Introduction to the Rater and Administrator Data Protection Notice
Please read this Data Protection Notice (“Notice”) to continue. It sets out how and why your Employer and SHL collect your personal information. For any defined terms which are not defined on this page, see the definitions at the end of the Notice.
Please read the entire Notice carefully.
If you have questions about this Notice, please email dpo@shl.com
Rater and Administrator Data Protection Notice
This Notice was last updated on 01 Feb 2023
CHANGES TO THIS NOTICE: This Notice has been updated to address changes required by the product changes
Section 1 - Who we are
This Notice describes how:
(1) your Employer (“Employer”); and
(2) SHL Group Limited of The Pavilion, 1 Atwell Place, Thames Ditton, Surrey KT7 0NE, England including the rest of SHL group of companies (together, SHL or we or us); respectively use your information collected when taking the Assessment.
You are a ‘’Rater’’ if you are providing feedback or a rating for another individual as part of their assessment. You are an ‘’Administrator’’ if you are operating an SHL platform with permission from an employer.
SHL will process and collect information about you, a Rater or as the Administrator of the Platform in accordance with this Notice. Some information is information about you or from which we can identify you (‘‘Personal Information’’).
This Notice sets out what is collected, how it is collected, how it is used, why it is used, who it is shared with and the rights to which you will be entitled.
Section 2 (Employer as the Data Controller) provides further information on processing of your personal information by the Employer as the data controller.
Section 3 (Data Sharing and Your Rights) provides additional information on who SHL and the Employer share your data with and an overview of your rights under data protection law.
Section 2 - Employer as the Data Controller
The Employer will be the data controller in respect of your Personal Information and will decide what data is collected, the purposes for which it is collected and who it is shared with. You will be able to exercise your rights directly against the Employer in respect of this Personal Information (see Section 3 (Data Sharing and Your Rights) for more information)). This section is divided into information on ‘Rater’ and ‘Administrator’.
a. As a Rater:
SHL collects your Personal Information on behalf of your Employer where you evaluate another person as a Rater.
What we collect if you are a Rater
We collect and process the categories of data on behalf of the Employer as set out below. Depending on the Platform, not all the categories of data listed below may be collected about you.
Information that you give us and the Employer when you become a Rater, ("Rater Credentials") including:
- first and last name
- email address
- country/location
- password
- preferred language
What we do with the data
We use your Rater Credentials to:
- allow you to provide feedback or input on another individual as a Rater; and
- manage and administer our services.
Why this data is collected and how long it is retained by us
We hold and process your Rater Credentials, in accordance with the Employer’s instructions. The Employer will instruct us to process your Personal Information because they have a legitimate interest to collect your feedback or input on another individual as part of an assessment.
We will keep your Personal Information on behalf of the Employer in accordance with the Employer’s instructions. The period of time that we are instructed to hold your Personal Information, varies from Employer to Employer, but generally will be for the time that we are instructed to retain the related assessment. We will not delete your Personal Information if relevant to an investigation or a dispute. It will continue to be stored until those issues are fully resolved.
You should contact the Employer directly if you require more information on this section.
Data Sharing
We will only share Personal Information processed on behalf of the Employer with the Employer and on the Employer’s instructions. The Employer may share your Personal Information with other third parties including its group companies and those parties listed at section 3. You should contact the Employer for more information to identify with whom they share your Personal Information.
Where your Personal Information is stored
We store your Personal Information in data centres located in Germany and backed up in Ireland. SHL affiliates also transfer your Personal Information within the Europe Economic Area (“EEA”).
Additionally, your Personal Information is transferred to the United States, India, South Africa and United Kingdom (“SHL Non-EEA Processing Locations”) where a limited number of personnel in our SHL Non-EEA Processing Locations, as well as our trusted third-party vendors and service providers, have access to Personal Information in order to provide services. As the SHL Non-EEA Processing Locations are in countries which do not have equivalent data protection laws to those applicable in the EEA we have an Intragroup Agreement in place, signed by all SHL affiliates, which contains the European Union (EU) Standard Contractual Clauses (SCCs) which have been approved by the EU data protection authorities for the transfer of data outside the EEA. Our third-party vendors and service providers are also required to sign up to SCCs in accordance with Article 46 of the General Data Protection Regulation. All SHL affiliates have the same technical, physical, and administrative security controls and are required to comply with our data protection policies and procedures, applicable laws, governing the collection and use of personal information.
We are happy to provide you with copies of the regulator-approved SCCs, which you can request from the SHL Data Protection Officer (DPO) on dpo@shl.com or the contact details included at the end of this Notice
b. As an Administrator:
SHL collects your Personal Information on behalf of your Employer to allow you to operate the Platform where your Employer conducts assessments with candidates and participants.
What we collect if you are an Administrator
We collect and process the categories of data on behalf of the Employer as set out below. Depending on the Platform, not all the categories of data listed below may be collected about you.
Information that you give us and the Employer when you become an Administrator, ("Admin Credentials") including:
- first and last name
- email address
- country/location
- password
- preferred language
- user role
What we do with the data
We use your Admin Credentials to:
- allow you to access the Platform so you can manage the assessments and reports purchased by your Employer; and
- manage and administer our services.
Why this data is collected and how long it is retained by us
We hold and process your Admin Credentials, in accordance with the Employer’s instructions. The Employer will instruct us to process your Personal Information because they have one or more of the following legitimate interests:
- To have a staff member to administer the Platform, and
- To control access to the assessments performed for the Employer.
We will keep your Personal Information on behalf of the Employer in accordance with the Employer’s instructions. The period that we are instructed to hold your Personal Information, varies from Employer to Employer, but generally will be for the time that you are an Administrator. We will not delete your Personal Information if relevant to an investigation or a dispute. It will continue to be stored until those issues are fully resolved.
You should contact the Employer directly if you require more information on this section.
Data Sharing
We will only share Personal Information processed on behalf of the Employer with the Employer and on the Employer’s instructions. The Employer may share your Personal Information with other third parties including its group companies and those parties listed at section 3. You should contact the Employer for more information to identify with whom they share your Personal Information.
Where your Personal Information is stored
We store your Personal Information in data centres located in Germany and backed up in Ireland. SHL affiliates also transfer your Personal Information within the Europe Economic Area (“EEA”).
Additionally, your Personal Information is transferred to United States, India, South Africa and United Kingdom (“SHL Non-EEA Processing Locations”) where a limited number of personnel in our SHL Non-EEA Processing Locations, as well as our trusted third-party vendors and service providers, have access to Personal Information in order to provide services. As the SHL Non-EEA Processing Locations are in countries which do not have equivalent data protection laws to those applicable in the EEA we have an Intragroup Agreement in place, signed by all SHL affiliates, which contains the European Union (EU) Standard Contractual Clauses (SCCs) which have been approved by the EU data protection authorities for the transfer of data outside the EEA. Our third-party vendors and service providers are also required to sign up to SCCs in accordance with Article 46 of the General Data Protection Regulation. All SHL affiliates have the same technical, physical, and administrative security controls and are required to comply with our data protection policies and procedures, applicable laws, governing the collection and use of personal information.
We are happy to provide you with copies of the regulator-approved SCCs, which you can request from the SHL Data Protection Officer (DPO) on dpo@shl.com or the contact details included at the end of this Notice.
When do we share Personal Information
For both Rater and Administrator, we will share your data with third parties within our group companies when required to provide maintenance and support services and so that we can continue to improve the services we provide across the group. This will include sharing with our trusted third-party service providers, solely to the extent required to deliver contract services.
Inappropriate Content
To the extent SHL Products allow you to post your own content, SHL is not responsible for any content that you, your Company or a candidate post which is factually inaccurate, unlawful or offensive. That responsibility remains solely with the Company. Accordingly, Company waives any and all legal rights or remedies you have or may have against SHL with respect to any such content. SHL does not monitor the content posted by you, but we reserve the right (but not the obligation) in our sole discretion to remove any content that is available via an SHL Product where we have any grounds to suspect non-compliance with these Terms.
Section 3 - Data Sharing and Your Rights
Data Sharing
The Employer and SHL as data controller will share your data with the following third parties in the below circumstances:
- If we are discussing selling or transferring part or all of our business, Personal Information will be transferred to prospective purchasers under suitable terms as to confidentiality.
- If we are reorganized or sold, Personal Information will be transferred to a buyer who can continue to provide services to you.
- If we are required to by law, or under any regulatory code or practice we follow, or if we are asked by any public or regulatory authority – for example the Police.
- If we are defending a legal claim your Personal Information will be transferred as required in connection with defending such claim.
Data Subject Rights
We’ve listed the rights you have over your Personal Information and how you can use them below. These rights are subject to exemptions in applicable law and will only apply to certain types of information or processing. As described above, the Employer will be data controller so you should contact them directly if you want to exercise a right over data for which they are data controller.
- The right to withdraw consent: Where we or the Employer have obtained consent for some of the ways we use your information you can remove that consent at any time by contacting the Employer or the SHL Data Protection Officer (DPO) on dpo@shl.com or the contact details included at the end of this Notice.
- You can ask us to confirm if we are processing your Personal Information and, if we are, you can ask for access to that Personal Information as well as further details including why your data is being used and for what purposes.
- You can ask to correct your Personal Information held by us and the Employer if it is wrong.
- You can ask us and the Employer to delete your Personal Information.
- You can ask us and the Employer to restrict how we use your Personal Information.
- You can ask us and the Employer to help you move certain Personal Information to other companies. To help with that you have a right to ask that we or the Employer provide your Personal Information in a machine-readable format to another company.
- You can ask us and the Employer to stop using your Personal Information, but only in certain cases. This applies where we are processing your personal information based on a legitimate interest (or those of a third party) and you can object to processing on this ground. However, we will be entitled to continue processing your information based on our compelling legitimate interests.
You also have a right to make a complaint to a Supervisory Authority. Where we are the data controller you can contact the UK Information Commissioner’s Office, or the local data protection regulator in your jurisdiction.
Where the Employer is the data controller, you can contact the regulator in the location where the Employer is based.
Questions or Complaints
Questions about the Employer’s use of your Personal Information should be sent directly to the Employer at whose request you are taking the assessment.
If you have any questions about this Notice, please contact the SHL Data Protection Officer (DPO) on dpo@shl.com or the contact details included at the end of this Notice.
Changes to the Notice
This Notice will be changed from time to time. If we change anything important about this Notice (the information we collect, how we use it or why) we will provide a prominent notice to bring your attention to such importance changes for a reasonable length of time following the change.
If you would like to access previous versions of this Notice, please contact the SHL Data Protection Officer (DPO) on dpo@shl.com or the contact details included at the end of this Notice.
Other policies
Security
We are committed to keeping your personal information safe. We have implemented physical, technical and administrative measures to help prevent unauthorized access or use of your information. For more information about the security measures, we have please see our: Security Policy.
Sanctions
SHL products and services are subject to US sanctions law. As a result, prohibited individuals, or those located in certain countries (Cuba, Iran, North Korea, Sudan and Syria), are not authorized to take assessments on our systems. Please contact us at dpo@shl.com with any questions.
SHL Data Protection Officer Contact Details:
Email: dpo@shl.com
Postal Address: Data Protection Officer, SHL Group Ltd, The Pavilion, 1 Atwell Place, Thames Ditton, Surrey, KT7 0NE, England.
Definitions:
‘Assessment’ means systematic methods of gathering data under standardized conditions and reaching a conclusion regarding the knowledge, qualification, and potential of a candidate.
‘Consent’ of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
‘Controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
‘Platform’ means the digital service that facilitates the process of delivering assessments.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.