Last revised: March 20, 2019
The Hackett Group (NASDAQ: HCKT) is a global intellectual property-based strategic consultancy and leading enterprise benchmarking and best practices implementation firm to global companies, offering digital transformation and enterprise application approaches, including robot process automation and cloud computing. Services include business, transformation, enterprise performance management, working capital management, GBS certifications and global business services. The Hackett Group also provides dedicated expertise in business strategy, operations, finance, human capital management, strategic sourcing, procurement and information technology, including its award-winning Oracle and SAP practices.
The Hackett Group is committed to protecting and respecting your privacy. Our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements (“Applicable Data Protection Laws”). In most cases this will be the law of the country in which you are located.
YOUR DATA CONTROLLER
In general, we may act as a Data Controller in the following circumstances:
- in respect of the learning programmes we provide to our students (“Learning Programmes”)
- where we process orders or requests of information for our goods and services (“Services”) and carryout related business activities such as contract management, supply chain management and customer relationship management; data collection in our benchmarking and quantum leap programs; and
- where we organise seminars, training courses and marketing activities, or invite you to participate instudies or other market intelligence activities.
Unless we notify you otherwise:
- The Hackett Group Limited, a company incorporated in England and Wales with registered number 01341295 whose registered office is at Cannon Green, 27 Bush Lane, London, EC4R 0AN and The Hackett Group, Inc., a Florida corporation in the United States of America are the principal Data Controllers of personal data we receive from students in relation to The Hackett Institute, which includes the CGBSP, CEAP, WCE and RPA programs;
- The Hackett Group, Inc. is responsible for the Site and is the principal Data Controller of personal data we receive via the Site.
In other cases, the relevant Data Controller is likely to be that particular Hackett entity which is named in any relevant correspondence with you, or which is otherwise identified at the point at which the data is collected.
Given the structure and operations of the Hackett Group, it may be necessary, from time to time, for other companies within the Hackett Group to act as your Data Controller in addition to those entities identified above, but in such cases we shall ensure that such companies process your personal data in line with Applicable Data Protection Laws.
If you have any questions in this regard, including confirmation of who your relevant Data Controller is in respect of any specific processing activity, please contact us using the details set out in the Contact section below.
INFORMATION THAT WE COLLECT FROM YOU
We will collect and process the following data about you.
Information you give us. This is information about you that you give us by filling in forms on our Site or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you use our site, subscribe to any of our Services, enroll in one of our Learning Programmes, or otherwise engage with us through our services or systems, and when you report a problem with our Site. The information you give us may include your name, address, e-mail address and phone number, your company, your work email, work address, role and job function, years of experience, any username or password you create to access our Site, Services or Learning Programmes.
Information we collect about you. With regard to each of your visits to our site we will automatically collect the following information: technical information, including browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about your visit, clickstream to and through our site (including date and time), products/services you viewed or searched for’, page response times, download errors, length of visits to certain pages.
Information we receive from other sources. This is information we receive about you if you use any of the other websites we operate or the other Services or Learning Programmes we provide. In this case we will have informed you when we collected that data if we intend to share those data internally and combine it with data collected on this site. We will also have told you for what purpose we will share and combine your data. Where you are receiving our Services or enrolling in one of our Learning Programmes at the request or instruction of your sponsor or employer we may receive information from your sponsor or employer about you. Please refer to your employer if you have any questions regarding what data your employer shares with the Hackett Group in connection with the provisions of our Services or Learning Programmes. In addition, we are working closely with third parties and in some cases, subcontractors relating to the delivery of our Services and Learning Programmes and maintenance and administration of this Site and will use such information that we receive solely in connection with the delivery of Services, Learning Programmes and maintenance of this Site.
USES MADE OF THE INFORMATION
We use information held about you in the following ways:
Information you give to us. We will use this information:
- to administer and improve the Services and this Site;
- to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
- to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
- to provide you, with information about other goods or services which we or our preferred partners can offer you, if we feel these may interest you. Save for where this is not prohibited under Applicable Data Protection Laws, we will only do so where you have “opted in” to receive this information. If you do not want us to use your data in this way, or to pass your details on to third parties for marketing purposes, please indicate this by contacting us as stated in the “Your Rights” section below;
- to notify you about changes to our Services and Learning Programmes;
- to ensure that content from our Site is presented in the most effective manner for you and for your computer.
Information we collect about you. We will use this information:
- to administer and improve the Services and our Learning Programmes;
- to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our Site to ensure that content is presented in the most effective manner for you and for your computer;
- to allow you to participate in interactive features of our service, when you choose to do so; as part of our efforts to keep our site safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
- to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
Information we receive from other sources. We will combine this information with information you give to us and information we collect about you, including information we might receive from your employer or sponsor. We will use this information and the combined information for the purposes set out above (depending on the types of information we receive).
OUR LEGAL BASIS FOR PROCESSING
We will only process your personal data when Applicable Data Protection Laws allow us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests andfundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Our legitimate interests in respect of the processing outlined in this Policy include (by way of example) but are not limited to:
- to study how customers use our products/services, to develop them and grow our business;
- to run our business, provision of administration and IT services, network security, and to prevent fraud;and
- to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy.
Where we do not consider that we can rely on a legal basis for processing that is set out above, or which is otherwise provided for under Applicable Data Protection Laws, then we will ask for your consent before processing your information.
If you are unclear about the specific legal basis upon which we process your personal data, and want further information in this regard, please contact us using the details set out in the Contact section below.
DISCLOSURE OF YOUR INFORMATION
We may have to share your personal data with the parties set out below for the purposes set out above in this Policy:
- Any member company of our group, which means our subsidiaries that we own and control including our parent company and its subsidiaries (“the Hackett Group”).
- Selected third parties including: business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you, including in relation to the provision of the Services, and analytics and search engine providers that assist us in the improvement and optimization of our site. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
- Your employer or sponsor, where you are receiving our Services, enrolling in one of our learning programmes, at their request or instruction. This information may include: Name, Date of birth, Contact information (e.g. email and home address, telephone number), Employer’s name and address, Nationality, Gender, Date of Enrolment, Qualification Name and Status, Exam Sitting Date(s) and status(es), Available Exam Credits (if any) and their expiry dates, Course Progress, Service usage information (please refer to your employer if you have any questions regarding how, and for what purposes, your employer will be processing this information).
- Advertisers and advertising networks that require the data to select and serve relevant advertisements to you and others. We do not disclose information about identifiable individuals to our advertisers, but we will provide them with aggregate information about our users (for example, we may inform them that 500 men aged under 30 have clicked on their advertisement on any given day). We may also use such aggregate information to help our advertisers reach the kind of audience they want to target.
In addition, we will disclose your personal data to third parties:
- In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets.
- If The Hackett Group or any subsidiary thereof, or substantially all of its respective assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
WHERE WE STORE YOUR PERSONAL DATA
The Hackett Group operates a global business. To offer and perform our services, and administer the Services, we may need to transfer your personal data among several countries. The data that we collect from you will be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It will also be processed by staff operating outside the EEA who work for us or for one of our suppliers. This includes staff engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services.
The Hackett Group, Inc., a company incorporated in the United States, is the controller and responsible for this Site, therefore by submitting personal data via this Site please be aware that you will be exporting personal data outside of the EEA to the United States.
Whenever a Hackett Group entity based within the EEA acts as your Data Controller and transfers your personal data out of the EEA, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where a transfer is made to another Hackett Group company located in a territory which is not deemed to provide an adequate level of protection for personal data by the European Commission, the transfer shall be made on the basis of an agreement which incorporates the EU Standard Contractual Clauses prepared for transfers from data controllers to data controllers, which is a specific contract approved by the European Commission which give personal data the same protection it has in Europe (“Model Form Agreement”). The template text is available in various languages at this link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts- transfer-personal-data-third-countries_en.]
- Where a transfer is made to one of our service providers located in a territory which is not deemed to provide an adequate level of protection for personal data by the European Commission, we may use a version of the Model From Agreements which is prepared for transfers from data controller to data processors;
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us using the details set out in the Contact section below if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so under Applicable Data Protection Laws.
The Hackett Group utilizes various security measures including but not limited to: Dedicated Servers, .htaccess Authentication and Secure Sockets Layer (SSL), to protect the loss, misuse or alteration of information placed under our control.
All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
Under Applicable Data Protection Law, you may have certain rights regarding the personal data we maintain about you. We also offer you certain choices about what personal data we collect from you, how we use that information, and how we communicate with you.
You can choose not to provide personal data to us. However, if you do not provide your data when requested, or if you exercise your rights set out in this section, you may not be able to benefit from our Services or Learning Programmes, and we may not be able to provide you with information about our products, services and promotions.
To the extent provided by Applicable Data Protection Laws, you may withdraw any consent you previously provided to us, or object at any time to the processing of your data. We will apply your preferences going forward, however this will not affect the lawfulness of any processing carried out before you withdraw your consent. In some circumstances, withdrawing your consent to our use or disclosure of your data will mean that you cannot take advantage of certain Services or Learning Programmes.
In addition you may have the right to: obtain confirmation that we hold personal data about you, request access to and receive information about the personal data we maintain about you (including the purposes and potential recipients of this personal data), receive copies of the personal data we maintain about you (including, in some cases, in a standardized format so it can be provided to another vendor), update and correct inaccuracies in your personal data, object to the processing of your personal data, and have the information blocked, anonymized or deleted, as appropriate. The right to access personal data may be limited in some circumstances by local law requirements including Applicable Data Protection Law. To exercise these rights, or to find out more, please contact us using the details set out in the Contact section below. Under Applicable Data Protection Laws, you have the right to ask us not to process your personal data for marketing purposes. Where required under Applicable Data Protection Laws we will inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. Where applicable, you can exercise your right to prevent such processing at any time by contacting us using the details set out in the Contact section below.
Under Applicable Data Protection Laws, you may have the right to lodge a complaint with your national data protection authority or other public authority governing the protection of your personal information. We would, however, appreciate the chance to deal with your concerns before you approach such regulatory authority, so please contact us using the details set out in the Contact section below in the first instance.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
ACCESS TO INFORMATION
Applicable Data Protection Law may give you the right to access information held about you. Your right of access can be exercised in accordance with these laws. Where you are so entitled, you will not normally have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Any request should be made in writing, and the best way for you to do so is to contact us using the details set out in the Contact section below. As we must be able to identify the person making the request, and because a fee may be due, we request that you confirm any request made by you via different means by contacting us at the address stated below. Due to technological constraints and/or information security considerations, it may be inappropriate to use social media to supply information in response to any request by you for access to information, and so please provide an alternative delivery address for our response. We may reject requests where we are entitled to do so under applicable data protection laws, which may include where the request is repetitive, require disproportionate effort and/or risks the privacy or confidentiality of others.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including contact, identity, financial and transaction data) for seven years after they cease being customers for tax and other regulatory purposes.
In some circumstances you can ask us to delete your data: see the Your Rights section above for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
As Hackett does not process personal data on a large scale, Hackett does not consider itself required to designate a statutory data protection officer under Applicable Data Protection Law. However, we have voluntarily appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below.
The Hackett Group, Inc.
Name or title of Data Privacy Manager: Frank Zomerfeld
Email address: email@example.com with the subject line “privacy”. Postal address: 1001 Brickell Bay Drive, Suite 3000, Miami, FL 33131
Telephone number: (305) 375-8005