TimeClock Plus
Privacy Policy

TimeClock Plus, LLC

Global Data Privacy Policy

Effective June 1, 2018
Last Updated September 3, 2019

TimeClock Plus, LLC (“TCP”), maker of TimeClock Plus, is a Workforce Management (WFM) provider that processes a vast amount of Personal Data. We process the personal data of our Clients’ employees on behalf of our Clients and of our business contacts. In order to provide the highest level of data protection, TCP has adopted the provisions of this Global Data Privacy Policy (“Privacy Policy”) for processing Client employee data and business contact data. In addition, TCP has implemented policies for processing Personal Data of TCP employees.

Please read this Privacy Policy carefully to learn how we collect, use, and otherwise process information relating to individuals ("Personal Data"), and your rights and choices regarding our processing of your Personal Data.

TimeClock Plus, LLC Privacy Policy for Business Contacts

This Privacy Policy explains how TCP, (hereinafter “we”, “our”), use and disclose Personal Data that we collect from Individuals who visit our websites and otherwise engage with us in business activities. This Privacy Policy also incorporates TCP’s Privacy Policy for Business Data, which includes detailed information about how we processes data of our Business Contacts and the commitments we have made to protect that data. If you have additional questions about privacy please contact us at Privacy@TimeClockPlus.com.

For information on how TCP protects the Personal Data we process for Clients, please see the TCP’s Privacy Policy for Client Employees.

  1. Types of Personal Data

    This Privacy Policy explains our practices with regard to Personal Data collected by TCP for its own Business Purposes. Personal Data is any information that can be used to identify, locate or contact you. Some examples of Personal Data collected directly by TCP include:

    1. If you express an interest in obtaining additional information about our services, request customer support, use our "Contact Us" or similar features, sign up for an event or webinar, or download certain content, we generally require you to provide us with your contact information, such as your name, job title, company name, address, phone number, or email address;
    2. If you make purchases of our products or register for an event, we may also require you to provide us with financial information and billing information, such as billing name and address, credit card number, or bank account information;
    3. If you attend an event, we may, upon your consent, scan your attendee badge which will provide us with your name, title and company name, address, country, phone number and email address;
    4. If you use our products we may ask you to provide a first name, last name, username, and password;
    5. If you use and interact with our website or products, we automatically collect log files and other information about your device and your usage of our website and products through cookies, web beacons or similar technologies, such as IP-addresses or other identifiers, which may qualify as Personal Data (view the "What device and usage data we process" section below); and
    6. If you visit our offices, you may be required to register as a visitor and to provide your name, who you are visiting, company name, and time and date of arrivals.

    1.1 We may also collect information about you from other sources, including third parties from whom we have purchased Personal Data, and combine this information with Personal Data provided by you. This helps us to update, expand and analyze our records, identify new customers, and create more tailored advertising to provide services that may be of interest to you. In particular, we collect the following data from third party sources:

    1. Business Contact information, including mailing address, job title, email address, phone number, ‘intent data’ which is web user behavior data, IP addresses, social handles, LinkedIn URL and custom profiles from third party data providers for the purposes of targeted advertising, delivering relevant email content, event promotion, and profiling.

    Personal Data also includes other information that may be associated with your Personal Data.

  2. How TCP Collects Personal Data

    In most cases, we collect Personal Data directly from you. We will ask you for Personal Data when you interact with us, such as registering on our websites, signing up to receive a newsletter, making a purchase, signing up to receive marketing communications, or to provide TCP with services, goods or products. We may collect additional information from Third Party data suppliers who enhance our files and help us better understand our contacts.

    If you interact with us online, we use cookies, web beacons, and other technological tools to collect information about your computer and your use of our website and applications. We treat this information as Personal Data when it is associated with your contact information. For more information about cookies and other technologies, please see the section Cookies and Other Data Collection Technologies below.

  3. How TCP uses Personal Data
    TCP uses your Personal Data for the following Business Purposes:
    1. Personal Data pertaining to Professionals with whom TCP has a business relationship may be processed as needed:
      1. To initiate, assess, develop, maintain, or expand a business relationship, including negotiating, contracting, and fulfilling obligations under contracts;
      2. For due diligence regarding the Individual’s qualifications and eligibility for the relationship, including verifying the identity, qualification, authority, and creditworthiness of the Professional and obtaining publicly-available information from Third Parties (such as publicly-available sanction lists from screening companies); 
      3. To send transactional communications (such as requests for information, responses to requests for information, orders, confirmations, training, and service updates); 
      4. For account management, accounting, finance, and dispute resolution purposes (such as accounts receivable, accounts payable, account reconciliation, cash management, or money movement) and for consolidated management and reporting;
      5. To assure quality control and to enforce company standards and policies; 
      6. For risk management and mitigation, including for audit and insurance functions, and as needed to license and protect intellectual property and other assets; 
      7. For security management, including monitoring Individuals with access to TCP’s websites, applications, systems, or facilities, investigation of threats, and as needed for any Data Security Breach notification; and
      8. To anonymize or de-identify the Personal Data.
    2. Personal Data pertaining to Consumers and other Individuals with whom TCP has a business relationship may be processed as needed:
      1. To provide the information, product, or service requested by the Individual, and as would be reasonably expected by the Individual given the context in which the Personal Data were collected, and the information provided in the applicable privacy statement given to the Individual (such as for personalization, remembering preferences, or respecting Individual rights);
      2. For due diligence, including verifying the identity of the Individual, as well as the eligibility of the Individual to receive information, products, or services (such as verifying age, employment, or account status);
      3. To track job applicants for the purposes of recruiting, interviewing, and onboarding;
      4. To send transactional communications (such as requests for information, responses to requests for information, orders, confirmations, training materials, and service updates); 
      5. To manage the Individual’s account, such as for customer service, finance, and dispute resolution purposes;
      6. For risk management and mitigation, including for audit and insurance functions, and as needed to license and protect intellectual property and other assets, 
      7. For security management, including monitoring Individuals with access to TCP’s websites, applications, systems, or facilities, investigation of threats, and as needed for any Data Security Breach notification; and 
      8. To anonymize or de-identify the Personal Data.
    3. TCP may process Personal Data as needed (i) to protect the privacy and security of the Personal Data it maintains, such as in connection with advanced security initiatives and threat detection; (ii) for treasury operations and money movement activities; (ii) for compliance functions, including screening Individuals against sanction lists in connection with anti-money laundering programs; (iv) for business structuring activities, including mergers, acquisitions, and divestitures; and (v) business activities, management reporting, and analysis.
    4. TCP may process Personal Data to develop and improve TCP’s products and/or services, and for research, development, analytics, and business intelligence.
    5. TCP may process Personal Data for relationship management and marketing. This purpose includes sending marketing and promotional communications to Individuals who have not objected to receiving such messages as may be appropriate given the nature of the relationship, such as product and service marketing, investor communications, Client communications (e.g., compliance alerts, product updates, and training opportunities and invitations to TCP events), customer satisfaction surveys, supplier communications (e.g., requests for proposals), corporate communications, and TCP news.
    6. TCP uses your Personal Data for Secondary Purposes such as:
      1. Disaster recovery and business continuity, including transferring the information to an Archive;
      2. Internal audits or investigations;
      3. Implementation or verification of business controls;
      4. Statistical, historical, or scientific research;
      5. Dispute resolution;
      6. Legal or business counseling;
      7. Compliance with laws and company policies; and
      8. Insurance purposes.
    7. TCP uses systems to store and process your Personal Data such as:
      1. Customer Relationship Management System (CRM);
      2. Applicant Tracking System (ATS);
      3. Mass Marketing Email Tools;
      4. Workforce Management Application (WFM);
      5. Technical Support Ticketing System;
      6. Project Management Tool;
      7. Email and Email Archive Servers;
      8. Phone Call Recording Application;
      9. Public Forums (Online Communities and Social Media);
      10. Instant Messaging Applications; and
      11. Relational Databases.
  4. Why and How Personal Data is Disclosed by TCP

    TCP commits to not provide your Personal Data to Third Parties for their own marketing purposes. We limit our sharing of your Personal Data to:

    1. Our service providers, who are bound by law or contract to protect your Personal Data and only use your Personal Data in accordance with our instructions.
    2. Our business partners, but only to the extent you have purchased product or service from such partner, interacted with such partner, or otherwise authorized the sharing. For example, if you are referred to TCP from a business partner website, we may provide that partner with your contact information and certain economic and financial information to validate the referral.
    3. Enforce our rights, protect our property, or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions. We will also disclose Personal Data when required to do so by law, such as in response to a subpoena, including to law enforcement agencies and courts in the United States and other countries where we operate.

    Please note that we may also use and disclose information about you that is not personally identifiable. For example, we may publish reports that contain aggregated, anonymized and statistical data about our Clients. These reports do not contain information that would enable the recipient to contact, locate or identify you. These reports also do not contain identifiable company information.

  5. Cookies and Other Data Collection Technologies

    When you visit our website or use our mobile applications, we collect certain information by automated means, using technologies such as cookies, pixel tags, browser analysis tools, server logs and web beacons. For example, when you visit our website, we place cookies on your computer.

    Cookies are small text files that websites send to your computer or other Internet-connected device to uniquely identify your browser or to store information or settings in your browser. Cookies can contain and/or automatically collect information, such as a user identification code or IP address, which a website will use to track the pages and number of times you have visited, allowing us to recognize you when you return. They also help us provide a customized experience and enable us to detect certain kinds of fraud. The data read from these cookies may be linked to personally identifying (PII) and non-personally identifying (non-PII) information. In many cases, you can manage cookie preferences and opt-out of having cookies and other data collection technologies used by adjusting the settings on your browser. All browsers are different, so visit the “help” section of your browser to learn about cookie preferences and other privacy settings that may be available.

    We and our partners use cookies and similar technologies on the website to personalize and optimize your browsing experience and the Website by:

    1. Providing you tailored content and advertisements (see below for more information);
    2. Enabling social media features;
    3. Safeguarding against spam and malware;
    4. Analyzing trends, traffic, and user behavior;
    5. Administering the website;
    6. Gathering demographic information about our user base as a whole;
    7. Tracking web and advertising analytics throughout the Website and its affiliate websites;
    8. Remembering your preferences and voluntarily-submitted information (e.g. custom video playlists, preferences, job title, story ratings, membership status);
    9. Performing location-related functionalities and analytics;
    10. Participating in market research (e.g., website ratings); and
    11. Educating ourselves about how we can continue to improve the Website and its various elements.

    Cookies fall into the subcategories below.

    1. Essential Cookies. Certain cookies are used for specific purposes that are essential to your secure use and navigation of the website. Without them, TCP may not be able to provide core website functions and features to you, and the website would not operate as well as you or TCP would like. These cookies collect and use information such as your server preferences, single-session data and corresponding identifier, web beacons and log files (detailed below), and other credential-related information. For EU individuals, essential cookies also help inform TCP whether you require, or have already been served, an affirmative consent request in connection with the GDPR. Essential cookies include analytics cookies, which provide us data that allows TCP to better understand its users and improve the Website based on what we have learned from that data.
    2. Preference Cookies. Other cookies are used to collect and process information about your preferences and similar choices in connection with the website in order to optimize your browsing. Preference cookies include social media cookies, which collect information about your social media usage and other data you may have provided in connection with such usage (if you access the website through a social media website or mobile application, you may have social media cookies). If you wish to modify or change your social media cookies, please visit and review the settings on your applicable social media account(s).
    3. Advertising Cookies. To help support the website and further tailor your experience, TCP and its advertising partners (and/or their third party analytics providers) also use cookies on the website to personalize the content and advertisements you may be shown. These Third Party advertising companies place advertisements on our website and other websites, and perform tracking and reporting functions for our website and other websites. These Third Party advertising companies may place cookies on your computer when you visit our website or other websites so they can display targeted advertisements to you. These Third Party advertising companies do not collect Personal Data in this process, and we do not give Personal Data to them as part of this process. This Privacy Policy does not cover the collection methods or use of the information collected by these vendors. For more information about Third Party advertising, please visit the Network Advertising Initiative (NAI) at www.networkadvertising.org. You may opt out of being targeted by many Third Party advertising companies by visiting http://bit.ly/2Ig9IgT or http://preferences.truste.com/truste/

    TCP uses Google Analytics as a Third Party vendor. For information on how Google Analytics uses data, please visit “How Google uses data when you use our partners sites or apps”, located at http://bit.ly/2jXZ13Y.

    We encourage you to consider keeping your cookies enabled, as if you choose to disable the receipt of cookies from our website, you may not be able to use or benefit from certain features of the website, particularly the features that are designed to personalize your experience.

    Most web browsers automatically accept cookies, but generally allow users to modify their browser settings to display a warning before accepting a cookie, to accept cookies only from certain websites, and/or to refuse all cookies.

    Pixel tags and web beacons are tiny graphic images placed on website pages or in our emails that allow us to determine whether you have performed a specific action. When you access these pages or open or click an email, the pixel tags and web beacons generate a notice of that action. These tools allow us to measure response to our communications and improve our web pages and promotions.

    In many cases, the information we collect using cookies and other tools is only used in a non-identifiable way, without reference to Personal Data. For example, we use information we collect about website users to optimize our websites and to understand website traffic patterns. In some cases, we do associate the information we collect using cookies and other technology with your Personal Data. This Privacy Policy applies to the information when we associate it with your Personal Data.

    Although our website does not currently have a mechanism to recognize the various web browser Do Not Track signals, we do offer Individuals choices to manage their preferences that are provided in the previous sections above. We do expect our Third Party adverting partners to use reasonable efforts to respect browser Do Not Track signals by not delivering targeted advertisements to website visitors whose browsers have a Do Not Track setting enabled. However, we understand that some companies do not have this capability today. To learn more about browser tracking signals and Do Not Track please visit http://www.allaboutdnt.org/.

  6. Mobile Applications

    TCP offers mobile applications that allow you to access aspects of your Personal Data, interact with our product and receive notifications via your mobile device. Personal Data collected by TCP via our mobile applications is protected by the terms of this Privacy Policy or our Privacy Policy for Client Employees, as applicable.

  7. Communication Preferences

    You may limit the information you provide to TCP. You may also limit the communications that TCP sends to you. To opt-out of commercial emails, simply click the link labeled “unsubscribe” at the bottom of any email we send you. Additionally, you may opt-in or opt-out of communications by calling us at +1 (325) 223-9500.

    Please note that if you are currently receiving services from TCP and you have decided to opt-out of promotional emails, this will not impact the messages we send to you for purposes of delivering such services.

    If you have questions about your choices or if you need assistance with opting-out, please contact us via email to Privacy@TimeClockPlus.com. You may also write us at the address in the How to Contact Us section below. If you send us a letter, please provide your name, address, email address, and detailed information about the communications that you do not wish to receive. If the letter is not clear, we may need to contact you for clarification of your wishes.

  8. Review, Correction, Erasure, and Other Individual Rights

    TCP respects your right to review, correct, and delete your Personal Data, or object to the processing of your Personal Data. You may contact Privacy@TimeClockPlus.com to request access to your data, and to exercise any of the individual rights afforded to you by TCP’s Privacy Policy for Business Data, or by applicable data protection laws and regulations. You may also write to us at the address in the How to Contact Us section below. If you send us a letter, please provide your name, address, email address, and detailed information about the changes you would like to make. TCP will receive, investigate, document, and respond to requests as soon as possible (30 days under GDPR) and in accordance with applicable data protection laws and regulations. These data subject requests will be documented in our ticketing system using relevant information which include name of the requestor, date of request, date and body of response(s) and any supporting documentation. In cases where the request cannot be fulfilled by TCP, any third-party processing relevant data will be contacted and notified of the required correction and/or erasure; however taking into consideration some instances where it may not be possible to complete the request because the third-party is no longer in business or it was acquired by another company and the effort would be disproportionate or impossible.

    Although rights to data erasure are honored, in some cases such requests maybe denied under the following grounds such as the data is still needed for processing, the data subject gave consent but has not withdrawn consent; there has been a previous processing objection that has been granted; the data was processed lawfully, or there is a not a legal requirement to delete the data. However, even if one of these five grounds are valid, TCP may still reject the request if it needs access to the data to comply with a law, defend a legal claim or for research/historic/scientific purposes (a).

    Finally when a request necessitates data to be exported as part of fulfilling a subject’s inquiry, Comma delimited files (CSV) will be generated by TCP unless not possible in which case a suitable alternative maybe presented.

  9. Information Security

    TCP is committed to maintaining the appropriate organizational, technical, and physical controls to protect Personal Data entrusted to TCP. These controls protect Personal Data from the anticipated threats and hazards as well an unauthorized access and use. In each case, TCP will strive to provide security that is proportional to the sensitivity of the Personal Data being protected, with the greatest effort being focused on protecting Sensitive Personal Data and other Personal Data whose compromise could result in substantial harm or inconvenience to the Individual.

    Please note that you should also take steps to protect yourself, especially online. When you register a TCP product, choose a strong password, and do not use the same password that you use on other sites. Do not share your password with anyone else. TCP will never ask you for your password in an unsolicited phone call or in an unsolicited email. Also remember to sign out of the product and close your browser window when you have finished your work. This is to ensure that others cannot access your Personal Data and correspondence if others have access to your computer.

  10. Data Retention

    TCP will only retain your information for as long as necessary for the Purposes for which the Personal Data is processed. TCP has implemented a Data Retention Policy and has established records retention schedules for all types of Personal Data that TCP processes. Personal Data is retained in accordance with the records retention schedules to ensure that records containing Personal Data are retained as needed to fulfill the applicable Business Purposes, to comply with applicable laws, or as advisable in light of applicable statutes of limitations. When the retention period has expired, records containing Personal Data will be securely deleted or destroyed, de-identified, or transferred to archive, in accordance with TCP’s Data Retention Policy.

  11. Prohibition of International Data Transfers

    TCP is headquartered in the United States of America. Your Personal Data may be stored and processed by TCP in the United States but will not be shared, transferred, or stored outside of the United States.

  12. Privacy Statements of Third Parties

    This Privacy Policy only addresses the use and disclosure of information by TCP. Our Suppliers, Business Partners, and other Third Party websites that may be accessible through our TimeClockPlus.com website have their own privacy statements and data collection, use and disclosure practices. We encourage you to familiarize yourself with the privacy statements provided by Third Parties prior to providing them with information or taking advantage of an offer or promotion.

    This Privacy Policy does not address non-affiliated Third Party websites or services that may collect your Personal Information and attempt to sell your Personal Information to TCP. Examples of these websites and services include software advice websites, tradeshow attendee list resellers, and others. We encourage you to familiarize yourself with the privacy statements provided by Third Parties prior to providing them with information or taking advantage of an offer or promotion.

  13. Forums, Product Reviews and Other Public Areas

    Our websites, including social media, may provide forums and other public areas where you may communicate with others and publicly post information. Prior to posting in these areas, please read the Terms of Use carefully. The information you post may be accessible to anyone with Internet access, and Personal Data you include in your posting may be read, collected, and used by others. For example, if you post your email address on a forum or in a public area, you may receive unsolicited messages from Third Parties. Please use caution when posting Personal Data.

  14. Job Applicants

    If you have applied for employment with TCP, the Personal Data submitted with your job application will be added to our applicant tracking system and used for recruitment and other customary human resources purposes in accordance with our TCP Applicant Privacy Policy. In addition we have determined we have a legitimate interest performing recruiting activities which involve data subjects applying for a job posting in order to be considered for a position in our company.

    Upon assessment it is deemed that the rights and freedoms of the data subjects are not overridden during the process of gathering applicant’s information for the purposes of finding qualified candidates. Also individuals submitting a job application do so as part of the application for employment process.

    We conclude that legitimate interest is therefore the most appropriate basis for collecting and processing data subject information as part of the HR recruitment process and we understand the responsibility to protect the individual's interest.

    The processing is necessary and there is no less intrusive manner to proceed and we only use the data in reasonably expected ways. Also it is not used in a way that could cause harm. We will ensure opt out option is always available in addition to the commitments made under the data retention policy in the global data privacy policy. Finally we maintain and keep record of our legitimate interest assessment as part of the justification process.

    TCP respects your right to review, correct, and delete your Personal Data, or object to the processing of your Personal Data. You may contact Privacy@TimeClockPlus.com to request access to your data, and to exercise any of the individual rights afforded to you by TCP’s Privacy Policy for Business Data, or by applicable data protection laws and regulations. You may also write to us at the address in the How to Contact Us section below. If you send us a letter, please provide your name, address, email address, and detailed information about the changes you would like to make. TCP will receive, investigate, document, and respond to requests as soon as possible and in accordance with applicable data protection laws and regulations.

  15. Withdraw of Consent

    TCP respects your right to withdraw consent to collect and process your Personal Data. You may contact Privacy@TimeClockPlus.com to request access to your data, and to exercise any of the individual rights afforded to you by TCP’s Privacy Policy for Business Data, or by applicable data protection laws and regulations. You may also write to us at the address in the How to Contact Us section below. If you send us a letter, please provide your name, address, email address, and detailed information about the changes you would like to make. TCP will receive, investigate, document, and respond to requests as soon as possible and in accordance with applicable data protection laws and regulations.

  16. Your California Privacy Rights: Notice to California Customers

    If you are a California resident, California's "Shine the Light" law, Civil Code sections 1798.80 – 1798.84, includes provisions for securing and disposing of Personal Data, notifying you of a breach of your Personal Data, and for responding to requests by you asking about the businesses' practices related to disclosing Personal Data to Third Parties for the Third Parties' direct marketing purposes. In accordance with this Privacy Policy, TCP complies with California Civil Code sections 1798.80 – 1798.84. TCP does not share your Personal Data with Third Parties for the Third Parties' direct marketing purposes. For more information about your rights under California’s Civils Code sections 1798.80 – 1798.84 please visit https://leginfo.legislature.ca.gov.

  17. Individuals Located in the European Economic Area (EU Data Subjects)

    In addition to the rights already listed in this Privacy Policy under Section 8, you also have the right to data portability, as well as the right to be notified of automated decision making or profiling related to your Personal Data.

  18. Children

    TCP websites, related marketing channels and materials are not directed at children. We do not knowingly collect Personal Data from children under the age of 16. If you are a parent or guardian and believe your child has provided TCP with Personal Data without your consent, please contact us by using the information in the “How to Contact Us” section 20, below, and we will take necessary steps to remove such Personal Data from our systems.

  19. Changes to this Privacy Policy

    From time to time, we may update this Privacy Policy to reflect new or different privacy practices. Please review our website periodically to check for the latest changes. Under “Last Updated” you can see the date on which this Privacy Policy was last posted.

  20. How to Contact Us

    Please contact us if you have questions, or comments, at Privacy@TimeClockPlus.com. You may reach us via mail at address below. If you send us a letter, please provide your name, address, email address, and detailed information about your question, comment, or complaints. Letters can be sent to:

    TimeClock Plus, LLC
    Attn: Legal
    1 Time Clock Dr.
    San Angelo, TX 76904; USA

  21. How to Lodge a Complaint

    If you believe that TCP has not handled your Personal Data properly or that it has breached its privacy obligations, under any applicable data protection laws or the TCP Privacy Policy for Business Data, you may file your complaint in writing to the address above, or via email, to TCP at Privacy@TimeClockPlus.com. TCP will receive, investigate, and document each complaint and respond to the Individual within a reasonable timeframe of the outcome of the investigation. If you are not satisfied with the results of the investigation by TCP, you may lodge a complaint directly with the designated Data Protection Officer.

    By Email:
    Data Protection Officer
    DPO@TimeClockPlus.com

    By Mail:
    TimeClock Plus, LLC
    Attn: Data Protection Officer
    1 Time Clock Dr.
    San Angelo, TX 76904; USA<

    EU Data Subjects See Section Entitled TimeClock Plus, LLC Privacy Policy for Human Resources & Client Data Processing for EU Data Subjects.

    References:

    (a) https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

TimeClock Plus, LLC Privacy Policy for Business Data

  1. Introduction

    TCP has adopted a Global Data Privacy Policy (“Privacy Policy”) as a legally binding set of internal rules to be recognized by the European Union (EU) Data Protection Authorities (DPAs). The Privacy Policy ensures a consistent approach to privacy and data protection across TCP.

  2. Scope and Applicability

    The TCP Privacy Policy for Business Data indicates the commitments TCP has implemented for Processing Personal Data pertaining to those Individuals with whom TCP has a business relationship (e.g., Individuals who represent TCP’s Clients, Suppliers and Business Partners, other Professionals, and Consumers) and other Individuals whose Personal Data are processed by TCP in the context of its business activities as a Data Controller.

  3. Implementation

    The effective date of the TCP Privacy Policy for Business Data is June 1, 2018. TCP will implement the TCP Privacy Policy for Business Data across the relevant TCP Departments within six (6) months of the effective date.

  4. TCP Business Data Policy Principles

    The TCP Privacy Policy for Business Data is based on a set of data protection principles outlined below.

    4.1 Business Purposes for Processing Personal Data
    Personal Data may be processed by TCP in the context of its business operations for one or more of the following Business Purposes:

    1. Business Purposes for Processing Personal Data pertaining to Professionals:
      1. Business relationship management;
      2. Business relationship due diligence;
      3. Transactional communications;
      4. Account management;
      5. Quality control;
      6. Risk management;
      7. Security management; and
      8. Anonymize or de-identify Personal Data.
    2. Business Purposes for Processing Personal Data pertaining to Consumers and other Individuals:
      1. Provide requested information, products or services;
      2. Due diligence;
      3. Transactional communications;
      4. Account management;
      5. Risk management;
      6. Security management; and
      7. Anonymize or de-identify Personal Data.
    3. Business-necessary Processing activities.
      1. Protect privacy and security;
      2. Troubleshooting of products and services;
      3. Compliance;
      4. Business structuring activities; and
      5. Reporting and analysis.
    4. Development and improvement of products and/or services; and
    5. Relationship management and marketing.

    4.2 Use for Other Purposes
    Personal Data may be processed for a secondary purpose, similar to the legitimate Business Purpose, provided appropriate additional measures are taken. It is generally permissible to Process Personal Data for the following purposes (even if not listed as a Business Purpose), provided appropriate additional measures are taken:

    1. Disaster recovery and business continuity, including transferring the Information to an Archive;
    2. Internal audits or investigations;
    3. Implementation or verification of business controls;
    4. Statistical, historical, or scientific research;
    5. Dispute resolution;
    6. Legal or business counseling;
    7. Compliance with laws and company policies; or
    8. Insurance purposes.

    4.3 Purposes for Processing Special Categories of Data
    The following Special Categories of Data may be processed by TCP for the purposes specified below:

    1. Special Categories of Data revealed by Photographic Images. Photographic images and video recordings may be processed for security, compliance and other legitimate Business Purposes, such as participating in video conferences.
    2. Racial or ethnic data. TCP may Process racial and ethnic data as needed to facilitate affirmative action, supplier diversity, and other inclusion programs.
    3. Criminal data (including data relating to criminal behavior, criminal records, or proceedings regarding criminal or unlawful behavior). TCP may Process criminal data as needed to conduct appropriate due diligence on Individuals (employees, partners, and contractors) and in connection with security and compliance activities as needed to protect the interests of TCP.
    4. Physical or mental health data. TCP may Process physical or mental health data as needed to accommodate a person’s disability or dietary needs, address emergency health needs, or in similar circumstances.
    5. Biometric data (such as fingerprints). TCP may Process biometric data for the protection of TCP and Staff assets, time and attendance, system and site access, security and fraud prevention reasons.
    6. Religion or beliefs. TCP may Process data pertaining to religion or beliefs as needed to meet an Individual’s specific needs, such as accommodating dietary requests (for kosher or halal meals) or respecting religious holidays.

    Special categories of data may be processed for any other legitimate purpose, if TCP obtains the prior explicit consent of the Individual.

  5. Quantity and Quality of Data

    TCP has established and implemented retention schedules so that records containing Personal Data are only retained as needed to fulfill the applicable Business Purposes, to comply with applicable legal requirements, or as advisable in light of applicable statutes of limitations. For more information see our Data Retention Policy.

    Personal Data should be accurate, complete, and kept up-to-date to the extent reasonably necessary for the applicable Business Purposes. It is the responsibility of Individuals to ensure that their Personal Data is accurate, complete, and up-to-date.

  6. Individual Rights of Access, Rectification and Objection

    Individuals have the right to request a copy of the Personal Data maintained by or on behalf of TCP unless otherwise prohibited by law. If the personal data is incorrect, incomplete, or not processed in compliance with applicable law or the TCP Privacy Policy for Business Data, the Individual has the right to have the personal data rectified, restricted, or erased (as appropriate) unless otherwise prohibited by law.

    Additionally, Individuals have the right to object to a) the Processing of their Personal Data on the basis of compelling grounds related to their particular situation, or b) receiving direct marketing communications (opting-out). Restrictions may be lifted if TCP temporarily restricted processing based on one or more of the following grounds such as dispute about data accuracy, dispute about lawfulness of processing, TCP is in the process of reviewing an objection request, and the basis for restriction has been resolved; the data subject will also be notified about the removal of the restriction via email or mail. In addition once a restriction has been implemented, processing can only resume if explicit consent is granted by the data subject or if the data subject initiates a requests to lift the original restriction and there is no conflict with applicable laws and regulations.

    Information about the process for submitting an Individual Rights Request can be found in Article 8 of the TCP Privacy Policy for Business Contacts.

  7. Security and Confidentiality Requirements

    TCP has implemented commercially reasonable and appropriate technical, physical, and organizational measures to protect Personal Data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition, or access.

    Access to Personal Data will be authorized only to the extent necessary to serve the applicable Business Purposes and TCP Staff with access to Personal Data will be subject to background screenings, confidentiality obligations, and routine data privacy training.

    TCP shall investigate all known or suspected Data Security Breaches and shall document the facts relating thereto as part of a coordinated effort along with its Cybersecurity insurance policy provider, its effects and the remedial actions taken. TCP working in conjunction with its Cybersecurity insurance policy provider shall notify Individuals of a Data Security Breach within a reasonable period of time as documented in our Incident Response and Breach Notification Policy and following determination of such Data Security Breach if (a) the Individual is at a high risk of harm as a result of the Data Security Breach or, (b) (even if the Individual is not at a high risk of harm), if an applicable breach notification law requires Individual notification. TCP complies with all applicable regulatory requirements for any breach notification and have contracted the services of qualified third-party providers to perform incident response and required breach notifications through a comprehensive Cybersecurity insurance policy.

    While TCP takes all reasonable and practical steps to mitigate the risk to individuals, individuals may be subject to risks related to identify theft or fraud, damage to reputation, loss of confidentiality.

  8. Direct Marketing

    TCP respects the choices of Individuals and provides Individuals the choice to opt-in and opt-out of direct marketing. TCP will send direct marketing materials if the Individual has provided opt-in consent or if Applicable Law permits TCP to send marketing communications without explicit consent based on an existing business relationship.

  9. Transfer of Personal Data to Third Parties and Internal Processors

    TCP may transfer Personal Data to a Third Party and to Internal Processors to the extent necessary to serve the applicable Business Purposes. TCP will only transfer Personal Data to a Third Party or to an Internal Processor if a written contract has been entered into with TCP ensuring that the same level of data protection will be applied as described in the TCP Privacy Policy for Business Data. Third Parties may include:

    1. Commercial Data Centers;
    2. Customer Relationship Management System (CRM);
    3. Applicant Tracking System (ATS);
    4. Mass Marketing Email Tools;
    5. Workforce Management Applications (WFM);
    6. Technical Support Ticketing System;
    7. Project Management Tools;
    8. Email and Email Archive Servers;
    9. Public Forums (Online Communities and Social Media); and
    10. Instant Messaging Applications.
  10. Governance

    TCP’s privacy program is managed by TCP’sChief Operating Officer and the Legal team. TCP has implemented a Data Privacy Committee comprised of the Chief Operating Officer, all Privacy Stewards, and the Data Protection Officer, who is in charge of privacy compliance within their respective states, countries, Business Units, or Functional areas.

    Privacy Stewards are Executives who have been appointed by TCP senior leaders to implement and enforce compliance with TCP’s Privacy Policy within their respective Business Units or Functional areas.

  11. Training

    All TCP Staff with access to or responsibilities for Processing Personal Data are required to complete annual Data Privacy Training through TCP’s Learning Management System.

  12. Monitoring and Audit

    TCP audits business processes and procedures that involve the Processing of Personal Data for compliance with the TCP Privacy Policy for Business Data on a regular basis. Additionally, TCP will allow its Processing facilities to be audited by the Lead Data Protection Authority and DPAs of an EEA Country, as defined in the TCP Privacy Policy for Business Data.

    The Global Chief Privacy Officer shall produce an annual report for the TCP Executive Committee on compliance with the TCP Privacy Policy for Business Data, privacy, data protection risks, and other relevant issues.

  13. Complaints Procedure

    Individuals covered by the TCP Privacy Policy for Business Data may file a written complaint if they suspect that TCP has violated the commitments made in the TCP Privacy Policy for Business Data, as further defined in the TCP Privacy Policy for Business Data.

    Complaints must be submitted in writing to TCP. Complaints may be submitted via email to Privacy@TimeClockPlus.com or via mail to:

    TimeClock Plus, LLC
    Attn: Legal
    1 Time Clock Dr.
    San Angelo, TX 76904; USA

    Individuals may also file a complaint or claim with the relevant DPAs or the Courts.

    EU Data Subjects See Section Entitled TimeClock Plus, LLC Privacy Policy for Human Resources & Client Data Processing for EU Data Subjects.

TimeClock Plus, LLC Privacy Policy for Client Employees

TCP’s Global Data Privacy Policy applies to all affiliates and employees worldwide. The Global Data Privacy Policy helps us ensure that Personal Data is handled properly. The Global Data Privacy Policy governs Personal Data collected by TCP for its own purposes as well as information provided to us as a processor for our Clients. It protects information collected online as well as offline. TCP is committed to protecting the privacy and security of Personal Data that we process in order to provide services to our Clients. We receive Personal Data from our Clients about their current, prospective and former employees as well as employee emergency contacts and family members. This Privacy Policy explains our practices with regard to the Personal Data we receive from our Clients as a processor.

  1. TCP Collection and Processing of Client Employees’ Personal Data

    TCP will collect and process your Personal Data only as instructed or permitted by our Client (your employer) or you. TCP maintains appropriate security controls to protect your information.

    For our Client employees located in the European Economic Area and in Switzerland, TCP has established a Global Data Privacy Policy for Client data processing services as required by the European Union Data Protection Authorities.

    TCP will disclose your personal data to your employer and to other entities when instructed by your employer. Examples of other entities include payroll processors, benefits administration providers, enterprise resource planning vendors, and others. We may disclose your personal data to our affiliates and third party processors as needed to provide the services that you and your employer have requested. These entities are contractually bound to limit the use of your personal data as needed to perform the services. We will also disclose personal data when required to do so by law, such as in response to a subpoena, including to law enforcement agencies and courts in the United States and other countries where we operate.

    If you have questions about your privacy rights, please contact your employer’s human resources department.

  2. Types of Personal Data TCP Processes for Clients

    TCP processes information about you from Clients for whom we store and process Personal Data. This data helps our Clients collect and analyze both demographic and time and attendance data for the management of their workforce. In particular, we process the following Personal Data for Clients:

    1. Personal Demographic Data includes username, password, first name, last name, address, email, phone number, job title, employee ID, taxpayer ID, gender, date or birth, hire date, termination date, language preference, payroll classification, employment classification, pay rates, work schedules, employment contracts, and labor union affiliation; and
    2. Personal Activity Data includes clock-in time, clock-out time, clock-in location, clock-out location, leave requests, including vacation, sick, and other third party defined leave reasons, leave accruals, FMLA cases, and hours worked.
  3. International Data Transfers

    Where authorized by your employer, TCP will transfer personal data pertaining to individuals located outside of the United States to our affiliates and suppliers in the United States, as permitted by the TCP Privacy Policy for Client Data Processing and pursuant to applicable data protection laws. Therefore, your Personal Data may be processed outside the European Economic Area (“EEA”), and in countries which are not subject to an adequacy decision by the European Commission and which may not provide for the same level of data protection in the EEA. In this event, we will ensure that such recipient offers an adequate level of protection, for instance by entering into standard contractual clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR), or we will ask you for your prior consent to such international data transfers. 

  4. Sensitive Personal Data

    In the ordinary course of its business, TCP processes sensitive personal data on behalf of your employer, such as social security numbers and dates of birth. TCP has implemented reasonable technical, physical and administrative safeguards to help protect the sensitive personal data from unlawful use and unauthorized disclosure. All TCP employees and contractors are required to follow these established procedures, both online and offline. Access to sensitive personal data is limited to those employees and contractors who have a need to access the information to perform tasks for TCP. TCP will only disclose sensitive personal data to those service providers, auditors, and/or advisors who are legally or contractually obligated to protect them or as required or permitted by law.

  5. How to Lodge a Complaint (European Economic Area (EEA), UK, and Switzerland Client Employees only)

    Client employees located in the EEA, UK, and Switzerland, as a third party beneficiary, may file a complaint in respect of a claim they have for violation of the TCP Privacy Policy for Client Data Processing or applicable law, by contacting TCP at Privacy@TimeClockPlus.com. TCP’s Data Protection Officer will receive, investigate, and document each complaint and respond to the Individual within a reasonable timeframe of the outcome of the investigation. 

    By Email:
    Data Protection Officer
    DPO@TimeClockPlus.com

    By Mail:
    TimeClock Plus, LLC
    Attn: Data Protection Officer
    1 Time Clock Dr.
    San Angelo, TX 76904; USA

    For more information on how to submit a complaint under the Privacy Shield Frameworks, please refer to the section entitled TimeClock Plus, LLC Privacy Shield Privacy Policy for Data Transferred to the United States from the EU/Switzerland/UK.

  6. Questions about Your Personal Data

    TCP is committed to transparency. We want individuals to understand how we collect and use personal data so they may interact with TCP with confidence. The materials provided in the Privacy Policy may help you find the information you need about privacy at TCP. If you have questions related to the content of this Privacy Policy, please contact us at Privacy@TimeClockPlus.com. As an employee of a TCP Client, please reach out to your employer for more information regarding the collection and processing of your Personal Data.

Data Retention Policy

  1. Purpose

    In accordance with applicable law, which makes it a crime to alter, cover up, falsify, or destroy any document with the intent of impeding or obstructing any official proceeding, this policy provides for the systematic retention and destruction of Personal Data collected by TCP in connection with the transaction of business and day to day operations.

    This policy covers all Personal Data regardless of physical form, including email, and contains guidelines for how long certain documents should be kept and how records should be destroyed. The policy is designed to ensure compliance with laws and regulations, to limit accidental or innocent destruction of records, and create consistency in the destruction of outdated documents.

  2. Personal Data Retention (All Medias)

    TCP targets the document retention procedures outlined below. Documents that are not listed, but are substantially similar to those listed in the schedule are retained for the associated length of time.

    2.1 Corporate Records

    Contracts 7 years after termination
    Correspondence (general) 3 years

    2.2 Legal, Insurance and Safety Records

    Insurance Policies (with Additional Name Insured) Permanent
    Leases  6 years after termination
    Contracts  7 years after termination
    Safety Records Permanent

    2.3 Accounting and Corporate Tax Records

    Annual Audits and Financial Statements Permanent
    IRS 990 Tax Returns Permanent
    Journal Entries 7 years
    Invoices 7 years
    Sales Records (box office, concessions, gift shop) 5 years
    Cash Receipts 3 years
    Credit Card Receipts 3 years
    Electronic Fund Transfer Documents 7 years

    2.4 Payroll and Employment Tax Records

    Payroll Registers Permanent
    State Unemployment Tax Records Permanent
    Payroll Registers Permanent
    State Unemployment Tax Records Permanent
    Earnings Records 7 years
    Garnishment Records 7 years
    Payroll Tax Returns 7 years
    W-2 Statements 7 years

    2.5 Employee Records

    Employment and Termination Agreements Permanent
    Retirement and Pension Plan Documents Permanent
    Records Relating to Promotion, Demotion or Discharge 7 years after termination
    Accident Reports and Worker’s Compensation Records 5 years
    Employment Applications 3 years
    I-9 Forms 3 years after termination
    Time Cards 2 years
    Biometric Information 1 year (Refer to Biometric Information Section Retention Schedule Clause)

    2.6 Client Records

    Contact Information (email, phone number, address) Permanent
    Correspondence (phone call, email, mail) 3 years
    Sales Notes Permanent
    Marketing Campaign Notes Permanent
    Technical Support Notes Permanent
    Implementation Project Notes  Permanent
    Active Client Data (employee records) Permanent
    Inactive Client Data (employee records) 30 to 45 days after termination
    Service Contracts 7 years after termination
  3. Electronic Documents and Records

    Electronic documents are to be retained as if they were paper documents, without duplicating the effort when a hardcopy of the same documents exist. Our policy for general correspondence generated by TCP email is to archive it and eventually destroy it according to the schedule herein. Backup and recovery methods are reviewed on an annual basis. Where possible, and as the business operation allows, we will make reasonable efforts to reduce hardcopy generation of documents by attempting to convert to a more paperless operation.

TimeClock Plus, LLC Biometric Information Privacy Policy

  1. Introduction

    TCP has instituted the following policy related to the information that is collected and transmitted to TCP as a result of TCP Client’s use of TCP’s devices designed to capture and store biometric information, as well as for use internally to authenticate TCP employees for time and attendance and human resource purposes. 

  2. Biometric Information

    Biometric Information collected by TCP includes biological traits unique to individuals and Biometric Identifiers as defined in the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq., or as may be defined in any other applicable local laws that govern the collection, use, storage or disclosure of biometric data. “Biometric Identifier” means a biological trait, including retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry or photograph. “Biometric Information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s Biometric Identifier used to identify an individual. The capture of such Biometric Information creates a Biometric Identifier in the form of a numeric value which can be stored and used to authenticate the identity of a person while using our products. This numeric value cannot be reverse engineered to reproduce a likeness of your biometric identifier.

  3. Client’s Responsibilities

    Clients are responsible for maintaining their own data collection, disclosure, retention, and storage policies as may apply to them under applicable law. To the extent required by law, Clients will obtain written authorization for the Client, TCP, and/or the licensor of TCP time and attendance software to collect, retain, and use biometric data from each employee prior to collection of such data. Biometric data will be used solely for identification and fraud prevention.

    While the use of Biometric Information is not mandatory to use our products, Clients may encourage employees to participate in biometric authentication. By voluntarily performing the AffirmativeAttestation and Enrollment process, offering your Biometric Information for capture, Client’s employees consent to the resulting and subsequent use of their Biometric Information with our products.

    TCP Clients agree that, in light of the developing nature of the legal requirements that may apply to TCP’s biometric information capture devices, to the extent that they use of TCP’s devices designed to capture and store biometric information in jurisdictions where applicable law so requires, they must:

    1. Inform the employee in writing that biometric data is being collected, stored, and used;
    2. Indicate the specific purpose(s) for collecting the biometric data and length of time for which it is being collected, stored, and used; and
    3. Receive a written release from the employee (or his or her legally authorized representative) of the biometric data authorizing the Client, TCP and/or the licensor of TCP time and attendance software to collect, store, and retain the employee biometric data utilized by TCP’s devices designed to capture and store biometric information, and authorizing the Client to provide such data to TCP and the licensor of TCP time and attendance software.
  4. Disclosure and Sharing of Biometric Information

    TCP will not sell, lease or trade any Biometric Information that it receives from its Clients as a result of their use of TCP’s devices designed to capture and store biometric information. Biometric Information will not be used for any purpose other than that described here.

    TCP will not disclose or disseminate any Client’s employee’s Biometric Information to any person or entity other than the Client and the licensor of TCP time and attendance software without/unless:

    1. First obtaining the Client’s employee’s written consent;
    2. Disclosure is required by state, federal law or other applicable local law; or
    3. Disclosure is required pursuant to a valid warrant or subpoena.
  5. Retention Schedule

    Upon successful Biometric Affirmative Attestation and Enrollment, TCP’s devices designed to capture and store biometric information will retain the Client’s employees Biometric Information. However the Biometric information will continue to be stored until the Client inputs and saves the employee(s) termination date in TimeClock Plus and after the expiration of the Biometric information retention period; which is set to 180 days by default from the employee(s) termination date, the purge process of the Biometric Data will execute during next Close Week cycle.

  6. Biometric Data Storage

    TCP will use a reasonable standard of care to store, transmit and protect from disclosure any paper or electronic Biometric Information collected, and shall store, transmit, and protect from disclosure all Biometric Information in a manner that is the same as or more protective than the manner in which TCP stores, transmits, and protects other Personal Data that can be used to uniquely identify an individual or an individual’s account or property, such as genetic markers, genetic testing information, account numbers, PINs, driver’s license numbers, and social security numbers.

TimeClock Plus, LLC Privacy Policy for Human Resources & Client Data Processing for EU Data Subjects

  1. Introduction

    TCP has adopted the provisions of this Global Data Privacy Policy (“Privacy Policy”) for processing Client employee data and business contact data. In addition, TCP has implemented policies for processing Personal Data of TCP employees. This Privacy Policy is intended to be a legally binding set of internal rules that ensure a consistent approach to privacy and data protection.

    The TCP Privacy Policy for Client Data Processing indicates the commitments TCP has implemented for the processing of personal data pertaining to Client employees by TCP, in connection with providing Client services and Client support activities.

  2. Scope and Applicability

    The TCP Privacy Policy for Client Data Processing addresses the processing of personal data of Client employees by TCP in its role as a data processor for Clients in the course of delivering Client services, where such personal data are:

    1. Subject to EEA Applicable Law;
    2. Collected originally in the context of the activities of an EEA establishment of a Client;
    3. Subject to EEA Data Transfer Restrictions;
    4. Processed by TCP outside the EEA in a country which has not been deemed to provide an adequate level of data protection by competent EEA institutions; and
    5. Processed pursuant to a Service Agreement that specifically provides that the TCP Privacy Policy for Client Data Processing shall apply to such personal data.
  3. Implementation

    The effective date of the TCP Privacy Policy for Business Data is June 1, 2018. TCP will implement the TCP Privacy Policy for Business Data across the relevant TCP Departments within six (6) months of the effective date.

  4. TCP Privacy Policy for Client Data Processing Principles

    The TCP Privacy Policy for Client Data Processing is based on a set of data protection principles outlined below.

    4.1 Data Processing Purposes

    TCP shall Process Client Data on behalf of the Client, only in accordance with the Service Agreement, pursuant to any documented instructions received from the Client, or as needed to comply with Applicable Law.

    TCP processes personal data (including Special Categories of Data) pertaining to Client employees as needed to provide Client services, Client support activities, as required by EEA applicable law and for the following additional purposes:

    1. Hosting, storage, and other processing needed for business continuity and disaster recovery;
    2. System and network administration and security, including infrastructure monitoring, identity and credential management, verification and authentication, and access control;
    3. Monitoring and other controls needed to safeguard the security and integrity of transactions;
    4. Enforcing contracts and protecting TCP, its employees, Clients, Client employees, and the public against theft, legal liability, fraud, or abuse; and
    5. Approved TCP internal business processes.

    Upon termination of the Service Agreement, TCP shall fulfill its obligations to the Client with regard to the returning the data and securely destroying the data, subject to EEA applicable law.

  5. Security Requirements

    TCP has implemented commercially reasonable and appropriate technical, physical, and organizational measures to protect Client Data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition, or access during the Processing, which will meet the requirements of EEA Applicable Law, or any stricter requirements, as imposed under the Service Agreement.

    Access to Client Data will be authorized only to the extent necessary to serve the applicable Data Processing Purposes and requirements of the Service Agreements. TCP staff with access to Client data will be subject to background screenings, confidentiality obligations, and routine data privacy training.

    TCP shall coordinate efforts with its Cybersecurity insurance policy provider to notify the Client of a data security breach without undue delay after becoming aware that such a breach has occurred as documented in our Incident Response and Breach Notification Policy, unless a law enforcement official or supervisory authority determines that notification would impede a criminal investigation, or cause damage to national security or a breach of trust in the relevant industry sector.

  6. Transparency to Client Employees

    TCP shall promptly notify the Client of requests or complaints related to the Processing of Personal Data by TCP that are received directly from Client employees without responding to such requests or complaints, unless otherwise provided in the Service Agreement or instructed by the Client. To facilitate employers fulfilling Data Subject Requests via the software application the following actions are implemented and available: access, information, restriction, rectification, and erasure; these are described in detail under the Help menu in the General Data Protection Regulation (GDPR) section.

  7. Subprocessors

    Third Party Subprocessors may only Process Client Data pursuant to a Subprocessor Contract. The Subprocessor Contract shall impose similar data protection-related Processing terms on the Third Party Subprocessor that will be not less protective than those imposed on the TCP Contracting Entity by the Service Agreement and the TCP Privacy Policy for Client Data Processing Services.

    TCP shall publish an overview of the categories of Subprocessors involved in the performance of the relevant Client Services and TCP shall provide notice to the Client of any new Subprocessors engaged by TCP for the delivery of the Client Services. The current list of Subprocessors involved in the performance of relevant services can be found here https://www.timeclockplus.com/privacy/subprocessors. Clients have 30 days from notification date to object to the use of new Subprocessors engaged by TCP.

  8. Governance

    TCP’s privacy program is managed by TCP’sChief Operating Officer and the Legal team. TCP has implemented a Data Privacy Committee comprised of the Chief Operating Officer, all Privacy Stewards, and the Data Protection Officer, who is in charge of privacy compliance within their respective states, countries, Business Units, or Functional areas.

    Privacy Stewards are Executives who have been appointed by TCP senior leaders to implement and enforce compliance with TCP’s Privacy Policy within their respective Business Units or Functional areas.

  9. Compliance

    TCP shall respond promptly and appropriately to requests for assistance from the Client to enable the Client to comply with its obligations, subject to Applicable Law and in accordance with the Service Agreement. During cases where requests from a data subject are distinctly unsubstantiated or excessive, in particular because of their repetitive character, we may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request altogether.

  10. Training

    All TCP Staff with access to or responsibilities for Processing Personal Data are required to complete annual Data Privacy Training through TCP’s Learning Management System.

  11. Monitoring and Audit

    TCP will address Client audit requests and will answer questions asked by the Client regarding the Processing of Client Data by TCP. If further information is requested, in agreement with Client, TCP will provide the Client with a statement from a third party assessor, indicating TCP’s compliance with the TCP Privacy Policy for Client Data Processing. Additionally, TCP will allow its Processing facilities to be audited by any DPA of an EEA Country which is competent to audit a TCP Client.

    The Data Protection Officer shall produce an annual report for the TCP Executive Team on compliance with the TCP Privacy Policy for Client Data Processing Services, privacy, data protection risks, and other relevant issues.

  12. Complaints Procedure

    Client Employees covered by the TCP Privacy Policy for Client Data Processing may file a complaint if they believe that TCP has not handled their Personal Data properly or that it has breached its privacy obligations, under any applicable data protection laws or the TCP Privacy Policy for Client Data Processing. You may file your complaint in writing to the address below, or via email, to TCP at Privacy@TimeClockPlus.com. TCP’s Data Protection Officer will receive, investigate, and document each complaint and respond to the Individual within a reasonable timeframe of the outcome of the investigation.

    By Email:
    Data Protection Officer
    DPO@TimeClockPlus.com

    By Mail:
    TimeClock Plus, LLC
    Attn: Data Protection Officer
    1 Time Clock Dr.
    San Angelo, TX 76904; USA

    For more information on how to submit a complaint under the Privacy Shield Frameworks, please refer to the section entitled TimeClock Plus, LLC Privacy Shield Privacy Policy for Data Transferred to the United States from the EU/Switzerland/UK.

  13. Contact Us

    For more information about TCP’s Privacy Policies, including the TCP Privacy Policy for Client Data Processing, please contact the Data Protection Officer at Privacy@TimeClockPlus.com.

    VeraSafe has been appointed as TimeClock Plus, LLC’s representative in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. VeraSafe can be contacted in addition to Privacy@timeclockplus.com, only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative

    Alternatively, VeraSafe can be contacted at:

    VeraSafe Ireland Ltd
    Unit 3D North Point House
    North Point Business Park
    New Mallow Road
    Cork T23AT2P
    Ireland

    References:

    (a) https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

    TimeClock Plus, LLC Privacy Shield Privacy Policy for Data Transferred to the United States from the EU/Switzerland/UK

    TimeClock Plus, LLC (“TCP”) complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, the United Kingdom, and/or Switzerland transferred to the United States pursuant to Privacy Shield. TCP has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

    With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, TCP is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.

    Pursuant to the Privacy Shield Frameworks, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also may correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to Privacy@TimeClockPlus.com. If requested to remove data, we will respond within a reasonable timeframe.

    We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to Privacy@TimeClockPlus.com.

    In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

    TCP’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, TCP remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless TCP proves that it is not responsible for the event giving rise to the damage.

    In compliance with the Privacy Shield Principles, TCP commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact TCP by email at Privacy@TimeClockPlus.com. TCP’s Data Protection Officer will receive, investigate, and document each complaint and respond to the Individual within a reasonable timeframe of the outcome of the investigation.

    By Email:

    Data Protection Officer
    DPO@TimeClockPlus.com

    By Mail:

    TimeClock Plus, LLC
    Attn: Data Protection Officer
    1 Time Clock Dr.
    San Angelo, TX 76904; USA

    TCP has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

    If your complaint involves human resources data transferred to the United States from the EU and/or Switzerland in the context of the employment relationship, and TCP does not address it satisfactorily, TCP commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, and to comply with the advice given by the DPA panel and/or Commissioner, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.

    Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

    If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

    Contact Us

    For more information about TCP’s Privacy Policies, including the TCP Privacy Policy for Client Data Processing, please contact the Data Protection Officer at Privacy@TimeClockPlus.com.