CTG recognizes that European privacy law requires “adequate protection” for the transfer of such European non-HR and HR Data to CTG U.S. To provide this adequate protection, CTG U.S. adheres to the principles of the EU-U.S. Privacy Shield Framework (the “Framework”). To the extent we have received European non-HR Data and HR Data in reliance of the Framework, we are committed to subjecting such information to the Framework’s Principles. For more information about the Privacy Shield Principles or to access CTG’s certification statement, please go to https://www.privacyshield.gov/list.
This Privacy Shield Policy ("Policy") applies to all European non-HR and HR Data received by CTG U.S., either directly from the Internet or from other sources, and in any format whatsoever. This Policy does not apply to information about individuals located outside of the EEA.
For the purpose of this Policy, the following definitions shall apply:
- “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- "European HR Data” means Personal Data about EEA employees (past or present) collected in the context of the employment relationship.
- "European non-HR Data" means Personal Data about EEA citizens collected or processed as a result of our business relationships with our customers, delivery of CTG’s services, individuals accessing our websites, marketing, and the processing of prospective job candidates’ information.
- "Sensitive Personal Data” means Personal Data specifying medical, biometric, genetic, or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual or regarding criminal convictions or offenses.
- "Processing” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
Types of Personal Data CTG Collects
European HR Data
CTG processes Personal Data of its employees in the EEA in order to facilitate standard day-to-day business activities and employment relationship activities. The categories of Personal Data, the purpose and legal basis for processing, and other required disclosures are communicated and provided to CTG EEA employees via internal policies and procedures.
European Non-HR Data
- Contact Data: Names, addresses, telephone numbers, email addresses
- Job Candidate Data: Candidate-provided work background including education, employment background, training related to employment opportunities with CTG
- Customer Data: Personal Data received from CTG’s customers necessary to support CTG’s services
- Registration Data: Publication requests, training events, subscriptions, and downloads
- Marketing Data: Participation in marketing campaigns, access, and requests for content and information
- System and Device Data: IP addresses, CTG cookies, third party cookies
CTG notifies all non-employee EEA Data Subjects about its data practices regarding European non-HR Data and their Personal Data processed by CTG in the U.S. from the EEA in this policy.
CTG notifies its employees in the EEA regarding its policies and practices for European HR Data regarding their Personal Data received by CTG in the U.S. from the EEA, via internal policies and procedures. CTG employees should contact their local Human Resources Department or the Privacy Office for these policies.
CTG U.S. may disclose European Personal Data to its third-party service providers/agents for the exclusive purpose of enabling them to provide services and/or support to CTG in connection with the above-mentioned purposes and functions. CTG U.S. will exercise appropriate due diligence in the selection of such third party service providers and require that such third party service providers maintain reasonable precautions to protect European Personal Data and otherwise process European Personal Data only as instructed by CTG U.S. and for no other purposes.
If European Personal Data covered by this Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, CTG will provide EEA Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt-out of such uses or disclosures of Personal Data should be sent to firstname.lastname@example.org.
3. Accountability for Onward Transfer
Regardless of any other provisions in this Policy, we may also disclose European Personal Data when required to do so under law or by legal process or as may be otherwise permitted by the Framework. CTG U.S. remains liable in cases of onward transfers to third parties unless it is established that CTG U.S. is not responsible for the event giving rise to the damage.
CTG takes reasonable and appropriate measures to protect personal data from loss, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the data.
Pursuant to the Privacy Shield Principles, and in concurrence with applicable data protection laws, EEA Data Subjects may have the right to: (i) request access to their European Personal Data; (ii) request rectification of their European Personal Data; (iii) request deletion of their Personal Data; or (iv) lodge a complaint with the competent data protection supervisory authority. Please note that these aforementioned rights might be limited under the applicable national data protection law, where the legitimate rights of other persons would be infringed, or where the burden or expense of providing access would be disproportionate.
6. Recourse, Enforcement, and Liability
CTG will remain responsible for the collection, use, and disclosure of European Personal Data in accordance with the Framework. CTG U.S. will investigate and attempt to resolve complaints and disputes regarding use and disclosure of European Personal Data in accordance with the Privacy Shield Principles. CTG encourages interested employees with questions or concerns relating to CTG U.S.' Privacy Shield participation to contact the Privacy Shield Contact using the contact information as follows.