Great Place to Work® Institute, Inc.
Global Privacy Notice
Updated March, 2021
Table of Contents
- Information Collected
- Purposes of Processing Your Personal Information and Potential Uses
- Your Right to Access, Rectify, and Object to Your Personal Information
- Safeguarding Your Personal Information
- Links to Other Sites
- International Data Transfers
- GPTW EU-U.S. and Swiss-U.S. Privacy Shield Notice
- Emprising™ Complies with All Global Data Security and Data Privacy Laws
- Updates to Our Global Notice
- How to Contact GPTW
Great Place To Work Institute Inc. (GPTW) and its licensed affiliates (collectively, "GPTW Network") respect your privacy. This Global Privacy Notice describes the types of personal information we collect, how we use the information, with whom we share it, and the choices you can make about our use of the information. We also describe the measures we take to protect the security of the information and how you can contact us about our privacy practices. Our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements.
1. Information Collected
GPTW collects information from you when you choose to share it with us through or in connection with, but not limited to, our websites, events, conferences, client engagements, survey and assessment tools, workplace accreditations, and business development activities. For example, you may share your personal information with us to submit an inquiry through our websites, sign up for our e-mail lists or newsletters, register for an event or conference, apply for one of our Best Companies to Work For lists, receive information about our events, products and services, and/or have us contact you regarding a potential or actual future, existing or current project or engagement. The information we collect may include name, address, telephone number, mobile telephone number, e-mail address, company name, job function, company industry, company size, nature of your inquiry, the types of information you want to receive, event information, dietary restrictions and meal preferences, and if you make a purchase, credit/debit card number or other financial information.
You can set your Internet browser or operating system settings to stop accepting new cookies, to receive notice when you receive a new cookie, to disable existing cookies, to omit images (which will disable pixel tags) or adjust your tracking preferences. Note that the opt-out will apply only to the browser that you are using when you elect to opt out of advertising cookies. Without cookies or pixel tags though, you may not be able to take full advantage of our sites’ features. Check the “Tools” or “Help” tab on your browser to learn how to change your cookie and other tracking preferences.
Our website may host various blogs, forums, wikis, and other social media applications or services that allow you to share content with other users (collectively “Social Media Applications”). Any personal information or other information that you contribute to any Social Media Application can be read, collected, and used by other users of that Social Media Application over whom we have little or no control. Therefore, we are not responsible for any other user’s use, misuse, or misappropriation of any personal information or other information that you contribute to any Social Media Application.
GPTW may also use Google Analytics and other service providers to collect information regarding visitor behavior and visitor demographics on our Services. For more information about Google Analytics, please visit www.google.com/policies/privacy/partners/. You can opt out of Google’s collection and processing of data generated by your use of the Services by going to http://tools.google.com/dlpage/gaoptout.
3. Purposes of Processing Your Personal Information And Potential Uses
GPTW processes your information for the following purposes or may use your information in the following ways:
- Respond to your inquiries or requests via the contact information you provide, including but not limited to e-mail;
- Sign you up for, and provide you with, our newsletters and informative e-mail messages, as well as those of other licensed affiliates within the GPTW Network;
- Register you for our events and conferences, as well as those of other licensed affiliates within the GPTW Network;
- Promote our events and conferences, as well as those of other licensed affiliates within the GPTW Network;
- Provide you with information regarding our events, conferences, products and services, as well as those of other licensed affiliates within the GPTW Network;
- Register and consider your company for one of our Best Companies to Work For lists;
- Communicate and/or coordinate with you regarding potential or actual future, current or past projects and engagements;
- Facilitate the purchase of our books, products, services or other offerings, as well as those of other licensed affiliates within the GPTW Network;
- Develop new products and services;
- Address problems and review the usage and operations of our websites or business, and improve our content, products, and services;
- Manage our telecommunications networks, as well as those of other licensed affiliates within the GPTW Network;
- Process and archive scientific and historical research and statistical analysis assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces;
- Protect the security or integrity of our sites and our business, as well as those of other licensed affiliates within the GPTW Network;
- Facilitate or consider the sale of GPTW or one of our licensed affiliates to another company;
- Investigate or prevent an actual or suspected crime or injury to ourselves or others; and
- Respond to a request from law enforcement authorities or other government officials, or as otherwise required by law.
4. Your Right to Access, Rectify, and Object To Your Personal Information
You have the right to obtain the following information from us:
- Confirmation as to whether or not your personal information is being processed by GPTW and
If we are processing your personal information:
- Purposes of the processing;
- Categories of data concerned;
- Recipients or categories of recipients to whom the personal information is disclosed, including the identity of any service providers we use to process your personal information on our behalf;
- Details of any transfers of your personal information to non-European countries; and
- Copy of the personal information being processed and of any available information as to the source of the information, except where prohibited by law.
You have the right to obtain this information from us at reasonable intervals and without excessive delay, unless we are prohibited by law from sharing such information or where it is necessary to protect the rights and freedoms of others.
GPTW takes reasonable care to ensure that your personal information is accurate, and where necessary, kept up to date. If it is determined that your personal information is inaccurate or out of date, we take every reasonable step to correct it.
You can object to the processing of your personal information if it is processed unlawfully. Further, if you allow us to process your personal information as described in this Global Privacy Notice, you can later withdraw your consent at any time (in which case, we will no longer process your personal information and will anonymize it or delete it, as appropriate).
To exercise any of these rights, please contact us as provided below.
5. Safeguarding Your Personal Information
GPTW employs commercially reasonable technical, physical, administrative and organizational safeguards designed to protect the confidentiality, security and integrity of your personal information, including measures aimed at protecting personal information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.
In addition, we contractually require all service providers that process your personal information on our behalf to implement and maintain commercially reasonable technical, physical, administrative and organizational safeguards designed to protect your personal information.
6. Links To Other Sites
GPTW tries to make sure that any links on our websites send you to a helpful and reliable place on the Internet, but we are not responsible for the content of these other websites or their privacy practices. We may also have “plugins” (such as the Facebook “Like” button) to third-party sites or offer login (such as log in with Facebook) through a third-party account. Third-party plugins and login features, including their loading, operation and use, are governed by the privacy notice and terms of the third-party providing them.
GPTW also provides links to the websites of other affiliates within the GPTW Network. These websites are governed by the privacy notice and terms of the GPTW Network affiliate providing them.
7. International Data Transfers
We may transfer the personal information we collect about you to recipients in countries other than the country in which the information was originally collected, including the United States of America. Those countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer your information to other countries, we will protect that information as described in this Global Privacy Notice or as otherwise disclosed to you at the time the data is collected (e.g. via program specific privacy notice).
GPTW is a global business. To offer our services, we may need to transfer your personal information among several countries, including the United States, where we are headquartered. We comply with applicable legal requirements providing adequate safeguards for the transfer of personal information to countries outside of the European Economic Area ("EEA") or Switzerland.
8. GPTW EU-U.S. and Swiss-U.S. Privacy Shield Privacy Notice
Chief Data Protection Officer
Great Place To Work® Institute, Inc.
1999 Harrison Street, Suite 2070, Oakland, CA 94612
GPTW has further committed to cooperate with the panel established by the EU Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data and non-human resources data transferred from the EU and Switzerland.
GPTW receives and processes personal information from or relating to GPTW Affiliates and other legally separate entities in the context of the provision of products, services and support to these entities. Personal information received by GPTW will be treated in accordance with their instructions or pursuant to GPTW contractual arrangements with them consistent with the Privacy Shield requirements. GPTW acts as a data processor with respect to this information.
Individuals have rights under the Privacy Shield to access their personal information and to limit use and disclosure of their personal information. Please contact us if you wish to exercise these rights and we will refer any requests to relevant data controllers and support them as needed in responding to your request.
As a data processor, GPTW will disclose personal information only as authorized by the relevant data controller. We may use a limited number of third-party service providers to assist us in providing our services or in meeting internal business operation needs. These third parties will access information only to perform tasks on our behalf.
GPTW is accountable for the onward transfer of data to third party service providers or agents who assist us in providing services. GPTW maintains contracts with these third parties in compliance with our Privacy Shield obligations and other obligations and accepts liability if those parties fail to meet these obligations and we are responsible for the event giving rise to the damages.
Personal Information may also be disclosed as part of a corporate transaction such as a sale, divestiture, reorganization, merger or acquisition.
Disclosures of personal information may also be required to law enforcement, regulatory, or other government agencies, professional bodies or to other third parties, in each case to comply with legal or regulatory obligations or requests and professional standards. GPTW will notify the applicable data controller of any such request unless prohibited by law.
GPTW is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Should you believe that your rights have been infringed, under limited circumstances a binding arbitration option may be available before a Privacy Shield Panel.
GPTW Privacy Shield Update
On July 16, 2020 the Court of Justice of the EU issued a Decision invalidating the use of the Privacy Shield as a means to transfer personal data from the EU to the US. The Decision did not invalidate the Privacy Shield itself and GPTW continues to comply with its requirements. The Decision affirmed the use of the 2010 Standard Contractual Clauses (SCC) as a means of transferring personal data from the EU to the US if the Company performs a two part “assessment” of GPTW. First, GPTW must inform Company if it is unable to comply with the SCC, which GPTW so warrants. Second, GPTW has put in place what is referred to in the Court decision as “supplementary measures.” GPTW has incorporated all of the SCC into the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com/products-services-agreement and will sign the SCC separately, if desired. One of the supplementary measures implemented by GPTW is a Transparency Report. Initially pursuant to an agreement with the U.S. Department of Justice and later Section 604 of the 2015 USA Freedom Act, a number of tech companies have published statistics in “Transparency Reports” about the production orders received from national security and law enforcement authorities. Providers are allowed to disclose aggregated statistics about the number of requests received pursuant to various criminal and national security authorities, but given the non-disclosure orders that generally accompany FISA and National Security Letters, disclosures are limited to a preset number of data points and the use of general ranges of numbers (“bands”). 
“Since its incorporation as a business and through the date of this Policy, GPTW has never received or been notified of a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information pursuant to the national security laws of the United States or any other country.” Such a declaration further bolsters the proposition that reliance on SCC can ensure adequate protection for EU citizen data, despite the existence of EO 12333, PPD 28 and FISA Section 702.
9. Emprising™ and All Global Data Security and Data Privacy Laws
The GPTW Emprising™ survey and analytics software platform operates by uploading to Emprising an Employee Data File (EDF) containing an email address list for the Company’s Employees taking the survey and, optionally, other information such as pre-coded demographics etc. of the Company’s Employees. The EDF can be uploaded to Emprising either by GPTW or directly by the Company. The EDF is stored encrypted in a separately partitioned area from the Company Employee Data which contains the Survey Responses from the Company’s Employees. When the Company Survey starts running, the email list from the EDF is used to generate a Personalized Invite to each Company Employee which is a log-in identifier unique to each Company Employee. When the Company Survey closes, the link is broken between the EDF and the Company Employee Data containing the Survey Responses of the Company Employees which disassociates and physically separates the EDF from the Company Employee Data. After the survey closes, the Company Employee Data does not contain the Company name, nor the name or email address of the Company Employee, nor any Personal Information that can be used to identify the Company Employee. As a result, the Company Employee Data is immediately de-identified and made anonymous when the survey closes. Within five business days after closing the Company Survey, the functionality of the survey is confirmed by GPTW and the EDF is deleted.
The types and categories of Company Personal Data to be processed are found in the demographic section and Trust Index questions of the survey. If the Company chooses to include demographic data in the survey responses, that demographic data is made part of the EDF which then populates the Survey Responses when the Company Employee uses their unique log-in identifier to take their survey. After the Company Survey closes, any demographic data remains a part of both the EDF and the Company Employee Data. To protect the confidentiality of the Company Employee Data, GPTW uses a suppression algorithm. GPTW will not report on Assessment results in which fewer than five (5) people in a Company demographic group have responded.
The Personalized Invite explains that the results of this survey will be used to determine if the Company can be Great Place to Work-Certified, qualify to be on one of the GPTW Best Workplaces lists and to potentially publish an unbiased review of your workplace on our Great Place to Work Reviews website. The Company Employee is assured that their participation is completely confidential and voluntary. The Survey Responses come directly to GPTW. Besides responding to statements, there are two open-ended questions soliciting an essay style response. The Company has the option to add additional open-ended questions. The Company Employee is advised that should they choose to use their name or the names of others in the essay style responses to the open-ended questions, they will appear verbatim and the Company may read them. Comments you supply may also be quoted in GPTW articles or reviews, but they will never be associated with your name or other personally identifying information.
The nature and purpose as well as the subject matter and duration of the Processing of the Company Personal Data is to collect Company employee survey data for processing and archiving scientific and historical research purposes and statistical purposes assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces. This exact language is found in Article 89 of the GDPR.
The GPTW analytical survey platform named Emprising is hosted by the cloud provider Microsoft Azure. GPTW contracts with Azure to maintain the highest level of Data Security and Data Privacy global compliance at all times. This legal protection is passed along to all GPTW clients through the warranties in the Products and Services Agreement for the entire term of our engagement as detailed below. The Azure audit reports and other resource documentation as well as the Azure Compliance Manager Tool used by GPTW to comply with the GDPR and other privacy laws are found at the following URLs: https://servicetrust.microsoft.com/ and other compliance offerings: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings. A general article about Azure compliance is here: https://www.communicationsquare.com/news/everything-about-gdpr-compliance-in-microsoft-cloud/ and a blog here: https://azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/. There are some country specific compliance resources as well. For example, compliance in Germany is addressed at the following URL: https://servicetrust.microsoft.com/ViewPage/GermanComplianceResourcesV3. To offer an abundance of legal protection to GPTW clients, contractual warranties and representations are provided for the GPTW computer network even though Emprising is hosted by Azure and not the GPTW computer network. Any communication between Emprising hosted on Azure and the GPTW computer network is strictly limited to an end-to-end secure VPN connection using IPSec protocol.
GPTW provides the highest standard of legal protection by warranting to our clients that during the entire term of the engagement, GPTW has not received notice of non-compliance by the firm Abbott, Stringham & Lynch with the following industry standards: CPA-audited financial statements, Service Organization Controls (SOC) Report 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS) through a third party provider. This warranty is stated in Section 7 (Data Security) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com/products-services-agreement.
GPTW considers the third-party financial and security audits of the GPTW computer network to be for “restricted use” and confidential. Accordingly, GPTW does not release them to any company. There are several reasons for this policy. First, a “restricted use” provision is recited in every valid SOC 2 Report. Second, the audits are static in time and may not cover the entire term of the company’s engagement. Third, the audits provide no legal protection to a company. Fourth, a company having possession of these audits places itself at serious risk for no benefit, e.g. should there be a GPTW security breach, any company in possession of these audits would be a primary litigation target and would have to prove that company’s possession of the audits did not cause the GPTW breach.
GPTW uses commercially reasonable efforts consistent with industry standards to collect, transmit, store, protect and maintain the Data and Company Data obtained through the Services. GPTW represents and warrants that during processing or the term of the client’s engagement that it complies with the European Union (EU) 2016 General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 AB 375 (CCPA), the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules, and the Data Protection Laws of all other countries, states, or regulating bodies. This warranty is stated in Section 8 (Data Privacy) of the GPTW Products and Services Agreement which governs the terms of the engagement with GPTW clients and which has the following link on the bottom of the GPTW homepage: https://www.greatplacetowork.com/products-services-agreement. GPTW DOES NOT SELL PERSONAL DATA to any third party.
In an abundance of caution, GPTW also provides the same warranties and representations for the GPTW Network even though it does not support Emprising. Any communication between Emprising hosted on Azure and the GPTW Network is strictly limited to an end-to-end secure VPN connection using IPSec protocol. Accordingly, GPTW considers the third-party security/financial audits of the GPTW Network to be confidential and does not release them to any company. There are several reasons for this policy. First, the audits are static in time and may not cover the entire term of the company’s engagement. Second, the audits provide no legal protection to a company. Third, a company having possession of these audits places itself at serious risk for no benefit, e.g. should there be a GPTW security breach, any company in possession of these audits would be a primary litigation target and would have to prove that company’s possession of the audits did not cause the GPTW breach. Instead, GPTW provides the highest standard of legal protection by warranting to all GPTW clients that during the entire term of the engagement GPTW will comply with the following industry standards: Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS). This warranty is found on the GPTW website in Section 7 (Data Security) of the GPTW Products and Services Agreement (PSA).
As advised in the GDPR, GPTW maintains a full-time Chief Data Protection Officer (CDPO) and staff to ensure compliance with all Data Protection Laws. The CDPO reports directly to the CEO of GPTW. GPTW also employs a full-time Certified Information Privacy Practitioner (CIPP) and staff who is certified under the NIST standard as administered by the International Association of Privacy Professionals at www.iapp.org.
10. Updates To Our Global Policy Notice
11. How To Contact GPTW
Timothy H. Gens | Vice President, Director Legal Affairs
Chief Data Protection Officer, Certified Information Privacy Practitioner
1999 Harrison Street, Suite 2070 Oakland, CA 94612