Provide Nuance Communications, Inc. (Nuance) and its entities with consistent guidelines for collecting, processing, storing, transferring, disclosing, deleting and using Employment and/or Employee data for employees located in the European Union. The Nuance entities covered in this Policy are Nuance Communications, Inc., a USA corporation, and/or any of its affiliates, subsidiaries and legal entity employers (collectively referred to as "NUANCE").
This policy is effective January 1, 2007 and applies to all NUANCE entities, employees, contractors and third party vendors that collect, process, record, store, transfer, disclose, delete and/or use NUANCE Employment/Employee Data on NUANCE's behalf.
"Employment/Employee Data" means any personal information about an identified or identifiable individual that is received by NUANCE or a third party vendor. Persons protected include job applicants, employees (including temporary, permanent and part-time), contract employees, interns, contingent workers, retirees, and former employees, as well as any dependents or others whose personal data has been given to an NUANCE entity by such persons.
This Policy does not cover data rendered anonymous where individual persons are no longer identifiable; are identifiable only with a disproportionately large expense in time, cost, or labor; or situations in which pseudonyms are used. The use of pseudonyms involves the replacement of names or other identifiers with substitutes, so that identification of individual persons is either impossible or at least rendered considerably more difficult. If data rendered anonymous becomes no longer anonymous (i.e., individual persons are again identifiable), or if pseudonyms are used and the pseudonyms allow identification of individual persons, then this Policy will apply.
On October 6, 2015, the European Court of Justice issued a judgment that declared invalid the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles,” (“Safe Harbor”). Safe Harbor is a legal mechanism to permit transfers of EU residents’ personal information to the United States and to ensure that the information is legally protected at a level that is considered adequate by EU standards. Since the judgment was issued, the EU and US have been in negotiations to determine a path forward for Safe Harbor and it is expected that information will not be available until the end of January 2016. Nuance Communications, Inc. has self-certified to the Safe Harbor principles in the past, but in light of the recent judgment, has executed ‘standard contractual clauses’ with its EU subsidiaries who collect and export personal information in order to allow transfers and the continued protection of EU residents’ data during the interim period while we await further guidance from the European Commission.
Application of Local Law
This policy provides a standard for NUANCE with respect to its protection of Employment/Employee Data globally. Certain local laws may require stricter standards. Therefore, we will handle this data in accordance with applicable laws and regulations at the place where the data is processed. Where applicable local law provides a lower level of protection of Employment/Employee Data than established by this Policy, then the requirements of this Policy apply. Questions about compliance with local law may be addressed to your local Human Resource Manager.
"Sensitive Personal Information" means personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of an individual. If NUANCE collects Sensitive Personal Information from you, we will provide you with an affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by you. NUANCE will treat any information you provide and identify as sensitive as Sensitive Personal Information.
Employment/Employee Data Collection & Use Guidelines
NUANCE respects the privacy rights of each individual; therefore, all NUANCE entities, contractors and third party vendors will observe the following guidelines when processing, transferring, analyzing and/or using Employment/Employee Data:
- Data will be collected, stored, transferred, processed, analyzed and used in accordance to NUANCE's established guidelines and in compliance with local laws/regulations in the territory where those activities occur.
- Data will be collected for specified, legitimate purposes and not processed in ways incompatible with those purposes.
- Data will be relevant to and not excessive for the purposes for which they are collected and used.
- Data will be current and accurate with reasonable steps taken to rectify or delete inaccurate Employment/Employee Data.
- Data will be kept only as long as necessary for the purposes for which it was collected and processed.
- Appropriate measures will be taken to prevent unauthorized access, unlawful processing, and unauthorized or accidental loss, destruction, or damage to data.
Employment/Employee Data may be collected, stored, analyzed, shared and used for legitimate human resources, business, and safety/security purposes in accordance with this Policy and applicable law(s). The primary purposes for collection, storage and/or use of data include:
- Human Resources Management: involves the collection, storage, analysis and sharing of data in order to attract, retain and motivate a highly qualified workforce. This includes, but is not limited to, recruiting, compensation planning, succession planning, reorganization needs, performance assessment, training, employee benefit administration, compliance with applicable legal requirements, and communication with employees and/or their representatives.
- Business Processes and Management: involves processes used to run NUANCE's operations to include, but is not limited to, payroll processing, scheduling work assignments, managing company assets, reporting and/releasing public data (e.g., Annual Reports, etc.); and populating employee directories.
- Safety and Security Management: involves activities that ensure the safety and protection of employees, assets, resources, and communities.
If NUANCE introduces a new tool or process that will result in the processing of Employment/Employee Data for purposes that go beyond the above categories, then it must inform the employees of the new tool or process, the purposes for which the Employment/Employee Data will be used, and the categories of recipients of the data.
Sensitive Personal Data Categories
In limited circumstances where NUANCE, or a third party needs to collect Sensitive Personal Data, NUANCE will ensure that the individual is notified of the reason for obtaining this data and with whom it will be shared. Contingent upon applicable law(s), NUANCE will obtain explicit consent from the individual regarding the processing and transfer of such data to non-NUANCE entities. Appropriate protection measures (e.g., physical security devices, encryption, and access restrictions) will be provided depending on the nature of data and the risks associated with the intended use.
Security and Confidentiality
NUANCE is committed to taking appropriate measures to protect Employment/Employee Data and takes reasonable precautions to protect against unauthorized access or disclosure. These measures include:
- Data Protection (Systems): To protect against unauthorized access to Employment/Employee Data by third parties and/or vendors, electronic data held by NUANCE is maintained on systems that are protected by secure network architectures that contain firewalls and intrusion detection devices. The servers holding this data are "backed up" (i.e., the data are recorded on separate media) on a regular basis to avoid the consequences of any inadvertent loss or destruction of data. The servers are stored in facilities with comprehensive security and fire detection and response systems. Employment/Employee Data held in "backed up" systems are secured and retained consistent with this Policy.
- Data Protection (Access): NUANCE limits access to internal systems that hold Employment/Employee Data to a select group of authorized users who are given access to such systems using a unique identifier and password. Access to this data is limited to individuals for the purpose of performing their job duties (e.g., a compensation manager in human resources may need access to an employee's compensation data to make a salary recommendation, etc.). Decisions regarding access are made and approved by the Vice President of Human Resources and are assigned by security administrators. Compliance with these provisions will be required of third-party administrators who may access certain Employment/Employee Data.
Employment/Employees' Rights and Responsibilities
An individual has the right to inquire as to the nature of the Employment/Employee Data stored or processed about him or her by NUANCE or a third party vendor consistent with and subject to the law of the country in which that employee is located. Employees will be provided access to their personal data as is required by law in their home countries, regardless of the location where data is stored or processed. NUANCE will cooperate in providing such access either directly or through the employing entity. All such requests for access may be made to the employee's local human resources manager. If any Employment/Employee Data is inaccurate or incomplete, the employee may request that the data be amended or if necessary, blocked or erased. Local laws that provide for employees to limit use of their personal data (e.g., right to object to marketing) will also be observed.
It is every individual's responsibility to provide the Human Resources Department with accurate data about him/herself and to inform Human Resources of any changes (e.g., new home address or change of name). If access or correction is denied, the reason for the denial will be communicated and a written record will be made of the request and reason for denial.
NUANCE will use the following standards when transferring Employment/Employee Data.
- Transfer to Other NUANCE Entities: NUANCE will use reasonable precautions to ensure adequate protection for Employment/Employee Data processed or transferred between NUANCE entities. The following requirements must be met before a transfer will occur:
- The transfer of the data is based on an operational business requirement for the purpose of Human Resource /payroll administration.
- The receiving entity provides appropriate physical and organizational security for the data; and
- The receiving entity ensures compliance with this Policy for the transfer and any subsequent processing of the data.
- The transfer of data will be consistent with this Policy.
Transfer to Non-NUANCE Entities: NUANCE entities may transfer Employment/Employee Data to selected external third parties that have been engaged to perform certain Human Resource and payroll related services. These third parties may only process the data in accordance with NUANCE's instructions (data processors) or make decisions (e.g., to assess eligibility for supplemental life insurance, short-term disability benefit, etc.) regarding the data as part of the delivery of their services (data controllers). In either instance, NUANCE will select reliable suppliers who undertake, by contract or other legally binding and permissible means, to put in place appropriate administrative, technical, and managerial security measures to ensure an adequate level of protection commensurate with their status as data processors or data controllers consistent with legal requirements of the relevant country from which the data they will receive was originally collected and processed. NUANCE will require external third-party suppliers to comply with this Policy or to guarantee the same levels of protection as NUANCE when handling this data. Such selected third parties will have access to this data solely for the purposes of performing the services specified in the applicable service contract. If NUANCE concludes that a supplier is not complying with these obligations, it will promptly take appropriate actions to remedy such non-compliance or implement necessary sanctions.
Occasionally, NUANCE may also be required to disclose certain Employment/Employee Data to other third parties as a matter of law (e.g., to tax and social security authorities, garnishments, etc.); to protect NUANCE' legal rights (e.g., to defend a litigation suit); or in an emergency where the health or security of an employee is endangered.
NUANCE will not disclose Employment/Employee Data to entities outside NUANCE or use non-work contact data (e.g., home address or telephone number) to offer any products or services to an employee for personal or familial consumption ("direct marketing") without his or her prior consent. Further, NUANCE will not use workplace contact data (e.g., work address or work e-mail address) to conduct direct marketing, unless (1) prior written approval has been obtained from the Vice President of Human Resources; and (2) recipients are given an opportunity to opt-out of receiving further direct marketing communications (at any time). The restrictions in this section apply only to contact data obtained in the context of a working relationship with NUANCE. They do not apply to contact data obtained separately in the context of a consumer or customer relationship to which other applicable legal provisions may apply. In addition where permitted by law NUANCE may communicate information to NUANCE employees about employee benefits or about NUANCE-supported charitable programs or use web-based survey tools to obtain employee feedback as necessary for business operations.
Some countries regulate the making of Automated Decisions, which are decisions about individuals that are based solely on the automated processing of data and that produce legal effects or that significantly affect the individuals involved. Except in very limited circumstances (e.g., the initial screening of some job seekers who express interest through online channels), NUANCE does not make Automated Decisions to evaluate employees or for other purposes. If Automated Decisions are made, affected persons' legal rights will be respected and affected individuals will be given an opportunity to express their views on the Automated Decision in question. If the person demonstrates that the purpose for which the data is being processed is no longer legal or appropriate, the data will be deleted, unless the law requires otherwise.
Enforcement Rights and Processes
NUANCE utilizes the self-assessment approach to assure its compliance with this Policy. NUANCE periodically verifies that the Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the law.
All employees, contractors and third party vendors who have access to Employment/Employee Data must comply with this Policy. In some countries, violations of data protection regulations may lead to penalties and/or claims for damages from the individuals who are adversely affected.
Failure to observe this Policy or deliberate breach of confidentiality or security in relation to Employment/Employee Data may result in disciplinary action against those individuals responsible. If at any time, an individual believes that personal data relating to him or her has been processed in violation of this Policy, he or she may report the concern to the local Human Resources manager or to the Director, International Human Resources in the USA. If the concern relates to an alleged violation of this Policy by an entity located in a country other than that of the individual or the NUANCE entity exporting the Employment/Employee Data in question, he or she may request the assistance of that NUANCE exporting entity. That NUANCE entity will assist him or her in investigating the circumstances of the alleged violation and if necessary take that matter up with the entity importing that data. If the violation is confirmed, the exporting and importing entities will work together with any other relevant parties (including co-operating with competent national data protection authorities) to resolve the matter in a satisfactory manner, consistent with the provisions of this Policy.
To further ensure enforcement of this Policy, the Vice President of Human Resources may identify Employment/Employee Data procedures that should be audited for compliance with this Policy and applicable data protection law. For this purpose, NUANCE will conduct self audits and take such corrective action if necessary to address any issues or problems that such audit reveals.
Communicating the Policy
NUANCE will communicate this Policy to current and new employees by posting it on the intranet.
Modifications to the Policy
NUANCE reserves the right to modify this Policy as needed to reflect changes in laws, NUANCE practices and procedures, or requirements imposed by data protection authorities. The Vice President of Human Resources, the General Counsel or their designee must approve all changes before they become effective. If changes occur, NUANCE will submit the revised Policy for renewed approval where required by law.
In addition, NUANCE will inform employees and other persons (e.g., persons accessing NUANCE websites to enter Employment/Employee Data such as job application information) of any material changes in the Policy by posting all changes to the Policy on relevant internal and external websites.
Effective with the implementation of this Policy, all existing intra-group agreements and applicable company privacy guidelines or practices relating to the processing of Employment/Employee Data will be superseded by the terms of this Policy and modified accordingly.
Data Protection Authorities
NUANCE employees who receive requests and/or inquiries from data protection authorities about this Policy or compliance with applicable data protection and privacy laws should contact the local NUANCE Human Resources manager or NUANCE's Vice President of Human Resources) to ensure NUANCE responds to the request in a timely and appropriate manner. Upon request, NUANCE will provide data protection authorities with the appropriate names and contact details of the relevant contact persons. With regards to Employment/Employee Data transferred between NUANCE entities, the importing and exporting NUANCE entities will each (i) respect the rights of the relevant data subjects under applicable data protection law; (ii) co-operate with inquiries from the data protection authority responsible for the entity exporting the data, and (iii) respect its advice or decisions, consistent with applicable law and due process rights.
In addition to any rights and obligations stated in this Policy or that otherwise exist, the following principles established in light of Directive 95/46/EC ("European Data Protection Directive") will apply to Employment/Employee Data collected NUANCE in the European Union/European Economic Area and processed elsewhere. In jurisdictions where this applies, the enforcement rights and mechanisms mentioned in this Policy also apply. The following are not intended to grant employees further rights or establish further obligations beyond those already provided under the European Data Protection Directive:
- Individuals may object to the processing of Employment/Employee Data about them on compelling legitimate grounds relating to their particular situation. This might occur, for instance, if the person's private or family life is compromised or their life or health is at risk due to the processing of the data. This provision shall not apply if the processing is (i) required by law, (ii) based on the person's individual consent, or (iii) necessary to fulfill a contractual obligation between the person and NUANCE.
- If any of the terms or definitions used in this Policy are ambiguous, the definitions established under applicable local law within the relevant EU/EEA member state shall apply in respect of the data processing activities carried out there or where there are no such definitions under applicable local law; the definitions of the European Data Protection Directive shall apply.
Any questions or concerns regarding the use or disclosure of personal information should be directed to NUANCE's Director, International Human Resources at the address given below. NUANCE will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy. For complaints that cannot be resolved between NUANCE and the complainant, NUANCE has agreed to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the Safe Harbor Principles.