The Teleperformance Group Privacy and Data Protection Policy (the “Policy”) expresses the strong commitment of Teleperformance to respect and protect the privacy of every individual, including its employees and clients. All employees of the companies of the Group (“Teleperformance Company/ies” or “Teleperformance”) must abide by this Policy.
2. Safe Harbor
The U.S. Department of Commerce and the European Commission have agreed on a set of data protection principles—and frequently asked questions—enabling U.S. companies to protect personal data transferred from the European Economic Area (“EEA”) to the United States in accordance with laws in the European Union (the “U.S.—E.U. Safe Harbor Framework”). The U.S. Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland have agreed on a similar set of principles—and frequently asked questions—enabling U.S. companies to protect personal data transferred from Switzerland to the United States in accordance with Swiss laws (the “U.S.—Swiss Safe Harbor Framework”).
TPUSA, Inc. (Teleperformance’s U.S. company) adheres to the U.S.—E.U. Safe Harbor Framework and the U.S.—Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce.
For more information about the Safe Harbor Program, see the U.S. Department of Commerce’s website at http://www.export.gov/safeharbor/.
The privacy protection standards and requirements contained in this Policy shall apply to all Teleperformance Companies that deal with the processing, collection, storing, or transfer of personal data, acting as a Data Controller or as a Data Processor.
All Teleperformance Companies must first and foremost comply with their local laws and regulations and in case of a conflict between their local laws and this Policy, local laws shall prevail.
“Data Controller” shall mean the company or person that determines the purposes, content, use and means of the processing of Personal Data.
“Data Subject” shall mean the natural person who owns the data undergoing Processing.
“Data Processor” shall mean the company or person that processes Personal Data on behalf of the Data Controller.
“Consent of the data subject” shall mean any free, unequivocal, specific and informed indication of his/her wishes by which the data subject consents to the processing of personal data relating to him/her.
“Friendly Third Country” shall mean, for the purposes of transferring data outside of the EEA, any country that is located outside of the European Economic Area (EEA) but that ensures an adequate level of protection, the list of which being available at: http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm
“Non-Friendly Country” shall mean, for the purposes of transferring data outside of the EEA, any country not located within the EEA or any country that is not a Friendly Third Country.
“Personal Data” means any information relating to an identified or identifiable natural person (each a “Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
“Processing”, in relation to information or data, means collection, recording or holding the information or data or carrying out any operation or set of operations on the information or data, whether or not by automatic means, which includes the organization, storage, adaptation or alteration of the information or data; the retrieval, consultation or use of the information or data; the disclosure of the information or data by transmission, dissemination or otherwise making it available; or the alignment, combination, blocking, erasure or destruction of the information or data.
5. Processing of Personal Data
5.1. Purpose of processing Personal Data
Teleperformance may process Personal Data that is reasonably adequate for and relevant to the following applicable purposes:
- For human resources and personnel management processes, which may include recruitment, workforce planning, training and performance management, compensation and benefits, leave and benefits management, pay slip distribution, employee information and skill management, employee surveys, exit interviews and processes, and health and safety. In such a case, the Teleperformance Company acts as a Data Controller.
- For Personal Data of the personnel of suppliers and vendors, contributors, clients, prospects and visitors. In such a case, the Teleperformance Company also acts as a Data Controller.
- For business process execution and management processes which may include any activities or services done by Teleperformance Company on behalf of or for the client. In such a case, Teleperformance Company acts as a Data Processor.
5.2. Rules to follow while processing Personal Data
Each Teleperformance Company, its employees and its suppliers must observe the following principles when processing Personal Data:
- Personal Data must be processed fairly and lawfully.
- Personal Data must be collected for one or more specified and lawful purpose(s) and may not be processed incompatibly with those purposes. Further processing of the data for historical, statistical or scientific purposes shall not be considered incompatible.
- Collection of Personal Data must be adequate, relevant and not excessive in relation to the purposes for which the data is processed.
- Personal Data must be accurate and kept up to date in such a way as to give a true picture of the current situation of the data subject.
- Personal Data must not be kept for longer than is necessary. Data shall be erased when they have ceased to be necessary or relevant for the purpose for which they were obtained or recorded.
- Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of Personal Data as well as against accidental loss, destruction of or damage to that data.
- Personal Data must not be transferred outside the country from which it originated unless such transfer complies with Section 5 of this Policy.
- The collection of data by fraudulent, unfair or illicit means is prohibited.
5.3. Additional rules to follow when Teleperformance Companies act as Data Controller
Teleperformance Companies, when acting as a Data Controller, must comply with the following additional requirements:
- Notify or register with the appropriate Data Protection Authority when required by the respective local privacy laws;
- Consent to process Personal Data must first be given by the Data Subject before collection, processing, or storage of any Personal Data, unless laid down otherwise by law. Every Data Subject must be informed of the purpose for which Personal Data is collected, stored, or processed;
- Teleperformance Companies shall provide the Data Subject with the identity and address of the Data Controller or his representative, if any; the purposes of the processing; the recipients or categories of recipients of the data; and the existence of the right of access to, and the rights to rectify, erase and object to, the data concerning him/her.
6. International Transfer of Personal Data
This section covers the following scenarios for the transfer of Personal Data:
- a. Transfer within the EEA or from the EEA to a Friendly Third Country;
- b. Transfer of Personal Data from the EEA to a Non Friendly Country;
- c. Transfer across borders (from a country not part of the EEA).
6.1. Transfer within the EEA or from the EEA to a Friendly Third Country
This Section describes the transfer of Personal Data that will be processed by Teleperformance on behalf of a client within the EEA, or the transfer of Personal Data from a Teleperformance Company as Data Controller to a third party within the EEA, including the transfer to another Teleperformance Company. An example is Personal Data from a customer (each a Data Subject) of a client (acting as Data Controller) serviced by Teleperformance (acting as Data Processor) in call centers in France, Germany and Spain. Personal Data may be collected in Spain by a Teleperformance Company in France and may be stored on a server in Germany. The transfer of Personal Data from Spain to France and to Germany is a transfer of Personal Data within the EEA, because all these countries belong to the EEA.
Consent from the Data Subject to transfer is not necessary when the transfer of Personal Data (between the Data Controller and the Data Processor or between the Data Processor on behalf of the Data Controller to a third Data Processor) is made within member countries of the EEA.
Transfer of Personal Data (between the Data Controller and the Data Processor, or from the Data Processor on behalf of the Data Controller to a third Data Processor) to a Friendly Third Country is allowed. The list of the Friendly Third Countries is available at: http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm. Transfer of Personal Data to the United States of America (US) is permitted if the US companies have adhered to the (US-EU) Safe Harbor.
6.2. Transfer of Personal Data from the EEA to a Non Friendly Country
This Section describes the transfer of Personal Data that will be processed by a Teleperformance Company, or by a service provider on behalf of a Teleperformance Company, located in a Non-Friendly Country, or the transfer of Personal Data from a Teleperformance Company as Data Controller to a third party, including another Teleperformance Company, in a Non-Friendly Country. An example is the transfer of Personal Data by a Teleperformance Company in France to a Teleperformance Company in the Philippines. Another example is a Teleperformance Company being serviced by a service provider in India.
In cases where Personal Data is to be transferred to a Non Friendly Country, the following principles must be observed:
a. Assess whether the country of destination accords an adequate level of protection to Personal Data using the following factors:
i. the extent to which privacy laws are adopted;
ii. the ways in which the standards are ensured in practice; and
iii. the existence of an effective procedure for individuals to enforce their rights or obtain compensation if things go wrong.
b. Teleperformance Companies must make reasonable efforts to incorporate in their commercial contracts the appropriate standard contractual clauses issued by the European Commission that offer adequate safeguards with respect to (i) the protection of the privacy and fundamental rights and freedoms of individuals and (ii) the exercise of the corresponding rights, and must obtain, where necessary, prior authorization from the Local Data Protection Agency.
c. Determine whether there is a need to obtain Consent from the Data Subject to transfer Personal Data.
6.3. Transfer of Personal Data across Borders
a. Any transfer of Personal Data from one country (not belonging to the EEA) to any other country must be in compliance with the local data privacy protection laws of the country of origin.
i. It is necessary to determine the requirements for the processing of personal data under the respective local data privacy laws, such as registration or notification to the local data privacy authority, obtaining Consent from the Data Subject, or compliance with specific security requirements.
ii. It is necessary to determine whether the receiving country also provides for an adequate level of protection to privacy of personal data.
b. The Teleperformance Company must always follow the principles laid down in Section 4 of this document when processing Personal Data or information.
c. In all cases, Teleperformance must ensure that the transfer or processing of Personal Data is done with proper and reasonable security and protection. It must be ensured that the receiving entity or any third party provider provides the same adequate level of protection.
7. Retention of Data
Storage of Personal Data by Teleperformance Companies must be made in accordance with the following rules:
a. The reasonable length of time for which Personal Data is kept must be reviewed periodically;
b. Such retention must conform to the purpose(s) for which the Personal Data was collected, and the Personal Data must not be kept after those purpose(s) have been accomplished;
c. All Personal Data must be deleted or anonymized in a secured manner ensuring protection from unlawful or wrongful access;
d. Retained Personal Data must be accurate, archived and updated and it must be securely deleted once it goes out of date. It is the responsibility of the Data Subject to inform Teleperformance of any inaccuracy or update to his/her personal data. However, Teleperformance will exert commercially reasonable effort to maintain its database as accurate and updated as possible.
Where the Teleperformance Company shares Personal Data among its subsidiaries, those subsidiaries must agree what to do with such Personal Data once they no longer need to share the information.
8. Information Security
a. Teleperformance Companies must ensure that only authorized people can access, alter, disclose or destroy Personal Data and that those people only act within the scope of their authority in relation to Personal Data. A system must be created to (i) protect Personal Data from accidental loss, alteration, or destruction and (ii) also make such Personal Data recoverable to prevent any damage or distress to the Data Subjects concerned.
b. Safeguards must be put in place to protect Personal Data. Such safeguards may include physical and environmental security, such as facilities, workstation and integrity access control; computer security, such as security devices and encryption; and employee security awareness, such as new-hire and annual training. Every Teleperformance Company must implement a risk assessment and must be accountable for the organizational, policy, procedure and documentation requirements.
c. Security requirements of local privacy laws may vary from country to country, and so IT standards must conform to local and contractual requirements. Therefore, Information Security officers must always refer to, and keep up to date with, the applicable specific or local security standards when addressing the security of Personal Data.
d. In case of any Personal Data breach, Teleperformance Companies must activate a breach-management plan which includes at least the following:
i. Breach Containment and Recovery – Teleperformance must resolve the incident by applying a recovery plan and, where necessary, procedures for damage limitation.
ii. Risk Assessment – Teleperformance must assess associated risks, such as the adverse consequences for individuals; seriousness of the breach; and risk of repetition.
iii. Breach Notification – Teleperformance must inform the people concerned about an information security breach, as well as the appropriate data protection authority and other appropriate parties such as the police and the banks, as the case may be.
iv. Process Evaluation – An investigation must be conducted to determine the cause of the breach and to evaluate the effectiveness of the response. Policies and procedures must be updated accordingly.
9. Cooperation with Data Protection Authorities
All Teleperformance Companies and their employees have a duty to co-operate with, and to respond diligently and appropriately to, any inquiry or request made by the appropriate local Data Protection Authorities. Such a request may include an audit inquiry or a request for Teleperformance Companies to be audited, if deemed necessary, and Teleperformance Companies must comply with the advice of Data Protection Authorities on any issue regarding these standards or compliance with privacy laws.
Any employee who has attempted to breach, is alleged to have breached, or has in fact breached this Policy, whether by negligence or willful misconduct, will be subject to disciplinary sanctions at the Teleperformance Company’s sole discretion, up to and including termination of employment, in accordance with applicable laws.