Introduction
This Colleague Privacy Policy Statement (the “Privacy Policy”) contains the policies, procedures, and practices to be followed by Conga Corporation and any of its present or future subsidiaries (the “Company”) pertaining to the collection, use, and disclosure of Personal Information (the “Personal Information”) of an identifiable person that is a present, future or former colleague of the Company (“Individual”). Please read this Privacy Policy carefully because it explains important information about the processing of your Personal Information, including your rights with respect to your Personal Information. We may amend this Privacy Policy at any time and advise you to consult this Privacy Policy regularly to ensure you stay informed of any such amendments. If you are a California resident, please be sure to review the information provided in Annex 1: California Privacy Notice.
The Company recognizes the confidential nature of the Personal Information in its care and is accountable for the compliance of itself and its directors, officers, management, colleagues, representatives, and agents including consultants and independent contractors (the “Staff”) in protecting this Personal Information.
For the purpose of this Privacy Policy, the term “Personal Information” has the meaning of any information or collection of information in any form, whether oral, electronic, or written that pertains to the Individual excluding information that is publicly available in its entirety. Personal Information will also include any publicly available information that is combined with non-publicly available information.
Categories of Information Collected
Personal Information includes but is not limited to name, home address, home phone number, home email address, identity verification information, Social Security Number or National ID Number, physical description, age, date of birth, gender, salary, education, professional designation, medical history, employment history, credit history, bank details for payroll, contents of the resume, references, interview notes, performance review notes, beneficiaries under any insurance policy, and emergency contact information. We may also collect information such as details of health and disability, including mental health, medical leave, and maternity, paternity, or compassionate leave.
Personal Information will not include the Individual's business title, business address, and contact information when used or disclosed for the purposes of reasonable business communication.
Corporate Privacy Policies and Staff Training
The Company and the Staff will respect the confidentiality of the Personal Information placed in its care. The Company will endeavor to ensure that the policies affecting the collection, storage, and disclosure of Personal Information reflect the confidential nature of the information.
The Company will comply with all applicable privacy legislation and regulations in force now and in the future related to protecting the confidentiality of Personal Information.
The Company will implement policies and procedures that give effect to this Privacy Policy including procedures to protect and secure Personal Information, procedures to receive, investigate and resolve complaints, procedures to ensure adequate training of the Staff concerning the Company's privacy policies, and procedures to distribute new and current information pertaining to the Company's Privacy Policy. Please contact hr@conga.com if you have questions about the procedures mentioned herein.
Purposes for Which Personal Information Is Collected
Personal Information will be collected, used, and disclosed for purposes pertaining to the Individual's employment relationship with the Company, including but not limited to the following purposes:
- Workflow management, assigning, managing, and administering projects
- Human Resources administration and communication
- Payroll and the provision of benefits
- Compensation, including bonuses and long-term incentive administration, stock plan administration, compensation analysis, including monitoring overtime and compliance with labor laws, and company recognition programs
- Job grading activities
- Performance and colleague development management
- Organizational development and succession planning
- Benefits and personnel administration
- Absence management
- Helpdesk and IT support services
- Regulatory compliance
- Internal and/or external or governmental compliance investigations
- Internal or external audits
- Litigation evaluation, prosecution, and defense
- Diversity and inclusion initiatives
- Restructuring and relocation
- Emergency contacts and services
- Colleague safety
- Compliance with statutory requirements
- Processing of colleague expenses and travel charges
- Acquisitions, divestitures, and integrations
The purposes for collecting Personal Information will be documented by the Company. Personal Information will only be used for the stated purpose or purposes for which it was originally collected. The purposes for which Personal Information is being collected will be identified orally or in writing to the Individual before it is collected.
The Company may use Personal Information for a purpose other than the originally stated purpose where the new purpose is required by law or where the Company has obtained consent in writing from the affected Individual for each new purpose.
Knowledge and Consent
Knowledge and consent are required from the affected Individual for the collection, use, and disclosure of all Personal Information subject to exceptions noted elsewhere in the Privacy Policy statement.
Consent will not be obtained through deception or misrepresentation.
Subject to legal and contractual obligations, an Individual may withdraw their consent on reasonable notice.
Legislation and Regulation
Where the Company has Individuals living and working in different jurisdictions the specific rights and obligations of Individuals may vary between jurisdictions.
The Company is subject to the privacy legislation in all jurisdictions in which the Company operates. If any term, covenant, condition, or provision of this Privacy Policy is held by a court of competent jurisdiction to be invalid, void, or unenforceable, it is the intent of this Privacy Policy that the scope of the rights and obligations of the Privacy Policy be reduced only for the affected jurisdiction and only to the extent deemed necessary under the laws of the local jurisdiction to render the provision reasonable and enforceable and the remainder of the provisions of the Privacy Policy statement will in no way be affected, impaired or invalidated as a result.
Where this Privacy Policy provides greater rights and protections to the Individual than the available governing law, the terms of this Privacy Policy will prevail wherever allowed by law.
Scope and Application
The rights and obligations described in this Privacy Policy will apply to all Individuals. The Company and the Staff must comply with the policies, procedures, and practices described in the Privacy Policy.
Collection of Personal Information
The type and amount of Personal Information collected by the Company will be limited to the minimum necessary to accomplish reasonable business purposes. Personal Information will not be collected maliciously, indiscriminately, or without a reasonable business purpose.
Personal Information will be collected using fair and lawful means.
Access by Authorized Company Representatives
All Personal Information will be released internally only on a need-to-know basis. In the course of normal and reasonable business practices, it is the policy of the Company to grant designated Company representatives access to Personal Information files. This access will not exceed that necessary to accomplish the specific business function of the Company representative nor the purpose for which the information was originally collected.
Accuracy of Personal Information
The Company will endeavor to ensure that all Personal Information collected is accurate and validated using reasonable business practices and procedures. The Company is also committed to ensuring that the Personal Information remains accurate for the purpose for which it was collected.
Rights of Access and Correction
An Individual may request access to their Personal Information by submitting a request in writing via email along with adequate proof of identity to an authorized personnel officer at hr@conga.com. Where the request is made in person the requirement for proof of identity will be at the discretion of the human resources representative. The Individual will be provided with a copy of all available information that is not subject to the restriction as described in this Privacy Policy. All Personal Information and Medical Information will be provided at no cost or at a minimal cost that is not prohibitive.
Upon request, the Company will also provide a specific summary of how the Personal Information has been used and to whom it has been disclosed. Where a detailed account of disclosure is not available, the Company will provide a list of organizations to which the Personal Information may have been disclosed.
The Personal Information disclosed to an Individual must be in a form that is reasonable and understandable.
Where an Individual suspects that an error exists in their Personal Information, the Individual may submit a request in writing for correction. This request should include any relevant information substantiating the error and should describe the correction to be made. The Company will make all reasonable efforts to address any request for correction.
Where the Individual successfully demonstrates an error in their Personal Information the Company will make appropriate corrections. Any modifications, additions, or deletions to the Individual's Personal Information will be made only by a human resources representative.
Where a request for correction is not successful, the details and substantiating evidence of the request will be recorded and retained by the Company.
The Company will endeavor to respond promptly to any reasonable request for disclosure and correction made by an Individual to ensure the continued accuracy of Personal Information.
In some instances, the Company may be required to limit access to Personal Information because of statutory or regulatory requirements. In all instances, however, the Company will make all reasonable efforts to comply with the Individual's request for access and correction to the extent of what is allowed by statute or regulation.
The Company may refuse access to portions of the Personal Information of an Individual where it is found to contain Personal Information pertaining to another Individual.
If you are located in the European Economic Area, you may also have the right to restrict or object to the processing of your Personal Information, to have the information anonymized or deleted, as appropriate, or to exercise your right to data portability to easily transfer your Personal Information to another company. In addition, you may also have the right to lodge a complaint with a supervisory authority, including in your country of residence, place of work, or where an incident took place. You may also withdraw any consent you previously provided to the Company regarding the processing of your Personal Information, at any time and free of charge. The Company will apply your preferences going forward and this will not affect the lawfulness of the processing before your consent withdrawal. These rights may be limited in some circumstances by local law requirements. You may exercise these rights at any time by contacting hr@conga.com. You may be required to provide documentation to the Company on request to demonstrate your identity.
Use and Disclosure of Personal Information
The Company and the Staff will keep confidential all Personal Information in its control except where one or more of the following conditions apply:
- Where the Individual who is the subject of disclosure has provided written consent (e.g., background check)
- Where the disclosure is for human resources systems used by the Company's human resources department to store and manage Personal Information
- Where the disclosure is in accord with the purposes for which the Personal Information was originally collected (e.g., payroll services)
- Where the disclosure is for the purpose of providing employment references to prospective employers and where the Personal Information disclosed is limited to information considered reasonably necessary for the purpose of providing employment references
- Where the Company is permitted or required to do so by applicable legislation or regulation
- Where the disclosure is directed to health benefit providers and where the purpose of the disclosure is in accord with the purposes for which the Personal Information was originally collected
- Where the disclosure is required by authorized government representatives who are acting to enforce any federal or state law or carrying out an investigation relating to the enforcement of any federal or state law or gathering information for the purpose of enforcing any federal or state law
- Where the Company is required to comply with valid court orders, warrants or subpoenas, or other valid legal processes
- In an emergency to protect the physical safety of any person or group of persons
Retention and Disposal of Personal Information
Any Personal Information collected by the Company will be retained by the Company during the period of active employment of the Individual as well as during the post-employment period only as long as the Personal Information is required to serve its original purpose or as directed by applicable legislation or regulation.
Personal Information that is no longer needed for its stated purpose will be destroyed, erased, or made anonymous.
The Company will ensure that all practices and procedures relating to the disposal of Personal Information will respect the fundamental policy of confidentiality. All Personal Information disposal procedures, including the disposal of computerized data storage devices, will ensure the complete destruction of Personal Information so that there will be no risk of subsequent unauthorized disclosure of Personal Information.
Deceased Individuals
The rights and protections of the Company's Privacy Policies will extend to deceased Individuals.
Data Security
The Company will take and enforce all reasonable security measures appropriate for the sensitivity of the information to ensure that all Personal Information for every Individual is protected against any form of unauthorized use including but not limited to accidental or malicious disclosure, unauthorized access, unauthorized modification, unauthorized duplication or theft.
The Company will maintain administrative, technical and physical safeguards designed to protect the Personal Information you provide or we collect against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. Methods of security will include but not be limited to the following:
- Physical security including locked filing cabinets and secure-access offices
- Organizational security including security clearances and access limited on a “need-to-know” basis
- Technological security including passwords and encryption
The Company will educate and inform all Staff regarding the Privacy Policy and related procedures and on the importance of confidentiality of Personal Information and will monitor compliance with the Privacy Policy and may observe and investigate the information management practices of all Staff having care of Personal Information.
Knowledge of Unauthorized Disclosure
Responsibility for the security of Personal Information is a responsibility that the Company holds in very serious regard. Any Staff having knowledge of an impending unauthorized disclosure, whether intentional or unintentional, and who fail to act to prevent the unauthorized breach will be subject to sanction as described in the Enforcement section of this document.
Enforcement
All Staff having care over Personal Information must comply with the policies, procedures, and practices described in the Privacy Policy. Any breach of any term or condition of this Privacy Policy, whether intentional or unintentional, including but not limited to the unauthorized disclosure of Personal Information, is grounds for disciplinary action.
Transfer of Information Across Borders
Conga Corporation is a U.S.-based, global company. Conga affiliates, subsidiaries and their Websites and Services are available around the globe. This means Personal Information may be processed in the country where it was collected, as well as in other countries (including the United States) where laws regarding processing of Personal Information may be less stringent. In such cases, we have put in place organizational and legal measures to ensure that data transfers are lawfully conducted. Such measures include:
- Standard Contractual Clauses
- Data Processing Addenda or Agreements, incorporating the Standard Contractual Clauses, as approved by the European Commission and incorporating stringent requirements of Article 28 of the EU General Data Protection Regulation 2016/679.
The Standard Contractual Clauses apply only to the Personal Data that is transferred from the EEA and/or Switzerland and the United Kingdom to outside the EEA and Switzerland or the United Kingdom, either directly or via onward transfer, to any country or recipient:
- Not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive or its successors)
- Not covered by a suitable framework (e.g. Binding Corporate Rules for Processors, EU-US and Swiss-US Privacy Shield, etc.) recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data
In the event the United Kingdom is no longer considered or effectively part of the EU or EEA then such transfers of Personal Data to and from the United Kingdom will be treated as a non-EU or EEA country and the Standard Contractual Clauses apply accordingly.
The Standard Contractual Clauses apply to:
- The legal entity that has executed the Standard Contractual Clauses as a Data Exporter
- All Affiliates (as defined in the Agreement) of Customer established within the EEA and Switzerland or the United Kingdom that have licensed the Service
For the purpose of the Standard Contractual Clauses the aforementioned entities shall be deemed “Data Exporters”.
Data Privacy Framework
Conga Corporation and its affiliate AppExtremes, LLC dba Conga (together "Conga") comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce.
Conga Corporation has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) regarding the processing of personal data received from the European Union (EU) and the United Kingdom (UK) in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Additionally, Conga Corporation has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) regarding the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
In the event of any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program and view our certification, please visit https://www.dataprivacyframework.gov/ and search for Conga Corporation.
- In compliance with the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Conga Corporation commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) regarding unresolved complaints related to the handling of human resources data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF in the context of the employment relationship.
- Conga is responsible for the processing of personal data it receives under the Data Privacy Framework and subsequently transfers to a third-party acting as an agent on its behalf. Conga complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, UK, or Switzerland, including the onward transfer liability provisions. With respect to personal data received or transferred pursuant to the Data Privacy Framework, Conga is subject to the investigatory and regulatory enforcement powers of the U.S. Federal Trade Commission (FTC). In certain situations, Conga may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- In compliance with the Data Privacy Framework Principles, Conga commits to resolve complaints about the collection or use of your Personal Information. EU, UK, and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact Conga’s Privacy Office by emailing privacy@conga.com.
- Additionally, Conga commits to cooperate with the EU Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) (as applicable) and comply with the advice given by such authorities regarding human resources or other data transferred from the EU, UK, and Switzerland in the context of the employment relationship. Under certain conditions, more fully described on the Data Privacy Framework website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Your Rights as a Data Subject
You may request to access, rectify, or update your inaccurate or out-of-date Personal Information by contacting our HR Business Partner and/or Privacy Office at privacy@conga.com.
If you are from certain territories (such as the EEA), you may have the right to exercise additional rights available to you under applicable laws, including:
- The right to request erasure of your Personal Information
- Restriction of processing as it applies to you
- Object to processing
- The right to data portability
You may always object to the use of your Personal Information for direct marketing purposes or withdraw any consent previously granted for a specific purpose at no cost to you. You may also have the right to lodge a complaint with a supervisory authority.
Compliance With Privacy Policy
The Company will have a procedure that will allow Individuals to challenge the Company's compliance with this Privacy Policy. The Company will also have procedures to promptly respond to Privacy Policy compliance challenges. Please submit any questions about this Privacy Policy to hr@conga.com and privacy@conga.com.
The Company will make all reasonable efforts to investigate and respond to compliance challenges relating to this Privacy Policy.
Annex 1: California Privacy Notice
This California Privacy Notice applies to Individuals residing in California from whom the Company collects Personal Information as a business under California law.
Personal Information Collection
For the purposes of this notice, Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or as otherwise defined by the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time (“CCPA”). Personal Information does not include information that is:
- Lawfully made available from government records
- Deidentified or aggregated
- Otherwise excluded from the scope of the CCPA
The chart below provides the categories of Personal Information (as defined by the CCPA) the Company collects from Individuals. The examples of Personal Information provided for each category reflect each category’s statutory definition and may not reflect all the specific types of Personal Information associated with each category.