We and our assessments providers understand well that Personal Data, its security and its protection are becoming increasingly important to individuals and organisations as a consequence of the European Union General Data Protection Regulation (GDPR), now in full effect.
GDPR applies to all organisations established in the European Economic Area (EEA) and also to those established outside the EEA, when their processing activities relate to the offering of goods and services to individuals in the EEA or to the monitoring of individuals' behaviour within the EEA. This note is intended to set out the data privacy issues as they impact on our client organisations in respect of data processed by IBM, SHL or Podium on your behalf and, to a more limited extent, our clients' contact data held and/or processed by ourselves.
AFM as Data Processor:
We at AFM do not ourselves gather, record, store or otherwise process Personal Data other than the contact details provided to us by a client organisation in order to maintain the communication necessary to enable swift and flexible responses to their Talent Management needs. This Personal Data is managed in line with the attached Data Protection Policy (to be updated from time to time) and data security incident and audit procedures for our hosting services. If we are required by a client at any time to handle any other Personal Data (including, for example, intervention in the processing of assessments or other candidate or employee related requests) we will do so under the client's instructions and, unless otherwise instructed by them, we will immediately, after completing the exercise, delete any such Personal Data from our systems and records. The Personal Data related to the relevant candidates or employees will thereafter reside on the servers of the relevant assessments service provider (IBM Inc, SHL Group Ltd, or Podium Systems Ltd, depending on the actual service provider / licensor) alone and AFM will have no access to such data.
Art. 27 GDPR: Representatives of controllers or processors not established in the EU: we do not intend to establish a Representative in the EU given that, as provided for in paragraph 2 of this Article, any processing that might be undertaken by us “will be occasional, will not include, on a large scale, processing of special categories of data as referred to in Article 9(1) GDPR, nor data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing”.
If you have any questions or need to discuss any issues around GDPR, please see our contact page.
Assessment service providers as Data Processors:
Pursuant to GDPR Article 28, where, as resellers, we contract for a service to a client (the “Data Controller”) involving the processing of that client's Personal Data, the service provider and the client need to agree the terms for the processing of this Personal Data. Information about data privacy, each provider’s policy in this respect and in relation to hosting, and other policies and processes can be found on their respective websites. For IBM services, see https://www.ibm.com/privacy/uk/en; for SHL, see https://online.shl.com/gb/en-gb/pages/privacy; and for Podium services, see https://www.podium365.com/about/privacy_policy.
Post Brexit: Personal Data may be processed on servers within EEA countries or in the USA. In order to help ensure compliance with applicable data protection law, on the date that the UK leaves the EU, references to the GDPR in any applicable contracts will include the UK Data Protection Act 2018 to the extent it applies. Other references to EU or EEA legislation will include any implementing or equivalent UK legislation, to the extent relevant, and will be addressed in the Data Privacy terms of that service provider.