Ceridian is committed to protecting your personal data. As part of this commitment, Ceridian has established a privacy program that demonstrates our due diligence to privacy laws.
This notice applies to the collection, use, sharing, disclosure, retention and deletion of personal data of users of our websites, individuals to whom we market directly and of customer’s personal data by Ceridian, its affiliates and third-party service providers.
It applies to all personal data in Ceridian’s control, whether it is stored and/or processed on Ceridian property or stored and/or processed by a third-party service provider.
If you are an individual whose employer uses a Ceridian application such as human capital management, and your employer has asked you to submit personal data as part of that service, you should review your employer’s separate privacy notice.
If you are a business that has a contract with Ceridian you should review that contract for information concerning how Ceridian collects, uses, shares, and secures the personal that it collects from you, or your employees.
The natural or legal person, public authority, agency or other body which alone or jointly determines the purposes and means of the processing of personal data.
An organization who has entered into a business relationship with Ceridian to perform a service.
The natural person about who information is being processed.
Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly by piecing information together.
Any activity which is performed on personal data or on sets of personal data from collection through use and disposal, including storing and sharing with others.
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Ceridian, its employees, and contractors take responsibility for personal data in accordance with Ceridian policies and standards. Ceridian’s Chief Privacy Officer, Lisa Clapes, is responsible for defining the requirements of this policy and for ensuring compliance with its provisions. The Chief Information Security Officer, Ron Joyal, is responsible for implementing and maintaining appropriate controls and measures to enable compliance. Ceridian trains its employees with respect to its privacy policies and practices including Ceridian's Ten Privacy Principles.
Ceridian acts as a processor when it processes the personal data of its customers, who are the controllers, in products such as Dayforce, PowerPay, etc. Customer personal data is owned by the customer and Ceridian manages the personal data at the direction of its customers.
In some instances, Ceridian acts as a controller, which means that Ceridian owns and controls the personal data that is being processed. Examples include, but are not limited to:
Ceridian is liable for personal data it processes and for personal data Ceridian provides to third-party service providers for processing. With respect to personal data that has been transferred to a third-party service provider to be processed, contractual requirements are used to provide a comparable level of protection. Ceridian’s liability for a third-party’s performance of its obligations is set forth in each agreement that Ceridian signs with its Customers, and Ceridian assumes liability for the performance of the services and obligations subcontracted to such third-party service providers, including those related to the protection of personal data.
Our services also involve the transfer of personal data to third parties (for example, banks, retirement program providers and tax agencies) as instructed by our customers. In these cases, Ceridian does not have a direct relationship with the third party and is not liable for the processing of personal data in their possession. These third parties have their own independent obligations with respect to the personal data, usually by operation of law or through contracts with Ceridian’s customers.
Our website, our emails, or our application may link to third parties’ websites. It is also possible that third parties’ websites or emails may link to our website. We are not responsible for the content or the privacy practices employed by third parties and personal data collected by third parties is not governed by Ceridian’s privacy notice. We encourage you to read the privacy policies of these websites before transmitting any personal data to third parties.
THE PERSONAL DATA WE COLLECT
Personal data is collected by fair and lawful means. Ceridian provides notice as to the purposes for which personal data is collected, used, retained, and disclosed.
In most cases, Ceridian’s customers are responsible for notification of purpose and for obtaining appropriate consent when they collect personal data and transfer it to Ceridian. Personal data that is transferred to Ceridian by our customers to be processed shall be deemed to have been collected with appropriate notification. Ceridian assumes no responsibility for obtaining or validating that appropriate consent has been obtained in respect of personal data transferred to Ceridian by organization(s) and/or customers.
Ceridian collects personal data from customers and customers’ employees for the purposes of providing, and promoting the services we offer (including initiating, maintaining, enhancing, and terminating the employee-employer relationship), benchmarking and analytics, continuous improvement and development of products, services and software, and for the operation of Ceridian’s business, for example, and needed to comply with legal obligations.
Sometimes, other companies may provide us with the contact information of businesses or individuals who they think may be interested in our products or services. We may also collect contact information from publicly available sources.
Relevant information collected as required to deliver requested services may include, for example, the following categories of data:
In some cases, Ceridian collects personal data directly from the individual, for example, when individuals visit a Ceridian website. In these cases, Ceridian is responsible for obtaining appropriate consent, except where inappropriate or if the collection is required/permitted by law without consent.
Individuals who seek to vary or withdraw consent that has been obtained by Ceridian directly may do in writing in the manner set out in the “Monitoring and Enforcement” section of this policy. If you decide you do not want to receive commercial emails from Ceridian you can “opt-out” by clicking on the “unsubscribe” link provided at the bottom of every commercial email or by clicking here. Subject to legal or contractual restrictions, Ceridian shall abide by the withdrawal or variation of consent, and shall advise the individual of the consequences of a change in the scope of consent. In cases where consent has been obtained by the customer, the individual will be referred to the customer.
On our website, we may collect personal data from you in the following ways:
Unless required by law, Ceridian shall not use or disclose personal data for any purpose other than the purpose for which it was originally collected without first identifying and documenting the new purpose and obtaining the appropriate consent.
DO NOT TRACK DISCLOSURE
Do Not Track (DNT) is a preference that users can set for their browsers to opt out of the online tracking activities by some websites. Ceridian does not track its customers over time and across third party websites and thus does not respond to Do Not Track (DNT) signals in browsers.
HOW WE USE PERSONAL DATA
Ceridian may process personal data on a number of lawful bases, some of which include consent, performance of a contract, compliance with a legal obligation, to protect the vital interests of an individual, performance of a task in the public interest or for legitimate interests. We may rely on legitimate interests for a number of reasons including, but not limited to, corporate governance, fraud prevention, network security, direct marketing and monitoring.
Personal data will be processed for the following purposes:
Ceridian may de-identify or anonymize, personal data. Such data is no longer considered personal data and individuals cannot seek to have their information removed from any such data set, nor is consent for further use required.
RETENTION AND DISPOSAL
Ceridian retains personal data only as long as necessary to fulfill the stated purposes or as legally required and thereafter appropriately disposes of such information. When personal data is no longer necessary or relevant for the identified purpose or to fulfill a legal or business requirement, it shall be securely destroyed. Ceridian will either physically or electronically delete the personal data or de-identify it to make it anonymous.
ACCESS AND QUALITY
Unless Ceridian is permitted or required by law to prohibit access, you may view and if necessary, update or correct your personal data by contacting Ceridian in the manner set out in the “Monitoring and Enforcement” section of this notice. We will respond to your request within the time limit set out by the applicable privacy legislation and, if applicable, we will provide you with an estimate of the of the cost to you associated with administering and responding to your request. Ceridian requires sufficient information to authenticate requests for access.
Unless Ceridian is permitted or required by law to prohibit access, and where feasible, Ceridian makes personal data available for review and updating, either directly through the self-service feature in its products, by directing individuals to their employer for access, or through an access request made to established contacts within Ceridian. Where such access is not feasible, Ceridian provides a written explanation to individuals.
In delivering services, Ceridian relies on its customers and its customers’ employees to supply Ceridian with accurate, complete and up-to-date personal data that is relevant to Ceridian’s delivery of the services.
Individuals are asked to review their records on a regular basis and make the appropriate updates or notify their employer of errors promptly. Ceridian makes reasonable efforts to maintain the integrity of the personal data within its products as necessary to fulfill the purposes for which the personal data is to be used.
Where Ceridian collects personal data outside of the performance of its services, Ceridian makes reasonable efforts to keep personal data as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information is to be used. Ceridian provides a means for individuals to update or correct the personal data Ceridian possesses.
HOW WE SHARE PERSONAL DATA
We may share personal data about you with third parties in certain circumstances including in the following situations:
If Ceridian has knowledge that a third party uses or discloses personal data in an unapproved manner, Ceridian takes reasonable steps to prevent or stop the use or disclosure. Ceridian does not sell any personal data to third parties for marketing.
Where applicable, to limit or opt out of the disclosure of personal data, individuals should contact their employer or Ceridian in the manner set out in the “Monitoring and Enforcement” section.
CROSS BORDER TRANSFER
Ceridian transfers personal data outside of a local jurisdiction only with adequate protections in place and in compliance with applicable laws and standards. Ceridian maintains operations in the United States (US), Canada, Australia, Mauritius and the United Kingdom (UK) and all of its entities process personal data. Ceridian also transfers personal data to other countries as directed by its customers.
For personal data transfers to the US from the European Union (EU) and Switzerland (Swiss), Ceridian complies with both the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework regarding the collection, use, retention and disclosure of personal data to the US. Ceridian certifies its adherence to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, enforcement, and the applicable supplemental principles. To learn more about the Privacy Shield Principles please visit www.privacyshield.gov.
Ceridian may utilize the adequacy determinations made by the European Commission to transfer personal data to countries with data protection that is adequate to the EU. Ceridian also utilizes Standard Contractual Clauses (SCCs) for the transfer of personal data from the EU and Switzerland to other countries.
HOW WE SECURE PERSONAL DATA
Ceridian has implemented policies, procedures and practices to protect personal data. Ceridian protects personal data using recognized industry standard security safeguards appropriate to the sensitivity of the personal data. Ceridian reviews its security policies and procedures on a regular basis and updates them as needed to maintain their relevance. Ceridian makes reasonable security arrangements to protect personal data in its custody or under its control from and against risks, such as loss or theft, as well as unauthorized access, collection, use, disclosure, copying, modification, disposal and destruction.
The methods of protection include physical measures, organizational measures and technological measures.
Ceridian requires all third parties to whom it may transfer personal data to maintain adequate security safeguards in compliance with applicable laws and standards to protect personal data.
MONITORING AND ENFORCEMENT
Ceridian monitors its compliance with privacy policies and procedures and has processes to address access requests, complaints and disputes. Where appropriate, individuals may request access and raise concerns or complaints regarding their personal data with Ceridian. PLEASE NOTE: If Ceridian is processing your personal data on behalf of your employer (i.e., one of Ceridian’s customers), you must contact your employer directly to submit an access request, concern or complaint.
If an individual files a complaint Ceridian will investigate. It is Ceridian’s practice to respond to the individual within 30 days of receiving the complaint. Ceridian will take all appropriate action to remedy any such issues. If the matter cannot be settled, Ceridian agrees to cooperate with the dispute resolution system set forth below.
If individuals feel that their complaint was not satisfied, they may file a formal complaint with the regulatory bodies below.
Regarding any Privacy Shield complaints, grievances should be filed with the entities in the following order: Ceridian, the applicable EU or Swiss Data Protection Authority, The Department of Commerce, the Federal Trade Commission (FTC), then the Privacy Shield Panel. The individual may apply to the Privacy Shield Panel to invoke binding arbitration.
Ceridian will conduct periodic assessments to confirm the accuracy of this notice and verify its adherence to Ceridian’s Ten Privacy Principles. In addition, Ceridian will deploy internal auditing measures to monitor its compliance and to address all questions or complaints.
For privacy-related questions, comments or concerns, contact Ceridian at:
CHANGES TO THIS POLICY
Last Updated on Oct. 23, 2018.