Personal Data Privacy and Protection Policy
The purpose of this Mintz Group Global Data Protection Policy (“Policy”) is to outline Mintz Group’s practices for the Processing of Client Data and Candidate Data on a worldwide basis, in accordance with the EU General Data Protection Regulation (“GDPR”) and other applicable laws. Unless it is otherwise Client Data or Candidate Data, this Policy does not apply to the Processing of information relating to online visitors.
This Policy is designed to provide a global minimum standard for Mintz Group with respect to its Processing of Client Data and Candidate Data. Where specific local laws require stricter standards than those prescribed in this Policy, Mintz Group will Process Client Data in accordance with applicable local law and may develop specific local policies in this regard. Where applicable local law provides a lower level of protection of Client Data and Candidate Data than that established by this Policy, then the standard required by this Policy will apply.
This Policy applies to all Mintz Group Clients globally.
All defined terms contained herein shall have the meaning ascribed to them in the Data Protection Glossary unless otherwise defined herein.
Mintz Group’s Office of the General Counsel (“OGC”) Team is responsible for managing this Policy. The Mintz Group Data Protection Team is responsible for responding to any requests by Clients or Candidates to access their Data held by the Mintz Group, or to any actual or potential violations of this Policy.
Data Protection Glossary
Data Classification Policy
Data Classification Standard
Enterprise Risk Assessment Standard
Access & Correction Standard
Personal Data Erasure Standard
Data Protection Training Standard
Data Protection Audit Standard
Data Processing Register Standard
Individual Recourse Standard
Information Security Standards Policy
Processing of Client Data and Candidate Data
What is Processing?
In the course of its relationships with Mintz Group Clients and Candidates, Mintz Group will Process Client Data and Candidate Data.
In addition to the general definition in the Data Protection Glossary, the term ‘processing’ also means any action taken in connection with Client Data and/or Candidate Data, including: collection, handling, use, transfer and disclosure by transmission, dissemination or otherwise making available, as well as recording, organization, storage, retention, adaptation or alteration, access, retrieval, consultation, alignment or combination, blocking, anonymizing, erasure, disposal or destruction.
What Are Mintz Group’s General Processing Principles?
Mintz Group respects the privacy rights and interests of each Mintz Group Client and Candidate and adheres to the following general principles when Processing Client Data and Candidate Data:
- Client Data and Candidate Data will both be Processed fairly and lawfully and in accordance with this Policy.
- Client Data and Candidate Data will both be collected for legitimate purposes.
- Before Mintz Group collects Client Data or Candidate Data, Mintz Group Clients or Candidates will be informed about: the purposes for which their Data is collected and used; how they can make inquiries or complaints about the Processing of their Data; the types of third parties to which Mintz Group discloses their Data; the means Mintz Group offers for limiting the use and disclosure of their Data; and the security measures that Mintz Group adopts to safeguard their Data.
- Client Data and Candidate Data will be accurate and kept up-to-date. Reasonable steps will be taken to rectify or delete Client Data or Candidate Data that is inaccurate or incomplete.
- Subject to certain exceptions, Mintz Group Clients and Candidates will have the opportunity to choose not to have their Client Data or Candidate Data disclosed to a third party (other than those who are acting as agents for Mintz Group under its instructions) or used for a legitimate purpose which is incompatible with the original purpose for collection. Mintz Group Clients will be given a clear and conspicuous, readily available and affordable mechanism by which to exercise their choice.
- Client Data and Candidate Data will be relevant to, and not excessive for, the purposes for which it is collected and used.
- Subject to applicable local record retention laws and any other applicable legal requirements, Client Data and Candidate Data will be held by Mintz Group only as long as it is necessary for the purposes for which it was collected and Processed.
- Mintz Group will not Transfer Client Data or Candidate Data to any third party unless the third party provides at least the same level of privacy protection as is required by this Policy.
- Reasonable precautions will be taken to prevent: unauthorized or accidental destruction, alteration or disclosure of; accidental loss of; unauthorized access to; misuse of; unlawful Processing of; or damage to, Client Data and Candidate Data.
What are the Purposes of Processing?
Mintz Group collects and uses Client Data and Candidate Data in order to: service requests for pre-employment or pre-board appointment background checks on Candidates; conduct pre-transaction background checks on individuals; and conduct other services in furtherance of its business relationship with Client.
For example, the following is an illustrative, but not exhaustive, list of Mintz Group’s business activities all requiring the Processing of Client Data and Candidate Data in the context of Mintz Group’s business relationships with Clients:
- Mintz Group Client identification;
- reimbursement of Mintz Group Client expenses;
- compliance and risk management;
- communication with Mintz Group Clients;
- pre-employment, pre-board appointment and pre-transaction background investigations, including civil and criminal litigation checks;
- reporting on financial history and credit reviews of Candidates, including, with respect to certain United Kingdom candidates, credit-related address information as maintained by Experian Ltd.; Experian’s Credit Reference Agency Information Notice, or “CRAIN,” can be viewed on its website at https://www.experian.co.uk/legal/crain/index;
- regulatory and licensing checks of Candidates;
- press, internet, and social media reporting about Candidates; certain of Mintz Group’s social media research may be based in part on the use of artificial intelligence technology to conduct searches of publicly accessible social media content that has been posted on the Internet;
- verifying employment and education of Candidates;
- conducting searches in global risk compliance databases (“watchlists”);
- identifying past and present corporate affiliations;
- searching driving records;
- business development and growth opportunities; or
- compliance with applicable legal requirements.
Transfers of Personal Data
When Will Mintz Group Share Client Data or Candidate Data Amongst its Various Entities?
A Transfer of Client Data or Candidate Data between Mintz Group companies will only occur if the Transfer is based on a clear business need and is for the purposes described in Section 8.A.3. above.
What Client Data or Candidate Data Transfers Outside of Mintz Group May Be Made?
Mintz Group may, from time to time, Transfer Client Data or Candidate Data outside of Mintz Group:
- where required as a matter of law;
- where required to protect its legal rights (e.g., to defend litigation);
- at the direction of the relevant Mintz Group Client;
- to select third parties, where permitted by applicable local law; or
- to select third parties, as described below.
Under What Circumstances May Disclosures Be Made to Service Providers and Customers?
Mintz Group may disclose Client Data or Candidate Data to select third parties:
- that have been engaged to provide services to or on behalf of Mintz Group (e.g., conducting background checks) (‘Vendors’). In such circumstances, Mintz Group will only disclose Client Data that is necessary for, and material, relevant and limited to, the Vendor’s provision of those services;
- that obtain services from Mintz Group and that require specific information concerning the Mintz Group Clients involved in the provision of those services for the purposes of safety, security and the protection of the Client’s resources. In such circumstances, Mintz Group will only disclose Client Data that is necessary for, and material, relevant and limited to, those purposes; or
- where otherwise permitted under applicable local law.
What Requirements Will Be Imposed on Vendors?
Mintz Group will require that Vendors undertake by written contract to guarantee at least the same levels of protection afforded under this Policy when Processing Mintz Group Clients’ Client Data.
Security and Confidentiality
Mintz Group is committed to taking appropriate technical, physical and organizational measures to protect Client Data and Candidate Data (including Sensitive Client Data and Sensitive Candidate Data) against: unauthorized or accidental destruction, alteration or disclosure; accidental loss; unauthorized access; misuse; unlawful Processing; or damage.
These measures include equipment, application and information security, access security, and training of Mintz Group Workers who are required to Process Mintz Group Clients’ Client Data and Candidates’ Candidate Data about this Policy and the appropriate Processing of Client Data and Candidate Data.
The level of the relevant measures reflecting the risks and nature of the different types of Client Data and Candidate Data will be reviewed and updated periodically consistent with Mintz Group’s Information Security policies.
Sensitive Client Data and Sensitive Candidate Data
How Will Mintz Group Treat Sensitive Client Data and Sensitive Candidate Data?
Sensitive Client Data and Sensitive Candidate Data may be Processed for the purposes set out above. Mintz Group will endeavor to limit the Processing of Sensitive Client Data and Candidate Data to that strictly necessary for the purposes for which it was collected.
A Mintz Group Client’s explicit Consent to the Processing of his/her Sensitive Client Data will be obtained, except as otherwise allowed by law. Similarly, a Mintz Group Candidate’s explicit Consent to the Processing of his/her Sensitive Candidate Data will be obtained, except as otherwise allowed by law.
What Are Mintz Group Clients’ or Candidates’ Rights to Access Their Data?
Any Mintz Group Client or Candidate, as the case may be, may inquire as to the nature of his/her Data held by Mintz Group. Mintz Group will endeavor to respond to an inquiry without excessive delay and within the time limits prescribed by applicable local law (if any) or otherwise within a reasonable time period.
A Mintz Group Client or Candidate wishing to access his/her Data held by Mintz Group should contact the Data Protection Team at firstname.lastname@example.org.
In responding to a request for access, Mintz Group may request that the requesting Mintz Group Client or Candidate, as the case may be:
- provide Mintz Group with sufficient information to allow it to confirm the Mintz Group Client’s or Candidate’s identity;
- identify his/her concerns which led to or motivated the request, in order to locate responsive information; and
- identify which Mintz Group companies the Mintz Group Client or Candidate interacted with and the nature of the Data requested.
Mintz Group may, at its discretion and to the extent permitted to do so under applicable local law, require that a Mintz Group Client or Candidate, as the case may be, pay his/her reasonable costs of providing access.
When Might Requests for Access to or Amendments to Client Data Be Refused?
Mintz Group may refuse a Mintz Group Client’s or Candidate’s request for access to his/her Data in certain circumstances. For example, depending on the circumstances of the request, access may not be provided where:
- the burden or expense of providing access would be disproportionate to the risks to the requester;
- the rights or interests of an individual other than the requester would be violated, such as where access would reveal another Mintz Group Client’s Client Data or Candidate’s Candidate Data;
- access would reveal information which Mintz Group has taken steps to protect from disclosure, where disclosure would help a competitor in the market (‘Confidential Commercial Information’), such as where Confidential Commercial Information cannot be readily separated from the Client Data or Candidate Data;
- the execution or enforcement of the law, including prevention, investigation or detection of offences or the right to a fair trial would be interfered with;
- a Mintz Group internal investigation or grievance proceeding would be prejudiced;
- any confidentiality that may be necessary: for limited periods in connection with Mintz Group Client or Candidate succession planning and corporate re-organizations; or in connection with monitoring, inspections or regulatory functions connected with sound economic or financial management, would be prejudiced;
- a court or other authority of appropriate jurisdiction determines that Mintz Group is not required to provide access;
- a legal or other professional privilege or obligation would be breached; or
- there is no legal requirement for Mintz Group to provide such access, including because the local legal requirements for a valid data subject access request have not been met.
If a request for access or rectification is refused, the reason for the refusal will be communicated to the Mintz Group Client or Candidate. In this case the Mintz Group Client or Candidate affected may make use of the dispute resolution Processes described in ‘Grievance Mechanism’ below.
What Are Mintz Group Clients’ or Candidates’ Rights to Amend Their Data?
If a Mintz Group Client’s Client Data or Candidate’s Candidate Data is inaccurate or incomplete, the Mintz Group Client or Candidate may request that his/her Data be rectified.
Transfer of EEA Data Outside of the EEA
Client Data or Candidate Data (including EEA and Non-EEA Data from jurisdictions with cross-border data Transfer restrictions) is shared with Mintz Group companies around the world in accordance with applicable local law and/or under one or more inter-company agreements which safeguard the integrity of the Client Data or Candidate Data and the privacy rights of the Mintz Group Client whom the Client Data or Candidate Data concerns.
If at any time a Mintz Group Client or Candidate believes that his/her Data has been Processed in violation of this Policy, the Mintz Group Client or Candidate may report the concern to the Data Protection Team at email@example.com.
If a complaint of the nature described above concerns EEA Data and the complaint remains unresolved after referral to the Data Protection Team, Mintz Group will cooperate with the EEA Data Protection Authorities and/or their representatives (‘DPAs’), as appropriate, for investigation and resolution of the complaint.
If the DPAs take the view that Mintz Group needs to take more specific action to comply with the GDPR, Mintz Group will comply with the advice of the DPAs, which may include:
- reversing or correcting the effects of any non-compliance, insofar as is feasible;
- ensuring that future EEA Client Data and Candidate Data Processing will be in conformity with the GDPR; and
- where possible, ceasing the Processing of the relevant EEA Client Data and Candidate Data.
Mintz Group will provide the DPAs with written confirmation of the actions it has taken to comply with the advice of the DPAs.
Communication about this Policy
Mintz Group is committed to communicating this Policy and how it may be accessed to all current and new Mintz Group Clients and Candidates. Mintz Group will make this Policy available on its website.
Mintz Group will monitor its compliance with this Policy on an ongoing basis. Mintz Group will periodically verify that this Policy continues to conform to and comply with the GDPR. A statement affirming successful completion of any such assessment will be signed by a corporate officer or other authorized representative of Mintz Group at least once per year and made available upon request by a Mintz Group Client or Candidate or in the context of an investigation or complaint about compliance.
This Policy supersedes and replaces any and all prior policies, guidelines and practices, written and unwritten, regarding its subject matter. Subject to any applicable local law requirements, the Company reserves the right to change, replace, or cancel this Policy with or without notice at its sole discretion at any time.
Mintz Group is committed to ensuring that this Policy is observed by Mintz Group Clients and Candidates. Mintz Group Clients and Candidates must comply with this Policy. Non-compliance with this Policy could result in termination of any business relationship, contractual or otherwise, with a Mintz Group Client or Candidate.
In some countries, violations of regulations designed to protect Client Data may result in administrative sanctions, penalties, and/or claims for compensation and/or damages.
Compliance with this Policy may be verified through various methods, including internal and external audits.
Clients or Candidates should contact the Mintz Group Office of General Counsel Team at OGC@mintzgroup.com with any questions about this Policy. Clients or Candidates should contact the Data Protection Team at firstname.lastname@example.org with any concerns about possible violations of this Policy.