PRIVACY & DATA PROTECTION

INTRODUCTION

This Policy sets out the information and obligations of Exceptional Leadership Ltd incorporated and registered in England and Wales with company number 10663140 whose registered office is at Gold Hill House, Gold Hill West, Chalfont St Peter, Bucks SL9 9HH (“the Company”) regarding data protection and the rights of data subjects in respect of their personal data under the Data Protection Law.

The Company is the sole legal and beneficial owner of, and owns all the intellectual property rights and interests in, the App and its related software.

The Company is a partner of Hogan Assessment Systems, Inc (“Hogan”) and it is authorised to run the Hogan Assessment through its Licenced Customers.

The Company has agreed to offer its Customers (“Licenced Customers”) access to this App (by way of an agreed licence), so all Licenced Customers can perform the Hogan Assessment for the benefit of their employees, contractors, agents etc.

Personal data is held and processed on Customers’ employees, agents, contractors and others to provide these services.

This Policy applies to the storage and processing of personal data or sets of personal data in electronic and paper form.

The personal data is held and processed on the data subjects to provide the Licenced Customer with convincing information concerning the Hogan Assessment.

DEFINITIONS

“client/customer” means a company or organisation licenced to use the App.

“consent” means the consent of the data controller, which must comply with the agreed terms under both the licenced agreement and the data processing agreement, and must be a specific, informed, and unambiguous indication of the Licenced Customer’s wishes by which they, by a statement or by a clear affirmative action, signify their intentions.

“data controller” means the company or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Licenced Customer is the data controller of all personal data relating to the data subject used in our App for the Hogan Assessment.

“data processor” means Exceptional Leadership Ltd and its sub processors, who both process personal data on behalf of a data controller;

“data subject” is a reference to any individual who may be connected to the Licenced Customer, as an employee, agent, contractor or any other individual who has been authorised by the Licenced Customer to take the test, whether past or present. This also includes anyone who can be identified, directly or indirectly, by reference to an identifier defined under “Personal Data” in the ‘Definitions’ section of this Policy.

“personal data” means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject;

“processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“special category personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data.

SCOPE

The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

The Company is a data processor on behalf of the data controller (Licenced Customers) as defined in the General Data Protection Regulation, and the Company’s obligations shall also apply to all its employees and sub processors.

This Policy aims to ensure compliance with Data Protection Law. The UK GDPR sets out the following principles with which any party handling and processing personal data must comply. The Company as data processor is responsible for, and must be able to demonstrate, such compliance, and to the fullest extent of the law, support the data controller in carrying out its obligations.

The Company’s employees are fully trained and all sub processors unequivocally agree to be compliant with Data Protection Law.

BUSINESS PURPOSES

The Company uses personal data entered in the App by the Licenced Customer and/or the data subjects to help provide decisive information relating to the Hogan Assessment, for the benefit of both the Licenced Customer and data subjects.

DATA PROCESSOR DETAILS

Gold Hill House, Gold Hill West, Chalfont St Peter, Bucks SL9 9HH

Contact: Georgie Fienberg

Email: [email protected]

DATA CONTROLLER DETAILS

Please refer to your data protection officer in your relevant organisation, or contact our team on [email protected] so we can refer you to the appropriate person in your organisation.

DATA PROTECTION OFFICER

The Company’s Data Protection Officer (DPO) is Georgie Fienberg, who is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines. Please use our standard contact information to liaise with our Data Protection Officer.

Our Data Protection Officer administers and works alongside all employees, agents, contractors, or other parties working on behalf of the Company to comply with this Policy; where applicable, those parties are made to implement such practices, processes, controls, and training as are reasonably necessary to ensure such compliance.

Any questions relating to this Policy, the Company’s collection, processing, or holding of personal data, or to the Data Protection Legislation should be referred to the Data Protection Officer.

DATA PROCESSOR POLICY AND PROCEDURES

The Company only collects, processes, and holds personal data on behalf of the data controller.

The Company has a clear and specific data processing agreement with the data controller to ensure that personal data is kept secure and up to date.

The Company has agreed to:

Only process the personal data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written instructions.

Not process the personal data for any other purpose or in a way that does not comply with this data processing agreement or the Data Protection Legislation.

Comply promptly with any Customer written instructions requiring the Company to amend, transfer, delete or otherwise process the personal data, or to stop, mitigate or remedy any unauthorised processing.

Maintain the confidentiality of the data subject’s personal data and not disclose the personal data to third parties unless the Customer specifically authorises the disclosure, or as required by law, court or regulator (including the Commissioner). The Company will inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits the giving of such notice.

Provide all reasonable assistance to its Customers in complying with their obligations under the Data Protection Legislation with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the Commissioner.

BREACH OR COMPLIANCE FAILURE

In the event that the Company suspects an unforeseen compliance failure, security incident, suspected incident or breach, then it will:

  • implement immediate containment of the breach;
  • accurately record the details of the incident;
  • provide an initial assessment of the incident to the data controller within 24 hours;
  • provide support to the data controller to establish the details surrounding the breach.

DATA TRANSFER

The Company shall not transfer any of the personal data to any third party without the written consent of the Licenced Customer and, in the event of such consent, the personal data shall be transferred strictly subject to the terms of the data processing agreement and/or a suitable legal agreement between the Company and agreed sub processors.

No data shall be transferred outside of the UK or EU without it being agreed by the data controller.

SUB PROCESSORS

Should the Company choose to engage with any sub processors for the sole purpose of complying with its data processing obligations, then it shall seek out the written permission of the data controller.

All sub processors shall contract with the Company and will be aware of and comply with the contents of this Policy and the Data Protection Law.

DATA SECURITY

The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

The Company’s data security will be maintained at all times by protecting the confidentiality, integrity, and availability of all personal data as follows:

  • only those with a genuine need to access and use personal data and who are authorised to do so may access and use it;
  • personal data will be accurate and suitable for the purpose or purposes for which it is collected, held, and processed; and
  • authorised users will always be able to access the personal data as required for the authorised purpose or purposes.

DATA RETURN AND DESTRUCTION

At the data controller’s request, the Company will give the data controller a copy of or access to all or part of the personal data in its possession or control in the format and on the media reasonably specified by the Licenced Customer.

On termination of the data processing agreement, the Company will securely delete or destroy or, if directed in writing by the data controller, return and not retain, all or any of the personal data related to this Policy in its possession or control, only.

DATA PORTABILITY

Upon request, a data subject has the right to receive a copy of their data in a structured format. Where relevant, and where there is no undue burden and it does not compromise the privacy of other individuals, the Company will assist the data controller in transferring the data directly to another system for the data subject.

IMPLEMENTATION OF POLICY

This Policy shall be deemed effective as of 17 October 2022. No part of this Policy shall have retroactive effect, and the Policy shall thus apply only to matters occurring on or after this date.