Randstad information on joint controllership pursuant to Art. 26 of the General Data Protection Regulation (GDPR)

Pursuant to Art. 26 GDPR, with the following information we provide you with a summary of the processing activities where Randstad UK and other entities belonging to the Randstad Group jointly determine the purposes and means of processing your personal data. The following information also clarifies their roles and how you can exercise your rights under the GDPR in relation to the jointly-controlled processing of your personal data.

who could be the joint-controllers processing your personal data?

-        Randstad UK, with Randstad UK Holding Ltd and registered office in the UK, 450 Capability Green, Luton, Bedfordshire, United Kingdom, LU1 3LU;

-        Randstad B.V, registered at the Chamber of Commerce under number 34126765 and registered office in the Netherlands, Diemermere 25, 1112 TC Diemen; and,

-        Randstad N.V, registered at the Chamber of Commerce under number 33216172 and registered office in the Netherlands, Diemermere 25, 1112 TC Diemen, specifically for the Misconduct Report Procedure;

(hereinafter referred to as "the Parties")

what have the Parties agreed to?

The Parties have defined in an agreement the principles for the processing of your personal data and their respective responsibilities for the jointly controlled processing activities. In particular, the Parties have agreed on who is responsible for handling any requests by you when exercising your rights under Articles 15 to 22 GDPR and for adequately informing you on the processing of your personal data in accordance with Articles 13 and 14 GDPR.

The essential content of this agreement and the concerned processing activities are explained in the following sections.

how is the cooperation organized between the Parties?

In the agreement, the Parties have specifically defined their responsibilities and obligations for the jointly controlled processing activities. The competent data protection authority(ies) is also defined.

The Parties that have appointed data protection officers, these officers will act as internal contacts for all data protection issues related to the jointly controlled processing activities.

who assumes which obligations under the GDPR?

The Parties have contractually committed themselves to ensuring GDPR compliance within their area of responsibility and influence, in particular the distribution of responsibility covers the general data principles, legal basis, security measures, data breach notifications obligation, data protection impact assessments, the use of processors, third country transfers and contacts with data subjects and supervisory authorities. In particular, each Party within its respective area of responsibility and influence is responsible for the following obligations:

 a)  General Data Protection Principles: obligations for the data processing activities to comply with the following data protection principles under the GDPR:

—            Lawfulness, fairness and transparency

—            Purpose limitation

—            Data minimisation

—            Accuracy

—            Storage limitation

—            Integrity and confidentiality;

1.  Legal Basis: obligation to ensure there is a lawful basis for the jointly controlled data processing activities;
2. Accountability: obligation to implement technical and organisational measures to ensure and to be able to demonstrate compliance;
3. Privacy by design and privacy by default obligations;
4. Data Processor: obligation to conclude written agreement with processors; manage processors; monitor the processors’ compliance with their obligations under the GDPR and under the data processing agreement; and that each Party is responsible for managing its own processors;
5. Record Keeping: Obligation to keep records of processing activities/data mapping;
6. Personal Data Breach Notification: obligation to (jointly or individually) notify personal data breaches, as defined under the GDPR, to the competent data protection authority and/or to the data subjects;
7. Data Protection Impacts Assessment: obligation to carry out a data protection impact assessment (jointly or individually);
8. Data Protection Officer: obligation to designate a data protection officer; and,
9. Data Transfers: obligation to comply with restrictions on international data transfers.

b. Randstad UK is responsible for the following obligations:

1. Obligation to provide information to the data subjects in accordance with the Articles 13 and 14 GDPR;
2. Obligation to handle and respond to requests from data subjects exercising their rights under the GDPR;
3. Obligation to make the essence of the joint controllership arrangement available to the data subjects; and,
4. Possibly - the notification of a personal data breach with the competent supervisory authority.

which are the jointly controlled processing activities under scope of this summary?

The Parties are jointly responsible for the processing of the following activities:

Misconduct Report Procedure

joint-controllers

 -     Randstad UK and Randstad N.V.

purpose

In order to assist in the reporting of concerns related to serious misconduct within the Randstad Group, we have established dedicated channels through which stakeholders may voice concerns, either through local reporting mechanisms in place at the operating company level or through our Randstad Group reporting procedure, where the processing is jointly-controlled.

The personal data obtained as part of any report, communication/complaint and investigation, will be used by the Parties for the purpose of: (i) carrying out the appropriate investigations into the alleged inappropriate/illegal behaviors that it has been reported; (ii) guarantee the protection against reprisals of any natural person involved in the procedure and, especially, of the informants (with the exceptions indicated in the Procedure); (iii) adoption of corrective measures or any other action relevant to a specific inappropriate/illegal conduct (eg reporting to the competent authorities) and; (iv) comply with applicable regulations and, in particular, those governing the protection of individuals who report violations of regulations and the fight against corruption.

which categories of personal data?

Depending on the nature of the reports or investigations to be carried out, the Parties may process all or some of the following categories of personal data: identification and contact data, data relating to personal characteristics, academic data and professionals, employment details, data relating to business information or social circumstances, economic, financial or insurance data, property or insurance transactions, special categories of data (e.g. health data, criminal records, political opinions, etc.) and, in general, all the personal data that may be included in a complaint derived from inappropriate/illegal conduct.

which are the concerned data subjects?

Depending on the reports or investigations, the data subjects whose personal data can be processed may be: Randstad employees, clients and prospective clients, candidates, temporary workers and vendors.

what is the legal basis for this jointly controlled activity?

Processing is necessary for the purpose of the compliance with a legal obligation to which the Parties are subject to. In the case of Randstad companies with fewer than fifty workers or those to which the

Sanction Checks

joint-controllers

-     Randstad UK and Randstad B.V.

purpose

With the purpose of either protecting national security interests, international law, and/or defend against threats to international peace and security, governments of individual countries, international organizations (e.g., United Nations) or political and economic groupings implement political and economic decisions against countries, territories, regimes or organizations, and businesses and/or individuals (“Designated Parties”).

In order to comply with such decisions and rules, the Parties screen individuals against “Freeze lists” which are issued by international organizations and economic groupings, such as the United Nations Security Council and the European Union, respectively, as well as by individual states, through a process supported by the local sanctions team of each Randstad Group entity, and subject to confidentiality as much as possible. The purpose and means of such screening of individuals is jointly determined by the Parties.

For the purposes mentioned above, the Parties may transfer personal data to other Randstad entities that provide services on behalf of the concerned Randstad entity.

which categories of personal data?

For sanction checks, the following categories of personal data may be processed: name, e-mail, contact details, company, role, identification number, date of birth, work location, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and criminal or administrative convictions and offences, in accordance with applicable laws.

which are the concerned data subjects?

Business partners and contracted individuals (e.g., freelancers, independent contractors or consultants); and contracted talent and corporate staff.

what is the legal basis for this jointly controlled activity?

Processing is necessary for the purpose of compliance with laws and regulations, including but not limited to employment law, tax and social security and national and international sanctions regulation compliance that the Parties are subject to.