Privacy Statement CGI Nederland

1. PURPOSE

CGI Nederland B.V. (“CGI”) is committed to the appropriate and lawful treatment of personal data which CGI collects, stores and processes on its own behalf as well as on behalf of its clients. CGI believes that this is important for effective, efficient and responsible operations and necessary to sustain successful business operations. CGI respects the privacy of its business partners, clients and members and has prepared this statement to inform them of the purposes for which CGI will process their personal data as well as the obligations on CGI, its employees and its third party processors when processing personal data.

This Privacy Statement gives CGI employees and its clients guidance on how to provide adequate and consistent safeguards when processing personal data. It also establishes the expectations that data subjects and their controllers can have in relation to the processing of their own personal data in the CGI workplace and when their personal data is processed on CGI’s behalf by third party processors.

2. SCOPE

This Privacy Statement sets out the minimum standard that CGI has implemented when CGI, its employees and third party processors process personal data. It has been approved under the authority of the CGI board of directors. CGI’s Corporate Legal Services (NL) owns this Privacy Statement. Any questions or concerns about the interpretation or operation of this Privacy Statement should be raised in the first instance with the CGI NL data protection officer or HR representative. In addition to this Privacy Statement, CGI has also, in compliance with the Dutch act “Wet Melding Datalekken” and in anticipation of the EU General Data Protection Regulation, implemented an internal procedure on how to deal with loss of all data and reporting obligations in that respect.

3. INTERPRETATION

In this Privacy Statement the terms personal data, processing, controller and processor have the meanings ascribed to them in the European Data Protection Directive 95/46/EC, as amended from time to time, and implemented in the Netherlands as the “WBP” (Wet Bescherming Persoonsgegevens).

For the purpose of understanding this Privacy Statement, the following definitions are relevant:

  1. “data controller” - the person, company or organization which determines the purposes for which, and the manner in which, personal data is processed. The data controller has a responsibility to establish practices and policies in line with applicable law.
  2. “data processor” - a person, company or organization which processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include third party companies which process personal data on CGI’s behalf.
  3. "data subject" - the individual who is the subject of personal data that is being processed by CGI or a CGI data processor.
  4. "EEA" - the European Union (“EU”) together with the countries that are members of the European Economic Area from time to time.
  5. “employee” - for the purpose of this Privacy Statement only, this means an employee, staff member, worker, individual consultant, agent or director, and “employment” shall be construed accordingly.
  6. "CGI" - CGI Nederland B.V.
  7. "notification" - the notification or registration of CGI's data processing activities (where required) to the applicable data protection authority/regulator.
  8. "personal data" - any information from which a living individual can be identified directly or indirectly, either on its own or together with other information which is in, or is likely to come into, the possession of CGI or CGI’s data processor. Personal data includes (but is not limited to) information such as telephone numbers, names, addresses (including email addresses), sound and image data (for example photographs, video and voice recordings), indications of status and title, as well as recorded remarks about individuals.
  9. "process" - obtain, record, access or store personal data or carry out any operation on the personal data including: organisation, adaptation or alteration of the personal data; or retrieval, consultation or use of the personal data; or disclosure of the personal data by transmission or otherwise making available; or alignment, blocking, erasure or destruction of the personal data.
     
    Examples of how processing can occur include the use of personal data in the following situations:
    1. In an automated way, for example, by mainframe computers, servers, PCs, email or filing systems, laptops, PDAs, pads, mobile/cellular/smart telephones; and/or
    2. In a manual way, which includes a set of information relating to individuals which is structured according to criteria which allows access to specific personal data, for example, card indices or manual files of client, employee or supplier data which is stored in a structured way.
  10. "sensitive personal data" - personal data that contains information relating to: racial or ethnic origin; political opinions; religious beliefs or beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life; information relating to the commission, or alleged commission of an offence, or proceedings for offences committed or allegedly committed by a data subject; or any other category of personal data which is stated to be “sensitive personal data”.
     

4. PURPOSE AND BASIS OF PERSONAL DATA PROCESSING

4.1. Processing of Client Personal Data

CGI will usually be a data processor (or in certain specific, limited circumstances, a data controller) in client contracts which require it to process personal data controlled by its clients. Such personal data may relate to the client’s employees for the purposes of payroll processing, individual consumers who purchase the client’s products, individual account holders with clients that are financial institutions etc.

CGI’s Privacy Statement endeavors to comply with the WBP in relation to personal data it processes while executing client contracts, including making any necessary notifications as well as the use of appropriate technological and organizational measures to protect against unlawful processing, accidental loss, damage or destruction of personal data. CGI may agree contractual provisions with its client to ensure compliance with such applicable data protection law, including but not limited to EU model contractual clauses if required to allow a transfer from within the EEA to a country outside the EEA, or to any country not designated as adequate by the European Commission.

On certain occasions CGI will, only for its internal business purposes, internal reporting and analysis, auditing and customer management (e.g. customer satisfaction / reporting), transfer personal data to specific companies within the CGI Group. This allows CGI to improve the products and services it offers to clients. The protection of the personal data to be transferred within CGI Group and compliance with the technological and organizational protective measures which are to be met is secured by specific data transfer agreements between the receiving entity and CGI or the CGI Intra Group Transfer Agreement, both employing the EU model clauses.

4.2. Processing of Personal Data relating to Enquirers, Website Users, Marketing Contacts, Visitors etc.

CGI will process personal data relating to data subjects who contact CGI for various purposes, for example through CGI websites, by email, telephone, letter and other means of communication. CGI may process personal data relating to visitors to CGI controlled premises. CGI may also process personal data for marketing purposes. For further reference see: www.cgi.com/en/global-privacy that applies to www.cginederland.nl.

CGI will usually be designated as a data controller in relation to such personal data. CGI’s Privacy Statement endeavors to comply with the WBP with respect to personal data it processes in relation to such data subjects, including making appropriate notifications as well as the use of appropriate technological and organizational measures to protect against unlawful processing, accidental loss, damage or destruction of personal data.

CGI may collect and process personal data that is provided voluntarily to CGI when information is requested about CGI’s services, questions are submitted, when subscription to newsletters occurs or when résumés are submitted for career opportunities at CGI.

On certain occasions CGI will, only for its internal business purposes, internal reporting and analysis, auditing and customer management (e.g. customer satisfaction / reporting), transfer personal data to specific companies within the CGI Group. This allows CGI to improve the products and services it offers to clients. The protection of the personal data to be transferred within CGI Group and compliance with the technological and organizational protective measures which are to be met is secured by specific data transfer agreements between the receiving entity and CGI or the CGI Intra Group Transfer Agreement, both employing the EU model clauses.

4.3. Processing of CGI Employee “Member” Personal Data

General

For personal data relating to members, CGI Nederland B.V. is the data controller. CGI will comply with applicable laws (including where necessary any requirement to obtain consent from a data subject or the competent employee representative body – NL Works Council) regarding the processing of any personal data relating to members. In addition to this Privacy Statement, CGI's standard contracts, applicable policies and member communications may specify the purposes for which CGI may, from time to time, collect and process personal data.

On certain occasions CGI will, only for its internal business purposes, global HR services, payroll services, internal reporting, auditing, member management and security reasons, transfer personal data to specific companies within the CGI Group. The protection of the personal data to be transferred within CGI Group and compliance with the technological and organizational protective measures which are to be met is secured by specific data transfer agreements between the receiving entity and CGI or the CGI Intra Group Transfer Agreement, both employing the EU model clauses.

Purposes for Processing

Subject to applicable legal requirements and restrictions, including but not limited to the general requirement to collect and process only what is necessary to achieve the relevant purpose, CGI may process some or all of the following personal data categories: name, address (including email address), telephone number, emergency contact details, next of kin details, marital status, date of birth, referee details, education details, work permit details, passport number, national identity number, taxation reference number, bank account details, credit/debit card details, other financial details, employee number, IP address, driving license, car registration number, and photograph.

The main purposes for processing personal data relating to members may include the following:

  1. Payroll, Pension, Finance, Shares - CGI may share relevant personal data with pensions and share scheme administrators, scheme providers, insurance companies and other similar service providers in relation to employment obligations and employee benefits. CGI will also process personal data for the purpose of identifying and paying members.
  2. Commercial Administration and Management - CGI may use personal data for managing its commercial activities such as paying invoices, communicating with its business partners and potential business partners, arranging meetings, business travel, visa applications, asset management and complying with and managing business partner contractual obligations (including employee placement/assignment with clients).
  3. Employee Administration and Management - CGI may process personal data (including where appropriate, and subject to this Privacy Statement and the WBP, sensitive personal data) about members and (where relevant) their dependents and next of kin, for purposes related to their employment with CGI. This may include recruitment, general management, performance management, career development, health and safety compliance, provision of health insurance, life insurance, sickness monitoring/compliance, diversity monitoring, disciplinary procedures, security checks (if and where required), visa applications and other immigration requirements, communications to and from members, member contact directories, sensitive/secure area access controls, IT system administration and management, payment of taxes, expense processing and employee benefits. From time to time, and subject to local requirements, CGI may offer its members a range of benefits and discounts that it has negotiated with other companies and may supply relevant personal data to carefully screened third party organizations to offer and provide such benefits.
  4. Enterprise Security and Quality Control – CGI provides its members with PCs, laptops and (mobile) telephones enabling access to the internet, e-mail, social media, CGI Group’s intranet and various software applications and tools. Besides this digital equipment, CGI also provides cars and physical workspaces (all of the latter being company property). CGI trusts that each member acts responsibly when using company property and strictly abides by all applicable codes of conduct that are issued in that respect, such as, but not limited to, the Code of Ethics and Business Conduct, Security and Acceptable use policy and the policy on the use of third party software. CGI may have good and legally justifiable reasons to monitor the use of digital equipment / devices and digital traffic through the equipment and devices by members, taking into consideration the necessity of the monitoring and the member’s privacy. Incidental investigations will only be done for substantial reasons in targeted situations, and the NL Security Office will always be involved in such investigations, taking the security incident investigation and reporting processes into account. Monitoring and recording internet usage history and e-mail correspondence will only be implemented following a collective consultation process with the NL Works Council.
  5. Corporate Finance, Mergers and Acquisitions – from time to time, CGI buys, sells and/or transfers group companies, business assets, financial instruments/arrangements, and contracts. In relation to such opportunities and arrangements, CGI may share relevant personal data with potential buyers, sellers, professional advisors and regulatory authorities, subject to obligations of confidentiality and local legal restrictions.
  6. Regulatory, Professional and Membership Requirements – CGI may process personal data about members, and transfer personal data to relevant regulatory bodies and professional/trade/industry organizations, in relation to membership applications and renewals, regulatory requirements (including regulatory/legal reporting requirements), professional standards etc.
  7. Health, Safety, Law and Insurance – CGI may process personal data and transfer to appropriate third parties (including CGI’s facilities managers, event organizers, insurers, advisors and business partners) to comply with health, safety, legal, insurance, travel and emergency requirements.
  8. Compliance with Local Legal Requirements and Agreed Practices – CGI may process personal data, and transfer personal data to other entities within the CGI Group and/or appropriate third parties, as and when local laws require or permit it or where local practices have been agreed with members, employee representatives, data protection officers, and/or data protection authorities/regulators.
     

4.4. Internal Transfer and Third Party Processing

In order to manage the CGI Group’s business efficiently, and to work as a global organization with standardized systems and processes, personal data of members (including where appropriate, in accordance with this Privacy Statement and local legal requirements, sensitive personal data) may be transferred by CGI to other entities within the CGI Group and their designated third party processors for processing worldwide (both inside and outside the EEA). The protection of the personal data to be transferred within CGI Group is secured by the CGI Intra Group Transfer Agreement employing the EU model clauses.

5. REQUESTS RELATING TO PERSONAL DATA

Data subjects have certain rights under the WBP to request access to their personal data held by CGI and/or information about how CGI processes their personal data. Such a formal request from a data subject must be made in writing to CGI at dpo@cgi.com – or using the “Contact Us” page, with as many details as possible of the type of personal data requested, relevant dates of personal data collection/processing and any other information which can reasonably assist in the search for the personal data.

CGI members who wish to make such a request should do this in writing to the NL data protection officer at dpo@cgi.com or the HR representative. Any member who receives a written request for personal data should forward it to the NL data protection officer at dpo@cgi.com immediately.

CGI will act in accordance with the WBP and other relevant legal obligations and its contractual obligations in the search for and provision of relevant personal data and requires data processors which process personal data to do the same. CGI may need to ask the data subject further questions in relation to the personal data or to verify the data subject’s identity.

Personal data must also be accurate and, where necessary, up to date. CGI may create systems and procedures to allow members to access and update their personal data directly, and members should use these methods wherever possible. Members can also contact their HR representative for further details.

On termination of employment for whatever reason, CGI shall maintain the personal data of former members for such time as shall be necessary and permissible in accordance with applicable law and to continue to provide appropriate ongoing benefits and services (for example, employee share schemes and pension administration).

6. COMPLIANCE BY CGI MEMBERS

General Good Practice

Members with access to personal data have a responsibility to treat it with care and discretion. Members should put into place good practice measures, follow management guidelines and utilize relevant CGI training courses as are available from time to time to ensure the protection of personal data against misuse and loss. Examples of good practice include (but are not limited to) the following:

  • Care should be taken when processing personal data to avoid unauthorized disclosure, such as to co-workers, visitors and other third parties;
  • Members should avoid leaving computer screens unattended while work is in progress and must give attention to the safe and secure storage of all disks, storage devices, print-outs and manual files;
  • Members should not disclose their “User IDs” for any system to any unauthorized individuals, including co-workers, and should ensure that CGI’s password and security/confidentiality policies are followed;
  • Members should use common-sense security controls and good practice, such as displaying their own security badge at all times, reporting to the NL Security Office at security.nl@cgi.com or their manager any stranger/unusual activity seen in an entry-controlled area, locking away confidential information including personal data, and disposing of documents in accordance with their level of sensitivity;
  • Members should, pursuant to the procedure Melding Datalekken, report any data leakage incident immediately as described in this procedure at security.nl@cgi.com.
     

7. REVISIONS AND CHANGES TO THIS STATEMENT

This Privacy Statement may change from time to time, so CGI's business partners, clients and members should refer to this Statement on a frequent basis. With respect to material changes, CGI will comply with applicable law (including where necessary any requirement to obtain consent from the competent employee representative body – NL Works Council). CGI will ensure that members are notified of any changes to the Privacy Statement promptly, by posting as an “update” on the internet/intranet, by email or other appropriate method of communication. CGI’s business partners and clients should request a status update on a periodic basis.