HR Data Privacy Statement
HR Data Privacy Statement

CYLANCE® INC. GLOBAL HR PRIVACY SHIELD DATA PRIVACY STATEMENT

1. Introduction

This document sets forth the Cylance Inc. HR Privacy Shield Data Privacy Policy (the “Policy”) governing the Company’s use of Personal Data (as defined below). This Policy is applicable to all employees of Cylance and its subsidiaries. This group of companies is referred to in this Policy document variously as Cylance or as the “Company”.

This HR Privacy Policy is effective September 28, 2016. This HR Privacy Policy was last revised on September 28, 2016.

2. Scope

The policy of Cylance is to respect and protect Personal Data collected or maintained by or on behalf of the Company. In furtherance of the Company’s commitment to this Policy, Cylance has certified to adhere to the Privacy Principles set forth in the US-EU Privacy Shield Framework (alternatively, "Accord") regarding Personal Data related to employees of Cylance resident in the European Economic Area ("EEA") and processed in support of Cylance human resources operations. Cylance adheres to the Privacy Shield principles as respectively agreed to by the U.S. Department of Commerce and the European Commission. With respect to Personal Data received or transferred pursuant to Privacy Shield, Cylance is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. The Company’s commitment to participate in the Privacy Shield program can be found at the following DOC website located at https://www.privacyshield.gov/list that officially lists all U.S. entities that have registered for the program. Cylance has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.

This Policy sets forth the principles under which Cylance manages the processing of Personal Data that it receives from its employees in the EEA in support of its human resources operations. In connection with Cylance human resources operations, Cylance may now and/or in the future transfer or provide access to Personal Data regarding employees of the EEA to the United States.

In accordance with the Privacy Shield framework, this Policy contains provisions relating to the following data privacy principles, all of which are described in greater detail in Section 4 of this Policy and which are hereinafter referred to as the “Principles”:

  • Notice
  • Choice
  • Accountability For Onward Transfer
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Recourse, Enforcement, and Liability

This Policy outlines Cylance's general position and its practices about its commitment to implement the Principles set forth in this Section 2, including the types of Personal Data Cylance collects, the purpose and use of the Personal Data and the notice and choice affected Data Subjects have regarding Cylance's use of their Personal Data, their ability to correct that information, and the internal contact mechanism to correct information as well as to make inquiries and/or lodge a complaint about adherence to the Principles. This Policy does not address additional local privacy requirements that the Company may need to adhere to.

This Policy applies to all Personal Data processed by Cylance related to employees of Cylance resident in the EEA whether in electronic or tangible format.

3. Definitions

a. Agent. “Agent” means any third party that processes personal information pursuant to the instructions of, and solely for the benefit of Cylance or to which Cylance discloses personal information for processing on Cylance’s behalf.

b. Controller. “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

c. Data Subject. “Data Subject” is a natural person resident in the EEA who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. For purposes of this Policy, Data Subject shall be restricted to any current and former Cylance employees, including but not limited to, temporary and permanent employees, retirees, and other former employees as well as dependents of such employees.

d. Personal Data. (“Personally Identifiable Data”). “Personal Data” means any information or set of information in any form that relates to a Data Subject.

e. Processing of “Personal Data”. Processing of “Personal Data” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

f. Sensitive Personal Data. “Sensitive Personal Data” means Personal Data that reveals a natural person’s race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, any information that concerns a natural person’s sex life or health, or information relating to the commission of a criminal offense.

g. Third Party Agent. “Third Party Agent” shall mean any natural or legal person that is not a subsidiary, employee or director of Cylance or its subsidiaries.

4. Principles

a. Notice. Cylance shall inform Data Subjects that it participates and subjects itself to the Principles of the Privacy Shield program, the purpose for which it collects and uses Personal Data and the types (or identity) of Third Party Agents to whom the Company discloses or may disclose that Personal Data. Cylance will provide notice in clear and conspicuous language when Data Subjects are first asked to provide Personal Data to the Company, or as soon as practicable thereafter, and in any event before the Company uses or discloses the Personal Data for a purpose other than that for which it was originally collected.

b. Choice. Cylance collects Personal Data about its employees for human resources or compliance related functions, including, without limitation, recruiting, onboarding, performance appraisals and payroll or benefit distribution. If Cylance intends to use Personal Data for purposes outside of the Company’s human resources related functions (such as marketing communications) and (i) discloses Personal Data to a Third Party or (ii) uses the Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject, the Company will offer the Data Subject the opportunity to affirmatively or explicitly consent (opt-out) whether their Personal Data is (1) to be disclosed to a Third Party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject.

c. Accountability for Onward Transfers. Prior to disclosing Personal Data to a Third Party, Cylance shall notify the Data Subject of such disclosure and allow the Data Subject the choice to opt-out of such disclosure unless the disclosure meets an employment requirement or is made to an Agent. Cylance shall enter into contracts to ensure that any Third Party to whom Personal Data may be disclosed is aware of and adheres to the Principles or is subject to law providing the same level of privacy protection as is required by the Principles and agrees to provide an adequate level of privacy protection. The Company shall also, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing by Third Party Agents and agrees to provide a summary or a representative copy of the relevant privacy provisions of its contracts with agents to the DOC upon request.

The storage by Company of Personal Data on servers and/or on software made available or hosted by Third Party vendors shall not be considered disclosures of Personal Data to a Third Party so long as the Third Party vendor does not have direct access to the Personal Data stored or hosted. In all events, Cylance shall ensure by contract that any such Third Party vendor (a) is aware of the Principles or (b) is subject to laws providing the same level of privacy protection as is required by the Principles or (c) has contractual safeguards in place to protect the Personal Data.

Cylance is not required to identify the sources of Personal Data when such identification is not possible through reasonable efforts, or where the rights of persons other than the affected Data Subject would be violated. If there are compelling grounds to doubt the legitimacy of a Data Subject’s request for rectification, amendment or deletion of his or her Personal Data, Cylance may require further justifications before performing the Data Subject’s request. Cylance is not required to notify Third Parties to whom the Personal Data has been disclosed of any rectification, amendment or deletion when such notification involves a disproportionate effort or unreasonable burden.

d. Security. Cylance takes reasonable and appropriate administrative, technical and physical measures to protect the confidentiality, integrity and availability of Personal Data, whether in electronic or tangible, hard copy form. Cylance shall take reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

e. Data Integrity and Purpose Limitation. Cylance limits the collection, use and retention of Personal Data to that which is germane for the intended purposes for which it was collected or authorized by the Data Subject and takes reasonable steps to ensure that all Personal Data is reliable, accurate, complete and current. Cylance depends on its employees to keep Personal Data reliable, accurate, complete and current and will rely on its employees to maintain the integrity of all Personal Data they provide to the Company. The Company shall also adhere to the Principles for as long as it retains such Personal Data.

f. Access. Cylance allows Data Subjects to access their Personal Data and to correct, amend or delete inaccurate information or information that is processed against the Principles, except (i) where the burden or expense of providing access would be disproportionate to the risks to the privacy of the Data Subject in the case in question, (ii) for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature.

g. Recourse, Enforcement, and Liability. Cylance uses a self-assessment approach or outside compliance review to assure compliance with this Policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, is disseminated to its employees, is completely implemented and accessible and is in conformity with the Principles set forth in this Policy. Cylance encourages interested persons to raise any concerns using the contact information provided below and will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles. In addition, Cylance has agreed to cooperate with the European Data Protection Authorities (http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm) for the purpose of handling any unresolved complaints regarding Personal Data concerns. Data Subjects (employees) may engage their local Data Protection and/or Labor Authority concerning adherence to the Principles and the Company shall respond directly to such authorities with regard to investigations and resolution of complaints.

5. Limitation on Scope of Principles

Cylance adheres to the Principles except, as required or allowed by law, to meet legal, governmental, law enforcement or national security obligations, or to protect the health or safety of an individual.

6. Changes to this Policy

This Policy may be amended consistent with the requirements of Privacy Shield. When Cylance updates the Policy, it will also revise the “Last Updated” date at the top of this document. Any material changes to this Policy will also be posted on the Cylance website or intranet.

7. Contact Information

Questions, comments or complaints regarding this Policy or Cylance Personal Data processing practices can be mailed or emailed to:

Office of the Chief People Officer
Cylance Inc.
18201 Von Karman Ave., Suite 700
Irvine, CA 92612
privacy@cylance.com