Effective Date: May 25, 2018
I. Introduction & Notice
The policy of Lucid is to respect and protect Personal Data collected or maintained by or on behalf of Lucid. In furtherance of the Lucid’s commitment to this Policy, Lucid has certified to adhere to the Privacy Principles set forth in the US-EU & US-Swiss Privacy Shield Frameworks pertaining to Personal Data related to employees of Lucid residing in the European Economic Area (“EEA”) and processed in support of Lucid’s human resources operations. This Policy applies to all Personal Data processed by Lucid (whether in electronic or tangible format) related to employees of Lucid residing in the EEA.
This Policy sets forth the principles under which Lucid manages the processing of Personal Data that it receives from its employees in the EEA in support of its human resources operations. In connection with Lucid human resources operations, Lucid may now and/or in the future transfer or provide access to Personal Data regarding employees of the EEA to the United States.
- “Processor” means any third party that processes personal information pursuant to the instructions of, and solely for the benefit of, Lucid or to which Lucid discloses personal information for processing on Lucid’s behalf.
- “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- “Data Subject” is a natural person resident in the EEA who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. For purposes of this Policy, Data Subject shall be restricted to any current and former Lucid employees, including but not limited to, temporary and permanent employees, retirees, and other former employees as well as dependents of such employees.
- “Personal Data” means any information or set of information in any form that relates to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.
- “Processing of Personal Data” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- “Sensitive Personal Data” means Personal Data that reveals a natural person’s race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, any information that concerns a natural person’s sex life or health, or information relating to the commission of a criminal offense.
c. Regulatory Oversite
Lucid has further committed to cooperate with EU Data Protection Authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.
Lucid shall inform Data Subjects that it participates and subjects itself to the Privacy Shield principles, the purpose for which it collects and uses Personal Data and the types (or identity) of processors to whom Lucid discloses or may disclose that Personal Data. Lucid will provide notice in clear and conspicuous language when Data Subjects are first asked to provide Personal Data to Lucid, or as soon as practicable thereafter, and in any event before Lucid uses or discloses the Personal Data for a purpose other than that for which it was originally collected.
Lucid, in its capacity as Controller, collects Personal Data and Sensitive Personal Data about its employees for human resources or compliance related functions, including, without limitation, recruiting, onboarding, performance appraisals, taxation, travel, equal opportunities monitoring, legal and regulatory compliance, security management, health and safety and payroll or benefit distribution. The legal basis for us processing your Personal Data for these purposes are because the processing is: (i) necessary to fulfill the employment contract we have in place with Data Subjects; and/or because it is necessary for the purposes of our legitimate interests.
If Lucid intends to use Personal Data for purposes outside of the Company’s human resources related functions (such as marketing communications) or uses the Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject, Lucid will offer the Data Subject the opportunity to affirmatively or explicitly consent (opt-out).
IV. Data we collect
Lucid collects various types of Personal Data about Data Subjects for the purposes described in paragraph III above. This includes, but is not limited to the following categories:
- Recruitment information, such as resume and application form.
- Contact information, such as home address, home phone number, and personal email addresses.
- Family information, such as marital status and information about dependents.
- Identification information, such as national identifier, driver license number, date of birth.
- Financial information, such as bank account, salary and employment benefits details (including beneficiary and spousal information).
- Career and job performance information, such as appraisals, details of skills and experience, absence details, and disciplinary records.
- Sensitive personal data, such as medical or health information.
- Automatically collected information, such as information collected via Cookies and web beacons including IP address, browser name, operating system details, domain name, date and time of visit and page(s) viewed. Data Subjects may instruct his or her web browser not to accept cookies; however, this may affect the employee’s use and enjoyment of the Lucid’s intranet site.
V. Third parties
We do not rent, sell, share, or otherwise distribute Personal Data to unrelated third parties except as required by law and in these circumstances:
- We may share, transfer, or disclose Personal Data in our databases and server logs in the event of our sale, merger, reorganization, dissolution, or similar event, protect your vital interests, and/or protect the security or integrity of our databases or services. We will inform you of any such transfer or disclosure as required by law.
- We may be required to disclose your Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
VI. Accountability for Onward Transfer
Prior to disclosing Personal Data to a processor, Lucid shall enter into contracts to ensure that any
processor to whom Personal Data may be disclosed is aware of and adheres to the Principles or is subject to law providing the same level of privacy protection as is required by the Principles and agrees to provide an adequate level of privacy protection. The Company shall also, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing by processors and agrees to provide a summary or a representative copy of the relevant privacy provisions of its contracts with processors to regulators upon request.
Lucid takes reasonable and appropriate administrative, technical and physical measures to protect the confidentiality, integrity and availability of Personal Data, whether in electronic or tangible, hard copy form. Lucid shall take reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
VIII. Data Integrity & Purpose Limitation
Lucid limits the collection, use and retention of Personal Data to that relevant for the intended purposes for which it was collected or authorized by the Data Subject and takes reasonable steps to ensure that all Personal Data is reliable, accurate, complete and current. Lucid depends on its employees to keep Personal Data reliable, accurate, complete and current and will rely on its employees to maintain the integrity of all Personal Data they provide to Lucid. Lucid shall adhere to the Privacy Shield principles for as long as it retains the Data Subject’s Personal Data.
IX. Data Subject Rights
Lucid allows Data Subjects, in accordance with applicable law, to access their Personal Data and to correct, amend or delete inaccurate Personal Data that Lucid holds about them. Lucid also allows Data Subjects to exercise any other applicable rights. Lucid will respond to such requests in accordance with its obligations under the Privacy Shield and applicable law. Please contact the Privacy Program Office for more information Data retention.
X. Data Retention
Lucid will retain Personal Data for the duration of your employment and for a period of time thereafter where required by applicable law or where we have a legitimate and lawful purpose.
XI. Recourse, Enforcement & Liability
Lucid uses a self-assessment approach or outside compliance review to assure compliance with this Policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, is disseminated to its employees, is completely implemented and accessible and is in conformity with the Principles set forth in this Policy. Lucid encourages interested persons to raise any concerns using the contact information provided below and will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles.
In addition, Lucid has agreed to cooperate with the European Data Protection Authorities (http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm) for the purpose of handling any unresolved complaints regarding Personal Data concerns. Data Subjects (employees) may engage their local Data Protection and/or Labor Authority concerning adherence to the Principles and the Company shall respond directly to such authorities with regard to investigations and resolution of complaints. This is provided at no cost to you.
Individuals in the EU have the right to invoke binding arbitration if certain conditions are met. More information about when this is applicable is available at www.privacyshield.gov and from your local EU data protection authority.
As mentioned above, we may disclose Personal Data to third-party service providers that we use to support our business. We remain responsible under the Privacy Shield Principles if these third parties process your personal information in a manner inconsistent with the Privacy Shield Principles (unless we are not responsible for the event giving rise to the damage).
This Policy may be amended consistent with the requirements of Privacy Shield. When Lucid updates the Policy, it will also revise the “Last Updated” date at the top of this document. Any material changes to this Policy will also be posted on the Lucid intranet.
XIII. Contact Information
We maintain procedures to address privacy-related inquiries, complaints, and disputes based on the regulations in the countries where Lucid has employees. For EU Data Subjects, please us our Data Rights Portal to inquire about your rights.
Questions, comments or complaints regarding this Policy or Lucid Personal Data processing practices can be mailed or emailed to:
Lucid Holdings, LLC
365 Canal Street
New Orleans, LA 70130
United States of America