Global Privacy Notice

[Printable version of this information - PDF]

OVERVIEW
Ceridian is committed to protecting your personal data.  As part of this commitment, Ceridian has established a privacy program that demonstrates our due diligence to privacy laws.

SCOPE
This notice applies to the collection, use, sharing, disclosure, retention and deletion of personal data by Ceridian, its affiliates and third-party service providers. 

It applies to all personal data in Ceridian’s control, whether it is stored and/or processed on Ceridian property or stored and/or processed by a third-party service provider.  

If you are an individual whose employer uses a Ceridian application such as human capital management, and your employer has asked you to submit personal data as part of that service, you should review your employer’s separate privacy notice. 

If you are a business that has a contract with Ceridian you should review that contract for information concerning how Ceridian collects, uses, shares, and secures the personal that it collects from you, or your employees.

DEFINITIONS  
Controller
The natural or legal person, public authority, agency or other body which alone or jointly determines the purposes and means of the processing of personal data.

Customer
An organization who has entered into a business relationship with Ceridian to perform a service.

Individual
The natural person about who information is being processed.

Personal Data
Any information relating to an identified or identifiable natural person.  An identifiable natural person is one who can be identified, directly or indirectly by piecing information together.

Processing
Any activity which is performed on personal data or on sets of personal data from collection through use and disposal, including storing and sharing with others.

Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

ACCOUNTABILITY
Ceridian, its employees, and contractors take responsibility for personal data in accordance with Ceridian policies and standards. Ceridian’s Chief Privacy Officer is responsible for defining the requirements of this notice and for ensuring compliance with its provisions. The Chief Information Security Officer is responsible for implementing and maintaining appropriate controls and measures to enable compliance. Ceridian trains its employees with respect to its privacy policies and practices including Ceridian's Ten Privacy Principles.

Ceridian acts as a processor when it processes the personal data of its customers, who are the controllers, in products such as Dayforce, PowerPay, etc. Customer personal data is controlled by the customer and Ceridian manages the personal data at the direction of its customers.  

In some instances, Ceridian acts as a controller, which means that Ceridian controls the personal data that is being processed. Examples include, but are not limited to:

  • Collecting and using personal data for direct marketing purposes of customers and prospective customers
  • Managing Ceridian’s business operations

Ceridian is liable for personal data it processes and for personal data Ceridian provides to third-party service providers for processing. With respect to personal data that has been transferred to a third-party service provider to be processed, contractual requirements are used to provide a comparable level of protection. Ceridian’s liability for a third-party’s performance of its obligations is set forth in each agreement that Ceridian signs with its Customers, and Ceridian assumes liability for the performance of the services and obligations subcontracted to such third-party service providers, including those related to the protection of personal data.

Our services also involve the transfer of personal data to third parties (for example, banks, retirement program providers and tax agencies) as instructed by our customers. In these cases, Ceridian does not have a direct relationship with the third party and is not liable for the processing of personal data in their possession. These third parties have their own independent obligations with respect to the personal data, usually by operation of law or through contracts with Ceridian’s customers. 

Our website, our emails, or our application may link to third parties’ websites. It is also possible that third parties’ websites or emails may link to our website. We are not responsible for the content or the privacy practices employed by third parties and personal data collected by third parties is not governed by Ceridian’s privacy notice. We encourage you to read the privacy policies of these websites before transmitting any personal data to third parties. 

THE PERSONAL DATA WE PROCESS AS A SERVICE PROVIDER
Ceridian’s customers are responsible for notification of purpose and for obtaining appropriate consent when they collect personal data and transfer it to Ceridian.  Personal data that is transferred to Ceridian by our customers to be processed shall be deemed to have been collected with appropriate notification. Ceridian assumes no responsibility for obtaining or validating that appropriate consent has been obtained in respect of personal data transferred to Ceridian by organization(s) and/or customers.

Personal data collected as required to deliver requested services includes the following categories of data: 

  • Personal details such as name, birth date, national ID number, marital status, etc.
  • Contact details such as address, email address, telephone number, etc.
  • Payment details, including bank account number
  • Details of employment, education and training
  • Qualifications, including CV/resume and references
  • Background check information, including criminal record and credit checks
  • Biometric data – See Ceridian’s Biometric Notice
  • Health-related information, such as information regarding benefits programs, sick leave, etc.
  • Website activity through cookies, web beacons and web server logs – See Ceridian’s Cookie Notice
  • Support Center call recordings
  • Images in photographs and videos
  • Social media handles
  • If the customer uses Dayforce Assistant, written transcripts of requests made to the app
  • Authentication Credentials to use the services, such as username, IP address, PC Name, etc.
  • Activities performed by customer users in their use of the services

Personal data may be processed for the following purposes to deliver requested services:

  • Providing the services we offer which includes initiating, maintaining, enhancing and terminating the employee-employer relationship)
  • Customer communications (e.g., product updates, invitations to events, training, service alerts, customer satisfaction surveys)
  • Providing access to information systems and premises
  • Continuous improvement and development of our products, services and software through research, development, analytics and business intelligence
  • Compliance with data protection legislation, information security requirements and other legal requirements

THE PERSONAL DATA WE COLLECTAND USE AS AN ENTITY

Ceridian may collect personal information from you directly via our website, in person at trade shows or other events, through social media, or other interaction with Ceridian.  Sometimes, other companies may provide us with the contact information of businesses or individuals who they think may be interested in our products or services.  We may also collect contact information from publicly available sources.

 

Personal data collected includes the following categories of personal and sensitive personal data:

  • Personal details such as name, birth date, national ID number, driver’s license number, marital status, etc.
  • Contact details such as address, email address, telephone number, etc.
  • Payment details, including bank account number
  • Details of employment, education and training
  • Qualifications, including CV/resume and references
  • Background check information, including criminal record and credit checks
  • Website activity through cookies, web beacons and web server logs – See Ceridian’s Cookie Notice
  • Images, such as photographs or videos
  • Opinions, such as survey responses and testimonials
  • Authentication Credentials to use the services, such as username, IP address, PC Name, etc.
  • Social media handles

Personal data may be processed for the following purposes:

  • Employee administration, payroll, benefits, work planning and organization (See Ceridian Employee Privacy Notice for more details)
    • Applicant administration
  • Marketing communications
  • Planning and management of Ceridian-sponsored events
  • Providing access to information systems and premises
  • Continuous improvement and development of products, services, software and website through research, development, analytics and business intelligence
  • Compliance with data protection legislation, information security requirements and other legal requirements 
  • Claims management with and between the customer, Ceridian, individuals and/or third parties, including beyond termination of the Agreement for any reason whatsoever
  • Management or administration of Ceridian operations
  • Internal audits or investigations
  • Network security
  • Fraud prevention

Ceridian may process personal data on a number of lawful bases, some of which include consent, performance of a contract, compliance with a legal obligation, to protect the vital interests of an individual, performance of a task in the public interest or for legitimate interests.  We may rely on legitimate interests for a number of reasons including, but not limited to, fraud prevention, network security, and direct marketing.

Individuals who seek to vary or withdraw consent that has been obtained by Ceridian directly may do in writing in the manner set out in the “Monitoring and Enforcement” section of this notice. If you decide you do not want to receive commercial emails from Ceridian you can “opt-out” by clicking on the “unsubscribe” link provided at the bottom of every commercial email or by clicking here .  Subject to legal or contractual restrictions, Ceridian shall abide by the withdrawal or variation of consent and shall advise the individual of the consequences of a change in the scope of consent. In cases where consent has been obtained by the customer, the individual will be referred to the customer.  Ceridian will use or disclose personal data for purposes permissible under applicable law.   

If you do not provide Ceridian with the personal data that we have requested, you may be unable to access our full range of services.

Ceridian may de-identify or anonymize, personal data. Such data is no longer considered personal data and individuals cannot seek to have their information removed from any such data set, nor is consent for further use required.

DO NOT TRACK DISCLOSURE
Do Not Track (DNT) is a preference that users can set for their browsers to opt out of the online tracking activities by some websites. Ceridian does not track its customers over time and across third party websites and thus does not respond to Do Not Track (DNT) signals in browsers. 

RETENTION AND DISPOSAL
Ceridian retains personal data only as long as necessary to fulfill the stated purposes or as legally required and thereafter appropriately disposes of such information. When personal data is no longer necessary or relevant for the identified purpose or to fulfill a legal or business requirement, it shall be securely destroyed. Ceridian will either physically or electronically delete the personal data or de-identify it to make it anonymous.

ACCESS AND QUALITY
Unless Ceridian is permitted or required by law to prohibit access, you may view and if necessary, update or correct your personal data by contacting Ceridian in the manner set out in the “Monitoring and Enforcement” section of this notice. We will respond to your request within the time limit set out by the applicable privacy legislation and, if applicable, we will provide you with an estimate of the of the cost to you associated with administering and responding to your request.  Ceridian requires sufficient information to authenticate requests for access.

Unless Ceridian is permitted or required by law to prohibit access, and where feasible, Ceridian makes personal data available for review and updating, either directly through the self-service feature in its products, by directing individuals to their employer for access, or through an access request made to established contacts within Ceridian.  Where such access is not feasible, Ceridian provides a written explanation to individuals.

In delivering services, Ceridian relies on its customers and its customers’ employees to supply Ceridian with accurate, complete and up-to-date personal data that is relevant to Ceridian’s delivery of the services.

Individuals are asked to review their records on a regular basis and make the appropriate updates or notify their employer of errors promptly. Ceridian makes reasonable efforts to maintain the integrity of the personal data within its products as necessary to fulfill the purposes for which the personal data is to be used.   

Where Ceridian collects personal data outside of the performance of its services, Ceridian makes reasonable efforts to keep personal data as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information is to be used. Ceridian provides a means for individuals to update or correct the personal data Ceridian possesses.

HOW WE SHARE PERSONAL DATA
Ceridian shares the personal data of its customers’ employees at the direction of customers.  Personal data collected and used for Ceridian’s purposes as described above may be shared with third parties in certain circumstances including in the following situations:

  • Affiliates - We may share information with companies that we own or control, that are owned or controlled by us, or that are under common ownership or control.
  • Behavioral Advertisers - We may participate in behavioral-based advertising. This means that a third party may use technology, such as a cookie on your browser or a web beacon, to identify you on our website so that they can provide advertising about products and services tailored to your interest. That advertising may appear either on our website, or on other websites. If you would like to opt out of receiving behavioral advertising based on your use of this website, you can do so by visiting the Network Advertising Initiative and the Digital Advertising Alliance
  • Blogs, Online Postings, and Testimonials - We may decide to allow users to share comments, postings, testimonials, or other information. If you choose to submit such information to us, the information that you submit may be available generally to the public. Information you provide in these areas may be read, collected, and used by others who access them.
  • Business Transition - In the event that Ceridian, or any portion of our assets, are acquired, sold, or transferred, Ceridian may disclose personal data with the company involved to complete the business transition.
  • On-line Applications and Tools - We may offer tools, widgets, or applications on our website, such as search engine functionalities, that are powered by third parties. If you use those applications or tools, any personal data that you provide may be shared with the third party that provides that functionality.  The third party’s use of that personal data is subject to their privacy notice.
  • Law Enforcement - We may report to law enforcement agencies any activities that we reasonably believe to be unlawful, or that we reasonably believe may aid a law enforcement investigation into unlawful activity. In addition, we reserve the right to release your personal data to law enforcement agencies if we determine, in our sole judgment, that either you have violated our policies, or the release of your personal data may protect the rights, property, or safety of Ceridian HCM, or another person.
  • Legal Process - We may share your personal data with others as required by, or permitted by, law. This may include sharing your personal data with governmental entities, or third parties in response to subpoenas, court orders, other legal process, or as we believe is necessary to exercise our legal rights, to defend against legal claims that have been brought against us, or to defend against possible legal claims that we determine in our sole discretion might be brought against us.
  • Partners - We may share personal data with other companies that provide products or services that we think may be of interest to you.
  • Service Providers - We may share personal data with companies or individuals that provide us with services. These services may include, among other things, providing products or services to you on our behalf, creating or maintaining our databases, researching and analyzing the people who request information from us, preparing and distributing communications, or responding to inquiries.
  • Employer Designated Third Parties – As part of the services Ceridian delivers to employers, Ceridian transfers personal data to third parties such as banks, tax agencies, and benefit providers.

If Ceridian has knowledge that a third party uses or discloses personal data in an unapproved manner, Ceridian takes reasonable steps to prevent or stop the use or disclosure. Ceridian does not sell any personal data to third parties for marketing.

Where applicable, to limit or opt out of the disclosure of personal data, individuals should contact their employer or Ceridian in the manner set out in the “Monitoring and Enforcement” section.

CROSS BORDER TRANSFER
Ceridian transfers personal data outside of a local jurisdiction only with adequate protections in place and in compliance with applicable laws and standards.  Ceridian maintains operations in the United States (US), Canada, Australia, Mauritius and the United Kingdom (UK) and all of its entities process personal data. Ceridian may transfer personal data to service providers located in countries worldwide, depending on the services.  Ceridian also transfers personal data to other countries as directed by its customers.  

Ceridian complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework (Privacy Shield) as set forth by the US Department of Commerce regarding the collection, use and retention of personal information transferred from the European Union, the United Kingdom and Switzerland to the United States in reliance on Privacy Shield.  Ceridian has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield Principles please visit www.privacyshield.gov.  

Ceridian may utilize the adequacy determinations made by the European Commission to transfer personal data to countries with data protection that is adequate to the EU. Ceridian also utilizes Standard Contractual Clauses (SCCs) for the transfer of personal data from the EU and Switzerland to other countries.  
  
HOW WE SECURE PERSONAL DATA
Ceridian has implemented policies, procedures and practices to protect personal data.  Ceridian protects personal data using recognized industry standard security safeguards appropriate to the sensitivity of the personal data. Ceridian reviews its security policies and procedures on a regular basis and updates them as needed to maintain their relevance. Ceridian makes reasonable security arrangements to protect personal data in its custody or under its control from and against risks, such as loss or theft, as well as unauthorized access, collection, use, disclosure, copying, modification, disposal and destruction.

The methods of protection include physical measures, organizational measures and technological measures. 

Ceridian requires all third parties to whom it may transfer personal data to maintain adequate security safeguards in compliance with applicable laws and standards to protect personal data.

MONITORING AND ENFORCEMENT
Ceridian monitors its compliance with privacy policies and procedures and has processes to address access requests, complaints and disputes. Depending on the jurisdiction you are in, you may have one or more of the following data subject rights: access, correction, erasure, portability, restriction or objection. Individuals may submit requests here and raise concerns or complaints herePLEASE NOTE: If Ceridian is processing your personal data on behalf of your employer (i.e., one of Ceridian’s customers), you should first contact your employer directly to submit an access or correction request, concern or complaint.

If an individual files a complaint Ceridian will investigate. It is Ceridian’s practice to respond to the individual within 30 days of receiving the complaint, unless a shorter response time is required by law. Ceridian will take all appropriate action to remedy any such issues. If the matter cannot be settled, Ceridian agrees to cooperate with the dispute resolution system set forth below.
If individuals feel that their complaint was not satisfied, they may file a formal complaint with the regulatory bodies below.

  • In Canada, the Privacy Commissioner of Canada or the Privacy Commissioner in the applicable province
    • Office of the Privacy Commissioner of Canada
    • 30 Victoria Street
    • Gatineau, Quebec
    • K1A 1H3
    • Phone: 1-800-282-1376
  • In the U.S., the Attorney General in the applicable State
  • In the E.U., the United Kingdom’s Information Commissioner’s Officer or their member state Data Protection Authority.
    • Information Commissioner’s Office
    • Wycliffe House
    • Water Lane
    • Wilmslow
    • Cheshire SK9 5AF
    • Phone: +44 0303 123 1113
    • Email: casework@ico.org.uk
  • To contact the DPAs directly see   http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
  • In Switzerland, the Swiss Federal Data Protection and Information Commissioner
    • Office of the Federal Data Protection and Information Commissioner FDPIC
    • CH - 3003 Berne
    • Telephone: +41 (0)58 462 43 95 
    • Telefax: +41 (0)58 465 99 96
  • In Australia, the Office of the Australian Information Commissioner
    • Office of the Australian Information Commissioner
    • GPO Box 5218
    • Sydney New South Wales 2001
    • Email: enquiries@oaic.gov.au

Regarding any Privacy Shield complaints, grievances should be filed with the entities in the following order: Ceridian, the applicable EU or Swiss Data Protection Authority, The Department of Commerce, the Federal Trade Commission (FTC), then the Privacy Shield Panel. The individual may apply to the Privacy Shield Panel to invoke binding arbitration.

Ceridian will conduct periodic assessments to confirm the accuracy of this notice and verify its adherence to Ceridian’s Ten Privacy Principles. In addition, Ceridian will deploy internal auditing measures to monitor its compliance and to address all questions or complaints.

CONTACTING CERIDIAN
For privacy-related questions, comments or concerns, contact Ceridian at:

  • Chief Privacy Officer
  • Ceridian HCM, Inc.
  • 3311 E. Old Shakopee Road
  • Minneapolis, MN  55425
  • Telephone: 1-888-975-7674
  • privacy@ceridian.com

CHANGES TO THIS NOTICE
Ceridian may update this privacy notice periodicaly to reflect changes to our privacy practices. We will provide notice online when we make any material changes to this notice.

Last Updated on Aug 30, 2019

[Printable version of this information - PDF]

Privacy Assistance Form

Ceridian's Ten Privacy Principles

Dayforce
Solutions
Resources
Company
Get Started

Want to talk?
1-800-729-7655

© Ceridian HCM, Inc. All Rights Reserved.    Privacy    Terms
United States
×
Find anything about our product, search our documentation, and more. Enter a query in the search input above, and results will be displayed as you type.