Effective Date: July 29, 2021
EU Employee Notice Regarding Use of Personal Data (“Notice”)
As your employer, Returnly Technologies Spain, S.L.U., or Midship sp. z o.o., as applicable to you as an employee of either company (collectively, “Company”, “we” or “us”), collects, uses and discloses Personal Data relating to you for a variety of employment-related purposes before, during and after your employment with the Company. Company is committed to ensuring that your Personal Data will be handled in accordance with all applicable data privacy laws. Data privacy laws generally require that individuals be informed of (and, under certain circumstances, consent to) the processing of their Personal Data and to transfers of the information to third parties and countries, and can impose other obligations on organizations processing such information.
Personal Data Company Collects:
Personal Data that the Company may collect and hold about you (in either paper or electronic format) includes:
- Your personal contact details
- Date of birth and any demographic information you provide us (e.g. preferred pronouns, race/ethnicity).
- Government identification numbers such as social security number, social insurance or other national insurance number, driver’s license number or other identification card number.
- Educational background and employment history (including references, work history and proof of work eligibility).
- Personal financial information (e.g., bank account and routing number for direct deposit).
- Family information including your marital status and beneficiary and dependent details and contact information for your emergency contacts.
- Information related to the activities you perform as a Company employee, including salary, benefits-related information, annual leave, job titles, working hours, holidays, absences, training records and professional memberships as well as performance evaluations, records of tasks assigned, disciplinary actions, and/or grievance information.
- Information about your health, such as medical conditions and health and sickness records, when you report this information to the Company. This includes details of any absences (other than holidays) from work, including time on statutory parental leave and sick leave; information related to biological screenings or testing for controlled substances (if applicable to your country); records related to administering and maintaining your healthcare and other benefits; and information about a condition needed for pensions and permanent health insurance purposes when you leave employment and the reason for leaving is related to your health.
- Union membership (if applicable to your country).
- Information relating to criminal convictions and offences (if applicable to your country).
- Information about your use of Company resources, systems, networks and devices.
How Company Uses Your Personal Data
Company collects information about you in the normal course of business and for other purposes related to your role and function in the Company, including:
- Decisions related to your employment, including reviewing your performance; evaluating your development as an employee; setting your job duties and assessing our staffing needs; assessing your qualifications for other roles within the Company or promotion; determining salary and compensation; for grievance or other disciplinary procedures, including termination; dealing with any legal disputes involving you or other employees and contractors, including accidents at work; and ascertaining your fitness for work.
- Business Purposes, including conducting data analytics studies to review and better understand employee retention and attrition rates; and ascertaining and fulfilling education, training, and development requirements.
- Administering payments and benefits, including making tax and other required deductions; making decisions about benefit eligibility; and fulfilling obligations related to employment leaves.
- Security measures and complying with health and safety obligations, including ensuring the physical safety of our facilities, resources, employees, and other people from threats; preventing fraud and securing our systems, data, resources, and facilities from unauthorized access or exploitation; monitoring compliance with our IT policies; ensuring network and information security, including preventing unauthorized access to our computer and electronic communications systems, and preventing malicious software distribution; and investigating theft and other illegal activities.
- Compliance with legal obligations, including verifying that you are legally permitted to work in the country where you are employed and responding to mandatory government reporting requirements.
Monitoring Business and Private use of Company Systems
Company may, in accordance with local law and to guarantee its electronic systems, carry out monitoring operations on its information systems and communications systems, including computers, portable and other devices, telephone, e-mail, voicemail, Internet and other communications (collectively, “our Systems”).
Company reserves the right to preserve, collect, search, review, and disclose data; the contents of messages or documents on any medium; or check activity undertaken through our Systems for the following purposes (this list is not exhaustive):
- To detect, prevent or investigate cyberattacks or other information security incidents, including but not limited to attempts to gain unauthorized access to our Systems, the introduction of viruses and malware or other violations of Company’s information security policies (websites or communications may be blocked if they are likely to be, or known to be, sources of viruses, malware or other information security vulnerabilities).
- To detect, prevent or investigate corporate espionage and data loss.
- To monitor whether the use of our Systems is legitimate, lawful and compliant with the Company policies.
- To find lost messages or to retrieve messages lost due to computer failure or where the employee is absent and it is necessary for the business to continue his/her correspondence on its behalf or retrieve correspondence or documents he/she may have received or created during such absence.
- To identify and filter spam messages, which may entail accessing email content.
- To assist in the investigation of wrongful acts affecting Company or for which it may be liable.
- As part of any discovery or disclosure exercise or in relation to any possible litigation or investigation affecting Company.
- To protect confidential information and trade and business secrets.
- To protect Personal Data of third parties.
- To comply with any legal obligation.
The contents of communications and usage information may be disclosed to third parties (including affiliates, regulatory authorities, courts and counterparties in litigation and our or their agents anywhere in the world) as described below. Where evidence of misuse is found, we may undertake a more detailed investigation, involving the examination and disclosure of any monitoring records and interviewing of witnesses or managers involved.
More information can be found by accessing our Acceptable Use Policy.
Sharing Employee Information
We will share your Personal Data with third parties outside of Company where it is necessary to administer the working relationship with you, where such processing is necessary for compliance with a legal obligation to which Company is subject, or where we have another legitimate interest to do so.
We may disclose your Personal Data to service providers rendering services on Company’s behalf. Common examples of providers are payroll processors, call centers, employee benefits providers, and companies providing other support services to Company. We also may send your Personal Data to companies we have contracted with to operate various information systems or to process certain transactions (e.g., payroll services providers, cloud storage providers).
Generally, Company will only disclose workforce Personal Data to third parties other than service providers:
- when required to do so by law, regulation or court order;
- in response to a legitimate request for assistance by the police or other law enforcement agency;
- to seek legal advice from Company’s external legal counsel or in connection with litigation;
- to prevent or enable investigation of fraud or potential illegal conduct, or during emergency situations or where necessary to protect the safety of persons;
- in connection with the sale, purchase or merger of a business; or
- to provide a third party (such as a potential or existing business counterparty or customer) with a means of contacting you in the normal course of business, for example, by providing your contact details, such as your personal phone number and email address.
These third parties and Company entities may be located in jurisdictions whose data privacy laws may not be equivalent to data privacy laws in your own country of residence. Such transfers or disclosures will be made within the scope of applicable laws.
We hold your Personal Data in the United States, where Company is headquartered, or in Canada. From time to time, we may be required to transfer your Personal Data across borders and internationally for the purposes set forth above. When we do so, we will ensure that an appropriate level of protection is given to your information and that the transfers are conducted in compliance with applicable law.
We have implemented appropriate physical, technical and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration or disclosure. In addition, we limit access to personal data to those employees, agents, contractors and other third parties that have a legitimate business need for such access.
Company will retain your Personal Data for as long as is necessary, or for such longer period as may be required by law or to satisfy a legitimate business need. Records that are no longer needed are either deidentified (and the deidentified information may be retained) or securely destroyed.
Please note that these periods may be extended where reasonably necessary (for example, where we are required to do so by law or by a regulator).
Updates or Requests Related to your Personal Data
We process “Personal Data,” as that term is defined in the EU General Data Protection Regulation, on the following legal bases: (1) with your consent; (2) as necessary to perform our employment agreement; and (3) as necessary for our legitimate interests in providing the Services where those interests do not override your fundamental rights and freedom related to data protection. Information we collect may be transferred to, and stored and processed in, the United States or any other country in which the Company or our affiliates or subcontractors maintain facilities, as described above.
Under certain circumstances, you may have the right to:
- Request from us access to information held about you.
- Request that we rectify inaccurate or incomplete information we hold about you.
- Request that we erase data when such data is no longer necessary for the purpose for which it was collected, when you withdraw consent and no other legal basis for processing exists, or when you believe that your fundamental rights to data privacy and protection outweigh our legitimate interest in continuing the processing.
- Request that we restrict our processing if there is a dispute about the accuracy of the data, if the processing is unlawful, if the processing is no longer necessary for the purposes for which it was collected but is needed by you for the establishment, exercise or defense of legal claims, or if your request to object to processing is pending evaluation.
- Object to processing of your personal data based on our legitimate interests. We will no longer process the data unless there are compelling legitimate grounds for our processing that override your interests, rights, and freedoms, or for the purpose of asserting, exercising, or defending legal claims.
- Withdraw your consent at any time, if we are processing your Personal Data based on your consent.
To submit a request to exercise your rights, please contact us at email@example.com. Under applicable law, we may not be required to comply with your request in whole or in part, or may comply with it in a more limited way than you anticipated. If this is the case, we will explain that to you in our response.
Nothing in this Notice is meant to vest in an employee any greater rights than they may have under applicable data protection laws, employment contract or employment handbook. This Notice is not intended to replace other notices provided by the Company in accordance with applicable national laws and regulations. In the event of any conflict between notices required by local applicable law(s) and this Notice, any notices required by local law will control.
We reserve the right to amend this Notice from time to time and encourage you to periodically review this Notice.
Questions about Company’s Use of Your Personal Data
If you have a concern or a question about how we process your Personal Data, contact firstname.lastname@example.org.