GoFundMe Inc., GoFundMe Ireland Limited, and GoFundMe Australia Pty Limited (collectively “GoFundMe”) and Classy Inc. (“Classy”) have prepared this Personnel Privacy Notice (“Notice”) to be provided to their respective employees, independent contractors and job applicants (collectively “Personnel”). In connection with your employment, services or otherwise, we have to process your Personal Data. We think that it is very important that you understand how we use your Personal Data, and we take our obligations in this regard very seriously. The purpose of this Notice is therefore to give you information about how GoFundMe and Classy (collectively “Company”) collects, processes, stores and otherwise uses information about you, and your rights in relation to that information.

Company needs to process your personal data in order to enter into our contract of employment and independent contractor services with you and to continue to perform crucial aspects of your contract such as paying you and providing you with benefits. There are also statutory requirements and other contractual requirements we have to comply with in relation to your employment or engagement as well as business and operational needs we have to meet. If we are not able to carry out the processing activities, we describe in this Notice we may not be able to comply with your contract, and in certain very exceptional cases, may not be able to continue your employment or engagement. Of course, we hope it would never come to that, and this is simply information we are required by law to provide to you as part of this Notice. Company also needs to process your personal data for purposes of filling a job posting.

In certain limited circumstances we may need to ask for your specific consent to process your personal data in a particular way. Where we do so, you will be entitled to withdraw your consent at any time by contacting us as set out at the end of this Notice. However, in most cases we will process your personal data for the reasons set out in this Notice and it won’t be appropriate or necessary for you to provide consent. Some Company employees may have clauses in their terms and conditions of employment asking you to consent to the processing of your personal data and sensitive personal data (in most contracts this clause is entitled Data Protection). The law has changed, and we have taken the decision that any such clause seeking consent to process your personal data will cease to apply. From now on, the way in which we process your personal data will be on the basis described in this non-contractual Notice.

As with many other GoFundMe and Classy policies, this document is not part of your contract of employment and independent contractor services, and we may update it from time to time, for example if we implement new systems or processes that involve the use of personal data.

What Types of Personal Data Does Company Collect about Me?

“Personal data” is any data that can be used in itself or with another piece of data to identify a specific person.

Company will collect, process and use the following categories and types of Personal data about you:

  • identification data, such as your name, signature, employee/Staff ID, your photo (if voluntarily provided by you), payroll ID, business email address, business address, business landline, citizenship, passport/ID data, social security number, and drivers’ license information;
  • personal information, such as your date and place of birth, emergency contact details, next of kin details, gender, details of family members (in relation to relocations);
  • contact details, such as your home address, telephone number and email address;
  • information about your job, such as your position, business title, employee type, management level, time type (full or part time and percentage), working time information, work location, division, department, position level, manager (name & ID), support roles, start and end date, contract status reference, job history (including position history, title history, effective dates and past pay groups), education history and qualifications, worker history (including log-files of changes in HR databases) and reason for leaving;
  • information about your salary and benefits, such as your basic salary, bonus and commission entitlements, raise amounts and percentages, allowances, insurance benefits (including information about you and your dependents that we provide to the insurer), pension plans, tax code, your bank account details and payment dates, accrued salary information, employee pay group, information relating to your pension;
  • information about your equity compensation, such as units of stock or directorships held, details of all restricted stock units or any other entitlement to shares of stock awarded, canceled, exercised, vested, unvested or outstanding in your favor;
  • time, and systems / buildings access monitoring information, such as CCTV images, swipe card access, fingerprints, time recording software, internet, email and telephone usage data;
  • performance and disciplinary information, such as performance reviews, evaluations and ratings, information about disciplinary allegations (including customer complaints), the disciplinary process and any disciplinary warnings, details of grievances and any outcome;
  • absence information, such as dates of leave of absence/vacation, maternity/paternity/shared parental leave, confirmation of a birth of a child, training/educational leave, family care leave, medical leave; and
  • organizational data including IDs for IT systems, company details, cost center allocations, and organizations.

When we collect Personal Data from our employees, independent contractors or applicants (collectively “Personnel”), we refer to such data as “Personnel Data.”

In addition to the collection, processing and use of the Personnel Data, Company collects, processes and uses the following additional categories of personal information about you which we describe as “Sensitive Personnel Data”:

  • health and medical data, such as the number of sick days and the information contained in a doctor’s certificate/medical certificate for purposes of salary payment, workforce planning, and compliance with legal obligations; information on work-related accidents for purposes of insurance compensation, work safety and compliance with legal obligations (such as reporting obligations); information on disability for purposes of accommodating the workplace and compliance with legal obligations; information on maternity leave for purposes of workforce planning and compliance with legal obligations;
  • criminal records data, in the event that Company has conducted or received the results of criminal records background checks in relation to you, where relevant and appropriate to your role; and
  • race or ethnicity data, such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes and compliance with laws and regulations.
  • other data, such as race/ethnicity, gender identity, pronouns, veteran status, disability and sexuality data, which you may provide voluntarily to us to help further our Diversity, Equity, Inclusion and Belonging (DEIB) efforts.

Why Does Company Need to Collect, Process and Use My Personnel and Sensitive Personnel Data?

We collect and use Personnel Data for a variety of reasons linked to your employment or engagement. To help clarify these we have set out below a list of reasons why we collect and use this data (the “Processing Purposes”).

  1. Administering and providing compensation, including payroll, invoices for services, expenses, bonus, stock options, and other applicable incentives which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information; absence information and organizational data.
  2. Administering and providing applicable benefits and other work-related allowances, including reporting of benefit entitlements and take-up of benefits which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information; absence information and organizational data.
  3. Administering our workforce and managing the relationship including managing work activities, tracking working hours, tracking internet, email and telephone usage, providing performance evaluations and promotions, producing and maintaining corporate organization charts, entity and intra-entity staffing and team management, managing and monitoring business travel, carrying out workforce analysis, conducting talent management and career development, leave management/approvals, providing references, administering ethics and compliance training, and recruitment for other roles both during and after the end of your employment or engagement which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information; absence information; and organizational data.
  4. Providing IT systems and support to enable you and others to perform their work, to enable our business to operate, and to enable us to identify and resolve issues in our IT systems, and to keep our systems secure which involves processing almost all categories of Personnel Data.
  5. Complying with applicable laws, regulatory, and employment-related requirements along with the administration of those requirements, such as income tax, national insurance deductions, health and safety, employment and immigration laws, which involves the processing of identification data, contact details, information about your job, performance and disciplinary information; absence information and organizational data.
  6. Monitoring and ensuring compliance with applicable policies and procedures and laws, including conducting internal investigations, which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information; absence information and organizational data.
  7. Communicating with you, other Company employees and third parties (such as existing or potential business partners, suppliers, platform users, government officials, recruiters), which involves the processing of identification data, contact details, information about your job and organizational data.
  8. Communicating with your designated contacts in the case of an emergency which involves the processing of contact details, personal information, information about your job and organizational data.
  9. Responding to and complying with requests and legal demands from regulators or other authorities in or outside of your home country which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information, absence information and organizational data.
  10. Complying with corporate financial and regulatory responsibilities, including audit requirements (both internal and external) and cost/budgeting analysis and control which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information, absence information and organizational data.

We may also collect and use Sensitive Personnel Data for a variety of reasons linked to your employment or engagement including:

  1. Salary payment, invoice payment, workforce planning, compliance with legal obligations, insurance compensation and providing an accommodating and inclusive workplace may require health and medical data, such as the number of sick days and the information contained in a doctor’s certificate/medical certificate, information on work-related accidents, information on disability, and information on maternity leave.
  2. Criminal records background checks, in relation to you, where relevant and appropriate to your role.
  3. Right to work checks or visa and immigration checks may involve us using race or ethnicity data such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes.

What Rights Do I Have Regarding Personnel Data?

We rely on Personnel Data being accurate, complete, up‐to‐date, and reliable for the intended use. We expect you to inform Company of any changes to your Personnel Data, such as changes to contact details, beneficiaries, or any information affecting benefits or services we provide to you.

You are permitted to review, delete, and, where inaccurate, correct or update your Personnel Data, with some exceptions. For example, we may be required to retain certain Personnel Data pursuant to our legal obligations.

You can exercise certain rights, by either logging into your benefits account or submitting a written request to the Data Protection team, DPO@gofundme.com. Company will not disclose any information in response to a rights request that may compromise the privacy of other persons unless required to do so by law.

For more information about your rights, please refer to the Country/Region‐Specific Disclosures section of this Notice.

For How Long Will Company Keep My Personnel Data?

It is our policy not to keep Personal Data for longer than is necessary. We may, for example, keep your Personal Data for a reasonable time after you have left to ensure that Company has the records it needs in the event of a dispute or regulatory investigation and to ensure that any ongoing obligations can be complied with, such as complying with requests from regulators, and to contact you about future work opportunities at Company. Where Personal Data is kept, that period will be determined based on the applicable local law or our reasonable business purpose. For further information, please refer to the Data Retention Policy of your employer (GoFundMe Retention policy is here, and Classy retention policy is here) or contact us as set out below to request further details on how long the appropriate company will retain different categories of personal information.

How Will Company Protect Personnel Data?

Company implements administrative, technical, and physical controls to reasonably and appropriately safeguard Personnel Data against loss, misuse, unauthorized access, theft, modification, disclosure and destruction. Company will restrict access to Personnel Data under our control to those employees, service providers, agents, and contractors of Company who have a legitimate business need for such access. Company will provide training to Employees and third parties where relevant to promote awareness of Company’s requirements and policies surrounding protection and security of Personnel Data.

Does Company Disclose My Personnel Data?

Where we disclose your Personnel Data it is our policy to limit the categories of individuals who have access to that data.

Company may transfer Personnel Data to third parties, including to entities within and outside the Company located in any jurisdictions where Company entities are located, for the Processing Purposes as follows:

  • With GoFundMe Inc. GoFundMe is part of a wider group headquartered in the USA. GoFundMe Inc. carries out the primary share of management, human resources, legal, compliance, finance and audit responsibility with GoFundMe Inc. For this reason, GoFundMe may transfer the Personnel Data and Sensitive Personnel Data to, or otherwise allow access to such data by GoFundMe Inc., which may use, transfer, and process the data for the following purposes: to maintain and improve effective administration of the workforce; to communicate information about GoFundMe; to maintain a corporate directory; to maintain IT systems; to monitor and assure compliance with applicable policies and procedures, and applicable laws; and to respond to requests and legal demands from regulators and other authorities.
  • Regulators, authorities, and other third parties. As necessary for the Processing Purposes described above, Personnel Data may be transferred to regulators, courts, and other authorities (e.g., tax and law enforcement authorities), independent external advisors (e.g., auditors), insurance providers, pensions and benefits providers, internal compliance and investigation teams (including external advisers appointed to conduct internal investigations).
  • Acquiring entities. If the Company business for which you work is sold or transferred in whole or in part (or such a sale or transfer is being contemplated), your Personnel Data may be transferred to the new employer or potential new employer as part of the transfer itself or as part of an initial review for such transfer (i.e., due diligence), subject to any rights provided by applicable law, including jurisdictions where the new employer or potential new employer are located.
  • Data processors. As necessary for the Processing Purposes described above, Personnel Data may be disclosed with one or more third parties, whether affiliated or unaffiliated, to process Personnel Data under appropriate instructions (“Data Processors”). The Data Processors may carry out instructions related to workforce administration, IT system support and maintenance, payroll and compensation, training, compliance, and other activities, and will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the personal information, and to process the personal information only as instructed.

For a full list of the Company entities and third parties that we may disclose your data with, please contact us as set out below.

How Does Company Address Data Privacy Concerns?

The respective Human Resources Department is responsible for implementing and overseeing the administration of this Notice. All employees whose responsibilities include the collection, use, and processing of Personnel Data are required to adhere to this Notice and any implementing policies. Failure to do so is deemed a serious offense, for which disciplinary action may be taken, potentially resulting in termination of employment. Equally, the misuse of Personnel Data by an individual or organization acting as agent or service provider to Company is deemed a serious issue for which action may be taken, potentially resulting in the termination of an agreement, or other action.

In order to provide you with an opportunity to raise questions or concerns about the processing of your Personnel Data, you may contact our Data Protection team at DPO@gofundme.com. Any submitted questions or concerns will be considered and responded to in accordance with Company’s formal complaints procedures.

For further country/region specific information for Personnel located in California or outside the United States, please refer to the Country/Region‐Specific Disclosures section of this Notice.

Country/Region-Specific Disclosures

California (US)

Personal Information Collection and Use

Personal Information” means information about a California Employee, independent contractor or applicant (collectively “California Personnel” that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with the California Personnel or the household of California Personnel. In accordance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively “CCPA”), Company processes the following categories of Personal Information as set forth below. For more information on examples of the type of Personal Information Company processes, please see the sections above.

Category of Personal Information

  1. Identifiers
  2. Personal Information Described in Cal. Civ. Code § 1798.80(e)
  3. Characteristics of Protected Classifications under California or Federal Law
  4. Professional or Employment-Related Information
  5. Internet or other Electronic Network Activity Information
  6. Commercial Information
  7. Biometric information
  8. Geolocation information
  9. Audio, Electronic, Visual, Thermal, Olfactory or Similar Data
  10. Inferences Drawn from Personal Information Above
  11. Sensitive Personal Information

Disclosures of Personal Information

We do not currently, and have not within the preceding twelve months, sold or shared for cross-context behavioral advertising the Personal Information of California Personnel that we collect in relation to your employment or engagement.

Company may disclose Personal Information to the following categories of recipients:

  • Compensation and Benefits: 401K administration, medical and dental benefits, insurance benefits, employee assistance programs, relocation services, payroll administration, and workplace incident management.
  • Government Reporting: Unemployment benefits, EEO reporting, tax reporting, and other regulatory reporting.
  • Business Administration: Recruiting firms, executive coaching, language training, rewards and recognition programs, law firms, and background checks.
  • Other Third Parties: Potential business partners, acquiring entities, suppliers, customers, or government bodies.

Company has disclosed during the last twelve months, the following categories of Personal Information:

Category of Personal Information Categories of Recipients
Identifiers Company; Compensation and Benefits service providers; Business Administration service providers; Government Reporting parties; and Other Third Parties
Personal Information Described in Cal. Civ. Code § 1798.80(e) Company; Compensation and Benefits service providers; Business Administration service providers; Government Reporting parties; and Other Third Parties
Characteristics of Protected Classifications under California or Federal Law Company; Compensation and Benefits service providers; Business Administration service providers; Government Reporting parties; and Other Third Parties
Professional or Employment-Related Information Company; Compensation and Benefits service providers; Business Administration service providers; and Other Third Parties
Internet or Other Electronic Network Activity Company; Business Administration service providers; and Other Third Parties
Audio, Electronic, Visual, Thermal, Olfactory, or Similar Data Company and Other Third Parties
Inferences Drawn from Personal Information of Personnel Company; Government Reporting parties
Sensitive Personal Information Company; Compensation and Benefits service providers; Business Administration service providers; and Other Third Parties

 

How to Exercise Your Rights

Company takes steps to keep Personal Information accurate. If you are a resident of California, you have certain rights to the Personal Information that we have collected about you pursuant to the CCPA. To exercise any of your rights to your Personal Information, please submit a request via email to your Data Protection team, DPO@gofundme.com, via the company’s confidential, independent and secure web portal at www.convercent.com/report or via the company’s hotline at 1-800-461-9330.

Please note that, if you submit a request to know, request to delete, or request to correct, we may request additional information to verify your identity (e.g., through logging into your account or providing Personal Information we will match against our records). You may designate an authorized agent to make a request on your behalf; however, you will still need to verify your identity directly with us before your request can be processed.

Your Rights

  • Right to Know: You have the right to know what Personal Information we have collected about you, subject to certain exceptions. You may request:
    • (1) The categories of Personal Information we have collected about you, including:
      • The categories of sources from which the Personal Information was collected
      • Our business or commercial purposes for collecting, selling, or sharing Personal Information
      • The categories of recipients to which we disclose Personal Information
      • The categories of Personal Information that we sold, and for each category identified, the categories of third parties to which we sold that particular category of Personal Information
      • The categories of Personal Information that we disclosed for a business purpose, and for each category identified, the categories of recipients to which we disclosed that particular category of Personal Information
    • (2) The specific pieces of Personal Information we have collected about you.
  • Right to Delete Your Personal Information: You have the right to request that we delete Personal Information we collected from you, subject to certain exceptions.
  • Right to Correct Inaccurate Information: If you believe that the Personal Information we maintain about you is inaccurate, you have the right to request that we correct that information.
  • Right to Opt Out of Sales and Sharing of Personal Information: Although CCPA permits you to opt out of the sale/share of Personal Information, we do not sell or share the Personal Information of California consumers under 17 years of age.
  • Right to Limit Use and Disclosure of Sensitive Personal Information: You may direct us to limit the use and disclosure of your Sensitive Personal Information to certain uses and disclosures that are permitted under the CCPA. We only use Sensitive Personal Information as permitted by applicable law or the CCPA.
  • Rights Related to Automated Decision-Making: Although CCPA permits you to opt out of automated decision-making, including profiling, that is used to evaluate certain personal aspects relating to your performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements we do not use automated decision-making to process Personnel Data.
  • Right to Non-Discrimination for the Exercise of Your Privacy Rights: If you choose to exercise any of your privacy rights under applicable California privacy law, you also have the right not to receive discriminatory treatment by us, including retaliation against you as Personnel.

European Union/European Economic Area (EU/EEA), Switzerland, and United Kingdom (UK)

In this Notice you will see reference to “GDPR” – that refers to the European Union’s General Data Protection Regulation, which is a European law governing your rights in relation to your Personal Data, and how organizations should protect it. The reference also includes that portion of the law of England and Wales, Scotland and Northern Ireland (collectively “United Kingdom”) by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018. This is primarily intended for GoFundMe personnel.

We comply with European data principles, which means Personnel Data will be used lawfully, fairly and in a transparent way; collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes; relevant to the purposes we have told you about and limited only to those purposes; accurate and kept up to date; kept only as long as necessary for the purposes we have told you about; and kept securely.

Company will provide this Notice to Personnel through appropriate communication channels to inform them about the identity of the respective Company entity acting as controller of Personnel Data, the purposes for which we collect and use Employee Data, the types of third parties with which we disclose Personnel Data, the choice and means Company offers Personnel for limiting the use and disclosure of their Personnel Data, and how to contact Company where they have issues or concerns about their Personnel Data.

Company may hold and may in the future collect Personnel Data for employment or engagement purposes. As an Employee, you are contractually required to provide us with certain Personal Data that we need in order to process your employment and to comply with our legal duties as an employer. Without your Personnel Data, we are not able to enter into an employment relationship with you.

Data Transfer

As you may expect, some of the recipients we may share Personnel Data and Sensitive Personnel Data with may be located in countries outside of Europe. In some cases, this may include countries located outside the United Kingdom or the European Union and/or European Economic Area (“EEA”).

Some countries where recipients may be located already provide an adequate level of protection for Personnel Data, and transfers to other countries may be protected under arrangements such as the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR. For GoFundMe, transfers to GoFundMe Inc. are subject to the Standard Contractual Clauses and the UK International Data Transfer Agreement to ensure that your data is protected adequately. This does not apply to Classy.

If recipients are located in other countries without adequate protections for Personal Data, Company will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. This will include using appropriate safeguards such as the Standard Contractual Clauses.

You can ask for a copy of the safeguards we employ to provide an adequate level of protection for your Personal Data by contacting us as set out below (Who Can I Contact About This Notice?).

How to Exercise Your Rights

Company takes steps to keep Personnel Data accurate and up‐to‐date. If you reside in Europe, you have certain rights to the Personnel Data that we have collected about you. To exercise your rights to your Personnel Data, please contact the Data Protection team at DPO@gofundme.com.

Your Rights

  • Right of Access: You have the right to confirm with us whether your Personal Data is processed, and if it is, to request access to that Personal Data including the categories of Personal Data processed, the purpose of the processing and the recipients or categories of recipients. We do have to take into account the interests of others though, so this is not an absolute right, and if you want to request more than one copy we may charge a fee.
  • Right to Rectification: You may have the right to rectify inaccurate or incomplete personal data concerning you.
  • Right to Erasure (right to be forgotten): You may have the right to ask us to erase Personal Data concerning you.
  • Right to restriction of processing: In limited circumstances, you may have the right to request that we restrict processing of your personal data, however where we process Personnel Data and Sensitive Personnel Data for the Processing Purposes we think that we have a legitimate interest in processing which may override a request that you make.
  • Right to data portability: You may have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another entity.
  • Right to object and rights relating to automated decision-making: Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including profiling, by us and we can be required to no longer process your personal data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.

You also have the right to lodge a complaint with the Information Commissioner’s Office or competent data protection supervisory authority. The relevant data protection supervisory authority for each country we operate in is set out below:

Country Data Protection Authority
Germany Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (the “BfDI”)
Ireland Data Protection Commissioner (the “DPC”)
Italy The Italian Data Protection Authority (Garante per la protezione dei dati personali)
UK Information Commissioner’s Office (the “ICO”)

 

Legal Basis for Processing under the GDPR

The Processing Purposes for our collection of Personnel Data and Sensitive Personnel Data, and mapped these against the different legal bases that allow us to do so, are as follows:

Processing Purposes Legal Bases
1. administering and providing compensation, including invoices for service, payroll, expenses, bonus, stock options, and other applicable incentives which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information; absence information and organizational data.
  • Necessary for performing a contract with you as the data subject;
  • Legitimate interests of Company;
  • Compliance with legal obligations which Company is subject to in relation to employment law and tax law.
2. administering and providing applicable benefits and other work-related allowances, including reporting of benefit entitlements and take-up of benefits which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information; absence information and organizational data.
3. administering our workforce and managing the employment or independent contractor relationship including managing work activities, tracking working hours, tracking internet, email and telephone usage, providing performance evaluations and promotions, producing and maintaining corporate organization charts, entity and intra-entity staffing and team management, managing and monitoring business travel, carrying out workforce analysis, conducting talent management and career development, leave management/approvals, providing references, administering ethics and compliance training, and recruitment for other roles both during and after the end of your employment or engagement which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information; absence information; and organizational data.
  • Legitimate interests of Company;
  • Compliance with legal obligations which Company is subject to; and
  • Necessary for performing a contract with you as the data subject.
4. providing IT systems and support to enable you and others to perform their work, to enable our business to operate, and to enable us to identify and resolve issues in our IT systems, and to keep our systems secure which involves processing almost all categories of Personnel Data.
  • Necessary for performing a contract with you as data subject;
  • Legitimate interests of Company;
  • Compliance with legal obligations which Company is subject to in relation to data protection law.
5. complying with applicable laws, regulatory, and employment-related requirements along with the administration of those requirements, such as income tax, national insurance deductions, health and safety, employment and immigration laws, which involves the processing of identification data, contact details, information about your job, performance and disciplinary information; absence information and organizational data.
  • Compliance with legal obligations which Company is subject to, particularly in relation to tax law, employment law, social security law and immigration law; and
  • Legitimate interests of Company.
6. monitoring and ensuring compliance with applicable policies and procedures and laws, including conducting internal investigations, which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information; absence information and organizational data.
7. communicating with you, other Company employees and third parties (such as existing or potential business partners, suppliers, platform users or government officials), which involves the processing of identification data, contact details, information about your job and organizational data.
  • Necessary for performing a contract with you as data subject;
  • Legitimate interests of Company;
  • Compliance with legal obligations which Company is subject to.
8. communicating with your designated contacts in the case of an emergency which involves the processing of contact details, personal information, information about your job and organizational data.
  • Necessary to protect your vital interests as data subject;
  • Legitimate interests of Company.
9. responding to and complying with requests and legal demands from regulators or other authorities in or outside of your home country which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information, absence information and organizational data.
  • Compliance with legal obligations which Company is subject to;
  • Legitimate interests of Company.
10. complying with corporate financial and regulatory responsibilities, including audit requirements (both internal and external) and cost/budgeting analysis and control which involves the processing of identification data, contact details, information about your job, salary and benefits and equity compensation, performance and disciplinary information, absence information and organizational data.

 

Below are the Processing Purposes and corresponding Legal Bases for Sensitive Personnel Data:

Processing Purpose Legal Bases
1. Salary payment, workforce planning, compliance with legal obligations, insurance compensation and providing an accommodating workplace may require health and medical data, such as the number of sick days and the information contained in a doctor’s certificate/medical certificate, information on work-related accidents, information on disability, and information on maternity leave.
  • Necessary to carry out the obligations and to exercise specific rights of Company or you in the field of employment and social security and social protection law as permitted by local data protection law.
2. Criminal records background checks, in relation to you, where relevant and appropriate to your role.
  • Necessary to carry out the obligations and to exercise specific rights of Company or you in the field of employment and social security and social protection law as permitted by local data protection law; and
3. Right to work checks or visa and immigration checks may involve us using race or ethnicity data such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes.
  • Necessary for reasons of substantial public interest as permitted by local data protection law.
4. Diversity, Equity, Inclusion and Belonging efforts (“DEIB efforts”) at the company may require us to use race/ethnicity, gender identity, pronouns (which would be public on Slack/GSuite if shared), sexuality, veteran status and disability status.
  • Explicit Consent submitted by Personnel for use in DEIB efforts.

 

We appreciate that there is a lot of information there, and we want to be as clear with you as possible over
what this means. Where we talk about legitimate interests of Company or third parties, this can include:

  • Management of employee relations including performance, disciplinary and grievance issues;
  • Assessing your suitability for other roles within Company;
  • Allocating resource and monitoring workload;
  • Protecting your health and safety in the workplace;Implementation and operation of a group-wide organizational structure and group-wide information sharing;
  • Right to freedom of expression or information;
  • Charitable organization and individual relationship management and other forms of marketing;
  • Prevention of fraud, misuse of company IT systems, or money laundering;
  • Physical security, IT and network security;
  • Internal investigations;
  • Proposed mergers and acquisitions.

When relying on the legitimate interests basis for processing your personal data, we will balance the legitimate interest pursued by us and any relevant third party with your interest and fundamental rights and freedoms in relation to the protection of your personal data to ensure it is appropriate for us to rely on legitimate interests and to identify any additional steps we need to take to achieve the right balance.