Last updated: 8th March 2023
Purpose
Circana is committed to the principles of ethical and lawful conduct in all of our business activities everywhere in the world that we do business. Virtually all the jurisdictions in which Circanadoes business have privacy and data protection laws which govern how organizations can collect, use, and disclose data relating to our employees. The personal information of our employees is important to us and we respect the privacy rights of all individuals we process information about. We are committed to handling personal information responsibly and in accordance with applicable laws.
This Notice is provided to describe how your personal information is collected, used and shared by the Circana entity that employs (or employed) you and any Circana entity that receives your personal information from your employing entity. This Notice applies to all Circana employees globally and where a market has statutory notice obligations, this Notice is intended to satisfy those notice obligations under applicablelegislation. A full list of local legislation this Notice covers is found at the Appendix.
Additional details regarding privacy and data protection may be found in our company policies
Scope
This Notice applies to the personal information that your employing Circana entity (“Employer”), or any entity within the Circana Group (“Circana,” “the Circana Group”, “the Group”,“we”, “our” or “us”) collects related to its current and former employees, officers, and directors (“Employee” or “you”) and other individuals connected to you, such as emergency contacts, dependents and beneficiaries.
“Personal information” generally includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual.
Whilst this Notice applies to all Employees globally, the categories of personal information that we collect, and our use of personal information, may vary depending upon your position(s) or location, as well as the associated qualifications and responsibilities. The information in this Notice is intended to provide an overall description of our collection and use of personal information about Employees. Where applicable,this Notice should be read in conjunction with your local legislation.
Categories of Personal Information and Sharing with Third Parties
Where required in order for your Employer to perform its obligations to you or to carry out its legitimate interests, or for you to perform your job function, or for the purposes described in this Notice, your Employer will share your personal information with other entities in the Circana Group, third party service providers who maintain reasonable security practices commensurate with applicable law, government agencies and/or other third parties, such as Group customers. These other parties may hold your data either as a service provider/processor or as an independent and autonomous controller.
Wherever required under applicable law, the relevant Group company will enter into data processing or similar agreements with third party service providers that require in particular that such third-party service providers maintain the same level of personal data protection as implemented by the Group. Where these third parties act as a “data processor” they carry out their tasks on our behalf and upon our instructions for the purposes stated in this notice.
The table below identifies the categories of personal information we collect about Employees, as well as the categories of third parties to whom we may disclose this information for a business or commercial purpose:
| Categories of Personal Information | Third Party Disclosures for Business or Commercial Purposes |
| Contact information and Identifiers: such as a real name, alias, home address, personal telephone number, emergency contacts information, date of birth, gender identity, marital status, unique personal identifier, online identifier, Internet Protocol address, email address, account name, professional social media handles, passport details, bank information, social security number, national insurance number, driver’s license number, passport number, tax ID, or other government identifiers. | Circana Group service providers advisors and agents benefit(s) providers regulators, government entities and law enforcement internet service providers, operating systems, and platforms others as required by law |
| Paper and electronic records: records containing personal information, such as name, signature, contact information, education and employment history, Social Security number and other government identifiers, insurance policy number, financial or payment information, medical information, or health insurance information. | Circana Group service providers advisors and agents benefit(s) providers regulators, government entities and law enforcement internet service providers, operating systems, and platforms others as required by law |
| Characteristics of protected classifications or special categories of data: such as race, religion, sex, sexual orientation, gender identity, age, national origin, disability, citizenship status, military/veteran status, marital status, trade union association, medical condition or other characteristics of protected classifications under local legislation. Note: generally, this information is collected on a voluntary basis and is used in support of our equal opportunity and diversity and inclusion efforts and reporting obligations, or where otherwise required by law. Unless required by law, you are not obliged to provide this information). | Circana Groupservice providersbenefit providersregulators, government entities and law enforcement |
| Internet and network information: such as browsing history, search history, and information regarding interactions with an internet website, application, or advertisement, as well as physical and network access logs and other network activity information related to your use of any Circana device, network or other information resource. | Circana Group service providers advisors and agents regulators, government entities and law enforcement others as required by law |
| Location data: location information about a particular individual or device. | Circana Group service providers advisors and agents regulators, government entities and law enforcement others as required by law |
| Sensory data: audio, electronic, visual, thermal, olfactory, or similar information, such as, CCTV footage, photographs, and call recordings and other audio recordings (e.g., recorded meetings and webinars) | Circana Group service providers advisors and agents regulators, government entities and law enforcement others as required by law |
| Resume and Screening information: such as information about education history or background, employment history, your membership of professional bodies and trade groups, descriptions of skills and experience, awards, certificates, licenses, any other information you choose to provide in a resume or application as well as positions applied for internally. We will also collect results of background checks, screening and references | Circana Group service providers advisors and agents regulators, government entities and law enforcement others as required by law |
| Performance Development and Role information: such as date of hire, objectives and appraisals, attendance and reasons for absence, training records, surveys, salary and compensation including commissions, bonuses, equity, stock option awards and exercise information, Employee stock purchase plan information and pension information, termination date, expense related information, benefits information | Circana Groupservice providersbenefit providersregulators, government entities and law enforcement |
| Inferences. Inferences drawn from any of the information identified above to create a profile about an Employee reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. (Note: Such profiling will only be one element of a decision-making process and decisions will never be based solely on such profiling.) | Circana Group service providers advisors and agents |
Sensitive Personal Information
We do not collect biometric or genetic data. We recognize that our collection, use, and disclosure of other types of sensitive personal information such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or a natural person’s sex life or sexual orientation, the commission or alleged commission of a crime or a social security number is subject to local legislation. We only collect such information where necessary. Where we ask for your explicit consent to process such information (such as in support of our equal opportunity and diversity and inclusion efforts) please be aware you are not obliged to give it and it will never be a condition or requirement of your employment to agree to any request for consent from the Circana Group.
Sources of Personal Information
In general, we may collect the categories of personal information identified in the table above from the following categories of sources:
- Directly from you either during your application for employment, the employee on-boarding process, or on an ad hoc basis during the course of your employment. You will usually provide the personal information directly to your managers or local Human Resources contact or enter it into our systems.
- Our service providers, representatives, and agents – During the recruitment process, we may carry out screening and vetting processes using third party sources and retain that personal information after you have been employed (where permitted by applicable law).
- External parties that you have provided as referees.
- In some circumstances, personal information may be collected indirectly from monitoring devices or by other means (for example, building and location access control and monitoring systems, Closed Circuit Television, telephone logs and recordings and email and Internet access logs), if and to the extent permitted by applicable laws.
In some cases, our collection and processing of your personal information is necessary to enter into your employment relationship with us, or to comply with applicable law. If you do not provide us with, or we are unable to obtain such information, we may not be able to perform our contract with you. We will inform you when providing your personal information is necessary and what the impact will be on your relationship will be if you do not provide it. For example, if you do not provide us with your bank details, we will not be able to pay you. In some cases it may mean that we are unable to continue with your employment or engagement because we will not have the personal information we believe to be necessary for the effective and efficient administration and management of our employment relationship with you.
Where we ask for your explicit consent to process information, you are not obliged to give it and it will never be a condition or requirement of your employment to agree to any request for consent from the Circana Group.
Retention
The Group keeps Employee personal information only for as long as is required to satisfy the purpose for which it was collected by us or provided by you including for the duration of the applicable statute of limitations, which may surpass the term of your employment. In certain cases, legal or regulatory obligations require us to retain specific records for a set period of time, including following the end of your employment.
We maintain a retention policy which we apply to records in our care. In all cases, where your information is no longer required we will ensure it is disposed of in a secure manner and, where required by applicable law, we will notify you when such information has been disposed of.
Purposes For Processing Personal Information
Circana does not sell or share Employee data for the purposes of cross-context behavioral advertising or direct marketing.
Generally, we collect (and use and disclose) the above categories of personal information for the following purposes:
| Onboarding. To complete new hire onboarding, enroll you in our HR system, and set up your personnel file. |
| Compensation and benefits: relating to our administration of compensation and benefits, including: administering Employee payroll, salary and compensation; administering Employee pensions, IRAs and 401K, health insurance, medical plans, and other employee benefits administration (which may include the collection of personal information about others such as beneficiaries, where necessary to administer such benefits); reviewing, assessing and administering Employee salary and compensation increases and bonuses;calculating deductions, issuing tax return-related documents and forms to Employees; reviewing timecards and reported time worked; and monitoring and managing all absence. |
| Management of employment relationship: including: hiring, terminations, relocation, transfers, promotions and disciplinary actions;reviewing performance; conducting performance reviews, compensation and bonus reviews, and headcount and salary reviews; administering and monitoring compliance with our policies and procedures; maintaining records of emergency contact information for use in the event of an emergency; administering or performing employment contracts where applicable; conducting pre-employment and employment screening; for professional development and training purposes; verification and management of applicable credentials, licensing and other qualifications; facilitating Employee communication and collaboration, such as through the corporate directory, Employee bios and other similar; and in support of our equal opportunity employment policy and diversity and inclusion program. |
| Business operations and client services: relating to the organization and operation of our business and our performance of services to clients, including related to: |
| operating our business by developing, producing, marketing, selling and providing goods and services; auditing and assessing performance of business operations, including client services and associated activities; performance, training and quality control; facilitating business development opportunities, as relevant; and facilitating communications in furtherance of the foregoing. |
| Security and monitoring: to monitor and secure our resources, network, premises and assets, including:monitoring for, preventing and investigating suspected or alleged misconduct or violations of work rules; monitoring for, preventing, investigating, and responding to security and privacy incidents; providing and managing access to physical and technical access controls; monitoring activities, access and use to ensure the security and functioning of our systems and assets; and securing our offices, premises and physical assets, including through the use of electronic access systems and video monitoring. |
| Health and safety: for health and safety purposes, such as contact tracing or conducting appropriate screenings of individuals prior to entering or accessing certain locations or premises. |
| Auditing, accounting and corporate governance: relating to financial, tax and accounting audits, and audits and assessments of our business operations, security controls, financial controls, or compliance with legal obligations, and for other internal business purposes such as administration of our records retention program. |
| M&A and other business transactions: for planning, due diligence and implementation of commercial transactions, for example mergers, acquisitions, asset sales or transfers, bankruptcy or reorganization or other similar business transactions. |
| Defending and protecting rights: to protect and defend our rights and interests and those of third parties, including to manage and respond to Employee and other legal disputes, to respond to legal claims or disputes, and to otherwise establish, defend or protect our rights or interests, or the rights, interests, health or safety of others, including in the context of anticipated or actual litigation with third parties. |
| Complying with legal obligations: relating to compliance with applicable legal obligations (such as hiring eligibility, responding to subpoenas and court orders) as well as assessments, reviews and reporting relating to such legal obligations, including under employment and labor laws and regulations, Social security and tax laws, environmental regulations, workplace safety laws and regulations, and other applicable laws, regulations, opinions and guidance. |
Legal Basis For Processing
Where a legal basis is required (under European law for instance) the processing of your personal information will be justified by at least one of the following:
• the processing is necessary to give effect to your contract of employment (for example, collecting bank account details to pay your salary, creating your access rights, responding to grievances, managing beneficiary details, administering termination);
• the processing is necessary for us to comply with a legal obligation (for example, administering benefits schemes, reviewing eligibility for work, creating an Employee record (including absences), addressing occupational health issues, managing professional qualifications, managing IT security, disclosing tax data to a government authority or salary information to a national insurance scheme);
• the processing is in our legitimate interests as a business and as your employer and our interests are not overridden by your interests, fundamental rights or freedoms (for example, assessing new job opportunities, reviewing your performance at work, managing litigation or other legal requests). Specifically, our interests in:
- the effective management, security and operation of the Group;
- our engagement with our workforce;
- developing our business and the business of the Group;
- increasing the efficiency of our processes and practices;
- striving to ensure compliance with applicable laws and business norms;
- avoiding or mitigating harm to you, to our customers, to us and the Group, and to third parties; or
- the processing is based on your prior explicit consent
And the processing of sensitive personal information will always be justified by at least one of:
• the processing is necessary for the purposes of carrying out obligations under employment law and/or the applicable national collective bargaining agreements (notably as they relate to insurance and benefit schemes);
• the processing is carried out with your explicit consent (See Sensitive Personal Information above for more information about your consent)
• the processing is necessary for the establishment, exercise or defence of legal claims; or
• in exceptional circumstances, processing is necessary to protect your vital interests and you are incapable of giving consent.
How We Protect Your Information
We have in place security and organizational measures to protect your personal information from loss, misuse, unauthorized access and disclosure, alteration and destruction. Our measures are implemented and maintained in accordance with legal, organizational and technological developments. We also ensure any personal information is destroyed in accordance with best market practice. More information on this can be found in our Information Security policies.
Transfers To Other Countries
Your personal information may be transferred to other Group entities or to third parties described in this Notice to the extent required for your employer to perform its obligations to you, or for you to perform your job function, or for the purposes described in this Notice. In particular:
• Your professional profile and contact information contained in systems such as Outlook, SharePoint, and Atlas, will be accessible to all employees of Group companies worldwide.
• Your personal information may be transferred to Group headquarters in the U.S or internationally and/or to Group employees located inside or outside your country, and/or to a person or company that is not part of the Group located in or outside your country, on a need-to-know basis. Where personal information is transferred out of the European Economic Area, the transfer will be governed by adequacy decisions or Standard Contractual Clauses and in line with all other EU requirements
• Transfers may be made to respond to law enforcement requests or discovery procedures, or where required or permitted by applicable laws, court orders, government regulations, or government authorities (including tax and employment). Such transfers may entail access by courts or governmental authorities outside your country, after having ensured that only your minimal necessary data is disclosed and transferred, or that such data is de-identified or that, where possible, appropriate stipulative court orders have been issued.
If you require further information on this, please contact privacy@circana.com
Updating Employee Personal information and Your Rights
Employees retain control over most of their information through our internal human resource information system (Atlas for example) and are able to (and expected to) self-serve amending, updating or deleting most information. As an Employee, you have a responsibility to ensure that changes in your personal circumstances are notified to your Employer (through Atlas where applicable), so that we can ensure that your personal information is up-to-date and accurate.
We observe the following rights for all Employee data and you will not to be subject to discriminatory treatment for exercising your rights.
- Right to Access – you have the right to request access to your personal information and additional information about the processing of your personal information (such as which parties it has been transferred to).
- Right to Correction- you are entitled to have any inadequate, incomplete or incorrect personal information corrected.
- Right to Object – you may object to our processing of your data. We only process Employee data where we believe have compelling reasons to process it, but we will always consider your objection and will stop processing it if we cannot demonstrate why we are processing it.
- Right to Withdraw Consent – in the event your personal information is processed on the basis of your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to Deletion – in certain circumstances,you are entitled to have your personal information deleted. This applies where you have withdrawn our consent or where you object to our processing and we have no overriding legitimate reason to continue the processing.
- Right to Restriction – we will restrict the further processing of your data while the above situations are being investigated. We will only process restricted data with your consent or for the establishment, exercise or defense of legal claims.
Employees of entities registered in the European Union and the UK may also be entitled to “Data Portability”, which means you may have the rightto receive certain data which you have provided to us in a structured, commonly used and machine-readable format, and have it transmitted to another controller (where possible).
Employees that reside in or are employed by a Circanaentity in the European Union, the United Kingdom or Brazil also have the right to lodge a complaint about our data collection and processing actions with the supervisory authority concerned. Contact details for the UK’s ICO, Brazil’s ANPD or European data protection authorities are available here. Prior to raising a complaint externally we encourage you to follow our complaints procedure below.
How to Exercise Your Rights
For any right that you are not able to exercise through Atlas, please contact your local HR representative in the first instance. Your request will be processed promptly and (where required by law) within 28 days. We may have a reason why we do not have to respond to your request or respond to it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
If you are a former employee or you are not contacting us through your designated work email address, we will take steps to verify your request by matching the information provided by you with the information we have in our records. You must provide sufficient information to allow us to verify that you are the person about whom we have collected personal information and describe your request in sufficient detail to allow us to understand, evaluate, and respond to it. In some cases, we may request additional information in order to verify your request or where necessary to process your request. If we are unable to adequately verify a request, we will notify you. Authorized agents may initiate a request on your behalf through one of the above methods, but authorized agents will be required to provide proof of their authorization and we may also require you to personally verify your identity and the authority of the authorized agent.
Complaints And Queries
If you are not satisfied with how HR have handled your request, or you have any questions, concerns or complaints regarding this Notice or the handling of your personal information (including any concerns about third parties we have shared your data with) please contact the Chief Privacy Officer at privacy@circana.com.
You can also write to us at our Headquarters: 203 N. LaSalle Street, Suite 1500, Chicago, IL 60601 and our International Headquarters is located at Maxis 1, Western Road, Bracknell Berkshire, RG12 1RT UK.
Our representative in the European Union is the Circana entity registered in Ireland.and can be contacted at privacy@circana.com
If your market has appointed a data protection officer you may also contact them with any complaints or queries.
Updating This Notice
We strive for continuous improvement in our services, processes and protecting employee rights. We will therefore update this privacy notice from time to time. We will notify current employees in advance via internal communications about any changes to this Notice that are material or may impact you. For other changes, please check back frequently here to see any updates or changes to this Notice. We are also happy to provide previous versions of this Notice on request.
Appendix
Applicable Legislation
| Country | Statute |
| Australia | Australian Privacy Principle 5.2, Privacy Act 1988 (Cth) |
| Brazil | Article 9, General Data Protection law (Law No. 13.709/2018) |
| Canada (Federal) | Section 6.1 and Principles 2, 3, and 8, Schedule 1, Personal Information Protection and Electronic Documents Act |
| China | Articles 17, 22, 23, and 39, Personal Information Protection Law (in Chinese) |
| EU Member States | Articles 13 and 14, General Data Protection Regulations 2016/679 |
| Hong Kong | Data protection principle 1(3) and Sections 35(C) and 35(F), Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) |
| India | Sections 4 and 5(3), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 |
| Japan | Articles 15(1), 18(1) and (2), 23(2) and (5), and 27, Act on the Protection of Personal Information.Article 8, Cabinet Order to Enforce the Act on the Protection of Personal Information |
| Mexico | Articles 15,16, and 36 Federal Law on the Protection of Personal Data held by Private Parties (2010)Articles 14, 23, 30, 41 and 112, Regulations of the Federal Data Protection LawChapter 5, Sections 1 and 26, Privacy Notice Guidelines (January 17, 2013) |
| New Zealand | Principle 3, Section 22, Privacy Act 2020 |
| South Africa | Article 18, Protection of Personal Information Act 2013 (No. 4 of 2013) |
| South Korea | Articles 20, 27, and 30, Personal Information Protection Act, as amended by Act No. 16930Article 31, Enforcement Decree of PIPA (in Korean) |
| United Kingdom | EU Regulation (EU) 2016/679 General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act |
| United States | California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended, and its implementing regulations |