1. Glossary of Terms
|Anonymity||a characteristic of information that does not permit a Data Subject to be identified directly or indirectly.|
|Anonymization||a process by which Personal Data is irreversibly altered in such a way that a Data Subject can no longer be identified directly or indirectly, either by the Data Controller alone or in collaboration with any other party.|
|Anonymized Data||data that has been produced as the output of a Personal Data anonymization process.|
|Automated Decision-Making (ADM)||when a decision is made solely on the basis of Automated Processing.|
|Automated Processing||any computerized Processing of Personal Data to evaluate certain aspects relating to an individual, including analysis or predictions concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Profiling is an example of Automated Processing.|
|CCPA||the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.|
|Confidential Information||non-public information that derives independent value from not being generally known to the public, but does not include any information that (i) was or subsequently becomes publicly available without breach of any confidentiality obligations, (ii) was known prior to the disclosure of such information, (iii) was or is subsequently obtained from another source without breach of any confidentiality obligation, or (iv) is independently developed without reference to any Confidential Information and/or Personal Data.|
|Consent||a Data Subject’s freely given, specific, and informed agreement to the Processing of their Personal Data.|
|Data Breach||Please refer to the iCIMS Incident Response Policy.|
|Data Controller||the person or organization that determines the purposes and means for Processing Personal Data other than natural persons who use data for personal purposes.|
|Data Processor||the person or organization that Processes Personal Data on behalf of and in accordance with the instructions of a Data Controller.|
|Data Subject||an identified or identifiable natural person to whom the Personal Data relates and whose rights are protected by applicable data protection and privacy laws, including, but not limited to, a “Consumer” as defined in the CCPA.|
|Dispose||the discarding or abandonment of Confidential Information and/or Personal Data; or the sale, donation, or transfer of any medium, including computer equipment, upon which this Confidential Information and/or Personal Data is stored.|
|GDPR||(i) the Regulation (EU) 2016/679 on the protection of natural persons with regard to Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and (ii) the UK GDPR.|
|ISMS||Information Security Management System, which stems from ISO/IEC: 27001:2013|
|Joint Controller||Data Controller that determines the purposes and means of the processing of Personal Data jointly with one or more other Data Controllers.|
|Need to Know Parties (NKP)||iCIMS consultants, vendors, partners, or other third parties that are provided Information by iCIMS on a need-to-know basis subject to confidentiality obligations.|
|Personal Data (also known as PII)||any information relating, directly or indirectly, to an identified or identifiable Data Subject, where such information is protected under applicable data protection or privacy law.|
|Personnel||iCIMS employees (part-time and full-time), interns, directors, and members.|
|PIMS||Privacy Information Management System, which stems from ISO/IEC: 27701:2019|
|Privacy Event||a situation where PII or Personal Data is potentially Processed in violation of one or more relevant iCIMS Privacy Principles.|
|Privacy Incident||a situation where PII or Personal Data is Processed in violation of one or more relevant iCIMS Privacy Principles.|
|Processing of Personal Data (also known as Processing and Processing of PII)||any operation or set of operations performed upon Personal Data.|
|Processor||a specific NKP that Processes Personnel Data with respect to iCIMS’ corporate operations.|
|Security Event or Incident||Please refer to the iCIMS’ Incident Response Policy.|
|Sensitive or Special Category Personal Data (SPD) (also known as Sensitive PII)||category of Personal Data, either whose nature is sensitive, such as those that relate to the Data Subject’s most intimate sphere, or that might have a significant impact on the Data Subject.|
|Subject Access Request (SAR)||a request made by or on behalf of an individual for action on or access to their Personal Data, which they are entitled to ask for under applicable data protection and/or privacy law.|
|Subprocessor||a NKP third-party Data Processor engaged by iCIMS, who has or potentially will have access to or process Subscriber Data (as defined in the iCIMS Subscription Agreement), which may contain Personal Data.|
|Subscriber||Please refer to the iCIMS Subscription Agreement, which may be found at www.icims.com/gc.|
|Subscriber Data||Please refer to the iCIMS Subscription Agreement, which may be found at www.icims.com/gc.|
|Subscription||Please refer to the iCIMS Subscription Agreement, which may be found at www.icims.com/gc.|
|UK GDPR||the EU GDPR as amended and incorporated into United Kingdom (“UK”) law under the UK European Union (Withdrawal) Act 2018, if in force.|
2. OVERVIEW AND BACKGROUND
iCIMS, Inc. and its subsidiaries (collectively, “iCIMS”) recognizes the importance of protecting and ensuring the integrity of Subscriber’s Confidential Information and Personal Data, including SPD. Subscribers’ Confidential Information and Personal Data are gathered, used, stored, shared, secured, retained, and disposed of in accordance with applicable laws and regulations, privacy best practices, and the terms of the agreement between iCIMS and the Subscriber.
This Data Security & Privacy Statement (“Statement”) explains how we process, gather, use, store, share, secure, retain, and dispose of Confidential Information and Personal Data on behalf of our subscribers’ and their users. To this end, iCIMS has adopted this statement to secure and limit unauthorized disclosure of subscribers’ Confidential Information and/or Personal Data.
EU-U.S. and Swiss-U.S. Privacy Shield
iCIMS complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield Frameworks”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area, the UK, and Switzerland to the United States. iCIMS has self-certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles.
Compliance with Applicable Data Protection and Privacy Law
iCIMS complies with applicable data protection and privacy laws and regulations, including the EU GDPR, the UK GDPR, and the CCPA, by and through its information security and privacy information management systems that comply with internationally recognized standards (ISO/IEC 27001 and 27701), as well as other technical and organizational measures, including the Privacy Shield Frameworks and standard contractual clauses, as applicable, regarding the legal safeguards required to protect Personal Data.
3. Types of Information Processed
iCIMS processes Subscriber Data, which may include Confidential Information and/or Personal Data, on behalf of its subscribers, which generally includes the following categories of information:
To this end, iCIMS recognizes that Processing Personal Data varies by country, and we adhere to the below data protection principles based upon our Subscribers’ user’s country of residence, the agreement between the Subscriber and iCIMS, and the Subscriber’s requirements.
3.1 Personal Data
iCIMS Processes Personal Data on behalf of its subscribers. Depending on the subscribers’ instructions and settings, Personal Data may include the following data categories: internal data; external data; financial data; social data; historical data; and tracking data.
Examples of Types of Personal Data
|External Data||Financial Data||Social Data||Historical Data||
4. How We Process Confidential Information and Personal Data
Personnel and NKPs shall only use Confidential Information and Personal Data for a legitimate business purpose in the performance of their duties, including (without limitation):
4.1 Processing of Personal Data
iCIMS recognizes the importance of Processing Personal Data, and values the lawful, accurate, and secure Processing of Personal Data. Therefore, to assist its Subscribers in complying with applicable laws and regulations, iCIMS’ Subscription is enabled to Process Personal Data on behalf of its subscribers and in accordance with the following data protection principles:
These data protection principles must be followed at all times when Processing or using Personal Data. Through appropriate management and strict application of criteria and controls, iCIMS enables subscribers, by and through the iCIMS Subscription, to:
Lastly, where iCIMS processes Personal Data on behalf of its subscribers, iCIMS serves as a Service Provider as defined in CCPA Section 1798.140(v). Under those same circumstances, iCIMS’ subscribers are considered to be a Business as defined in CCPA Section 1798.140(c). Under no circumstances envisioned in the Subscription Agreement is either party considered to be a Third Party as defined in CCPA Section 1798.140(w).
As such, subscribers disclose Personal Data to iCIMS solely for: (i) a valid business purpose; and (ii) iCIMS to provide the Subscription. Except as agreed upon in writing by iCIMS and each Subscriber, iCIMS is prohibited from: (i) selling Personal Data; (ii) retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Subscription; and (iii) retaining, using, or disclosing the Personal Data outside of the Subscription Agreement between iCIMS and Subscriber.
4.1.1 Data Subject Rights
Under the applicable data protection and privacy laws and regulations, a Data Subject may request details about his/her Personal Data which iCIMS Processes on behalf of a Subscriber. These rights may include, for example, the right to be informed that processing is being undertaken, to access one’s Personal Data, to prevent Processing in certain circumstances, or to correct, rectify, block, or erase one’s Personal Data.
iCIMS’ Subscription enables subscribers to fulfill their own Subject Access Requests. Within the Subscription, iCIMS has also implemented appropriate technical and organizational measures, insofar as this is possible, so that subscribers may fulfill their obligations to respond to SARs. In addition, when necessary, iCIMS provides subscribers with reasonable assistance to fulfil SARs in accordance with the terms of the agreement between iCIMS and the Subscriber. Should iCIMS received a SAR outside of the Subscription that names a Subscriber, iCIMS will redirect the Data Subject to the Subscriber and promptly forward the SAR to the Subscriber.
4.2 Privacy by Design & Default
iCIMS embeds privacy considerations into business processes and systems through appropriate physical, technological, and procedural controls reasonably designed to ensure Personal Data is Processed and secured in accordance with applicable data protection and privacy laws and regulations. Through its security policies and procedures, iCIMS implements various information security measures, including that it only processes the minimal amount of Confidential Information and/or Personal Data necessary for a specific purpose, ensuring that unauthorized access or disclosure of Confidential Information and/or Personal Data does not happen by accident or design.
5. Safeguarding of Confidential Information and Personal Data
In addition to processing Personal Data in accordance with the principles provided for in the Section titled, “PROCESSING OF PERSONAL DATA,” iCIMS implements the following physical, procedural, and information security safeguards to protect all subscribers’ Confidential Information and/or Personal Data:
a. Providing visitors a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-Personnel;
b. Asking visitors to surrender the physical token before leaving the facility or at the date of expiration;
c. Documenting procedures to help all Personnel easily distinguish between Personnel and visitors, especially in areas where Personal Data is accessible.
6. Responsibilities of Personnel
iCIMS strictly prohibits unauthorized disclosure of Confidential Information and Personal Data. Personnel, Processors, and Subprocessors should not disclose Confidential Information and Personal Data obtained in the course of their work with iCIMS, or access Confidential Information and Personal Data without appropriate permissions. The agreement between iCIMS and the Subscriber dictates how Subscriber Data are obtained and/or disclosed.
Personnel shall use reasonable efforts to safeguard Confidential Information and Personal Data and keep it private and confidential, including, but not limited to, taking the following actions as appropriate:
If Personnel encounter information, documents, or other materials, whether disclosed in writing or orally, for which there is some doubt as to whether it should be treated as Confidential Information or Personal Data, or how it can be disclosed or used he or she shall:
a. Treat such information, documents, or materials as Confidential Information and/or Personal Data as provided herein; and/or
b.Contact the iCIMS Privacy team, who shall make a joint determination on how best to proceed.
7. Return, Transfer, or Disposal of Information
a. Burning, pulverizing, or shredding of papers or records containing Information so that the Information cannot be practicably read or reconstructed;
b. Destroying or erasing electronic media containing Information so that the Information cannot practicably be read or reconstructed, consistent with reasonable standards
8. Accountability and Liability
9. Data Backup and Disaster Recovery
iCIMS, through its Support & Maintenance Policy conducts a Backup at least daily and prior to any Update to the Subscription. iCIMS maintains daily Backups onsite and moves one of the daily Backups to an off-site storage facility. iCIMS also maintains an Incident Response Policy and Procedure that ensures a consistent and effective approach to the management of Security and/or Privacy Events or Incidents, including a Data Breach.
10. Services Privacy Notice
For more information on iCIMS’ privacy practices with respect to the collection, use, and disclosure of Personal Data obtained in connection with the use of our Subscription, please see its Services Privacy Notice. It also describes iCIMS’ privacy practices with respect to Personal Data processed by iCIMS for Subscriber account, contract, and billing management purposes.
11. Contact Information
To contact iCIMS’ Data Protection Officer, please email firstname.lastname@example.org or write to iCIMS, Inc., Attn: Privacy, Legal Department, 101 Crawfords Corner Road, Suite 3-100, Holmdel, NJ 07733 USA.
Data Security & Privacy Statement 01SEPTEMBER2020