Privacy notice to California employees and applicants regarding the collection of personal data
Effective August 2024
TigerRisk Partners LLC d/b/a Howden Re (“Howden Re”) and its subsidiaries and affiliates (“the Company”) are committed to protecting the privacy and security of personal information of its current and former employees, job applicants, temporary employees, and contractors (collectively, “Personnel”). The Company therefore provides this Howden Re Privacy Notice (“Privacy Notice”) to provide information to California Personnel – and other individuals whose Personal Data is collected for Human Capital purposes (such as qualified dependents) – regarding how the Company collects and uses Personnel’s Personal Data in connection with their employment and other relationship with the Company. In this Privacy Notice, “Personal Data” means data relating to identified or identifiable individuals and households.
The Company does not sell, share, or otherwise disclose this personal information for monetary consideration or a business purpose to any third parties, except that the Company may share the categories of information listed below with vendors the Company uses to perform necessary functions to facilitate employee payment, benefits, health and safety, and insurance.
The Company is committed to complying with the California Consumer Privacy Act (“CCPA”), as amended, and all data privacy and laws in the jurisdictions in which it employs employees. Employees, emergency contacts, and beneficiaries may access this notice in an alternative format by contacting howdenrehc@howdenre.com.
What is the Company’s Privacy Policy?
The Company’s consumer Privacy Policy (“Consumer Privacy Policy” available at https://howdenre.com/privacy-policy/) describes how the Company collects, uses, and protects the Personal Data of individuals who use the Company’s website and other online services. The Company’s Consumer Privacy Policy will apply to the extent Personnel use any products or services subject to the Consumer Privacy Policy.
What is the Company’s contact information?
If you have any questions or concerns regarding this Privacy Notice, the Company’s Privacy Policy, or the collection of your personal information, please contact legal@howdenre.com.
See below for information relating to how to submit requests to exercise Personnel’s rights in the Personal Data the Company processes.
What Categories of Employee Information Do We Collect and How Does the Company Use This Information?
This chart describes the categories of Personal Data that the Company may collect in connection with its employment and contractual work relationships. Note: all Personal Data may be used and disclosed in connection with our Business Purposes.
Category of Personal Data & Representative Data Elements | Common Purposes for Collecting & Sharing |
Contact Data · Honorifics and titles, preferred form of address · Mailing address · Email address · Telephone number · Mobile number | The Company uses your Contact Data to communicate with Personnel by mail, email, telephone, or text about their employment, including sending them work schedule information, compensation and benefits communications, and other company information. Contact Data is also used to help the Company identify Personnel and personalize the Company’s communications, such as by using Personnel’s preferred name. |
Identity Data · Full name, nicknames or previous names (such as maiden names) · Date of birth · Language · Employee ID number · Company account identifiers and passwords · Benefits program identifiers · System identifiers (e.g., usernames or online credentials) | The Company uses Personnel’s Identity Data to identify Personnel in the Company’s Human Capital records and systems, to communicate with Personnel (often using their Contact Data) and to facilitate the Company’s relationship with Personnel, for internal record-keeping and reporting (including for data matching and analytics), to track Personnel’s use of company programs and assets, and for most processing purposes described in this Privacy Notice, including governmental reporting, employment/immigration verification, background checks, etc. |
Government ID Data · Social security/national insurance number · Driver’s license information · Passport information · Other government-issued identifiers as may be needed for risk management or compliance (e.g., if you are a licensed professional, we will collect your license number) | The Company uses Personnel’s Government ID Data to identify Personnel and to maintain the integrity of the Company’s Human Capital records, enable employment verification and background screening, such as reference checks, license verifications, and criminal records checks (subject to applicable law), enable the Company to administer payroll and benefits programs and comply with applicable laws (such as reporting compensation to government agencies as required by law), as well as for security and risk management (such as collecting driver’s license data for Personnel who operate company vehicles, professional license verification, fraud prevention and similar purposes). |
What Are The Sources of Personal Data?
The Company collects Personal Data from various sources, which vary depending on the context in which the Company processes that Personal Data.
- Data Personnel provide to the Company – The Company will receive Personnel’s Personal Data when Personnel provide them to the Company, apply for a job, complete forms, provide Personal Data via Workday, or otherwise direct information to the
- Data from a third party – The Company will receive Personnel’s Personal Data from third parties such as recruiters, credit reporting agencies, or employment screening
- Data from publicly available sources – The Company may collect data that is publicly available on the Internet (e.g. through a Google search of a candidate’s name).
- Data the Company automatically collects – The Company may also collect information about or generated by any device Personnel have used to access internal IT services, applications, and networks.
- Data the Company receives from Service Providers – The Company receives information from service providers performing services on our behalf.
- Data the Company creates or infers – The Company (or third parties operating on the Company’s behalf) creates and infers Personal Data such as Inference Data based on its observations or analysis of other Personal Data processed under this Privacy Notice, and the Company may correlate this data with other data the Company processes about Personnel. The Company may combine Personal Data about Personnel that it receives from Personnel and from third parties. We do not infer Sensitive Personal Data.
How Does the Company Disclose Personal Data?
The Company generally processes Personal Data internally; however, it may be shared or processed externally by third party service providers, when required by law or necessary to complete a transaction, or in other circumstances described below.
Categories of Internal Recipients
The Personal Data identified below collected from the Company’s Personnel may be disclosed to the following categories of recipients in relevant contexts:
- Personnel of Human Capital Departments – All Personal Data relating to Human Capital resources and Recruitment.
- Personnel of Finance Departments – Personal Data to the extent related to payroll, compensation, expense reimbursements, etc.
- Supervisors and Managers – Elements of Personal Data, to the extent permitted in the jurisdiction, to the extent necessary to evaluate, establish, and maintain the employment or contractual relationship, conduct reviews, handle compliance obligations, and similar
- Department Managers searching for new employees or contractors – Personal data of job candidates contained in job applications to the extent allowed by relevant laws and departmental needs.
- IT Administrators of the Company and/or third parties who support the management and administration of Human Capital processes may receive Personal Data as necessary for providing relevant IT related support services (for example, conducting IT security measures and IT support services).
- Peers and colleagues – Elements of Personal Data in connection with company address books, intracompany and interpersonal communications, and other contexts relevant to the day-to-day operation of company business.
Categories of External Recipients
The Company may provide Personal Data to external third parties as described below. The specific information disclosed may vary depending on context, but will be limited to the extent reasonably appropriate given the purpose of processing and the reasonable requirements of the third party and the Company. The Company generally provides information to:
- The Company’s service providers, vendors, and similar data processors that process Personal Data on the Company’s behalf (e.g., analytics companies, financial analysis/budgeting, trainings, benefits administration, payroll administration, background checks, etc.) or that provide other services for Personnel or for the Company.
- To a prospective seller or buyer of such business or assets in the event the Company sells or buys any business or assets.
- To future Company affiliated entities, if the Company or substantially all of its assets are acquired by a third party, in which case Personal Data held by it about its employees and contractors may be one of the transferred assets.
- To Personnel’s employment references, to inform them that the Personnel applied with the Company as part of its recruiting process.
- To future prospective employers seeking to confirm Personnel’s relationship with the
- To government agencies or departments, or similar parties in connection with employment-related matters.
- To any public authority in relation to national security or law enforcement requests, if the Company is required to disclose Personal Data in response to lawful requests by a public
- To any other appropriate third party, if the Company is under a duty to disclose or share Personnel’s Personal Data to comply with any legal obligation or to protect the rights, property, health, or safety of the Company, Personnel, customers, or others.
Locations of Recipients
The Company and the Company’s affiliates are located in the United States. Any Personal Data collected under this Privacy Notice will likely be processed in the United States. The Company collects this information to contact the Employee’s designated emergency contact persons in the event of an emergency.
What Are the Purposes of Collecting, Using, and Disclosing Personal Data?
The Company collects Personal Data about its prospective, current, and former Personnel and other individuals as appropriate in the context of an employment or contractual work relationship (such as dependents) for various general Human Capital and business purposes, as described below. The Company does not sell to or “share” (as defined in the California Consumer Privacy Act, as amended) Personal Data with third parties in exchange for monetary consideration or for advertising purposes.
General Human Capital Purposes
The Company collects Personal Data about its prospective, current, and former Personnel and other individuals as appropriate in the context of an employment or contractual work relationship, including for recruitment and IT/technical support services, and as needed for using internal software, networks and devices. The categories of Personal Data the Company processes, along with representative data elements, are listed in the chart below. The Company may not collect from Personnel or process all of the Personal Data identified below, depending on Personnel’s position or the nature of Personnel’s relationship with the Company.
The Company generally processes Personal Data for the following purposes:
Personal Data pertaining to prospective Personnel may be processed for: | · Recruitment and staffing, including evaluation of skills and job placement. · Hiring decisions, including negotiation of compensation, benefits, relocation packages, etc. · Risk management, including reference and other background checks. · The Company’s Business Purposes (defined below). |
Personal Data pertaining to current Personnel may be processed for: | · Staffing and job placement, including scheduling and absence management. · Verification of eligibility to work and compliance with immigration laws, rules and regulations. · Administration of compensation, employee recognition, insurance and benefits programs. · Time and attendance tracking, company vehicle use, expense reimbursement, other workplace administration and facilitating relationships within the Company. · Technology support uses, such as managing our computers and other assets, providing email and other tools to Company workers. · EEO/Affirmative Action programs. · Internal and external directories of Personnel. · Health and wellness programs. · Reasonable accommodations. · Occupational health and safety programs (including drug and alcohol testing, required injury and illness reporting, disaster recovery and business continuity planning, and workers’ compensation management). |
Business Purposes
“Business Purposes” means the following purposes for which Personal Data may be collected, used and shared:
- Maintaining comprehensive and up-to-date Personnel
- Establishing, managing, or terminating the employment or other working
- Maintaining a safe and respectful workplace and improving Personnel satisfaction and
- Identity and credential management, including identity verification and authentication, issuing ID cards and badges, system administration and management of access
- Security, safety, loss prevention, information security, and
- Legal and regulatory compliance, including without limitation all uses and disclosures of Personal Data that are required by court orders and applicable laws, regulations, orders and ordinances, and for compliance with legally-mandated policies and procedures, such as anti-money laundering programs, security and incident response programs, intellectual property protection programs, and corporate ethics reporting system, and other processing in connection with the establishment and defense of legal claims.
- Corporate audit, analysis, and consolidated
- To enforce the Company’s contracts and to protect the Company, its workers, its customers and their employees, and the public against injury, theft, legal liability, fraud or abuse, to people or property.
- As needed to de-identify the data or create aggregated datasets, such as for consolidating reporting, research, or analytics.
- Making back-up copies for business continuity and disaster recovery purposes, and other IT support, debugging, security, and operations.
- For the operations, analysis, upgrade, enhancement, development, or improvement of internal IT or other services, operations, and similar matters.
- As needed to facilitate corporate
How is Data Administration Handled?
Security
The Company requires that Personal Data be protected using technical, administrative, and physical safeguards, as described in the Company’s various security policies. Company staff must follow the security procedures set out in applicable security policies at all times.
Retention and Disposal
The Company intends to retain Personal Data or Sensitive Personal Data (as defined above) for no longer than is reasonably necessary and proportionate to achieve the legitimate business purpose for which it was collected or to satisfy a legal requirement. What is necessary may vary depending on the context and purpose of processing. The Company generally considers the following factors when it determines how long to retain data (without limitation):
- Retention periods established or necessary under applicable law;
- Industry and Human Capital best practices;
- Whether the purpose of processing is reasonably likely to justify further processing;
- Risks to individual privacy in continued processing;
- Applicable data protection impact assessments;
- IT systems design considerations/limitations; and
- The costs associated with continued processing, retention, and
Company staff must follow any applicable records retention schedules and policies and destroy any media containing Personal Data in accordance with applicable company policies, including the Company Data Retention Policy. Personal Data shall not be further processed in a manner that is incompatible with these purposes.
What Are Personnel’s Rights and Choices?
Personnel Rights, Including Personnel California Privacy Rights
Under the California Consumer Privacy Act (“CCPA”) and other comprehensive state privacy laws, Personnel may have the following rights, subject to Personnel’s submission of an appropriately verified request (see below for verification requirements):
Right to Know | Personnel may request any of the following, for the 12-month period preceding the request: (1) the categories of Personal Data the Company collected about that Personnel, or that the Company sold, or disclosed for a commercial purpose; (2) the categories of sources from which that Personnel’s Personal Data was collected; (3) the business or commercial purpose for which the Company collected, sold or shared that Personnel’s Personal Data; (4) the categories of third parties to whom the Company sold or shared that Personnel’s Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data the Company collected about that Personnel. |
Right to Delete | Personnel have the right to delete certain Personal Data that the Company holds about that Personnel, subject to exceptions under applicable law. |
Right to Correct | Personnel have the right to correct certain Personal Data that the Company holds about that Personnel, subject to exceptions under applicable law. |
Right of Non-retaliation | Personnel have the right not to receive discriminatory treatment as a result of that Personnel’s exercise of rights conferred by the CCPA. |
Submission of Requests
Current Company employees and contractors can review and update much of their Personal Data via Workday.
Current Company employees can send an email to howdenrehc@howdenre.com to submit requests to review and update their Personal Data and to exercise their rights in Personal Data subject to this Privacy Notice, to the extent those rights are available under applicable law. Current Company employees may also contact the Human Capital Office for assistance. Contractors, applicants, former employees, beneficiaries, dependents, and family members may contact legal@howdenre.com or call (855) 378-8203. For all other questions or comments about this Privacy Notice or the Company’s privacy practices, please contact howdenrehc@howdenre.com or call (855) 378-8203.
Verification of Requests
Requests to receive a copy of Personal Data, and requests to delete or correct Personal Data, must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of the Personal Data. The Company may require the individual to provide the email address the Company has on file for the individual (and verify that the individual can access that email account) as well as an address, phone number, or other data the Company has on file, to verify the individual’s identity. If an agent is submitting the request on an individual’s behalf, the Company reserves the right to validate the agent’s authority to act on the individual’s behalf.