DAYFORCE PRIVACY NOTICE

The Dayforce Privacy Notice was updated on December 30, 2019.

OVERVIEW

Ceridian is committed to protecting your personal data. As part of this commitment, Ceridian has established a privacy program that demonstrates our due diligence to privacy laws.

SCOPE

This notice applies to the collection, use, sharing, disclosure, retention, and deletion of personal data within the Dayforce HCM product suite, including mobile applications and the recruiting portal by Ceridian, its affiliates and third-party service providers.

It applies to all personal data in Ceridian’s control, whether it is stored and/or processed on Ceridian property or stored and/or processed by a third-party service provider.

If you are an individual whose employer uses the Dayforce suite of products, you should understand that the contract between Ceridian and your employer/prospective employer ultimately governs the use of your data by Ceridian. Notwithstanding, this notice provides transparency into that arrangement.

Other Ceridian products and services are covered by the following privacy notices:

DEFINITIONS

Controller

The natural or legal person, public authority, agency or other body which alone or jointly determines the purposes and means of the processing of personal data.

Customer

An organization that has entered into a business relationship with Ceridian to perform a service.

Individual

The natural person about whom information is being processed.

Personal Data

Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly by piecing information together.

Processing

Any activity which is performed on personal data or on sets of personal data from collection through use and disposal, including storing and sharing with others.

Processor

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

ACCOUNTABILITY

Ceridian, its employees, and contractors take responsibility for personal data in accordance with Ceridian policies and standards. Ceridian’s Chief Privacy Officer is responsible for defining the requirements of this policy and for ensuring compliance with its provisions. The Chief Information Security Officer is responsible for implementing and maintaining appropriate controls and measures to enable compliance. Ceridian trains its employees with respect to its privacy policies and practices including Ceridian's Ten Privacy Principles.

Ceridian acts as a processor when it processes the personal data of its customers, who are the controllers. Customer personal data is controlled by the customer and Ceridian manages the personal data at the direction of its customers.

In some instances, Ceridian acts as a controller, which means that Ceridian controls the personal data that is being processed. Examples include, but are not limited to:

Ceridian is liable for personal data it processes and for personal data Ceridian provides to third-party service providers for processing. With respect to personal data that has been transferred to a third-party service provider to be processed, contractual requirements are used to provide a comparable level of protection. Ceridian’s liability for a third-party’s performance of its obligations is set forth in each agreement that Ceridian signs with its Customers, and Ceridian assumes liability for the performance of the services and obligations subcontracted to such third-party service providers, including those related to the protection of personal data.

As a controller our services may involve the transfer of personal data to third parties (for example, background screening).

Our services also involve the transfer of personal data to third parties (for example banks, retirement program providers, and tax agencies) as instructed by our customers. In these cases, Ceridian does not have a direct relationship with the third party and is not liable for the processing of personal data in their possession. These third parties have their own independent obligations with respect to the personal data, usually by operation of law or through contracts with Ceridian’s customers.

Our application may link to third parties’ applications. It is also possible that third parties’ applications may link to our application. We are not responsible for the content or the privacy practices employed by third parties and personal data collected by third parties is not governed by Ceridian’s privacy notice. We encourage you to read the privacy policies of these applications before transmitting any personal data to third parties.

Ceridian will conduct periodic assessments to confirm the accuracy of this notice and verify its adherence to Ceridian's Ten Privacy Principles. In addition, Ceridian will deploy internal auditing measures to monitor its compliance and to address all questions or complaints.

THE PERSONAL DATA WE PROCESS AS A SERVICE PROVIDER

As part of the services we offer, Ceridian’s customers provide personal data that Ceridian processes on their behalf. In some cases, another service provider of a Ceridian customer may send personal data to Ceridian on the customer’s behalf or you may provide personal data to Ceridian directly through the application. While Ceridian provides transparency into its practices, ultimately, Ceridian’s customers are responsible for notifying employees and for obtaining appropriate consent when they collect personal data and transfer it to Ceridian. An organization may contact you to obtain your specific consent to contact references, to conduct background checks, to obtain sensitive information, and/or for employment verification. Ceridian assumes no responsibility for obtaining or validating that appropriate consent has been obtained in respect of personal data transferred to Ceridian by organization(s) and/or customers.

Personal data collected as required to deliver contracted services includes the following categories of personal and sensitive data:

Information for California Residents. California Civil Code Sections 1798.115(c), 1798.130(a)(5)(c), 1798.130(c), and 1798.140 indicate that organizations should disclose whether certain categories of personal data are collected, “sold” or transferred for an organization’s “business purpose” (as those terms are defined under California law). Ceridian does not sell personal data. You can find a list of the categories of personal data that we collect and share here. Please note that because this list is comprehensive it may refer to types of personal data that we share about people other than yourself. If you would like more information concerning the categories of personal data (if any) we share with third parties or affiliates, please submit a written request to us using the information in the “Exercising Your Rights” or "Contact Us" sections below. We do not discriminate against California residents who exercise any of their rights described in this Privacy Notice.

We may collect personal data from you in the following ways:

Personal data may be processed for the following purposes to deliver services:

THE PERSONAL DATA WE PROCESS AS AN ENTITY

Ceridian may collect personal data from you directly via our product suite, including our mobile app.

Personal data collected includes the following categories of personal and sensitive personal data:

Information for California Residents. California Civil Code Sections 1798.115(c), 1798.130(a)(5)(c), 1798.130(c), and 1798.140 indicate that organizations should disclose whether certain categories of personal data are collected, “sold” or transferred for an organization’s “business purpose” (as those terms are defined under California law). Ceridian does not sell personal data. You can find a list of the categories of personal data that we collect and share here. Please note that because this list is comprehensive it may refer to types of personal data that we share about people other than yourself. If you would like more information concerning the categories of personal data (if any) we share with third parties or affiliates, please submit a written request to us using the information in the “Exercising Your Rights” or "Contact Us" sections below. We do not discriminate against California residents who exercise any of their rights described in this Privacy Notice.

We may collect personal data from you in the following ways:

Personal data may be processed for the following purposes:

Ceridian may process personal data on a number of lawful bases, some of which include consent, performance of a contract, compliance with a legal obligation, to protect the vital interests of an individual, performance of a task in the public interest or for legitimate interests. We may rely on legitimate interests for a number of reasons including, but not limited to, fraud prevention, network security and employee personal data processing.

Ceridian will use or disclose personal data for purposes permissible under applicable law. If you do not provide Ceridian with the personal data that we have requested, you may be unable to access our full range of services.

Ceridian may de-identify or anonymize personal data. Such data is no longer considered personal data and individuals cannot seek to have their information removed from any such data set, nor is consent for further use required.

DO NOT TRACK DISCLOSURE

Do Not Track (DNT) is a preference that users can set for their browsers to opt out of the online tracking activities by some applications. Ceridian does not track its customers over time and across third party applications and thus does not respond to Do Not Track (DNT) signals in browsers.

RETENTION AND DISPOSAL

Ceridian retains personal data only as long as necessary to fulfill the stated purposes or as legally required and thereafter appropriately disposes of such information. Ceridian maintains and complies with an internal Corporate Records Retention Policy and Schedule. When personal data is no longer necessary or relevant for the identified purpose or to fulfill a legal or business requirement, it will be securely destroyed. Ceridian will either physically or electronically delete the personal data or de-identify it to make it anonymous.

ACCESS AND QUALITY

Ceridian makes reasonable efforts to maintain the integrity of the personal data within its products as necessary to fulfill the purposes for which the personal data is to be used.

Individuals are asked to review their records on a regular basis and make the appropriate updates or notify the prospective employer of errors promptly. Ceridian relies on its customers and the prospective employers’ applicants to supply Ceridian with accurate, complete and up-to-date personal data that is relevant to Ceridian’s delivery of the services.

HOW WE SHARE PERSONAL DATA

Ceridian shares the personal data of its customers’ employees at the direction of customers. Personal data collected and used for Ceridian’s purposes as described above may be shared with third parties in certain circumstances including in the following situations:

If Ceridian has knowledge that a third party uses or discloses personal data in an unapproved manner, Ceridian takes reasonable steps to prevent or stop the use or disclosure. Ceridian does not sell any personal data to third parties for marketing.

Where applicable, to limit or opt out of the disclosure of personal data, individuals should contact their employer or Ceridian in the manner set out in the “Exercising Your Rights” section.

CROSS BORDER TRANSFER

Ceridian transfers personal data outside of a local jurisdiction only with adequate protections in place and in compliance with applicable laws and standards. Ceridian maintains operations in the United States (US), Canada, Australia, Mauritius, and the United Kingdom (UK) and all of its entities process personal data. Ceridian may transfer personal data to service providers located in countries worldwide, depending on the services. Ceridian also transfers personal data to other countries as directed by its customers.

Ceridian complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework (Privacy Shield) as set forth by the US Department of Commerce regarding the collection, use and retention of personal information transferred from the European Union, the United Kingdom and Switzerland to the United States in reliance on Privacy Shield. Ceridian has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Principles please visit www.privacyshield.gov.

Ceridian may utilize the adequacy determinations made by the European Commission to transfer personal data to countries with data protection that is adequate to the EU. Ceridian also utilizes Standard Contractual Clauses (SCCs) for the transfer of personal data from the EU to other countries.

HOW WE SECURE PERSONAL DATA

Ceridian has implemented policies, procedures and practices to protect personal data. Ceridian protects personal data using recognized industry standard security safeguards appropriate to the sensitivity of the personal data. Ceridian reviews its security policies and procedures on a regular basis and updates them as needed to maintain their relevance. Ceridian makes reasonable security arrangements to protect personal data in its custody or under its control from and against risks, such as loss or theft, as well as unauthorized access, collection, use, disclosure, copying, modification, disposal and destruction.

The methods of protection include physical measures, organizational measures and technological measures.

Ceridian requires all third parties to whom it may transfer personal data to maintain adequate security safeguards in compliance with applicable laws and standards to protect personal data.

In the event that we are required by law to inform you of a breach to your personal data, we will notify you electronically, in writing or by telephone, if permitted to do so by law.

EXERCISING YOUR RIGHTS

Depending on the jurisdiction you are in, you may have one or more of the following data subject rights: access, correction, erasure, portability, restriction or objection. Individuals may submit requests here or by using the information in the "Contact Us" section below.

PLEASE NOTE: If Ceridian is processing your personal data on behalf of your employer (i.e., one of Ceridian’s customers), you should first contact your employer directly to submit an access or correction request, concern or complaint.

Individuals may raise concerns or complaints here. Ceridian will investigate and it is our practice to respond to the individual within 30 days of receiving the complaint, unless a shorter response time is required by law. Ceridian will take all appropriate action to remedy any such issues. If the matter cannot be settled, Ceridian agrees to cooperate with the dispute resolution system set forth below.

If individuals feel that their complaint was not satisfied, they may file a formal complaint with the regulatory bodies below.

Regarding any Privacy Shield complaints, grievances should be filed with the entities in the following order: Ceridian, the applicable EU Data Protection Authority, The Department of Commerce, the Federal Trade Commission (FTC), then the Privacy Shield Panel. The individual may apply to the Privacy Shield Panel to invoke binding arbitration.

CONTACT US

For privacy-related questions, comments, or concerns, contact Ceridian at:

CHANGES TO THIS POLICY

Ceridian may update this privacy notice periodically to reflect changes to our privacy practices. We will provide notice online when we make any material changes to this notice.

This policy replaces and supersedes all other prior policies regarding the same or similar subject matter, as of the Policy Version Effective Date set forth below. Ceridian reserves the right to alter, amend or discontinue this policy at any time without notice.

Policy Version Effective Date: December 30, 2019 | Policy Owner: Privacy