Company Name: 1WorldSync Holdings, Inc. and its subsidiaries and affiliates, including
(“1WS” or the “Company”).
Company Address: 300 South Riverside Plaza, Suite 1400, Chicago, IL 60606, United
States of America
GDPR Compliance Manager: Julio DalMonte, DPO
Contact Details: email@example.com
The Company collects and processes personal data relating to job applicants (in so far as any
sections of this
privacy notice apply), current and former employees, workers, volunteers, apprentices, interns, and
consultants to manage the employment or contractor relationship (“Workforce Data”).
The Company is committed to being transparent about how it collects and uses that data and to meeting
data protection obligations. To the extent that this Workforce Data includes the personal data
subject to EU
Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free movement of such
repealing Directive 95/46/EC, including the United Kingdom’s substantially similar law as it takes
effect in the
United Kingdom by virtue of the Data Protection Act 2018 (collectively the “GDPR”), this Privacy
summarises your rights and our responsibilities to you. Nothing in this Privacy Notice forms part of
contract, whether of employment, for services or otherwise and may be amended at any time.
1. What Information Does the Company Collect?
The Company collects and processes a range of information about you which is likely to include (as it
applies to either an employment, worker or contractor relationship) but is not limited recruitment
information such as your application form and CV, references, skills, experience, qualifications,
employment history, information provided by recruitment agencies, from social media, membership of
professional bodies and details of any pre-employment assessments and interview notes. Specifics may
- a record of having carried out a background check with a log of applicable government
(but not the details of that check showing any criminal record)
- your address, contact details and date of birth
- information about your marital status, next of kin, dependants and the contact details for your
- your gender
- your marital status and family details
- information about your contract of employment (or services) including start and end dates of
employment, role and location, working hours, details of promotion, salary (including details of
previous remuneration), pension, benefits and holiday entitlement
- your bank details and information in relation to your tax status including your national
- your identification documents including passport and driving licence and information in relation
your nationality, immigration status and right to work for us
- your work schedule, flexible working arrangements, attendance at work, holiday, sickness and
- information relating to disciplinary or grievance investigations, other internal processes and
proceedings involving you (whether or not you were the main subject of those proceedings)
any warnings issued to you and related correspondence
- information relating to your performance and behaviour at work, including appraisals,
reviews and ratings, performance improvement plans and related correspondence
- training records
- electronic information in relation to your use of IT systems/swipe cards/telephone systems and
- your images (whether captured on CCTV, by photograph or video)
- information about medical or health conditions, including whether or not you have a disability
which the Company needs to make reasonable adjustments or assess your fitness for work
- equal opportunities monitoring information
- any other category of personal data which we may notify you of from time to time
The Company may collect this information in a variety of ways. For example, data might be collected
application forms, CVs or resumes; obtained from your passport or other identity documents such as
driving licence; from forms completed by you at the start of or during employment or contract; from
correspondence with you; or through interviews, meetings or other assessments.
In some cases, with your consent, the Company may collect personal data about you from third parties,
as references supplied by former employers and information from criminal records checks or credit
agencies as permitted by law. The Company will seek information from third parties only once a job
contract offer has been made to you and will inform you that it is doing so.
Data will be stored in a range of different places (as it applies to either an employment, worker or
relationship), including in your application record, personnel or contractor file, and electronic
cloud-based HR Management systems and in other IT systems, including the Company’s email system. As
well as having data stored in the UK and EU, we will also have data stored in our US HR system.
2. Why Does The Company Process Personal Data?
The Company needs to process data to enter into or to be in a contract with you and to meet its
under your employment or worker contract or your contract for services.
For example, it needs to process your data in order to receive your application for employment or a
contract, and assess your suitability for the role, to provide you with the contract, to pay you in
with your contract and to administer benefits, pension and insurance entitlements where these are
In some cases, the Company needs to process data to ensure that it is complying with its legal
and to defend against legal claims. For example, it is required to check an individual’s entitlement
in the applicable country, to deduct tax, to make reasonable workplace adjustments in the case of
disability, to comply with health and safety laws and to enable employees or workers to take periods
leave to which they are entitled.
In other cases, the Company has a legitimate interest in processing personal data before, during and
the end of the employment, worker or contractor relationship.
In some cases more than one reason may apply
Processing data allows the Company to (as it applies to either an employment, worker or contractor
- operate and keep a record of recruitment and promotion processes (legitimate interest, perform
- maintain accurate and up-to-date employment records and contact details (including details of
to contact in the event of an emergency), and records of employee contractual and statutory
(legitimate interest, perform contractual obligation)
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct
within the workplace (legitimate interest)
- operate and keep a record of employee performance and related processes, to plan for career
development, and for succession planning and workforce management purposes (legitimate
- operate and keep a record of absence and absence management procedures, to allow effective
workforce management and ensure that employees are receiving the pay or other benefits to
which they are entitled (legitimate interest, perform contractual obligation, comply with legal
- obtain occupational health advice, to ensure that it complies with duties in relation to
with disabilities, meet its obligations under health and safety law, and ensure that employees
receiving the pay or other benefits to which they are entitled (legitimate interest, perform
contractual obligation, comply with legal obligation)
- operate and keep a record of other types of leave (including maternity, paternity, adoption,
parental and shared parental leave), to allow effective workforce management, to ensure that the
Company complies with duties in relation to leave entitlement, and to ensure that employees are
receiving the pay or other benefits to which they are entitled (legitimate interest, perform
contractual obligation, comply with legal obligation)
- operate systems for and keep a record of pay, pension and benefits including PAYE or other
required deductions (perform contractual obligation, comply with legal obligation)
- operate and keep a record of necessary Health and Safety provisions and arrangements (legitimate
interest, perform contractual obligation, comply with legal obligation)
- ensure effective general HR and business administration (legitimate interest) to prevent and
crime (legitimate interest)
- ensure compliance with IT security and [acceptable use policies] (legitimate interest)
- provide references on request for current or former employees (legitimate interest)
- respond to and defend against legal claims (legitimate interest)
Within the broad range of information which can be personal data, the following are “special
personal data” which are subject to a greater degree of protection:
- physical or mental health
- racial or ethnic origin
- political opinions
- trade union membership
- religious beliefs
- sexual life
- genetic and biometric data
Some special categories of personal data, such as information about health or medical conditions, is
processed to carry out legal obligations, such as those in relation to individuals with disabilities
In the case of information about your physical or mental health (including information contained in
records) this is to allow the Company to monitor sick leave, assess your working capacity,
and insurance benefits, take decisions as to an employee’s working capacity and for occupational
We may process sensitive data relating to your criminal record where the nature of is necessary to
with a legal or statutory obligations or under your employment contract (e.g. for insurance) or
have consented (e.g. background check). Further information about the safeguards applied may be
the Data Protection Policy.
Where the Company processes other special categories of personal data, such as information about
origin, sexual orientation or religion or belief, this is done for the purposes of equal
Individuals are entirely free to decide whether or not to provide such data and there are no
failing to do so. Equal opportunities monitoring data is usually anonymised, at which point it
ceases to be
personal data as no specific living individual can be identified from it.
We do not take automated decisions about you using your personal data or use profiling in relation to
3. Who Has Access To The Data?
Data may be shared internally, with HR (including payroll), your line manager, managers in the
area in which you work, those involved in the recruitment activity, and other personnel as necessary
them to carry out their role or for the conduct of our business.
The Company shares your data with third parties in order to obtain references from other employers,
obtain background and credit checks from third-party providers and to obtain necessary criminal
checks from the Disclosure and Barring Service.
We are also required by law to share personal data with statutory bodies such as, but not limited to,
revenue and customs authorities, national pensions authorities, when applicable the local authority
safety or other worker injury reporting, and when requested to do so the police, court services and
The Company may also share your data with third parties in the context of a sale of some or all of
business. In those circumstances the data will be subject to confidentiality arrangements.
The Company also shares your data with third parties (as it applies to either an employment, worker
contractor relationship) that process data on its behalf, in connection with HR services, payroll,
provision of benefits and the provision of occupational health services as required. These may
are not limited to:
- 1WS affiliates;
- training and HR services providers to manage employment and contractor matters
- Professional advisers (life assurance trustees, auditors, insurers and brokers, accountants and
- Vistra, NetSuite, or Ceridan to administer certain HR record keeping, payroll, and similar
- Plan administrators for your applicable insurance and other work benefits
- Health Care Providers as related to your employment or work if applicable
- Tax authorities
The data that we collect from you may be transferred to, and stored at, a destination outside the
may also be processed by staff operating outside the EU/UK who work for one of the third parties we
with and may be engaged in, among other things, processing of HR-related data.
If your personal data is transferred outside of the EU/UK, we do our best to ensure a similar degree
protection in respect of your personal information, as we will take all steps reasonably necessary
that your data is treated securely and in accordance with the provisions set out in the EU and UK
implementations of General Data Protection Regulation and any other company policy in effect at any
during or after your employment with us. In particular, 1WS has implemented appropriate cross-border
transfer solutions in accordance with the GDPR, such as European Commission Standard Contractual
(also known as Model Contractual Clauses) and the UK’s International Data Transfer Addendum (UK
Addendum) as the legal basis for transferring personal data to third countries, including the United
In respect of the transfer of personal data to 1WS in the United States, this is done under the EU-US
Privacy Framework as set out in Commission Implementing Decision of July 10, 2023 pursuant to the
on the adequate level of protection of personal data under the EU-US Data Privacy Framework.
1WS complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the
DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department
Commerce. 1WS has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data
Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data
from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension
the EU-U.S. DPF. 1WS has certified to the U.S. Department of Commerce that it adheres to the
Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of
received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the
terms in this
privacy notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles
To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please
In all cases where 1WS transfers personal information to a third party acting as a controller, 1WS
with the Notice and Choice Principles. 1WS. will enter into a contract with the third-party
provides that such data may only be processed for limited and specified purposes consistent with the
provided by you and that the recipient will provide the same level of protection as the Principles
notify 1WS if it makes a determination that it can no longer meet this obligation. The contract also
that when such a determination is made the third party controller will cease processing or takes
reasonable and appropriate steps to remediate.
In all cases where 1WS transfers personal data to a third party acting as an agent (processor for
purposes), 1WS will: (i) transfer such data only for limited and specified purposes; (ii) ascertain
that the agent is obligated to provide at least the same level of privacy protection as is required
by the Principles; (iii) take
reasonable and appropriate steps to ensure that the agent effectively processes the personal
transferred in a manner consistent with the organization’s obligations under the Principles; (iv)
agent to notify 1WS if it makes a determination that it can no longer meet its obligation to provide
level of protection as is required by the Principles; (v) upon notice, including under (iv), take
appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a
representative copy of the relevant privacy provisions of 1WS’ contract with that agent to the U.S.
Department of Commerce upon request.
When we transfer your information to third parties we comply with the requirements of the legal
that cover your information. For example, when we perform an onward transfer of your information
protected under the GDPR, we remain responsible for the processing of your personal information. For
information subject to an onward transfer by us under the Data Privacy Framework, we will remain
under the Data Privacy Framework Principles if a recipient of your protected personal information
such personal information in a manner inconsistent with the Principles, unless we are able to prove
are not responsible for the event giving rise to the damage.
4. How Does The Company Protect The Data?
The Company takes the security of personal data seriously. The Company has internal policies,
technologies and controls in place, from the point of collection to the point of destruction, to
personal data against loss, malicious or accidental destruction, misuse or disclosure, and to ensure
data is not accessed, except by individuals in the proper performance of their duties.
5. How Long Does The Company Keep Data For?
If your application for employment is unsuccessful, the Company will hold your data on file for six
after the end of the relevant recruitment process. If you agree to allow the Company to keep your
data on file, the Company may hold your data on file for a further six months for consideration for
employment opportunities. At the end of that period, or if you withdraw your consent earlier, your
will be deleted or destroyed.
The Company will hold your personal data for the duration of your employment or contract and
for as long as necessary for the purposes for which we collected it and in accordance with the data
retention periods set out in this document.
The Company shall not retain any personal data for any longer than is necessary considering the
for which that data is collected, held, and processed.
When establishing and/or reviewing retention periods, the following shall be considered:
The objectives and requirements of the Company
- The type of personal data in question
- The purpose(s) for which the data in question is collected, held, and processed
- The Company’s legal basis for collecting, holding, and processing that data
- The category or categories of data subject to whom the data relates
We are required to keep some personal data for specified time periods in order to comply with legal
obligations or in order to protect the business; it is therefore our intention to retain your
personal data as
- Contracts – while employment (or contract) continues and for a period of 6 years after this
- Financial data which we might be required to produce for audits or to the HMRC – while
employment (or contract) continues and for a period of 6 years after the end of the last
financial year after this terminates
- Records establishing your identity for AML– while employment (or contract) continues and for
a period of 6 years after this terminates
- Personnel and training records – while employment (or contract) continues and for a period of
6 years after this terminates
- Consent for the processing of sensitive data – while employment (or contract) continues and for
a period of 6 years after this terminates
- Accident and Injury records while employment (or contract) continues and for a period of 3
years after this terminates or longer if any such records may or could be required in any
ongoing claims for personal injury
- Records establishing your identity for Eligibility to Work in the applicable EU/UK jurisdiction
purposes– while employment (or contract) continues and for a period of 3 years after this
- Working Time Opt Out Forms (Employees & Workers) – a minimum of 2 years from the dates to
which they were applicable
- Details of unsuccessful applicants for job roles or contract positions – 6 months after the
recruitment process for that individual concludes
- Background checks – document to be held by the employee, worker or contractor and a copy of
the information only to be held by the Company – record be deleted 4 months after
employment (or contract) is terminated
- Bank details – 4 months after all final payments have been made
6. What Are Your Rights?
As a data subject, you have a number of rights – you can:
- Know what data we hold about you, why we hold it, the lawful basis for processing it basis and
we share it with
- access and obtain a copy of your data on request, and to request a transfer of data to another
- require the Company to change incorrect or incomplete data
- require the Company to delete or stop processing your data, for example where the data is no
longer necessary for the purposes of processing
- object to the processing of your data where the Company is relying on its legitimate interests
legal ground for processing
not to be subject to automated decision making (with some exceptions)
- to be notified of a data security breach in some circumstances
- to withdraw consent processing where this was the legal basis relied upon for any such
- to complain to your data protection authority
If you would like to exercise your rights under this Policy or the GDPR, or would like to lodge a complaints
with respect to the implementation of this policy and our processing of your personal data, please contact:
VP Technology Operations
Please note that we may request official identification information, such as a copy of your ID card, drivers’
license, etc. from you when you submit a complaint.
You have the right to make a compliant to: in the case of individuals habitually resident in the United
Kingdom, to the Office of the Information Commissioner; for those habitually resident in EU member states
to the applicable supervisory authority in the country of habitual residence; and for those habitually
resident in Switzerland, to the FDPIC. This is in addition to your right to complain to the Federal Trade
Please note that we are subject to the investigatory and enforcement powers of the Federal Trade
In respect on a complaint about 1WS and in compliance with the EU-U.S. DPF and the UK Extension to the
EU-U.S. DPF and the Swiss-U.S. DPF, 1WorldSync Inc. commits to cooperate and comply respectively with the
advice of the panel established by the EU data protection authorities (DPAs) and the UK Information
Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC)
with regard to unresolved complaints concerning our handling of human resources data received in reliance
on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the
employment relationship.You may, subject to its terms, invoke binding arbitration against 1WS in accordance with Annex I of the DPF
This provides that you may invoke binding arbitration by delivering notice to 1WS and following the
procedures and subject to conditions set forth in Annex I of the Principles.
What Happens If You Do Not Provide Personal Data?
Applicants for employment or a contract are under no statutory or contractual obligation to provide data to
the Company during the recruitment process. However, if you do not provide the information, the
Company may not be able to process your application properly or at all.
Once offered a position you have some obligations under your employment contract or contract for
services to provide the Company with data. You are required to report absences from work and may be
required to provide information about disciplinary or other matters under the implied duty of good faith.
Failing to do so may breach the terms of your contract with the Company.
Where applicable, you may also have to provide the Company with data in order to exercise your statutory
rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are
unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the applicable EU/UK jurisdiction, and
payment details, have to be provided to enable the Company to enter into a contract with you and for us to
meet our legal obligations. If you do not provide this information, and update it as necessary, this will
hinder the Company’s ability to administer the rights and obligations arising as a result of the employment
or contractor relationship efficiently.