Privacy Policy

Version: 1.0

Owner: GIS – Information Security

Table of Contents

1. Purpose

2. Scope

3. General Guidelines

4. Definitions

5. Relationship with the applicable law

5.1. Procedure to be adopted in case of conflict with the applicable law

6. General principles relating to processing personal data

6.1. Data subject rights

6.2. Transparent information about the purpose of the processing

6.2.1. Minimisation of the processing

6.3. The data subject’s consent

6.4. Data Protection Impact Assessment

7. Data security

7.1. Special categories of Personal Data

8. Transfer of personal data

9. Cooperation with the competent Data Protection Authorities

10. Compliance

11. References

 

 

Revision History

| Version # | Revision Date | Description of Changes |
|---|---|---|
| 1.0 | 13-Apr-2018 | First Release |

Document Control Summary of Changes

| Version # | Version Date | Author | Nature of Change |
|---|---|---|---|
| 1.0 | 13-Apr-2018 | Ernst & Young team | First Release |

Document Change Approvals

| Name | Role | Approval Date (mm/dd/yyyy) |
|---|---|---|

Document Review Plans

This document is reviewed and updated as follows:

  • Annual review
  • Any major organizational changes

1. Purpose

The ManpowerGroup entities, as the entities that decide the purposes and means of Processing Personal Data (“Data Controllers”), must ensure compliance with the principles embodied in this Privacy Policy. In this respect, the managerial employees of the ManpowerGroup entities shall ensure that this Privacy Policy is implemented, which includes in particular providing information to the employees. A ManpowerGroup Data Controller shall provide appropriate training on these rules and other privacy and data security obligations to personnel who have permanent or regular access to personal data, who are involved in the collection of Personal Data or in the development of tools used to process Personal Data.

The ManpowerGroup and its companies take privacy seriously and work every day to ensure lawful, fair and transparent processing. This Privacy Policy defines guidelines and principles for the processing of personal data within the ManpowerGroup, in order to ensure the protection of business partners, clients, candidates, employees and other Data Subjects with regard to the processing of personal data.

2. Scope

This Privacy Policy applies to:

  • All ManpowerGroup entities: Manpower may supplement these principles through sub‐policies and notices that are consistent with this Privacy Policy. Should this Privacy Policy become invalid, irrespective of the reasons or causes for such invalidity, all ManpowerGroup entities are bound by this Privacy Policy with respect to Personal Data transferred prior to the date of such invalidity;
  • The Processing of Personal Data carried out by and/or on behalf of the ManpowerGroup: Employees, customers, suppliers, other contractual partners, subjects and other parties, regardless of the origin of the data, can process personal data on behalf of the ManpowerGroup. Only authorized personnel, who have undertaken to observe data secrecy requirements, are allowed to be involved in the Processing of Personal Data. It is prohibited for them to use such data for their own private purposes or to make it accessible to any unauthorized person/entity. Unauthorized in this context also means the use of Personal Data by employees who do not need access to such data to fulfill their employment duties.

The Data Processor shall observe the general principles of this Privacy Policy. To ensure compliance with the requirements of this Privacy Policy in respect of the processing to be carried out on behalf of a ManpowerGroup entity (Data Controller), when entrusting a Data Processor with processing activities, the Data Controller should use only Data Processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Privacy Policy, including for the security of processing.

3. General Guidelines

This section provides general guidelines for the understanding and implementation of the policy statements.

  1. This is a global policy and it lays down the minimum baseline requirements for information security to be followed and implemented in in-scope ManpowerGroup locations.
  2. In order to comply with the requirements specified in the policy, the ManpowerGroup locations may choose to customize certain policy statements to suit the local law or requirement, resulting in a location-specific policy.
  3. If a data security and privacy law or regulation of a specific ManpowerGroup location conflicts with, or imposes a higher degree of requirements than, the requirements under this policy, then the local law or requirements will supersede these policy statements.
  4. The policy statements should be deemed as mandatory requirements. To indicate additional controls that are applicable, certain clauses of the policy statements have been phrased so as to include ‘as/wherever applicable’ or ‘based on technical feasibility’. ManpowerGroup users are recommended to consider such controls through business/technical feasibility analysis for their in-scope systems.
  5. This policy is applicable to all users of the systems covered under the scope of this policy. The Policy can be referred to and enforced by the respective IT Security Teams.
  6. The “Associated Processes and Guidelines” section of the Policy lists the recommended processes, which might be documented to help the implementation of the Policy.
  7. The “Roles and Responsibilities” section provides only an indicative list of roles and responsibilities. The composition of the team might vary depending on the ManpowerGroup local team's organization structure.

4. Definitions

The following table provides definitions of common terms and acronyms used across this policy.

| Term or Acronym | Description |
|---|---|
| Confidentiality | The authorized access to or disclosure of information. Confidentiality is maintained by not making it available or disclosing it to unauthorized individuals, entities, or processes. |
| Data controller | It means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law |
| Data processor | It means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller |
| Data Protection Impact Assessment (DPIA) | A DPIA is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them). |
| Data Protection Officer (DPO) | A figure appointed by the Data Controller or Data Processor that provides advisory services regarding the implementation of GDPR |
| Data Subject | Data subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about. |
| GDPR | The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU) |
| Personal data breach | A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| Personally identifiable information (PII) | Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Examples of PII include, but are not limited to, full name (if not common), home address, phone, date of birth, residential address, and so on. |
| Personal Data | Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Sensitive personal information (SPI) | Sensitive personal information (SPI) is defined as information that if lost, compromised, or disclosed could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Examples of SPI include, but are not limited to, health records, gender, and so on. |
| Supervisory Authority | Supervisory Authority means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR |

 

5. Relationship with the applicable law

Existing legal obligations – both national and international – shall prevail over this Privacy Policy.

Every recipient of personal data must therefore check whether those regulations apply in his/her field of responsibility and ensure compliance. However, where data protection requirements under national or international law applicable to Personal Data Processing are less strict than under this Privacy Policy, this policy shall prevail. In certain countries, the Data Protection Authorities require notification and/or registration from the Data Controller before any wholly or partially automated processing of personal data is performed. Each ManpowerGroup entity is responsible for complying with any notification and registration obligations in its respective countries. The transfer of Personal Data to government authorities and agencies is only permissible in accordance with the respective applicable national laws.

5.1. Procedure to be adopted in case of conflict with the applicable law

Whenever a ManpowerGroup entity has reasons to believe that legal obligations are preventing it from fulfilling its obligations under this Privacy Policy, it shall notify the Legal Dept. (“Legal Affairs”) immediately, unless prohibited from doing so by a law enforcement agency under national law. ManpowerGroup entities shall:

  • make a responsible decision on the matter in consultation with Legal Affairs and, if necessary, shall notify the respective national Data Protection Authority accordingly;
  • develop and implement policies and procedures to comply with the principles of this Privacy Policy.

6. General principles relating to processing personal data

6.1. Data subject rights

The ManpowerGroup entities process personal data lawfully, fairly and in a transparent manner in relation to the Data Subject. Processing shall be lawful only to the extent that the following Data Subject rights apply: right of access by the data subject, right to rectification, right to erasure, right to restriction of processing, right to portability, right to object and automated individual decision-making.

6.2. Transparent information about the purpose of the processing

The data subject shall be informed in advance about the purpose of the processing: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

6.2.1. Minimisation of the processing

The processing of personal data must be required for the intended purpose. The time range for processing of personal data should be strictly necessary to fulfill the intended purposes. Available possibilities for the anonymization of personal data should be used at an early stage, as far as this is possible and the cost is appropriate to the intended protective purpose.

6.3. The data subject’s consent

The processing of personal data is permitted only if the data subject has given consent or if permissible under applicable law at the place of processing. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. The declaration of Consent must be highlighted when included as part of other statements so as to be clear to the data subject.

6.4. Data Protection Impact Assessment

The GDPR puts a lot of emphasis on the Accountability of the Data Controller. The Data Controller and Data Processor are therefore required to take on a higher responsibility for the protection of personal data. In order to do that, it is necessary to introduce a privacy risk-based approach for the identification of the appropriate measures for the protection of personal data.

Article 35 of the GDPR defines the activity of evaluating the impact on personal data protection through a Data Protection Impact Assessment (hereafter DPIA), aiming to promote such an approach.

The DPIA aims to identify the level of risk exposure associated with personal data processing, as well as to evaluate the need for and proportionality of the processing.

The evaluation, as prescribed by the GDPR, has to provide at least the following elements:

  • description of the foreseen data processing and the processing purposes;
  • assessment of the need and proportionality of the data processing related to their objectives;
  • assessment of the risks concerning the fundamental rights and freedoms of data subjects;
  • the foreseen measures in order to mitigate the risks and the mechanism to protect personal data.

A DPIA may relate to a single processing operation or to several operations that are similar in terms of nature, scope, context, purposes and risks.

DPIA should be conducted prior to processing. However, a continuous review of the DPIA should be provided, repeating the evaluation at regular intervals.

ManpowerGroup will define a formal process and procedure to be applied for:

  • determining whether a DPIA is required;
  • determining the involvement of the Data Protection Officer (if appointed);
  • determining what departments will be involved in the process;
  • providing adequate tools to perform the DPIA appropriately across the organization;
  • determining measures to address the envisaged risks;
  • determining means to involve the Supervisory Authority if the result is a high risk to the rights and freedoms of the data subjects involved.

7. Data security

ManpowerGroup entities shall implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These measures refer in particular to ICT systems (i.e. server, clients, workstations, networks and communication links, operating systems, DBs, and applications). The appropriate measures which have been implemented within the ManpowerGroup to avoid the unauthorized processing of personal data include, among other things, controls on information security (physical and logical accesses); input of data into data processing systems; data processing within processing systems; output of data from data processing systems; data transfer among different processing systems.

7.1. Special categories of Personal Data

Special categories of personal data (or “Sensitive Data”) merit higher protection: their collection and processing are generally prohibited. Depending on the category of Sensitive Data and the risks associated with the intended use, appropriate security measures will be taken (e.g. pseudonymization, technical security devices, encryption and limitation of physical access).

8. Transfer of personal data

The transfer of personal data across national borders is only permissible if such data are properly protected or if the ManpowerGroup entity that processes the data can give an adequate guarantee that the Privacy of the individuals whose data are transmitted is being protected. This Privacy Policy is designed to ensure that all ManpowerGroup entities meet this requirement, in either of the following cases:

  • from the European Union (EU) to a Third Country (every country outside the EU): If the recipient is not a ManpowerGroup entity, it must be ensured that this Privacy Policy applies to the recipient accordingly. The ManpowerGroup entity transferring personal data will take appropriate measures in case of violations by the recipient;
  • within a Third Country or to another Third Country: The further transfer of personal data which have been transferred from the EU to a recipient within the Third Country or to another Third Country is only permitted if such Third Country has an adequate data protection standard. In any case, the ManpowerGroup entity in the EU that transferred the Personal Data shall be informed prior to a further transfer of personal data within the Third Country or to another Third Country.

9. Cooperation with the competent Data Protection Authorities

A local ManpowerGroup entity - and other affiliates to which the entity transfers Personal Data out of the EU - shall respond to all requests for information from the local Data Protection Authority, to the extent such requests are consistent with applicable law and regulations and relate to compliance with this Privacy Policy in the country or in relation to Personal Data exported by the entity.

Each ManpowerGroup entity shall cooperate and assist each other to handle a request or complaint from an individual or an investigation or inquiry by Data Protection Authorities.

10. Compliance

ManpowerGroup will evaluate, test and report on the Manpower Data Controller’s compliance with this Privacy Policy. Such audit must be carried out on a regular basis by the internal or external accredited audit team. The results of all audits should be communicated to the relevant board of management. Where any noncompliance with this Privacy Policy is identified in such audits, the relevant business manager shall design and implement remediation measures.

Data Subjects may contact ManpowerGroup or his/her local representatives at any time with any questions and complaints regarding the processing of personal data. Such questions and complaints will be processed confidentially.

If a question or complaint raised by a data subject relates to an alleged violation of this Privacy Policy by a ManpowerGroup entity located in a country other than the country in which the Data Subject resides, the Data Subject may contact the ManpowerGroup entity which transferred the data. Should the alleged violation be confirmed, the ManpowerGroup entities affected will cooperate with the respective parties (e.g. Data Protection Authorities, other entities) in line with this Privacy Policy and remedy such alleged violation. In order to make the principles accessible to data subjects, the current version of this Privacy Policy shall be made available to all data subjects in a suitable manner, e.g. via the Intranet or Internet.

11. References

MPG DSAR Policy

Data Breach Policy