We collect, use and are responsible for certain personal information about you. When we do so we are subject to the General Data Protection Regulation (EU) 2016/679 (commonly known as the “GDPR”), which applies across the European Union and we are responsible as the controller of that personal information for the purposes of those laws.
It would be helpful to start by explaining some key terms used in this policy:
|we, us, our||Great Place To Work (Cyprus) Limited, a limited liability company incorporated under the law of the Republic of Cyprus, with registration number HE 403682, and registered officed at Kosta Misiaouli 36, Kato Deftera, 2540 Nicosia, Cyprus.|
|personal information||Any information relating to an identified or identifiable individual.|
|special categories of personal information||Personal information revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, Genetic and biometric data. Data concerning health, sex life or sexual orientation.|
We may collect and use the following personal information about you:
- first name and last name;
- e-mail address;
- the name of your employer, your job title and department (applies only for individuals that are the contact persons or representatives of the employer which has engaged us); and
- employee survey data, which includes your statements and responses in the surveys you participate in and various demographic data such as your age, gender, years of employment, position, area/field of work and the geographical location of your working place. Please refer to the “Employee Survey Data” section below for more details. As described in that section, this type of information is collected and stored in an anonymised form and neither us nor any other person can associate your answers with you or otherwise identify you through the answers.
Where we need to collect personal information by law, or in order to be able to provide our products or services to your employer and you fail to provide that information when requested, this may prevent or delay us from providing our products or services to your employer.
We collect this personal information either from your employer (in the cases expressly indicated) or directly from you when you communicate with us or you participate in any of our surveys.
5. How and Why we Use your Personal Information
Under data protection law, we can only use your personal information if we have a proper reason for doing so, e.g.:
- to comply with our legal and regulatory obligations;
- for our legitimate interests or those of a third party, which include the proper performance of our contract with your employer, where your interests and fundamental rights do not override our interests or those of a third party;
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The table below explains what we use (process) your personal information for and the legal bases which we rely on to do so:
|What we use your personal information for||Type of information||Lawful basis for processing|
|To contact you for the purpose of inviting and to allow you to participate in our surveys and to send you and collect the material which must be completed as part of the surveys.||First name and last name, e-mail address We usually collect this data from your employer.||(a) Necessary for our legitimate interests (record and administer our services) (b) Necessary to comply with our legal and regulatory obligations|
|To carry out and administer our surveys, including: to record your answers to the survey; andto assess workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces.||Employee Survey Data.||(a) Necessary for our legitimate interests (record and administer our services) (b) Necessary to comply with our legal and regulatory obligations|
|To run, administer and protect our business, including: (a) Managing our relationship with your employer (b) Contacting you in the course of and for the purposes of this relationship (c) invoicing and billing (d) exercising our legal rights The above only applies if you are a contact person or representative of the organisation which has engaged us to provide our services to it. If you are an employee simply responding to a survey, we will not process your personal data for any of the above reasons.||First name and last name, e-mail address, name of your employer, your job title and department.||(a) Necessary to comply with our legal and regulatory obligations (b) Necessary for our legitimate interests (for running, administering and protecting our business and our rights)|
The above table does not apply to special categories of personal information, which we will usually only process with your explicit consent (unless the law allows to do so without it).
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
- Employee Survey Data
When invited to participate in a survey, you will mainly be asked to respond to a number of statements through multiple choice options and answer a few questions requiring a response in text. These statements and responses contain your opinion on matters relating to employment practices, working conditions and working environment and generally your employer’s treatment towards you.
You will also be asked to provide certain demographic information relating to your employment such as your age, gender, years of employment and position. This information is not required and you can choose not to provide it.
Also, your employer may ask for additional demographic data for a more targeted assessment in certain areas and a better analysis of the survey results. In that case, it is the employer that provides that data either to us or by inputting them directly in the relevant platform. In the latter case we do not have access to such data and in the former we do only for the purposes of inputting them into the system and then we delete them immediately.
You will be invited to complete the survey online. Your responses will be recorded and uploaded to our online platform but will be de-identified and made anonymous, that is it will be processed in such a way as to prevent your personal identity from being revealed.
All survey responses are always aggregated, which means that individual survey responses are combined together and presented as a group, de-identified and anonymised as stated above. Neither we nor anyone else has access to or can view your individual responses to the survey at any stage of the process. We only obtain the anonymous aggregated survey results, which we then analyse collectively in order to carry out our assessments as part of the services which we provide to your employer. Even in the case of further analysis on the basis demographic data as explained above, our system do not process or present data for any demographic segment that is less than five people, thereby excluding the risk of indirect identification of the individual answers of the people belong to the relevant demographic segment.
Therefore, we would like to assure you that neither us nor anyone else have any way of associating any survey response with the person who submitted that response.
7. Who we Share your Personal Information With
We routinely share personal information with service providers such as third parties we use to help deliver our services to your employer, including website hosts and cloud providers.
We may also share personal information with our principal, Great Place to Work® Institute, Inc., in the US, when this is necessary in the course of providing our services, for example when we use their platform for carrying out a survey. However Great Place to Work® Institute, Inc. will have actual access to data only for administration of the survey through their platform, maintenance and support purposes, and will not process them independently to the survey you participate in.
Please keep in mind that the de-identification and anonymisation process described above will apply at all times.
We only allow third parties to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you.
We may disclose and exchange information with law enforcement agencies, authorities and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a restructuring. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
8. Where your Personal Information is Held
Information is usually held at our offices. However it also may be held by our service providers and Great Place to Work® Institute, Inc as described above (see above: ‘Who we share your personal information with’).
Some of these third parties may be based outside the European Economic Area. For more information, including on how we safeguard your personal information when this occurs, see below: ‘Transferring your personal information out of the EEA’.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will usually keep your personal information while we are providing services to your employer or company. For employees merely participating in a survey, we will usually delete your personal data within five business days after the survey closes.
If you are a contact person or representative of the organisation who has engaged us to provide our services, we will usually keep your personal information longer, for as long as is necessary:
- to respond to any questions, complaints or claims submitted by you on behalf of your employer and generally to communicate with your employer concerning past, current or future engagements; and
- to keep records required by law.
Different retention periods apply for different types of personal information. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
We will not retain your personal information for longer than necessary for the purposes set out in this policy. When it is no longer necessary to retain your personal information, we will delete or anonymise it.
To deliver our products and services to your employer, it is sometimes necessary for us to share your personal information outside the European Economic Area (EEA), e.g.:
- with our service providers located outside the EEA;
- when we use the services of Great Place to Work® Institute, Inc; or
- where there is an international dimension to the services we are providing to your employer.
These transfers are subject to special rules under European and Cyprus data protection law.
Whenever we transfer your personal information out of the EEA, we ensure a degree of protection similar to that afforded in EEA countries is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission.
- Where we transfer your personal information to countries that have not been deemed to provide an adequate level of protection for personal information by the European Commission, we may use specific contracts approved by the European Commission which give personal information the same protection it has in Europe.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal information shared between the Europe and the US.
If you would like further information please contact us (see ‘How to contact us’ below).
You have the following rights in relation to your personal information:
|Access||The right to be provided with a copy of your personal information.|
|Rectification||The right to require us to correct any mistakes in your personal information. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.|
|To be forgotten||The right to require us to delete your personal information (in certain circumstances). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.|
|Restriction of processing||The right to require us to restrict processing of your personal information (in certain circumstances). This enables you to ask us to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the information’s accuracy; (b) where our use of the information is unlawful but you do not want us to erase it; (c) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.|
|Data portability||The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.|
|To object||The right to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.|
|Not to be subject to automated individual decision-making||The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.|
|Withdraw consent||The right to withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.|
For further information on each of those rights, including the circumstances in which they apply, please contact us or visit the website of the Commissioner for the Protection of Personal Data (www.dataprotection.gov.cy).
If you would like to exercise any of those rights, please:
- email, call or write to us—see below: ‘How to Contact Us’;
- let us have enough information to identify you;
- let us have proof of your identity; and
- let us know what right you want to exercise and the information to which your request relates.
You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We have appropriate security measures to prevent personal information from being accidentally lost or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We hope that we can resolve any query or concern you may raise about our use of your information.
The GDPR also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Cyprus is the Commissioner for Personal Data Protection who can be contacted at 1 Iasonos street, 2nd floor, 1082 Nicosia; tel: 22818456; fax: 22304565; email: firstname.lastname@example.org; www.dataprotection.gov.cy.
Our contact details are shown below:
36 Costa Mishiaouli,
Kato Deftera, 2450 Nicosia, Cyprus