Last Updated: February 2023
This Graham Privacy Notice provides a framework of understanding about the personal data that is collected by Graham Inc. and its subsidiaries and affiliates listed here (as applicable, hereinafter each separately and/or jointly called the “Data Controller”). Personal data collected by the Data Controller will be controlled and processed in accordance with the terms of this Privacy Notice.
This Privacy Notice describes the types of personal data or personal information we collect, how we use the information, how we process and protect the information we collect, for how long we store it, with whom we share it, to whom we transfer it and the rights that individuals can exercise regarding our use of their personal data. We also describe how you can contact us about our privacy practices and to exercise your rights. In general, our privacy practices conform with local law and regulation, including where applicable the provisions of the European Union’s General Data Protection Regulation (GDPR). Accordingly, our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements; and you can view specific local terms by visiting our local websites.
Information We Collect
We collect personal information about you in various ways, such as through our Sites and social media channels; at our events and through phone and fax; through job applications and in connection with in-person recruitment; and in connection with our interactions with clients and vendors.
We may collect the following types of personal information (as permitted under local law): contact information (such as name, postal address, email address and telephone number); username and password when you register on our Sites; information you provide about friends or other people you would like us to contact. (The Controller assumes that the other person previously gave an authorization for such communication); and other information you may provide to us, such as in surveys or through the “Contact Us” feature on our Sites
In addition, if you are an associate or job candidate, you apply for a position or create an account to apply for a position, we may collect the following types of personal data (as permitted under local law): employment and education history; language proficiencies and other work-related skills; Social Security number, national identifier or other government-issued identification number; date of birth; gender; bank account information; citizenship and work authorization status; benefits information; tax-related information; information provided by references; and information contained in your resume or C.V., information you provide regarding your career interests, and other information about your qualifications for employment.
We may also collect tie following types of personal data upon receiving your explicit consent (where required by applicable law): disabilities and health-related information; and results of drug tests, criminal and other background checks.
In addition, we may collect information you provide to us about other individuals, such as information related to emergency contacts.
How We Use the Information We Collect
The Data Controller collects and uses the data gathered for the following purposes (as permitted under local law): providing workforce solutions and connecting people to work; creating and managing online accounts; processing payments;managing our business partner, client and vendor relationships;
where permitted under law and consistent with this Privacy Notice, to send promotional materials, alerts regarding available positions and other communications; where permitted under law, for communicating about, and administering participation in, special events, promotions, programs, offers, surveys, contests and market research; responding to individuals’ inquiries and claims; operating, evaluating and improving our business (including developing, enhancing, analyzing and improving our services; managing our communications; performing data analytics; and performing accounting, auditing and other internal functions); protecting against, identifying and seeking to prevent fraud and other unlawful activity, claims and other liabilities; and
complying with and enforcing applicable legal requirements, relevant industry standards, contractual obligations and our policies.
All processing will be carried out based on adequate legal grounds which may fall into a number of categories, including: consent or explicit consent from the data subject, where required by applicable law; to ensure that we comply with a statutory or contractual requirement, or a requirement necessary to enter into a contract (e.g. processing your personal data to ensure that your wages and taxes are paid correctly); or it is essential and necessary for the legitimate interest of the Data Controller, as described in more detail below (e.g. allowing access to a website in order to provide the services offered).
In addition to the activities listed above, if you are an associate or job candidate and you apply for a position or create an account to apply for a position, as permitted under local law, we use the information described in this Privacy Notice for the following purposes: Providing you with job opportunities and work; providing HR services to you, including administration of benefit programs, payroll, performance management and disciplinary investigations or actions; providing additional services to you, such as training, career counselling and career transition services; assessing your suitability as a job candidate and your associate qualifications for positions; and performing data analytics, such as (i) analyzing our job candidate and associate base; (ii) assessing individual performance and capabilities, including scoring on work-related skills; (iii) identifying skill shortages; (iv) using information to match individuals and potential opportunities, and (v) analyzing pipeline data (trends regarding hiring practices). We also may use the information in other ways for which we provide specific notice at or prior to the time of collection.
Use of Automated Data Collection Methods
When you visit our Sites, we may collect certain information by automated means, such as cookies, web beacons and web server logs. The information we may collect in this manner includes IP address, unique device identifier, browser characteristics, device characteristics, operating system, language preferences, referring URLs, information on actions taken on our Sites, dates and times of visits to our Sites and other usage statistics.
A “cookie” is a file that websites send to a visitor’s computer or other Internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser.
A “web beacon” also known as an Internet tag, pixel tag or clear GIF, links web pages to web servers and their cookies and is used to transmit information collected through cookies back to a web server.
Through these automated collection methods, we may obtain “clickstream data,” which is a log of the links and other content on which a visitor clicks while browsing a website.
Our Sites use these types of cookies:
a) Technical Cookies
Technical cookies are those used exclusively with a view to “carrying out the transmission of a communication on an electronic communications network, or insofar as this is strictly necessary to the provider of an information society service that has been explicitly requested by the contracting party or user to provide the said service.”
b) Profiling Cookies
Profiling cookies are aimed at creating user profiles. They are used to send ads messages in line with the preferences shown by the user during navigation. In light of the highly invasive nature of these cookies, vis-à-vis users’ private sphere, local and European legislation requires users to be informed appropriately on their use so as to give their valid consent.
How We Collect Information by Automated Means
As you click through our Sites, a record of the action may be collected and stored. We link certain data elements we have collected through automated means, such as your browser information, with other information we have obtained about you to let us know, for example, whether you have opened an email we sent to you. Your browser may tell you how to be notified when you receive certain types of cookies or how to restrict or disable certain types of cookies. Your browser will allow you to block cookies, however, you may not be able to use all of the features of our Sites without cookies.
Providers of third-party apps, tools, widgets and plug-ins on our Sites, such as social media sharing tools, also may use automated means to collect information regarding your interactions with these features. This information is collected directly by the providers of the features and is subject to the privacy policies or notices of these providers. Subject to applicable law, Graham is not responsible for these providers’ information practices.
To the extent required by applicable law, we will obtain your consent before collecting information using cookies or similar automated means.
How We Use Information Collected through Automated Means
We use information collected through cookies, web beacons, pixels, web server logs and other automated means for purposes such as
customizing our users’ use of our Sites; delivering content tailored to our users’ interests and the manner in which our users use our Sites; and managing our Sites and other aspects of our business.
We also use third-party analytics services on our Sites, such as those of Google Analytics and Adobe Omniture. The analytics providers that administer these services use technologies such as cookies, web server logs and web beacons to help us analyze your use of our Sites. The information collected through these means (including IP address) may be disclosed to these analytics providers and other relevant third parties who use the information, for example, to evaluate use of the Sites. To learn more about these analytics services and how to opt out, please visit the following sites and any sites contained in the country-specific addenda:
Profiling and Interest-Based Advertising
On our Sites, we may collect information about your online activities to provide you with advertising about products and services tailored to your individual interests. We also may obtain information for this purpose from third-party websites on which our ads are served.
You may see certain Graham ads on other websites because we engage third-party advertising networks. Through such advertising networks, we can target our messaging to users through demographic, interest-based, behavioural and contextual means. Through the ad networks, we can track your online activities over time by collecting information through automated means, including through the use of third-party cookies, web server logs, pixels and web beacons. The networks use this information to show you advertisements that may be tailored to your individual interests and previous activity. The information our advertising networks may collect on our behalf includes data about your visits to websites that serve Graham advertisements, such as the pages or advertisements you view and the actions you take on the websites. This data collection takes place both on our Sites and on third-party websites that participate in these ad networks. This process also helps us track the effectiveness of our marketing efforts. To learn how to opt out of this ad network interest-based advertising, please visit aboutads.info/choices/. To the extent required by applicable law, we will obtain your consent before using your information for interest-based advertising.
Our Sites are not designed to respond to “do not track” signals from browsers.
Information collected through third-party plug-ins and widgets on the Sites (such as information relating to your use of a social media sharing tool) is collected directly by the providers of the plug-ins and widgets. This information is subject to the privacy policies of the providers of the plug-ins and widgets, and Graham is not responsible for those providers’ information practices.
Google Analytics: tools.google.com/dlpage/gaoptout
Adobe Analytics: adobe.com/privacy/analytics.html#1
The Data Controller may process personal data for certain legitimate business purposes, which includes some of all of the following: where the process enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of our clients, candidates and associates; to identify and prevent fraud; to enhance security of our network and information systems; to better understand how people interact with our websites; for direct marketing purposes; to provide postal communications to you which we think will be of interest to you; and
to determine the effectiveness of promotional campaigns and advertising.
Whenever we process data for these purposes we will ensure that we keep your rights in high regard and take account of these rights. You have the right to object to such processing, and may do so by contacting us as described below. Please bear in mind that if you exercise your right to object, this may affect our ability to carry out and deliver services to you for your benefit.
How We Process and Protect Personal Information
We process the personal data we collect, also by automated means, for the purposes defined above and for a specific period of time, which complies with our internal retention policy, in order to ensure that the personal data are not kept longer than necessary.
We maintain administrative, technical and physical safeguards designed to protect the personal data you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. In order to ensure adequate security and confidentiality of the personal data, we may apply the following security measures as appropriate: Encryption of data in transit; Strong user authentication controls; Hardened network infrastructure; and Network monitoring solutions.
How Long We Store Data We Collect
We store in our systems the personal data we collect in a way that allows the identification of the data subjects for no longer than it is necessary in light of the purposes for which the data was collected, or for which that data is further processed.
The necessity to retain the personal data collected, in order to offer services established with the user; The legitimate interest of the Data Controller, as described in the purposes above; and The existence of specific legal obligations that make the processing and related storage necessary for specific period of times.
Information We Share
We do not disclose personal data that we collect about you, except as described in this Privacy Notice or in separate notices provided in connection with particular activities. We may share personal data with vendors who perform services on our behalf based on our instructions. We do not authorize these vendors to use or disclose the information except as necessary to perform services on our behalf or comply with legal requirements. We also may share your personal data (i) with our subsidiaries and affiliates; (ii) if you are a job candidate, with clients who may have job opportunities available or interest in placing our job candidates; and (iii) with others with whom we work, such as job placement consultants and subcontractors, to find you a job.
In addition, we may disclose personal data about you (i) if we are required to do so by law or legal process; (ii) to law enforcement authorities or other government officials based on a lawful disclosure request; and (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity. We also reserve the right to transfer personal data we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution or liquidation).
We also may transfer the personal data we collect about you to countries outside of the country in which the information originally was collected. Those countries may not have the same data protection laws as the country in which you initially provided the personal data. When we transfer your information to other countries, we will protect that data as described in this Privacy Notice and such transfers will be in compliance with applicable law.
Your Rights as a Data Subject
When authorized by applicable law, a data subject may exercise certain specific rights, such as:
- Right of access: A data subject may access his or her personal data in order to verify that his or her personal data is processed in accordance with law.
- Right to rectification: A data subject may request the rectification of any inaccurate or incomplete data held about him or her, in order to protect the accuracy of such information and to adapt it to the data processing.
- Right to erasure: A data subject may request that the Data Controller erases information about him or her and to no longer process that data.
- Right to restriction of processing: A data subject may request that the Data Controller restricts the processing of his or her data.
- Right to data portability: A data subject may request data portability, meaning that the data subject can receive the originally provided personal data in a structured and commonly used format or that the data subject can request the transfer of the data to another data controller.
- Right to object: A data subject who provide a Data Controller with personal data may object, at any time, to the data processing on a number of grounds as set out under GDPR without needing to justify his or her decision.
- Right not to be subject of automated individual decision-making: A data subject may request not to be subject to a decision based solely on automated processing, including profiling, if such profiling produces a legal effect concerning the data subject or similarly significantly affects him or her.
- Right to lodge a complaint with a supervisory authority: Every data subject has the right to lodge a complaint with an applicable supervisory authority; in particular in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes GDPR.
Whenever data processing is based on consent as described in Article 7 of the GDPR, the data subject may withdraw his or her consent at any time.
If you require more information about the processing of your personal data, please refer to the How to Contact Us section below.
Updates to Our Privacy Notice
This Privacy Notice (including any addenda) may be updated periodically to reflect changes in our privacy practices and legal updates. For significant changes, we will notify you by posting a prominent notice on our Sites indicating at the top of each notice when it was most recently updated.
How to Contact Us
If you have any questions or comments about this Privacy Notice, or if you would like to exercise your rights, please write to:
7512 Dr. Phillips Blvd. #50-107
Orlando, FL 32819
Alternatively, if you are located outside of the United States, you may contact your local Data Protection Officer, as identified in the Privacy Notice on your local website.