Safe Harbor Policy
If there is any conflict between the policies in this statement and the Principles, the Principles will govern. This statement outlines the general policy and practices for implementing the Principles, including the types of information HOK gathers, how the information is used, and the choices affected individuals have regarding HOK’s use of, and their ability to correct, that information.
The use of EU Personal Data will include global enterprise headcount reporting, statistical analysis, compensation planning and related transactions, career development, staffing, international personal security issues, internal investigations, ethics investigations, law enforcement inquiries, U.S. Government agency inquiries, disaster recovery and business continuity efforts, mergers, acquisitions, and divestitures, and performing services required by contract.
The EU adopted the Directive on Data Protection (“EU Directive”), which requires EU member states to adopt laws protecting Personal Data collected or processed within their borders. These laws must, among other provisions, restrict the transfer of Personal Data only to countries that have data protection laws deemed “adequate” under standards established in the EU Directive. The U.S. Department of Commerce and the European Commission have agreed on the Principles to enable U.S. Companies to satisfy the requirement under EU law that adequate protection be given to Personal Data transferred from the EU to the U.S.
Identifiable Person means a natural person that is or can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity. Identifiable Persons may include any employee, applicant, former employee, or retiree of HOK, its operating divisions, or subsidiaries in the EU or of its clients.
Personal Data is any information about an Identifiable Person that
- is within the scope of the EU Directive,
- is received by HOK in the U.S. from the EU,
- is recorded in any form,
- is about, or pertains to, a specific individual, and
- can be linked to that individual.
Personal Data does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public Personal Data.
Processing means any online or offline, manual or automatic processing and includes such activities as copying, filing, and inputting Personal Data into a database.
Sensitive Data is data that pertains to medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation. We will also treat as Sensitive Data any information received from a third party that the third party treats and identifies as sensitive data.
Where HOK collects Personal Data directly from Identifiable Persons in the EU, it will inform such persons about the type of Personal Data collected, the purposes for which it collects and uses the Personal Data, the types of non-agent third parties to which HOK discloses or may disclose that information, and the choices and means, if any, HOK offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to HOK, or as soon as practicable thereafter, and in any event before HOK uses or discloses the information for a purpose other than that for which it was originally collected.
Where HOK receives Personal Data from its subsidiaries or operating divisions in the EU, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to which the Personal Data relates.
To the extent practical and appropriate, HOK collects Personal Data directly from the Identifiable Person. In those cases where HOK collects Personal Data from other persons, it takes measures to respect the privacy preferences of the Identifiable Persons. Examples of when HOK may seek information from others include, without limitation, evaluating employees, recruiting, benefit administration and succession planning.
HOK’s collection and use of Personal Data in the employment context is essential to the conduct of HOK’s human resources and business functions. Examples of the purposes for which HOK collects and uses Personal Data include, without limitation, recruitment, payroll, and personnel management, such as compensation, promotion, evaluation, benefit administration and succession planning.
While recognizing that all Personal Data deserves to be protected, HOK exercises special precautions and safeguards for Sensitive Data.
HOK will offer Identifiable Person(s) the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. In addition, where consent of Identifiable Persons or their representatives is required by law, contract, or agreement for the collection, use, or disclosure of Personal Data, HOK will request such consent and respect the Identifiable Person’s choice in such matters.
In certain limited or exceptional circumstances, in accordance with the Safe Harbor Principles, HOK may disclose Personal Data without notice or the consent of the Identifiable Person. For example, this may occur when HOK is required to disclose information by law or legal process or in the vital interests of the Identifiable Person, such as when life or health are at stake.
Except as provided by the Safe Harbor Principles or applicable law, an Identifiable Person must give affirmative permission (opt-in consent) before HOK will disclose Sensitive Data to a third party or use Sensitive Data for a purpose other than those for which it was originally collected or subsequently authorized by the Identifiable Person.
HOK will provide Identifiable Persons with reasonable mechanisms to exercise their choices.
3. Onward Transfer
To enable HOK to provide employees with certain services such as payroll direct deposit, personnel benefits, or other human resource services, HOK may disclose Personal Data without consent to sub-contractors, vendors or other third parties, if the third party (i) subscribes to the Safe Harbor Principles, (ii) is subject to laws meeting the minimum standards required by the EU Directive or (iii) enters into an agreement with HOK obligating the third party to provide at least the same level of privacy protection as required by Safe Harbor Principles.
HOK takes reasonable precautions to protect Personal Data against loss, misuse and unauthorized access, disclosure, alteration, destruction and theft.
These precautions include password protections for online information systems and restricted access to Personal Data. All inquiries from outside HOK, whether written or oral, concerning the identity, employment record or performance of an employee or former employee must be referred to the Human Resources Department.
Employees are responsible for helping maintain security through safeguarding Personal Data, e.g., by protecting passwords used to access HOK computer systems, by keeping paper records under lock and key when not in use, and by disposing of files and reports no longer needed in a secure manner.
5. Data Integrity
HOK takes reasonable steps to keep Personal Data relevant and reliable for the purposes for which it is to be used, accurate, complete, and up-to-date. Each Identifiable Person is responsible for informing HOK or its EU subsidiaries of any changes in Personal Data so that the information that HOK holds about him or her is relevant and reliable for the purposes for which it is to be used, accurate, complete and up-to-date.
HOK retains Personal Data only as long as necessary to meet the purposes for which it was collected or as required by law, contractual agreement, or the Safe Harbor Principles.
Certain Personal Data may be archived to administer post-employment benefits, to meet legal requirements, to provide evidence in cases of litigation, for statistical purposes, or to assist in decisions relating to re-employment.
HOK uses reasonable procedures, following retention guidelines, to ensure that it archives or destroys Personal Data no longer required for the purposes for which it was originally collected, unless otherwise agreed to by the Identifiable Person.
HOK provides Identifiable Persons with a reasonable opportunity to examine their Personal Data, to challenge its accuracy and to have it corrected, amended or deleted as appropriate, subject to certain exceptions as set out below. Upon request, Identifiable Persons will be given reasonable access to the Personal Data HOK holds about them. Reasonable access means that requests for access are made during normal business hours, following standard procedures, and that the frequency of access requests is not excessive.
If an Identifiable Person is denied access to Personal Data, HOK will provide such Identifiable Person with the reason(s) for denying access and a contact point for further inquiries.
If the Identifiable Person notifies HOK that the Personal Data on file is incorrect and provides HOK with appropriate supporting documentation, HOK will either correct the Personal Data or direct the Identifiable Person to the source of the information for correction.
If, upon review, HOK believes that the existing Personal Data is correct, HOK will inform the Identifiable Person. If the Identifiable Person continues to dispute the accuracy of the Personal Data, HOK will note that dispute in the record of the Identifiable Person upon written request.
The Safe Harbor Principles provide for some exceptions to the obligation to provide access to Personal Data. Access to confidential or proprietary information, such as business reorganization or succession plans, or where granting access has to be balanced against the privacy interests of others, may be restricted. In addition, access may be denied
- when the information requested relates to an ongoing investigation, litigation or potential litigation,
- where the burden or expense of providing access would be disproportionate to the risks to the privacy of the Identifiable Person or
- when the rights of persons other than the Identifiable Person would be violated.
7. Enforcement and Dispute Resolution
For complaints that cannot be resolved between HOK and the complainant, HOK has agreed to participate in the dispute resolution procedures of the U.S. Department of Commerce for Safe Harbor companies. HOK further agrees to cooperate with the European Data Protection Authorities.
HOK’s privacy practices are self-certified annually to the U.S. Department of Commerce. The HOK Director of Human Resources is responsible for:
- Overseeing responses to inquiries and resolutions of complaints relating to the privacy of Identifiable Persons;
- Working with HOK’s legal department to ensure HOK’s ongoing compliance with applicable privacy laws and agreements, as well as any obligations HOK may enter into voluntarily, such as the Safe Harbor Principles; and