Privacy Statement Healthy Workers
Last updated: September 2019
Who are we?
We are Healthy Workers. We have a cloud-based workplace data tool which measures the performance of workplaces (in terms of space, amenities and services and well-being of employees) and subsequent the impact of workplace adjustments. The insights generated are used to make quantified decisions on managing adaptive physical spaces where you and your colleagues can thrive. Healthy Workers improves spaces primarily by giving customers insights into how buildings, systems & services are catering to the people that rely on them. We comply with the General Data Protection Regulation / Algemene Verordening Gegevensbescherming (jointly the “GDPR”), which has replaced the different national privacy laws of EU member states as per 25 May 2018.
Our Services include providing insight into the performance of your work environment, your satisfaction and the well-being at your work, based on data about both you and your work environment. We report the results in the form of a summary to your employer so that they can help create an optimal work environment for you and your colleagues.
What is this?
This is a Statement. In this document, we explain what kind of Personal Data we process when you use our product, provide feedback and participate in our questionnaires via our mobile application, hereafter: the App. We also explain how we store, protect and use your personal data and for which purposes.
In this Privacy Statement, Personal Data means information or pieces of information that could allow you, a natural person, to be directly or indirectly identified.
We determine the purpose and means of the processing of the Personal Data. Therefore, we act as Data Controller within the meaning of the GDPR. Our clients (employers) do not receive any Personal Data we have collected. Therefore, our clients do not act as Data Controller or as Data Processor.
Which Personal Data do we process and how do we use it?
We may collect and process the following Personal Data from you as a user, when you use our product:
|Personal Data||Purpose(s)||What do we use it for?|
|First- and last name||We ask for your first- and last name to identify you as an individual employee of our client. It is not possible to use pseudonyms, as this enables employees to create multiple accounts – which would lead to distortion of our data analysis||We use this data to make sure you recognise that you are logged in by calling you by your name.|
|Work email address||Identification of our users, your Healthy Workers login name and contact details for service-related emails.||You gain access to the product by using your work email address. Besides, you’ll receive the onboarding email, verification emails and other service-related emails on your work email address.|
|Department and team size||To combine data per department, in order to analyse the overall working conditions per department.||We need these data to perform our contract with you, i.e. to deliver our Services.|
We also collect non-personal data about the working conditions at the user’s working place, for example:
Office data collected by an expert (e.g. WELL AP): for example observations about the type and quality of facilities in the building, the indoor and the outdoor office design and the quality of personal working stations.
Office data collected by sensors: for example indoor climate, air quality, light, noise and movement.
These non-personal data can not be traced to an individual and are therefore not Personal Data. The noise sensors only register sound intensity (decibel) and do not register or capture voices. The movement sensors only registers movement, and do not capture images. This means our use of non-personal data falls outside the scope of the GDPR and this Privacy Statement.
For what period will we retain Personal Data?
The Personal Data we process will be deleted when these are no longer necessary for the fulfilment of the purposes mentioned above. In no case we will keep the Personal Data longer than 2 years after the data have been last modified, unless we are legally obliged to keep the data for a longer period. If the user terminates its contract with Healthy Workers, we will remove all personal Data of that users within a month. On request of the user, we may retain the Personal data up to 3 months.
Who do we share your Personal Data with?
In order to render our services, we need to share the personal data with external services. For example, we make use of the services of Google Cloud Services, a global hosting and Web-Application service provider that provides our infrastructure, hosting and security services.
|Data Processor||Data they process||Where they are based||Where the data is stored|
|Google Cloud Services||All user- and company-specific data is sent through GCS with TLS encryption. The data is stored encrypted in a cloud-hosted database.||USA||Europe West 4a (Eemshaven)|
|Google Analytics||Traffic/event analysis on organisational level.||USA||Europe West 4a (Eemshaven)|
|Intercom||Textual feedback/questions, possible user contact data: email address of logged in users.||Ireland||AWS US East 1|
|Product Board||We collect feedback from our clients/users in Product Board to manage our product development.||USA||AWS US East 1|
|Postmark||Transactional emails, possible user contact data: email address, full name, topic content.||USA||USA|
|Mailchimp||Marketing and service emails, possible user contact data: email address, full name.||USA||USA|
Such external services will solely act as Data Processor within the meaning of the GDPR. This means our Data Processors must strictly follow our instructions and is contractually obliged not to use the data for its own purposes. We do not share data with Google Cloud Services or other external services beyond what is necessary to assist us.
Besides the above, we will not share your data with third parties – unless we are legally obliged to do so.
Export of Data outside the European Economic Area
We may transfer the Personal Data outside the EEA, if one of our Data Processors is located outside the EEA under the following conditions. In case we transfer Personal Data outside the EEA, the Personal Data will only be transferred to countries or organisations that provide an adequate level of data protection meeting EU-standards. For example, we will verify if that organization is a Privacy Shield Participant or is listed as third country whose level of data protection has been considered adequate by the European Commission. We want to ensure that any transfer of Personal Data outside the EEA is in compliance with the GDPR.
Generic (non-personal) data
For tagged topics (‘Tags’), our clients, i.e. the employers, can only access the data that employees have submitted. Each topic that is tagged is immediately visible. No threshold has to be reached so that your employer can fix any urgent topics faster.
You have the option to tag topics anonymously. In this case, we do not share your name with your employer. Remember, when giving anonymous feedback, anonymity does make it more difficult for your employer to fix and decide upon the prioritization of tagged topics. Although no Personal Data is shown in the employer dashboard when you are tagging a topic anonymously, your employer might find out that you tagged a specific topic. For example, when you are the only one who tagged a topic, and you also mentioned this publicly within the workplace. Please keep this in mind while using our service.
You – all health and wellbeing related information
For health-related data, our clients, i.e. the employers, can only access the combined summaries of anonymized company data. They will never receive any Personal Data related to your health or other questions that are part of our You Program. Thus they can never found out what you answered into the You Program. Our clients cannot see which employees have or haven’t participated in the questionnaire.
We will convert any Personal Data into non-personal data and combine it with information collected from other users. We use a mix of pseudonymization with secret key encryption, aggregation, and K-anonymity to achieve this. Meaning that the data will be fully anonymized: they will not contain any Personal Data.
How do we protect Personal Data?
We work hard to protect your Personal Data from unauthorized or unlawful access, alteration, disclosure, use or destruction. For example, we take the following measures to make sure the Personal Data is safe:
We encrypt data-in-motion and data-at-rest in accordance with the industry standards (SLL/AES-246);
Our service provider (Google Cloud Service) is ISO 27001, ISO 27017 and ISO 27018 (data security, cloud security and personal information security) certified and is listed on the Privacy Shield List;
We apply pseudonymisation to all data before it is sent to our internal analysts;
Only personnel authorized by Healthy Workers B.V. may access your data. At this time this is 1 person in a key management position of the company.
Third party websites
You may find advertising or other content on our Website that link to the websites and services of our clients, partners, suppliers, advertisers, sponsors, licensors or other third parties. We do not control the content or the links that Web-Appear on these websites and we are not responsible for the practices employed by websites linked to or from our Website. In addition, these websites or services, including their content and links, may be constantly changing. These websites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites that are linked to our Website, are subject to the terms and policies of that website.
We may use the following types of cookies on our Website and Web-App:
Technical (functional) cookies: these are cookies that are essential for the operation of our Website / Web-App. They enable you to move around our Website / Web-App and use our features.
Analysis cookies: these allow us to analyse access to the different features of our application. This data is never shared with any third party company and is solely used internally to provide better service to our clients.
Analytical (statistical) cookies: we use these cookies to track visitor statistics. We use these statistics to continuously improve the Website / Web-App. These cookies also allow us to recognize and count the number of visitors and to see how visitors navigate when they’re using our Website / Web-App. This helps us to improve user navigation and to ensure users can find what they need more easily.
Tracking cookies: these cookies monitor the clicking behaviour and surfing habits of our visitors. By means of these cookies we can see, for example, whether and when you view your profile and whether you click through to our Website / Web-App. We might use these cookies to show you advertisements based in your interests.
You can change the cookie settings in your web browser if you don’t want cookies to be stored on your device. Please note that some features of our Website / Web-App may not function properly without cookies.
Modifications to this Privacy Statement
We may update our Privacy Statement from time to time. When we change our Privacy Statement in a significant way, we will post a notification on our Website and App along with the updated Privacy Statement.
You have the following rights in regards to your personal information:
You have the right to access information about the personal data we hold about you. We reserve the right to charge a reasonable fee in response to unreasonable or repetitive requests, or requests for further copies of the same information.
Right to object to processing
You have the right to object to the processing of your personal data where that processing is being undertaken by us on the basis of our (or a third party’s) legitimate interest. In such a case we are required to cease processing your data unless we can demonstrate compelling grounds which override your objection. You also have the right to object, at any time, to the processing of your personal data by us for direct marketing purposes.
You have the right to request that we rectify any inaccurate personal data that we hold about you.
You have the right to request that we erase any personal data that we hold about you, based on one of a number of grounds, including the withdrawal of your consent (where our processing of that data is undertaken on the basis of your consent), or if you object to our continued processing (as mentioned above). This right does not extend to information which is not personal data. Please also note that it is likely to be necessary for us to retain your personal data for the purposes of assessing and verifying data that is submitted and/or held on the Platform, and your rights under applicable law to request erasure may be limited accordingly. We also reserve the right to retain your personal data in an anonymised form for statistical and benchmarking purposes.
Request to restriction of processing
This enables you to ask us to restrict the processing of your personal data in certain circumstances, for example if you want us to establish its accuracy or the reason for processing it.
You have the right to obtain copies of your personal data to enable you to reuse your personal data across different services and with different companies. You may also request that your personal data is transmitted directly to another organisation where this is technically feasible using our data processing systems.
Change of preferences
You can change your data processing preferences at any time. For example, if you have given your consent to direct marketing, but have changed your mind, you have the ability to opt out of receiving marketing communications by emailing us at firstname.lastname@example.org or clicking the relevant link in any communication you receive.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Please note that if you exercise any of the above rights to require us to restrict or cease processing or to delete personal data, and this type of processing is required in order to facilitate your use of the Platform, you will no longer be able to use the Platform following the date on which we action your request. This does not include your right to object to direct marketing which can be exercised at any time without restriction.
Please allow at least 21 working days for your request to be actioned.
Save as set out above, your rights detailed above can be exercised free of charge in accordance with applicable data protection laws. Please contact your employer directly if you would like to exercise any of these rights (other than a change to your marketing preferences, which should be notified directly to us as described above).
If for any reason you are not happy with the way that we have handled your personal data, you also have the right to make a complaint to the relevant supervisory authority in your country.
Our contact details
Healthy Workers B.V.
Prins Hendrikkade 21E
Chamber of Commerce (Kamer van Koophandel) number: 67322174
VAT number: NL 8569 30 994 B 01