Privacy Around Data Collected By Our Products

Effective: June 8, 2021

About us (the “Data Processor”)

WorkForce Software, LLC

38705 Seven Mile Road, Suite 300

Livonia, MI 48393

United States of America

+1‐877‐493‐6723

[email protected]

…including subsidiaries:

WorkForce Software processes personal data relating to our role as a provider and processor of workforce management solutions, along with related services such implementation and support.

Data Protection Officer

We have contracted with IT Governance in the UK for Data Protection Officer Services. The Data Protection Officer (DPO) provides advice and guidance around our General Data Protection Regulation Compliance. Generally, questions you may have around privacy should be sent first to [email protected] and we will escalate to the DPO as necessary. Our Data Protection Officer is:

GRCI Law
Unit 3 Clive Court
Bartholomews Walk
Cambridgeshire Business Park
Ely, Cambridgeshire
CB7 4EA, UK
[email protected]
+44 (0) 333 800 7000

EU Representative

We have appointed GRCI Law to act as our EU Representative and all requests, questions and comments should either be emailed to [email protected] or addressed to:

c/o Head of Data Privacy Manager Service
GRCI Law Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely, Cambridgeshire, CB7 4EA, UK

or:

Head of Data Privacy Manager Service
IT Governance Europe
Third Floor, The Boyne Tower, Bull Ring,
Lagavooren, Drogheda, Co. Louth, A92 F682, Ireland

UK Representative

WorkForce Software Limited
Precedent Drive, Rooksley
Milton Keynes
Buckinghamshire MK13 8PP
United Kingdom
Phone: +44-1908-242-042
[email protected]

What information is collected in our products?

Personal Information stored and processed using our cloud-based products, such as WorkForce Suite, WorkForce Forecasting & Scheduling, EmpLive, Experience, and Enterprise are uploaded and processed by the Customer and the customer’s employees. The customer owns all title, rights, and interest to that data. WorkForce may collect personal data such as IP address and other information that is normally found in system and application logs for use in application performance monitoring and troubleshooting purposes.

Each customer requires different personal information to be processed. Common types of information include (but not limited to):

• Employee ID, name, work hours/schedules, and pay rates/salary.
• Optional fields the customer may use if necessary include:
  • employee photograph,
  • corporate logon ID,
  • work address, location, e-mail address, etc.
  • home address, phone numbers, email address, etc.
• Special categories of optional and potentially sensitive data include:
  • Health information may be optionally collected to ensure compliance with leave regulations
  • Trade union membership to ensure pay and absence rules conform to collective bargaining agreements
  • Biometric data to authenticate or to identify an employee (See our Biometric Privacy Policy for more information)
  • Geolocation data to determine if a time registration is “valid” and that an employee is registering their time where their employer expects them to be working (See our Geolocation Data Collection – Technical Information for more information
• IP address, browser information, device information and other personal information from above may be collected as part of normal system and application logging. This information is used to troubleshoot problems or detect security events.
• There are open text fields within our products that customers may use to collect any other data. Customers should ensure this data collection complies with applicable regulations.

Why do we process personal data in our products?

The personal data is collected based on the performance of a contract with our customer (the Data Controller).  Data is only processed by Workforce Software (the Data Processor) per the instructions from the customer (contractual agreement). The customer may use their data to perform time and attendance processing, to create and maintain labor schedules, to manage employee leave, allow employees to manage tasks and communicate with other employees, or for other purposes the customer may identify in their privacy notice.

We have a legitimate interest to protect personal information from customers and to ensure our solution are available and performing well, and we use monitoring to detect security, performance and availability events on our systems and networks. Personal data (e.g., IP address) may be included in such monitoring.

Who has access to your data in our products?

We do not sell your information or provide it to other organizations so they can sell it. Data stored in our products is not used for marketing purposes.

Personal information stored and processed by our products may be accessed by:

• Authorized members of the customer (your employer);
• Authorized staff at WorkForce Software who are responsible for delivering, maintaining and supporting the services we provide to the customer;
• Third party consulting and contracting services we use to help configure, maintain, and test the solution for the customer.
• Third-parties we use to provide additional product features that may be used by you. Examples include SMS or voice interactive response services, help and tutorial systems, data analytics, and user engagement surveys.
• Third-parties used by us to help us analyze user experience with our interfaces so we can improve the product.

Third parties work under our instruction and are not allowed to use data for other purposes.

WorkForce Software is subject to the investigatory and enforcement powers of the FTC and is required to disclose personal information in response to lawful requests by public authorities to meet national security or law enforcement requirements.

Data Transfer

Your personal information may be transferred out of your home country. For example, we host your data from the processing facility selected by the customer from a list of WorkForce Software global processing facilities. We may also employee third parties to help customers configure and test business rules and import/export functionality. Data is only transferred outside the EEA or UK based on a declaration of adequacy, the Standard Contractual Clauses, or EU-US Privacy Shield Certification. You may request more details about those safeguards by sending an email to [email protected]).

How do we protect data in our products?

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by authorized employees and partners in the performance of their duties. We are ISO 27001 certified and use independent third parties to perform security and privacy audits (SOC 1, ISAE 3402, SOC 2, and GDPR compliance), vulnerability scanning, network penetration testing, and web application security testing.

Where we engage third parties, they process your data based on written instructions from us, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure the security of your data. We have a third-party risk management program. We are responsible for any data that is transferred to third parties.

You may request more details about those safeguards by sending an email to [email protected]).

How long do we store data in our products?

The contract we hold with the customer specifies how long we retain personal information stored in our products. The customer determines the retention period. We delete personal information at the end of the contract. Deletion occurs based on the contractual agreement, but no longer than 90 days after contract termination. The customer, if they request, will receive a copy of the data.

Cookies

Cookies are used to maintain session state. No cookies, pixels, web beacons or other technologies are used for marketing purposes.

Your rights

Individuals whose data is processed by our products have several privacy rights. You can:

• access and obtain a copy of your data on within one month via a written request and free of charge;
• require changes incorrect or incomplete data;
• require delete to be deleted or to stop processing your data, for example, when processing is found to be unlawful or your data is no longer needed for the purpose of processing;
• object to the processing of your data where we rely on legitimate interests as the legal ground for processing; and
• ask that processing your data be stopped for a period if data is inaccurate or there is a dispute about whether your interests override the company’s legitimate grounds for processing data.
• provide a copy of your data to you in an industry-standard format.

If you would like to exercise any of these rights, you should contact the Human Resource Department or Data Privacy Officer for your organization. If you have any questions or issues, please contact

Privacy Officer
WorkForce Software, LLC
38705 Seven Mile Road, Suite 300
Livonia, MI 48152
United States of America
+1‐877‐493‐6723 (Toll Free)
[email protected]

Do we use automated decision-making?

The data processing may make automated decision-make around payrolls, schedules, and leave.

What do I do if I have a dispute?

If you believe we have not complied with your data protection rights, please contact

Privacy Officer
WorkForce Software, LLC
38705 Seven Mile Road, Suite 300
Livonia, MI 48152
United States of America
+1‐877‐493‐6723
[email protected]

If the Privacy Officer is not able to provide a satisfactory response, you may escalate to:

People in the European Economic Area (EEA)

Supervisory Authority: You may seek resolution by contacting the Supervisory Authority in your country or our lead Supervisory Authority:

The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Phone: +44 1625 545 745
Email: [email protected]

Privacy Shield: You may also seek resolution through Privacy Shield. WorkForce Software complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom ,  and Switzerland to the United States.  WorkForce Software has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, WorkForce Software commits to resolve complaints about our collection or use of your personal information.  EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact:

Privacy Officer
WorkForce Software, LLC
38705 Seven Mile Road, Suite 300
Livonia, MI 48152
United States of America
+1‐877‐493‐6723
[email protected]

WorkForce Software has further committed to refer unresolved Privacy Shield complaints to International Centre for Dispute Resolution, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://go.adr.org/privacyshield.html for more information or to file a complaint (https://go.adr.org/rs/294-SFS-516/images/PrivacyShield_Notice_of_Arbitration.pdf). The services of International Centre for Dispute Resolution are provided at no cost to you. Under certain conditions, you may invoke binding arbitration.

People who are not in the European Economic Area

Disputes that cannot be resolved between WorkForce Software and you will be handled, free of charge, in accordance with applicable dispute resolution procedures through the American Arbitration Association, which are available for review at https://go.adr.org/privacyshield.html.