Assemble Privacy Practices
Effective Date: June 16, 2020
This policy applies to Assemble Inc. and its affiliated companies (collectively “Assemble”).
Assemble understands that your privacy is important to you and is committed to safeguarding the confidentiality and privacy of personal information entrusted to it.
Scope of this policy
This policy applies to personal information which is collected and/or used by Assemble in its capacity as a controller as that term is defined in the EU data protection laws. The contexts in which this might occur are explored under "When do we collect personal information" below.
Assemble collects personal information from and on behalf of its clients (e.g. about their employees and customers) to provide business advisory services to those clients. It also processes client personal information to manage its relationship with those clients. Further, Assemble also collects some personal information from visitors to this website, recruitment applicants, and attendees at Assemble events.
Assemble uses personal information to deliver its Services to clients. For its own purposes, it also uses personal information to analyze and improve how it delivers those services, to contact representatives of its clients or prospective clients and to market to them, and to administer recruitment and events.
If Assemble uses your personal information, you may have certain important rights which you can exercise. The rights you will be able to exercise will depend on how and why Assemble uses your information.
The primary point of contact at Assemble for questions regarding your personal information is firstname.lastname@example.org.
Who is your controller?
The Assemble entity responsible for your personal information will be the entity that originally collected information from or about you. If you have a direct interaction with Assemble (for example, you attend an Assemble hosted event), the identity of your controller may be disclosed to you in connection with that interaction. If we process your personal information in the course of providing our Services to clients, your controller will be the Assemble entity providing the Services (assuming those Services are provided as a controller, see above for an explanation). Please note that the contact details for all Assemble entities in respect of data protection or privacy issues are the same, and are as set out below.
When do we collect personal information?
We collect information about you if:
- you use this (or any other Assemble) website;
- you enquire about, or engage Assemble to provide, its Services (either in a personal capacity, or as a representative for your employer or client);
- the use of your personal information is reasonably necessary to provide our Services (in these circumstances, your personal information may be disclosed to us by our client who may, for example, be your employer or service provider, or we may obtain your personal information from a range of public or subscription sources, directly from you, or from your associates or persons known to you);
- you apply for a position with Assemble;
- you attend an Assemble hosted or sponsored event or webinar;
- you contact us with any other enquiry, complaint or notice.
What types of personal information are collected and what do we use it for?
The following is a summary of the types of personal information we collect, and the purposes for which that information is used.
Assemble collects your name, address, e-mail address, telephone number and any other personally-identifiable information which you voluntarily provide as "comments" when you submit an inquiry through the "Contact Us" tool. Assemble also collects other background information about you in connection with career-related inquiries that you submit through its website.
Assemble's Former, Current and Prospective Clients
If you submit an enquiry to Assemble about our Services (either over the website, or by emailing, telephoning or meeting with one of our colleagues), then we will process information such as your name, job title and contact information in order to respond to your enquiry.
If you attend an Assemble event or webinar, or if you associate with an Assemble colleague at, for example, an industry event, then Assemble may collect basic personal information, such as contact details, which you voluntarily provide (for example, by filling in a form or handing over a business card) in order to facilitate your participation in the event, and for the management of our relationship with you as an actual or prospective client.
If you or the organization you are associated with becomes an Assemble client, then we may process your personal information in order to:
- carry out "Know Your Client" checks and screening prior to starting a new engagement (as well as basic contact information, this may mean processing compliance related information such as proof of your identity, information about your professional background, history of directorships and, in some circumstance, details of any criminal convictions or adverse media coverage);
- carry out background checks for the purposes of complying with anti-money laundering and terrorist financing laws;
- carry out client communication, service, billing and administration;
- deal with client complaints; and
- administer claims.
Taking account of applicable marketing laws, we also process personal information about our clients (former, current and prospective) in order to:
- send our clients newsletters, know-how, promotional material and other marketing communications;
- invite our clients to events (and arrange and administer those events).
Performing Services for Our Clients
As discussed above, many of our Services involve the processing of personal information from our clients. In the majority of cases, personal information is provided to us in strict confidence, subject to restrictive undertakings on its use / disclosure.
If you apply for a position with Assemble we will need to collect personal information in order to consider your application, and during any interview and assessment phase.
Finally, if you contact us for any other reason, we will collect basic contact details, as well as any other personal information relevant to the reason for your enquiry, in order to resolve that enquiry.
What is our legal basis for collecting personal information?
All processing (i.e. use) of your personal information is justified by a "lawful basis" for processing. In the majority of cases, processing will be justified on the basis that:
- the processing is necessary for the performance of a contract to which you are a party, or to take steps (at your request) to enter into a contract (e.g. where you request certain Services as an individual client, or where we help advise your employer or service provider on fulfilling an obligation to you under a contract);
- the processing is necessary for us to comply with a relevant legal obligation (e.g. where we are required to collect certain information about our clients for tax or accounting purposes, or where we are required to make disclosures to courts or regulators); or
- the processing is necessary for the performance of a task carried out in the public interest (e.g. background checks for anti-money laundering and terrorist financing purposes); or
- the processing is in our legitimate interests, subject to due consideration for your interests and fundamental rights (this is the basis we rely upon for the majority of the processing of personal information in connection with the provision of our Services, and also for the purposes of most client on-boarding, administration and relationship management activities).
In limited circumstances, we will use your consent as the basis for processing your personal information, for example, where we are required by applicable law to obtain your prior consent in order to send you marketing communications.
Before collecting and/or using any special categories of data (as that term is defined in the GDPR), or criminal record data, we will establish a lawful exemption which will allow us to use that information. This exemption will typically be:
- your explicit consent;
- the establishment, exercise or defense by us or third parties of legal claims; or
- other uses allowed by applicable law including context specific exemptions provided for under local laws of EU Member States and other countries implementing the GDPR, such as in relation to the processing of special category data for the purposes of preventing or detecting fraud in relation to instructions from potential clients.
Disclosure of Personal Information to Third Parties
Assemble may also disclose your personal information for the purposes of:
- responding to requests from law enforcement agencies, regulators or courts, or to subpoenas, search warrants, or other legal requests;
- the prevention and/or detection of crime;
- establishing legal rights or to investigate or pursue legal claims;
- a merger, acquisition or corporate restructuring to which Assemble is subject;
- preventing risk of harm to an individual.
International Transfer of Information
Transfers of personal information to Assemble's US offices are protected by Assemble's certification under the EU-US Privacy Shield schemes. A link to Assemble’s EU-US Privacy Shield Policy is available here. Transfers to US based service providers may also be protected through reliance on Privacy Shield.
When we transfer your personal information outside Assemble to third parties who help provide us with any of the activities described in this policy, we obtain contractual commitments (such as the Standard Contractual Clauses) from them in order to protect your personal information.
When we receive requests for information from law enforcement, courts or regulators (who may be based overseas), we carefully validate these requests before any personal information are disclosed.
You have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal information when this is transferred as mentioned above.
Assemble has reasonable technical safeguards, security policies and procedures in place to protect personal information from unauthorized loss, misuse, alteration, or destruction. Measures we take include placing confidentiality requirements on our staff members and service providers, limiting access to your personal information on a "need to know" basis, and providing training to appropriate Assemble personnel. We also maintain comprehensive policies addressing data incident response protocols. Our IT Security Program is audited on a regular basis.
Despite Assemble's best efforts, however, security cannot be absolutely guaranteed against all threats
Retention of your personal information
Assemble retains your personal information for the period of time required for the purposes for which it was collected, any compatible purposes which we subsequently establish, or any new purposes to which you subsequently consent, or to comply with legal, regulatory and Assemble policy requirements. This period of time will usually be the period of your, or the relevant client's, relationship or contract with Assemble plus a period reflecting the length of time for which legal claims may be made following the termination of such relationship or contract. Some information (such as call recordings, tax records and certain information required to demonstrate regulatory compliance) may need to be kept for longer. Personal information will be kept for a shorter or longer period of time if so required by law or an Assemble policy, if the information becomes subject to a legal hold (for example, following a communication from our regulator) or if we have identified through a data protection impact assessment that a different retention period is appropriate.
Your EEA Rights
If your personal information is processed by an Assemble entity in the EEA then, subject to certain exemptions, and dependent on how and why we use it, you have certain rights in relation to your personal information. We may ask you for additional information to confirm your identity before disclosing any personal information to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfill your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Right to Access
You have the right to access personal information which Assemble holds about you, together with certain information about how and why your personal information is processed.
Right to Rectification
You have a right to request us to correct your personal information where it is inaccurate or out of date.
Right to be Forgotten (Right to Erasure)
You have the right under certain circumstances to have your personal information erased. Your information can only be erased if it is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the information.
Right to Restrict Processing
You have the right to restrict the processing of your personal information, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
Right to Data Portability
You have the right to data portability, which requires us to provide personal information to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) consent; or (ii) the performance of a contract to which you are a party. Please note that Assemble rarely relies upon consent as a legal basis, and the performance of a contract basis will only be relevant to the extent that you, as an individual, are party to a contract with Assemble or a client, and our use of your personal information is necessary for the performance of that contract.
Right to Object to Processing
You have the right to object to the processing of your personal information at any time, but only where that processing is based on our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
If you reside in the European Economic Area (EEA) and would like to exercise your right to access, review, correct or discuss how your personal information is processed by Assemble please contact us at email@example.com.
If you reside outside of the EEA you can also make a request to update or remove information about you by contacting firstname.lastname@example.org. Assemble will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards.
In addition, under applicable local law you may have the legal right to lodge a complaint with the relevant supervisory authority or local data protection authority.
Assemble will offer EU and Swiss individuals whose personal information has been transferred to us the opportunity to choose whether the personal information it has received is to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. An individual may opt-out of such uses of their personal information by contacting us at email@example.com.
Your California Rights
If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your PII by Assemble to a third party for the third party's direct marketing purposes. Assemble does not share, sell, rent or trade your PII with any third parties for promotional purposes. To make such a request, please contact Assemble using the contact information provided below.
Assemble may send you information related to its services, products and events that we believe are of interest to you. This information may be sent by post or via email. If at any point you no longer prefer to receive marketing communications from Assemble you can (i) unsubscribe from Assemble communications sent by email using a link provided in marketing emails sent from Assemble; or (ii) contact us to exercise your right to prevent all forms of marketing (both post and email).
Assemble’s websites are not intentionally designed for or directed at children under the age of 13. It is Assemble’s policy never to knowingly collect or maintain information about anyone under the age of 13, except as part of an engagement to provide professional services.
Changes to this Policy
If you have questions or concerns regarding this policy or Assemble’s personal data processing policies, please contact Assemble at: firstname.lastname@example.org.
If you reside in the EEA and have questions or concerns regarding this policy or processing of your personal information by Assemble please contact us at email@example.com.
EU-US/Swiss-US PRIVACY SHIELD POLICY
EU-US and Swiss-US Privacy Shield
Assemble complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the member countries of the European Union (EU) and Switzerland, respectively, to the United States. Assemble has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view Assemble’s certifications, please visit www.privacyshield.gov.
Assemble’s participation in the Privacy Shield applies to personal data received from the EU/EEA and Switzerland. Assemble will comply with the Privacy Shield Principles in respect of such personal data. Some types of Personal Information may be subject to additional privacy-related requirements and policies, which are consistent with the Privacy Shield Principles. For example:
- Personal Information regarding and/or received from clients is also subject to any specific agreement with, or notice to, the client, as well as additional applicable laws and professional standards.
- Personal Information regarding Assemble personnel is subject to internal human resource policies.
Types of Personal Information Collected and Purpose for Collection
Personal Information from Client Engagements
Assemble provides professional consulting services to its clients. Assemble’s clients may send Personal Information to it for processing on their behalf as part of the consulting services they have purchased. For example, Assemble may receive Personal Information such as name, email address, employment information, or financial data. Assemble uses any such Personal Information to perform services for its clients and to administer and manage its relationships with its clients.
In the event that a client engagement involves a transfer of Personal Information from the EU to the United States, the relevant clients are responsible for providing appropriate notice, where required, to the individuals whose Personal Information may be transferred to Assemble including providing individuals with certain choices with respect to the use or disclosure of their Personal Information, and obtaining any requisite consent. Assemble handles such Personal Information in accordance with its clients’ instructions.
Personal Information from Assemble Website Use
Personal Information Regarding Assemble Employees
Assemble may transfer Personal Information regarding Assemble personnel. This Personal Information may include, without limitation, business contact information, employee ID, job role and reporting line, demographic information, work history, compensation and performance ratings. Assemble uses such information to administer and manage its business.
Choice and Accountability for Onward Transfer
Information Security and Data Integrity
Assemble has reasonable security policies and procedures in place to protect Personal Information from unauthorized loss, misuse, alteration, or destruction.
Despite Assemble's best efforts, however, security cannot be absolutely guaranteed against all threats. To the best of Assemble’s ability, access to your Personal Information is limited to those who have a need to know.
Pursuant to the Privacy Shield Frameworks, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query as specified below. This right applies only to personal information about the individual making the request and is subject to other limitations as defined by law.
Individuals can request access via email at firstname.lastname@example.org or postal mail:
Attention: Privacy Advocate
2 Nickerson Street, Ste 101
Seattle, WA 98109
Recourse, Enforcement and Liability
In compliance with the Privacy Shield Principles, Assemble commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. Individuals who wish to file a complaint or who take issue with Assemble’s Privacy Shield policy should contact Assemble’s consumer advocate. Assemble’s consumer advocate will explain the process to be followed when filing a complaint. Filing a complaint in English will speed-up the request process. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact Assemble by email at email@example.com or via postal mail at:
Attention: Privacy Advocate
2 Nickerson Street, Ste 101
Seattle, WA 98109
Assemble has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your complaint involves human resources data transferred to the United States from the EU and/or Switzerland in the context of the employment relationship, and Assemble does not address it satisfactorily, Assemble commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable and to comply with the advice given by the DPA panel and/or Commissioner, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Assemble is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Changes to this Policy
Assemble reserves the right to make changes to this EU–US and Swiss-US Privacy Shield Policy from time to time. Assemble will notify you by posting amendments on this website.
Questions and Comments
If you have questions or concerns regarding this policy or Assemble’s Personal Information processing policies, please contact Assemble at: firstname.lastname@example.org