Introduction
Highwire Inc. (“Highwire”) operates a Contractor Assessment Safety Program (the “Program”). Under the Program, a company which offers different construction-related services (the “Contracting Partner”) submits certain prescribed business information as well as safety and financial information to Highwire. That information is used by Highwire to create safety and/or financial assessments (“Assessments”) of that Contracting Partner. As described in the Highwire Contracting Partner Participation Agreement (“CPPA”), the Assessments are provided to the Contracting Partners to create and improve their safety scores. If pre-authorized by the Contracting Partner, the Assessments and scores are shared with so-called “Hiring Clients”.
As all our Contracting Partners are businesses, the information provided by them is usually business-related and the amount of personal data as defined in the EU General Data Protection Regulation (the “GDPR”) that we collect is limited. However, if the Contracting Partner is a small company, company-related data may be categorized as personal data.
This privacy notice (the “Privacy Notice”) serves to inform Contracting Partners and/or their representatives or contact persons located in the European Economic Area (“EEA”) about the processing of their personal data.
Who is responsible for the data processing?
Highwire, Inc.
700 District Avenue
Burlington, Massachusetts, 01803
United States of America
Email: support@highwire.com
Phone: +1-866-817-2210
You may contact our data protection officer by email at support@highwire.com or by regular mail, adding “data protection officer” to the address.
What data do we process and where does it come from?
In general, we process the following information (“Personal Data”):
“Identification Data” such as a name if it is part of the Contracting Partner’s company name or if it is the name of Contracting Partner’s representative or contact person;
“Contact Data” such as a business address, telephone number or email address;
“Bank Data” such as an account number, IBAN, etc.;
“Billing Data” such as the annual revenue of a Contracting Partner, a billing statement, invoice amounts and other data necessary for billing;
“Account Data” such as login credentials to access the Program;
“Assessment Data” such as the information necessary to conduct an Assessment.
In general, we only process the Personal Data which you share with us in order to create an account and complete an Assessment. We therefore receive the Personal Data directly from you. In the event the Contracting Partner adds you as a contact person or a Hiring Client asks us to contact you with regard to an Assessment for a particular project, we receive your name, business email address and business phone number from the Contracting Partner or the Hiring Client.
What purposes is the Personal Data used for?
In general, Personal Data is processed in order to enter into the CPPA and to fulfil the obligations under the CPPA, in particular to enrol the Contracting Partner in the Program, provide an Assessment and share the Assessment with the Hiring Clients as authorised by the Contracting Partner.
Personal Data is necessary in order to enter into and fulfil the obligations under the CPPA.
The legal basis for the processing of Personal Data is the performance of our contract with you (Art. 6 (1) b) GDPR) if you are our direct Contracting Partner. If you register as a representative or a contact person of our Contracting Partner, the processing of your Personal Data for the aforesaid purposes serves the performance of our contract with the Contracting Partner and is in the legitimate interests of Highwire, meaning that Art. 6 (1) f) GDPR is the legal basis for our processing of the data.
Furthermore, in the context of performing our contract with the Contracting Partner, Highwire has a legitimate interest in processing your Personal Data to the extent that this is necessary for the following purposes (Art. 6 (1) f) GDPR):
providing information on any changes of our services;
protecting you and other users against fraudulent, unauthorized or illegal activities, preventing criminal offences and conducting compliance reviews;
ensuring IT security and IT operations, including by engaging service providers who support our business processes;
anonymizing and aggregating the data in order to use the aggregate and/or anonymous data for internal purposes.
Highwire is also subject to various legal obligations (Art. 6(1) c) GDPR) that may require the processing of your Personal Data. Such legal obligations may follow, for example, from taxation laws, trade laws or sanctions laws.
Who do we share Personal Data with?
In general, Personal Data is disclosed only to Hiring Clients which have been pre-authorized by the Contracting Partner.
To process and store Personal Data, we can use external service providers within and outside the EEA. For example, we use Amazon Web Services (“AWS”) to facilitate our Program. We carefully select these service providers and instruct them in compliance with applicable data protection laws.
To the extent legally permissible, we may need to disclose the data to national and foreign authorities (such as social security institutions, tax authorities or law enforcement agencies) and/or courts in order to comply with statutory duties or in order to act in the interests of Highwire.
Data transfer outside the EEA
By choosing the relevant settings with AWS, we ensure that Personal Data from EEA data subjects is stored on AWS servers within the EEA. However, employees of Highwire access and process the Personal Data from within the U.S. to provide you with our services and perform the CPPA.
In countries outside the EEA, data protection regulations may apply that do not guarantee a level of data protection comparable to that in the EEA. However, we protect and secure your Personal Data by storing it within the EEA and implementing an Information Security Management System certified under the ISO/IEC 27001 Standard.
If, for the purposes specified above, your Personal Data is transferred to other recipients outside the EEA, we will implement appropriate measures to ensure that your Personal Data is adequately protected. In particular, where appropriate, we will enter into so-called EU standard contractual clauses to secure the onward transfer.
You may contact our data protection officer for further information.
How do we protect your Personal Data?
Each of our employees and all staff members of external service providers who have access to Personal Data are obliged to treat the Personal Data confidentially. In addition, we have implemented various technical and organisational measures, e.g.:
Highwire adheres to the ISO/IEC 27001 Standard;
Any data transfer or download happens via the SSL protocol;
To access data, the user must log in with a username/password;
When data is uploaded, files are encrypted (each encrypted file has its own key) and stored;
Stored backups and logs are encrypted;
Highwire does not use any temporary storage.
When do we delete your Personal Data?
We delete Personal Data once it is no longer necessary for the fulfilment of our contractual obligations or the legitimate interests outlined in this Privacy Notice and if no statutory retention obligations apply. In the event that a statutory retention obligation applies, we will restrict the processing of the Personal Data.
What are your rights?
Subject to the statutory requirements, the fulfilment of which must be assessed on a case-by-case basis, you have the right to receive information about your Personal Data, to require rectification or erasure of your Personal Data or the restriction of the processing and to receive your Personal Data in a structured, commonly used and machine-readable format (data portability).
Subject to the statutory requirements, the fulfilment of which must be assessed on a case-by-case basis, you also have the right to object to the processing of your Personal Data.
To the extent that we process your Personal Data in order to inform you about our advisory services and current developments where relevant for your business, you can object to the processing of your Personal Data at any given time and without stating any reasons.
Further, you are entitled to lodge a complaint with a supervisory authority regarding the processing of your Personal Data.
Updating and amending this Privacy Notice
This Privacy Notice is the version of 15 December 2021 and is currently applicable.
As we continue to develop and update our services or as statutory and/or regulatory provisions are amended, it may become necessary to amend this Privacy Notice. You can access, save and print the latest version of this Privacy Notice at any time via our website.
Review and Development
The author of this policy is considered the owner and has the responsibility for updating it whenever changes are dictated by the work. In addition, an annual review of this policy will be conducted by the Vice President of Compliance to ensure that it remains appropriate considering any relevant changes to the law, organizational policies, and/or contractual obligations.
As specified in the CS Administrative Manual, all changes to an ISMS document must be made using “Track changes,” making visible only the revisions to the previous version, either showing them in red text or strikeout. In addition, for reference, all previous versions of an ISMS document are stored on the personal user drive of the CS Vice President of Compliance. The versioning history for this document is defined in the table below: