1. PURPOSE
CGI Nederland B.V. (“CGI”) is committed to the appropriate and lawful treatment of personal data which CGI collects, stores and processes on its own behalf as well as on behalf of its clients. CGI believes that this is important for effective, efficient and responsible operations and necessary to sustain successful business operations. CGI respects the privacy of its business partners, clients and members and has prepared this statement to inform them of the purposes for which CGI will processes their personal data as well as the obligations on CGI, its employees and its third party processors when processing personal data.
This Privacy Statement gives CGI employees and its clients guidance on how to provide adequate and consistent safeguards when processing personal data. It also establishes the expectations that data subjects and their controllers can have in relation to the processing of their own personal data in the CGI workplace and when their personal data is processed on CGI’s behalf by third party processors.
This Privacy Statement applies when CGI acts as a data controller as well as a data processor.
This Privacy Statement applies to the processing of personal data, irrespective of the nature or category of the personal data, relating to:
- Employment candidates
- Employees (members)
- Clients
- Client employees
- Client customers
- Shareholders
- Suppliers and subcontractors
2. SCOPE
This Privacy Statement sets out the minimum standard that CGI has implemented when CGI, its employees and third party processors process personal data. It has been approved under the authority of the CGI board of directors. CGI’s Corporate Legal Services (NL) owns this Privacy Statement. Any questions or concerns about the interpretation or operation of this Privacy Statement should be raised in the first instance with the CGI NL Privacy Lead or HR representative. In addition to this Privacy Statement, CGI has also, in compliance with the Applicable Data Protection Legislation, implemented an internal procedure on how to deal with loss of data and reporting obligations in that respect.
3. INTERPRETATION
In this Privacy Statement the terms personal data, processing, controller and processor have meanings ascribed to these in the European Data Protection Directive 95/46/EC, as amended from time to time, and implemented in “Applicable Data Protection Legislation”
“Applicable Data Protection Legislation” refers to (i) the EU Directive 95/46 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (EU Data Protection Directive), (ii) any implementing laws of the EU Data Protection Directive, (iii) the European Regulation 2016/679 relating to the Processing of Personal Data as of its date of application, and (iv) any applicable local laws relating to the Processing of Personal Data.
For the purpose of understanding this Privacy Statement, the following definitions are relevant:
- Data controller
-
The person, company or organization which determines the purposes for which, and the manner in which, personal data is processed. The data controller has a responsibility to establish practices and policies in line with applicable law.
- Data processor
-
A person, company or organization which processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include third party companies which process personal data on CGI’s behalf.
- Data subject
- The individual who is the subject of personal data that is being processed by CGI or a CGI data processor.
- EEA
- The European Union (“EU”) together with the countries that are members of the European Economic Area from time to time.
- Employee
- for the purpose of this Privacy Statement only, this means an employee, staff member, worker, individual consultant, agent or director, and “employment” shall be construed accordingly.
- CGI
- CGI Nederland B.V..
- Notification
- The notification or registration of CGI's data processing activities (where required) to the applicable data protection authority/regulator.
- Personal data
-
Any information from which a living individual can be identified directly or indirectly, either on its own or together with other information which is in, or is likely to come into, the possession of CGI or CGI’s data processor. Personal data includes (but is not limited to) information such as telephone numbers, names, identification number, addresses (including email addresses), sound and image data (for example photographs, video and voice recordings), indications of status and title, as well as recorded remarks about individuals. Personal data includes sensitive personal data.
- Process
-
Obtain, record, access or store personal data or carry out any operation on the personal data including: organization, adaptation or alteration of the personal data; or retrieval, consultation (including remote access) or use of the personal data; or disclosure of the personal data by transmission or otherwise making available; or alignment, blocking, combining, restricting, erasure or destruction of the personal data. Examples of how processing can occur include the use of personal data in the following situations:
-
In an automated way, for example, by mainframe computers, servers, PCs, email or filing systems, laptops, PDAs, pads, mobile/cellular/smart telephones; and/or
-
In a manual way, which includes a set of information relating to individuals which is structured according to criteria which allows access to specific personal data, for example, card indices or manual files of client, employee or supplier data which is stored in a structured way.
- Sensitive personal data
- Personal data that contains information relating to: racial or ethnic origin; political opinions; religious beliefs or beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life; information relating to the commission, or alleged commission of an offence, or proceedings for offences committed or allegedly committed by a data subject; or any other category of personal data which is stated to be “sensitive personal data”.
4. PURPOSE AND BASIS OF PERSONAL DATA PROCESSING
4.1. Defining a legal basis
Any processing is deemed legal where it falls under one of the following circumstances:
-
processing is necessary for compliance with any applicable legislation; or
- processing results from the execution of a contract with a data subject (e.g. employment contract); or
-
processing is based on a legitimate interest of CGI, which must be assessed against the interests of the data subject; or
-
processing with data subject’s prior consent. A data subject’s consent is valid when (i) given by a clear affirmative act, (ii) freely given, and representing a specific, informed and unambiguous indication of the data subject’s agreement to the processing of his/her personal data. A data subject’s consent can always be withdrawn in writing to CGI at dpo@cgi.com.
4.2. Data retention limitation
CGI must ensure that it does not keep personal data for a longer period than strictly necessary to achieve the purpose for which the personal data is collected. Consequently, CGI will determine before the performance of the processing an appropriate retention period. In doing so, CGI shall consider the following factors:
-
time during which the personal data is necessary to satisfy CGI’s corporate interests
-
period after which keeping such personal data may have an impact on data subjects’ rights to be forgotten
-
any legal obligations imposing a minimum data retention period as may be defined in the CGI internal Records Retention Policy and record retention obligations in the relevant processing agreements or otherwise.
4.3. Processing of Client Personal Data
CGI will usually be a data processor (or in certain specific, limited circumstances, a data controller) in client contracts which require it to process personal data controlled by its clients. Such personal data may relate to the client’s employees for the purposes of payroll processing, individual consumers who purchase the client’s products, individual account holders with clients that are financial institutions etc.
When CGI acts as a data processor, it shall commit to process client’s personal data solely in accordance with the client’s instructions and, in particular, with respect to the nature, method, purpose and duration of processing.
CGI’s Privacy Statement endeavors compliance with Applicable Data Protection Legislation in relation to personal data it processes while executing client contracts, including making any necessary notifications as well as the use of appropriate technological and organizational measures to protect against unlawful processing, accidental loss, damage or destruction of personal data. CGI may agree contractual provisions with its client to ensure compliance with such applicable data protection law, including but not limited to EU model contractual clauses if required to allow a transfer from within the EEA to a country outside the EEA, or to any country not designated as adequate by the European Commission.
On certain occasions CGI will, only for its internal business purposes, internal reporting and analysis, auditing and customer management (e.g. customer satisfaction / reporting ), transfer personal data to specific companies within the CGI Group. This allows CGI to improve the products and services it offers to clients. The protection of the personal data to be transferred within CGI Group and compliance with the technological and organizational protective measures which are to be met, is secured by specific data transfer agreements between the receiving entity and CGI or the CGI Intra Group Transfer Agreement both employing the EU model clauses.
4.4. Processing of Personal Data relating to Enquirers, Website Users, Marketing Contacts, Visitors etc.
CGI will process personal data relating to data subjects who contact CGI for various purposes, for example through CGI websites, by email, telephone, letter and other means of communication. CGI may process personal data relating to visitors to CGI controlled premises. For security reasons only, all CGI offices are security camera controlled. CGI may also process personal data for marketing purposes. For further reference see: www.cgi.com/en/global-privacy that applies to www.cgi.com/nl.
CGI will usually be designated as a data controller in relation to such personal data. CGI’s Privacy Statement endeavors compliance with the Applicable Data Protection Legislation with respect to personal data it processes in relation to such data subjects, including making appropriate notifications as well as the use of appropriate technological and organizational measures to protect against unlawful processing, accidental loss, damage or destruction of personal data.
CGI may collect and process personal data that is provided voluntarily to CGI when information is requested about CGI’s services, questions are submitted, when subscription to newsletters occurs or when résumé’s are submitted for career opportunities at CGI.
On certain occasions CGI will, only for its internal business purposes, internal reporting and analysis, auditing and customer management (e.g. customer satisfaction / reporting ), transfer personal data to specific companies within the CGI Group. This allows CGI to improve the products and services it offers to clients. The protection of the personal data to be transferred within CGI Group and compliance with the technological and organizational protective measures which are to be met, is secured by specific data transfer agreements between the receiving entity and CGI or the CGI Intra Group Transfer Agreement both employing the EU model clauses.
4.5. Processing of CGI Employee “ Member” Personal Data
General
For personal data relating to members CGI Nederland B.V. is the data controller. CGI will comply with applicable laws (including where necessary any requirement to obtain consent from a data subject or the competent employee representative body – NL Works Council) regarding the processing of any personal data relating to members. In addition to this Privacy Statement, CGI's standard contracts, applicable policies and member communications may specify the purposes for which CGI may, from time to time, collect and process personal data. On certain occasions CGI will, only for its internal business purposes, global HR services, payroll services, internal reporting, auditing, member management and security reasons, transfer personal data to specific companies within the CGI Group. The protection of the personal data to be transferred within CGI Group and compliance with the technological and organizational protective measures which are to be met, is secured by specific data transfer agreements between the receiving entity and CGI or the CGI Intra Group Transfer Agreement both employing the EU model clauses.
Purposes for Processing
Subject to applicable legal requirements and restrictions, including but not limited to the general requirement to collect and process only what is necessary to achieve the relevant purpose, CGI may process some or all of the following personal data categories: name, address (including email address), telephone number, emergency contact details, next of kin details, marital status, date of birth, nationality, gender, referee details, education details, work permit details, passport number or similar document number, national identity number, taxation reference number, bank account details, credit/debit card details, other financial details, employee number, IP address, driving license, car registration number, image and sound.
The main purposes for processing personal data relating to members may include the following:
-
Payroll, Pension, Finance, Shares - CGI may share relevant personal data with pensions and share scheme administrators, scheme providers, insurance companies, tax authorities and other similar service providers in relation to employment obligations and employee benefits. CGI will also process personal data for the purpose of identifying and paying members.
-
Commercial Administration and Management - CGI may use personal data for managing its commercial activities such as paying invoices, communicating with its business partners and potential business partners, arranging meetings, business travel, visa applications, asset management and complying with and managing business partner contractual obligations (including employee placement/assignment with clients).
-
Employee Administration and Management - CGI may process personal data (including where appropriate, and subject to this Privacy Statement and the Applicable Data Protection Legislation, sensitive personal data) about members and (where relevant) their dependents and next of kin, for purposes related to their employment with CGI. This may include recruitment, general management, performance management, career development, health and safety compliance, provision of health insurance, life insurance, sickness monitoring/compliance, diversity monitoring, disciplinary procedures, security checks (if and where required), visa applications and other immigration requirements, communications to and from members, member contact directories, sensitive/secure area access controls, IT system administration and management, payment of taxes, expense processing and employee benefits. From time to time, and subject to local requirements, CGI may offer its members a range of benefits and discounts that it has negotiated with other companies and may supply relevant personal data to carefully screened third party organizations to offer and provide such benefits.
-
Enterprise Security and Quality Control– CGI provides its members pc’s laptops and (mobile) telephones enabling access to internet, e-mail, social media, CGI Group’s intranet and various software applications and tools, Besides these digital equipment, CGI also provides cars and physical workspaces (all of the latter being company property). CGI trusts that each member acts responsibly when using company property and to strictly abide by all applicable codes of conduct that are issued in that respect like, but not limited to, the Code of Ethics and Business Conduct, Security and Acceptable use policy and the policy on the use of third party software. For security reasons only, CGI may monitor its premises with cameras. CGI may have good and legally justifiable reasons to monitor the use of digital equipment / devices and digital traffic through the equipment and devices by members taking into consideration the necessity of the monitoring and the member’s privacy. Incidental investigations will only be done for substantial reasons in targeted situations and NL Security Office will always be involved in such investigation and taking the security incident investigation and reporting processes into account . CGI organization wide monitoring and recording internet usage history and e-mail correspondence will only be implemented following a collective consultation process with the NL Works Council.
-
Corporate Finance, Mergers and Acquisitions – from time to time, CGI buys, sells and/or transfers group companies, business assets, financial instruments/ arrangements, and contracts. In relation to such opportunities and arrangements, CGI may share relevant personal data with potential buyers, sellers, professional advisors and regulatory authorities, subject to obligations of confidentiality and local legal restrictions.
-
Regulatory, Professional and Membership Requirements – CGI may process personal data about members, and transfer personal data to relevant regulatory bodies and professional/trade/industry organizations, in relation to membership applications and renewals, regulatory requirements (including regulatory/legal reporting requirements), professional standards etc.
-
Health, Safety, Law and Insurance – CGI may process personal data and transfer to appropriate third parties (including CGI’s facilities managers, event organizers, insurers, advisors and business partners) to comply with health, safety, legal, insurance, travel and emergency requirements.
-
Compliance with Local Legal Requirements and Agreed Practices – CGI may process personal data, and transfer personal data to other entities within the CGI Group and/or appropriate third parties, as and when local laws require or permit it or where local practices have been agreed with members, employee representatives, data protection officers, and/or data protection authorities/regulators.
4.6. Internal Transfer and Third Party Processing
In order to manage the CGI Group’s business efficiently, and to work as a global organization with standardized systems and processes, personal data of members (including where appropriate, in accordance with this Privacy Statement and local legal requirements, sensitive personal data) may be transferred by CGI to other entities within the CGI Group and their designated third party processors for processing worldwide (both inside and outside the EEA). The protection of the personal data to be transferred within CGI Group is secured by the CGI Intra Group Transfer Agreement employing the EU model clauses.
5. REQUESTS RELATING TO PERSONAL DATA
Data subjects have certain rights under the Applicable Data Protection Legislation to request access to their personal data held by CGI and/or information about how CGI processes their personal data. Such a formal request from a data subject must be made in writing to CGI at dpo@cgi.com – or using the “Contact Us” page, with as many details as possible of the type of personal data requested, relevant dates of personal data collection/processing and any other information which can reasonably assist in the search for the personal data.
Where CGI acts as the data controller, data subjects always may:
-
have access to their personal data;
-
request the rectification or deletion of any inaccurate or incomplete personal data;
-
object to the processing of their personal data at any time, unless such processing is required by applicable laws, provided that the data subject has a legitimate ground to object;
-
request the restriction of the processing where the personal data is no longer accurate or necessary;
-
receive their personal data in a structured, commonly used and machine-readable format.
CGI members who wish to make such a request should do this in writing to the NL Privacy Lead at dpo@cgi.com or the HR representative. Any member who receives a written request for personal data should forward it to the NL Privacy Lead at dpo@cgi.com immediately. CGI will act in accordance with the Applicable Data Protection Legislation and other relevant legal obligations and its contractual obligations in the search for and provision of relevant personal data and requires data processors which process personal data to do the same. CGI may need to ask the data subject further questions in relation to the personal data or to verify the data subject’s identity. Personal data must also be accurate and, where necessary, up to date. CGI may create systems and procedures to allow members to access and update their personal data directly, and members should use these methods wherever possible. Members can also contact their HR representative for further details. On termination of employment for whatever reason, CGI shall maintain the personal data of former members for such time as shall be necessary and permissible in accordance with applicable law and regulations and necessary for the provision of appropriate ongoing benefits and services (for example, employee share schemes and pension administration).
6. COMPLIANCE BY CGI MEMBERS
General Good Practice
Members with access to personal data have a responsibility to treat it with care and discretion. Members should put into place good practice measures, follow management guidelines, comply with contractual obligations such as the controller’s instructions and utilize relevant CGI training courses as are available from time to time to ensure the protection of personal data against misuse and loss. Examples of good practice include (but are not limited to) the following:
-
Care should be taken when processing personal data to avoid unauthorized disclosure, such as to co-workers, visitors and other third parties;
-
Members should avoid leaving computer screens unattended while work is in progress and must give attention to the safe and secure storage of all disks, storage devices, print-outs and manual files;
-
Members should not disclose their “User IDs” for any system to any unauthorized individuals, including co-workers, and should ensure that CGI’s password and security/confidentiality policies are followed;
-
Members should use common-sense security controls and good practice, such as displaying their own security badge at all times, reporting to the NL Security Office at security.nl@cgi.com or their manager any stranger/unusual activity seen in an entry-controlled area, locking away confidential information including personal data, and disposing of documents in accordance with their level of sensitivity;
-
Members should, pursuant to the procedure Melden Datalekken, report any data leakage incident immediately as described in this procedure at security.nl@cgi.com.
7. PRIVACY BY DESIGN / PRIVACY BY DEFAULT
As demonstrated by the commitments made under this Privacy Statement, CGI is committed to providing the appropriate level of protection for the personal data it processes. To ensure that the principles defined in this Privacy Statement are effectively taken into account when CGI processes personal data, business units must identify and address any data protection constraints at the beginning of a new project so that the principles contained herein are reflected in the design of the project and are appropriately implemented.
8. PRIVACY IMPACT ASSESSMENT
When acting as a data controller, CGI shall be responsible for monitoring data processing compliance with Applicable Data Protection Legislation. Consequently, CGI shall implement a privacy impact assessment procedure that will enable CGI to:
-
identify which processing presents any specific risk for the protection of personal data;
-
assess the level of compliance with the Applicable Data Protection Legislation principles;
-
assess the level of severity or likelihood of risk associated with the processing;
-
determine the corrective measures to be implemented to ensure that personal data is processed with risks that are mitigated and performed in compliance with the Applicable Data Protection Legislation.
9. REVISIONS AND CHANGES TO THIS STATEMENT
This Privacy Statement may change from time to time, so CGI's business partners, clients and members should refer to this Statement on a frequent basis. With respect to material changes, CGI will comply with applicable law (including where necessary any requirement to obtain consent from the competent employee representative body – NL Works Council). CGI will ensure that members are notified of any changes to the Privacy Statement promptly, by posting as an “update” on the internet/intranet, by email or other appropriate method of communication. CGI’s business partners and clients should request a status update on a periodic basis.
Download PDF