Throughout this Policy, references to “Illumiti” shall include “Illumiti Inc.”, “Illumiti Corp.”, “Illumiti One”, “Illumiti HCM”, “Illumiti Consulting AG” and any other entities within the Illumiti organisational structure from time to time.
Illumiti, its employees and leadership respect and protect the rights of individuals, in particular the right of all individuals to data protection and privacy during the processing and use of Personal Data as well as the right to privacy.
This Policy outlines an Illumiti-wide minimum standard for handling Personal Data in compliance with data protection and privacy laws worldwide, Illumiti’s contracts with employees and subcontractors, and external agreements with other parties. It defines requirements for all operational processes that affect Personal Data, as well as clear responsibilities and organizational structures. As soon as any function or process at Illumiti involves collecting, processing, or using Personal Data, the provisions of this Policy are to be adhered to. Illumiti’s leadership team and the relevant process owners are responsible for ensuring that all processes during which Personal Data is collected, processed, or used are designed such that the provisions of this Policy are fulfilled. It is the duty of all Illumiti employees and contractors to comply with the provisions of this Policy when handling Personal Data in the course of their work or engagement with Illumiti.
Illumiti is a consulting company specializing in SAP technology solutions. It is a North American company headquartered in Toronto, with additional offices in Atlanta, Boston, Calgary, Denver and Zurich.
Illumiti has numerous agreements with clients, employees, subcontractors and partners located within the European Union, including SAP itself. Therefore, the principles established through this Policy are based on the requirements of European data protection and privacy legislation, including but not limited to the EU General Data Protection Regulation 2016/679. If, in a certain case, applicable local law outlines stricter data protection and privacy requirements than this Policy, Personal Data will be handled in compliance with those stricter laws. Additional standards and/or guidelines within Illumiti that are issued as a result of this Policy must also take the applicable law into account in this respect. Questions on applicable law can be directed to Illumiti’s appointed Privacy Officer, who can be contacted at firstname.lastname@example.org.
Data protection and privacy rights of employees must be guaranteed in accordance with the law of the country in which the employment contract with the respective Illumiti entity was concluded, notwithstanding the local law of the country in which the employee data is processed or used. The legal responsibility for collecting, processing, and/or using the Personal Data of Illumiti employees always lies with the respective Illumiti employer. It is this employer’s duty to inform other Illumiti entities (for example, if the manager is an employee of a different Illumiti entity) if within the scope of processing and using Personal Data for their employees, different provisions apply for the protection of Personal Data from those defined in this Policy.
This Policy shall not restrict the right of Illumiti to use any employee’s or subcontractor’s Personal Data to the fullest extent legally possible in order to preserve its position during any actual or potential legal action or official proceedings.
The following definitions, whether capitalized or not as the case may be, apply throughout this Policy:
“anonymized” means, in the context of Personal Data, the outcome of making the direct or indirect identification of an individual person by use of that Personal Data impossible, even with the aid of other data or information;
“collecting” means procuring Personal Data on the Person Affected;
“Commissioned Data Processing” means the process by which Personal Data is transferred between Illumiti entities, or between Illumiti and a Commissioned Data Processor;
“Commissioned Data Processor” means a natural or legal person, authority, institution, or any other office that processes Personal Data on behalf of the Data Controller, for example, an external company or an Illumiti company that is not the Data Controller itself;
“consent” means explicit consent or implicit consent, as such terms are defined hereunder;
“Data Controller” means the Illumiti entity that makes decisions on the purposes and means of processing Personal Data of individuals. For the avoidance of doubt, where an Illumiti entity cannot be readily identified as the Data Controller, the Data Controller shall be Illumiti Inc., located at 123 Commerce Valley Drive E, Suite 500, Thornhill, Ontario L3T 7W8 Canada;
“deletion” means either the physical destruction of certain data or the anonymization of certain data in such a way that makes it impossible to relate such data to a natural person;
“EEA” means the European Economic Area;
“explicit consent” means an action by the Person Affected through which they allow the processing of Personal Data – for example, the declaration of consent with the sending of e-mails or entering of Personal Data (opt-in);
“identifiable” means, in the context of a person, one who can be directly or indirectly identified, in particular by reference to an identity number or to one or more factors specific to that person’s physical, physiological, psychological, economic, cultural, or social identity, e.g. names, telephone numbers, e-mail addresses, postal addresses, user IDs, tax numbers, or social security numbers, or indirectly on the basis of a combination of any such information;
“implicit consent” means where an active opt-out is required for processing to cease;
“Person Affected” means an identified or identifiable natural person whose Personal Data is affected by a data processing action. A person is deemed identifiable if he or she can be identified directly or indirectly, in particular by reference to an identity number or to one or more factors specific to that person’s physical, physiological, psychological, economic, cultural, or social identity;
“Personal Data” means all information on a Person Affected, including data on employees, applicants, former employees, clients, interested parties, suppliers, partners, users of Illumiti websites and services, and any other persons. The data may be contained in an Illumiti system, or in systems of third parties that operate these on behalf of Illumiti. Client systems that Illumiti or third parties on behalf of Illumiti operate are also relevant, as are systems operated by clients themselves if Illumiti employees can access the Personal Data stored in these systems while providing services, support, or consulting services;
“Privacy Officer” means the privacy officer appointed by Illumiti;
“processing” describes any operation performed with or without the aid of an automatic procedure, or any set of operations connected with Personal Data, for example, collecting, saving, modifying, storing, changing, transferring, locking, or deleting Personal Data;
“Special Categories of Personal Data” means categories of Personal Data based on the racial or ethnic origin, political views, religious or philosophical beliefs, union membership, felonies, penal convictions, health, or sexual preferences of persons, as well as Personal Data that can be misused for identity theft, for example, social security numbers, credit card and bank account numbers, as well as passport or driver’s license numbers;
“third party” means a natural or legal person, authority, institution, or any other office, except for the following: Illumiti; the Person Affected; the Commissioned Data Processor; or the persons who, under the direct responsibility of the Data Controller or the Commissioned Data Processor, are authorized to process the data. For the purposes of this Policy as well as applicable data protection and privacy laws, different companies within the Illumiti organizational structure are classified as third parties in relation to each other;
“using” means any use of Personal Data, except for processing.
Role of the Privacy Officer
The Privacy Officer is an appointed position within Illumiti. It reports directly to the Chief Executive Officer.
The Privacy Officer, in consultation with Illumiti’s leadership team, determines Illumiti’s data protection and privacy strategy in accordance with the strategic objectives of Illumiti and ensures that all Illumiti entities adhere to the applicable provisions of the data protection and privacy regulations. The Privacy Officer is to be supported in performing these tasks, in particular with the resources they require, and is to be provided with any requested information fully and without undue delay.
The Privacy Officer is free to exercise tasks as he/she sees fit, and must not be hindered or discriminated against for performing their tasks.
If a Privacy Officer’s appointment comes to an end or is otherwise terminated, Illumiti must make all reasonable endeavours to appoint a new Privacy Officer as quickly as possible.
The Privacy Officer shall be provided with reasonable time to administer their duties, and suitable resources shall be allocated to the Privacy Officer for them to perform their tasks. So that the Privacy Officer retains and benefits from learning resources and maintains the expertise necessary to fulfill their duties, they shall be permitted to participate in further education and professional development.
Illumiti may further collect and process any information and data that a website user volunteers to us, e.g. when a website user registers for events, subscribes to newsletters, participates in online surveys, discussion groups or forums, or when a website user views or downloads selected information and/or documents.
Illumiti uses IP addresses to help diagnose problems, to administer the Illumiti website, and to gather demographic information.
Illumiti will only gather information related to a website user’s visit to the Illumiti website. Illumiti does not track or collect personal information from a website user’s visits to websites of companies or entities other than Illumiti.
Illumiti may collect information during a website user’s visit to Illumiti’s website through automated tools, which include Web beacons, cookies, embedded Web links, and other commonly used information-gathering tools. These tools collect certain standard information that a website user’s browser sends to Illumiti’s website such as the website user’s browser type and language, access times, and the address of the website from which the website user arrived at Illumiti’s website.
Illumiti’s website may contain links to foreign (meaning non-Illumiti) entities’ websites. Illumiti is not responsible for the privacy practices or the content of websites outside of Illumiti and makes no warranties thereto.
Illumiti will take all reasonable measures to help maintain security of the data transmitted to Illumiti by users of Illumiti’s website.
Basic principles of protecting Personal Data
During every process that includes collecting, processing, or using Personal Data, Personal Data may be processed or used only in accordance with this Policy and to the extent permitted by law.
Processing is only allowed in the following cases:
If a Person Affected freely gave their consent, for example, when registering on a website or entering into a contract with Illumiti that includes the processing of their Personal Data.
In Illumiti’s provision of goods or services requested by a client, prospective client or partner.
In ensuring Illumiti’s compliance with export laws of various countries.
In Illumiti’s legitimate interest, such as questionnaires and surveys, creation of anonymized data sets, recordings for quality assurance purposes, other legitimate industry-related business improvement activities, marketing activities, sales activities or requests for feedback from relevant stakeholders.
If required to fulfill contracts with the Person Affected, for example, for an employment contract or a service contract.
Between Illumiti entities, provided such Personal Data is used only for the same purposes and under the same conditions as originally consented to by the Person Affected.
If legally required or permitted, for example due to tax, employment or social security laws.
Consent given by a Person Affected, as described above, will allow Illumiti to use that person’s Personal Data for the following purposes:
The provision to that person of news about Illumiti’s products and services, and SAP industry developments.
Creation of user profiles on Illumiti’s internal business- and time-management software.
In connection with an event, conference, seminar or webinar, where there is sharing of information for the purpose of communication and/or the exchange of ideas.
In connection with the registration for and access to an event, conference or seminar, Illumiti may ask for information about health for the purpose of being considerate of individuals who have disabilities or special dietary requirements.
Personal Data may be collected and processed for lawful purposes only. The respective purpose must be defined before the time at which the Personal Data is collected. Processing Personal Data for a purpose other than the one defined before the Personal Data was collected is permitted in exceptional circumstances only if the Person Affected consents to the processing or if stipulated by law.
Personal Data may only ever be collected to the extent absolutely necessary for fulfilling the purpose specified before it is processed or used; any other processing is not permitted, unless part of Illumiti’s legitimate business interest as described above.
Personal Data must be accurate at all times and corrected where necessary. Illumiti employees and contractors with access to automated mechanisms or software for the purpose are required to update their Personal Data once changes are known to them and advise their manager or their appropriate Human Resources manager. All other holders of Personal Data must advise their contact person within Illumiti of any changes or corrections required to their Personal Data. Save for these occurrences, Illumiti will be deemed to not be aware of any desired or necessary changes to Personal Data in its possession.
A person must not suffer any detrimental effects if they choose not to consent or provide Personal Data; however, in making that choice, that person acknowledges that there are certain circumstances in which Illumiti cannot take action without certain Personal Data, for example because the Personal Data requested is required to process orders or provide access to a web offering or newsletter. In such cases, Personal Data may be retained only for as long as is absolutely necessary for the purposes specified, where otherwise legally required, or until it is objected to by the Person Affected. Thereafter, Personal Data must be deleted or anonymized. For more information, see section 8.3 below.
Responsibilities for Data Protection and Privacy
The legal responsibility for collecting, processing, and using Personal Data within Illumiti lies with the officers and directors of the Illumiti entity that collects, processes, or uses the Personal Data for Illumiti’s business purposes.
Within Illumiti, responsibility can be delegated along the organizational structure of Illumiti by means of documented instructions from management, guidelines, and business processes that involve the explicit transfer of responsibility to managers at different levels as well as employees.
The relevant Illumiti officers and directors are responsible for structuring all processes during which Personal Data is collected, processed, or used in such a way that the requirements of this Policy are fulfilled.
The following tasks are the responsibility of management in every Illumiti entity:
Ensuring that there is continuous monitoring of the applicable privacy law.
Ensuring that processes, during which Personal Data is collected, processed, and/or used, are in line with applicable law and that local and global process owners are informed of necessary changes.
Ensuring that all approvals required by the supervisory authorities for collecting, processing, using, and transferring Personal Data have been granted and that the necessary notifications have been sent to the relevant supervisory authorities.
Global Human Resources
Before commencing an activity during which access to Personal Data cannot be excluded, every employee, contractor and third party acting on behalf of Illumiti who can reasonably be foreseen to be involved in that activity is to be instructed that they are not permitted to collect, process, or use Personal Data without authorization (data protection) and that this data must be handled confidentially.
Employees and contractors are to be made aware of the consequences of violating this Policy and data protection laws. This Policy and other internal company guidelines that govern the handling of Personal Data are to be brought to employees’ attention upon employment. The instruction must be documented in writing or in another form, and will be available to employees from the Privacy Officer at all times.
It is the duty of all Illumiti employees and contractors to treat Personal Data to which they have access in the course of fulfilling their employee or contractual duties with Illumiti as confidential.
Illumiti employees may collect, process, and/or use Personal Data only to the extent required to fulfill their duties and in accordance with approved processes. If collecting, processing, or using Personal Data is not recognizably prohibited for the employee, he or she may rely on the legality of the relevant instructions from Illumiti management. In case of doubt, employees may contact the Privacy Officer for clarification.
Storage and Processing
Personal Data will be stored by Illumiti and potentially Illumiti’s third-party service providers within Canada, the USA, the European Union and Switzerland. This Policy applies regardless of where Personal Data is stored.
Notification, Accuracy of Personal Data, and Inspection
A Person Affected must be informed in a suitable manner that their Personal Data is being collected, processed, and/or used. Usually, they are to be informed before the time at which Personal Data is collected.
The Person Affected must be informed of the Illumiti entity collecting the Personal Data; the purpose for collecting, processing, or using the Personal Data; and other recipients to whom their Personal Data will be transferred. This information must be provided in a way that is easy to understand.
Stored Personal Data must be accurate. Inaccurate Personal Data must be corrected or deleted as soon as practicably possible.
A Person Affected may, at any time, request information about the Personal Data stored on them, its origin, purpose for storing, a copy of the Personal Data itself, and recipients to whom the Personal Data is passed on. Illumiti will carefully consider such a request and discuss same with the Person Affected. Queries or complaints submitted by a Person Affected must be processed by the responsible Illumiti entity without undue delay or according to those timeframes imposed by local law, whichever is the earlier. Objections from a Person Affected with regard to the processing of Personal Data must be investigated and, if necessary, remedial action must be taken.
A Person Affected may, at any time, lodge a complaint with the data protection authority of the country with which the relevant Personal Data has a necessary connection.
Duration of storage and Personal Data deletion or anonymization
This section applies insofar as it is possible for Illumiti to delete the relevant Personal Data in its possession.
For every process in which Personal Data is collected, processed, or used, a schedule must be defined for the regular deletion of Personal Data after the specified purpose has been fulfilled, if the legal basis for retaining the Personal Data no longer applies, or if the Person Affected objects to the retention of the Personal Data or otherwise withdraws their consent to Illumiti’s retention of the Personal Data.
Instead of being deleted, Personal Data may also be irreversibly anonymized. If, for technical or legal reasons (for example, if the retention of Personal Data is legally required for compliance with tax laws), it is not possible to either delete or anonymize Personal Data, such Personal Data must be blocked for any further processing and/or use, as well as for further access.
Where a Person Affected withdraws a consent granted hereunder, Illumiti will not process Personal Data subject to the withdrawn consent unless legally required to do so. In case Illumiti is required to retain Personal Data for legal reasons, such Personal Data will be restricted from further processing and only retained for the term required by law; however, a withdrawal of consent has no effect on past processing of Personal Data by Illumiti up to the point in time of the withdrawal.
Additional Rules for Special Categories of Personal Data
Special Categories of Personal Data are to be treated as equal to Personal Data.
In the instances in which Illumiti collects Special Categories of Personal Data, Illumiti must ensure that the Persons Affected have been informed in advance and have given their consent. Provided that applicable law does not determine otherwise, Special Categories of Personal Data may be collected, stored, processed, and transferred only with the explicit consent of the Persons Affected. Increased precautions (for example, physical safety features, encryption, and access restrictions) that are appropriate for the heightened sensitivity of the Special Categories of Personal Data are to be taken for collecting, storing, processing, and transferring such data.
The following additional rules apply for Special Categories of Personal Data:
The collection, processing, and/or use of such data must be transparent for the Persons Affected at all times.
Consent given by Persons Affected must refer explicitly to these Special Categories of Personal Data.
Processes that involve collecting or using Special Categories of Personal Data may be configured only after a prior check performed by the Privacy Officer.
Transfer of Personal Data and Commissioned Data Processing
If Personal Data is to be exchanged between Illumiti entities or with other companies (Commissioned Data Processors), it must first be checked whether contractual agreements on data protection and privacy, and data security are required. Such a check is always required if an Illumiti entity is to process data on behalf of another Illumiti entity, or if a Commissioned Data Processor is to process Personal Data on behalf of an Illumiti entity (a transfer for processing purposes). A check is also necessary if an Illumiti entity transfers Personal Data to another Illumiti entity or a Commissioned Data Processor (for example, a service provider, partner, or client), and the Commissioned Data Processor wishes to use the Personal Data for its own business purposes (transfer for own purposes).
If Personal Data under the legal responsibility of Illumiti is transferred to a Commissioned Data Processor located outside the EEA, it must also be ensured in advance that a suitable level of protection in accordance with Articles 25 and 26 of the EU Data Protection Directive (95/46/EC) is guaranteed.
If Personal Data is transferred, the following rules apply:
Transfer for commissioned processing:
The Illumiti entity that commissions or instructs another Illumiti entity or a Commissioned Data Processor to collect, process, or store Personal Data is responsible for compliance with the requirements of data protection and privacy regulations.
This responsibility does not cease with the transfer to the other Illumiti entity or the Commissioned Data Processor.
Every Illumiti entity must ensure that Commissioned Data Processors that collect, process, or store Personal Data on their behalf, are reviewed in advance and then regularly to ensure that they comply with the requirements of data protection and privacy regulations and that the necessary contracts with these companies have been concluded.
Transfer for recipient’s own purposes:
The transfer of Personal Data to a Commissioned Data Processor for their own purposes (for the avoidance of doubt, this means any purposes other than those of Illumiti) is allowed only if this is permitted or required by law or if the Persons Affected have given their prior consent.
The transferring Illumiti entity must ensure that the legal requirements are checked before the data is transferred.
Transfer to state agencies (authorities and courts):
Illumiti may transfer Personal Data to governmental agencies only on the basis of applicable law or lawful request.
In the event of a request for information from a governmental authority or a court of competent jurisdiction, Illumiti will inform the Person Affected of this without undue delay.
Transfer of clients’ Personal Data
Illumiti will generally make all reasonable efforts to avoid processing clients’ Personal Data. However, from time to time in the course of its business, Illumiti may be required to process clients’ Personal Data. The transfer and use of such Personal Data must be performed in full compliance with applicable law and those additional obligations agreed in the contract between Illumiti and the client. Personal Data of clients may never be passed on to third parties without an appropriate legal or contractual basis.
Data Protection and Privacy Supervisory Authorities
If required by law or contract, Illumiti must always cooperate with any data protection and privacy supervisory authority irrespective of whether such authoritative entity is based inside or outside the EEA.
If such an authority requests information or otherwise exercises their right of investigation, the Privacy Officer must be informed without delay. The Privacy Officer shall then act as the primary coordinator to formulate an appropriate response to the query, in consultation with relevant Illumiti departments. The Privacy Officer will act as the direct contact with the relevant authorities.
Data Protection and Privacy Standards
This Policy may be specified and enhanced through data protection and privacy standards, upon review and consideration by the Privacy Officer.
Raising Awareness and Training
Illumiti, through the Privacy Officer and other appropriate staff, shall take measures to raise awareness at regular intervals. All employees and third parties acting on behalf of Illumiti are regularly informed about both their duties and their rights within the scope of this Policy and all applicable laws.
Illumiti shall ensure its employees, especially new employees, are adequately trained in this Policy.
This Policy is provided as information only. Illumiti reserves the right to change the Policy at any time without giving notice.