Privacy Policy

(Effective December 3, 2024)

CONTENTS


  1. GENERAL DATA PROCESSING PRACTICES
    1. Website Visitors
    2. Potential Candidates
    3. Candidates
    4. Participants in surveys and studies
    5. References of Candidates
    6. Service Providers, Business Partners and their Employees
    7. Business Contacts and Communication Partners
    8. Users of the Client Portal
    9. Recipients of Marketing Communications
  2. INFORMATION FOR EUROPEAN UNION RESIDENTS
    1. Data Protection Officer
    2. Legal Basis according to GDPR
    3. Cross-Border Transfers of Data From the EU
    4. Change of processing purposes
    5. Automated decision making
    6. Your Rights according to GDPR
  3. INFORMATION FOR PEOPLE LOCATED IN THE UNITED STATES OF AMERICA
  4. INFORMATION FOR CALIFORNIA RESIDENTS
    1. Collection and Disclosure of Personal Information in Preceding 12 Months
    2. Disclosure or Sale of Personal Information in Preceding 12 Months
    3. Your Rights – California Residents
    4. Instructions for Exercising Your Rights
  5. INFORMATION FOR NEVADA RESIDENTS
    1. Your Rights – Nevada Residents
    2. Sale of Nevada Personal Information
  6. INFORMATION FOR CANADA RESIDENTS
    1. Personal data
    2. Consent
    3. Your Rights
    4. Sharing
    5. Cross-border transfer
    6. Retention
    7. IT Governance Practices
    8. Contact us
  7. INFORMATION FOR TURKEY RESIDENTS
    1. Legal basis according to TDPL
    2. Your Rights – Turkey Residents
    3. Cross-border transfer
    4. Contact us
  8. INFORMATION FOR PERSONS LOCATED IN JAPAN
    1. Your Rights – Japan Residents
    2. Instructions for Exercising Your Rights
    3. Joint Use
    4. Cross-border transfer
    5. Contact us
  9. INFORMATION FOR PERSONS LOCATED IN THAILAND
    1. Data Protection Officer
    2. Legal basis according to PDPA
    3. Cross-Border Transfers of Data from Thailand
    4. Change of processing purposes
    5. Your rights according to PDPA
  10. INFORMATION FOR SWISS RESIDENTS
    1. Legal basis according to FADP
    2. Cross-Border Transfers of Data from Switzerland
    3. Change of processing purposes
    4. Automated decision making
    5. Representative in Switzerland
    6. Your rights according to FADP
  11. INFORMATION FOR PERSONS IN TAIWAN
    1. Legal basis according to PDPA
    2. Your rights according to PDPA

A. GENERAL DATA PROCESSING PRACTICES

Protecting your privacy is important to Boyden World Corporation, 520 White Plains Road, Suite 500, Tarrytown, NY 10591, United States, privacy@boyden.com, +1 914 747 0093 ("Boyden," "we," "us," or "our"). This Privacy Policy explains how Boyden collects, uses, and discloses ("processes") personal data on its own behalf and in conjunction with individual local Boyden offices, and any additional rights you may have under applicable privacy law. We and/or the local Boyden offices determine the purposes and means of the processing of personal data.

You can exercise your privacy and data protection rights by contacting privacy@boyden.com or your local Boyden office. Additional individual privacy and data protection rights are described in Parts B-F below, depending on the applicable law. Please note that we cannot respond to your request or provide you with personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. Thus, we may require that you submit additional personal data so that we can verify your identity. We will use such additional personal data submitted in connection with our verification process only to verify your identity and authority to make the request.

This Part A provides a general description of the processing of personal data by Boyden and local Boyden offices. The following Parts B-F of this Privacy Policy address specific local privacy regulations and amend this general description for the respective region.

Please find below the most important information about our typical data processing, sorted by groups of data subjects and types of data processing. For data processing activities that relate only to specific groups, and processing activities controlled only by local Boyden offices, the obligations to provide information are met separately.

The terms “data”, “personal data” and “personal information” are used interchangeably in this policy, and in each case include any information relating to an identified or identifiable natural person.

We process personal information from or about the following categories of individuals, as more fully described in the sections below:

1.

‎Website Visitors

‎1.1.

Web server log data
Each time a visitor to our website uses their browser to request access to a page on our website, our web server processes a range of data which the visitor's browser automatically transmits to our web server.

1.1.1.

In the past 12 months we have processed, and may continue to process, personal data from website visitors such as the IP address allocated to their device, the date and time of the request, the time zone, the specific page or file accessed, the HTTP status code and the data quantities transmitted; in addition, the website from which their request originated, the browser used, the operating system of their device and the language used.

1.1.2.

We obtain these categories of data directly and indirectly from activity on our website, for example from submissions through our website portal or from website usage details collected automatically.

1.1.3.

The purpose of the data processing of web server log data is the online presentation of Boyden and Boyden's services.

1.1.4.

Web server log data is anonymized before storage. Web server log data will be deleted after one year at the latest.

1.1.5.

Web server log data are not passed on to third parties except under special circumstances. In the event of the suspicion of a crime or in investigative proceedings, data may be transmitted to the police and the public prosecutor's office. We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain, and support IT systems.

1.1.6.

Use of the website without disclosure of web server log data is not ‎possible.

‎1.2‎.

Cookies

 

We use cookies on our website. Cookies are small text files containing information that can be stored on the user's end device via the browser when visiting a website. The information stored in cookies can be read and processed when the website is visited again using the same device. In doing so, we use processing and storage functions of the browser of your device and collect information from the storage of the browser of your device.

In the structure of our Privacy Policy, we differentiate between Technically Required Cookies, Analytics Cookies and Third-Party Multimedia Content. For the function of the website, Technically Required Cookies cannot be deactivated via the cookie management function of this website. However, you can deactivate cookies generally in your browser at any time. Different browsers offer different ways to configure the cookie settings in the browser. We would like to point out, however, that some functions of the website may not function or may no longer function properly if you deactivate cookies in your browser in general.

1.2.1.

Technically Required Cookies

1.2.1.1

Consent Cookies

 

We use so-called Consent Cookies to store your consent, possible revocation of consent and opt-out of the use of cookies on our website.

1.2.1.1.1

In the past 12 months we have processed, and may continue to process, personal data from website visitors such as HTTP data (HTTP data is protocol data that is technically generated when the website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): this includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit) and the user decision on cookies (the user's decision on individual cookies or groups of cookies, and the time of the decision and of the last visit).

1.2.1.1.2

We obtain these categories of data directly from the user (decision on cookies) and indirectly transmitted by the user's browser (protocol data, time stamp).

1.2.1.1.3

The purpose of data processing is the storage of the user decisions on cookies (consent, revocation, opt-out).

1.2.1.1.4

A negative user decision with regard to cookies is deleted at the end of the session. The other data will be deleted after one year.

1.2.1.1.5

We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, ‎maintain, and support IT systems.‎

1.2.1.1.6

Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible.

1.2.1.2

Cf_bm Cookie

 

We use the Cf_bm Cookie to identify and mitigate automated traffic in order to protect our website from bad bots.

1.2.1.2.1

In the past 12 months we have processed, and may continue to process, personal data related to the calculation of a bot score and a session identifier. The information in the cookie (other than time-related information) is encrypted. A separate cookie is generated for each site that a user visits, as we do not track users from site to site or from session to session. The cookie is generated independently by our service provider Cloudflare, and does not correspond to any user ID or other identifiers in our web application.

1.2.1.2.2

We obtain these categories of data indirectly, as transmitted by the user's browser and from how the user is using our website.

1.2.1.2.3

The purpose of data processing is to identify and mitigate automated traffic on our website to protect our website from bots.

1.2.1.2.4

The cookie expires after 30 minutes of continuous inactivity by the user.

1.2.1.2.5

The recipient of the data is Cloudflare Inc., 101 Townsend Street San Francisco, CA 94107 USA.

1.2.1.2.6

Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible.

1.2.1.3

reCAPTCHA Enterprise

 

We use the reCAPTCHA Enterprise service (hereinafter "reCAPTCHA") from Google on our website. This tool contains an automated test to check whether the individual users of the website are humans or an automated program (bot or malware). For this purpose, reCAPTCHA analyzes behavior based on different interaction patterns with the website and associated parameters (e.g. time spent on the website, mouse movements made). An "I'm not a robot" checkbox is integrated into the page. 

By integrating reCAPTCHA, we enable Google to collect personal data on our website. The collection and processing of personal data is the sole responsibility of Google. We have no knowledge of the details of the processing of personal data in Google's area of responsibility. Information about the processing of personal data by Google can be found in Google's privacy policy: https://policies.google.com/privacy

Google only provides us with the analysis result created on the basis of this data (human or automated program) in aggregated, anonymized form. We cannot assign the information provided to us to any natural person. 

1.2.1.3.1

In the past 12 months, we have processed, and in the future may continue to process, personal data about website visitors such as HTTP data (Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your internet browser, operating system used, the page accessed, the page previously visited (referrer URL), date and time of access.), Usage data (Usage data is data about your human interaction with the website and the associated parameters such as clicks on ads, mouse movements made or the time spent on the website.) and reCAPTCHA analysis data (The reCAPTCHA analysis data is the evaluation of the data processed by Google to determine whether the respective user of the website is a human or an automated program. This is completely anonymized analysis data. Google also shows us the number of requests to our website, the reCAPTCHA score distribution, the top 10 actions on our website and the top 10 actions with suspicious traffic.)

1.2.1.3.2

The data is automatically provided by the user's browser and generated independently by Google. We do not know whether Google uses other data sources.

1.2.1.3.3

The purpose of data processing is to enable Google to collect and process usage data on our website in order to ensure the security of our website and its users. There are no plans to change the purposes. The further purposes of processing by Google are determined solely by Google (https://policies.google.com/privacy).

1.2.1.3.4

We do not collect or store this data ourselves. The collection and processing of this data is the responsibility of Google. According to Google, the individual reCAPTCHA tokens are automatically deleted after 2 minutes. We have no knowledge of further details on the storage period.

1.2.1.3.5

The recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

1.2.1.3.6

Without disclosing personal data, it is not possible for reCAPTCHA to analyze whether you are a human, bot or malicious software. Communication via the website is not technically possible without providing data.

1.2.2

Analytics Cookies

1.2.2.1

Google Analytics

 

If you have given your consent, we use the web analysis tool Google Analytics on our website. With the help of Google Analytics, we can analyze the user behaviour of visitors to our website in pseudonymized and anonymised form. It is possible that Google uses other services such as Google Tag Manager.

You can deactivate the data processing by Google Analytics at any time in our "cookie board". Alternatively, you can install a browser plug-in from Google which prevents data collection by Google Analytics:
https://tools.google.com/dlpage/gaoptout

1.2.2.1.1

In the past 12 months, we have processed, and in the future may continue to process, personal data about website visitors such as Google Analytics HTTP data (This is protocol data that is generated for technical reasons when using the web analysis tool Google Analytics via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.), Google Analytics device data (Data generated by the web analysis tool Google Analytics and assigned to your device: This includes a unique ID for the (re-)recognition of returning visitors (so-called "client ID") as well as certain technical parameters for controlling data collection for web analysis.), Google Analytics measurement data (Device-related raw data (so-called "dimensions" and "measurement results"), which are collected and analysed by the web analysis tool Google Analytics when using our website: This includes, above all, information about the sources through which visitors reach our website, information about the location, the browser and the device used, information about the use of the website (in particular page views, frequency of visits and length of stay on accessed pages) as well as information about the fulfilment of certain purposes (in particular transactions in the online shop). The data is assigned to the client ID assigned to your device. As a result, device-related usage profiles are created in which all device-related raw data is combined into a client ID. The data that we collect using Google Analytics does not enable us to identify you personally (i.e. by your civil name). We also do not merge the device-related raw data and the resulting device-related usage profiles with data that directly identifies you personally without your consent.) and Google Analytics report data (Data contained in aggregated segment and device-related reports generated by the Google Analytics web analysis tool based on the analysis of device-related raw data.).

1.2.2.1.2

We obtain these categories of data indirectly, as transmitted by the user's browser and from how the user is using our website.

1.2.2.1.3

The purpose of data processing is to analyze user behaviour and to measure the reach of our website and advertisements to optimize our website.

1.2.2.1.4

The data will be deleted after one year.

1.2.2.1.5

The recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

1.2.2.1.6

The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot perform web analysis using Google Analytics.

1.2.2.2

Hubspot Analytics Cookies

 

If you have given your consent, we use the analytics cookies of Hubspot on our website. The data collection is pseudonymised, unless you provide further personal data such as your name or email address when using the website. In this case, an allocation can take place.

You can deactivate the data processing by Hubspot at any time in our "cookie board". Alternatively, you can disable Hubspot cookies for the browser you are currently using by deactivating the storage of cookies in your browser settings.

1.2.2.2.1

In the past 12 months, we have processed, and in the future may continue to process, personal data about website visitors such as Hubspot cookies-HTTP data (This is log data that is technically generated when Hubspot cookies are used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your internet browser, operating system used, the page accessed, the page previously visited (referrer URL), date and time of access.) and Hubspot cookies-end device data (Data that is assigned to your end device by Hubspot Cookies: This includes a unique ID for (re)recognising returning visitors.).

1.2.2.2.2

We obtain these categories of data indirectly, as transmitted by the user's browser and from how the user is using our website.

1.2.2.2.3

The purpose of data processing is to analyze user behaviour and to measure the reach of our website and advertisements to optimize our website.

1.2.2.2.4

The cookies that keep track of the relevant session of the user expire after 30 minutes. The cookie which tracks whether the user has restarted their browser expires at the end of the session. All other data will be deleted after 6 months at the latest.

1.2.2.2.5

The recipient of the data is Hubspot Germany GmbH, Am Postbahnhof 17, 10243 Berlin.

1.2.2.2.6

The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot perform web analysis using Hubspot.

1.2.2.3

Matomo Cloud

 

If you have given your consent, we use the analytics cookies of Matomo on our website.

You can deactivate the data processing with Matomo Cloud at any time in our "cookie board".

1.2.2.3.1

In the past 12 months, we have processed, and in the future may continue to process, personal data about website visitors such as HTTP data, type and version of your Internet browser, the operating system used, the web page, the web page visited previously (referrer URL), date and time of the visit, device data regarding information regarding their interaction with an Internet Web site (Data generated by the web analytics tool Matomo Cloud and assigned to their device (“client ID”)), measurement data (device related raw data) and Matomo Cloud report data (reports based on the analysis of the raw data). On our website a so-called IP anonymization is activated for the use of the web analysis tool Matomo Cloud.

1.2.2.3.2

We obtain these categories of data indirectly, as transmitted by the user's browser and from how the user is using our website.

1.2.2.3.3

The purpose of the data processing is to increase the efficiency of our use of resources for our website and our advertising measures and the satisfaction of our visitors by (usage-based) optimization of our website by measuring the use of our website and (usage-based) optimization of our advertising measures by measuring the success of the advertising media we use in our website (monitoring of advertising media success).

1.2.2.3.4

The data is anonymized before storage. The data will be deleted after 14 months.

1.2.2.3.5

The recipient of the data is InnoCraft (Operator of Matomo Cloud), 150 Willis St, 6011 Wellington, New Zealand. Data is processed only in the Matomo Cloud data center in Frankfurt, Germany.

1.2.2.3.6

The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot perform web analysis using Matomo Cloud.

1.2.3

Third-Party Multimedia Content

 

Google Maps and Google Fonts

If you have given your consent via the Cookie Board, map material of "Google Maps and Google Fonts" is integrated on certain subpages of the website. With this integration, content of Google Maps and Google Fonts is displayed in parts of a browser window. However, the map content is only retrieved if you have previously given the respective consent. This ensures that no data is transmitted to Google and no cookies are stored on your device before the website visitor gives his or her consent via the Cookie Board.

As soon as you give your consent via the Cookie Board to display the Google Maps and Google Fonts content, the content is loaded from Google. Technically, the same thing then happens as would happen if you accessed Google Maps directly through a link: Google receives all information that your browser automatically transmits (including your IP address). Google also sets its own cookies on your device. This also happens if you do not have a Google user account. If you are logged in to Google, your data will be associated directly with your account. If you do not want the association with your Google user account, you must log out of Google before giving your consent.

The collection and processing of this data is the sole responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider. We have no knowledge of further details of the processing of personal data in the area of data controllership of Google or a data processing in the USA. We have no influence on the data processing of Google.

For information about the processing of personal data by Google, please refer to the Google Privacy Policy: https://policies.google.com/privacy.

2.

Potential Candidates

 

When we or a local Boyden office identify a potential candidate, we may collect business card data about such potential candidate from publicly accessible sources, and we and the local Boyden office jointly determine the purposes and means of the processing of such data and have entered into an agreement for that purpose. According to that agreement, the local Boyden office is responsible for ensuring the fulfilment of the potential candidate's rights and will inform them in a privacy notice about the contact details of the local office and the publicly accessible sources of the data. However, potential candidates may contact either us or the local Boyden office regarding any claims or complaints.

‎2.1‎.

In the past 12 months, we have processed, and in the future may continue to process personal data about potential candidates such as name, postal address, email address, telephone number, employment, employment history and title.‎

‎2.2‎.

We collect data about potential candidates from the following publicly accessible sources: public business websites, services such as LinkedIn, Xing or other business press or publications.

2.3.

Data about potential candidates are processed for the purposes of providing executive search services to ‎potential employers worldwide and identifying salary, market and hiring trends by analyzing aggregated data.‎

‎2.4‎.

Data about potential candidates will be deleted upon the potential candidate’s request or in accordance with Boyden's global data retention policy.‎

‎2.5.

Data about potential candidates is shared with Boyden offices worldwide upon request. A full list of Boyden ‎offices is provided here.‎

‎3.

Candidates

 

‎Whenever an individual authorizes Boyden to list them as a candidate for job offerings, we and the local ‎Boyden office jointly determine the purposes and means of the processing of such candidate’s data and have entered into ‎an agreement for that purpose. According to the agreement, the local Boyden ‎offices are responsible to ensure the fulfilment of the candidate’s rights. However all candidates ‎may contact either us or the local Boyden office regarding any claims or complaints.‎

‎3.1.

In the past 12 months, we have processed, and in the future may continue to process personal data about candidates, such as name, signature, postal address, email address, telephone number, education, employment, employment history, bank account number, race, color, age (40 years and older), ancestry, national origin, citizenship, religion or creed, medical condition, physical or mental disability, sex (including gender), sexual orientation, current and/or past employment history including performance evaluations, education records, files, documents, and other materials directly related to a student maintained by an educational agency or institution or by a person acting for such an agency or institution, such as grades, transcripts, personal interests, hobbies and background check information (like identity verification, criminal, civil and regulatory judgements, financial and credit ‎checks), health insurance information, information used to create a profile about a candidate reflecting the candidate’s intelligence and abilities or any other details a candidate may choose to share with us.‎

‎3.2.

Data about candidates may be collected from the candidate, from publicly accessible sources like websites (e.g. company or private websites, LinkedIn) and third parties that the candidate or their testimonials have named as potential references.

‎3.3.

Data about candidates are processed for the purpose of providing the candidates with employment ‎opportunities and job or career related information as well as providing executive search ‎services to potential employers worldwide and identifying salary, market and hiring trends by analyzing aggregated data.

‎3.4.

The data retention period is seven calendar years from the last completion of the client ‎engagement or documented contact with the candidate, whichever is later.‎

3.5.

Data about candidates are shared with Boyden offices worldwide and with potential ‎employers to fulfill clients' or candidates' requests. A full list of Boyden offices is provided here.

‎3.6.

Candidates are not obliged to provide personal data. Without such personal data, however, we will not be ‎able to provide candidates with employment opportunities.‎

4.

Participants in surveys and studies

 

Where individuals have given their consent to participate in surveys or studies ("Participants"), Boyden and the local Boyden offices process their personal data for surveys and studies. We and the local Boyden office jointly determine the purposes and means of the processing of Participant data and have entered into an agreement for that purpose. According to the agreement, the local Boyden offices are responsible for ensuring the fulfilment of Participant rights. However, all Participants may contact either us or the local Boyden office regarding any claims or complaints.

4.1.

In the past 12 months, we have processed, and in the future may continue to process personal data about Participants, such as profile data requested by survey-service providers like Prophet (ID, name, language, due date of the questionnaire, reminder date of the questionnaire, email address, dates invitation sent, dates notifications of reminders sent, date profile sent, profile details) and survey reports (answers to the questionnaires). Some statistical studies are completely anonymous.

4.2.

The personal data about Participants is provided by the Participant or assigned by the survey-service provider.

4.3.

Participant personal data are processed for the purpose of conducting and evaluating surveys using questionnaires for business development reasons.

4.4.

The data retention period is seven calendar years from the last participation in the surveys or studies.

4.5.

We use service providers like Prophet Profiling Ltd. as data processors, which create individual profiles for the participants and conduct and evaluate the questionnaires on our behalf.

4.6.

Participation in surveys and studies is voluntary. Anyone who does not wish to participate in a survey or study can contact Boyden to discuss alternatives.

‎5.

References of Candidates

 

‎When we or a local Boyden office receive personal data from a candidate or other source about the candidate’s reference, we ‎and the local Boyden office jointly determine the purposes and means of the processing of the data about the candidate’s reference and have ‎entered into an agreement for that purpose. According to the agreement, the local ‎Boyden office is responsible to ensure the fulfilment of the rights of the candidate’s reference and will inform the personal reference ‎in a privacy notice about our contact details and source of their data. However all references of candidates may contact either us or the local Boyden office regarding any claims or complaints.‎

‎5.1.

In the past 12 months, we have processed, and in the future may continue to process personal data about references of candidates, such as name, postal address, email address, telephone number, employment, employment history, position, or any other details that the candidate or the candidate’s reference chooses ‎to share with us.

5.2.

Sources of data about a candidate’s reference are the candidate, another reference, or publicly ‎accessible sources like public business websites, services such as LinkedIn, Xing or other ‎business press or publications.

‎5.3.

Data about a candidate’s reference are processed for the purpose of providing executive search services to ‎employers and candidates.

5.4.

The data retention period is seven calendar years from the last completion of the client ‎engagement or documented contact with the candidate who named the data subject as a reference, ‎whichever is later.‎

‎5.5.

We may also enter into service agreements with other businesses to perform services on our behalf, in particular to ‎provide, maintain and support IT systems.‎

‎‎‎6.

Service Providers, Business Partners and their Employees

 

Boyden and the local Boyden office may process personal data regarding service providers, business partners and their employees.

6.1.

In the past 12 months, we have processed, and in the future may continue to process personal data about service providers, business partners and their employees, such as name, title, postal address, email address, telephone number, employment, employment history and any other details that they later choose ‎to share.‎

6.2.

Data about service providers, business partners and their employees may be collected from the applicable service provider, business partner, or their employees, or from publicly accessible sources like websites (e.g. company or private websites, LinkedIn).

6.3.

We process data about service providers, business partners and their employees for the purpose of preparation and performance of the contractual ‎relationship and for the fulfilment of legal requirements.

6.4.

All contractual data, content of communications and data relevant for accounting are stored in ‎accordance with the Boyden Global Retention Policy.

‎6.5.

Recipients of data about service providers, business partners and their employees may include banks for the processing of payments. Public authorities and offices may receive data within the scope of their duties, insofar as we are obligated or entitled to transmit data. Moreover, in specific cases data may be transmitted to a collection of service providers, legal advisors and courts. We may also enter into service agreements with other businesses to perform services on our behalf, in particular to provide, maintain and support IT systems.

‎6.6.

Processing of the contact data from service providers, business partners and their employees is necessary in order to perform the contract or order. If the data are not provided, the contract cannot be established or carried out. The provision of data is required for prospective service providers, business partners and their employees. Communication is not possible without the data.

‎7.

Business Contacts and Communication Partners

 

Boyden and the local Boyden office may process personal data regarding Business Contacts and Communication Partners.

7.1‎.

In the past 12 months, we have processed, and in the future may continue to process personal data about our business contacts and communication partners, such as name, postal address, email address, telephone number, employment, title or any other details that they later choose ‎to share with us.‎

7.2.

We obtain these categories of personal information from our business contacts and communication partners, from our clients or their agents, and from ‎third-parties that interact with us in connection with the services we perform.

7.3.

We process the data from prospective business contacts and communication partners for ‎the purpose of communication with them.‎

7.4‎.

Inquiries and communication data are automatically deleted after 10 years.‎

‎7.5.

We may also enter into service agreements with other businesses to perform services on our behalf, in particular ‎to provide, maintain and support IT systems.‎

‎‎7.6.

The provision of data is required for prospective business partners and communication ‎partners. The communication is not possible without the data.‎

8

Users of the Client Portal

 

The local Boyden Offices provide their clients with access to a platform (“Client Portal”) as an option for reporting to them through a secure online format. Within the Client Portal the users can share assignments or provide feedback or scorings. The respective local Boyden office is the controller for the data processing with regard to their clients and their clients’ employees using the Client Portal.

8.1

In the past 12 months, the local Boyden Offices have processed, and in the future may continue to process personal data about their client contacts, such as name, postal address, email address, telephone number, employment, title, assignments, comments and feedback or scorings or any other details that they choose to share with the local Boyden Offices. The technical metadata of the communication is also processed.

8.2

The local Boyden Offices obtain the data from the data subjects during their use of the Client Portal.

8.3

The local Boyden Offices process the data from the users of the Client Portal to provide their clients with a secure communication channel.

8.4

The local Boyden Offices may also enter into service agreements with other businesses to perform services on our behalf, in particular ‎to provide, maintain and support IT systems.

8.5

Inquiries and communication data are automatically deleted after 10 years.‎ The technical metadata of the communication is deleted after one year at the latest. 

8.6

The provision of data is required for users of the Client Portal. The communication is not possible without the data.‎

9

Recipients of Marketing Communications

 

In the case where individuals have given their consent and registered for the download of marketing brochures and the reception of marketing communication of a local Boyden Office, the relevant local Boyden Office will send them information about the services. The respective local Boyden office is the controller for the data processing with regard to the marketing communications. The local Boyden office can also occasionally invite them to participate in surveys as part of the newsletter. If the recipients of marketing communications participate in such surveys, the information in Section 4 of this Privacy Policy applies. The local Boyden Offices may also monitor the reach and success of the brochures and other marketing communications.

9.1

In the past 12 months, the local Boyden Offices have processed, and in the future may continue to process personal data about recipients of marketing communications, such as name and email address, telephone number, candidate/client, company and title, HTTP data, subscription and opening rates of the brochures and marketing communications and clicks.

9.2

The personal data of recipients of marketing communications is provided by the recipients or via the devices with which the recipient opens the marketing communications.

9.3

The local Boyden Office processes the data from recipients of marketing communications for ‎the purpose of sending the marketing communications and monitoring the reach of the marketing communications.

9.4

Data regarding marketing communications will be deleted when the recipients of marketing communications unsubscribe from the newsletters by using the unsubscribe button in each marketing communication. Data with regard to opening and reading times will usually be deleted or anonymized after 18 months.

9.5

The local Boyden Office uses the service provider Emma, Inc., 11 Lea Avenue, Nashville, TN 37219, USA for marketing communication management.

9.6

Data is required to receive marketing communications. Without providing data, they cannot be sent. A withdrawal of your consent is possible at any time with effect for the future. Please use the unsubscribe function in the marketing communications.

B. INFORMATION FOR EUROPEAN UNION RESIDENTS

Provided the EU General Data Protection Regulation (GDPR) applies to our processing of your data according to Article 3 GDPR, in particular if your data is processed by a Boyden office in the European Union or if you are in the ‎European Union, the following conditions apply to you:

1.

Data Protection Officer

 

The Data Protection Officer and data protection representative of Boyden and Boyden’s local offices according to Article ‎‎27 GDPR (EU General Data Protection Regulation) is Rechtsanwalt Nikolaus Bertermann ‎‎(attorney at law), daspro GmbH, Kurfürstendamm 21, 10719 Berlin, Germany, phone +49 30 88 ‎‎77 41 50, Email: boyden@daspro.de.‎

2.

Legal basis according to GDPR

2.1.

The legal basis for the processing of your data under GDPR is as follows:

  • Web Server log data – ‎The legal basis for the processing of Web server log data obtained while using the website is our legitimate interest, ‎specifically operation of a website and user interaction.
  • Technically Required Cookies – The legal basis for the processing of data using Technically Required Cookies is our legitimate interest according to GDPR, specifically the interest in the easy and reliable control of cookie settings in accordance with the respective user decisions and the interest in protecting the website from bot attacks. The Technically Required Cookies are also considered necessary according to local privacy regulations like Article 5 (3) E-Privacy-Directive 2002/58/EC.
  • Analytics Cookies – ‎The legal ‎basis for the analysis of user ‎behavior using Analytics Cookies is your consent.
  • Third-Party Multimedia Content – The legal basis for implementing Third-Party Multimedia Content is your consent.
  • Potential Candidate data – The legal basis for the processing of potential candidate data is our legitimate interest to provide our ‎‎services.‎
  • Candidate data – The legal basis for our processing of candidate data is your consent and – as far as only your business card details or data collected from publicly available sources are processed – our legitimate interest to provide such services.
  • Data regarding participants in surveys and studies – The legal basis for our processing of data regarding participants in surveys and studies is your consent.
  • Data regarding references of Candidates – The legal basis for processing data regarding references of candidates is legitimate interest of the ‎candidate to name a reference ‎and legitimate interest of Boyden to evaluate the ‎candidate.‎
  • Data regarding Service Providers, Business Partners and their Employees – The legal bases for processing are: in the case of contracts with natural persons, the contract; in the case of contracts with legal entities, legitimate interest, specifically communication with contact persons relevant to the contract; and in all cases, legal obligations, in particular commercial and tax provisions. When checking, asserting or rejecting claims, the legal basis is legitimate interest, specifically asserting or defending claims.
  • Data regarding Business Contacts and Communication Partners – ‎The legal basis for processing data from actual and prospective business contacts and ‎‎communication partners is legitimate interest, specifically ‎communication with prospective ‎business contacts and communication partners.‎
  • Data regarding Users of the Client Portal – The legal basis for processing data from the users of the Client Portal is legitimate interest, specifically ‎communication with client contacts over a secure communication channel.‎
  • Data regarding Recipients of Marketing Communications – The legal basis for processing data from recipients of marketing communications is consent. The legal basis for the tracking of the opening rates and the clicks within the marketing communications is either consent where the relevant consent is obtained or is legitimate interest, specifically improving the marketing communications and showing the recipients more relevant content.

2.2.

The foregoing legal bases for the processing of your data are defined in GDPR as follows: “consent” is specified in Article 6(1)(a) GDPR, “contract” is specified in Article 6(1)(b) ‎GDPR, “legal obligations” is specified in Article 6(1)(c) GDPR and “legitimate interest” is specified in Article 6(1)(f) GDPR.

3.

Cross-Border Transfers of Data from the EU

3.1

Cross-Border Transfers between Boyden offices

 

Data may be shared with some Boyden offices located outside of the EU. All Boyden offices have entered into ‎‎EU Standard Contractual Clauses (SCC) and set up internal privacy and data collection ‎policies. Boyden and local Boyden offices have updated their contracts and have implemented additional safeguards after the Schrems II decision of the ECJ (SCC plus) to protect the data. You may request a copy of the SCC from us or a Boyden office at any time.‎ Potential employers may be located outside of the EU and may ‎not have adopted appropriate or suitable safeguards.

3.2

Cross-Border Transfers in the Context of the Use of Service Providers

 

Data may be shared with our service providers which we use as processors within the framework of a data processing agreement. We use Cloudflare, Inc., Hubspot, Inc. and Emma, Inc. as our service providers. We have entered into the EU Standard Contractual Clauses (2021/914) with Cloudflare, Inc. and Emma, Inc. to protect your data. We also use Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider. Google has also entered into the EU Standard Contractual Clauses (2021/914) to protect your data. You can request a copy of the essential contractual contents of the standard contractual clauses at any time. In addition, the Google companies (including Google LLC), Cloudflare, Inc., Hubspot, Inc. and Emma, Inc. are certified in accordance with the EU-US Data Privacy Framework.

4.

Change of processing purposes

 

No change in the processing purposes described in Section A is ‎planned.

5.

Automated decision making

 

No automated decision-making (Article 22 GDPR) takes place.

6.

Your rights according to GDPR

 

You have the following rights under GDPR:

  • You may withdraw your consent at any time, if your data is processed based on your ‎consent. The withdrawal of consent does not affect the lawfulness of processing before ‎the withdrawal of consent.‎
  • You may at any time object to the further processing of your data if your data is ‎processed based on our legitimate interest.‎
  • You may at any time request access to your personal data processed by Boyden or any Boyden office.‎‎
  • ‎If our processing is based on your consent you have the right to data portability.‎
  • ‎You may request rectification of your personal data at any time.‎
  • ‎You may request erasure of your personal data at any time, provided that no right or legal ‎obligation of Boyden or any Boyden office requires further processing of your personal data.‎
  • You may request restriction of processing for your data at any time.‎
  • You may at any time lodge a complaint with a supervisory authority.‎

C. INFORMATION FOR PEOPLE LOCATED IN THE UNITED STATES OF AMERICA

The following section contains data protection regulations that affect you when you are located in the USA. These relate in particular to text messaging and electronic messaging.

Sections D and E below contain further data protection specifics in the USA, particularly with regard to California and Nevada.

SMS and Electronic Messaging: If consent has been obtained (SMS opt-in), we process your phone number to send you SMS or other electronic messages for Boyden marketing purposes. SMS opt-in or phone numbers for the purpose of sending SMS for marketing purposes are not shared by Boyden. You can revoke your consent at any time (opt out) by replying “STOP” to unsubscribe.

D. INFORMATION FOR CALIFORNIA RESIDENTS

Provided that you are a resident of California and the California Consumer Privacy Act (CCPA) applies to our processing of your personal information, the following conditions apply to you:

1.

Collection of Personal Information in Preceding 12 Months

1.1.

During the past twelve months, we have collected personal information that falls under the below listed California-designated categories of personal ‎information. For each category listed below, you can find the sources of the data, the purposes for which it is collected, and the third parties with whom it is shared in Part A of this Privacy Policy.

  • Category A: Identifiers such as real name, alias, postal address, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
    Data of Category A is processed for Website visitors, Potential Candidates, Candidates, Participants in surveys and studies, References of candidates, Service Providers, Business Partners and their Employees, Business Contacts and Communication Partners, Client Portal Users and Newsletter Recipients.
  • Category B: Personal information categories listed in the California Customer Records statute, such as name, signature, social security number, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, or health insurance information.
    Data of Category B is processed for Potential Candidates, Candidates, Participants in surveys and studies, References of candidates, Service Providers, Business Partners and their Employees, Business Contacts and Communication Partners, Client Portal Users and Newsletter Recipients.
  • Category C: Characteristics of protected classifications under California or federal law, including age (40 years and older), ancestry, national origin, citizenship, religion or creed, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status.
    Data of Category C is processed for Candidates and Participants in surveys and studies.
  • Category F: Internet or other electronic network activity information, such as information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
    Data of Category F is processed for Website visitors and Newsletter Recipients.
  • Category I: Professional or employment-related information, including current and/or past employment history including performance evaluations.
    Data of Category I is processed for Candidates, Potential Candidates, Participants in surveys and studies and References of candidates.
  • Category J: Non-public education information, including education records, files, documents, and other materials directly related to a student maintained by an educational agency or institution or by a person acting for such an agency or institution, such as grades, and transcripts.
    Data of Category J is processed for Candidates and Participants in surveys and studies.
  • Category K: Inferences drawn from other personal information, such as information used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
    Data of Category K is processed for Candidates, Participants in surveys and studies and Newsletter Recipients.

2.

Disclosure or Sale of Personal Information in Past 12 Months

2.1.

In the preceding 12 months, we have disclosed or sold to third parties the categories of personal information specified in Part A above.

2.2.

We do not sell the personal information of minors under 16 years of age without affirmative authorization.

3.

Your Rights – California Residents

3.1.

Rights to Know. You have the right to request that we disclose to you what personal information we collect, use, disclose, and sell about you. Specifically, you have the right to request that we disclose:

  • the categories of personal information we have collected about you;‎
  • the categories of sources from which we collect personal information about you;‎
  • the business or commercial purposes for collecting or selling your personal information;
  • the categories of third parties with whom we share your personal information; and
  • the specific pieces of personal information we have collected about you.‎

3.2.

Right to Request Deletion. You have the right to request the deletion of your personal information that we have collected or maintained, subject to certain exceptions.

3.3.

Right to Opt-Out of Sale of your Personal Information. You have the right to opt-out of the sale of your personal information by us, subject to certain exceptions.

3.4.

Right to Non-Discrimination. You have the right not to receive discriminatory treatment by us for the exercise of any of the foregoing privacy rights.

4.

Instructions for Exercising Your Rights

4.1.

Authority to Make a Request: Only you, or someone legally authorized to act on your behalf, may make a request related to your personal information. You may also make a request on behalf of your minor child.

4.2.

How to Submit a Request to Know or Delete: To submit a request under any of your Rights to Know or the Right to Request Deletion, you can email us at privacy@boyden.com, or call us at +1 (855) 426-9336. You will also need to satisfy the verification process requirements described below. You may make up to two requests in any 12-month period.

Please note that we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority ‎to make the request and confirm the personal information relates to you, in accordance with the verification process described below. ‎

4.3.

How to Submit a Request to Opt-Out of Sale: To submit a request to Opt-Out of the Sale of your Personal Information, you can visit our website opt-out request page or call us at +1 (855) 426-9336.

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sales. However, you may change your mind and opt back in to personal information sales at any time by going to our website.

4.4.

Process for Verifying Requests to Know or Delete: As part of our verification process, we may require that you submit additional personal ‎information so that we can verify your identity. If we do so, we will use any additional personal ‎information submitted in connection with our verification process only to verify your identity ‎and authority to make the request.‎

Making a consumer request does not require you to create an account with us.

We will only use personal information provided in a consumer request to verify the requestor's identity or authority to make the request.

E. INFORMATION FOR NEVADA RESIDENTS

Provided that you are a resident of Nevada and the Nevada Consumer Privacy Law applies to our processing of your data, the following conditions apply to you:

1.

Your Rights – Nevada Residents

 

Nevada residents have the right to request that we not make any sale (as that term is defined in the Nevada Consumer Privacy Law) of certain categories of personal data that we have collected or will collect about you.

2.

Sale of Nevada Personal Information

 

We do not sell the personal information of any Nevada residents, as that term is defined in the Nevada Consumer Privacy Law.

F. INFORMATION FOR CANADA RESIDENTS

If you are a resident of Canada, the following applies to you:

1.

Personal data (or personal information)

 

Personal data, also called personal information in Canada, refers to any information which relates to a natural person and directly or indirectly allows that person to be identified.

2.

Consent

 

When you provide us with personal data after having been made aware of this Privacy Policy, we assume that you agree to our processing of this personal data as set out in this Privacy Policy and Canadian Addendum. This includes using your personal data for employment opportunities with Boyden or its clients, and communications about current or future employment opportunities.

3.

Your Rights

 

Consent withdrawal. You may withdraw consent to the use or disclosure of your personal data at any time, subject to legal or contractual restrictions and reasonable notice. If you withdraw your consent, we may not be able to provide you with the requested services, and it may impact the functionality of our website.

Right of access. You have the right to access the personal data we hold about you, including confirmation of the personal data we hold about you and the right to obtain a copy.

Right to correction. You also have the right to correct or update inaccurate, incomplete or unclear personal data we hold about you, or to request deletion of obsolete or unjustified data. Please note, however, that we may need or be required to keep such data, such as to comply with applicable law.

To exercise one of your rights, please contact our Data Protection Team at: privacy@boyden.com. You also have the right to lodge a complaint with the relevant data protection or privacy authority.

We may ask you to provide sufficient identification to fulfill your request. Any identifying information will be used only for this purpose. Generally, this process is entirely free. However, we may charge a reasonable fee if you request the transcription, reproduction or transmission of personal data. In any case, we will not charge you any fees to respond to your request without first providing you with an estimate of the approximate fees, if any.

4.

Sharing

 

We may share your personal data with the following categories of third parties:

  • To affiliates and subsidiaries for purposes consistent with this Policy. We require our affiliates and subsidiaries to uphold and maintain Boyden’s policies regarding privacy and the treatment of your personal data in accordance with applicable laws and regulations.
  • To clients working with Boyden on current and future employment opportunities.  We require clients to maintain confidentiality and security of your information.
  • To service providers acting on behalf of Boyden (e.g., to maintain computer databases, host the resume submission page, perform marketing and/or recruitment activities, provide security services, conduct analytics, conduct surveys, or provide assessment and testing services). If we transfer your personal data to a service provider, we ensure they maintain confidentiality and security of your information.
  • To potential transaction partners, advisors, and other third parties in connection with the consideration, negotiation, or completion of a business transaction, including any corporate transaction where we are acquired by or merged with another company or sell or transfer all or a portion of our assets or business.
  • To other persons as permitted by applicable law or regulation.
  • To law enforcement personnel and governmental and administrative agencies, including to meet national security requirements, or as part of a legal process.
  • As we deem reasonably necessary to protect the rights, property, or safety of ourselves, you, or others.

5.

Cross-border transfer

 

Data about potential candidates is shared with Boyden offices worldwide upon request and personal data we handle may be stored or processed on our behalf by other Boyden offices. A full list of Boyden ‎offices is provided here. Some of our service providers may also access, process or store your personal data outside of the country, state or province where we are located and where you reside. Such data may therefore be available to government authorities under lawful orders and laws applicable in such foreign jurisdictions.

6.

Retention

 

We keep your personal data for as long as is needed to fulfill the purposes for which it was collected. After such time, we securely delete it. However, we may continue to keep it as necessary to comply with our legal and regulatory obligations, resolve disputes, exercise our rights, and enforce and comply with our agreements.

7.

IT Governance Practices

 

We are committed to safeguarding our clients’ and candidates’ personal and professional information through robust IT governance practices. Our governance framework is designed to align with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), provincial privacy laws, and industry best practices to ensure the confidentiality, integrity, and availability of personal data.

We use a multi-layered security approach that includes access control, multi-factor authentication, third party monitoring and audits, and ongoing training and awareness.

Our IT governance practices are regularly updated to address emerging cybersecurity threats, comply with Canadian privacy standards, and safeguard entrusted information.

 

8.

Contact us

 

If you have questions, concerns or complaints about our Privacy Policy and our data-handling practices, you may contact our Data Protection Team at privacy@boyden.com.

G. INFORMATION FOR TURKEY RESIDENTS

Provided you are a resident of Turkey and the Turkey data protection legislation (TDPL) applies to our processing of your personal information, the following conditions apply to you:

1.

Legal basis according to TDPL

 

The legal basis for the processing of your data under TDPL is as follows:

  • Potential Candidate data – The legal basis for the processing of potential candidate data is that the data was made publicly available by the data subjects via online channels.
  • Candidate data – The legal basis for our processing of candidate data is your consent and – as far as only your business card details or data collected from publicly available sources are processed – that the data was made publicly available by the data subjects via online channels. Processing of personal data of the Candidates is necessary if it is directly related to the establishment or performance of the contract with Business Partners and it is needed to perform legal obligations as an employment agency.
  • Data regarding participants in surveys and studies – The legal basis for our processing of data regarding participants in surveys and studies is your consent.
  • Data regarding references of Candidates – The legal basis for processing data regarding references of candidates is their consent.
  • Data regarding Service Providers, Business Partners and their Employees – ‎The legal bases for processing are directly related to the establishment or performance of the contract with Business Partners.
  • Data regarding Business Contacts and Communication Partners – ‎The legal basis for processing data from actual and prospective business contacts and ‎‎communication partners is directly related to the establishment or performance of the contract with Business Partners.
  • Data regarding Users of the Client Portal – The legal basis for processing data from the users of the Client Portal is directly related to the establishment or performance of the contract with Business Partners.
  • Data regarding Newsletter Recipients – The legal basis for processing data from newsletter recipients is consent. 

The foregoing legal bases for the processing of your data are defined in TDPL as follows: “consent” is specified in Article 5(1) TDPL; processing of personal data belonging to the parties of a contract is necessary provided that it is directly related to the conclusion or fulfilment of that contract, according to Article 5 (2) lit. c) TDPL; processing is mandatory for the controller to be able to perform its legal obligations according to Article 5 (2) lit. ç) TDPL (legal obligations of employment agencies: Art. 17 and 19 of Law No. 4904); the data concerned is made available to the public by the data subject according to Article 5 (2) lit. d) TDPL.

2.

Your Rights – Turkey Residents

 

You have the following rights according to Article 11 TDPL:
You have the right to get information about whether your personal data has been processed; if personal data has been processed, the information about such data processing; information about the purpose for the data processing and whether the data was used for this purpose; information about the identities of natural or legal persons to whom the data is transferred to; correction, erasure, or removal of data; to object to the processing, exclusively by automatic means, of the personal data, which leads to an unfavourable consequence for you and to request compensation for the damage arising from the unlawful processing of personal data.
You can exercise your rights by contacting us as described under “Contact us” below.

3.

Cross-border transfer

 

Data about Candidates and Potential Candidates are shared with our Business Partners and Prospective Employers for the purpose of making an employment agreement according to Articles 9 and 5 TDPL and the legal obligations according to Art. 17 and 19 of Law No. 4904. Boyden also shares the personal data of the data subjects with Boyden's global database, Filefinder, with the consent of the data subjects, for storage purposes according to Article 9 TDPL.

4.

Contact us

 

If you have questions about this Privacy Policy and our data-handling practices, you may contact our Data Protection Team at privacy@boyden.com.

H. INFORMATION FOR PERSONS LOCATED IN JAPAN

Provided you are a person located in Japan, the following conditions apply to you:

1.

Your Rights – Japan Residents

 

In accordance with the Act on the Protection of Personal Information of Japan, you have the right to request us to notify you of the purposes of use of the personal data, or to disclose, make any correction to, discontinue the use or provision of, and/or delete any and all of, your retained personal data which is stored by us.

2.

Instructions for Exercising Your Rights

 

To exercise your rights, you can send an email to privacy@boyden.com. A response will be sent within one (1) month from our receipt of your request. If necessary, this period may be extended by us by up to two months, depending on the complexity and number of requests.

In the case of a request for deletion of your data and/or removal of your data, we may nevertheless retain such data in a temporary archived form for the period necessary to satisfy our legal, accounting and tax obligations.

3.

Joint Use

 

We would jointly use your personal data in the cases we have described in the General Part of this Privacy Policy (Part A). Here you will also find details on the items of personal data to be jointly used, parties to jointly use personal data, purposes of joint use and party responsible for management of jointly used personal data. Since we have thus fulfilled the joint-use requirements prescribed by Japanese law, we do not need to obtain separate consent.

3.1.

Items of Personal Data to be Jointly Used

3.1.a.

Potential Candidates: name, postal address, email address, telephone number, employment, employment history and title.

3.1.b.

Candidates: name, signature, postal address, email address, telephone number, education, employment, employment history, bank account number, race, color, age (40 years and older), ancestry, national origin, citizenship, religion or creed, medical condition, physical or mental disability, sex (including gender), sexual orientation, current and/or past employment history including performance evaluations, education records, files, documents, and other materials directly related to a student maintained by an educational agency or institution or by a person acting for such an agency or institution, such as grades, transcripts, personal interests, hobbies and background check information (like identity verification, criminal, civil and regulatory judgements, financial and credit checks), health insurance information, information used to create a profile about a candidate reflecting the candidate’s intelligence and abilities or any other details a candidate may choose to share with us

3.1.c.

Participants in surveys and studies: profile data requested by survey-service providers like Prophet (ID, name, language, due date of the questionnaire, reminder date of the questionnaire, email address, dates invitation sent, dates notifications of reminders sent, date profile sent, profile details) and survey reports (answers to the questionnaires)

3.1.d.

References of Candidates: name, postal address, email address, telephone number, employment, employment history, position, or any other details that the candidate or the candidate’s reference chooses to share with us

3.2.

Party to Jointly Use Personal Data

 

BWC and local Boyden Office(s)

3.3.

Purposes of Joint Use

3.3.a.

Potential Candidates: purposes of providing executive search services to potential employers worldwide and identifying salary, market and hiring trends by analyzing aggregated data

3.3.b.

Candidates: purpose of providing the candidates with employment opportunities and job or career related information as well as providing executive search services to potential employers worldwide and identifying salary, market and hiring trends by analyzing aggregated data.

3.3.c.

Participants in surveys and studies: purpose of conducting and evaluating surveys using questionnaires for business development reasons

3.3.d.

References of Candidates: purpose of providing executive search services to employers and candidates

3.4.

Party Responsible for Management of Personal Data

 

local Boyden Office

4.

Cross-border transfer

 

Personal data on potential candidates is shared with Boyden offices worldwide upon request and personal data we handle may be stored or processed on our behalf by other Boyden offices. A full list of Boyden offices is provided here. In addition, personal data on candidates and potential candidates are shared with our business partners and prospective employers for the purpose of making employment agreements. The local Boyden office in Japan has entered into a data transfer agreement with the other Boyden offices located outside Japan (except for Boyden offices established in EU member states or the UK) which ensures that in case the personal data of potential candidates located in Japan is transferred and handled by Boyden offices located outside Japan (except for those located in EU member states or in the UK), such personal data is subject to levels of protection comparable to/meeting the standards applicable under the APPI.

5.

Contact us

 

If you have any questions or complaints about this Privacy Policy or our data handling practices, you may contact us at privacy@boyden.com.

I. INFORMATION FOR PERSONS LOCATED IN THAILAND

Provided that you are a person in Thailand and the Personal Data Protection Act (PDPA) applies to our processing of your data, the following conditions apply to you:

1.

Data Protection Officer

 

The Data Protection Officer and data protection representative of Boyden and Boyden’s local offices is Rechtsanwalt Nikolaus Bertermann (attorney at law), daspro GmbH, Kurfürstendamm 21, 10719 Berlin, Germany, phone +49 30 88 77 41 50, Email: boyden@daspro.de.

2.

Legal basis according to PDPA

2.1

The legal basis for the processing of your data under PDPA is as follows:

  • Web Server log data – The legal basis for the processing of Web server log data obtained while using the website is our legitimate interest, specifically operation of a website and user interaction.
  • Technically Required Cookies – The legal basis for the processing of data using Technically Required Cookies is our legitimate interest according to PDPA, specifically the interest in the easy and reliable control of cookie settings in accordance with the respective user decisions and the interest in protecting the website from bot attacks.
  • Analytics Cookies – The legal basis for the analysis of user behavior using Analytics Cookies is your consent.
  • Third-Party Multimedia Content – The legal basis for implementing Third-Party Multimedia Content is your consent.
  • Potential Candidate data – The legal basis for the processing of potential candidate data is our legitimate interest to provide our services.
  • Candidate data – The legal basis for our processing of candidate data is your consent and – as far as only your business card details or data collected from publicly available sources are processed – our legitimate interest to provide such services.
  • Data regarding participants in surveys and studies – The legal basis for our processing of data regarding participants in surveys and studies is your consent.
  • Data regarding references of Candidates – The legal basis for processing data regarding references of candidates is legitimate interest of the candidate to name a reference and legitimate interest of Boyden to evaluate the candidate.
  • Data regarding Service Providers, Business Partners and their Employees – The legal bases for processing are, in case of contracts with natural persons, the contracts; in case of contracts with legal entities, the legitimate interest, specifically communication with contact persons relevant to the contract; and, in all cases, compliance with law, in particular commercial and tax provisions. When checking, asserting or rejecting claims, the legal basis is legitimate interest, specifically asserting or defending claims.
  • Data regarding Business Contacts and Communication Partners – The legal basis for processing data from actual and prospective business contacts and communication partners is legitimate interest, specifically communication with prospective business contacts and communication partners.
  • Data regarding Users of the Client Portal – The legal basis for processing data from the users of the Client Portal is legitimate interest, specifically communication with client contacts over a secure communication channel.
  • Data regarding Newsletter Recipients – The legal basis for processing data from newsletter recipients is consent. The legal basis for the tracking of the opening rates and the clicks within the newsletter is legitimate interest, specifically improving the newsletters and showing the newsletter recipients more relevant content.

2.2

The foregoing legal bases for the processing of your data are defined in PDPA as follows: “consent” is specified in Section 19 PDPA and in Section 26 PDPA regarding special categories of data, “contract” is specified in Section 24 (3) PDPA, “compliance with law” is specified in Section 24 (6) PDPA and “legitimate interest” is specified in Section 24 (5) PDPA.

3.

Cross-Border Transfers of Data from Thailand

 

Data may be shared with some Boyden offices located outside of Thailand. All Boyden offices have entered into EU Standard Contractual Clauses (SCC) and set up internal privacy and data collection policies. Boyden and local Boyden offices have updated their contracts and have implemented additional safeguards after the Schrems II decision of the ECJ (SCC plus) to protect the data. Potential employers may be located outside of Thailand and may not have adopted appropriate or suitable safeguards.

4.

Change of processing purposes

 

No change in the processing purposes described in Section A is planned.

5.

Your rights according to PDPA

 

You have the following rights under PDPA:

  • You may withdraw your consent at any time, if your data is processed based on your consent. The withdrawal of consent does not affect the lawfulness of processing before the withdrawal of consent.
  • You may at any time object to the further processing of your data if your data is processed based on our legitimate interest.
  • You may at any time request access to your personal data processed by Boyden or any Boyden office.
  • If our processing is based on your consent you have the right to data portability.
  • You may request rectification of your personal data at any time.
  • You may request erasure of your personal data at any time, provided that no right or legal obligation of Boyden or any Boyden office requires further processing of your personal data.
  • You may request restriction of processing for your data at any time.
  • You may at any time lodge a complaint with a supervisory authority.

J. INFORMATION FOR SWISS RESIDENTS

Provided the Swiss Federal Act of Data Protection (FADP) applies to our processing of your data according to Article 3 FADP, in particular if your data is processed by a Boyden office in Switzerland or if you are in Switzerland, the following conditions apply to you:

1.

Legal basis according to FADP
The legal basis for the processing of your data under FADP is as follows:

1.1.

  • Web Server log data – The legal basis for the processing of Web server log data obtained while using the website is our overriding interest, specifically operation of a website and user interaction.

  • Technically Required Cookies – The legal basis for the processing of data using Technically Required Cookies is our overriding interest according to FADP, specifically the interest in the easy and reliable control of cookie settings in accordance with the respective user decisions and the interest in protecting the website from bot attacks.

  • Analytics Cookies – The legal basis for the analysis of user behavior using Analytics Cookies is your consent.

  • Third-Party Multimedia Content – The legal basis for implementing Third-Party Multimedia Content is your consent.

  • Potential Candidate data – The legal basis for the processing of potential candidate data is our overriding interest to provide our services.

  • Candidate data – The legal basis for our processing of candidate data is your consent and – as far as only your business card details or data collected from publicly available sources are processed – the fact that you made the data publicly accessible.

  • Data regarding participants in surveys and studies – The legal basis for our processing of data regarding participants in surveys and studies is your consent.

  • Data regarding references of Candidates – The legal basis for processing data regarding references of candidates is overriding interest of the candidate to name a reference and overriding interest of Boyden to evaluate the candidate.

  • Data regarding Service Providers, Business Partners and their Employees – The legal bases for processing are, in case of contracts with natural persons, the contracts; in case of contracts with legal entities, the overriding interest, specifically communication with contact persons relevant to the contract; and, in all cases, the legal obligations, in particular commercial and tax provisions. When checking, asserting or rejecting claims, the legal basis is overriding interest, specifically asserting or defending claims.

  • Data regarding Business Contacts and Communication Partners – The legal basis for processing data from actual and prospective business contacts and communication partners is overriding interest, specifically communication with prospective business contacts and communication partners.

  • Data regarding Users of the Client Portal – The legal basis for processing data from the users of the Client Portal is overriding interest, specifically communication with client contacts over a secure communication channel.

  • Data regarding Newsletter Recipients – The legal basis for processing data from newsletter recipients is consent. The legal basis for the tracking of the opening rates and the clicks within the newsletter is overriding interest, specifically improving the newsletters and showing the newsletter recipients more relevant content.

1.2.

The foregoing legal bases for the processing of your data are defined in FADP as follows: “consent” is specified in Article 31 (1) FADP, “contract” is specified in Article 31(2)(a) FADP, “data subject makes the personal data generally accessible and has not explicitly prohibited any processing” is specified in Article 30 (3) FADP, “legal obligations” is specified in Article 31(1)(1) FADP and “overriding interest” is specified in Article 31(2) FADP.

2.

Cross-Border Transfers of Data from Switzerland

2.1

Cross-Border Transfers between Boyden offices
Data may be shared with some Boyden offices located outside of the EU and Switzerland. All Boyden offices have entered into EU Standard Contractual Clauses (SCC) and set up internal privacy and data collection policies. Boyden and local Boyden offices have updated their contracts and have implemented additional safeguards after the Schrems II decision of the ECJ (SCC plus) to protect the data. You may request a copy of the SCC from us or a Boyden office at any time. Potential employers may be located outside of the EU and may not have adopted appropriate or suitable safeguards.

2.2

Cross-Border Transfers in the Context of the Use of Service Providers
Data may be shared with our service providers, which we use as processors within the framework of a data processing agreement. We use Cloudflare, Inc., Hubspot, Inc. and Emma, Inc. as our service providers. We have entered into the EU Standard Contractual Clauses (2021/914) with Cloudflare, Inc. and Emma, Inc. to protect your data. We also use Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider. Google has also entered into the EU Standard Contractual Clauses (2021/914) to protect your data. You can request a copy of the essential contractual contents of the standard contractual clauses at any time. In addition, the Google companies (including Google LLC), Cloudflare, Inc., Hubspot, Inc. and Emma, Inc. are certified in accordance with the Swiss-US Data Privacy Framework.

3.

Change of processing purposes

 

No change in the processing purposes described in Section A is planned.

4.

Automated decision making

 

No automated decision-making (Article 21 FADP) takes place.

5.

Representative in Switzerland
Boyden Switzerland, Gotthardstraße 62, CH-8002 Zürich, Switzerland

6.

Your rights according to FADP
You have the following rights under FADP:

  • You may withdraw your consent at any time, if your data is processed based on your consent. The withdrawal of consent does not affect the lawfulness of processing before the withdrawal of consent.

  • You may at any time object to the further processing of your data if your data is processed based on our legitimate interest.

  • You may at any time request access to your personal data processed by Boyden or any Boyden office.

  • If our processing is based on your consent you have the right to data portability.

  • You may request rectification of your personal data at any time.

  • You may request erasure of your personal data at any time, provided that no right or legal obligation of Boyden or any Boyden office requires further processing of your personal data.

  • You may request restriction of processing for your data at any time.

  • You may at any time lodge a complaint with a supervisory authority.

K. INFORMATION FOR PERSONS IN TAIWAN

Provided that you are a person in Taiwan and the Personal Data Protection Act (PDPA) applies to our processing of your data, the following conditions apply to you:

1.

Legal basis according to PDPA

1.1

The legal basis for the processing of your data of Boyden as a non-government agency under PDPA is as follows:

  • Web Server log data – The legal basis for the processing of Web server log data obtained while using the website is the fact that it will not harm the data subject’s rights or benefits.
  • Technically Required Cookies – The legal basis for the processing of data using Technically Required Cookies is the fact that it will not harm the data subject’s rights or benefits.
  • Analytics Cookies – The legal basis for the analysis of user behavior using Analytics Cookies is your consent.
  • Third-Party Multimedia Content – The legal basis for implementing Third-Party Multimedia Content is your consent.
  • Potential Candidate data – The legal basis for the processing of potential candidate data is the fact that it will not harm the data subject’s rights or benefits.
  • Candidate data – The legal basis for our processing of candidate data is your consent and – as far as only your business card details or data collected from publicly available sources are processed – we rely on the fact that the data is already in the public domain due to disclosure by the data subject or in a legitimate manner.
  • Data regarding participants in surveys and studies – The legal basis for our processing of data regarding participants in surveys and studies is your consent.
  • Data regarding references of Candidates – The legal basis for processing data regarding references of candidates is the fact that the data is already in the public domain due to disclosure by the data subject or in a legitimate manner.
  • Data regarding Service Providers, Business Partners and their Employees – The legal bases for processing are the contracts.
  • Data regarding Business Contacts and Communication Partners – The legal basis for processing data from actual and prospective business contacts and communication partners is the fact that it will not harm the data subject’s rights or benefits.

1.2

The foregoing legal bases for the processing of your data are defined in PDPA as follows: “consent” is specified in Article 19 PDPA.

2.

Your rights according to PDPA
You have the following rights under PDPA:

  • You may access your personal data to check and review it;
  • You may have a copy of the personal data;
  • You may supplement or revise the personal data;
  • You may demand the collector to cease collection, processing, or use of the personal data; and
  • You may demand the collector delete the personal data.
