
Privacy Statement Healthy Workers

Last updated: September 2019

Who are we?

We are Healthy Workers. We have a cloud-based workplace data tool which measures the performance of workplaces (in terms of space, amenities and services and well-being of employees) and, subsequently, the impact of workplace adjustments. The insights generated are used to make quantified decisions on managing adaptive physical spaces where you and your colleagues can thrive. Healthy Workers improves spaces primarily by giving customers insights into how buildings, systems & services are catering to the people that rely on them. We comply with the General Data Protection Regulation / Algemene Verordening Gegevensbescherming (jointly the “GDPR”), which has replaced the different national privacy laws of EU member states as of 25 May 2018.


Our Services include providing insight into the performance of your work environment, your satisfaction and the well-being at your work, based on data about both you and your work environment. We report the results in the form of a summary to your employer so that they can help create an optimal work environment for you and your colleagues.

What is this?

This is a Statement. In this document, we explain what kind of Personal Data we process when you use our product, provide feedback and participate in our questionnaires via our mobile application, hereafter: the App. We also explain how we store, protect and use your personal data and for which purposes.

Personal Data

In this Privacy Statement, Personal Data means information or pieces of information that could allow you, a natural person, to be directly or indirectly identified.

Data Controller

We determine the purpose and means of the processing of the Personal Data. Therefore, we act as Data Controller within the meaning of the GDPR. Our clients (employers) do not receive any Personal Data we have collected. Therefore, our clients do not act as Data Controller or as Data Processor.

Which Personal Data do we process and how do we use it?

We may collect and process the following Personal Data from you as a user, when you use our product:

| Personal Data | Purpose(s) | What do we use it for? |
| --- | --- | --- |
| First- and last name | We ask for your first- and last name to identify you as an individual employee of our client. It is not possible to use pseudonyms, as this enables employees to create multiple accounts – which would lead to distortion of our data analysis. | We use this data to make sure you recognise that you are logged in by calling you by your name. |
| Work email address | Identification of our users, your Healthy Workers login name and contact details for service-related emails. | You gain access to the product by using your work email address. Besides, you’ll receive the onboarding email, verification emails and other service-related emails on your work email address. |
| Department and team size | To combine data per department, in order to analyse the overall working conditions per department. | We need these data to perform our contract with you, i.e. to deliver our Services. |
| Work environment satisfaction and level of well-being: – Mental well-being – Physical well-being – Overall satisfaction at your work with the current physical environment and all its aspects (e.g. indoor climate, amenities & services) | Analysis of employee satisfaction at work and employee physical and mental well-being at work. | We ask for your explicit consent to process these data – namely by agreeing to this privacy policy when creating an account with us. This data is used to measure how satisfied you are with the environment, how you are feeling at work (mentally and physically) and to what extent you are engaged and able to perform in your work environment. Without these data, we are not able to analyse the work conditions and make a useful report for your employer. |

We also collect non-personal data about the working conditions at the user’s working place, for example:

  • Office data collected by an expert (e.g. WELL AP): for example observations about the type and quality of facilities in the building, the indoor and the outdoor office design and the quality of personal working stations.

  • Office data collected by sensors: for example indoor climate, air quality, light, noise and movement.


These non-personal data cannot be traced to an individual and are therefore not Personal Data. The noise sensors only register sound intensity (decibel) and do not register or capture voices. The movement sensors only register movement, and do not capture images. This means our use of non-personal data falls outside the scope of the GDPR and this Privacy Statement.

For what period will we retain Personal Data?

The Personal Data we process will be deleted when these are no longer necessary for the fulfilment of the purposes mentioned above. In no case will we keep the Personal Data longer than 2 years after the data have been last modified, unless we are legally obliged to keep the data for a longer period. If the user terminates their contract with Healthy Workers, we will remove all Personal Data of that user within a month. On request of the user, we may retain the Personal Data up to 3 months.

Who do we share your Personal Data with?

In order to render our services, we need to share the personal data with external services. For example, we make use of the services of Google Cloud Services, a global hosting and Web-Application service provider that provides our infrastructure, hosting and security services.

| Data Processor | Data they process | Where they are based | Where the data is stored |
| --- | --- | --- | --- |
| Google Cloud Services | All user- and company-specific data is sent through GCS with TLS encryption. The data is stored encrypted in a cloud-hosted database. | USA | Europe West 4a (Eemshaven) |
| Google Analytics | Traffic/event analysis on organisational level. | USA | Europe West 4a (Eemshaven) |
| Intercom | Textual feedback/questions, possible user contact data: email address of logged in users. | Ireland | AWS US East 1 |
| Product Board | We collect feedback from our clients/users in Product Board to manage our product development. | USA | AWS US East 1 |
| Postmark | Transactional emails, possible user contact data: email address, full name, topic content. | USA | USA |
| Mailchimp | Marketing and service emails, possible user contact data: email address, full name. | USA | USA |

Such external services will solely act as Data Processor within the meaning of the GDPR. This means our Data Processors must strictly follow our instructions and are contractually obliged not to use the data for their own purposes. We do not share data with Google Cloud Services or other external services beyond what is necessary to assist us.

Besides the above, we will not share your data with third parties – unless we are legally obliged to do so.

Export of Data outside the European Economic Area

We may transfer Personal Data outside the EEA if one of our Data Processors is located outside the EEA, under the following conditions. In case we transfer Personal Data outside the EEA, the Personal Data will only be transferred to countries or organisations that provide an adequate level of data protection meeting EU standards. For example, we will verify whether that organisation is a Privacy Shield Participant or is listed as a third country whose level of data protection has been considered adequate by the European Commission. We want to ensure that any transfer of Personal Data outside the EEA is in compliance with the GDPR.

Generic (non-personal) data

Tags
For tagged topics (‘Tags’), our clients, i.e. the employers, can only access the data that employees have submitted. Each topic that is tagged is immediately visible. No threshold has to be reached, so your employer can fix any urgent topics faster.


You have the option to tag topics anonymously. In this case, we do not share your name with your employer. Remember, when giving anonymous feedback, anonymity does make it more difficult for your employer to fix and decide upon the prioritization of tagged topics. Although no Personal Data is shown in the employer dashboard when you are tagging a topic anonymously, your employer might find out that you tagged a specific topic. For example, when you are the only one who tagged a topic, and you also mentioned this publicly within the workplace. Please keep this in mind while using our service.


You – all health and wellbeing related information
For health-related data, our clients, i.e. the employers, can only access the combined summaries of anonymized company data. They will never receive any Personal Data related to your health or other questions that are part of our You Program. Thus they can never find out what you answered in the You Program. Our clients cannot see which employees have or haven’t participated in the questionnaire.


We will convert any Personal Data into non-personal data and combine it with information collected from other users. We use a mix of pseudonymization with secret key encryption, aggregation, and K-anonymity to achieve this. This means that the data will be fully anonymized: they will not contain any Personal Data.

How do we protect Personal Data?

We work hard to protect your Personal Data from unauthorized or unlawful access, alteration, disclosure, use or destruction. For example, we take the following measures to make sure the Personal Data is safe:

  • We encrypt data-in-motion and data-at-rest in accordance with the industry standards (SSL/AES-256);

  • Our service provider (Google Cloud Service) is ISO 27001, ISO 27017 and ISO 27018 (data security, cloud security and personal information security) certified and is listed on the Privacy Shield List;

  • We apply pseudonymisation to all data before it is sent to our internal analysts;

  • Only personnel authorized by Healthy Workers B.V. may access your data. At this time this is 1 person in a key management position of the company.

Third party websites

You may find advertising or other content on our Website that links to the websites and services of our clients, partners, suppliers, advertisers, sponsors, licensors or other third parties. We do not control the content or the links that appear on these websites and we are not responsible for the practices employed by websites linked to or from our Website. In addition, these websites or services, including their content and links, may be constantly changing. These websites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites that are linked to our Website, are subject to the terms and policies of that website.

Cookies

We may use the following types of cookies on our Website and Web-App:

  • Technical (functional) cookies: these are cookies that are essential for the operation of our Website / Web-App. They enable you to move around our Website / Web-App and use our features.

  • Analysis cookies: these allow us to analyse access to the different features of our application. This data is never shared with any third party company and is solely used internally to provide better service to our clients.


Analytical (statistical) cookies: we use these cookies to track visitor statistics. We use these statistics to continuously improve the Website / Web-App. These cookies also allow us to recognize and count the number of visitors and to see how visitors navigate when they’re using our Website / Web-App. This