HERE Externals Privacy Policy
HERE International B.V. and all the direct and indirect subsidiaries of HERE International B.V. in which HERE International B.V. owns a majority of the shares or exercises effective control (“HERE”), respect the privacy of individuals hired on temporary basis and have adopted this global Externals Privacy Policy (“Policy”) to establish and maintain high standards of data protection for the personal data of individuals hired on a temporary basis, either via an agency, a vendor or as an independent contractor.
This Policy informs you about how HERE process your personal data in the context of your engagement with HERE. It sets out what kind of personal data HERE may process about you, how your personal data are handled and what rights you may have. HERE may provide you with additional privacy information in connection with particular systems or services involved in your engagement.
This Policy applies to the collection and automated or otherwise structured (e.g. paper-based filing system) processing of personal data.
The provisions herein are supplemented by applicable mandatory law that prevails to the extent there is a conflict with this Policy. Also, some HERE entities may have their own local privacy Policies. In case of conflict, such local privacy Policies prevail over this Policy to the extent the conflict is based on applicable mandatory law. HERE asks for your consent to process your personal data if required by law.
Additional information for applicants who are California residents is available in Section 15 below.
2) Collection of your personal data
HERE collects your personal data directly from you as well as from other sources to the extent permitted by applicable local law.
Much of the personal data HERE processes about you will have been collected from you directly during the contracting or onboarding process or shortly after you started working on an engagement with HERE. Other personal data about you, such as performance appraisals, skills records and records of projects you have worked on, are generated by you and HERE management while you are working at HERE.
HERE endeavors only to collect personal data that are necessary for the purpose(s) for which they are collected and to retain such data for no longer than necessary for such purpose(s). Additional information regarding HERE’s storage of personal data, including mandatory retention periods, may be found in HERE’s data retention policy.
3) What personal data does HERE collect?
HERE may need to collect, process and hold various categories of personal data about you in connection with your engagement by HERE in addition to your employer. Subject to variations due to local mandatory law and practice, the categories of personal data that are typically collected and processed in this context are:
- Contact details, such as your name, home address, telephone numbers, email address, date and place of birth, but also contact details of others that you provide (e.g. whom to contact in the event of an emergency, the details of your dependents and other similar information).
- Qualifications and screening information, such as your CV, employment and career history, educational details and qualifications, third party references, background checks and assessments, nationality and/or residence registration information as well as, where permitted by local law, additional information such as credit information, the results of psychometric tests and criminal record files.
- Contract or project administration information, such as photographs, travel and expense records, copies of identifying documents, accident reports, performance information (including any appraisals or other internal communication regarding performance), skills and competences records, training records, records of projects you have worked on, and time and attendance management records.
- If you are engaged directly by HERE, financial information relating to your compensation, such as details of your compensation and any deductions, bank account details, tax codes, and governmental national insurance/social security number.
- Information of technical nature, such as HERE ID, IDs used for security purposes, user IDs and passwords, device and application logs, network traffic logs and location data and other technical information.
- User generated content. Some of HERE’s services may allow you to publish (internally or externally as the case may be) information about yourself and others, such as photos, videos, comments to intranet news stories and blog posts.
- Other information which you provide in connection with a business purpose of HERE.
4) What will HERE do with the Personal Data?
HERE will use, store and otherwise process your personal data for the purpose(s) for which they were originally collected as described in this Policy. Additionally, your personal data may be processed for other purposes you have consented to, or in cases where another legal basis applies or where we are legally allowed to do so. Whenever necessary and subject to statutory record-keeping requirements, HERE will delete personal data that are no longer needed.
HERE will process your personal data for the following purposes:
- Personnel management, including activities related to the recruitment, management, administration and termination of contractor relationships, such as:
- performance evaluation and training;
- contract administration activities, including payment for hours worked and expenses where appropriate; and
- handling complaints and grievances.
- Operations management, including activities related to managing HERE’s business operations, such as:
- deploying contractors on projects or scheduling work;
- organizational planning and development;
- travel and expense management;
- managing company assets; and
- publishing the names, contact information, photographs and job titles and descriptions of individuals in HERE’s internal directories.
- IT management, including activities related to the provision of IT and communication services (e.g. phones, laptops, e-mail, intranet and internet), such as:
- administration and maintenance;
- technical trouble-shooting, technical development, statistical analysis; and
- billing and invoicing.
- Security management, including activities related to ensuring the security and safety of HERE’s premises and individuals at HERE’s premises and on business travel, and the security of assets and information (e.g. personal data, trade secrets, intellectual property and confidential information), such as (all subject to applicable local laws):
- identifying and authenticating individuals;
- managing access to HERE’s buildings;
- locating personnel in emergency situations;
- network or computer monitoring against misuse;
- establishing a network of contacts in case of emergency; and
- preventing and investigating fraud, industrial espionage and other crime as well as violations of HERE policies and procedures.
- Legal and regulatory compliance, including obtaining and releasing personal data as required by law, judicial organizations or practice in order to comply, such as:
- participating in or conducting due diligence activities associated with the purchase, sale or re-organization of a HERE company or business;
- complying with tax, accounting, securities, employment, health and safety rules and other legal obligations placed on HERE.
- Any other purposes directly related to the above-mentioned purposes.
HERE processes your personal data pursuant to several legal bases, depending on the type of data and purpose of the processing. Under most circumstances, HERE’s legal basis for processing your personal data is performance of the contract on which your engagement with HERE is based. HERE will also process this information where required to comply with legal obligations to which it is subject, such as tax or recordkeeping obligations. In some circumstances, HERE will process your personal data pursuant to its own legitimate interests in operating its business, including conducting the above described activities for internal administrative purposes and ensuring network and information security. A different legal basis may be provided at the point where data is collected.
5) How is Sensitive Information treated?
HERE aims to limit the collection of Sensitive Information* and shall only collect Sensitive Information if there is a legal justification for processing it, or if it is collected and processed with your consent.
HERE recognizes the additional need to protect Sensitive Information. All Sensitive Information is processed in strict compliance with applicable local law and only by a restricted number of individuals who have a clear and justified need to know such information.
Sensitive Information may be processed where necessary to enable HERE to exercise its legal rights or perform its legal obligations in the field of employment law or related fields of law. Examples of such obligations include ensuring the health and safety of HERE’s personnel through the provision of a safe working environment or where the processing is carried out by a doctor or similar health professional bound by a duty of confidentiality to you, and is necessary for medical purposes, such as under HERE occupational health schemes.
*“Sensitive Information” means special categories of personal data as defined under applicable law that may be processed only when there is a legal justification (e.g. authorized by law in the field of employment) or with the individual’s consent. Such special categories include but are not limited to personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data which concerns their health or sex life or sexual orientation.
6) Who has access to your data?
It is HERE’s responsibility to implement appropriate access control measures to ensure that your personal data is only accessed by persons having a clear need to know such information.
The extent to which your personal data are made accessible will depend upon the nature of the data concerned. Some personal data may be viewed by anyone working at HERE (e.g. your business contact information in the Intranet). Other personal data are typically only available to HERE management responsible for you and appropriate members of the HERE Human Resources or Sourcing Departments. Access to most of your personal data is restricted to certain experts (e.g. Human Resources, IT or Legal) to the extent necessary to perform their work tasks.
7) Transfer of your personal data?
HERE will not sell, lease, rent or otherwise disclose your personal data unless otherwise stated herein:
(a) Consent: HERE may share your personal data if you have given your consent for HERE to do so.
(b) HERE companies and authorized third parties: HERE may share your personal data with other HERE companies or authorized third parties who process personal data for HERE for the purposes described in this Policy or otherwise provide personnel related services to HERE. In such cases HERE will ensure that there is a genuine need to transfer your personal data.
Authorized third parties include, for example, travel agencies, banks, telecom operators, auditors, professional advisors, external legal counsels, actuaries, medical practitioners, or other third party suppliers.
Authorized third parties may technically have access to your personal data in the course of providing their services but, other than where the authorized third party is acting as an independent data controller, will be contractually restricted from processing your personal data for other purposes. HERE also requires them to act consistently with this Policy and to use appropriate security measures to protect your personal data. Situations where the authorized third party is acting as an independent data controller include engagement of certain professional advisors by HERE, including external legal counsels or management consultants. In the case of professional advisors providing services to HERE, HERE will ensure that there are adequate statutory or contractual protections in place to ensure that the advisor (1) does not use or disclose the data except to provide the service to HERE, or as required by applicable law, and (2) utilizes appropriate security measures to protect your personal data.
(c) International transfers of personal data: HERE is a global company that has affiliates, business processes, management structures and technical systems that cross national borders. This means that your personal data are transferred across international borders to countries other than the one where you are engaged by HERE. Such other countries do not always have equivalent laws providing specific protection for or rights in relation to personal data or they have different rules on privacy and data protection. HERE takes steps to ensure that there is a legal basis for such a transfer and that adequate protection for your personal data is provided as required by applicable law. Such steps include, for example, the use of standard agreements approved by relevant authorities and the requirement to use appropriate technical and organizational security measures to protect your personal data. You may contact the HERE Privacy Office at privacy@HERE.com to obtain additional information about the safeguards taken by HERE in connection with these transfers. A copy of the unchangeable Standard Contractual Clauses can be accessed on the webpage of the European Commission.
(d) Mandatory disclosures: HERE may be required by or under mandatory law to disclose your personal data to certain authorities or other third parties, for example, to government agencies responsible for the collection of tax, statistical information or to the police or other law enforcement agencies.
(e) Mergers and acquisitions: Where HERE takes steps to sell, buy, merge or otherwise reorganize its businesses in certain countries, this may involve disclosing personal data to prospective or actual purchasers and their advisers. In such circumstances, HERE will take all reasonable steps to ensure that appropriate measures to protect personal data are taken by such prospective or actual purchasers and their advisors.
(f) Other: HERE may disclose your personal data if it is necessary to protect your vital interests. HERE may provide a third party (such as a potential customer or supplier) with your professional contact details where this is necessary in the course of HERE’s normal business. HERE may also disclose and otherwise process your personal data in accordance with applicable law to defend HERE’s legitimate interests, for example, in civil or criminal legal proceedings.
Everyone working at HERE has a responsibility to ensure that HERE complies with applicable laws concerning data protection and privacy as well as and the relevant HERE privacy policies, procedures, requirements and guidelines.
During your work, you may have access to, or come into contact with, personal data about others (e.g. HERE employees or other persons). Depending on your role within HERE such personal data may range from individuals’ names to Sensitive Information about their health. You must handle and process all such personal data discreetly, confidentially and in accordance with local laws on data protection and privacy as well as HERE policies, requirements and guidelines, as well as the terms and conditions included in the contract under which you have been engaged with HERE (either directly, or through your employer). This obligation also applies in your private communication (e.g. not disclosing personal data of others). The obligation to respect data protection and privacy does not cease when your engagement with HERE ends.
To assist HERE in maintaining accurate personal data, please advise your line manager at HERE or HERE Human Resources of any changes to your personal data. If you provide personal data about members of third parties (e.g. for emergency contact purposes), it is your responsibility to inform them of the processing of such data and their rights thereto as described in this Policy.
Failure to comply with your responsibilities as set out in this Policy could have serious consequences for you and for HERE. You may be subject to appropriate disciplinary action in accordance with local law, up to and including termination of the contract on which your engagement is based. Furthermore, knowingly or recklessly disclosing personal data in breach of HERE policies, procedures, requirements or guidelines could even make you criminally liable.
With respect to the processing of your personal data, you will always have the rights as provided in the applicable local law. In addition, this Policy provides you the following rights:
- Right to access: You are entitled to be informed of what personal data HERE holds about you, the purposes for which they are being processed and categories of recipients to whom they are being or may be disclosed. There may be certain categories of information prescribed by applicable local law that HERE may lawfully withhold. If HERE declines to provide access to any of the personal data you request, you will be provided with the reasons for such a decision.
- Right to request correction and deletion: Subject to applicable local law, you may be entitled to request HERE to rectify, delete or block (as appropriate) your personal data that is incorrect, incomplete or unnecessary.
- Right to data portability: Subject to applicable local law, you may be entitled to receive a copy of certain personal data in a commonly used machine-readable format.
- Right to object: You may object to HERE’s processing of your personal data on compelling, legitimate grounds relating to your circumstances. Despite your objections, HERE may be required or permitted by law to process your personal data.
- Right to restriction of processing: You have the right to require HERE to restrict its processing of your personal data (1) during verification of whether your right to object applies; (2) if you contest the accuracy of the personal data, for the period enabling HERE to verify the accuracy of the personal data; (3) if HERE’s processing is unlawful; and (4) HERE no longer needs your personal data for the purposes of the processing, but you wish HERE to retain the data for the establishment, exercise, or defense of legal claims. During the restricted processing period, HERE will only process the personal data for storage purposes, with your consent, for the establishment, defense or exercise of legal claims, or other purposes permitted by law.
- Remedies in case of a violation: You are entitled to all rights and remedies provided by local applicable law. Generally, you should seek redress in respect of a violation of this Policy from the HERE company which originally collected the relevant personal data.
- Right to withdraw consent: Where the data processing is based on your consent, you may withdraw that consent at any time. Withdrawal of that consent will not affect the lawfulness of processing based on that consent prior to its withdrawal.
- Right to lodge a complaint with a supervisory authority: If you are located in a European Union member state or within the European Economic Area, you have the right to lodge a complaint about HERE’s data collection and processing actions with the supervisory authority concerned.
There will be no adverse consequences in you exercising your rights as mentioned above.
If you want to exercise your rights as described in Section 10 of this Policy you may make a request personally or send a signed request in writing to the HERE Privacy Office through the contact provided below.
HERE may need to identify you and to ask for additional information to be able to fulfill your request. HERE will fulfill your request within the timeframes required by applicable local law and in absence of law within a reasonable time.
HERE Global B.V. has appointed Emmanuel Salami as its Data Protection Officer. You may contact HERE Global B.V.’s Data Protection Officer if you have any queries or suggestions concerning Privacy matters in HERE or if you believe that a HERE company or business is not complying with this Policy. Such queries, suggestions and concerns may be made or reported in writing to the below address or through contact details disclosed in HERE intranet.
HERE Technologies c/o Privacy Office
Invalidenstraße 116
10115 Berlin
Germany
Email: privacy@here.com
HERE shall investigate non-compliance and take action it considers appropriate.
11) Cooperation with data protection authorities
Subject to applicable law, HERE will respond to all requests for information and cooperate with any investigations by competent national data protection authorities. HERE will also, consistent with the applicable law and in consideration of all relevant stakeholder interests, implement recommendations from national data protection authorities.
HERE will ensure that procedures established to implement this Policy are subject to internal assessment or audit, or to assessment or audit by independent third parties.
13) Controller of your personal data
The controller of your personal data is the HERE entity with which you or your employer have a services agreement. This HERE entity determines alone or occasionally jointly with other HERE entities the purposes and means of processing your personal data. HERE Global B.V. is the controller of your personal data processed in connection with global databases and systems. HERE Global B.V.’s contact information is as follows:
HERE Global B.V. c/o Privacy Office
Kennedyplein 222 -226
5611 ZT Eindhoven
Netherlands
14) Changes to this Privacy Policy
HERE will from time to time review and revise its data protection practices including this Policy. If any amendments are made, HERE will give a prominent notice indicating the existence and nature of the changes on relevant intranet sites or by other more personal means if required by applicable law.
15) California Externals Privacy Notice Supplement
PURPOSE OF THIS NOTICE: If you are a California resident, this California Supplement describes our collection and use of your personal information and is intended to satisfy our applicable notice requirements under the California Consumer Privacy Act (“CCPA”). This California Supplement applies to California residents who are subject to, and should be read in conjunction with, the above HERE Externals Privacy Policy. We may provide you with additional notices about our data collection practices that are covered by other laws (e.g., if we conduct a background check and/or collect health information).
SCOPE OF THIS NOTICE: If you are a California resident, this California Supplement applies to personal information that we collect and use in order to manage work assignments or projects and our relationship with you.
What is personal information? In this California Supplement, “personal information” is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.
What isn’t covered by this notice? This California Supplement does not address or apply to our collection of personal information that is not subject to the CCPA, such as protected health information (or “PHI”), consumer credit reports and background checks, publicly available data lawfully made available from state or federal government records, or other information that is exempt under the CCPA. This California Supplement also does not apply to the personal information we collect from externals in the context of their personal use of our products and services (which is subject to our Privacy Policy at https://legal.here.com/privacy).
Are our practices the same for all externals? The categories of personal information we collect and our use of personal information may vary depending on the circumstances, such as your work assignment or project or the amount or sensitivity of the information or assets you may access as part of your work assignment or project.
CATEGORIES OF PERSONAL INFORMATION COLLECTED: Generally, we may collect the below categories of personal information about you:
- Name, Contact Info and other Identifiers. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Protected Classifications. Characteristics of protected classifications under California or federal law such as race, color, sex, sexual orientation, gender identity, age, religion, national origin, disability, citizenship status, military/veteran status, marital status, medical condition and pregnancy.
- Usage Data. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding an external’s interaction with an internet website, application or advertisement, as well as physical and network access logs and other network activity information related to your use of any HERE device, network or other information resource.
- Geolocation Data. Precise geographic location information about a particular individual or device.
- Audio, Video and other Electronic Data. Audio, electronic, visual, thermal, olfactory or similar information such as CCTV footage, photographs, and call recordings and other audio recordings (e.g., recorded meetings and webinars).
- Employment History. Professional or employment-related information.
- Education Information. Information about education history or background that is not publicly available personally identifiable information as defined in the Federal Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Profiles and Inferences. Inferences drawn from any of the information identified above to create a profile about a contractor reflecting the contractor’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
PURPOSES FOR COLLECTING AND USING PERSONAL INFORMATION: Generally, we may use the above categories of personal information for the following purposes:
- Administering Relationships. To administer your projects or assignments and HERE’s relationship with you, including:
- Reviewing, assessing and administering payments to or for externals
- Reviewing reported time worked, if applicable
- Reviewing and validating qualifications (e.g., credentials and licenses) and experience and approving assignments or projects
- Conducting due diligence and screening of externals
- Monitoring compliance with agreements and HERE policies and procedures, if applicable
- Maintaining records of emergency contact information for use in the event of an emergency
- Granting access to relevant systems and assets
- Otherwise as necessary related to a particular project or assignment
- General Business Operations. In support of our business operations, including:
- Auditing and assessing performance of business operations, including client services and associated activities
- Quality control
- Satisfying client reporting and auditing obligations
- Security and Monitoring. In order to monitor and secure our resources, network, premises and assets, including:
- Monitoring for, preventing and investigating suspected or alleged misconduct or violations of agreements, policies or procedures
- Monitoring for, preventing, investigating and responding to security and privacy incidents
- Providing and managing access to physical and technical access controls
- Monitoring activities, access and use to ensure the security and functioning of our systems and assets
- Securing our offices, premises and physical assets, including through the use of electronic access systems and video monitoring.
- Auditing, Accounting and Corporate Governance. Relating to financial, tax and accounting audits, and audits and assessments of our business operations, security controls, financial controls or compliance with legal obligations, and for other internal business purposes such as administration of our records retention program.
- M&A and Other Business Transactions. For purposes of planning, due diligence and implementation of commercial transactions (e.g., mergers, acquisitions, asset sales or transfers, bankruptcy or reorganization or other similar business transactions).
- Defending and Protecting Rights. In order to protect and defend our rights and interests and those of third parties, including to manage and respond to legal claims or disputes, and to otherwise establish, defend or protect our rights or interests, or the rights, interests, health or safety of others, including in the context of anticipated or actual litigation with third parties.
- Compliance with Applicable Legal Obligations. Relating to compliance with applicable legal obligations (such as responding to subpoenas and court orders) as well as assessments, reviews and reporting relating to such legal obligations, including under employment and labor laws and regulations, social security and tax laws, environmental regulations, workplace safety laws and regulations and other applicable laws, regulations, opinions and guidance.
CONTACTING US ABOUT THIS NOTICE: If you have any questions or concerns regarding our use of personal information as described in this California Supplement, please contact CAprivacy@here.com.