GP Strategies Limited, a wholly owned subsidiary of GP Strategies Corporation (GP Strategies) (“GP Strategies Limited”, “we”, “us” or “our”) is committed to protecting your privacy data and providing a secure online environment to support your learning and development. We provide consulting and blended-learning solutions containing web-based applications, online assessments and surveys created and hosted by GP Strategies Limited on behalf of our Customers (“Customer Sites”).
When you visit the GP Strategies Limited web site, we collect and store information about your visit. We may also engage other companies to do this on our behalf. Examples of the kind of information we, or third parties we engage, track include which pages you view on our site, the site you visited just before coming to ours, keywords you used in your search, your company name and the name of your Internet service provider. We use this information to develop ideas for improving our site, our products and services and for better marketing of our products and services. We do not make any attempts to link this information with you as an individual.
There are also various forms on our web site that ask for personal information about you, such as your name, phone number, and e-mail address. If you tell us any personal information, we use it only to contact you in response to your request or to provide you with information that we think you may be interested in receiving. If you inform us that you do not want to receive any information that you have not specifically requested, we will honor your request. We will not sell or otherwise disclose your information to any other company.
At GP Strategies Limited our Data Privacy and Records Management Policy is a commitment to protecting the privacy of employee, client and web and social media site visitor personal data. We make every reasonable effort to protect the privacy of data collected when individuals visit our sites.
GP Strategies employs professional security personnel and takes technical and organisational measures designed to prevent unauthorised access, use, alteration, or disclosure of privacy data collected via our sites. We try to be both selective and proactive in checking the security background for certain external social media sites and other sites that we come in contact with but do not control. GP Strategies has been in business for over 50 years and has more than 30 years of experience in operating highly secured data repositories with security controls that are continuously updated to meet industry standards and address protective measures for emerging threats. Security practices are described in detail in our internal information technology (IT) policies and procedures. Also see our IT fact sheet on information security practices for more information.
Information We Collect
GP Strategies Limited collects basic contact information, which may include but is not limited to the following: name, email, user-created password, feedback-provider name and feedback provider email address.
This information is used to register programme Participants and is treated as confidential customer information; it is collected on behalf of and in accordance with their instructions. GP Strategies Limited may use this information to contact the Participant, send notifications or reminders in order to facilitate the training process, and conduct research.
Participant information is collected on behalf of and shared with the Customer. GP Strategies Limited does not use Participant information for marketing purposes, and we do not disclose Participant information to any third parties unless expressly directed by the Customer or a court of law.
GP Strategies Web and Social Media Sites
Registration and Profile Information
Using the principle of Data Minimisation, we try to gather only the most necessary information for the involved inquiry or purpose. When you enter or register to use our site, our services, to receive information, to participate in our events, and create or update your forum profiles, we may collect various kinds of information about you. For example, we may collect: your name; postal address; phone number; fax numbers and email address; your log-in ID and password; your title; company; and other event specific profile information you provide; demographic information; and information linked with your profile such as comments you may post. We need this information to be able to respond to you, secure the site and provide services as applicable.
When you visit our site or use GP Strategies Limited site services, some information is collected and recorded automatically, as is the case with many companies. This includes your computer’s operating system, Internet Protocol (IP) address, access times, browser type and language, and the website you visited before our corporate sites. We collect it so that we are aware of transfers and linking for security due diligence (blocking and enhancing) of our site and to protect you, the user. This information is logged automatically and stored in log files.
We also collect information about your usage and activity on our corporate sites. We may tie your IP address to information we automatically collect on our corporate sites. We may also tie information we automatically collect with personal information, such as your login ID and information you give us for a registration. We use our own products, and products of third parties acting on our behalf, to analyse, optimise, securely protect and improve our site.
We will also collect information on your usage to ensure the security of the data we collect on behalf of our clients. You cannot opt-out of this collection and processing as it is necessary to ensure the security of the service we provide for our sites, all site visitors and for our clients.
GP Strategies Limited may also use device-recognition technologies combined with other identifiers to create cross-browsers and cross-devices identities to provide you with better services and security.
As a GP Strategies site visitor, do the “GDPR”, Privacy Shield and other similar data privacy and records management requirements apply to my data?
Companies within the EU, or who are externally located controllers and processors of the personal privacy data of EU residents in the context of collecting privacy data while soliciting and providing goods or services, will need to comply with the General Data Protection Regulation (GDPR) of the European Union (EU). GP Strategies Limited and GP Strategies have adopted the GDPR and Privacy Shield as our worldwide standards for data privacy. As a site visitor we do collect your business contact information. However, we may also collect or process privacy data for the purpose of providing additional services. We are very aware that combining multiple data elements, even if not considered personal data when taken alone, may result in them being considered personal privacy data when combined into a listing.
We may move your data within or to locations outside of the European Economic Area (EEA). These data transfers are legal under the GDPR and Privacy Shield as long as we adhere to the requirements for legal processing. We encrypt all data in transit and in storage.
We have evaluated our obligations under the GDPR and Privacy Shield, in part, based on: (1) the type of visitor data that we collect via our sites, and (2) the legal basis on which you rely for the protection of your data. We will exercise data privacy stewardship on all of our sites.
GP Strategies complies with the U.S.-EU Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland.
How will my personal information be used and shared by GP Strategies Limited for internal management of their sites?
The personal information we collect in our various sites allows us to:
respond to your inquiries;
provide the information, products and services you have ordered;
verify your identity and details of your payment method or credit card amount;
administer our sites and provide user services;
meet legal, regulatory and compliance requirements;
monitor and analyse the use of any account to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime;
gather management information to form statistical and trend analysis;
communicate with you;
investigate any complaints about our sites;
personalise your experience of the sites;
contact you about our products and services which we think might be of interest to you (where we have the appropriate permissions to do so);
when warranted, we share your personal information with our GP Strategies affiliate companies and their brands for the above purposes;
employ the services of third party service providers to help us in certain areas, such as site hosting, maintenance and call centre operation. In some cases the third party may receive your information. However, whenever we use third parties, we will control and be responsible for the use of your information and place contractual requirements on privacy data sent to our sub-processors.
If you provide a credit or debit card, we may also use third parties to check the validity of the sort code, account number and card number you submit in order to prevent fraud as well as to process any transaction you attempt via the website.
If false or inaccurate information is provided and fraud is identified, we will follow legal processes if details are passed to fraud prevention agencies. Law enforcement agencies may access and use this information. We and other organisations may also access and use this information to prevent fraud and money laundering, for example when:
checking details in applications for credit and credit related or other facilities
managing credit and credit related accounts or facilities
checking details on proposals and claims for all types of insurance
checking details of job applicants and employees.
Where does GP Strategies Limited store my privacy information?
GP Strategies, on behalf of GP Strategies Limited, stores privacy data in data centres in the United Kingdom and the United States. These are certified centres: SOC 1 Type 2, SOC 2 Type 2, Lloyd’s Register (LRQA) and ISO (International Standards Organisation) 27001. SOC – Service Organisation Controls reports (1-3) of the AICPA (American Institute of Certified Public Accountants). ISO 27001 is one of the most recognised worldwide information technology security standards. SSAE 16 and ISAE 3402 – 22451 and PCI – Data 2334 Security Standard (SSAE – Statement on Standards for Attestation Engagements (#16 & 18), PCI – Payment Card Industry, Data Security Standard (PCI-DSS)).
Is GP Strategies Limited organised to manage the data processor obligations imposed by the GDPR, Privacy Shield and other similar laws and regulations?
GP Strategies, as the parent company of GP Strategies Limited, established a Data Protection and Records Management Committee and appointed Data Protection Officers (DPOs) to manage the programme and comply with the GDPR. The Committee is tasked with instituting internal data privacy compliance initiatives.
For GP Strategies Limited, keeping site visitor data secure is a high priority. Along with ensuring data security, it is important that a site visitor’s confidence is always maintained and a high level of security around processes and protection is strongly administered.
We strongly value and base our business on the trust that our site visitors, employees and customers have placed upon us. We will continue to earn and reinforce that trusted relationship by cooperating with requests related to our GDPR, Privacy Shield and other country data privacy obligations.
We are committed to taking advanced measures to support and continuously enhance the security of our systems, to ensure that we collect and process personal data in a manner compliant with GDPR, Privacy Shield or any similar legislation.
Our management strongly believes that information technology security/compliance is a key business service. Information security objectives and strategy must be continually aligned with business strategy and objectives.
Viewing and Correcting Personal Information
We provide you with the means to update or change your Personal Information. Customer Sites have a user profile form to edit Personal Information. Requests to change Personal Information collected on our corporate website, including related surveys, can be directed to firstname.lastname@example.org.
When does GP Strategies Limited delete client data?
GP Strategies Limited deletes client data, including backups, based on our records management schedule. In some cases that can be shortly after you leave one of our sites. Web and social media privacy information is deleted after you finish browsing or have opted out of receiving our communications or you have been unresponsive to our inquiry messages for a period of time. If you acknowledge our site use rules to continue browsing or you agree when specifically requested to opt-in, your information is transferred to our secure customer relations management database. In some cases we are legally and/or contractually required to keep some data for more extended periods of time consistent with the lawful processing provisions of the GDPR. Data is held in various categories in our records management deletion schedules. These data retention categories range from nearly immediate up to seven (7) years unless there is a longer legal requirement. For more information about data retention times please contact us.
What constitutes personal privacy data?
Any personal information related to a natural person (called a ‘data subject’ by the GDPR) that can be used to directly or indirectly identify the person when not encrypted and used individually or in combinations to create a profile.
Personal privacy data is a very broad range of personal information and can be any information item that might be used to create a profile including what GP Strategies Limited considers basic business contact information of name, business address, business phone and business title or business job. Personal privacy information would be: an identifiable photo; identifiable voice recordings; fingerprints; biometric data; a personal email address, home phone number, home address; numbered identifiers – bank account, credit information and credit card, passport, country identification and driver’s license numbers and social security; family member information; medical information; political opinions; sex, sexual preferences; computer IP address; data on children; travel profiles; trade union membership; criminal records. Some countries consider some of these listed items as Sensitive Personal Identification Information (SPII).
Anonymous aggregate survey responses are used for GP Strategies Limited’s ongoing research and analysis as allowed under the GDPR; individual Customer or Participant information is never identified.
What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the accessing of personal data. A controller can be a processor. A site owner is a controller.
A data processor is an entity which processes personal data on behalf of the controller.
GP Strategies Limited is a controller and/or a processor at varying times in our conduct of business.
Is GP Strategies Limited a data processor or data controller in regard to my personal data?
GP Strategies Limited acts as a data controller and in some cases is also a processor (or sub-processor) for personal data provided to us through our customers, by individuals and other third parties such as partners.
If you as a data subject provide your personal data directly to GP Strategies Limited (such as a site visitor, a forum or conference attendee, a site browser, etc.) we act as the data controller for that personal data. Note, if we also process that personal data in some fashion, we qualify as a data processor in regard to that personal data.
How do you use Web Beacons?
Some of our web pages may contain electronic images known as web beacons (sometimes known as clear gifs) that allow us to count users who have visited these pages. Web beacons collect only limited information which includes a cookie number, time and date of a page view, and a description of the page on which the web beacon resides. We may also carry web beacons placed by third party advertisers. These beacons do not carry any personally identifiable information and are only used to track the effectiveness of a particular campaign.
How do you use Social Media Widgets?
How do you use Blog Information?
Should you choose to add a comment to any posts that we have published on our sites for example in a blog, the name and email address you enter with your comment will be saved to the site’s database, along with your computer’s IP address and the time and date that you submitted the comment. This information is only used to identify you as a contributor to the comment section of the respective blog post and is not passed on to any of the third party data processors. Only your name will be shown on a site that is public-facing. Your posted comment(s) and its associated personal data will remain on this site until we see fit to either 1) remove the comment, or 2) remove the blog post. Should you wish to have the comment and its associated personal data deleted, please email us with your request, list your contact information and the email address that you commented with.
If you are under 18 years of age we request you obtain parental consent before posting a comment on our blog and sites.
NOTE: You should avoid entering personally identifiable information to the actual comment field of any blog post comments that you submit on this site.
How does GP Strategies Limited use Contact Forms and Email Links?
Should you choose to contact us using a contact form on our sites or an email link, the data you supply will be stored in our customer relationship management database or may be passed on to be processed by a contracted third party data processor(s). We do retain information from data requests in our customer relationship management system. Collated and transferred data is encrypted before being sent across the internet. We do not sell nor allow our processors to sell personal information GP Strategies may obtain in conducting business.
The types of cookies GP Strategies and others may place on your device are described below.
GP Strategies will read or set only the types of cookies that are strictly necessary for quality browsing or specifically allowed by your browser preference settings.
GP Strategies only places cookies that set your preferred language, deliver specific content based on visit history, and give access to various sections of the sites.
Cookies set by our sites will remain on your device but GP Strategies will not access or use those non-strictly-necessary cookies. You may remove them using functionality provided by your browser. Please note that cookies are specific to the browser or device you use, as well as to the domain, and you will therefore have to configure your preferences again if you change your browser or device, or visit a different domain.
Any specific questions regarding these cookie settings may be sent to email@example.com
Our websites do not publish content or collect data that is directed at children.
EU-U.S. Privacy Shield Framework
GP Strategies has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints. Such complaints involving GP Strategies human resources, web and social media and client related privacy data transferred to the U.S. will be reviewed in the context of the employment relationship and/or a business services relationship.
In the conduct of our business:
We encrypt our data in transit and in storage.
In our delivery of training activities and consulting services we are sometimes contractually required to conduct business operations processing wherein we collect client employee, vendor and client customer privacy data on behalf of our clients and for our internal services processes. We also may collect limited categories of privacy data from individuals that visit our web and social media sites. This information is stored in secure sites.
We use or intermittently use contracted assistance to process GP Strategies payroll, human resources and related employee services and in doing so we necessarily disclose personal information to accomplish these processing operations.
We acknowledge that individuals have the right to inquire about and access their data.
GP Strategies is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We make efforts to limit the collection, use and disclosure of personal data to help protect personal privacy. We will discuss with you your specific request to limit use of your data if you choose to restrict the use of privacy data. We most likely cannot make exceptions for required legal, regulatory, contractual and personal public safety contact information erasure requests. The discussions will include the alternate processes and consequences of the alternative processing methods available to accomplish the same necessary services affected by your request, up to and including deleting data if that is an option.
GP Strategies is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Under certain conditions, an individual may invoke binding arbitration when seeking more restrictive data privacy remedies from GP Strategies.
GP Strategies understands that it may not be absolved of liability in cases of onward transfers of privacy data to third parties.
We reserve the right to modify this Policy at any time without prior notice. Any such change, update or modification will be effective immediately upon posting on this Site. Your continued use of the Site subsequent to changes to this Policy will mean that you accept the changes; therefore, you should bookmark this page and review it frequently.
Any questions or concerns regarding the use or disclosure of Personal Information should be directed to GP Strategies Limited at the address below. We will investigate and attempt to resolve complaints and disputes regarding use or disclosure of Personal Information in accordance with the principles contained in this policy. GP Strategies Limited has also agreed to participate in the dispute-resolution procedures of the European Data Protection Authorities to resolve disputes pursuant to the GDPR or Privacy Shield principles.
Though we make every effort to preserve user privacy, we may need to disclose Personal Information when required by law wherein we have a good-faith belief that such action is necessary to comply with a current judicial proceeding or public safety.
GP Strategies Global Privacy Office, GP Strategies Corporation
70 Corporate Center, 11000 Broken Land Pkwy, Suite 200
Columbia, MD 21044 USA