Last modified: February 7, 2020
PDP Global (a DBA of PDP, Inc.) understands that your privacy is important and that you care about how your information is collected, processed, transmitted, stored, used, or shared. We respect and value the privacy of everyone who visits Our Sites and extend the same rights and protections to all visitors and Data Subjects. We will only collect and use information in ways that are useful to you and in a manner consistent with your rights and our obligations under the law.
Scope—What does this policy cover?
In this policy, the following terms shall have the following meanings:
|“Respondent”||The individual taking one of our surveys or completing one of our forms or acting as a student of our PDP eCampus educational material.|
|“Client”||The licensed organization with a my.PDPworks account and certified PDP users.|
|“PDP Representative”||The contracted organization and its users that market, sell and service client accounts. Representatives have access to client accounts and are trained annually on the importance of data confidentiality.|
The questionnaire instruments for measuring the dynamics of behaviors. There are three types of surveys:
Include but not limited to:
PDPglobal.com—Our corporate website my.PDPworks.com—Our web application where users login to process invitations and surveys and to retrieve resulting reports. eCampus.PDPglobal.com—Our Learning Management System (LMS)
|“User”||You, when you log in to any of our websites.|
|“We/Us/Our”||PDP Global, a DBA of PDP, Inc., a C corporation registered in the State of Colorado, USA.|
|“Data Subject”||Survey respondents, account users—anyone providing personally identifiable information (PII).|
|“Data Controller”||A data controller determines the purposes and means of processing personal data.|
|“Data Processor”||A data processor is responsible for processing personal data on behalf of a controller.|
Are we registered with Privacy Shield in the USA?
For purposes of enforcing compliance with the Privacy Shield, we are subject to the investigatory and enforcement authority of the US Federal Trade Commission.
Do we have a way for you to contact us to inquire about or exercise your data privacy rights?
Yes. For any question or request relating to your data and privacy, please email us at firstname.lastname@example.org or call our office at +1 719-785-7300 and we will be happy to assist you in your concerns.
Under certain conditions, more fully described on the Privacy Shield website at How to Submit a Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our EEA/UK Representative:
Attn: PDP Privacy
Southampton, Hampshire SO14 3XB
When do we act as a Data Controller and when do we act as a Data Processor?
We will act in most cases as a Data Processor for our clients. In a small number of cases, we will act as the Data Controller. The following is a straightforward way to understand it:
The Data Controller decides what personal data is collected, how it is collected, and its purpose. The Data Processor acts on the explicit instructions of the Data Controller to complete a defined process involving the personal data that was provided.
In the vast majority of cases, we act as a Data Processor or a sub-processor for clients and we have agreements in place to ensure data security. We act in accordance with our customers’ requests and relevant data protection legislation and best practices.
We will occasionally act as Data Controller with data having to do with our own employees and Representatives, along with those situations involving technical support and testing.
What data do we collect on Our Websites, how does it flow, and how do we use it?
PDP Global is responsible for the processing of personal data it receives, under the Privacy Shield, and subsequently transfers it to a third party acting as an agent on its behalf. PDP Global complies with the Privacy Shield for all onward transfers of personal data from the EU, including the onward transfer liability provisions. With respect to personal data received or transferred pursuant to the Privacy Shield, PDP Global is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
When requesting information on Our Websites about our services, you may use a form where you are asked to provide your name, email address, mailing address, and phone number or other details to help your experience be as beneficial as possible or to provide you with documentation you require.
On the LMS, we may ask for the same information and you may answer test and quiz questions to help you and us to determine your level of knowledge acquisition.
Some data will be collected automatically by Our Websites. Please review our Cookie information. We may collect information about how you use Our Websites to aid us in continually improving their functionality.
This may include information about your originating IP addresses (which may infer your geographic location but not your identity), Internet service providers, the files viewed, and timestamps of activity on Our Websites.
We may also record which operating system, device, and browser version you use to help ensure that you have a positive online experience.
Below are flow charts summarizing the collection and processing of marketing, eLearning, and survey data:
When I complete a Survey at my.PDPworks, how is my personal data collected and used?
The organization (typically Certified Client organizations—generally employers, or Licensed Representatives of PDP Global acting as HR consultants) that has requested that you to complete a survey on my.PDPworks is the Data Controller and we are acting as the Data Processor. The Data Controller decides what data is to be collected and how it will be used. We provide Client organizations with their own unique login to my.PDPworks to manage the data they collect from you. See the flow chart below, which explains the process:
Are the Surveys provided by us considered “Automatic Decision Making,” including “Profiling?”
No. All Surveys provided by us should never be used in isolation in recruitment or human resource processes. Each user from organizations using my.PDPworks.com are trained and instructed in this principle. Our Surveys are provided to Data Controllers as part of a larger decision-making process and structure, which include other information the Data Controller collects.
Do we use personal data from my.PDPworks in research?
As part of continual improvement and validation, we undertake research and analysis, which requires us to process personal data for this clearly defined purpose. When we process such personal data for research purposes, we do so as Data Controller under the lawful basis of Legitimate Interest.
When we process personal data for research, results are presented in group form (e.g., averages). We ensure appropriate safeguards, including anonymization of the data, secure transmittal and storage, and adherence to the principal of least privilege.
In instances where we act as Data Controller, what lawful basis do we have for processing your data?
Based upon the different services we offer and how we provide those services, we rely on the most appropriate lawful basis when processing your data. When the most appropriate lawful basis for processing is Legitimate Interests, we will always ensure that our interests are carefully balanced with and do not adversely impact your rights.
There may also be specific instances where we require your consent for the processing of your personal data. We will ensure the consent obtained is aligned with current applicable legislation that it is specific, informed, and freely given.
How do we ensure the security of our systems and protect my data?
Our employees, associates, and sub-contractors take the security of your personal data seriously.
Do we engage with any sub-processors?
How and where is your data stored?
Your data is stored in cloud-based services in highly secured data centers in the U.S. (see Our Trusted Sub-Processors). Your data is encrypted while it is in transit from your web browser to our data center and when at rest, it is secure behind tightly held authentication and physical security.
How long do we keep personal data?
As prescribed in applicable law, we only keep personal data as long as necessary. When deciding the length of personal data retention, we take into account any minimum retention requirements set out in applicable legislation.
When we act as Data Processor, the client organization acts as the Data Controller. As such, the client organization will decide how long data should be retained and will manage the retention and anatomizing process accordingly.
When using aggregated data for research purposes, we function as Data Controller and follow what is described in the research question above.
What rights do you have as a data subject?
Your rights as a data subject under GDPR are detailed in Chapter 3 – Articles 12 to 23. You have eight fundamental (though not absolute) rights under GDPR.
- Right to Access Personal Data—Under the GDPR, data subjects have the right to access the data collected on them by a data controller. The data controller must respond to that request within 30 days (Article 15).
- Right to Rectification—Data subjects have the right to request modification of their data, including the correction or errors and the updating of incomplete information (Article 16).
- Right to Erasure—The right to erasure, also referred to as the right to deletion or the right to be forgotten, allows a data subject to stop all processing of their data and request their personal data be erased (Article 17).
- Right to Restrict Data Processing—Data subjects, under certain circumstances, can request that all processing of their personal data be stopped (Article 18).
- Right to be Notified—Data subjects must be informed about the uses of their personal data in a clear manner and be told the actions that can be taken if they feel their rights are being impeded. Data subjects must also be informed of any rectification or erasure of their personal data under articles 16, 17, and 18 (Article 19).
- Right to Data Portability—A data subject can request that their personal data file be sent electronically to a third party. Data must be provided in a commonly used, machine readable format, if doing so is technically feasible (Article 20).
- Right to Object—If a request to stop data processing is rejected by a data controller, the data subject has the right to object to their Article 18 right being denied (Article 21).
- Right to Reject Automated Individual Decision-Making—Data subjects have the right to refuse the automated processing of their personal data to make decisions about them if that significantly affects the data subject or produces legal effects—profiling for example (Article 22).
What if I have a privacy concern or want to exercise my data subject rights?
Please contact us at email@example.com. Or you may write to us at:
13710 Struthers Road, Suite 215
Colorado Springs, CO 80921 USA
We will respond to your request within 30 days. Complex or excessive requests may require a longer period for resolution. In situations where we function as the Data Processor, the first step will be to put you in contact with the client organization that functions as your Data Controller. Together, we will work to address your request or concern. See overview of how requests work:
We reserve the right to charge an administrative fee or refuse a request where requests for data are clearly unreasonable or excessive, particularly if they are repetitive.
We have chosen to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC), respectively, and comply with information and advice the DPAs and the FDPIC may provide in relation to such unresolved complaints (as further described in the Privacy Shield Principles). Please contact us to be directed to the relevant DPA or FDPIC contacts.
You also have the right to refer data privacy issues or concerns to the ICO at any time. You will find details of how to contact the ICO at https://ico.org.uk/.
Reporting a Data Breach
If you believe that a loss of personal data we use or manage has occurred, or an unlawful use or disclosure of the data has occurred contact us at firstname.lastname@example.org, or you may write to us at:
13710 Struthers Road, Suite 215
Colorado Springs, CO 80921 USA
Alternatively, you may contact our EEA/UK Representative:
Attn: PDP Privacy
Southampton, Hampshire SO14 3XB