Overview
G-TECH Services, Inc. (“G-TECH”) complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (collectively, “Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (“EU”) and Switzerland to the United States. G-TECH has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view G-TECH’s certification, please visit https://www.privacyshield.gov/
Definitions
The following terms are used throughout this Policy Statement and are defined as follows:
“Agent” or collectively, “Agents” means any third party that processes Personal Information pursuant to the instructions of, and solely for, G-TECH, or to which G-TECH discloses Personal Information for use on its behalf such as, for example, Blue Cross Blue Shield of Michigan.
“Citizen” or collectively, “Citizens” means a lawful citizen or citizens of the EEA and Switzerland. A Citizen may be a G-TECH Employee or a principal, officer or employee of a Client or Consultant, as all three terms are defined herein.
“Client” or collectively “Clients” means current, prospective and former clients, customers, visitors and guests of G-TECH whose Citizen principal(s), officer(s) or employee(s) may provide Personal Information to G-TECH.
“Consultant” or collectively “Consultants” current, prospective and former consultants, contractors, and/or service providers to G-TECH whose Citizen principal(s), officer(s) or employee(s) may provide Personal Information to G-TECH.
“Controller” or collectively, “Controllers” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Information.
“Data Subject” means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics. For Citizens of Switzerland, a Data Subject also may include a legal entity.
“EEA” means the European Economic Area, composed of the following thirty-one (31) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.
“Employee” or collectively, “Employees,” means any G-TECH employee(s) (and any and all dependents thereof) that is a Citizen, as defined above, including, but not limited to, temporary, permanent, and former employees, directors, contractors, workers and retirees. For purposes of this Statement only, the term “Employee” or “Employees” shall also include job applicants that are Citizens.
“G-TECH” or the “Company” collectively refers to G-TECH and any and all subsidiaries and affiliates thereof that are incorporated in any state or territory of the United States.
“Personal Information” means any information or set of information about an identified or identifiable Citizen, including, but not limited to:
a. Names.
b. Addresses.
c. Telephone numbers.
d. Email addresses.
e. Passwords to access a vPlanner® account.
f. Employee identification numbers.
g. Government-issued identification numbers (e.g., driver’s license, Social Security, or passport numbers).
h. User passwords or PINs.
i. User identification and account access credentials, passwords, PINs and security question answers.
j. Financial account numbers (e.g., bank account numbers, credit and debit card information).
k. Geolocation data (e.g., location data from IP addresses, cellular networks, and GPS).
l. Biometric, medical, health, or health insurance information.
m. Religious or philosophical beliefs or political opinions.
n. Sexual orientation.
o. Criminal records.
The term “Personal Information” does not include anonymized information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).
“Policy Statement” means this Privacy Shield Privacy Policy Statement.
“Privacy Shield Principles” collectively means the following privacy principles as described in the Privacy Shield:
a. Notice;
b. Choice;
c. Accountability for Onward Transfer;
d. Security;
e. Data Integrity and Purpose Limitation;
f. Access; and
g. Recourse, Enforcement and Liability as agreed to by the U.S. Department of Commerce and the European Commission.
“Process” or “Processing” of Personal Information means any operation or set of operations which is performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data where Processed to uniquely identify a person, any information that concerns medical or health conditions, social security measures or sex life, or information relating to the commission of a criminal offense.
Non-capitalized use of the foregoing definitions shall have their commonly understood definitions and meanings.
Scope
This Policy Statement describes the principles pursuant to which G-TECH manages Personal Information received. G-TECH receives voluntarily proffered Personal Information, if at all, in the following circumstances:
a. from Employees, in support of G-TECH’s human resources and business operations (“employee-employer” contact);
b. from solicited and unsolicited prospective employees;
c. from Clients/Subscribers and Consultants in the course of G-TECH’s business operations (“business-to-business” contact); and
d. from visitors to G-TECH’s websites.
Responsibilities and Management
G-TECH has designated its Data Privacy and Data Breach Review Committee (“Committee”) to oversee its information security program, including its compliance with the Privacy Shield and this Policy Statement. The Committee shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy Statement also may be directed to privacyshield@gogtech.com.
G-TECH will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Information that it collects. G-TECH personnel will receive training, as applicable, to effectively implement this Policy.
Annual Renewal
G-TECH will renew its Privacy Shield certification annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.
Prior to the re-certification, G-TECH will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Personal Information are accurate and that it has appropriately implemented these practices. Specifically, as part of the verification process, G-TECH will undertake the following:
a. Review this Policy Statement policy and its publicly posted website privacy policy to ensure that these policies accurately describe the practices regarding the collection of Personal Information;
b. Ensure that the publicly posted privacy policy informs Employees, Clients, and Consultants of G-TECH’s participation in the Privacy Shield program and where to obtain a copy of additional information (g., a copy of this Policy Statement);
c. Ensure that this Policy Statement continues to comply with the Privacy Shield principles;
d. Confirm that Employees, Clients, and Consultants Customers are made aware of the process for addressing complaints and any independent dispute resolution process; and
e. Review its processes and procedures for training its employees about G-TECH’s participation in the Privacy Shield program and the appropriate handling of Personal Information.
Collection and Use of Personal Information
G-TECH generally does not proactively collect Personal Information. G-TECH collects Personal Information from employees and prospective employees for the following purposes, among others: assessing qualifications for employment; enrollment in various Company benefit/insurance plans/programs; administering payroll; and providing evidence of individual skill and experience to clients and partners. G-TECH collects Personal Information from website visitors, clients/subscribers, and consultants for the following purposes, among others: analyzing website traffic; permitting subscriber access; communicating Company news; marketing Company services; and identifying market demands and trends. G-TECH may provide Personal Information to sub-processors in connection with an employee’s conditions of employment (e.g., providing Personal Information to a medical benefits provider); G-TECH does not provide Personal Information of clients or consultants to sub-processors.
G-TECH’s websites do utilize internet “cookies” and/or other automatic data collection technologies to collect certain information about a website visitor’s equipment, browsing actions, and patterns, including:
a. Details of visits to the Website, including traffic data, location data, logs, and other communication data and the resources that a visitor accesses and uses on the website.
b. Information about a visitor’s computer and internet connection, including IP address, operating system, and browser type.
G-TECH may use these technologies to collect information about online activities over time and across third-party websites or other online services (behavioral tracking). This Personal Information may be provided to sub-processors such as Google Analytics.
Privacy Shield Principles
Notice
In the event that G-TECH collects Personal Information from a Citizen, G-TECH will furnish a notice to the Citizen that describes:
a. the types of Personal Information that it collects about such Citizens;
b. the purposes for which it collects such information;
c. the types of third parties to which it discloses such information, and the purposes for which it does so; and
d. how to contact G-TECH with any inquiries or complaints, including any relevant establishment in the EEA that can respond to such inquiries or complaints.
Notice will be provided in clear and conspicuous language at the time of collection, or as soon as reasonably practicable thereafter. In any event, notice will be provided before G-TECH discloses the Personal Information or uses such information for a purpose other than that for which the Personal Information was originally collected or Processed.
Choice
In the event that Personal Information is to be used for a new purpose that is materially different from the purpose(s) for which the Personal Information was originally collected or subsequently authorized, or transferred to a non-Agent third party, Citizens will be provided, where practical and appropriate, with an opportunity to decline to have their Personal Information so used or transferred. In the event that the Personal Information used for a purpose other than that for which it was originally collected or subsequently authorized or transferred to the control of a non-Agent third party is Sensitive Personal Information, the Citizen’s affirmative express consent will be obtained prior to the use or transfer of the Sensitive Personal Information or as otherwise permitted in accordance with the Privacy Shield Principles.
Accountability for Onward Transfer
Typically, only Personal Information of G-TECH employees (as opposed to clients and/or consultants) might be transferred to an Agent. Such Agents may include:
a. employee benefits and payroll providers – for purposes of enrolling and managing an employee’s participation in G-TECH-provided benefit programs, such as medical and disability, as well as facilitating payroll;
b. background, reference, and credit check companies – for purposes of determining initial and continuing eligibility and qualification for (prospective) employment;
c. clients and consultants – for purposes of demonstrating an employee’s capability and skill set for specific client projects; and
d. in the context of administrative/legal proceedings (which may also include the Personal Information of clients and/or consultants).
G-TECH will transfer Personal Information only to an Agent that has given assurances that it provides at least the same level of privacy protection as is required by the Privacy Shield Principles and this Policy Statement and will notify G-TECH if it makes a determination it can no longer meet this obligation. G-TECH will require Agents to implement technical and organization security measures, to commit employees and contractors to confidentiality, to delete or return all Personal Information to G-TECH at the relationship’s conclusion, to submit to audits and otherwise provide information necessary to demonstrate compliance. G-TECH will further require Agents to bind all Sub-Agents to the same required level of privacy and security.
Where G-TECH has knowledge that an Agent or Sub-Agent is using or sharing Personal Information in a way that is contrary to the Privacy Shield Principles and/or this Policy Statement, G-TECH will take reasonable steps to prevent or stop such Processing. With respect to onward transfers to Agents and Sub-Agents, Privacy Shield requires that, to the extent it is responsible for the event, G-TECH shall remain liable should its Agents or Sub-Agents Process Personal Information in a manner inconsistent with the Privacy Shield Principles.
Security
G-TECH takes reasonable and appropriate administrative, technical and physical precautions designed to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, regardless of whether such Personal Information is in electronic or tangible, hard copy form. For example, hard copy employee personnel and benefit files are segregated and kept in locked file cabinets in a secure office space. Access to electronic Personal Information is limited to G-TECH personnel who process such information. G-TECH’s Information Technology Department is notified of any attempted breach of G-TECH’s various hardware and software.
Data Integrity and Purpose Limitation
G-TECH endeavors to limit the collection, usage, and retention of Personal Information to that which is relevant for the intended purposes of Processing, and takes reasonable steps designed to ensure that all Personal Information is reliable for its intended use, accurate, complete and current. G-TECH depends on its Employees, Clients, and Consultants to keep Personal Information reliable, accurate, complete and current.
Access
Citizens may seek confirmation regarding whether G-TECH is Processing Personal Information about them, request access to their Personal Information and ask that G-TECH correct, amend or delete that information, where it is inaccurate or has been Processed in violation of the Privacy Shield Principles. Although G-TECH makes good faith efforts to provide Citizens with access to their Personal Information, G-TECH reserves the right to limit or deny such access where the burden or expense of providing access would be disproportionate to the risks to the Citizen’s privacy, where the rights of Citizens other than the subject Citizen would be violated, where the information is commercially proprietary or where doing so is otherwise consistent with the Privacy Shield Principles. If G-TECH determines that access should be restricted in any particular instance, it will provide Citizens with an explanation of why that determination has been made and a contact point for any further inquiries.
Recourse, Enforcement and Liability
G-TECH has implemented mechanisms to verify its ongoing compliance with the Privacy Shield Principles and this Policy Statement. Any party that violates the Privacy Principles and/or this Statement will be subject to disciplinary procedures in accordance with G-TECH’s disciplinary procedures.
In the event of a dispute, Citizens are able to seek resolution of their questions or complaints regarding use and disclosure of their Personal Information in accordance with the Privacy Shield Principles contained in this Statement. If an Employee, Client, or Consultant feels that G-TECH is not abiding by the terms of this Statement, or is not in compliance with the Privacy Shield Principles, it should contact G-TECH at the contact information provided below. For complaints arising from human resources data transferred from the EEA, G-TECH commits to to cooperating with EEA data protection authorities (“DPAs”) and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), and comply with the advice given by such authorities with regard to human resources data transferred from the EEA and Switzerland in the context of the employment relationship. In addition, G-TECH has agreed to cooperate with JAMS Privacy Shield Dispute Resolution Program with respect to complaints related Customer and Consultant data. For more information and to submit a complaint to JAMS, visit https://www.jamsadr.com/eu-us-privacy-shield. Such independent dispute resolution mechanisms are available to Citizens free of charge. If any request remains unresolved, Citizens may have a right to invoke binding arbitration under Privacy Shield. The FTC has jurisdiction over G-TECH’s compliance with the Privacy Shield
Limitation on Scope of Privacy Shield Principles
Adherence to these Privacy Shield Principles may be limited (i) to the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of a Citizen.
Contact Information
Please direct any questions regarding this Statement or any of G-TECH’s privacy practices to the following email address: privacyshield@gogtech.com.
Changes to this Statement
This Statement may be amended from time to time in a manner that is consistent with the requirements of the Privacy Principles. When this Statement is updated, the “Last Updated” date at the bottom of this document shall be amended accordingly. Any material changes to this Statement will be posted on G-TECH’s websites and available to the general public www.gogtech.com.