Privacy Shield Policy

Last Updated: August 9, 2018

As a global company, CTG will receive and process both European non-HR Data and some of its European employees’ HR Data at CTG's operations in the United States ("CTG U.S."). CTG recognizes that European privacy law requires “adequate protection” for the transfer of such European non-HR and HR Data to CTG U.S. To provide this adequate protection, CTG U.S. adheres to the principles of the EU-U.S. Privacy Shield Framework (the “Framework”). To the extent we have received European non-HR Data and HR Data in reliance of the Framework, we are committed to subjecting such information to the Framework’s Principles. For more information about the Privacy Shield Principles or to access CTG’s certification statement, please go to https://www.privacyshield.gov/list.

Scope

This Privacy Shield Policy ("Policy") applies to all European non-HR and HR Data received by CTG U.S., either directly from the Internet or from other sources, and in any format whatsoever. This Policy does not apply to information about individuals located outside of the EEA.

Definitions

For the purpose of this Policy, the following definitions shall apply:

  • “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
  • "European HR Data” means Personal Data about EEA employees (past or present) collected in the context of the employment relationship.
  • "European non-HR Data" means Personal Data about EEA citizens collected or processed as a result of our business relationships with our customers, delivery of CTG’s services, individuals accessing our websites, marketing, and the processing of prospective job candidates’ information.
  • "Sensitive Personal Data” means Personal Data specifying medical, biometric, genetic, or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual or regarding criminal convictions or offenses.
  • "Processing” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

TYPES OF PERSONAL DATA CTG COLLECTS

EUROPEAN HR DATA

CTG processes Personal Data of its employees in the EEA in order to facilitate standard day-to-day business activities and employment relationship activities. The categories of Personal Data, the purpose and legal basis for processing, and other required disclosures are communicated and provided to CTG EEA employees via internal policies and procedures.

EUROPEAN NON-HR DATA

CTG collects the following categories of Personal Data about site visitors, clients, prospective employment candidates, suppliers, and other third parties. The company uses this information for the purposes indicated in CTG’s Privacy Policy.

  • Contact Data: Names, addresses, telephone numbers, email addresses
  • Job Candidate Data: Candidate-provided work background including education, employment background, training related to employment opportunities with CTG
  • Customer Data: Personal Data received from CTG’s customers necessary to support CTG’s services
  • Registration Data: Publication requests, training events, subscriptions, and downloads
  • Marketing Data: Participation in marketing campaigns, access and requests for content and information
  • System and Device Data: IP addresses, CTG cookies, third party cookies

1 Notice

CTG notifies all non-employee EEA Data Subjects about its data practices regarding European non-HR Data and their Personal Data processed by CTG in the U.S. from the EEA in this policy.

CTG notifies its employees in the EEA regarding its policies and practices for European HR Data regarding their Personal Data received by CTG in the U.S. from the EEA, via internal policies and procedures. CTG employees should contact their local Human Resources Department or the Privacy Office for these policies.

2 Choice

CTG U.S. may disclose European Personal Data to its third party service providers/agents for the exclusive purpose of enabling them to provide services and/or support to CTG in connection with the above mentioned purposes and functions. CTG U.S. will exercise appropriate due diligence in the selection of such third party service providers, and require that such third party service providers maintain reasonable precautions to protect European Personal Data and otherwise process European Personal Data only as instructed by CTG U.S. and for no other purposes.

If European Personal Data covered by this Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, CTG will provide EEA Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to: privacy@ctg.com

3 Accountability for Onward Transfer

Regardless of any other provisions in this Policy, we may also disclose European Personal Data when required to do so under law or by legal process or as may be otherwise permitted by the Framework. CTG U.S. remains liable in cases of onward transfers to third parties unless it is established that CTG U.S. is not responsible for the event giving rise to the damage.

4 Security

CTG takes reasonable and appropriate measures to protect personal data from loss, unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the data.

5 Access

Pursuant to the Privacy Shield Principles, and in concurrence with applicable data protection laws, EEA Data Subjects may have the right to: (i) request access to their European Personal Data; (ii) request rectification of their European Personal Data; (iii) request deletion of their Personal Data; or (iv) lodge a complaint with the competent data protection supervisory authority. Please note that these aforementioned rights might be limited under the applicable national data protection law, where the legitimate rights of other persons would be infringed, or where the burden or expense of providing access would be disproportionate.

6 Recourse, Enforcement, and Liability

CTG will remain responsible for collection, use, and disclosure of European Personal Data in accordance with the Framework. CTG U.S. will investigate and attempt to resolve complaints and disputes regarding use and disclosure of European Personal Data in accordance with the Privacy Shield Principles. CTG encourages interested employees with questions or concerns relating to CTG U.S.' Privacy Shield participation to contact the Privacy Shield Contact using the contact information as follows.

In the EEA        All Other Regions
Privacy Office
Computer Task Group NV
Woluwelaan 140A
1831 Diegem, Belgium
  Privacy Office
Computer Task Group, Inc
800 Delaware Avenue
Buffalo, NY 14209
United States of America

Or

privacy@ctg.com

With respect to any complaints relating to the Privacy Shield Principles that cannot be resolved through CTG U.S.’ internal processes, CTG U.S. has agreed to cooperate with the European data protection authorities and to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the Privacy Shield Principles. Such resolution process is available free of charge to the employee. CTG U.S. is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory authority under the EU-U.S. Privacy Shield Framework.

Where a complaint cannot be resolved by any of the before mentioned recourse mechanisms, employees have a right to invoke binding arbitration under the Privacy Shield Principles.

7 Changes to this Privacy Shield Policy

This Policy may be amended from time to time consistent with the requirements of the Privacy Shield. Appropriate notice regarding such amendments will be provided.