Privacy Policy
Data Privacy Framework Compliant
Date last updated: February 29, 2024
This Privacy Policy (“Policy”) describes G. H. Smart & Company, LLC’s (“ghSMART,” “we,” or “us”) practices regarding our collection, use, and disclosure of the personal data of data subjects located in the European Union (such data, “EU Personal Data”), the United Kingdom and Gibraltar (such data, “UK Personal Data”) and Switzerland (such data, “Swiss Personal Data”). This Policy applies to the following affiliated entities: G. H. Smart & Company Canada, ULC, G. H. Smart & Company, LLC and G. H. Smart & Company Pty Ltd.
ghSMART recognizes that the EU, UK (and Gibraltar) and Switzerland (collectively, the “Subject Geographies”) have established certain protections regarding the handling of personal data, including requirements to provide adequate protection for personal data transferred outside of the jurisdiction from which it derives. To provide adequate protection for the personal data we collect, ghSMART complies with the EU-US Data Privacy Framework (“EU-U.S. DPF”), the UK extension to the EU-US Data Privacy Framework, and Swiss-US Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce (collectively, the “Data Privacy Framework”). ghSMART has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (the “EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. ghSMART has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles” and together with the EU-US DPF Principles, the “DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit the Data Privacy Framework website.
ghSMART commits to subject all personal data received from the Subject Geographies to the DPF Principles. The DPF Principles are: Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.
The U.S. Federal Trade Commission has jurisdiction over ghSMART’s compliance with the Data Privacy Framework. For more information about the Data Privacy Framework, see the U.S. Department of Commerce’s Data Privacy Framework website located at: https://www.dataprivacyframework.gov/. To review ghSMART’s representation on the Data Privacy Framework list, see the U.S. Department of Commerce’s Data Privacy Framework self-certification list located at: https://www.dataprivacyframework.gov/list.
Types of Personal Data Collected
ghSMART collects personal data from our contractors, vendors, clients, business partners, employment candidates, and employees. The personal data we collect from these sources in the Subject Geographies varies based on the underlying purpose for the data collected. The specific information we collect may include: name, contact details (e.g., telephone, email, address), employment history (e.g., employment dates, name of employer, location of employment, tenure, job title, performance appraisals/assessments, and salary and benefits), education and training history (e.g., institutions attended, degrees earned, qualifications, grades and courses attended), standardized test scores, other specifics regarding job qualifications, professional memberships/organizations, and other professional or personal information voluntarily provided during an assessment process. In the course of performing our leadership advisory services (“Services”), ghSMART may generate email correspondence with data subjects, meeting notes, expressions of opinion or future intentions, and assessment of strengths and weaknesses regarding data subjects.
Purposes for Collection and Use of Personal Data
ghSMART accesses and uses personal data derived from data subjects in the Subject Geographies in ways that are compatible with the purposes for which ghSMART, or its third-party data sources, collected it, or for purposes the data subject later authorizes. The legal bases for which we process personal data include:
- To comply with contractual obligations or to take steps at your request before entering into a contract. When you contract to receive Services from ghSMART, or to provide services to us, we will process your personal data in order to fulfill our obligations under the agreement. We also process personal data when responding to inquiries about our Services to prospective clients and other interested parties.
- As a result of your consent. In certain cases, you consent to the processing of your personal data by us (e.g., when you participate in an employee, candidate or board assessment, participate in executive coaching or training sessions, apply for employment with ghSMART, or provide services to us). When consent is the basis on which we process your personal data, we will inform you if we need to carry out further processing for purposes other than those for which you provided us with your consent and obtain your further consent. You may withdraw your consent at any time. For further information on the right of withdrawal, please contact us via email at dataprotection@ghsmart.com.
- When necessary to comply with legal obligations. If ghSMART receives a lawful request from public authorities, including to meet national security or law enforcement requirements, ghSMART may be required to disclose personal data.
- For purposes of our legitimate interests. ghSMART processes personal data for various legitimate interests including administrative purposes relating to processing transactions with our clients; accounting, audit, tax, legal, regulatory, compliance, vendor management; analysis and research of data in order to provide training to our consultants and to improve our consulting business practices and products core activities; and analysis and research of aggregated and deidentified data in the context of writing articles and white papers.
Disclosures of Personal Data to Third Parties
Third-Party Agents or Service Providers. ghSMART discloses personal data from the Subject Geographies to certain third-party agents and service providers that perform services on our behalf and with whom we have entered written agreements that incorporate guarantees from the recipient that they will apply the same level of protection as the DPF Principles and implement appropriate technical and organizational measures that meet the requirements of applicable law and ensure the protection of the rights of the data subject.
Affiliated Entities. We may also transfer personal data derived from data subjects in the Subject Geographies to our affiliated entities for administrative purposes (e.g., accounting, financial reporting) after guarantying that they apply the same level of protection as the DPF Principles and implement appropriate technical and organizational measures that meet the requirements of applicable law and ensure the protection of the rights of the data subject.
Disclosures for National Security or Law Enforcement. Under certain circumstances, we may be required to disclose personal data derived from data subjects in the Subject Geographies in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. However, to date, no such request has been received by ghSMART or its affiliated entities.
ghSMART remains liable under the Data Privacy Framework if a third party to whom we disclose personal data processes such data in a manner inconsistent with the DPF Principles and/or applicable law, unless ghSMART proves that it is not responsible for the event giving rise to the damage.
Security
ghSMART maintains reasonable and appropriate security measures designed to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with applicable law.
Data Subject Rights
Under the GDPR, you have the following rights:
- Right of Access: You have the right to ask us for copies of your personal data. The law provides for some exemptions, which means you may not always receive all the personal data we process.
- Right to Rectification: You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete personal data you think is incomplete.
- Right to Restrict Processing: You have the right to ask us to restrict the processing of your personal data in certain circumstances.
- Right to Withdraw Consent: You have the right to revoke your consent to our processing of your personal data at any time by contacting us at dataprotection@ghsmart.com. Withdrawing consent will not affect the lawfulness of the processing performed based on your consent before its withdrawal.
- Right to Erasure: You have the right to ask us to erase your personal data in certain circumstances.
- Right to Data Portability: This only applies to personal data you have given to us and that is held electronically. You have the right to ask that we transfer this information from ghSMART to another organization or give it to you.
If you wish to exercise your rights above, you may contact us at dataprotection@ghsmart.com. You are not required to pay any charge for exercising your rights. We have one month to respond to you.
Changes To This Policy
It is our policy to post any changes we make to our Privacy Policy on this website. Please visit our website and this Privacy Policy to check for any changes. The “Date last updated” at the top of this page will indicate the last time the Privacy Policy was updated.
Questions and Complaints: In compliance with the Data Privacy Framework, ghSMART commits to resolve DPF Principles-related complaints about our collection and use of personal data. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the Data Privacy Framework should first contact ghSMART at: dataprotection@ghSMART.com. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your personal data within 45 days of receiving your complaint. In compliance with the Data Privacy Framework, ghSMART commits to refer unresolved complaints concerning our handling of personal data received in reliance on the Data Privacy Framework to JAMS Data Privacy Framework, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint. The services of JAMS Data Privacy Framework are provided at no cost to you.
Under certain circumstances, data subjects have the possibility of invoking binding arbitration for complaints regarding Data Privacy Framework compliance that are not resolved by any of the other Data Privacy Framework mechanisms. Details regarding invoking this right can be found at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.