protect from disclosure, where disclosure would help a competitor in the market (‘Confidential Commercial Information’), such as where Confidential Commercial Information cannot be readily separated from the Client Data or Candidate Data;
        4. the execution or enforcement of the law, including prevention, investigation or detection of offences or the right to a fair trial would be interfered with;
        5. a Mintz Group internal investigation or grievance proceeding would be prejudiced;
        6. any confidentiality that may be necessary: for limited periods in connection with Mintz Group Client or Candidate succession planning and corporate re-organizations; or in connection with monitoring, inspections or regulatory functions connected with sound economic or financial management, would be prejudiced;
        7. a court or other authority of appropriate jurisdiction determines that Mintz Group is not required to provide access;
        8. a legal or other professional privilege or obligation would be breached; or
        9. there is no legal requirement for Mintz Group to provide such access, including because the local legal requirements for a valid data subject access request have not been met.

        If a request for access or rectification is refused, the reason for the refusal will be communicated to the Mintz Group Client or Candidate. In this case the Mintz Group Client or Candidate affected may make use of the dispute resolution Processes described in ‘Grievance Mechanism’ below.

      4. What Are Mintz Group Clients’ or Candidates’ Rights to Amend Their Data?

        If a Mintz Group Client’s Client Data or Candidate’s Candidate Data is inaccurate or incomplete, the Mintz Group Client or Candidate may request that his/her Data be rectified.

    5. Transfer of EEA Data Outside of the EEA

      Client Data or Candidate Data (including EEA and Non-EEA Data from jurisdictions with cross-border data Transfer restrictions) is shared with Mintz Group companies around the world in accordance with applicable local law and/or under one or more inter-company agreements which safeguard the integrity of the Client Data or Candidate Data and the privacy rights of the Mintz Group Client whom the Client Data or Candidate Data concerns.

      Data Privacy Framework: Mintz Group has certified to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework (collectively “DPF”) for personal data that it receives in the U.S. from companies in the EEA and UK, and is committed to adhering to the DPF Principles in relation to such personal data. More information about the DPF, including the list of certified organizations, can be found at https://www.dataprivacyframework.gov/. Any personal data sent to Mintz Group in the U.S. may be used by Mintz Group and its agents for the purposes indicated in this Policy. If we intend to use your information for a purpose that is materially different from these purposes or if we intend to disclose it to a third party (a non-agent) not previously identified, we will notify you and offer you the opportunity to opt out of such uses and/or disclosures where it involves non-sensitive information or opt-in where sensitive information is involved.

      If you have any questions or concerns in relation to data transfers covered by the DPF, please write to the Data Protection Team at dataprotectionteam@mintzgroup.com. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data in accordance with the DPF Principles. In the event we are unable to resolve your complaints or disputes, you may contact JAMS DPF Program, an alternative dispute resolution provider based in the U.S., and they will investigate and assist you free of charge in resolving your complaint. As further explained in the DPF Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. Mintz Group is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
    6. Grievance Mechanism

      If at any time a Mintz Group Client or Candidate believes that his/her Data has been Processed in violation of this Policy, the Mintz Group Client or Candidate may report the concern to the Data Protection Team at dataprotectionteam@mintzgroup.com.


      Mintz Group is obligated to arbitrate any individual claims and to follow the terms set forth in Annex I of the DPF Principles (available at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2), provided that the individual has invoked binding arbitration by delivering notice of such claims to Mintz Group at dataprotectionteam@mintzgroup.com and following the procedures and subject to conditions set forth in Annex I of the DPF Principles. 


      If a complaint of the nature described above concerns EEA Data and the complaint remains unresolved after referral to the Data Protection Team, Mintz Group will cooperate with the EEA Data Protection Authorities and/or their representatives (‘DPAs’), as appropriate, for investigation and resolution of the complaint.

      If the DPAs take the view that Mintz Group needs to take more specific action to comply with the GDPR, Mintz Group will comply with the advice of the DPAs, which may include:

      1. reversing or correcting the effects of any non-compliance, insofar as is feasible;
      2. ensuring that future EEA Client Data and Candidate Data Processing will be in conformity with the GDPR; and
      3. where possible, ceasing the Processing of the relevant EEA Client Data and Candidate Data.

      Mintz Group will provide the DPAs with written confirmation of the actions it has taken to comply with the advice of the DPAs.

      In addition, in compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Mintz Group commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.

  7. Communication about this Policy

    Mintz Group is committed to communicating this Policy and how it may be accessed to all current and new Mintz Group Clients and Candidates. Mintz Group will make this Policy available on its website.

  8. Assessment Procedures

    Mintz Group will monitor its compliance with this Policy on an ongoing basis. Mintz Group will periodically verify that this Policy continues to conform to and comply with the GDPR. A statement affirming successful completion of any such assessment will be signed by a corporate officer or other authorized representative of Mintz Group at least once per year and made available upon request by a Mintz Group Client or Candidate or in the context of an investigation or complaint about compliance.

  9. Policy Governance

    This Policy supersedes and replaces any and all prior policies, guidelines and practices, written and unwritten, regarding its subject matter. Subject to any applicable local law requirements, the Company reserves the right to change, replace, or cancel this Policy with or without notice at its sole discretion at any time.

    Mintz Group is committed to ensuring that this Policy is observed by Mintz Group Clients and Candidates. Mintz Group Clients and Candidates must comply with this Policy. Non-compliance with this Policy could result in termination of any business relationship, contractual or otherwise, with a Mintz Group Client or Candidate.

    In some countries, violations of regulations designed to protect Client Data may result in administrative sanctions, penalties, and/or claims for compensation and/or damages.

    Compliance with this Policy may be verified through various methods, including internal and external audits.

  10. Resources

    Clients or Candidates should contact the Mintz Group Office of General Counsel Team at OGC@mintzgroup.com with any questions about this Policy. Clients or Candidates should contact the Data Protection Team at dataprotectionteam@mintzgroup.com with any concerns about possible violations of this Policy.