Background
This Privacy Notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when ORCID, Inc (“ORCID”), processes your personal information (“Personal Information”). The Personal Information processed by ORCID (which may be held on paper or in electronic format or in any other format) is subject to certain legal safeguards specified in the applicable national and international data protection laws, including the European Union’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. These regulations impose restrictions on how ORCID may process Personal Information. This notice should be considered supplemental to any other privacy agreements between ORCID and any members of its staff.
ORCID’s Data Processing Activities
In the course of its activities, ORCID will collect, store and process Personal Information related to you in the employment context, and it recognizes that the correct and lawful treatment of this information will maintain confidence in the organization and will provide for successful business operations. ORCID processes your Personal Information in the role of a controller under the GDPR.
Information That We Collect
ORCID processes your Personal Information to meet its legal, statutory and contractual obligations and to enable ORCID to employ and train you in the course of your employment. ORCID will not collect any unnecessary Personal Information from you and does not process your information in any way, other than as specified in this notice.
In particular, ORCID may collect and process the following categories of Personal Information:
- identification and contact details (name and surname, gender, date of birth, place of birth, marital status, telephone number, personal identification number, employee number, passport number, e-mail address, permanent and temporary residence address, mailing address, nationality, visa status, emergency contacts of close persons, dietary preferences, links to social media profiles, languages spoken, education);
- information related to the employee’s position and salary information (employment contracts, employment amendments, CVs, interview notes, information regarding salary of an employee, tax and insurance information, information related to benefits, work position, department, education, income from employment, number and type of bank account, including banking institution), business trip information, days and hours of work, absentee records, performance reviews, training certificates and disciplinary related information.
ORCID further processes the following categories of Personal Information for the purposes of the controller’s legitimate interests to protect its property in operating its business:
- Information about employee’s activity in information systems for the purpose of detecting and preventing unauthorized activities in such systems, and
- Information related to the ordinary course of business and related employment activities (photographs, videos).
The above information is collected in the following methods listed below:
- Job applications (hard copy or electronic copy)
- Electronic job applications (submitted via online form)
- Resume(s)/curriculum vitae(s) and any other application materials
- Information provided during job forums and recruitment events
- Information forwarded by recruitment agencies
- Information provided directly from employee
- Performance reviews
- Training and certifications
- Usage information from our and our vendors’ IT systems
- The general onboarding process and submission of all relevant forms and data within our Human Resources Information System (HRIS).
Note, the above information is received by ORCID in various forms including hard-copy and electronic form delivered in-person or via email, fax, website, social media, etc.
How We Use Your Personal Data
ORCID takes your privacy very seriously and will never disclose, share or sell your data without your knowledge, unless required to do so by law. ORCID only retains your data for as long as is necessary and for the purpose(s) specified in this notice. The Personal Information is processed for the following purposes and reasons:
OBJECTIVES OF THE PROCESSING | TYPE OF PERSONAL INFORMATION | BASIS FOR PROCESSING |
Recruitment/Employee Management Managing the workforce: recruiting managing work evaluating the work performance of employees developing and managing the company’s organizational structure managing staff and team management, business trips talent management and work growth counseling training managing and approving work leave succession planning provision of references on request. | data related to the employee’s work and educational history identification data data related to the employee’s position salary data and related financial data notification of employee absence related to sickness | Processing: is necessary for the implementation of pre-competitive measures taken prior to the conclusion of a contract of employment or other contract to which the employee as a data subject is a party. may at the same time be necessary for the purposes of the legitimate interests of ORCID or of a third party, for which an interest in the proper assessment of a potential candidate in a competitive tendering procedure. it is necessary, after recruiting an employee to fulfill the employment or other contract to which the employee is a party as a data subject. |
OBJECTIVES OF THE PROCESSING | TYPE OF PERSONAL INFORMATION | BASIS FOR PROCESSING |
Benefits Salary Agenda, Employee Benefits and Payments: salary, rewards, and all other incentives and benefitscompliance with statutory social security and tax regulations. | work addresswork/educational experienceidentification data data related to the employee’s position salary data and related financial data info on insurance and indemnityinfo on the social security system | Processing: • is necessary to comply with the legal obligations applicable to ORCID; and • may at the same time be necessary to fulfill the employment or other contract to which the employee is a data subject as a party. |
Emergency Communication with employees and their contact persons in case of urgency | identification data of employeeidentification data of employee emergency contact(s)data related to the employee’s urgent situation | Processing is necessary to protect the vital interests (health) of the employee in the event of an emergency. |
Legal Obligations The fulfillment of our legal obligations, including obligations arising from employment and immigration laws, tax laws and regulations relating to health and safety at work | identification data data related to the employee’s position salary data and related financial data info on insurance and indemnity, info on the social security system health data | Processing is necessary in order to comply with the legal obligations applicable to ORCID. |
OBJECTIVES OF THE PROCESSING | TYPE OF PERSONAL INFORMATION | BASIS FOR PROCESSING |
Protective Measures Detection or prevention of any inappropriate behavior or violation of the ORCID rules, including the protection of our intellectual property, confidential information and other tangible and intangible property. | identification data data related to the employee’s position info on asset use and company systems | Processing is necessary for the purposes of the legitimate interests of ORCID, for which an interest in the protection of the assets of a company. |
Legal Proceedings For the purposes of any potential and / or ongoing litigation or inquiries concerning us or one of our Group companies, representatives of the company | identification data data related to the employee’s position info on asset use and company systems | Processing is necessary for ORCID’s legitimate interests to claim ORCID’s rights against third parties or to defend against third party claims against ORCID in a possible litigation or to defend and meet the requirements of an administrative inquiry. |
Data Sharing With Third-Parties and Third-Party Processors
The Personal Information will be processed by the ORCID manually and automatically by third-parties engaged by the ORCID to process employee Personal Information. ORCID may share your Personal Information with the third parties who need to perform these processing activities.
The current list of recipients of personal data is available upon request from the People Operations Manager.
Transfers of Personal Information Outside of the EU
In order to keep the headquarters of ORCID informed, all categories of Personal Information outlined in this Privacy Notice may be transferred to ORCID’s HRIS, located within the United States of America.
ORCID takes commercially reasonable measures to confirm that Personal Information transferred outside of the EU is provided with adequate security measures and protected from unauthorized access. Further, to the extent that ORCID uses any third-party processors (see above), ORCID will enter into appropriate standard contractual clauses or other contractual arrangements to ensure appropriate protection as required under the GDPR.
Security Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ORCID (and any of its affiliates) shall in relation to the Personal Information implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
How Long We Maintain Your Data (i.e., Duration of Processing and Data Retention)
ORCID will not maintain your Personal Information longer than is necessary for the purpose for which it was collected. ORCID will process Personal Information of the employee for the duration of the employment relationship between ORCID and the employee and furthermore for the period of six (6) years from the date of termination of the employment relationship, unless required to maintain the Personal Information for a longer period under any legal obligation. The employee’s Personal Information and documents may further be processed if necessary, for the determination, exercise or defense of ORCID’s legal claims or for a period that is required by law.
Your Rights
Under various data privacy regulations, employees (as data subjects) have various rights regarding the Personal Information that is processed by ORCID.
Right to Access
Employees have the right to access their personal data processed by ORCID. Specifically, you have the right to access any Personal Information that ORCID processes about you and to request information about:
- What personal data we hold about you;
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients to whom the personal data has/will be disclosed;
- How long ORCID intends to store your personal data for; and
- If we did not collect the data directly from you, information about the source.
You have the right to obtain from ORCID personal data relating to you, which was provided to ORCID by you. ORCID shall, upon your request, provide you with data without an undue delay in a structured, commonly used and machine-readable format. This right does not apply to Personal Information which is not processed automatically.
Furthermore, in addition to the right to access personal data, you have the rights of rectification or erasure, or limitation of processing, and the right to object to the processing of such data.
Right to Rectification
If you believe that ORCID holds any incomplete or inaccurate data about you, you have the right to ask ORCID to correct and/or complete the information and ORCID will strive to do so as quickly as possible unless there is a valid reason for not doing so, at which point you will be notified.
Rights to Erasure (Delete), Restrict or Object
You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws; as well as to object to any direct marketing from ORCID.
Other Rights
Where applicable, you have the right to data portability of your information and the right to be informed about any automated decision-making ORCID may use.
Data Subject Requests
In order to exercise your rights under this Privacy Notice and applicable data protection laws, you may send an email to ORCID’s People Operations Manager.
If ORCID receives a request from you to exercise any of the above rights, ORCID may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.
Data Subject Complaints
You have the right to file a complaint with a Supervisory Authority regarding any of the rights outlined above. The Supervisory Authorities are charged with ensuring compliance with the applicable data protection laws. To find the contact information for your EU Supervisory Authority, please visit the European Commission’s website, found here: https://edps.europa.eu/data-protection_en.
Consequences of Not Providing Your Data
You are not obligated to provide your Personal Information to ORCID. However, as this information is required for ORCID to employ you, ORCID may not be able to extend an offer of employment or employ you without the provision of certain Personal Information.
Keeping Your Personal Information Secure
ORCID uses commercially reasonable security measures to prevent Personal Information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your Personal Information to those who have a genuine business need to know it. Those processing your Personal Information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Privacy Contact Information
ORCID has appointed/designated a Data Protection Officer/Appointed Person that is responsible for data protection:
Name: Will Simpson
Title: Director, Technology
Email: w.simpson@orcid.org
Address: ORCID Inc., 10411 Motor City Drive, Suite 750, Bethesda MD 20817, USA
Changes
This Privacy Notice was published on 20 August 2021 and last updated on 20 August 2021. We may change this Privacy Notice from time to time, when we do we will inform you via e-mail.