EEA and UK Data Protection Notice
Revised October 2024
This Data Privacy Notice describes the practices of ComPsych Corporation, including its affiliate ComPsych International, Inc., (collectively “Company”, “ComPsych”, “we”, or “our”) with respect to the collection, use, storage, and disclosure (“processing”) of Personal Data covered by the General Data Protection Regulation (“GDPR”) of the European Union (“EU”) and the Data Protection Act of 2018 of the United Kingdom (“UK”) (collectively referred to as the “Data Protection Regulations” for purposes of this Notice), about customers or potential customers in the European Economic Area (“EEA”) and the UK when interacting with Company related to services provides in-country by ComPsych’s Global Partners and web-based services which are provided from and hosted in the United States. In this Notice, all the services in relation to our employee assistance programs are collectively referred to as “Services”. Please also see our Data Privacy Framework Policy and Privacy and Terms of Use for additional information related to data privacy.
“Personal Data,” as used in this Notice, means any information that can be used to identify you, whether directly or indirectly, including by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to your physical, physiological, mental, economic, cultural or social identity. ComPsych and its Global Partner where you are receiving services are the controllers of your Personal Data in relation with the processing activities described in this Notice. You can contact ComPsych and/or the relevant Global Partner using the contact details included under “Data Subjects Rights” section below.
Purposes, Legal Bases and Data Types of the Information We Process About You
We process your Personal Data, which we collect from you directly and indirectly when you inquire about, access, and use the Products and Services, and indirectly from third parties, such as your employer, for the purposes set out below. If you do not provide us with Personal Data when registering for Services, we may not be able to offer Services to you.
| Purpose of Processing | Categories of Personal Data | Corresponding Legal Basis |
| To provide you with the information and Services offered by our Employee Assistance Programs, including our library of wellness resources, our “Guide Me” capability, our “Assess Me” capability and to connect you with health care providers where requested via the “Connect Me” capability | Name Contact details Username Password Information about your employer Information you provide on your health and wellbeing Inferences regarding your characteristics Information collected automatically when you access our websites, such as your IP address and internet or other electronic network activity information | This is necessary for us to fulfil our contracts with your employer Where required by applicable laws we will ask for your (explicit) consent, for instance when we process information regarding your health |
| To provide you with a personalized experience when using ComPsych Products and Services | Name Contact details Username Information about your employer Information you provide on your health and wellbeing Inferences regarding your characteristics Information collected automatically when you access our websites, such as your IP address and internet or other electronic network activity information | It is our legitimate business interest to provide you with a personalized experience Where required by applicable laws we will ask for your (explicit) consent, for instance when we process information regarding your health |
| To assess and improve the quality of ComPsych Products and Services, including to assess product use, completion rates and other internal business aspects, as well as the quality of our website. For example to assess how to improve website navigation and user interfaces, to assess what Products and Services are best meeting user interests, and to troubleshoot identified issues. | Username Information about your employer Information you provide on your health and wellbeing Inferences regarding your characteristics Information collected automatically when you access our websites, such as your IP address and internet or other electronic network activity information | It is our legitimate business interest to further develop and improve our Products and Services, including through understanding your use of our Products and Services, amongst others by means of our website Where required by applicable laws we will ask for your (explicit) consent, for instance when we process information regarding your health |
| To provide customers with reports on usage rates, trends and outcomes, based on aggregated data | Information you provide on your health and wellbeing Information collected automatically when you access our websites, such as your IP address and internet or other electronic network activity information | It is our legitimate business interest to provide (potential) customers with information about the value of our Products and Services Where required by applicable laws we will ask for your (explicit) consent, for instance when we process information regarding your health |
| To provide customer friendly Products and Services, including to address security, health and safety concerns and to provide technical support | Name Contact details Username Password Information you provide on your health and wellbeing Inferences regarding your characteristics Information collected automatically when you access our websites, such as your IP address and internet or other electronic network activity information | It is our legitimate business interest to answer your questions and requests, and to provide you with a good (support) experience when using our Products and Services Where required by applicable laws we will ask for your (explicit) consent, for instance when we process information regarding your health |
| To pursue business-related purposes, including to investigate, prevent or take action regarding (suspected) illegal activities, safety concerns, or violations of ComPsych polices, in the context of any litigation, the planning and implementing of potential mergers and acquisitions and the resolving of billing disputes with customers | Name Contact details Information about your employer Information you provide on your health and wellbeing Inferences regarding your characteristics Information collected automatically when you access our websites, such as your IP address and internet or other electronic network activity information | It is our legitimate business interest to pursue certain business-related purposes, including to ensure that our platform is safe and secure, that we can maintain our business and financial administration and to further develop Company Where required by applicable laws we will ask for your (explicit) consent, for instance when we process information regarding your health |
| To comply with our legal obligations under applicable laws and regulations, including with our governmental reporting and tax requirements | Name Contact details Information about your employer Information you provide on your health and wellbeing Inferences regarding your characteristics Information collected automatically when you access our websites, such as your IP address and internet or other electronic network activity information | This processing is necessary for our compliance with our legal obligations Where required by applicable laws we will ask for your (explicit) consent, for instance when we process information regarding your health |
For the processing of information you provide on your health and wellbeing and inferences regarding your characteristics (“Special Category Personal Data”) we will rely on your “explicit consent” where required by applicable laws. You can contact us using the details in the “Data Subject Rights” section below for more information.
Insofar as we process your Personal Data based on our legitimate interests, you have the right to object if there are reasons arising from your particular situation.
Where required by applicable laws, we process (Special Category) Personal Data on the basis of your (explicit) consent, as provided by you by your affirmative action in the form of clicking a checkbox or other form of (explicit) consent When we process your (Special Category) Personal Data on the basis of your (explicit) consent, you may withdraw that (explicit) consent at any time by contacting our Privacy Official.
Such withdrawal of consent will not affect the lawfulness of processing conducted before the time of withdrawal If you withdraw your consent, we may still be required to process your (Special Category) Personal Data to comply with applicable laws, but we will explain to you at the time your consent is withdrawn what processing activities will continue for legal compliance purposes.
You may obtain additional information about the processing of your Personal Data, including Special Category Personal Data, processed while using ComPsych’s website by contacting our Privacy Official at [email protected]. For services provided in country, you may obtain additional information about the processing of your Personal Data, including Special Category Personal Data, by contacting the Global Partner in the country where you received services using the country specific information in the Annex to this Notice. In the event you are receiving services in a country that is not listed in the Annex, please contact [email protected] for information.
We may also deidentify or anonymize your information in such a way that you may not reasonably be re-identified by us or another party, and we may use this deidentified data for the purpose of providing customers with reports on usage rates, trends and outcomes, based on aggregated data as described above To the extent we deidentify any data originally based on (Special Category) Personal Data we will maintain and use such information in deidentified form and will not attempt to reidentify the data.
Recipients of Your Personal Data
Your Personal Data will be received and processed by Company. We may also disclose the Personal Data described above in order to fulfil our obligations and in our legitimate interests above as follows:
- Business Transfers. If (i) we are or may be acquired by, merged with, or invested in by another company, or (ii) if any of our assets are or may be transferred to another company, whether as part of a divestiture, bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected about you to the other company. As part of the business transfer process, we may disclose certain Personal Data with lenders, auditors, and third party advisors, including attorneys and consultants. This applies to the extent we have legitimate interests to do so.
- Where Legally Required. We may disclose your Personal Data with public authorities, justice and law enforcement, fiscal authorities and other authorities assigned with investigative powers or public authority, to the extent we are legally required or have legitimate interests to do so.
- To Protect Us and Others. We disclose your Personal Data where we believe it is appropriate to do so to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of ComPsych policies, or as evidence in litigation in which we are involved, to the extent we have legitimate interests to do so.
- Service providers. We may also share your Personal Data with third party service providers such as, for example, without limitation, cloud providers. Such providers will process the data exclusively for the provision of the services related to the development of the activities of the Company
- Other members of the ComPsych Group. We will share certain information about you with other ComPsych Group companies for internal administrative purposes, and insofar as it is reasonably necessary for the purposes stated in this Notice and relying on the corresponding legal basis.
- Health and wellness experts. We will share certain information about you (mainly your name and contact details) with those health and wellness experts with whom you request that we schedule an appointment and/or put you in contact with.
- Aggregate and De-Identified Information. We may disclose aggregate, anonymized, or de-identified information about you for the purpose of providing customers with reports on usage rates, trends and outcomes, based on aggregated data as described above, to the extent as permitted under applicable local law.
- Consent. We may also disclose your Personal Data with your (explicit) consent, where permitted by applicable local law.
Retention
Your Personal Data will be retained only in an identifiable form for the duration of your interaction with the ComPsych Products and/or Services, unless a shorter retention period is required by applicable laws or the Personal Data is no longer necessary for the purposes for which it was obtained.
If you no longer interact with ComPsych Products and/or Services, we will only retain your Personal Data for as long as it is needed to:
- fulfill ComPsych’s legal obligations, including where retention is required as a matter of law;
- initiate, investigate or defend against legal claims;
- address your questions, requests or complaints;
- keep our records for analysis and audit purposes
If your Personal Data is processed on the basis of your (explicit) consent, Company will only use your Personal Data until you withdraw your consent, or for as long as required to fulfill the purposes set out in this Notice.
Data Subject Rights
You have the right to the following information regarding Company’s processing of your Personal Data:
- the purposes of the processing,
- the categories of Personal Data collected,
- the recipients or categories of recipients to whom the Personal Data has been or will be disclosed,
- where possible, the predicted period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period.
This Notice is intended to provide this information. Any questions about these details may be directed to the Privacy Official as indicated in the Notice.
You may also have the following additional rights with respect to your Personal Data processed by Company:
- The right to access to the Personal Data that Company holds about you
- The right to rectify any of your Personal Data that is inaccurate
- The right to data portability
- The right to object to the processing of your Personal Data, to the extent we process your Personal Data on the basis of a legitimate interest The right to erasure of your Personal Data The right to restriction of processing of your Personal Data
- The right to withdraw consent to the processing of your Personal Data where consent is the legal basis for such processing
- The right to lodge a complaint with the supervisory authority for the country or state where you live or work or where you believe that your rights have been violated
- Company does not operate any automated decision-making systems within the meaning of Article 22 GDPR, so the right to opt-out of such is not applicable
These rights may be subject to certain limitations or restrictions as allowed or imposed by applicable laws. If this is the case, we will let you know in our communications with you.
To exercise your rights or for additional information related to your rights, contact ComPsych’s Privacy Official at [email protected] for inquires related to use of ComPsych’s website or the Privacy Official of the Global Partner in the country where you received services using the country specific information in the Annex to this Notice.
In the event you are receiving services in a country that is not listed on the Annex, please contact [email protected] for information. When contacting the Privacy Official, be sure to provide enough information for us to identify your records and contact you if we need to clarify or discuss your request.
Contact Details
ComPsych Corporation is the Controller of data collected from those who contact us using ComPsych’s website. The company’s corporate headquarters are located at:
ComPsych Corporation
455 N. Cityfront Plaza Drive, 13th Floor
Chicago, IL 60611
USA
The Global Partner or service provider in the country where you received services is the Controller of data collected during such service provision. The Global Partner’s corporate headquarters are listed on the Annex attached to this Notice. In the event you are receiving services in a country that is not listed on the Annex, please contact [email protected] for information.
Links to Other Services or Websites
Company’s Products and Services may contain links to third party services or websites. We are not responsible for the way in which these third parties handle your Personal Data. We advise you to read the privacy notice of the third party when you make use of their service or visit their website in order to understand how this third party collects and uses your Personal Data.
How we protect your Personal Data
We have implemented physical, technical and organizational measures to protect your Personal Data as required by applicable laws. These measures are aimed at ensuring the integrity and confidentiality of your Personal Data, for instance by ensuring that only authorised employees have access to your Personal Data, and to protect it against unlawful or unauthorized destruction, loss, alteration, use or disclosure, or access. We evaluate and update these measures on a regular basis. Please be aware that no information system can be 100% secure. This means that we cannot guarantee the absolute security or availability of your Personal Data.
When using our Services, you acquire these directly from Company, who offers them from the United States. By interacting with our Products and Services you choose to share your Personal Data to be stored or otherwise processed in servers and databases located in the United States. We always process your Personal Data in line with this Notice. As an extra security measure, we are also certified under the EU-US Data Privacy Framework.
When using Services provided by our Global Partners or service providers, in the country you reside, your Personal Data will be stored or otherwise processed in the servers and databases located in that country.
If you require more information on the appropriate security measures in place, please contact our Privacy Official via [email protected] for information related to use of ComPsych’s website or the Global Partner in the country where you reside as listed on Annex A attached to this Notice. In the event you are receiving services in a country that is not listed on the Annex, please contact [email protected] for information.
Questions or Complaints
Our Company welcomes communication from you related to this Notice, your rights and any comments or complaints you may have related to the privacy of the Personal Data we process about you. If you are not satisfied with our response or believe that we are not processing your data in accordance with the law, you may file a complaint with the data protection authority in the UK or in any EEA Member State where you habitually work, live, or believe an infringement of the Data Protection Regulations occurred.
- Please find a list of data protection authorities in the EEA at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- In the United Kingdom, the data protection authority is:
The Information Commissioner’s Office
Tel. +0303 123 1113
Website: https://ico.org.uk/
Company may revise this Notice to ensure compliance with applicable law and regulatory guidance at any time. We advise you to consult this Notice regularly when using our services. To the extent required by applicable laws, we will notify you of material changes made to this Notice. Revised notices will be posted on our website.