Employees, temporary staff, candidates, independent contractors, and trainees, for human resources and personnel management processes, which may cover any type of Processing, and include recruitment, workforce planning, training and performance management, compensation and benefits, leave and benefits management, pay slip distribution, employee information and skill management, employee survey, exit interviews and process, and health and safety. Such Processing covers HR Personal Data, including, but not limited to, basic personal details (e.g., full name; age and date of birth); education, professional experience and affiliations (e.g., education and training history; languages; trade union membership); employee travel and expenses information (e.g., travel booking details; dietary requirements; passport and visa details); family, lifestyle and social circumstances (e.g., marital status; emergency contact details; religion or religious beliefs); basic HR details (e.g., job title, role; office location; start date); health, welfare and absence related (e.g., reason for absence; disability, access, special requirements details); employee training and performance related (e.g., disciplinary action, performance rating; call recording); financial details (e.g., bank account information; national insurance number; bonus payments); photographic, video and location information (e.g., CCTV images; tracking data); identification checks and background vetting (e.g., results of criminal checks; proof of eligibility to work); system access (e.g. access logs, tracking information); account credentials (e.g., username, password, security questions).

Clients, for Client relationship management, which may cover any type of Processing, and include developing new business relationships, sales, marketing, negotiating contracts, market research, managing existing business relationships, invoicing, Client services, handling enquiries, and to meet legal and regulatory obligations. Such Processing covers Client Personal Data, including, but not limited to, basic personal details (e.g., full name); photographic, video and location information (e.g., CCTV images); identification checks and background vetting (e.g., results of criminal checks; credit check related); system access (e.g. access logs, tracking information); account credentials (e.g., username, password, security questions).

Any other party, for ensuring any other business operations, which may cover any type of Processing, and include supplier and vendor management, compliance, reporting, due diligence, buildings and facilities management, IT, customer surveys, and to meet legal and regulatory obligations.  Such Processing covers third-party Personal Data including, but not limited to, basic personal details (e.g., full name); business activities (e.g., goods or services provided); financial details (e.g., bank account information); photographic, video and location information (e.g., CCTV images); identification checks and background vetting (e.g., results of criminal checks); system access (e.g. access logs, tracking information); account credentials (e.g., username, password, security questions).

TP Companies shall always rely on a lawful basis for Processing your Personal Data and Sensitive Data, in accordance with applicable local laws and regulations. When the Processing of your Personal Data is subject to laws and regulations applicable in EEA/UK countries, TP Companies shall rely on one of the following grounds:

• You have given your consent to the Processing of your Personal Data for one or more specific purposes;
• The Processing is necessary for the performance of a contract between you and the Data Controller, or in order to take steps at your request, prior to entering into a contract;
• The Processing is necessary for compliance with a law or regulation applicable in an EEA/UK country to which the TP Company is subject;
• The Processing is necessary to protect your vital interests or those of another natural person;
• The Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the TP Company or in a third party to whom your Personal Data are disclosed; or
• The Processing is necessary for the purposes of the legitimate interests pursued by the TP Company or by the third party to whom your Personal Data are disclosed, except when such interests are overridden by your interests or fundamental rights and freedoms.

When the Processing of your Sensitive Data is subject to laws and regulations applicable in EEA/UK countries, TP Companies shall rely on one of the following grounds:

• You have given your explicit consent to the Processing of your Sensitive Data for one or more specific purposes, except when prohibited by the laws and regulations applicable to the TP Company in an EEA/UK Country;
• The Processing is necessary for the purposes of carrying out your obligations and specific rights or those of the TP Company in the field of employment law and social security and social protection law, and insofar it is authorized by the laws and regulations applicable to the TP Company in an EEA/UK country, which laws and regulations provide for adequate safeguards;
• The Processing is necessary to protect your vital interests or those of another person, in each case when you are physically or legally incapable of giving your consent;
• The Processing is carried out in the course of the legitimate activities, with appropriate safeguards, by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union aim, and on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that your Personal Data are not disclosed to a third party without your consent;
• The Processing relates to Personal Data you manifestly made public;
• The Processing is necessary for the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity; or
• The Processing of your Sensitive Data is required for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of laws and regulations applicable to EEA/UK countries, and when those Sensitive Data are Processed pursuant to contract with a health professional subject to the obligation of professional secrecy under laws and regulations applicable in EEA/UK countries, or by another person also subject to an equivalent obligation of secrecy.

For the Processing of your Personal Data relating to criminal convictions and offences or related security measures subject to laws and regulations applicable in EEA/UK countries, TP Companies shall only Process such Personal Data under the control of an official authority, or when the Processing is authorized by laws and regulations applicable in EEA/UK countries providing for appropriate safeguards for your rights and freedoms.

When a Processing is based on your consent, TP Companies shall:

• Ensure that your consent is freely given, specific, informed and an unambiguous indication of your wishes (by a statement or clear affirmative action) to agree to the Processing;
• Ensure that you are able to withdraw your consent easily at any time, and that you receive information of such ability prior to giving consent;
• Implement and maintain processes to record the giving and withdrawal of your consent; and
• Ensure that if your consent is given as part of a written declaration also concerning other matters, it is presented in a manner which is clearly distinguishable from other matters, in an intelligible form, using clear and plain language.

Before collecting Personal Data, TP Companies shall provide you with any information required by applicable laws and regulations, and at least with the identity and contact details of the Data Controller and of its representative, if any; the purposes of the Processing; the recipients or categories of recipients of your Personal Data; and the existence of your rights of access to, and to rectify your Personal Data.

In addition, TP Companies shall provide you with the information set out below in writing or by other means, including, when appropriate, in electronic form.  It shall be provided in a concise, transparent, and easily accessible form, using clear and plain language:

• The contact details of the SVPP and/or DPO, when applicable;
• The lawful basis for the Processing;
• The legitimate interest pursued by the TP Company or by a third party, when such interest provides the lawful basis for the Processing;
• In case of transfers to non-EEA/UK countries, the fact that the TP Company intends to transfer your Personal Data to non-EEA/UK countries, the measures implemented to protect your Personal Data transferred, and the means by which you can obtain a copy of them or where they have been made available;
• The period for which your Personal Data will be stored, or if not possible, the criteria used to determine this period;
• The existence of your rights to:
  • Access to and erase your Personal Data, restrict Processing, data portability, and to object to Processing. This objection right shall be explicitly brought to your attention, clearly and separately from any other information, when the Processing is based on the Data Controller’s legitimate interest, or when your Personal Data are Processed for direct marketing purposes;
  • Withdraw consent at any time when it provides the lawful basis for the Processing of your Personal Data or Sensitive Data. Such withdrawal shall not affect the lawfulness of the Processing carried out before your request for withdrawal of your consent; and
  • Lodge a complaint before the applicable EEA/UK DPA;
• Whether the provision of your Personal Data is a statutory or contractual requirement, or a requirement necessary to enter a contract, as well as whether you are obliged to provide your Personal Data and the possible consequences of failure to provide them; and
• The existence of automated decision-making, including Profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such Processing for you.

TP Companies intending to Process your Personal Data for a purpose other than the initial purpose shall inform you prior to the further Processing with information on that other purpose, and with any relevant information as listed above.

When your Personal Data are not obtained directly from you, you should be provided with the same information as listed in Section 1.2.2.1 above, as well as the categories of Personal Data concerned, the source from which your Personal Data originate, and whether your Personal Data came from publicly accessible sources.

If you have not already received such information before, you should receive it within 1 month of obtaining your Personal Data, having regard to the specific circumstances in which your Personal Data are Processed, or, if your Personal Data are to be used to communicate with you, at the latest at the time of first communication with you, or, if a disclosure to a third party is envisaged, no later than the time when your Personal Data are first disclosed.

Such information is not required if its provision proves impossible or would involve a disproportionate effort, if collection or disclosure is expressly required by applicable laws and regulations, or if your Personal Data shall remain confidential subject to an obligation of professional secrecy required by laws and regulations applicable in EEA/UK countries.

TP Companies intending to Process your Personal Data for a purpose other than the initial one shall inform you prior to the further Processing with information on that other purpose, and with any relevant information as listed above.

When required by applicable laws and regulations, any notification or registration with a DPA shall be performed by TP Companies.

An up-to-date public version of this Policy and an up-to-date list of the TP Companies bound by the Policy shall be made easily accessible to you on the Group’s website https://teleperformance.com/en-us/data-privacy-information-and-inquires/.

TP Companies shall only collect your Personal Data for one or more specified, explicit and lawful purposes, and not further Process them incompatibly with those purposes.

Your Personal Data shall be adequate, relevant, and not excessive in relation to the purposes for which your Personal Data are Processed.

It is your responsibility to inform Teleperformance of any inaccuracy or update of your Personal Data.  However, Teleperformance will exert reasonable effort to ensure its databases are as accurate and up to date as possible, including deleting your inaccurate Personal Data.

Your Personal Data shall not be kept for longer than is necessary, and retention shall be in accordance with the following rules:

• The retention period during which your Personal Data are kept shall be reviewed periodically;
• This retention period shall be adequate for the purpose/s of the Processing, and your Personal Data shall not be kept once the purpose/s has/have been accomplished; and
• Once they are no longer required, your Personal Data shall be deleted or anonymized in a secure manner ensuring protection from unlawful or wrongful access.

When required by applicable laws and regulations, TP Companies shall provide you with the right to access your Personal Data Processed by the TP Company.

When required by applicable laws and regulations, TP Companies shall also provide you with the ability to correct, without undue delay, your Personal Data when it is incomplete or inaccurate, including by means of providing a supplementary statement.

TP Companies shall adhere to the procedure provided in Annex 1 of the Policy when responding to your requests to access, correct, erase, and object.

You shall be given access to the following:

• Confirmation as to whether the TP Company processes your Personal Data;
• Explanation of the purposes of the Processing, the categories of Personal Data, and the recipients or categories of recipients to whom your Personal Data are disclosed (particularly recipients in non-EEA/UK countries) and the appropriate safeguards provided to such transfers;
• When possible, the period for which your Personal Data will be stored, or, if not possible, the criteria used to determine that period;
• Communication of your Personal Data which are undergoing or have undergone Processing, and of any available information as to their source when your Personal Data are not obtained from you;
• The existence of your right to request from the TP Company rectification or erasure of your Personal Data, or restriction of Processing of your Personal Data, or to object to such Processing;
• The right to lodge a complaint with an applicable EEA/UK DPA; and
• When the TP Company makes decisions based solely on automated Processing of your Personal Data, including Profiling, meaningful knowledge of the logic involved in such automatic Processing, as well as the significance and the envisaged consequences of such Processing for you.

TP Companies may only reject an access request when they can prove that:

• The TP Company is unable to verify your identity;
• Your right to such request is specifically limited by a law or regulation applicable in an EEA/UK country; or
• Your request would impinge on the protection of the rights and freedoms of third parties, when redaction of your Personal Data and/or other measures to mitigate such effects are not reasonably feasible.

TP Companies shall give you the ability to request the erasure of your Personal Data without undue delay if:

• Your Personal Data are no longer necessary in relation to the purpose(s) for which they were collected or otherwise Processed;
• You withdraw your consent on which the Processing is based, and there is no other lawful basis for the Processing;
• You object to Processing performed on the basis of the Data Controller’s legitimate interests when there are no overriding legitimate grounds for the Processing, or you object to the Processing for direct marketing purposes;
• Your Personal Data have been unlawfully Processed; or
• Your Personal Data shall be erased for compliance with laws and regulations applicable in EEA/UK countries to which the Data Controller is subject.

When your Personal Data that are subject to your request for erasure have been made public by the TP Company acting as a Data Controller, it shall, having regard to available technology and cost of implementation, inform other Data Controllers which are Processing your Personal Data of your request to erase any links to, or copies or replication of, those Personal Data.

TP Companies may only reject your erasure request when they can prove that:

• The TP Company is unable to verify your identity;
• Your right to such request is specifically limited by a law or regulation applicable in an EEA/UK country;
• Your request would impinge on the protection of the rights and freedoms of third parties, when redaction of your Personal Data and/or other measures to mitigate such effects are not reasonably feasible; or
• The Processing is necessary for (i) exercising the right of freedom of expression and information; (ii) compliance with a legal obligation that requires Processing by laws and regulations applicable in EEA/UK countries to which the Data Controller is subject; or for (iii) the establishment, exercise, or defense of legal claims.

You have the right to object at any time to the Processing of your Personal Data based on a TP Company’s legitimate interests, including Profiling, unless that Processing is allowed by laws and regulations applicable in EEA/UK countries.  When the objection is justified, the Processing shall cease, unless TP Companies can demonstrate compelling legitimate grounds for continuing the Processing that override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

In addition, you have the right to object at any time, on request and free of charge, to the Processing of your Personal Data for the purpose of direct marketing (including Profiling, to the extent that it is related to direct marketing).  Such Processing shall stop as soon as reasonably possible.

TP Companies may only reject a request when they can prove that:

• The TP Company is unable to verify your identity;
• Your right to such request is specifically limited by a law or regulation applicable in an EEA/UK country; or
• The request would impinge on the protection of the rights and freedoms of third parties, when redaction of the Personal Data and/or other measures to mitigate such effects are not reasonably feasible.

You have the right to restrict the Processing of your Personal Data, and to have your Personal Data segregated accordingly, if:

• You contest the accuracy of your Personal Data, for a period enabling the TP Company acting as a Data Controller to verify the accuracy of your Personal Data;
• The Processing is unlawful, and you oppose the erasure of your Personal Data and request the restriction of their use instead;
• The TP Company acting as a Data Controller no longer needs your Personal Data for the purposes of the Processing, but you require them for establishing, exercising, or defending legal claims; or
• You have objected to Processing carried out on the basis of the Data Controller’s legitimate interests, pending the verification whether the legitimate grounds of the Data Controller override yours.

When the Processing is restricted, TP Companies may only Process your Personal Data, with the exception of storage:

• With your consent;
• For establishing, exercising or defending legal claims;
• For protecting the rights of another natural or legal person; or
• For reasons of important public interest as defined under laws and regulations applicable in EEA/UK countries.

When TP Companies have restricted the Processing further to your request, they shall inform you of such Processing restriction before it is lifted.

TP Companies may only reject a restriction request when they can prove that:

• The TP Company is unable to verify your identity;
• Your right to such request is specifically limited by a law or regulation applicable in an EEA/UK country; or
• Your request would impinge on the protection of the rights and freedoms of third parties, when redaction of your Personal Data and/or other measures to mitigate such effects are not reasonably feasible.

TP Companies shall adhere to the procedure provided in Annex 1 of the Policy when responding to your requests for restriction.

When the Processing is based on your consent or on a contract, and carried out by automated means, you have the right to request to:

• Receive the Personal Data you have provided to a TP Company acting as Data Controller, in a structured, commonly used and machine-readable format; and
• Transmit your Personal Data to another Data Controller without hindrance from the initial Data Controller, or to have them transmitted directly from one Data Controller to another, when technically feasible.

TP Companies may only reject a portability request when they can prove that:

• The TP Company is unable to identify you;
• Your right to such request is specifically limited by a law or regulation applicable in an EEA/UK country; or
• Your request would impinge on the protection of the rights and freedoms of third parties, when redaction of the Personal Data and/or other measures to mitigate such effects are not reasonably feasible.

Your request to portability of your Personal Data is without prejudice to your right to request erasure under Part 2, Section 2.1.2 of the Policy, and shall not adversely affect the rights and freedoms of others.

TP Companies shall adhere to the procedure provided in Annex 1 of the Policy when responding to your requests for data portability.

You have the right to object to any decision based solely on automated Processing of your Personal Data, including Profiling, which produces a legal effect concerning you, or which otherwise significantly affects you.

TP Companies may only reject such requests when they can prove that the decisions are:

• Necessary for entering into or for the performance of a contract between you and a TP Company acting as a Data Controller or based on your explicit consent. In such cases, TP Companies shall implement suitable measures to safeguard your rights, freedoms, and legitimate interests, at least the right to obtain human intervention from TP Companies, to express your point of view, and to contest the decision; or
• Authorized by laws and regulations applicable in EEA/UK countries, which also lay down measures to safeguard your rights, freedoms, and legitimate interests.

TP Companies shall only make decisions based solely on the automated Processing of your Sensitive Data if they have put in place suitable measures to safeguard your rights, freedoms, and legitimate interests, and when you have given your explicit consent, or when the Processing is necessary for reasons of substantial public interest on the basis of laws and regulations applicable in EEA/UK countries.

TP Companies shall adhere to the procedure provided in Annex 1 of the Policy when responding to your objections to decisions affecting you based on automated Processing, including Profiling.

This describes the situation when a TP Company based in the EEA transfers your Personal Data to one of the following:

• To another TP Company or third party also based in the EEA. An example would be a transfer of your Personal Data by a TP Company in France to a TP Company in Italy; or
• To another TP Company or third party based in an Adequate Country. An example would be a transfer of your Personal Data by a TP Company in Spain to a third party in Argentina.

Laws and regulations applicable in EEA countries authorize transfers of your Personal Data between organizations based in the EEA, or from an organization based in the EEA to another organization based in an Adequate Country.  Therefore, Teleperformance does not need to implement any additional measures in such cases.

This describes the situation when a TP Company based in the EEA transfers your Personal Data to another TP Company or a third party located in a non-Adequate Country.  An example would be a transfer of your Personal Data by a TP Company in Ireland to a TP Company in the Philippines, or a TP Company in Germany being serviced by a third party in Turkey.

When an EEA TP Company transfers your Personal Data to another TP Company located in a non-Adequate Country, such transfer is allowed insofar as that recipient TP Company has implemented the Policy and complies with its requirements, including with those marked with “BCR”.

When an EEA TP Company acting either as a Data Controller or as a Data Processor on behalf of a TP Company acting as a Data Controller transfers your Personal Data to a third party located in a non-Adequate Country, or to another TP Company which has not implemented the Policy (including the requirements of the Policy marked with “BCR”), the sending TP Company shall implement additional measures to protect your Personal Data transferred (e.g., by incorporating into the contract signed with the third party the appropriate Standard Data Protection Clauses issued by the European Commission or an EEA DPA), or shall ensure that the transfer matches with one of the conditions set forth by laws and regulations applicable in EEA countries (e.g., you have explicitly given your consent to the transfer (after having been informed of the possible risks of such transfers for you due to the absence of adequacy decision and appropriate safeguards); or the transfer is necessary for the performance of a contract between you and the Data Controller or the implementation of pre-contractual measures taken in response to your request).

If this is not possible, the sending TP Company can operate a transfer if it is necessary for the purposes of compelling legitimate interests pursued by the TP Company acting as a Data Controller, provided that:

• The transfer or the set of transfers of your Personal Data is not repetitive and concerns only a limited number of Data Subjects;
• The legitimate interests of the TP Company acting as a Data Controller are not overridden by your interests or rights and freedoms;
• The TP Company acting as a Data Controller has assessed all the circumstances surrounding the transfer and, on the basis of that assessment, has provided suitable safeguards with regard to privacy and data protection; and
• The TP Company acting as a Data Controller informs you and the applicable EEA DPAs of the transfer and the compelling legitimate interests.

UK & BCR - This describes the transfer of your Personal Data by a non-EEA/UK TP Company to another TP Company or third party based in another country.  An example would be a transfer of your Personal Data by a TP Company in Albania to a TP Company in China, or a TP Company in Mexico being serviced by a third party in Argentina.

UK & BCR - Any transfer of your Personal Data from a non-EEA/UK country to any other country shall be done with appropriate and reasonable protection, and in compliance with the laws and regulations applicable to the TP Company at the origin of the transfer, in particular, but not limited to, any legal requirement on transfers of your Personal Data or pertaining to security.

BCR - When your Personal Data transferred from the EEA to non-EEA TP Companies or third parties are further transferred to other non-EEA TP Companies or third parties, the EEA TP Company at the origin of the transfer shall ensure that such onward transfers comply with the rules set out in Part 2, Section 3.2 and 3.5.

This describes the situation when a TP Company based in the UK transfers your Personal Data  to one of the following:

• To another TP Company or third party also based in the UK; or
• To another TP Company or third party based in an Adequate Country. An example would be a transfer of your Personal Data by a TP Company in the UK to a third party in France.

Laws and regulations applicable in the UK authorize transfers of your Personal Data between organizations based in the UK, or from an organization based in the UK to another organization based in an Adequate Country.  Therefore, Teleperformance does not need to implement any additional measures in such cases.

This describes the situation when a TP Company based in the UK transfers your Personal Data to another TP Company or a third party located in a non-Adequate Country. 

When a UK TP Company transfers your Personal Data to another TP Company located in a non-Adequate Country, such transfer is allowed insofar as that recipient TP Company has implemented the Policy and complies with its requirements, including with those marked with “BCR”.

When a UK TP Company acting either as a Data Controller or as a Data Processor on behalf of a TP Company acting as a Data Controller transfers your Personal Data to a third party located in a non-Adequate Country, or to another TP Company which has not implemented the Policy (including the requirements of the Policy marked with “BCR”), the sending TP Company shall implement additional measures to protect your Personal Data transferred (e.g., by incorporating into the contract signed with the third party the appropriate Standard Data Protection Clauses issued by or approved by the ICO), or shall ensure that the transfer matches with one of the conditions set forth by laws and regulations applicable in the UK countries (e.g., you have explicitly given your consent to the transfer (after having been informed of the possible risks of such transfers for you due to the absence of adequacy decision and appropriate safeguards); or the transfer is necessary for the performance of a contract between you and the Data Controller or the implementation of pre-contractual measures taken in response to your request).

If this is not possible, the sending TP Company can operate a transfer if it is necessary for the purposes of compelling legitimate interests pursued by the TP Company acting as a Data Controller, provided that:

• The transfer or the set of transfers of your Personal Data is not repetitive and concerns only a limited number of Data Subjects;
• The legitimate interests of the TP Company acting as a Data Controller are not overridden by your interests or rights and freedoms;
• The TP Company acting as a Data Controller has assessed all the circumstances surrounding the transfer and, on the basis of that assessment, has provided suitable safeguards with regard to privacy and data protection; and
• The TP Company acting as a Data Controller informs you and the ICO of the transfer and the compelling legitimate interests.

Teleperformance shall implement appropriate technical and organizational security measures to protect your Personal Data from accidental loss, alteration, unauthorized disclosure or access, in particular when the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the severity and likelihood of the risks represented by the Processing to your rights and freedoms, by the nature of your Personal Data to be protected, as well as the scope, context and purposes of the Processing.  Such measures can include, as appropriate:

• The pseudonymization and encryption of your Personal Data;
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
• The ability to restore the availability and access to your Personal Data in a timely manner in the event of a physical or technical incident; or
• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

Security standards shall conform to local privacy and data protection laws and regulations, as well as to any contractual requirements.

In case of Personal Data breach, Teleperformance should implement an incident response plan.

When the Personal Data breach is likely to result in a high risk to your rights and freedoms, TP Companies shall inform you of the breach without undue delay, describing in clear and plain language:

• The nature of the breach;
• The name and contact details of the SVPP and/or DPO, when applicable, or other contact point from whom further information can be obtained;
• The likely consequences of the breach; and
• The measures taken or proposed to be taken by the TP Company to address the breach, including, when appropriate, measures to mitigate its possible adverse effects.

Communication to you may not be required when:

• The TP Company has implemented appropriate technical and organizational protection measures, and those measures were applied to the Personal Data affected by the breach, particularly those that render your Personal Data unintelligible to any person who is not authorized to access it (e.g., encryption);
• The TP Company has taken subsequent measures to ensure that the high risk to your rights and freedoms is unlikely to materialize; or
• It would involve disproportionate effort, in which case TP Companies shall issue a public communication or similar measure whereby you are informed in an equally effective manner.

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the Processing, as well as the risks of varying likelihood and severity for your rights and freedoms posed by the Processing, TP Companies shall, both at the time of the determination of the means for Processing and at the time of the Processing itself, implement appropriate technical and organizational measures (e.g., pseudonymization) to enshrine privacy and data protection principles (e.g., data minimization) into prospective new or amended products, processes, technologies, systems, programs, and devices, when applicable, in an effective manner, and to integrate the necessary safeguards into the Processing of your Personal Data.

TP Companies shall implement appropriate technical and organizational measures to ensure that, by default, only your Personal Data which are necessary for each specific purpose of Processing are Processed. Such requirement applies to the amount of your Personal Data collected, the extent of their Processing, the period of their storage and their accessibility. In particular, by default, your Personal Data shall not be made accessible to an indefinite number of natural persons without your intervention.

TP Companies acting on behalf of Teleperformance’s Clients may Process your Personal Data for the purpose of servicing those Clients.  The nature and categories of your Personal Data, and the purposes of the Processing are determined by Teleperformance’s Clients, and will vary depending on both their instructions and the services provided by TP Companies.

Based on Teleperformance’s business activities, the anticipated purposes, expected nature and categories of Personal Data covered by the Policy include, but are not limited to, the following:

1. Clients' customers, as the Group's core business activities are the provision of outsourced customer relationship management services. Such Processing may cover any type of Processing, and any categories of Personal Data relating to Clients' customers, in accordance with Clients' instructions, which may include, but are not limited to, basic personal details (e.g., full name, age and date of birth); business activities (e.g., services provided by the Clients); family, lifestyle and social circumstances (e.g., dependents, spouse, partner, family details; religion or religious beliefs; criminal convictions and offences); health related (e.g., details of physical and psychological health or medical condition); financial details (e.g., bank account information; national insurance number); photographic, video and location information (e.g., CCTV images); identification checks and background vetting (e.g., results of criminal checks; credit check related).
2. Visa applicants, as TP Companies may provide outsourced services for visa applications. Such Processing may cover any type of Processing, and any categories of Personal Data relating to visa applicants, in accordance with Clients’ instructions, which may include, but are not limited to basic personal details (e.g., full name; age and date of birth; passport details; biometric data); business activities (e.g., business activities of the Data Subject); family, lifestyle and social circumstances (e.g., dependents, spouse, partner, family details; religion or religious beliefs; criminal convictions and offences); health related (e.g., details of physical and psychological health or medical condition); financial details (e.g., bank account information; national insurance number); photographic, video and location information (e.g., photographic imaging); identification checks and background vetting (e.g., results of criminal checks; credit check related).
3. Any Personal Data Processed in relation with outsourced interpretation or translation services, which can include, without being limited to: Clients’ customer, patient, business partner, or public service user Personal Data. Such Processing may cover any type of Processing, and any categories of Personal Data Processed in the context of interpretation and translation services, which may include, but are not limited to, basic personal details (e.g., full name; age and date of birth; biometric data); education, professional experience and affiliations (e.g., education and training history; languages; trade union membership); employee travel and expenses information (e.g., travel booking details; dietary requirements; passport and visa details); family, lifestyle and social circumstances (e.g., marital status; emergency contact details; religion or religious beliefs); health and welfare related (e.g., disability, access, special requirements details; genetic data); financial details (e.g., bank account information; national insurance number); identification checks and background vetting (e.g., results of criminal checks; proof of eligibility to work).
4. Customers and individuals participating in surveys, as TP Companies may provide outsourced customer survey services. Such Processing may cover any type of Processing, and any categories of Personal Data Processed in the context of conducting surveys, which may include, but are not limited to, basic personal details (e.g., age); family, lifestyle and social circumstances (e.g., family details; religion or religious beliefs); health, related (e.g., details of physical and psychological health or medical condition).

When acting on behalf of a Client, each TP Company and its employees shall respect the instructions regarding the Processing of your Personal Data and the security and confidentiality measures as provided in the contract with each Client, and shall observe the following principles:

TP Companies acting as Data Processors will reasonably assist Clients in complying with laws and regulations, such as by ensuring transparent Processing of your Personal Data and data quality.

In particular, Clients shall be informed about Sub-processors and/or Third-Party Data Processors relevant for their respective Processing.

An up-to-date public version of the Policy and an up-to-date list of the TP Companies bound by the Policy shall be made easily accessible to Data Subjects on the Group’s website https://teleperformance.com/en-us/data-privacy-information-and-inquires/.

BCR - When Clients rely upon the Policy for the transfers performed by Teleperformance on their behalf, Parts 1 and 3 of the Policy will be incorporated into the contract with such Clients.  

TP Companies shall Process your Personal Data only on behalf of the Clients, and in compliance with their instructions.

In particular, Teleperformance shall undertake any necessary measures as instructed by Clients in order to update, correct, delete or anonymize any Personal Data Processed on their behalf.  Each Sub-processor and Third-Party Data Processor to whom your Personal Data have been disclosed shall be informed of such instructions and shall comply with them.

EEA/UK & BCR - TP Companies shall comply with the Client’s documented instructions, including with regard to transfers of your Personal Data to a non-EEA/UK country, unless not required to do so by laws and regulations applicable in EEA/UK countries to which the TP Companies are subject.  In such a case, TP Companies shall inform the Clients of that legal requirement before Processing takes place, unless the laws and regulations applicable in EEA/UK countries prohibit such information on important grounds of public interest.

EEA/UK & BCR - If a TP Company is not in a position to comply with a Client’s reasonable instructions, it shall promptly inform both the Privacy Office and the Client, and Teleperformance will try to accommodate the Client’s instructions taking into consideration local laws and regulations applicable in EEA/UK countries and the Policy.  If the Client reasonably rejects Teleperformance’s attempts to accommodate the Client’s instructions, and neither Teleperformance nor the Client can find a solution to accommodate the Client’s instructions, Teleperformance will allow the Client to suspend, for a legitimate privacy and data protection reason in accordance with laws and regulations applicable in EEA/UK countries, the transfer of your Personal Data impacted until the TP Company can comply with the Client’s reasonable instructions, and/or terminate the specific portion of services impacted under the applicable work order or statement of work in accordance with the contractual remedies provided in the contract signed with that Client, but only to the extent such situation substantially disrupts Teleperformance’s ability to provide services to that Client.

EEA/UK & BCR - When the provision of services to a Client terminates, all your Personal Data Processed on behalf of that Client by Teleperformance and any Third-Party Data Processor shall, at the choice of the Client and in accordance with the relevant terms of its contract with Teleperformance, be either safely returned (including all copies) to the Client, or destroyed (including all copies), in which case Teleperformance shall certify to that Client that it has done so.  Such return or destruction should be done within a 90-day timeframe after the termination of the contract between the Client and Teleperformance, which can be extended with the CPO’s agreement, depending on the timeframe agreed in that contract.

EEA/UK & BCR - When laws and regulations require storage by Teleperformance of your Personal Data transferred, it shall inform the Client and warrant that it will guarantee the confidentiality of your Personal Data and will not actively process that Personal Data anymore.

Teleperformance shall assist Clients with handling any requests when you exercise your rights, including requests to access, correct or delete your Personal Data in accordance with applicable laws and regulations.

In particular, TP Companies, as well as any Sub-Processor and any Third-Party Data Processor, when relevant, will execute any appropriate technical and organizational measures, insofar as this is possible, when requested by the Clients, for the fulfilment of their obligations to respond to your requests for exercising your rights, including by providing any useful information in order to fulfil your requests.

EEA/ UK & BCR - When Teleperformance directly receives a request from you, it will promptly communicate it to the relevant Client, in which case the Client remains responsible for handling it, unless it has specifically authorized Teleperformance to do so.  In such cases, Teleperformance shall follow the instructions contained in the Client’s contract.  The costs of requests directly handled by Teleperformance shall be borne by the Client, except if provided otherwise in the contract signed with such Client.

Teleperformance can use Sub-processors or Third-Party Data Processors only after notifying the Client, and if the latter has not objected to the use of such Sub-processor or Third-Party Data Processor within 30 days of receiving the notification, except if provided otherwise in the contract signed with such Client.

In the case of a Sub-processor, the latter shall Process your Personal Data in accordance with the Client’s instructions and Teleperformance’s privacy and data protection obligations set forth in the contract signed between Teleperformance and the Client.

In the case of a Third-Party Data Processor, Teleperformance shall only appoint third parties who provide sufficient guarantees in respect of Teleperformance’s commitments under Part 3 of the Policy.  In particular, such Third-Party Data Processors shall commit by way of a contract or other legal act under laws and regulations applicable in EEA/UK countries to Process your Personal Data in accordance with the Client’s instructions and Teleperformance’s privacy and data protection obligations set forth in the contract signed between Teleperformance and its Client, and to adduce appropriate technical and organizational measures to ensure appropriate protection having regard to Part 3, Section 3.1 of the Policy.

If the Client objects to the addition or replacement of a Sub-processor or a Third-Party Data Processor, Teleperformance will (i) offer not to progress with the change, or (ii) offer an alternative solution to the Client, including the use of another Sub-processor or Third Party Data Processor.  If the Client rejects the alternative solution offered by Teleperformance for a legitimate privacy & data protection reason in accordance with laws and regulations applicable in EEA/UK countries, the Client may terminate the specific portion of services impacted under the applicable work order or statement of work, in accordance with the contractual remedies provided in the contract signed with that Client.

This describes the situation in which a Client or TP Company based in the EEA transfers your Personal Data to one of the following:

• Client to a TP Company (Processor or Sub-processor) based in the EEA or Adequate Country. An example would be a transfer of Personal Data by a Client in France to a TP Company (Sub-Processor) in Italy, or Client in Germany to TP Company (Processor) in Canada.
• TP Company to a Sub-processor or Third-Party Data Processor also based in the EEA. An example would be a transfer of Personal Data by a TP Company in France to a Sub-processor in Italy; or
• TP Company to a Sub-processor or Third-Party Data Processor based in an Adequate Country. An example would be a transfer of Personal Data by a TP Company in Spain to a Third-Party Data Processor in Argentina.

Laws and regulations applicable in EEA countries authorize transfers of your Personal Data between organizations based in the EEA, or from an organization based in the EEA to another organization based in an Adequate Country.  Therefore, Teleperformance does not need to implement any additional measures in such cases.

This describes the situation in which either a Client transfers your Personal Data to a TP Company (Processor or Sub-Processor), or a TP Company based in the EEA transfers your Personal Data to a Sub-processor or a Third-Party Data Processor located in a non-Adequate Country.  An example would be a transfer of your Personal Data by a TP Company in Ireland to a Sub-processor in the Philippines, or by a TP Company in Germany to a Third-Party Data Processor in Turkey, or by a Client in Spain to TP Company in the Philippines.

When either a Client transfers your Personal Data to a TP Company (Processor or Sub-Processor), or an EEA TP Company transfers your Personal Data to a Sub-processor located in a non-Adequate Country, such transfer is allowed insofar as that recipient Processor or Sub-processor has implemented the Policy and complies with its requirements, including with those marked with “BCR”.

When an EEA TP Company transfers your Personal Data to a Third-Party Data Processor located in a non-Adequate Country, or to a Sub-processor which has not implemented the Policy (including the requirements of the Policy marked with “BCR”), the sending TP Company shall implement additional measures to protect your Personal Data transferred (e.g., by incorporating into the contract signed with the Third-Party Data Processor the appropriate Standard Data Protection Clauses issued by the European Commission or an EEA DPA), or shall ensure that the transfer matches with one of the conditions set forth by laws and regulations applicable in EEA countries (e.g., you have given your consent to the transfer; or the transfer is necessary for the performance of a contract between you and the Client or the implementation of pre-contractual measures taken in response to your request).

If this is not possible, the sending TP Company can operate a transfer if it is necessary for the purposes of compelling legitimate interests pursued by the Client, provided that the transfer or the set of transfers of your Personal Data is not repetitive and concerns only a limited number of Data Subjects; the legitimate interests of the Client are not overridden by your interests or rights and freedoms, the Client has assessed all the circumstances surrounding the transfer and on the basis of this document assessment, has provided suitable safeguards with regard to privacy and data protection, and the Client informs the EEA DPAs and you of the transfer and the compelling legitimate interests.

This describes the transfer of your Personal Data by a non-EEA/UK TP Company to a Sub-processor or Third-Party Data Processor based in another country.  An example would be a transfer of your Personal Data by a TP Company in Albania to a Sub-processor in China, or by a TP Company in Mexico to a Third-Party Data Processor in Argentina.

Any transfer of your Personal Data from a non-EEA/UK country to any other country shall be done with appropriate and reasonable protection, and in compliance with the laws and regulations applicable to the TP Company at the origin of the transfer, in particular, but not limited to, any legal requirement on transfers of your Personal Data or pertaining to security.

BCR - When your Personal Data transferred from the EEA/UK to non-EEA/UK Sub-processors or Third-Party Data Processors are further transferred to other non-EEA/UK Sub-processors or Third-Party Data Processors, the EEA TP Company, or non-EEA TP Company at the origin of the transfer shall ensure that such onward transfers comply with the rules set out in Part 3, Section 2.2 and 2.4.

This describes the situation in which a Client or TP Company based in the UK transfers your Personal Data to one of the following:

• Client to a TP Company (Processor or Sub-processor) based in the UK or Adequate Country. 
• TP Company to a Sub-processor or Third-Party Data Processor also based in the UK.
• TP Company to a Sub-processor or Third-Party Data Processor based in an Adequate Country. 

Laws and regulations applicable in the UK authorize transfers of your Personal Data between organizations based in the UK, or from an organization based in the UK to another organization based in an Adequate Country.  Therefore, Teleperformance does not need to implement any additional measures in such cases.

This describes the situation in which either a Client transfers your Personal Data to a TP Company (Processor or Sub-Processor), or a TP Company based in the UK transfers your Personal Data to a Sub-processor or a Third-Party Data Processor located in a non-Adequate Country. 

When either a Client transfers your Personal Data to a TP Company (Processor or Sub-Processor), or a UK TP Company transfers your Personal Data to a Sub-processor located in a non-Adequate Country, such transfer is allowed insofar as that recipient Processor or Sub-processor has implemented the Policy and complies with its requirements, including with those marked with “BCR”.

When an UK TP Company transfers your Personal Data to a Third-Party Data Processor located in a non-Adequate Country, or to a Sub-processor which has not implemented the Policy (including the requirements of the Policy marked with “BCR”), the sending TP Company shall implement additional measures to protect your Personal Data transferred (e.g., by incorporating into the contract signed with the Third-Party Data Processor the appropriate Standard Data Protection Clauses issued by or approved by the ICO), or shall ensure that the transfer matches with one of the conditions set forth by laws and regulations applicable in the UK (e.g., you have given your consent to the transfer; or the transfer is necessary for the performance of a contract between you and the Client or the implementation of pre-contractual measures taken in response to your request).

If this is not possible, the sending TP Company can operate a transfer if it is necessary for the purposes of compelling legitimate interests pursued by the Client, provided that the transfer or the set of transfers of your Personal Data is not repetitive and concerns only a limited number of Data Subjects; the legitimate interests of the Client are not overridden by your interests or rights and freedoms, the Client has assessed all the circumstances surrounding the transfer and on the basis of this document assessment, has provided suitable safeguards with regard to privacy and data protection, and the Client informs you and the ICO of the transfer and the compelling legitimate interests.

TP Companies shall implement appropriate technical and organizational security measures to protect your Personal Data from accidental loss, alteration, unauthorized disclosure or access, in particular when the Processing performed on behalf of Clients involves the transmission of data over a network, and against all other unlawful forms of Processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the severity and likelihood of the risks represented by the Processing performed on behalf of Clients to your rights and freedoms, by the nature of your Personal Data to be protected, as well as the scope, context and purposes of the Processing.  Such measures can include, as appropriate:

• The pseudonymization and encryption of your Personal Data;
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
• The ability to restore the availability and access to your Personal Data in a timely manner in the event of a physical or technical incident; or
• Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

BCR - In addition, TP Companies shall comply with security and organizational measures which at least meet the requirements of the Client’s applicable privacy and data protection laws and regulations.

In case of Personal Data breach, Teleperformance should implement an incident response plan, in co-operation with the relevant Chief Information Officer, the Global Chief Information Security Officer, the Country Privacy Lead, and the Privacy Office, which includes the following:

• Breach Containment and Recovery – Teleperformance shall use its best efforts to resolve the incident by applying a recovery plan and, when necessary, procedures for damage limitation.
• Risk Assessment – Teleperformance will assess associated risks, such as the adverse consequences for Data Subjects and the affected Client; seriousness of the breach; and risk of repetition.
• Breach notification - In accordance with and in the timelines provided by local laws and regulations, Teleperformance shall inform the affected Client, and any other relevant stakeholder (e.g., the police, or banks, as the case may be), about the Personal Data breach, when required under applicable law.
• Process Evaluation – An investigation will be conducted to determine the cause of the breach and evaluate the effectiveness of the response made. Policies and procedures will be addressed accordingly.

EEA/UK & BCR - In case of Personal Data breach, TP Companies shall also promptly inform the Clients impacted by the Personal Data breach after becoming aware of it (no later than 48 hours), as well as the Privacy Office, including when the breach concerns a Third-Party Data Processor servicing such Clients.  In addition, Teleperformance shall ensure that Sub-processors and Third-Party Data Processors shall have the duty to inform the TP Companies acting as a Data Processor without undue delay after becoming aware of any breach, who in turn will promptly inform the Clients of such breach.

Subject to Part 3, Section 7, first paragraph of the Policy, Teleperformance SE accepts responsibility for and agrees to take the necessary actions to remedy an infringement of the requirements contained in the Policy by non-EEA/UK TP Companies and to pay compensation for any material or non-material damages resulting from such infringement.  In this case, you will have the same rights and remedies against Teleperformance SE as if an infringement had taken place in the EEA/UK.

Subject to Part 3, Section 7, second paragraph of the Policy, when the Client has factually disappeared, ceased to exist in law or has officially become insolvent without any successor entity, Teleperformance SE accepts responsibility for and agrees to take the necessary actions to remedy an infringement of the requirements contained in the Policy by non-EEA/UK TP Companies or non-EEA/UK Third-Party Data Processors, and to pay compensation for any material or non-material damages resulting from such infringement.  In this case, you will have the same rights and remedies against Teleperformance SE as if the infringement had taken place in the EEA/UK.

Such liability extends only to Data Subjects whose Personal Data subject to laws and regulations applicable in EEA/UK countries were transferred to non-EEA/UK TP Companies or non-EEA/UK Third-Party Data Processors in accordance with the Policy.

Teleperformance SE may not rely on an infringement by another TP Company or a Third-Party Data Processor of its obligations in order to avoid its own liabilities.

When the TP Company and the Client involved in the same Processing are found responsible for any damage caused by such Processing, you shall be entitled to receive compensation, for the entire damage, directly from the TP Company.

When Teleperformance SE can prove that neither a non-EEA/UK TP Company nor a non-EEA/UK Third-Party Data Processor is responsible for the act, or if the act results from the Client, it may discharge itself from any responsibility as described above.

The Policy is made legally enforceable by Clients which rely on the Policy for the transfers by Teleperformance on their behalf through a specific reference to it in the contract with Clients.  Subject to any provisions contained in a contract between Teleperformance and a Client, a Client shall have the right to enforce Parts 1 and 3 of the Policy against any TP Company for infringements caused by such TP Company servicing that Client.

In addition, Teleperformance SE shall be responsible for any damage arising out of an infringement of:

• Parts 1 and 3 of the Policy or of the contracts signed with Clients by non-EEA/UK TP Companies; or
• The written contract signed with a non-EEA/UK Third-Party Data Processor, in accordance with Part 3, Section 1.2.4 of the Policy.

The Client shall have the right to judicial remedies and the right to receive compensation.

The burden of proof to demonstrate that Teleperformance is not responsible for any damage shall lie with Teleperformance SE.  When Teleperformance SE can prove that the non-EEA/UK TP Company or non-EEA/UK Third-Party Data Processor is not responsible for the act, it may discharge itself from any responsibility as described above.

Teleperformance SE or any TP Company’s liability is limited to infringements of the Policy and of a written contract signed with a non-EEA/UK Third-Party Data Processor, in accordance with Part 3, Section 1.2.4 of the Policy.

When a TP Company receives your request or complaint, it shall be documented and communicated to the Privacy Office without undue delay and not later than 2 (two) days from the receipt.

If your request or complaint is sent directly to the Privacy Office, it shall be logged within the same timeframe from receipt.

The Privacy Office shall acknowledge receipt of your request or complaint within 1 (one) week and inform you that you will receive more information on your request or complaint within 30 (thirty) days of receipt.

Within 1 (one) week, the Privacy Office shall validate your request or complaint, and determine whether it will handle your request or complaint directly, or delegate it to a designated local contact point.

When the Privacy Office delegates your request or complaint to a designated local contact point, it shall provide additional instructions to such local contact point on how to handle your request or complaint to the extent necessary.

The Privacy Office or, when appropriate, the local contact point, under supervision of the Privacy Office, will then handle your request or complaint.

The Privacy Office or, when appropriate, the local contact point, under supervision of the Privacy Office, shall respond to your request or complaint within the timeframe set out in the section ‘Resolution Timeframe’.