Ceridian is committed to protecting your personal data. As part of this commitment, Ceridian has established a privacy program that demonstrates our due diligence to privacy laws.
This notice applies to the collection, use, sharing, disclosure, retention and deletion of personal data by Ceridian, its affiliates and third-party service providers.
It applies to all personal data in Ceridian’s control, whether it is stored and/or processed on Ceridian property or stored and/or processed by a third-party service provider.
If you are an individual whose employer uses a Ceridian application such as human capital management, and your employer has asked you to submit personal data as part of that service, you should review your employer’s separate privacy notice.
If you are a business that has a contract with Ceridian, you should review that contract for information concerning how Ceridian collects, uses, shares, and secures the personal data that it collects from you or your employees.
The natural or legal person, public authority, agency or other body which alone or jointly determines the purposes and means of the processing of personal data.
An organization that has entered into a business relationship with Ceridian to perform a service.
The natural person about whom information is being processed.
Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly by piecing information together.
Any activity which is performed on personal data or on sets of personal data from collection through use and disposal, including storing and sharing with others.
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Ceridian, its employees, and contractors take responsibility for personal data in accordance with Ceridian policies and standards. Ceridian’s Chief Privacy Officer is responsible for defining the requirements of this notice and for ensuring compliance with its provisions. The Chief Information Security Officer is responsible for implementing and maintaining appropriate controls and measures to enable compliance. Ceridian trains its employees with respect to its privacy policies and practices including Ceridian's Ten Privacy Principles.
Ceridian acts as a processor when it processes the personal data of its customers, who are the controllers, in products such as Dayforce, PowerPay, etc. Customer personal data is controlled by the customer and Ceridian manages the personal data at the direction of its customers.
In some instances, Ceridian acts as a controller, which means that Ceridian controls the personal data that is being processed. Examples include, but are not limited to:
Ceridian is liable for personal data it processes and for personal data Ceridian provides to third-party service providers for processing. With respect to personal data that has been transferred to a third-party service provider to be processed, contractual requirements are used to provide a comparable level of protection. Ceridian’s liability for a third-party’s performance of its obligations is set forth in each agreement that Ceridian signs with its Customers, and Ceridian assumes liability for the performance of the services and obligations subcontracted to such third-party service providers, including those related to the protection of personal data.
Our services also involve the transfer of personal data to third parties (for example, banks, retirement program providers and tax agencies) as instructed by our customers. In these cases, Ceridian does not have a direct relationship with the third party and is not liable for the processing of personal data in their possession. These third parties have their own independent obligations with respect to the personal data, usually by operation of law or through contracts with Ceridian’s customers.
Our website, our emails, or our application may link to third parties’ websites. It is also possible that third parties’ websites or emails may link to our website. We are not responsible for the content or the privacy practices employed by third parties and personal data collected by third parties is not governed by Ceridian’s privacy notice. We encourage you to read the privacy policies of these websites before transmitting any personal data to third parties.
THE PERSONAL DATA WE PROCESS AS A SERVICE PROVIDER
Ceridian’s customers are responsible for notification of purpose and for obtaining appropriate consent when they collect personal data and transfer it to Ceridian. Personal data that is transferred to Ceridian by our customers to be processed shall be deemed to have been collected with appropriate notification. Ceridian assumes no responsibility for obtaining or validating that appropriate consent has been obtained in respect of personal data transferred to Ceridian by organization(s) and/or customers.
Personal data collected as required to deliver requested services includes the following categories of data:
Personal data may be processed for the following purposes to deliver requested services:
THE PERSONAL DATA WE COLLECT AND USE AS AN ENTITY
Ceridian may collect personal information from you directly via our website, in person at trade shows or other events, through social media, or other interaction with Ceridian. Sometimes, other companies may provide us with the contact information of businesses or individuals who they think may be interested in our products or services. We may also collect contact information from publicly available sources.
Personal data collected includes the following categories of personal and sensitive personal data:
Personal data may be processed for the following purposes:
Ceridian may process personal data on a number of lawful bases, some of which include consent, performance of a contract, compliance with a legal obligation, to protect the vital interests of an individual, performance of a task in the public interest or for legitimate interests. We may rely on legitimate interests for a number of reasons including, but not limited to, fraud prevention, network security, and direct marketing.
Individuals who seek to vary or withdraw consent that has been obtained by Ceridian directly may do so in writing in the manner set out in the “Monitoring and Enforcement” section of this notice. If you decide you do not want to receive commercial emails from Ceridian, you can “opt-out” by clicking on the “unsubscribe” link provided at the bottom of every commercial email or by clicking here. Subject to legal or contractual restrictions, Ceridian shall abide by the withdrawal or variation of consent and shall advise the individual of the consequences of a change in the scope of consent. In cases where consent has been obtained by the customer, the individual will be referred to the customer. Ceridian will use or disclose personal data for purposes permissible under applicable law.
If you do not provide Ceridian with the personal data that we have requested, you may be unable to access our full range of services.
Ceridian may de-identify or anonymize personal data. Such data is no longer considered personal data and individuals cannot seek to have their information removed from any such data set, nor is consent for further use required.
DO NOT TRACK DISCLOSURE
Do Not Track (DNT) is a preference that users can set for their browsers to opt out of the online tracking activities by some websites. Ceridian does not track its customers over time and across third party websites and thus does not respond to Do Not Track (DNT) signals in browsers.
RETENTION AND DISPOSAL
Ceridian retains personal data only as long as necessary to fulfill the stated purposes or as legally required and thereafter appropriately disposes of such information. When personal data is no longer necessary or relevant for the identified purpose or to fulfill a legal or business requirement, it shall be securely destroyed. Ceridian will either physically or electronically delete the personal data or de-identify it to make it anonymous.
ACCESS AND QUALITY
Unless Ceridian is permitted or required by law to prohibit access, you may view and, if necessary, update or correct your personal data by contacting Ceridian in the manner set out in the “Monitoring and Enforcement” section of this notice. We will respond to your request within the time limit set out by the applicable privacy legislation and, if applicable, we will provide you with an estimate of the cost to you associated with administering and responding to your request. Ceridian requires sufficient information to authenticate requests for access.
Unless Ceridian is permitted or required by law to prohibit access, and where feasible, Ceridian makes personal data available for review and updating, either directly through the self-service feature in its products, by directing individuals to their employer for access, or through an access request made to established contacts within Ceridian. Where such access is not feasible, Ceridian provides a written explanation to individuals.
In delivering services, Ceridian relies on its customers and its customers’ employees to supply Ceridian with accurate, complete and up-to-date personal data that is relevant to Ceridian’s delivery of the services.
Individuals are asked to review their records on a regular basis and make the appropriate updates or notify their employer of errors promptly. Ceridian makes reasonable efforts to maintain the integrity of the personal data within its products as necessary to fulfill the purposes for which the personal data is to be used.
Where Ceridian collects personal data outside of the performance of its services, Ceridian makes reasonable efforts to keep personal data as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information is to be used. Ceridian provides a means for individuals to update or correct the personal data Ceridian possesses.
HOW WE SHARE PERSONAL DATA
Ceridian shares the personal data of its customers’ employees at the direction of customers. Personal data collected and used for Ceridian’s purposes as described above may be shared with third parties in certain circumstances including in the following situations:
If Ceridian has knowledge that a third party uses or discloses personal data in an unapproved manner, Ceridian takes reasonable steps to prevent or stop the use or disclosure. Ceridian does not sell any personal data to third parties for marketing.
Where applicable, to limit or opt out of the disclosure of personal data, individuals should contact their employer or Ceridian in the manner set out in the “Monitoring and Enforcement” section.
CROSS BORDER TRANSFER
Ceridian transfers personal data outside of a local jurisdiction only with adequate protections in place and in compliance with applicable laws and standards. Ceridian maintains operations in the United States (US), Canada, Australia, Mauritius and the United Kingdom (UK) and all of its entities process personal data. Ceridian may transfer personal data to service providers located in countries worldwide, depending on the services. Ceridian also transfers personal data to other countries as directed by its customers.
Ceridian complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework (Privacy Shield) as set forth by the US Department of Commerce regarding the collection, use and retention of personal information transferred from the European Union, the United Kingdom and Switzerland to the United States in reliance on Privacy Shield. Ceridian has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Principles please visit www.privacyshield.gov.
Ceridian may utilize the adequacy determinations made by the European Commission to transfer personal data to countries with data protection that is adequate to the EU. Ceridian also utilizes Standard Contractual Clauses (SCCs) for the transfer of personal data from the EU and Switzerland to other countries.
HOW WE SECURE PERSONAL DATA
Ceridian has implemented policies, procedures and practices to protect personal data. Ceridian protects personal data using recognized industry standard security safeguards appropriate to the sensitivity of the personal data. Ceridian reviews its security policies and procedures on a regular basis and updates them as needed to maintain their relevance. Ceridian makes reasonable security arrangements to protect personal data in its custody or under its control from and against risks, such as loss or theft, as well as unauthorized access, collection, use, disclosure, copying, modification, disposal and destruction.
The methods of protection include physical measures, organizational measures and technological measures.
Ceridian requires all third parties to whom it may transfer personal data to maintain adequate security safeguards in compliance with applicable laws and standards to protect personal data.
MONITORING AND ENFORCEMENT
Ceridian monitors its compliance with privacy policies and procedures and has processes to address access requests, complaints and disputes. Depending on the jurisdiction you are in, you may have one or more of the following data subject rights: access, correction, erasure, portability, restriction or objection. Individuals may submit requests here and raise concerns or complaints here. PLEASE NOTE: If Ceridian is processing your personal data on behalf of your employer (i.e., one of Ceridian’s customers), you should first contact your employer directly to submit an access or correction request, concern or complaint.
If an individual files a complaint Ceridian will investigate. It is Ceridian’s practice to respond to the individual within 30 days of receiving the complaint, unless a shorter response time is required by law. Ceridian will take all appropriate action to remedy any such issues. If the matter cannot be settled, Ceridian agrees to cooperate with the dispute resolution system set forth below.
If individuals feel that their complaint was not satisfied, they may file a formal complaint with the regulatory bodies below.
Regarding any Privacy Shield complaints, grievances should be filed with the entities in the following order: Ceridian, the applicable EU or Swiss Data Protection Authority, The Department of Commerce, the Federal Trade Commission (FTC), then the Privacy Shield Panel. The individual may apply to the Privacy Shield Panel to invoke binding arbitration.
Ceridian will conduct periodic assessments to confirm the accuracy of this notice and verify its adherence to Ceridian’s Ten Privacy Principles. In addition, Ceridian will deploy internal auditing measures to monitor its compliance and to address all questions or complaints.
For privacy-related questions, comments or concerns, contact Ceridian at:
CHANGES TO THIS NOTICE
Ceridian may update this privacy notice periodically to reflect changes to our privacy practices. We will provide notice online when we make any material changes to this notice.
Last Updated on Aug 30, 2019