(Effective December 3, 2024)
CONTENTS
A. GENERAL DATA PROCESSING PRACTICES
Protecting your privacy is important to Boyden World Corporation, 520 White Plains Road, Suite 500, Tarrytown, NY 10591, United States, privacy@boyden.com, +1 914 747 0093 ("Boyden," "we," "us," or "our"). This Privacy Policy explains how Boyden collects, uses, and discloses (“processes”) personal data on its own behalf and in conjunction with individual local Boyden offices, and any additional rights you may have under applicable privacy law. We and/or the local Boyden offices determine the purposes and means of the processing of personal data.
You can exercise your privacy and data protection rights by contacting privacy@boyden.com or your local Boyden office. Additional individual privacy and data protection rights are described in Parts B-F below, depending on the applicable law. Please note that we cannot respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. Thus, we may require that you submit additional personal data so that we can verify your identity. We will use such additional personal data submitted in connection with our verification process only to verify your identity and authority to make the request.
This Part A provides a general description of the processing of personal data by Boyden and local Boyden offices. The following Parts B-F of this Privacy Policy address specific local privacy regulations and amend this general description for the respective region.
Please find below the most important information about our typical data processing sorted by groups of data subjects and types of data processing. For data processing activities that relate only to specific groups, and processing activities controlled only by local Boyden offices, the obligations to provide information are met separately.
The terms “data”, “personal data” and “personal information” are used interchangeably in this policy, and in each case include any information relating to an identified or identifiable natural person.
We process personal information from or about the following categories of individuals, as more fully described in the sections below:
1. |
|
1.1. |
Web server log data |
1.1.1. |
In the past 12 months we have processed, and may continue to process, personal data from website visitors such as the IP address allocated to their device, the date and time of the request, the time zone, the specific page or file accessed, the HTTP status code and the data quantities transmitted; in addition, the website from which their request originated, the browser used, the operating system of their device and the language used. |
1.1.2. |
We obtain these categories of data directly and indirectly from activity on our website. For example, from submissions through our website portal or website usage details collected automatically. |
1.1.3. |
The purpose of the data processing of web server log data is the online presentation of Boyden and Boyden service. |
1.1.4. |
Web server log data is anonymized before storage. Web server log data will be deleted after one year at the latest. |
1.1.5. |
Web server log data are not passed on to third parties except under special circumstances. In the event of the suspicion of a crime or in investigative proceedings, data may be transmitted to the police and the public prosecutor’s office. We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain, and support IT systems. |
1.1.6. |
Use of the website without disclosure of web server log data is not possible. |
We use cookies on our website. Cookies are small text files containing information that can be stored on the user's end device via the browser when visiting a website. The information stored in cookies can be read and processed when the website is visited again using the same device. In doing so, we use processing and storage functions of the browser of your device and collect information from the storage of the browser of your device. In the structure of our Privacy Policy, we differentiate between Technically Required Cookies, Analytics Cookies and Third-Party Multimedia Content. For the function of the website, Technically Required Cookies cannot be deactivated via the cookie management function of this website. However, you can deactivate cookies generally in your browser at any time. Different browsers offer different ways to configure the cookie settings in the browser. We would like to point out, however, that some functions of the website may not function or may no longer function properly if you deactivate cookies in your browser in general. |
|
Technically Required Cookies |
|
1.2.1.1 |
Consent Cookies |
We use so-called Consent Cookies to store your consent, possible revocation of consent and opt-out of the use of cookies on our website. |
|
1.2.1.1.1 |
In the past 12 months we have processed, and may continue to process, personal data from website visitors such as HTTP data (HTTP data is protocol data that is technically generated when the website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited) referrer URL, date and time of the visit and User decision on cookies (User's decision on individual cookies or groups of cookies. Time of the decision and of the last visit) |
1.2.1.1.2 |
We obtain these categories of data directly from the user (decision on cookies) and indirectly transmitted by the user's browser (protocol data, time stamp). |
1.2.1.1.3 |
The purpose of data processing is the storage of the user decisions on cookies (consent, revocation, opt-out). |
1.2.1.1.4 |
A negative user decision with regard to cookies is deleted at the end of the session. The other data will be deleted after one year. |
1.2.1.1.5 |
We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain, and support IT systems. |
1.2.1.1.6 |
Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible. |
1.2.1.2 |
Cf_bm Cookie |
We use the Cf_bm Cookie identify and mitigate automated traffic to protect our website from bad bots. |
|
1.2.1.2.1 |
In the past 12 months we have processed, and may continue to process, personal data related to the calculation of a bot score and a session identifier. The information in the cookie (other than time-related information) is encrypted. A separate cookie is generated for each site that an user visits, as we do not track users from site to site or from session to session. The cookie is generated independently by our service provider Cloudflare, and does not correspond to any user ID or other identifiers in our web application. |
1.2.1.2.2 |
We obtain these categories of data indirectly transmitted by the user's browser and how the user is using our website. |
1.2.1.2.3 |
The purpose of data processing is to identify and mitigate automated traffic on our website to protect our website from bots. |
1.2.1.2.4 |
The cookie expires after 30 minutes of continuous inactivity by the user. |
1.2.1.2.5 |
The recipient of the data is Cloudflare Inc., 101 Townsend Street San Francisco, CA 94107 USA. |
1.2.1.2.6 |
Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible. |
1.2.1.3 |
reCAPTCHA Enterprise |
We use the reCAPTCHA Enterprise service (hereinafter "reCAPTCHA") from Google on our website. This tool contains an automated test to check whether the individual users of the website are humans or an automated program (bot or malware). For this purpose, reCAPTCHA analyzes behavior based on different interaction patterns with the website and associated parameters (e.g. time spent on the website, mouse movements made). An "I'm not a robot" checkbox is integrated into the page. By integrating reCAPTCHA, we enable Google to collect personal data on our website. The collection and processing of personal data is the sole responsibility of Google. We have no knowledge of the details of the processing of personal data in Google's area of responsibility. Information about the processing of personal data by Google can be found in Google's privacy policy: https://policies.google.com/privacy Google only provides us with the analysis result created on the basis of this data (human or automated program) in aggregated, anonymized form. We cannot assign the information provided to us to any natural person. |
|
1.2.1.3.1 |
In the past 12 months, we have processed, and in the future may continue to process, personal data about website visitors such as HTTP data (Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your internet browser, operating system used, the page accessed, the page previously visited (referrer URL), date and time of access.), Usage data (Usage data is data about your human interaction with the website and the associated parameters such as clicks on ads, mouse movements made or the time spent on the website.) and reCAPTCHA analysis data (The reCAPTCHA analysis data is the evaluation of the data processed by Google to determine whether the respective user of the website is a human or an automated program. This is completely anonymized analysis data. Google also shows us the number of requests to our website, the reCAPTCHA score distribution, the top 10 actions on our website and the top 10 actions with suspicious traffic.) |
1.2.1.3.2 |
The data is automatically provided by the user's browser and generated independently by Google. We do not know whether Google uses other data sources. |
1.2.1.3.3 |
The purpose of data processing is to enable Google to collect and process usage data on our website in order to ensure the security of our website and its users. There are no plans to change the purposes. The further purposes of processing by Google are determined solely by Google (https://policies.google.com/privacy). |
1.2.1.3.4 |
We do not collect or store this data ourselves. The collection and processing of this data is the responsibility of Google. According to Google, the individual reCAPTCHA tokens are automatically deleted after 2 minutes. We have no knowledge of further details on the storage period. |
1.2.1.3.5 |
The recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. |
1.2.1.3.6 |
Without disclosing personal data, it is not possible for reCAPTCHA to analyze whether you are a human, bot or malicious software. Communication via the website is not technically possible without providing data. |
Analytics Cookies |
|
1.2.2.1 |
Google Analytics |
If you have given your consent, we use the web analysis tool Google Analytics on our website. With the help of Google Analytics, we can analyze the user behaviour of visitors to our website in pseudonymized and anonymised form. It is possible that Google uses other services such as Google Tag manager. You can deactivate the data processing by Google Analytics at any time in our "cookie board“. Alternatively, you can install a browser plug-in from Google which prevents data collection by Google Analytics: |
|
1.2.2.1.1 |
In the past 12 months, we have processed, and in the future may continue to process, personal data about website visitors such as Google Analytics HTTP data (This is protocol data that is generated for technical reasons when using the web analysis tool Google Analytics via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.), Google Analytics device data (Data generated by the web analysis tool Google Analytics and assigned to your device: This includes a unique ID for the (re-)recognition of returning visitors (so-called "client ID") as well as certain technical parameters for controlling data collection for web analysis.), Google Analytics measurement data (Device-related raw data (so-called "dimensions" and " measurement results"), which are collected and analysed by the web analysis tool Google Analytics when using our website: This includes, above all, information about the sources through which visitors reach our website, information about the location, the browser and the device used, information about the use of the website (in particular page views, frequency of visits and length of stay on accessed pages) as well as information about the fulfilment of certain purposes (in particular transactions in the online shop). The data is assigned to the client ID assigned to your device. As a result, device-related usage profiles are created in which all device-related raw data is combined into a client ID. The data that we collect using Google Analytics does not enable us to identify you personally (i.e. by your civil name). We also do not merge the device-related raw data and the resulting device-related usage profiles with data that directly identifies you personally without your consent.) and Google Analytics report data (Data contained in aggregated segment and device-related reports generated by the Google Analytics web analysis tool based on the analysis of device-related raw data.). |
1.2.2.1.2 |
We obtain these categories of data indirectly transmitted by the user's browser and how the user is using our website. |
1.2.2.1.3 |
The purpose of data processing is to analyze user behaviour and to measure the reach of our website and advertisements to optimize our website. |
1.2.2.1.4 |
The data will be deleted after one year. |
1.2.2.1.5 |
The recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. |
1.2.2.1.6 |
The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot make web analysis using Google Analytics. |
1.2.2.2 |
Hubspot Analytics Cookies |
If you have given your consent, we use the analytics cookies of Hubspot on our website. The data collection is pseudonymised, unless you provide further personal data such as your name or email address when using the website. In this case, an allocation can take place. You can deactivate the data processing by Hubspot at any time in our "cookie board“. Alternatively, you can disable Hubspot cookies for the browser you are currently using by deactivating the storage of cookies in your browser settings. |
|
1.2.2.2.1 |
In the past 12 months, we have processed, and in the future may continue to process, personal data about website visitors such as Hubspot cookies-HTTP data (This is log data that is technically generated when Hubspot cookies are used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your internet browser, operating system used, the page accessed, the page previously visited (referrer URL), date and time of access.), Hubspot cookies -end device data (Data that is assigned to your end device by Hubspot Cookies: This includes a unique ID for (re)recognising returning visitors.) |
1.2.2.2.2 |
We obtain these categories of data indirectly transmitted by the user's browser and how the user is using our website. |
1.2.2.2.3 |
The purpose of data processing is to analyze user behaviour and to measure the reach of our website and advertisements to optimize our website. |
1.2.2.2.4 |
The cookies that keep track of the relevant session of the user expires after 30 minutes. The cookie which tracks if the user has restarted their browser expires at the end of the session. All other data will be deleted after 6 months at the latest. |
1.2.2.2.5 |
The recipient of the data is Hubspot Germany GmbH, Am Postbahnhof 17, 10243 Berlin. |
1.2.2.2.6 |
The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot make web analysis using Hubspot. |
1.2.2.3 |
Matomo Cloud |
If you have given your consent, we use the analytics cookies of Matomo on our website. You can deactivate the data processing with Matomo Cloud at any time in our "cookie board". |
|
1.2.2.3.1 |
In the past 12 months, we have processed, and in the future may continue to process, personal data about website visitors such as HTTP data, type and version of your Internet browser, the operating system used, the web page, the web page visited previously (referrer URL), date and time of the visit, device data regarding information regarding their interaction with an Internet Web site (Data generated by the web analytics tool Matomo Cloud and assigned to their device (“client ID”)), measurement data (device related raw data) and Matomo Cloud report data (reports based on the analysis of the raw data). On our website a so-called IP anonymization is activated for the use of the web analysis tool Matomo Cloud. |
1.2.2.3.2 |
We obtain these categories of data indirectly transmitted by the user's browser and how the user is using our website. |
1.2.2.3.3 |
The purpose of the data processing is to increase the efficiency of our use of resources for our website and our advertising measures and the satisfaction of our visitors by (usage-based) optimization of our website by measuring the use of our website and (usage-based) optimization of our advertising measures by measuring the success of the advertising media we use in our website (monitoring of advertising media success). |
1.2.2.3.4 |
The data is anonymized before storage. The data will be deleted after 14 months. |
1.2.2.3.5 |
The recipient of the data is InnoCraft (Operator of Matomo Cloud), 150 Willis St, 6011 Wellington, New Zealand. Data is processed only in the Matomo Cloud data center in Frankfurt, Germany. |
1.2.2.3.6 |
The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot make web analysis using Matomo Cloud. |
1.2.3 |
Third-Party Multimedia Content |
Google Maps and Google Fonts If you have given your consent via the Cookie Board map material of „Google Maps and Google Fonts“ is integrated on certain subpages of the website. With this integration, content of Google Maps and Google Fonts is displayed in parts of a browser window. However, the map content is only retrieved if you have previously given the respective consent. This ensures that no data is transmitted to Google and no cookies are stored on your device before the website visitor gives his or her consent via the Cookie Board. As soon as you give your consent regarding the Google Maps and Google Fonts content via the Cookie board to display the content, the content is loaded from Google. Technically, the same thing happens then as would happen if you would directly access Google Maps through a link: Google receives all information that your browser automatically transmits (including your IP address). Google also sets its own cookies on your device. This also happens if you do not have a Google user account. If you are logged in at Google, your data will be associated directly to your account. If you do not want the association to your Google user account, you must log out of Google before giving your consent. The collection and processing of this data is the sole responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider. We have no knowledge of further details of the processing of personal data in the area of data controllership of Google or a data processing in the USA. We have no influence on the data processing of Google. For information about the processing of personal data by Google, please refer to the Google Privacy Policy: https://policies.google.com/privacy. |
|
2. |
|
When we or a local Boyden office identify a potential candidate, we may collect business card data about such potential candidate from publicly accessible sources, and we and the local Boyden office jointly determine the purposes and means of the processing of such data and have entered into an agreement for that purpose. According to that agreement, the local Boyden office is responsible to ensure the fulfilment of the potential candidate’s rights and will inform them in a privacy notice about the contact details of the local office and the publicly accessible sources of the data. However potential candidates may contact either us or the local Boyden office regarding any claims or complaints. |
|
2.1. |
In the past 12 months, we have processed, and in the future may continue to process personal data about potential candidates such as name, postal address, email address, telephone number, employment, employment history and title. |
2.2. |
We collect data about potential candidates from the following publicly accessible sources: Public business websites, services such as LinkedIn, Xing or other business press or publications. |
2.3. |
Data about potential candidates are processed for the purposes of providing executive search services to potential employers worldwide and identifying salary, market and hiring trends by analyzing aggregated data. |
2.4. |
Data about potential candidates will be deleted upon the potential candidate’s request or in accordance with Boyden's global data retention policy. |
2.5. |
Data about potential candidates is shared with Boyden offices worldwide upon request. A full list of Boyden offices is provided here. |
3. |
|
Whenever an individual authorizes Boyden to list them as a candidate for job offerings, we and the local Boyden office jointly determine the purposes and means of the processing of such candidate’s data and have entered into an agreement for that purpose. According to the agreement, the local Boyden offices are responsible to ensure the fulfilment of the candidate’s rights. However all candidates may contact either us or the local Boyden office regarding any claims or complaints. |
|
3.1. |
In the past 12 months, we have processed, and in the future may continue to process personal data about candidates, such as name, signature, postal address, email address, telephone number, education, employment, employment history, bank account number, race, color, age (40 years and older), ancestry, national origin, citizenship, religion or creed, medical condition, physical or mental disability, sex (including gender), sexual orientation, current and/or past employment history including performance evaluations, education records, files, documents, and other materials directly related to a student maintained by an educational agency or institution or by a person acting for such an agency or institution, such as grades, transcripts, personal interests, hobbies and background check information (like identity verification, criminal, civil and regulatory judgements, financial and credit checks), health insurance information, information used to create a profile about a candidate reflecting the candidate’s intelligence and abilities or any other details a candidate may choose to share with us. |
3.2. |
Data about candidates may be collected from the candidate, from publicly accessible sources like websites (e.g. Company or private websites, LinkedIn) and third parties that the candidate or their testimonials have named as potential references. |
3.3. |
Data about candidates are processed for the purpose of providing the candidates with employment opportunities and job or career related information as well as providing executive search services to potential employers worldwide and identifying salary, market and hiring trends by analyzing aggregated data. |
3.4. |
The data retention period is seven calendar years from the last completion of the client engagement or documented contact with the candidate, whichever is later. |
3.5. |
Data about candidates are shared with Boyden offices worldwide and with potential employers to fulfill clients' or candidates' requests. A full list of Boyden offices is provided here. |
3.6. |
Candidates are not obliged to provide personal data. Without such personal data, however, we will not be able to provide candidates with employment opportunities. |
4. |
|
In the case where individuals have given their consent to participate in surveys or studies (“Participants”), Boyden and the local Boyden offices are processing their personal data for surveys and studies. We and the local Boyden office jointly determine the purposes and means of the processing of Participant data and have entered into an agreement for that purpose. According to the agreement, the local Boyden offices are responsible to ensure the fulfilment of Participant rights. However all Participants may contact either us or the local Boyden office regarding any claims or complaints. |
|
4.1. |
In the past 12 months, we have processed, and in the future may continue to process personal data about Participants, such as profile data requested by survey-service providers like Prophet (ID, name, language, due date of the questionnaire, reminder date of the questionnaire, email address, dates invitation sent, dates notifications of reminders sent, date profile sent, profile details) and survey reports (answers to the questionnaires). Some statistical studies are completely anonymous. |
4.2. |
The personal data about Participants is provided by the Participant or assigned by the survey-service provider. |
4.3. |
Participant personal data are processed for the purpose of conducting and evaluating surveys using questionnaires for business development reasons. |
4.4. |
The data retention period is seven calendar years from the last participation of the surveys or studies. |
4.5. |
We use service providers like Prophet Profiling Ltd. as data processors which are creating individual profiles for the participants and are conducting and evaluating the questionnaires on our behalf. |
4.6. |
Participation in surveys and studies is voluntary. Anyone who does not wish to participate in a survey or study can contact Boyden to discuss alternatives. |
5. |
|
When we or a local Boyden office receive personal data from a candidate or other source about the candidate’s reference, we and the local Boyden office jointly determine the purposes and means of the processing of the data about the candidate’s reference and have entered into an agreement for that purpose. According to the agreement, the local Boyden office is responsible to ensure the fulfilment of the rights of the candidate’s reference and will inform the personal reference in a privacy notice about our contact details and source of their data. However all references of candidates may contact either us or the local Boyden office regarding any claims or complaints. |
|
5.1. |
In the past 12 months, we have processed, and in the future may continue to process personal data about references of candidates, such as name, postal address, email address, telephone number, employment, employment history, position, or any other details that the candidate or the candidate’s reference chooses to share with us. |
5.2. |
Sources of data about a candidate’s reference are the candidate, another reference, or publicly accessible sources like public business websites, services such as LinkedIn, Xing or other business press or publications. |
5.3. |
Data about a candidate’s reference are processed for the purpose of providing executive search services to employers and candidates. |
5.4. |
The data retention period is seven calendar years from the last completion of the client engagement or documented contact with the candidate who named the data subject as a reference, whichever is later. |
5.5. |
We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems. |
6. |
|
Boyden and the local Boyden office may process personal data regarding service providers, business partners and their employees. |
|
6.1. |
In the past 12 months, we have processed, and in the future may continue to process personal data about service providers, business partners and their employees, such as name, title, postal address, email address, telephone number, employment, employment history and any other details that they later choose to share. |
6.2. |
Data about service providers, business partners and their employees may be collected from the applicable service provider, business partner, or their employees, or from publicly accessible sources like websites (e.g. Company or private websites, LinkedIn). |
6.3. |
We process data about service providers, business partners and their employees for the purpose of preparation and performance of the contractual relationship and for the fulfilment of legal requirements. |
6.4. |
All contractual data, content of communications and data relevant for accounting are stored in accordance with the Boyden Global Retention Policy. |
6.5. |
Recipients of data about service providers, business partners and their employees may include banks for the processing of payments. Public authorities and offices may receive data within the scope of their duties, insofar as we are obligated or entitled to transmit data. Moreover in specific cases data may be transmitted to a collection of service providers, legal advisors and courts. We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems. |
6.6. |
Processing of the contact data from service providers and business partners and their Employees is necessary in order to perform the contract or order. If the data are not provided, the contract cannot be established or carried out. The provision of data is required for prospective service providers, business partners and their employees. The communication is not possible without the data. |
7. |
|
Boyden and the local Boyden office may process personal data regarding Business Contacts and Communication Partners. |
|
7.1. |
In the past 12 months, we have processed, and in the future may continue to process personal data about our business contacts and communication partners, such as name, postal address, email address, telephone number, employment, title or any other details that they later choose to share with us. |
7.2. |
We obtain these categories of personal information from our business contacts and communication partners, from our clients or their agents, and from third-parties that interact with us in connection with the services we perform. |
7.3. |
We process the data from prospective business contacts and communication partners for the purpose of communication with them. |
7.4. |
Inquiries and communication data are automatically deleted after 10 years. |
7.5. |
We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems. |
7.6. |
The provision of data is required for prospective business partners and communication partners. The communication is not possible without the data. |
Users of the Client Portal |
|
|
The local Boyden Offices provide their clients with access to a platform (“Client Portal") as an option for reporting to them through a secure online format. Within the Client Portal the users can share assignments or provide feedback or scorings. The respective local Boyden office is the controller for the data processing with regard to their clients and their clients’ employees using the Client Portal. |
In the past 12 months, the local Boyden Offices have processed, and in the future may continue to process personal data about their client contacts, such as name, postal address, email address, telephone number, employment, title, assignments, comments and feedback or scorings or any other details that they choose to share with the local Boyden Offices. The technical metadata of the communication is also being processed |
|
The local Boyden Offices obtain the data from the data subjects during their use of the Client Portal. |
|
The local Boyden Offices process the data from the users of the Client Portal to provide their clients with a secure communication channel. |
|
The local Boyden Offices may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems. |
|
Inquiries and communication data are automatically deleted after 10 years. The technical metadata of the communication is deleted after one year at the latest. |
|
The provision of data is required for users of the Client Portal. The communication is not possible without the data. |
|
Recipients of Marketing Communications |
|
|
In the case where individuals have given their consent and registered for the download of marketing brochures and the reception of marketing communication of a local Boyden Office, the relevant local Boyden Office will send them information about the services. The respective local Boyden office is the controller for the data processing with regard to the marketing communications. The local Boyden office can also occasionally invite them to participate in surveys as part of the newsletter. If the recipients of marketing communications participate in such surveys, the information in Section 4 of this Privacy Policy applies. The local Boyden Offices may also monitor the reach and success of the brochures and other marketing communications. |
In the past 12 months, the local Boyden Offices have processed, and in the future may continue to process personal data about recipients of marketing communications, such as name and email address, telephone number, candidate/client, company and title, http Data, subscription and opening rates of the brochures and marketing communications and clicks. |
|
The personal data of recipients of marketing communications is provided by the recipients or via the devices with which the recipient opens the marketing communications. |
|
The local Boyden Office processes the data from recipients of marketing communications for the purpose of sending the marketing communications and monitoring the reach of the marketing communications. |
|
Data regarding marketing communications will be deleted when the recipients of marketing communications unsubscribe from the newsletters by using the unsubscribe button in each marketing communication. Data with regard to opening and reading times, will usually be deleted or anonymized after 18 months. |
|
The local Boyden Office use the service provider Emma, Inc., 11 Lea Avenue, Nashville, TB 37219, USA for the marketing communication management. |
|
Data is required to receive marketing communications. Without providing data, they cannot be sent. A withdrawal of your consent is possible at any time with effect to the future. Please use the unsubscribe function in the marketing communications. |
B. INFORMATION FOR EUROPEAN UNION RESIDENTS
Provided the EU General Data Protection Regulation (GDPR) applies to our processing of your data according to Article 3 GDPR, in particular if your data is processed by a Boyden office in the European Union or if you are in the European Union, the following conditions apply to you:
1. |
|
The Data Protection Officer and data protection representative of Boyden and Boyden’s local offices according to Article 27 GDPR (EU General Data Protection Regulation) is Rechtsanwalt Nikolaus Bertermann (attorney at law), daspro GmbH, Kurfürstendamm 21, 10719 Berlin, Germany, phone +49 30 88 77 41 50, Email: boyden@daspro.de. |
|
2. |
|
2.1. |
The legal basis for the processing of your data under GDPR is as follows:
|
2.2. |
The foregoing legal bases for the processing of your data are defined in GDPR as follows: “consent” is specified in Article 6(1)(a) GDPR, “contract” is specified in Article 6(1)(b) GDPR, “legal obligations” is specified in Article 6(1)(c) GDPR and “legitimate interest” is specified in Article 6(1)(f) GDPR. |
3. |
|
3.1 |
Cross-Border Transfers between Boyden offices |
Data may be shared with some Boyden offices located outside of the EU. All Boyden offices have entered into EU Standard Contractual Clauses (SCC) and set up internal privacy and data collection policies. Boyden and local Boyden offices have updated their contracts and have implemented additional safeguards after the Schrems II decision of the ECJ (SCC plus) to protect the data. You may request a copy of the SCC from us or a Boyden office at any time. Potential employers may be located outside of the EU and may not have adopted appropriate or suitable safeguards. |
|
3.2 |
Cross-Border Transfers in the Context of the Use of Service Providers |
Data may be shared with our service providers which we use as processor within the framework of a data processing agreement. We use Cloudflare, Inc., Hubspot, Inc. and Emma, Inc. as our service providers. We have entered into the EU Standard Contractual Clauses (2021/914) with Cloudflare, Inc. and Emma, Inc. to protect your data. We also use Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider. Google has also entered into the EU Standard Contractual Clauses (2021/914) to protect your data. You can request a copy of the essential contractual contents of the standard contractual clauses at any time. In addition, the Google companies (including Google LLC), Cloudflare, Inc., Hubspot, Inc. and Emma, Inc. are certified in accordance with the EU-US Data Privacy Framework. |
|
4. |
|
No change in the processing purposes described in Section A is planned. |
|
5. |
|
No automated decision-making (Article 22 GDPR) takes place. |
|
6. |
|
You have the following rights under GDPR:
|
C. INFORMATION FOR PEOPLE LOCATED IN THE UNITED STATES OF AMERICA
The following section contains data protection regulations that affect you when you are located in the USA. These relate in particular to text messaging and electronic messaging.
Sections D and E below contain further data protection specifics in the USA, particularly with regard to California and Nevada.
SMS and Electronic Messaging: If consent has been obtained (SMS opt-in), we process your phone number to send you SMS or other electronic messages for Boyden marketing purposes. SMS opt-in or phone numbers for the purpose of sending SMS for marketing purposes are not shared by Boyden. You can revoke your consent at any time (opt out) by replying “STOP” to unsubscribe.
D. INFORMATION FOR CALIFORNIA RESIDENTS
Provided that you are a resident of California and the California Consumer Privacy Act (CCPA) applies to our processing of your personal information, the following conditions apply to you:
1. |
|
1.1. |
During the past twelve months, we have collected personal information that falls under the below listed California-designated categories of personal information. For each category listed below, you can find the sources of the data, the purposes for which it is collected, and the third parties with whom it is shared in Part A of this Privacy Policy.
|
2. |
Disclosure or Sale of Personal Information in Past 12 Months |
2.1. |
In the preceding 12 months, we have disclosed or sold to third parties the categories of personal information specified in Part A above. |
2.2. |
We do not sell the personal information of minors under 16 years of age without affirmative authorization. |
3. |
|
3.1. |
Rights to Know. You have the right to request that we disclose to you what personal information we collect, use, disclose, and sell about you. Specifically you have the right to request that we disclose:
|
3.2. |
Right to Request Deletion. You have the right the right to request the deletion of your personal information that we have collected or maintained, subject to certain exceptions; |
3.3. |
Right to Opt-Out of Sale of your Personal Information. You have the right the right to opt-out of the sale of your personal information by us, subject to certain exceptions; |
3.4. |
Right to Non-Discrimination. You have the right the right not to receive discriminatory treatment by us for the exercise of any of the foregoing privacy rights. |
4. |
|
4.1. |
Authority to Make a Request: Only you, or someone legally authorized to act on your behalf, may make a request related to your personal information. You may also make a request on behalf of your minor child. |
4.2. |
How to Submit a Request to Know or Delete: To submit a request under any of your Rights to Know or the Right to Request Deletion, you can write us an email to privacy@boyden.com, or call us at +1 (855) 426-9336. You will also need to satisfy the verification process requirements described below. You may make up to two requests in any 12-month period. Please note that we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you, in accordance with the verification process described below. |
4.3. |
How to Submit a Request to Opt-Out of Sale: To submit a request to Opt-Out of the Sale of your Personal Information, you can visit our website opt-out request page or call us at +1 (855) 426-9336. Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sales. However, you may change your mind and opt back in to personal information sales at any time by going to our website. |
4.4. |
Process for Verifying Requests to Know or Delete: As part of our verification process, we may require that you submit additional personal information so that we can verify your identity. If we do so, we will use any additional personal information submitted in connection with our verification process only to verify your identity and authority to make the request. Making a consumer request does not require you to create an account with us. We will only use personal information provided in a consumer request to verify the requestor's identity or authority to make the request. |
E. INFORMATION FOR NEVADA RESIDENTS
Provided that you are a resident of Nevada and the Nevada Consumer Privacy Law applies to our processing of your data, the following conditions apply to you:
1. |
|
Nevada residents have the right to request that we not make any sale (as that term is defined the in the Nevada Consumer Privacy Law) of certain categories of personal data that we have collected or will collect about you. |
|
2. |
|
We do not sell the personal information of any Nevada residents, as that term is defined in the Nevada Consumer Privacy Law. |
F. INFORMATION FOR CANADA RESIDENTS
If you are a resident of Canada, the following applies to you:
1. |
||
Personal data, also called personal information in Canada, refers to any information which relates to a natural person and directly or indirectly allows that person to be identified. |
||
2. |
||
When you provide us with personal data after having been made aware of this Privacy Policy, we assume that you agree to our processing of this personal data as set out in this Privacy Policy and Canadian Addendum. This includes using your personal data for employment opportunities with Boyden or its clients, and communications about current or future employment opportunities. |
||
3. |
||
Consent withdrawal. You may withdraw consent to the use or disclosure of your personal data at any time, subject to legal or contractual restrictions and reasonable notice. If you withdraw your consent, we may not be able to provide you with the requested services, and it may impact the functionality of our website. Right of access. You have the right to access the personal data we hold about you, including confirmation of the personal data we hold about you and the right to obtain a copy. Right to correction. You also have the right to correct or update inaccurate, incomplete or unclear personal data we hold about you, or to request deletion of obsolete or unjustified data. Please note, however, that we may need or be required to keep such data, such as to comply with applicable law. To exercise one of your rights, please contact our Data Protection Team at: privacy@boyden.com. You also have the right to lodge a complaint with the relevant data protection or privacy authority. We may ask you to provide sufficient identification to fulfill your request. Any identifying information will be used only for this purpose. Generally, this process is entirely free. However, we may charge a reasonable fee if you request the transcription, reproduction or transmission of personal data. In any case, we will not charge you any fees to respond to your request without first providing you with an estimate of the approximate fees, if any. |
||
4. |
||
We may share your personal data with the following categories of third parties:
|
||
5. |
||
Data about potential candidates is shared with Boyden offices worldwide upon request and personal data we handle may be stored or processed on our behalf by other Boyden offices. A full list of Boyden offices is provided here. Some of our service providers may also access, process or store your personal data outside of the country, state or province where we are located and where you reside. Such data may therefore be available to government authorities under lawful orders and laws applicable in such foreign jurisdictions. |
||
6. |
||
We keep your personal data for as long as is needed to fulfill the purposes for which it was collected. After such time, we securely delete it. However, we may continue to keep it as necessary to comply with our legal and regulatory obligations, resolve disputes, exercise our rights, and enforce and comply with our agreements. |
||
7. |
||
We are committed to safeguarding our clients’ and candidates’ personal and professional information through robust IT governance practices. Our governance framework is designed to align with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), provincial privacy laws, and industry best practices to ensure the confidentiality, integrity, and availability of personal data. We use a multi-layered security approach that includes access control, multi-factor authentication, third party monitoring and audits, and ongoing training and awareness. Our IT governance practices are regularly updated to address emerging cybersecurity threats, comply with Canadian privacy standards, and safeguard entrusted information. |
||
8. |
||
If you have questions, concerns or complaints about our Privacy Policy and our data-handling practices, you may contact our Data Protection Team at privacy@boyden.com. |
G. INFORMATION FOR TURKEY RESIDENTS
Provided you are a resident of Turkey and the Turkey data protection legislation (TDPL) applies to our processing of your personal information, the following conditions apply to you:
1. |
|
The legal basis for the processing of your data under TDPL is as follows:
The foregoing legal bases for the processing of your data are defined in TDPL as follows: “consent” is specified in Article 5(1) TDPL; processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract according to Article 5 (2) lit. c) TDPL; processing is mandatory for the controller to be able to perform his legal obligations according to Article 5 (2) lit. ç) TDPL (Legal obligations of employment agencies: Art. 17 and 19 of Law No. 4904) ; data concerned is made available to the public by the data subject according to Article 5 (2) lit. d) TDPL; |
|
2. |
|
You have the following rights according to Article 11 TDPL: |
|
3. |
|
Data about Candidates and Potential Candidates are shared with our Business Partners and Prospective Employers for purpose of making an employment agreement according to Articles 9 and 5 TDPL and the legal obligations according to Art. 17 and 19 of Law No. 4904 . Boyden also shares the personal data of the data subjects to global database of Boyden, Filefinder, with the consent of the data subjects, for the storage purposes according to Article 9 TDPL. |
|
4. |
|
If you have questions about this Privacy Policy and our data-handling practices, you may contact our Data Protection Team at privacy@boyden.com. |
H. INFORMATION FOR PERSONS LOCATED IN JAPAN
Provided you are a person located in Japan, the following conditions apply to you:
1. |
|
In accordance with the Act on the Protection of Personal Information of Japan, you have the right to request us to notify you of the purposes of use of the personal data, or to disclose, make any correction to, discontinue the use or provision of, and/or delete any and all of, your retained personal data which is stored by us. |
|
2. |
|
To exercise your rights, you can send an email to privacy@boyden.com. A response will be sent within one (1) month from our receipt of your request. If necessary, this period may be extended by us by up to two months, depending on the complexity and number of requests. In the case of a request for deletion of your data and/or removal of your data, we may nevertheless retain such data in a temporary archived form for the period necessary to satisfy our legal, accounting and tax obligations. |
|
3. |
|
We would jointly use your personal data in the cases we have described in the General Part of this Privacy Policy (Part A). Here you will also find details on the items of personal data to be jointly used, parties to jointly use personal data, purposes of joint use and party responsible for management of jointly used personal data. Since we have thus fulfilled the joint-use requirements prescribed by Japanese law, we do not need to obtain separate consent. |
|
3.1. |
Items of Personal Data to be Jointly Used |
3.1.a. |
Potential Candidates: name, postal address, email address, telephone number, employment, employment history and title. |
3.1.b. |
Candidates: name, signature, postal address, email address, telephone number, education, employment, employment history, bank account number, race, color, age (40 years and older), ancestry, national origin, citizenship, religion or creed, medical condition, physical or mental disability, sex (including gender), sexual orientation, current and/or past employment history including performance evaluations, education records, files, documents, and other materials directly related to a student maintained by an educational agency or institution or by a person acting for such an agency or institution, such as grades, transcripts, personal interests, hobbies and background check information (like identity verification, criminal, civil and regulatory judgements, financial and credit checks), health insurance information, information used to create a profile about a candidate reflecting the candidate’s intelligence and abilities or any other details a candidate may choose to share with us |
3.1.c. |
Participants in surveys and studies: profile data requested by survey-service providers like Prophet (ID, name, language, due date of the questionnaire, reminder date of the questionnaire, email address, dates invitation sent, dates notifications of reminders sent, date profile sent, profile details) and survey reports (answers to the questionnaires) |
3.1.d. |
References of Candidates: name, postal address, email address, telephone number, employment, employment history, position, or any other details that the candidate or the candidate’s reference chooses to share with us |
3.2. |
Party to Jointly Use Personal Data |
BWC and local Boyden Office(s) |
|
3.3. |
Purposes of Joint Use |
3.3.a. |
Potential Candidates: purposes of providing executive search services to potential employers worldwide and identifying salary, market and hiring trends by analyzing aggregated data |
3.3.b. |
Candidates: purpose of providing the candidates with employment opportunities and job or career related information as well as providing executive search services to potential employers worldwide and identifying salary, market and hiring trends by analyzing aggregated data. |
3.3.c. |
Participants in surveys and studies: purpose of conducting and evaluating surveys using questionnaires for business development reasons |
3.3.d. |
References of Candidates: purpose of providing executive search services to employers and candidates |
3.4. |
Party Responsible for Management of Personal Data |
4. |
|
Personal data on potential candidates is shared with Boyden offices worldwide upon request and personal data we handle may be stored or processed on our behalf by other Boyden offices. A full list of Boyden offices is provided here. In addition, personal data on candidates and potential candidates are shared with our business partners and prospective employers for the purpose of making employment agreements. The local Boyden office in Japan has entered into a data transfer agreement with the other Boyden offices located outside Japan (except for Boyden offices established in EU member states or the UK) which ensures that in case the personal data of potential candidates located in Japan is transferred and handled by Boyden offices located outside Japan (except for those located in EU member states or in the UK), such personal data is subject to levels of protection comparable to/meeting the standards applicable under the APPI. |
|
5. |
|
If you have any questions or complaints about this Privacy Policy or our data handling practices, you may contact us at privacy@boyden.com. |
I. INFORMATION FOR PERSONS LOCATED IN THAILAND
Provided that you are a person in Thailand and the Personal Data Protection Act (PDPA) applies to our processing of your data, the following conditions apply to you:
1. |
|
The Data Protection Officer and data protection representative of Boyden and Boyden’s local offices is Rechtsanwalt Nikolaus Bertermann (attorney at law), daspro GmbH, Kurfürstendamm 21, 10719 Berlin, Germany, phone +49 30 88 77 41 50, Email: boyden@daspro.de. |
|
2. |
|
2.1 |
The legal basis for the processing of your data under PDPA is as follows:
|
2.2 |
The foregoing legal bases for the processing of your data are defined in PDPA as follows: “consent” is specified in Section 19 PDPA and in Section 26 PDPA regarding special categories of data, “contract” is specified in Section 24 (3) PDPA, “compliance with law” is specified in Section 24 (6) PDPA and “legitimate interest” is specified in Section 24 (5) PDPA. |
3. |
|
Data may be shared with some Boyden offices located outside of Thailand. All Boyden offices have entered into EU Standard Contractual Clauses (SCC) and set up internal privacy and data collection policies. Boyden and local Boyden offices have updated their contracts and have implemented additional safeguards after the Schrems II decision of the ECJ (SCC plus) to protect the data. Potential employers may be located outside of Thailand and may not have adopted appropriate or suitable safeguards. |
|
4. |
|
No change in the processing purposes described in Section A is planned. |
|
5. |
|
You have the following rights under PDPA:
|
J. INFORMATION FOR SWISS RESIDENTS
Provided the Swiss Federal Act of Data Protection (FADP) applies to our processing of your data according to Article 3 FADP, in particular if your data is processed by a Boyden office in Switzerland or if you are in Switzerland, the following conditions apply to you:
K. INFORMATION FOR PERSONS IN TAIWAN
Provided that you are a person in Taiwan and the Personal Data Protection Act (PDPA) applies to our processing of your data, the following conditions apply to you:
Your request was successful.
Your request was not successful. Please note that web browser cookies must be enabled to opt-out.