Privacy Shield Policy

Last Updated: April 20, 2018

As a global company, some of its employees’ European HR Data will be Processed (defined below) and stored at CTG's operations in the United States ("CTG U.S."). CTG recognizes that European privacy law requires “adequate protection” for the transfer of such European HR Data to CTG U.S. To provide this adequate protection, CTG U.S. adheres to the principles of the EU-U.S. Privacy Shield Framework (the “Framework”). To the extent we have received European HR Data in reliance of the Framework, we are committed to subjecting such information to the Framework’s Principles. For more information about the Privacy Shield Principles, please go to https://www.privacyshield.gov.

Scope

This Privacy Shield Policy ("Policy") applies to all European HR Data received by CTG U.S., either directly from employees or from other sources, and in any format whatsoever. This Policy does not apply to information about employees located outside of the EEA. All employees should check with their Human Resources Department for further information about CTG's policies and procedures related to employee information.

Definitions

For the purpose of this Policy, the following definitions shall apply:

  • “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
  • "European HR Data” means Personal Data about EEA employees (past or present) collected in the context of the employment relationship.
  • "Sensitive Personal Data” means Personal Data specifying medical, biometric, genetic, or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual or regarding criminal convictions or offenses.
  • "Processing” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

1 Notice

CTG notifies its employees in the EEA ("EEA Data Subjects") covered by this Policy about its data practices regarding their Personal Data received by CTG in the U.S. from the EEA, via additional internal policies and procedures.

2 Choice

CTG U.S. may disclose European HR Data to its third party service providers/agents for the exclusive purpose of enabling them to provide services and/or support to CTG in connection with the above mentioned Human Resources purposes and functions. CTG U.S. will exercise appropriate due diligence in the selection of such third party service providers, and require that such third party service providers maintain reasonable precautions to protect European HR Data and otherwise process European HR Data only as instructed by CTG U.S. and for no other purposes.

If European HR Data covered by this Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, CTG will provide EEA Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to: privacy@ctg.com

3 Accountability for Onward Transfer

Regardless of any other provisions in this Policy, we may also disclose European HR Data when required to do so under law or by legal process or as may be otherwise permitted by the Framework. CTG U.S. remains liable in cases of onward transfers to third parties unless it is established that CTG U.S. is not responsible for the event giving rise to the damage.

4 Security

CTG takes reasonable and appropriate measures to protect personal data from loss, unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the data.

5 Access

Pursuant to the Privacy Shield Principles, and in concurrence with applicable data protection laws, EEA Data Subjects may have the right to: (i) request access to their European HR Data; (ii) request rectification of their European HR Data; or (iii) lodge a complaint with the competent data protection supervisory authority. Please note that these aforementioned rights might be limited under the applicable national data protection law, where the legitimate rights of other persons would be infringed, or where the burden or expense of providing access would be disproportionate.

6 Recourse, Enforcement, and Liability

CTG will remain responsible for collection, use, and disclosure of European HR Data in accordance with the Framework. CTG U.S. will investigate and attempt to resolve complaints and disputes regarding use and disclosure of European HR Data in accordance with the Privacy Shield Principles. CTG encourages interested employees with questions or concerns relating to CTG U.S.' Privacy Shield participation to contact the Privacy Shield Contact using the contact information as follows.

Computer Task Group, Inc 800 Delaware Avenue Buffalo, NY 14209, U.S.A. Attention: Privacy Office

Or

privacy@ctg.com

With respect to any complaints relating to the Privacy Shield Principles that cannot be resolved through CTG U.S.’ internal processes, CTG U.S. has agreed to cooperate with the European data protection authorities and to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the Privacy Shield Principles. Such resolution process is available free of charge to the employee. CTG U.S. is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory authority under the EU-U.S. Privacy Shield Framework.

Where a complaint cannot be resolved by any of the before mentioned recourse mechanisms, employees have a right to invoke binding arbitration under the Privacy Shield Principles.

7 Changes to this Privacy Shield Policy

This Policy may be amended from time to time consistent with the requirements of the Privacy Shield. Appropriate notice regarding such amendments will be provided.