Qubole HR Privacy Policy

Effective Date: 27 November 2020

Our Human Resources Privacy Policy

Personal privacy is very important to Qubole, Inc (“Qubole”), whose principal address is at 469 El Camino Real, Suite 205, Santa Clara, CA 95050, USA. We are committed to safeguarding the personal data of our customers and the data we manage on behalf of our customers. And we are equally committed to safeguarding your personal data if:

  • You are a current Qubole employee
  • You work for us as a contractor, consultant or agency staff
  • You are an applicant interested in joining our team

This Human Resources Privacy Policy (hereafter: “Policy”) describes the framework for honoring our privacy commitments. If you have any questions related to this Policy, please contact the Qubole Privacy team at [email protected], or by calling us at (855) 423-6674.

You can contact our EU representative, European Data Protection Office (“EDPO”), regarding matters pertaining to the GDPR by:

If you would like to reach Qubole’s Data Protection Officer you can contact us by phone at +1 (855) 423-6674, by email at [email protected], or by post to:

Qubole Inc.

469 El Camino Real, Suite 205

Santa Clara, CA 95050


Scope of this Policy

This Policy applies to the following stakeholders (hereafter: “you”/“your”):

  • Applicants to Qubole and its subsidiaries;
  • Current employees of Qubole and its subsidiaries; and
  • Contractors, Consultants and Agency Staff contracted by Qubole.

This Policy outlines the obligations of Qubole and its subsidiaries (hereafter: “we”/“our”/“us”) as an employer or principal towards you, and your obligations towards us, in terms of data protection and how privacy protection is applied. By accepting the terms of your employment contract, contractor agreement and/or your confidentiality agreement with us, or when applying to work with us, you are consenting to this Policy. We expect that you honor this commitment to security and privacy after the completion of your contract.

Our Privacy Principles

  1. Personal data will be processed lawfully and fairly.
  2. Personal data will be kept only for specific, explicit and lawful purposes as outlined in our policies and guidelines. Personal data will be used and disclosed only when compatible with those purposes.
  3. Personal data collection will be adequate and relevant, not excessive.
  4. Personal data will not be retained for longer than is necessary for the purposes for which they were obtained.
  5. Personal data will be accurate, complete and up to date.
  6. Copies of personal data we hold on an individual will be provided to them on request in line with our commitments under the EU GDPR.
  7. Personal data will be kept secure using technical measures and organizational measures which are grounded in the principle of privacy by design.

“Personal Data” means: any information relating to an identified or identifiable natural person (data subject). An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Art.4(1) EU GDPR)

Our Commitment to Privacy, Transparency and Accountability

With the increasing priorities around personal privacy and transparency throughout the regions Qubole operates in, Qubole strives to comply with all relevant regional and regulatory requirements concerning privacy and data protection of Qubole employees, contractors, consultants and agency staff employees where Qubole operates. We abide by regulations and national laws and we fully comply with and support activities that seek to verify our compliance in the form of investigations and audits, whether they are from supervisory authorities or companies for due diligence. We are committed to ensuring the security of any personal data processed by us. We report data breaches as quickly as possible and take a result-oriented approach to effectively and efficiently resolve any issues resulting from an unintentional or unforeseen data breach.

Our Obligations

When and why may your data be collected/stored?

Your personal data is collected and processed for the purposes of enabling us to comply with applicable employment laws and to execute necessary employment functions such as HR and payroll. The examples in this section provide an overview of the principal purposes for which we are required to collect your personal data. Specifically, for compliance with our obligations as an employer, we must collect the following:

  • Maternity/paternity/parental leave
  • Employment Benefits (e.g. Healthcare Insurance, 401K, Stock Option plans, etc.)
  • Diversity requirements
  • Working hours
  • Sick leave
  • Payroll
  • Health and Safety – accident or injuries at work

In specific cases, personal data may also be collected for purposes including, but not limited to, the following examples:

  • Checking of qualifications during recruitment
  • Provision of employee benefits such as health insurance, pensions or lunch vouchers
  • Performance management to facilitate career development through periodic appraisals
  • Security and monitoring access to our premises (badge controls), video surveillance
  • Resource management for the allocation and maintenance of resources (access rights to office buildings, IT systems, databases)
  • Training for the organization of training sessions
  • International mobility in cases where employees are relocated

Under the above obligations and specific cases, we may collect the following kinds of personal data:

  • Identification data: name, surname, contact information
  • Work entitlement data (e.g. for the purpose of verifying if you are entitled to work in the country)
  • Family status (e.g. for the purpose of health insurance and pension provision)
  • Education and career development data
  • Professional life: contracts, working time, absence, paid holidays
  • Economic situation: tax and source deductions, pay grade, salary and other compensation elements, pension fund contributions, bank account details
  • Military status: military situation in countries where there is compulsory military service
  • Police records: criminal records check or security background checks for those working in confidential environments or subject to Customer Required Security Clearance
  • Marketing information: employee photos for those included in our external marketing or other materials
  • Other information required for us to comply with our obligations as an employer under local laws.

Under the GDPR, the legal bases for this processing of your personal data (including sensitive personal data) are the performance of our employment contract with you, compliance with our legal obligations stated within this privacy policy, and our legitimate interests in executing necessary employment functions, which have been balanced against your interests, fundamental rights, and freedoms. Reach out to us through the contact information listed above for more detail.

Who has access to your personal data?

Your data may be handled by our HR Department, Payroll and managers. However, in all cases, access to your data is restricted to those who need it and closely monitored and reviewed by the Qubole Privacy team. Your personal data is securely stored and processed using technical and organizational measures which are regularly reviewed to ensure they are state of the art and they remain up to date. Some personal data, including electronic identities, is handled by the IT Department for the purposes of resource management. To fulfil our contractual obligations, we may provide your personal data to our vendors and suppliers for the purposes of service support. These vendors and suppliers provide services like human resource data management, payroll processing, benefits and claims processing, background verification, identification of candidates for recruitment and so on. These data transfers are governed by Data Processing Agreements, which are monitored regularly by the Qubole Privacy team.

We disclose your personal data to any authority to which we are required by law (e.g. Tax Authorities, Social Security Services, Child Benefits Agencies). In some cases, your personal data may be requested by judicial authorities or law enforcement agencies in the context of legal investigations. In most cases (unless it will prejudice the outcome of the investigation) you will be notified about such requests. In all cases, the Qubole Privacy team will be involved to ensure privacy principles are upheld in a lawful manner and the identity and authority of the person/agency making the data access request will always be verified.

At the time of the merger/acquisition the personal data will be transferred using secure means and governed by a Data Processing Agreement, which is monitored by the Qubole Privacy team.

How long is your personal data stored?

Your personal data is kept for the duration of your employment with us. We may retain your data for a certain period after your employment as long as it is necessary for us to comply with our legal and regulatory obligations, to resolve disputes, to respond to any employment inquiries, to make and defend legal claims, to conduct audits, to respond to tax, accounting or administrative matters, to pursue legitimate business purposes and/or to enforce our agreements. When we no longer have a continuing legitimate business need to process your personal data, we will either delete or anonymize it.

Sensitive Personal Data

Sensitive data (or “special categories of personal data” under the GDPR) includes personal data revealing your: racial/ethnic origins; political opinions; religious beliefs; membership of a trade union; sexuality; physical or mental health conditions; or, criminal offenses or convictions. (Art. 9 EU GDPR).

Qubole processes sensitive data for the following purposes:

(a) Statutory Obligations:

We may be required to process sensitive personal data to comply with our statutory obligations. For example, to demonstrate non-discriminatory practices, we might be asked for figures relating to gender, age or ethnic background. In these cases, we ensure any sensitive personal data we hold or process is kept to a minimum, in accordance with our Privacy Principles.

(b) Occupational Health:

Health data is a sensitive category and must be subject to stricter access controls and security measures. The principles of “need to know” are applied here. The processing of health data is governed by the HR operational processes which place restrictions on who has access to this data and how it is stored or processed.

(c) Security Background Checks:

Security background checks for those working in confidential environments or subject to customer required security clearance may be necessary. In the event of a security background check, this will be conducted in close cooperation with the staff member undergoing the check and will comply fully with local legislation. We will never pass the content or details of this check to third parties. They will be informed only that a check has been conducted and whether the member of staff has passed.

(d) Video Surveillance:

For the purposes of physical security, the buildings of our offices may have video surveillance to monitor and secure entrances or other important environments. Where video surveillance is in use, this will be signposted clearly. It may be necessary to access and provide this data to local police in criminal investigations, and then it is subject to local legislation and careful monitoring by Qubole Information Security that relevant privacy rules are applied.

(e) Sensitive Data Conditions:

Sensitive personal data may only be processed where you have given explicit consent or where another exemption to the prohibition on processing special categories of personal data applies. It is our policy to ensure that any sensitive personal data we hold or process is kept to a minimum. To the extent we regularly process such sensitive personal data, we do so because the processing is necessary for us to carry out our obligations and exercise our specific rights in the field of applicable employment, social security and social protection law.

(f) What Data We Do NOT Collect:

Under no circumstances do we collect sensitive personal data relating to political opinions; religious beliefs; membership of a trade union; sexuality.

International Data Transfers

Employee personal data shared as above may be shared with third parties, or stored, outside of the region collected (for example, the European Economic Area) in which case we will ensure that the data transferred is limited to only data required, there is an appropriate legal basis for such transfer, and that appropriate safeguards are in place to protect your personal data, in accordance with applicable data protection regulations.

For example, see below the appropriate safeguards which Qubole has implemented with regard to international transfer of your personal data:

Adequacy Decisions

Personal data covered by GDPR may be transferred to countries outside the EU if the European Commission has decided that the third country in question ensures an adequate level of protection for personal data (Article 45 GDPR). In certain cases, Qubole may transfer employee personal data to such third countries.

Standard Contractual Clauses

Personal data covered by GDPR may be transferred to countries outside the EU and to countries that do not have laws that provide specific protection for personal data by using the approved Standard Contractual Clauses (Article 46.2 GDPR). Qubole has taken steps to ensure all personal data is provided with adequate protection and that all transfers of personal data outside the EU are done lawfully and securely. We have contractual clauses embedded in our vendor agreements to ensure that vendors who work with EU nationals’ personal data meet the adequacy and security requirements for such data.

What additional measures have we taken to safeguard your data?

EU-US Privacy Shield

For personal data processed in the scope of this Policy, Qubole complies with the EU-U.S. Privacy Shield Framework (the “Privacy Shield”), as adopted and set forth by the U.S. Department of Commerce, which requires Qubole to maintain high standards for its use and treatment of personal data. To learn more about the Privacy Shield, and to view our certification, please visit https://www.privacyshield.gov and https://www.privacyshield.gov/list, respectively.

If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. With respect to personal data received or transferred pursuant to the Privacy Shield Framework (as permitted by GDPR Article 45), Qubole is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Qubole remains liable under the Privacy Shield Principles if a third-party that it engages to process personal information on its behalf does so in a manner inconsistent with the Privacy Shield Principles, except where Qubole is not responsible for the event giving rise to the damage.

Your Rights

You have the right to a) know what personal data we collect and store about you, b) correct and amend your personal information if it is inaccurate, or c) request that personal information be deleted if it has been processed in violation of our privacy principles.

You are entitled to receive a copy of your personal data held by us in accordance with the California Consumer Privacy Act (“CCPA”), GDPR, and guidelines issued by the applicable national supervisory authorities. Data access requests may be made on our toll free number or by contacting the Qubole privacy team (email: [email protected]) with a clear description of the information you seek. Once we receive a request, you will be required to provide your full name, registered email ID and company name to verify your identity. If your identity is successfully verified by us, your request will be processed, and we will respond within 10 business days.

You have the right to opt-out when your personal information is disclosed to third parties or used for a purpose that is different from the purpose(s) for which it was originally collected or subsequently authorized by you. You can opt-out of your personal data processing by sending an email to [email protected].

If GDPR applies to our processing of your personal data, you may also ask to rectify it, restrict its processing, object to its processing, delete it, and port it to another provider. Your request to restrict the processing of your personal data or to delete your personal data may be denied to the extent that we are processing your personal data on any of the lawful bases for processing indicated within this privacy policy.

If you are a California resident, under the CCPA, you have the right to request that we delete any of the personal information we collected from you as a data controller. Your request for data deletion may be denied by us if (1) your identity could not be verified successfully or (2) if the data is required to:

  1. Perform and honor the contract that we have with you (or our customers),
  2. Detect and respond to security incidents and breaches,
  3. Debug errors and ensure intended functionality is provided,
  4. Exercise free speech and to ensure the right of another party to exercise their free speech rights,
  5. Comply with the California Electronic Communications Privacy Act and with any other legal obligation,
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent,
  7. Enable solely internal uses that are reasonably aligned with our employees’, customers’ or clients’ expectations based on your relationship with us, or
  8. Use internally, in a lawful manner, that is compatible with the context in which you provided the information.

Your Obligations

The following obligations apply if you are a current or former employee, contractor, consultant, agency staff, or applicant:

Confidentiality and Data Protection

As employees, contractors, and/or consultants, you are obliged to uphold strict confidentiality and security regulations in the processing and handling of personal data. You are obligated to follow Qubole’s Technology Acceptable Use and Data Governance Policies provided as part of the Qubole onboarding process and published on Qubole’s intranet. The use of electronic communications, devices, internet, phones, etc. is covered in our Technology Acceptable Use and Data Governance Policies that are published on Qubole’s intranet.

You are obliged to attend information security and data protection training. We will also provide awareness materials to keep you regularly updated and provide you with dedicated training which is tailored to your role in processing personal data.

During employment and after termination you are obliged to maintain data protection and professional confidentiality regarding all matters relating to us and our business, as laid down in your confidentiality agreement that you entered into with us as part of the onboarding process.

Breaches of confidentiality, both in terms of data protection and professional confidentiality, constitute a material breach of your employment agreement, which may result in additional training for corrective actions. Breaches resulting from malicious actions or gross negligence may result in termination of employment or legal action, whereby you may be required to pay compensation to us for civil or business liabilities arising as a result of such actions.

To ensure accuracy of records, you must notify HR within 30 days of any changes to personal data or circumstances. For example: a change of address, marriage, etc. This ensures that your personnel records are kept accurate and up to date.

End of Employment/Contract: Termination or Resignation

Upon end of employment, contract or the replacement of assets, it is your responsibility to ensure that:

  • You return all hardware belonging to Qubole (i.e. devices, peripherals etc.).
  • You erase your personal data from all hardware used during your employment with Qubole.
  • You erase all Qubole confidential electronic data or materials in your possession.
  • You return all keys which enable access to personal data (i.e. access cards, passcodes, etc.).
  • You return any Qubole confidential printed documents or materials in your possession.

How can you file a privacy inquiry or complaint?

In compliance with the international privacy requirements, Qubole commits to resolve questions and complaints about our collection or use of your personal information in a timely manner. All individuals with inquiries or complaints regarding our Privacy Policy should first contact the Qubole Privacy team at: [email protected].

Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted in relation to concerns around our privacy practices.

If you are an EU national who has an unresolved concern related to data privacy, you have the right to lodge a complaint with your local data protection authority or the UK Information Commissioner’s Office (ICO), which is Qubole’s lead supervisory authority in the EU. Click on this link to know who our local data protection supervisory authority is: https://edpb.europa.eu/about-edpb/board/members_en