Global Data Protection and Privacy Notice for Personnel

Last updated: March 20, 2024

This Global Data Protection and Privacy Notice for Personnel (the “Privacy Notice”) is provided by Rocket Software, Inc. or the affiliate of Rocket Software, Inc. that is your employer (“Rocket Software,” “we,” “us,” or “our”) to help you understand our practices surrounding the collection, use and disclosure of your personal data. This Privacy Notice also applies to certain independent contractors, interns and other individuals who perform work for us (collectively “Non-Employee Workers”).

We respect the privacy of individuals and are committed to handling personal data responsibly and in accordance with applicable law. This Privacy Notice sets out the types of personal data that we collect and process about you, the purposes of the processing and the rights that you may have in connection with our processing, depending on your location.

This Privacy Notice addresses the following topics:

 

If you are located in the European Union, United Kingdom or Switzerland, you should also refer to “Jurisdiction Specific Information,” below, for a description of additional information and rights that you may have. In all other jurisdictions, this Privacy Notice is provided on an informational basis only, and your rights may vary according to applicable local data privacy laws.

This Privacy Notice applies only to information collected for employment purposes, whether through our websites or from other sources. The other sources might include information that you provide in connection with your application for employment as well as information obtained, for example, from prior employers, other references, pre-employment screening providers, and educational institutions.

This Privacy Notice does not form part of any contract of employment or other contract to provide services. It is important that you read and retain this notice, together with any other privacy notice that we provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information.

 

Categories of Personal Data We Collect About You

A. Categories of Personal Data

The categories of personal data collected may include, but are not limited to, the following:

  1. Basic identifiers and contact information, such as first name, last name, birth name, previous last name, address, date of birth, home telephone number, work mobile number, personal mobile number, email address, residential address, preferred language, car registration, job title, contact information, including email address, work address and telephone number, languages spoken, and preferences and interests, Internet Protocol (IP) address, and signature.
  2. Education and professional experience, such as work experiences, level of education, certifications, educational institutions attended, area of study, and training and any other information covered by our Global Applicant Privacy Notice.
  3. Emergency contacts, next of kin and beneficiary details, such as name, address, telephone number, e-mail address and the individual’s relationship to you.
  4. Evidence of identity and legal eligibility to work, such as photographs, passport and/or driving license details, marriage certificates (where applicable), professional or regulatory certificates, visas and relevant education certificates.
  5. Pre-employment or -engagement checks, such as references, interview notes, work visas, records/results of pre-employment checks (including criminal record checks), credit and fraud checks, any information included on your CV/resume and/or any application forms and any other information covered by our Global Applicant Privacy Notice.
  6. Terms of employment or engagement with us, including records of offer and acceptance of employment or other form of engagement, your contract, agreed hours, length of probation, secondment arrangements or other service contracts, changes to job description or title and reason for changes, reporting line, office location, function, job title, cost center, line manager and hiring manager details.
  7. Compensation details, and financial and government information, such as salary or fee information, variable or commission pay, bonus details, bank account details, national insurance, social security numbers or other tax identifiers, retirement account details and pension details.
  8. Benefit and other entitlement details, such as length of service, health and safety information, accessibility and disability information, leave of absence records, sickness records, relocation records, records of hours worked, marital status, and dependent and beneficiary details (which may include details about your dependents where relevant).
  9. Information included on our IT infrastructure or networks, such as emails (sender, recipient and content), messaging services (sender, recipient and content), recorded video calls (only recorded with consent), metadata, login data, documents, browser history, colleague/employee number, computer or facilities access and authentication information, identification codes, passwords, answers to security questions, and photographs.
  10. Information relating to your performance at work, such as performance ratings, performance reviews, performance improvement or development plans and related documents, recognition awards, details of outside business activities and directorship(s), and details of previous roles.
  11. Information relating to discipline, grievance, and other employment-related processes, such as interview/meeting notes, recordings, correspondence, information provided in connection with a whistleblower or other investigation, and any settlement arrangements.
  12. Information relating to your work travel and expenses, such as bank account details, passport, driving license, vehicle registration and insurance details.
  13. Promotion, cessation and termination details, including letters of resignation and reasons for termination, and any redundancy or settlement arrangements.
  14. Information collected using cookies and similar technologies (“Cookies”), such as information regarding your interaction with our website, including through the use of cookies. Please review our Cookies Notice to learn about the information we collect automatically using cookies when you visit the Site. If you visit our offices and use our guest WiFi, we may collect information about that use, such as type of device used and start/stop time.
  15. Diversity and inclusion information, such as information we collect as part of our commitment to diversity, equity and inclusion (on a purely voluntary basis and as permitted by applicable laws). This information includes data relating to age, gender, gender identity, ethnicity, disability, sexual orientation, religion/belief, caring responsibilities and social mobility.
  16. Passive capture of CCTV images on our CCTV equipment, limited to entry and exit points, IT storage and IT server rooms, which is only reviewed in the event of a security event (i.e., break in) or for maintenance/CCTV quality purposes.
  17. Other identifying information that you voluntarily choose to provide, such as any photographs, emails, letters or other personal data you choose to provide to us.

In relation to our monitoring practices, our systems enable us to access and monitor telephone, email, voicemail, internet and other communications. In order to carry out our legal obligations applicable to our business, services and as an employer (such as ensuring compliance with our IT related policies), and for other business reasons, we may monitor your use of our systems including the telephone, computer and other communications and messaging systems, by automated software or otherwise. Monitoring is only carried out to the extent permitted by law and to the extent necessary and justifiable for our legitimate business purposes.

Information About Others: Information that you provide to us relating to other people (e.g. your partner, dependents, etc.) will be processed by us in accordance with this Privacy Notice. You are responsible for the accuracy of such information and for ensuring that those people are aware of the nature of the information you have provided and the way in which it will be processed by us.

We collect some of the categories of personal information listed above for Non-Employee Workers, excluding the categories that apply only to employees (such as compensation and benefits information for employees, characteristics of protected classifications, and non-public educational information).

B. How We Collect Your Personal Data

We collect personal data during the application process, either directly from you or sometimes from a referrer, job portal, employment agency or background check provider; this data is integrated into your personnel file upon hire. During your employment, we collect personal data directly from you as well as from authorized employees, for example, through administration of your benefits, performance evaluations and other job-related activities. We may also collect personal data about you from third parties for job-related purposes, for example from your references.

 

How We May Use your Personal Data

We use personal data, as necessary, for all purposes related to the creation, administration and termination of your employment relationship with us, including as set out below:

| Purpose for Use | Legal Basis |
| --- | --- |
| Manage talent acquisition and hiring, onboarding and offboarding | Our legitimate interest to manage our workforce, necessary for the purpose of carrying out employer rights and obligations and/or performance of a contract |
| Manage your relationship with us, including payroll, benefits and performance, change in roles/position, promotions, leaves, and disciplinary proceedings | Our legitimate interest to manage our workforce; legal obligations and/or performance of a contract where special categories of personal data are processed (in the event of a sick leave), processing is necessary for the purpose of carrying out employer rights and obligations. |
| Ensure the health, safety, and accessibility for employees | Performance of a contract, legal obligations and/or legitimate interest in operating our business where special categories of personal data are processed, processing is necessary for the purpose of carrying out employer rights and obligations. |
| Provide learning and development tools, and monitor training completion | Our legitimate interest to train our employees |
| Engage employees, including via communications, surveys and statistics. | Our legitimate interest, including to communicate with our employees and obtain feedback from our employees and improve our relationship based on that feedback |
| Manage events, including social events and work-related travel | Our legitimate interest to allow our workers to participate in events organized by us and/or performance of a contract |
| Ensure the security of our IT infrastructure, including networks and communication systems | Our legitimate interest to protect our people, our IT infrastructure and assets as well as for security purposes; performance of a contract and/or to comply with legal obligations |
| Safeguard our business interests, including our intellectual property and confidential information, and the security, availability and resilience of our premises, information systems and technology, and to prevent fraud | Legal obligation and/or legitimate interest in operating our business |
| Network maintenance purposes | Our legitimate interest to protect our people, our IT infrastructure and assets as well as for security purposes; performance of a contract and/or to comply with legal obligations |
| Comply with legal obligations | Our legitimate interest to protect our people, our IT infrastructure and assets as well as for security purposes; performance of a contract and/or to comply with legal obligations |
| Prevent, detect or investigate security threats, incidents or violations of law or our policies (including threats or actual harassment, violence or bullying). | Our legitimate interest to protect our people, our IT infrastructure and assets as well as for security purposes; performance of a contract and/or to comply with legal obligations |
| Safeguard the security of our stored IT assets, IT infrastructure in server-rooms, and property and offices entry and exit points | Our legitimate interest to protect our people, our IT infrastructure and assets as well as for security purposes; to comply with a contract and/or to comply with legal obligations |
| Investigate suspected or reported employee or contractor actions which were in breach of our policies or violation of applicable laws, including where requested or instructed by law enforcement | Our legitimate interest to protect our people, our IT infrastructure and assets as well as for security purposes; performance of a contract and/or to comply with legal obligations |
| Investigate whistleblower complaints and grievances | Our legitimate interest, legal obligation and/or performance of a contract. Where special categories of personal data are processed, processing is necessary (i) in connection with exercising rights or obligations in connection with employment; and/or (ii) to establish, exercise or defend a legal claim (for special categories of personal data); and/or (iii) for the purpose of preventing or detecting unlawful acts (for criminal convictions and offences data) |
| Monitor for diversity and to consider steps that we can take to improve diversity and inclusion | Our legitimate interest to promote a diverse and inclusive workforce, your explicit consent and, where processing is necessary, for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment and/or where necessary for carrying out employer rights and obligations |
| Engage Non-Employee Workers to support us in providing our products and services | Our legitimate interest to protect our people, our IT infrastructure and assets as well as for security purposes; to comply with a contract and/or to comply with legal obligations |
| In connection with an actual or prospective corporate transaction (including a sale, divestment, merger or acquisition of all or any part of our business), restructuring or investment with respect to which we are a party | Legal obligation and/or legitimate interest in operating our business |
| For any other purpose that has been notified, or has been agreed, in writing | Consent |

 

We may install CCTV technology on our premises for security purposes, where permitted by law. Where CCTV has been installed, we may collect images and other personal data of our employees and other workers, inside, entering or in the immediate vicinity of the CCTV “field of view” area. Our lawful basis for such processing is to comply with a legal obligation and/or in the legitimate interests in operating our business and protecting our people, our IT infrastructure and assets as well as for security purposes. Where necessary or required, this information may be shared with the individuals themselves, employees, agents, services providers, police forces, security organisations and persons making a legitimate inquiry.

We may also use your personal data: (i) where we need to protect your (or someone else’s) vital interests, and (ii) where it is necessary to defend any legal claims that may be brought against us in connection with your employment, or to establish, bring or pursue any claim against you.

Note that we may process your personal data on more than one legal basis depending on the specific purpose for which we are using your personal data.

You are required to provide certain personal data, such as identification data, by law or because the personal data is necessary for us to enter into an employment agreement with you, where applicable, and to perform its obligations under that agreement. Please understand that if you do not provide your personal data when required by law or contract, we may not be able to provide you with certain benefits of employment. For example, we require your national ID number to process payroll. Furthermore, if you do not provide your personal data, we may be prevented from complying with our legal obligations, such as maintaining a safe work environment.

No solely automated decision-making, including profiling, is used when processing your personal data.

 

How We May Disclose Your Personal Data

Your personal data may be shared with and processed by our affiliates and certain service providers and business partners as necessary to fulfil the purposes set out in this Privacy Notice. We use a number of service providers that provide a wide range of services including legal and financial professional advisors, IT and data security providers, data hosting providers and website managers and other IT service providers, meetings and conference vendors, auditors, marketing agencies, HR firms, and data software providers. We make sure anyone who provides a service to, or for us, enters into an agreement with us and meets our standards for data security.

We may also disclose your data at your direction, to government or administrative agencies or to clients and customers where you require access to their systems or network to perform your job duties (e.g. background check information, nationality, social security number and military status). We may share your data with a third party when we believe it is necessary to protect your health or safety, such as disclosure to emergency medical personnel if you experience a medical emergency in the workplace.

We may disclose your personal information to the public as part of a press release, for example, to announce promotions or awards. If you do not want your personal information in press releases, please contact us at [email protected] and include in the subject line “Request for Exclusion from Press Release.” We do not disclose sensitive personal information to the public.

We reserve the right to disclose your personal data as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator, national security, for the purposes of public importance or any other legal or investigatory process involving us. Should we, or any of our affiliated entities, be the subject of a corporate transaction, including any divestment or acquisition, we may disclose your personal data to the new owner of the relevant business and their advisors (including as part of any preliminary diligence process).

 

Retention of Your Personal Data 

We will retain your personal data throughout the employment relationship and as long thereafter as is reasonably necessary for the purposes set forth in this Privacy Notice, unless a longer period is required by applicable law, legal process or administrative needs. We will not keep more personal data than we need for those purposes. For further information about how long we will keep your personal data, please contact us at the email address at the end of this Privacy Notice, including in the subject line “Request for Personal Data Retention Information.”

 

Security of Your Personal Data 

We have put in place appropriate technical, physical and administrative procedures and means to safeguard and secure the information we may collect or might receive from you in order to prevent unauthorized access or disclosure. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality and required to keep your personal data secure.

 

International Transfers of Your Personal Data

As we operate at a global level, we may need to transfer personal data to countries other than the ones in which the information was originally collected. When we export your personal data to a different country, we will take steps to ensure that such data exports comply with applicable data privacy laws.

If you are located in the European Union (“EU”), Switzerland, or the United Kingdom (“UK”), we have taken steps to ensure an adequate level of protection for your transferred personal data through Standard Contractual Clauses to which Rocket Software, Inc., its U.S. subsidiaries and its subsidiaries in the EU, India, Switzerland, the UK and other geographies are parties. If you are located in another country with restrictions on cross-border data transfers, such as Brazil, we may rely on your consent for the transfer of your personal data outside your country of residence.

 

Jurisdiction-Specific Information

The following jurisdiction-specific information may apply to you based on where you reside or are located:

A. European Union, United Kingdom, and Switzerland

This section applies only if our collection, or your provision, of personal data under this Privacy Notice is subject to the European Union (EU), United Kingdom (UK) or Swiss data privacy laws, such as the EU GDPR or the UK or Swiss equivalent.

Rocket Software is a controller of any personal data collected or processed by us when you interact with us in the ways described above (e.g., during the course of your employment, etc.). The types of personal data we collect, and our legal bases for doing so, are set out above.

Your Rights

You may have the right to access the personal data we hold about you and control the way in which and what personal data we store and process about you, as set out below. To exercise these rights and controls, please see “How to Exercise Your Rights” below.

  • Access: You have the right to ask for a copy of the personal data that we hold and process about you free of charge; however, we may charge a ‘reasonable fee,’ if we think that your request is excessive, to help us cover the costs of locating the information you have requested.
  • Correction: You may notify us of changes to your personal data if the information we hold and process about you is inaccurate or it needs to be updated.
  • Deletion: If you think that we should not be holding or processing your personal data any more, you may request that we delete it. Please note that the right to deletion is not absolute and it may not always be possible to delete personal data on request, including where the personal data must be retained to comply with a legal obligation. In addition, deletion of personal data may result in the inability for us to fulfil the purposes described in the Privacy Notice.
  • Restrictions on use: You may request that we stop processing your personal data (other than storing it), if: (i) you contest the accuracy of it (until the accuracy is verified); (ii) you believe the processing is against the law; (iii) you believe that we no longer need your personal data for the purposes for which it was collected, but you still need your personal data to establish or defend a legal claim; or (iv) you object to the processing, and we are verifying whether our legitimate grounds to process your personal data override your own rights.
  • Object: You have the right to object to processing, including: (i) for direct marketing; (ii) for research or statistical purposes; or (iii) where processing is based on legitimate interests.
  • Portability: If you wish to transfer the personal data that we hold and process about you on the legal ground of contractual necessity to another organisation (and certain conditions are satisfied), you may ask us to do so, and we will send it directly if we have the technical means.
  • Withdrawal of consent: If you previously gave us, and we rely on, your consent (by a clear affirmative action) to allow us to process your personal data for a particular purpose not specified in this Privacy Notice, but you no longer wish to consent to us doing so, you can contact us to let us know that you withdraw that consent.

More on the Right to Lodge a Complaint: If individuals located in the EU, Switzerland and/ or UK believe that their personal data has been processed in violation of applicable data privacy laws, they may follow the “How to Exercise Your Rights” process below but they also have the right to lodge a complaint with the competent supervisory authority in the country where they reside, where they work, or where the alleged violation occurred.

B. All other locations

To the extent provided by applicable law and subject to any relevant exceptions, you may be able to exercise the following rights and any other rights afforded under applicable law:

  • Access: The right to request access to your personal data maintained by Rocket Software.
  • Rectification: The right to request that Rocket Software update or correct your personal data that is outdated or inaccurate.
  • Deletion: The right to request that Rocket Software delete/erase your personal data.
  • Restrict Processing: The right to request restriction of processing of your personal data in certain situations, such as while a dispute concerning the accuracy of personal data is being resolved.
  • Withdraw Consent: The right to withdraw your consent to the processing of your personal data, at any time, where you previously consented to the processing of your personal data.
    • More on the right to withdraw consent: Any withdrawal shall not affect the lawfulness of processing based on your consent before its withdrawal, and Rocket Software will continue to retain the personal data that you provided us before you withdrew your consent for as long as allowed or required by applicable law.

If you believe that your personal data has been processed in violation of applicable data privacy laws, you may also have the right to lodge a complaint with the data protection authority where you live, where you work, or where you believe the violation occurred. Individuals in India may make a complaint to Rocket Software by the complaint procedure provided by the Data Protection Board of India.

Please note that if you are a resident of California, your rights are set forth in a separate privacy notice.

C. How to Exercise Your Rights

To exercise the rights described above, you or your validly-appointed authorized agent (“Authorized Agent”) must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected personal data, and (2) describes your request in sufficient detail to allow us to understand, evaluate and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will only use personal data provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request.

We will work to respond to your Valid Request within the timeframe provided by the laws applicable to your employment location. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request. You may submit a Valid Request by completing this Form. The more risk entailed by the request (e.g., a request for specific pieces of personal data), the more items of personal data we may request to verify your identity. If we cannot verify your identity to a sufficient level of certainty to respond securely to your request, we will let you know promptly and explain why we cannot verify your identity.

You may also authorize an agent to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf. You can obtain an “Authorized Agent Designation” form by contacting us at the email address at the end of this Privacy Notice, including in the subject line “Authorized Agent Request.”

We will respond to requests to exercise individual data rights in accordance with applicable law. We will recognize any additional rights you may have under applicable law, but we may not grant you more rights than applicable law provides.

 

Changes to this Privacy Notice 

We may change this Privacy Notice from time to time in our sole discretion. If we decide to change our Privacy Notice, we will post those changes so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. Please check periodically for changes to this Privacy Notice, and especially before you provide any personal data to us.

 

Inquiries and Concerns 

Please direct any questions or concerns you may have about this Privacy Notice to [email protected], including in the subject line “Privacy Notice Inquiry.”