Information for Data Subjects
Cubiks is a specialist HR assessment consultancy. We supply HR assessment tools and services to customers around the world to assist with their recruitment, development and assessment programmes to find and develop the right people for their businesses. As part of our services, we act as the data Processors of Personal Data on behalf of our customers, who are the Data Controllers. Cubiks Processes Personal Data in accordance with the written instructions of the Data Controllers. You are the Data Subject and this policy sets out important information as to who will have access to your Personal Data, what it may be used for and your rights.
1. IDENTITY OF DATA CONTROLLER AND DATA PROTECTION OFFICER
The identity and contact details of the Data Controller of your Personal Data are set out in the Schedule below, together with the contact details of the Data Controller’s Data Protection Officer, if any. This is important if you need to obtain more information about your Personal Data or to exercise your rights as a Data Subject. We recommend that you note these details in case of future need. Cubiks will support the Data Controller in responding to such requests.
2. PURPOSES OF PROCESSING
2.1 The Data Controller Group may use your Personal Data for its own human resources purposes. Human resources purposes may include use as part of its pre-contractual processing prior to appointment or assessment of existing employees for promotion or development.
2.2 If a member of the Data Controller Group is carrying out assessments as part of services to its own customers, it may disclose your Personal Data to a customer on paper, email or other medium. A customer of the Data Controller Group may use the information for human resources purposes only.
2.3 If acting on the instructions of the Data Controller, Cubiks may use your Personal Data for human resources purposes and to provide human resources services to the Data Controller Group.
2.4 Cubiks may use your Personal Data to assist the Data Controller Group in the use and understanding of any Cubiks assessment tool and, if necessary, in IT system fault finding.
2.5 Cubiks online assessments may be used for Profiling in order to assess your suitability for a role. Further information about Cubiks generic tools may be seen at https://www.cubiks.com/talent-management-tools
2.6 Personal Data of 360 reviewers (where applicable) is used solely to compile a report about the Subject of the Assessment. This is done on an anonymous basis. However, where there is only one reviewer (for example, a manager), he/she will be identifiable.
3 RIGHT TO OBJECT TO PROCESSING
You have a right to object at any time to the Processing of your Personal Data (including Profiling) but this will mean that you will be unable to participate further in the online assessment and may be unable to participate in a selection or development programme operated by the Data Controller. Please see also paragraph 9 below (Data Subject Rights).
4.1 To develop and maintain robust talent assessment solutions, Cubiks needs to use participant details to research and validate the models and theories on which we build our offering, ensuring that the data underpinning our tools is up to date. This helps ensure that employers’ decisions are based on fair, objective and scientifically derived information. Cubiks is authorised by the Data Controller to use your Personal Data for monitoring, validation, statistical research, benchmarking, Product development and management purposes (“Research”). This may include temporary one-time matching of your Personal Data with data from other sources (for example, job performance data) for adding to a pseudonymised database to be used solely for Research.
4.2 Pseudonymisation is a robust process to enhance the privacy of assessment data we collect. Data is stored in a way where it may not be attributed to a specific Data Subject without being combined with additional information, which is kept separately and securely. It uses a one-way hashing algorithm to pseudo-anonymise all personally identifiable data points used for analytics. Each such data point is concatenated with a secure key and then a one-way cryptographic hash algorithm is applied. Whilst the one-way algorithm itself prevents decryption even if the hash method is known, adding a secret key value before hashing prevents a so-called dictionary attack. Without knowing the key, no matches can be achieved. The key is securely stored separately from the data.
4.3 Allowing data to be pseudo-anonymised in this way allows other data to be matched to it by running through the same pseudonymisation process and matching hashed identities only. This would not be possible if relying on full anonymisation as any link would be removed. This method of hashing with a key combines the advantages of one-way hashing and encryption.
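An added illustration of the keyed hashing and hash-only matching described in paragraphs 4.2 and 4.3; it is not Cubiks code. It uses HMAC-SHA256 as the keyed hash, a standard construction swapped in here because the policy names no algorithm and describes only concatenating a key with the data. The key, e-mail addresses, scores and function names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed key for the demo; in practice it is held apart from the data store.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def normalise(identifier: str) -> bytes:
    """Canonicalise so the same person hashes identically in every dataset."""
    return identifier.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of a single identifying data point."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256, shown only to contrast with the keyed form."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def match_datasets(assessments: dict, performance: dict, key: bytes) -> dict:
    """Join two sources on pseudonyms only; the result holds no raw identifier."""
    scores = {pseudonymise(e, key): s for e, s in assessments.items()}
    ratings = {pseudonymise(e, key): r for e, r in performance.items()}
    return {p: (scores[p], ratings[p]) for p in scores.keys() & ratings.keys()}


def dictionary_hits(pseudonyms: set, candidates: list, hash_fn) -> list:
    """Re-identification check: candidates whose hash appears in the stored set."""
    return [c for c in candidates if hash_fn(c) in pseudonyms]


# Constructed sample data: two sources that share one individual.
ASSESSMENTS = {"Ana@example.com": 71, "ben@example.com": 64}
PERFORMANCE = {"ana@example.com ": "exceeds", "cy@example.com": "meets"}
GUESSES = ["ana@example.com", "ben@example.com", "zed@example.com"]

if __name__ == "__main__":
    print("matched:", match_datasets(ASSESSMENTS, PERFORMANCE, DEMO_KEY))
    keyed = {pseudonymise(e, DEMO_KEY) for e in ASSESSMENTS}
    plain = {unkeyed_hash(e) for e in ASSESSMENTS}
    # Unkeyed hashes are confirmed by guessing; keyed ones are not without the key.
    print("unkeyed confirmed:", dictionary_hits(plain, GUESSES, unkeyed_hash))
    print("keyed confirmed:", dictionary_hits(keyed, GUESSES, unkeyed_hash))
```

Because anyone holding the key can recompute a pseudonym from a known identifier, the separation of key and data is what the protection rests on.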
4.4 Data that is pseudonymised may be retained for longer periods than Personal Data subject to appropriate safeguards for the rights and freedoms of Data Subjects.
5 LEGAL BASIS FOR PROCESSING
5.1 The legal basis for Processing of your Personal Data is that it is necessary for the legitimate interests pursued by the Data Controller. If EU Law applies, you have the right to object at any time to the Processing of Personal Data as described in this paragraph and the Data Controller should cease the Processing unless there are compelling legitimate interest reasons for continuing.
5.2 Customers of Cubiks operate in some territories where the applicable law requires a Data Subject to give consent to the Processing of Personal Data. If you are asked to give such consent, paragraph 5.1 shall not apply and the lawful Processing of your Personal Data as part of a Cubiks assessment will be based on consent.
6 CATEGORIES OF DATA
On behalf of the Data Controller, Cubiks may Process:
- your e-mail address and bio data. Some limited bio data is necessary (and not optional), for example, in order for us to identify you and generate a report. Otherwise bio data is supplied on a voluntary basis and an absence of reply will have no consequences.
- your responses to questions in online questionnaires and tests. Participation is voluntary but if you do not respond to a questionnaire or test that you are asked to complete, and where this questionnaire and/or test is part of an HR process, your opportunities may be negatively impacted.
- further data provided by you, for example, during live exercises in an assessment centre. Participation is voluntary but failure to provide data may impact on your overall assessment result.
- results of assessment.
- further data which may be provided by the Data Controller, for example, job performance data or length of service. This data is used only for research and not for a decision in relation to any particular individual.
- If the Data Controller accesses our Services through a third-party application programme interface (“API”) supplier, integrator or similar service provider (“Third Party”), Cubiks may only Process one or more categories of data, for example, the results of assessment only. In this case, the Data Controller will be able to provide further information.
7 RECIPIENTS OF DATA
- The Data Controller Group.
- The data processor, which will be the member of the Cubiks Group that has contracted with the Data Controller.
- Cubiks Limited, which manages the data centres where Personal Data is Processed automatically, and acts as the sub-processor for other members of the Cubiks Group.
- Other members of the Cubiks Group acting as sub-processors where required due to the nature and territorial scope of the contract with the Data Controller Group.
- Cubiks’ agents, associates, integration partners, suppliers and other trusted third parties may be involved in the Processing of your Personal Data, where required due to the nature and territorial scope of the contract with the Data Controller Group.
- Integration partners, suppliers and other trusted third parties may be involved in the Processing of Data Subject's Personal Data, on behalf of the Data Controller Group where required due to the nature and territorial scope of their business.
8 PROCESSING AND TRANSFERS TO THIRD COUNTRIES
8.1 Cubiks assesses Data Subjects on a worldwide basis. Irrespective of location, all Processing of Personal Data by Cubiks is carried out in accordance with current EU data protection standards to ensure the security of Processing.
8.2 Where necessary, Personal Data may be exported outside the EEA, subject to adequate measures being in place for the security of the data.
8.3 Your Personal Data may be collected on your first assessment by means of Cubiks tools or assessment services and on subsequent assessments, for example, if you are invited to participate in a Logiks assessment and then subsequently a PAPI assessment or an assessment centre.
9 RETENTION CRITERIA
Personal Data should only be retained for as long as it is required for the Purposes. Please contact the Data Controller for further details as to their policies and procedures.
10 DATA SUBJECT RIGHTS
You, as a Data Subject, have the following rights.
Where EU Law applies:
- to request from the Data Controller access, rectification, erasure, restriction of Processing or to object to Processing, and
- to lodge a complaint with a Supervisory Authority.
Where the laws of France apply:
- you have the right to determine guidelines as to the use of your personal data after your death.
Where Non-EU Laws apply:
- your rights will be in accordance with such laws.
If you wish to exercise your Data Subject Rights, you should contact the Data Controller. Contact details are set out in the Schedule.
The Cubiks assessment tools and services contain valuable intellectual property rights and are disclosed to you on a strictly confidential basis. They may not be copied, published or disclosed to any person or organisation without the prior written agreement of a director of a member of the Cubiks Group.
12 DEFINITIVE VERSION
Non-English translations may be provided to assist you in understanding the Information for Data Subjects. The definitive version is in the English language.
Cubiks Group: Cubiks Group Limited and subsidiary companies controlled by it. These companies are listed at https://www.cubiks.com/global-footprint
Data Controller: the person, company or organisation set out in the Schedule.
Data Controller Group: the Data Controller and/or any Data Controller Group Company.
Data Controller Group Company: a company which controls the Data Controller, is controlled by the Controller or is controlled by the company that controls the Data Controller.
Data Subject(s): all persons who provide Personal Data as part of the assessment process. This includes the Subject of the Assessment and, in the case of a 360 assessment, includes reviewers, for example the line manager, peers and/or reports of the Subject of the Assessment, whose input is combined into the assessment report.
Data Subject Rights: the rights described in paragraph 10 above.
EEA: the European Economic Area, being the European Union or the European Free Trade Area but excluding Switzerland.
EU Law: (i) European Directive 95/46/EC and (ii) from 25 May 2018, the General Data Protection Regulation (EU 2016/679) and any national implementing laws. The General Data Protection Regulation applies to the Processing of Personal Data by a Controller or Processor within the European Union and/or where the Processing relates to offering goods or services to Data Subjects in the European Union and/or monitoring the behaviour of Data Subjects within the European Union.
Non-EU Law: data protection or other privacy law other than EU Law.
Personal Data: data which relates to an individual who can be identified from such data, or from such data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller. Personal Data refers both to data Processed on a computer and to certain kinds of manually Processed data, such as live assessment data gathered in a live face to face assessment centre.
Processing: any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction. Process and Processed shall be construed accordingly.
Profiling: an automated Process that generates a profile which indicates aspects of likely job performance and behaviour.
Purposes: as referred to in paragraph 2 above.
Subject of the Assessment: the person undergoing assessment.
|Data Controller Contact Details|
|Data Protection Officer (if any)|
© 2018 Cubiks Intellectual Property Limited