PSI Services LLC, a Delaware, USA limited liability company, and the PSI Group Companies (collectively “PSI”, “us”, “we”, “our”) provide assessment and talent management solutions (“Services”) and products (“Products”) to a range of private and public sector organizations. PSI has acquired leading testing technology and workforce assessment companies around the globe that now operate under the PSI brand.
By visiting our Site, or using any of our Services, you agree that your Personal Data will be handled as described in this Policy unless agreed upon otherwise in your contract with PSI. If you do not agree to the terms in this Policy, you must not use our Sites. Your use of our Site or Services, and any dispute over privacy, is subject to this Policy and our terms of service, including its applicable limitations on damages and the resolution of disputes or any service-specific terms made available to you when you sign up for the Services. Our terms of service are incorporated by reference into this Policy. If you have any questions or complaints in relation to this Policy, you may contact our Data Protection Officer here.
Information We Collect
Based on the Services provided to you or our Clients, we may process the following categories of Personal Data about you as necessary to provide such Services. You can obtain details of the specific categories of information collected by contacting us. Please refer to the Your Legal Rights section below.
- Identity Information, including, but not limited to first and last name, address, phone number, date of birth, email address, nationality, state identification number, social security number, digital photographs, video, audio and signatures, and optionally ethnicity;
  - Remote Proctoring: We may collect Identity Information through remote proctoring. We provide a service whereby Clients who conduct examinations outside of our examination centers use our remote proctoring service. This service requires the users to log onto our Remote Proctoring platform. The user takes the examinations while being monitored through their webcam, microphone and through their computer’s desktop which are all accessible to a remote examiner. We collect Identity Information for identity verification, conducting the examination, fraud prevention, security and integrity, and as otherwise required by law.
- Contact Information, including, but not limited to email address, phone number, billing address and delivery address; or
- Financial Information, including, but not limited to bank account and payment card details.
- When strictly required for the purposes of providing the Services, we may also collect the following:
  - Sensitive Information, including age, race, religion, creed, sex, gender identity and expression, sexual orientation, and criminal convictions and offences;
  - Biometric Information, including fingerprint images and facial images; or
  - Medical Information, including exam results or examination candidates’ requests for examination accommodations.
- Professional or Employment-related Licensure Information, including, but not limited to: license application information, license activity, license history, information relating to continuing education credits, public complaints, board actions taken against a licensee, or any public actions taken against a licensee by regulatory boards or agencies (“Licensee Updates”).
- Transaction Information, including, but not limited to details about payments to and from you by us and other details about Products and Services you have purchased from us.
- Usage Information, including information about how you use our Site, Products and Services.
- Marketing and Communications Information, including your preferences in receiving marketing information from us and our third parties along with your communication preferences.
- Recruitment Data, including your curriculum vitae, information on references and other information you provide us during the recruitment process, and results of any reference checks and background checks conducted as part of the recruitment process.
- Assessment Data, including your responses to assessments and the resulting reports.
Purposes of Processing
We may use your Personal Data for one of the following activities:
- Provide Services to you and our Client as agreed in the contract;
- For recruitment purposes in cases where you have applied for a job with us;
- When you have opted-in, for marketing purposes;
- For internal analysis and research to help us improve our Products and Services;
- Keeping accounts and financial records related to any business or other activity carried on by us; and
- Sending relevant administrative information such as notices related to product, service, or policy changes.
Third Party Disclosures
We do not share your Personal Data with third parties for their own marketing purposes.
We may disclose your Personal Data internally, within entities of the PSI Group, and externally, with the Client, and other third parties as set forth below. When we disclose Personal Data, the recipient is required to keep that Personal Data confidential and secure, and to process the Personal Data only for the specific purpose for which they are engaged:
- Clients: We share your information, including results of your assessment, job demographics, and other information about you with the Client who engaged us to provide the Services.
- Government and Professional Licensing Agencies: We disclose Personal Data, Exam Information, Licensure Updates and other information relating to regulatory boards or state governments for inclusion in their files and records. In addition, we may also disclose such information to licensing agencies or professional associations, for a fee, for inclusion in their files and records. In certain states, licensees’ Personal Data, Exam Information, and Licensure Updates are considered information that is in the public domain.
- Sub-Processors/Service Providers: We share information with our sub-processors, including PSI Group companies and other third-party providers who provide services to us. A list of our sub-processors can be found here: https://wwwdemo.psionline.com/privacy/gdpr-compliance/sub-processors.
- Law Enforcement/Public Authorities: We may be required to disclose information to public authorities, regulators or governmental bodies, as required by the applicable law or regulation, under a code of practice or conduct, where necessary to facilitate any investigation, or where we believe that disclosure is appropriate to protect our rights and interests or the rights and interests of third parties.
- Corporate Transactions: If we are acquired by, or merge with another company, any of our assets are transferred to another company, or bankruptcy proceeding ensues, we may transfer the information we have collected from you to the other party.
We have put in place various electronic safeguards and managerial processes designed to prevent unauthorized access or disclosure, maintain data integrity, and ensure the appropriate use of Personal Data. We use industry best practices and guidance from sources such as the National Institute of Standards and Technology (“NIST”), Payment Card Industry (“PCI”), standards promulgated by the Center for Internet Security (“CIS”), and International Standards Organization (“ISO”), ISO/IEC 27001:2013 (Security techniques — Information security management systems — Requirements) to design and maintain our information security program. We maintain Personal Data, exam data, and Licensee Updates on secured computers and all Clients, exam candidates, and employer accounts are password protected. No such security or safeguards are 100% effective, but we will take commercially reasonable efforts to employ security measures designed to protect the information. No Personal Data is knowingly disclosed to third parties except as described herein. Unfortunately, since data transmission over the internet cannot be completely secure, we cannot ensure or warrant the security of any information transmitted to us.
We limit access to your Personal Data to those employees, agents, contractors, sub-processors and other third parties who have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.
We have procedures put in place to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Location and Retention
The location of the servers where your Personal Data is stored will be dependent on the specific Services provided by us to the Client and governed by the contract between us and the Client. Please refer to our list of sub-processors for further information on the locations where your Personal Data may be processed by our sub-processors.
We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you or our Client.
To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data, whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other retention requirements.
You have the right to request that we delete your information. Please see “Your Legal Rights” below for further information.
Unless agreed otherwise, we may use your Personal Data after anonymization (so that it can no longer be identified as your information) for research or statistical purposes, in which case we may use this information for a reasonable period of time without further notice to you. We may also use your Personal Data as part of statistical, aggregated data for research purposes in a pseudonymized form, if approved by our Client.
We may share your Personal Data within the PSI Group for the purposes stated above. This may involve transferring your information outside the European Economic Area (“EEA”). Whenever we transfer your Personal Data outside of the EEA, we ensure a similar degree of protection is afforded to it by implementing the following safeguards:
EU-U.S. & Swiss-U.S. Privacy Shield Certification. We recognize that a number of countries have established strict protections regarding the handling of Personal Data which have requirements to provide adequate protection for such Personal Data transferred outside of the EU, Switzerland and the United Kingdom. PSI Group Companies comply with the Privacy Shield frameworks, and particularly, as agreed to between the U.S. Department of Commerce, the European Commission, the Swiss Administration and the United Kingdom, respectively, regarding its collection, use, and retention of Personal Data from EU member countries, Switzerland and the United Kingdom. Specifically, we have certified that the PSI Group Companies adhere to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement, and liability. To learn more about the Privacy Shield program, and to view our certification, please visit the Privacy Shield website at www.privacyshield.gov. As a Privacy Shield participant, we have agreed to abide by the investigatory and enforcement powers of the U.S. Federal Trade Commission or any other U.S. authorized statutory body.
Intra-Group Transfer Agreement. In addition to the Privacy Shield frameworks, all relevant PSI Group Companies across the globe have entered into an intra-group transfer agreement committing to compliance with the General Data Protection Regulation 2016/679 (“GDPR”) as set out in the European Commission’s standard contractual clauses for data transfers.
Other International Transfers. Personal Data may be processed outside your jurisdiction by our sub-processors. Please refer to our list of sub-processors and the locations where Personal Data may be processed by the sub-processors. We ensure that our sub-processors offer an adequate level of protection to the Personal Data by entering into appropriate agreements committing them to compliance with GDPR and other applicable laws.
Legal Bases for Processing
We process your Personal Data in accordance with the contract with our Client, the GDPR and the California Consumer Privacy Act (“CCPA”). Based on the specific circumstances, the legal basis for our processing is one of the following:
- Performance of a Contract. We collect and process Personal Data for the purposes of the performance of a contract with you or our Client.
- Consent. In certain cases where required under the law, we process your Personal Data based on your specific and informed consent. For example, where you have opted-in to receive our marketing information, we may use your information to send you news and newsletters, special offers, and promotions, or to otherwise contact you about Products or Services or information we think may interest you.
- Legitimate Interest. We process Personal Data where it is necessary for our legitimate interests (or those of a third party). This includes activities related to everyday business operations, such as invoice processing, business planning, and handling client service-related queries and complaints, and other activities such as recruitment.
- Legal Obligation. We process your Personal Data when we need to comply with a legal obligation, meet our on-going regulatory and compliance obligations, including in relation to recording and monitoring communications, disclosures to tax authorities, financial service regulators and other regulatory and governmental bodies, and to investigate security incidents and prevent crime.
- Other bases. We may rely on other legal bases for processing as set out in the contract with the Client.
Your Legal Rights
Privacy Rights for Data Subjects in the European Union
The GDPR sets forth certain rights to EU residents. PSI is committed to full compliance with the GDPR.
Under the GDPR, we are a data processor of a candidate’s Personal Data with respect to most Services provided to our Clients. Our Client or the relevant organization in the supply chain determines the purposes and means of the processing and is the data controller. The contract with our Client sets out our mandate to process your Personal Data in such instances. We may also act as data controllers in instances where we provide Services directly to you and where we determine the purposes and means of processing your Personal Data.
If you are a data subject under the GDPR, you have the following rights in relation to your Personal Data.
- Request access to your Personal Data
- Request correction of your Personal Data
- Request erasure of your Personal Data
- Object to processing of your Personal Data
- Request restriction of processing of your Personal Data
- Request transfer of your Personal Data
- Right to withdraw consent
To exercise any of these rights, please submit a request to us by emailing our Data Protection Officer through our Privacy Portal. In cases where we are a data processor, we can only forward your request to our Client for instructions on how best to respond to your request. We encourage you to contact the data controller directly to exercise your rights.
Privacy Rights for California Citizens
PSI is committed to full compliance with the CCPA. Any terms defined in the CCPA have the same meaning when used in this section.
Generally, we are a “Service Provider” as defined under the CCPA with respect to our practices in managing your Personal Data. The organization that has engaged us to provide the Services is the “Business” (as defined under the CCPA) and our mandate to process your Personal Data is based on the contract between us and the Business. For example, if you are taking a licensing examination, the licensing agency is the Business that has contracted with PSI, the Service Provider, to deliver your examination. In such cases, we encourage you to contact the Business to exercise your rights with respect to such Personal Data.
The CCPA provides California residents with specific rights regarding their Personal Data:
- Request access to your Personal Data and data portability.
- Request deletion of your Personal Data.
- Right to Opt-Out of the Sale of Personal Data.
To exercise any of these rights, please submit a verifiable consumer request by either:
We will not discriminate against you for exercising any of the foregoing rights under CCPA. You will not have to pay a fee to access your Personal Data or to exercise any of the other rights under CCPA. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request. You may only make such a request twice within any 12-month period. Your request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Data. As a security measure, we may need to request specific information from you to help us confirm your identity.
We try to respond to all legitimate requests under CCPA within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you.
Personal Data Sales Opt-Out and Opt-In
We may engage in marketing campaigns in order to introduce new products or services that may be of interest to our current or prospective Clients. Where required by applicable law, we will only engage in such marketing communications if the individual has opted into these communications. Individuals may opt-out of the processing of their Personal Data by exercising their right to withdraw consent and the right to object to the processing of their information. To opt-out of commercial emails, simply click the link labelled “unsubscribe” at the bottom of any email sent by us. Please note that even if you opt-out of commercial emails, we may still need to contact you with important transactional information about your account or a scheduled exam in order to fulfil a contractual obligation. For example, we will still send assessment confirmations and reminders, information about center changes and closures, and information about assessment results even if commercial emails have been opted-out (or not opted-in).
Our Site may provide links to third-party websites. We have no control over third parties and we assume no responsibility for the availability, content, accuracy or privacy practices of other websites, services or goods that may be linked to, or advertised on, such third-party websites. We suggest that you review the privacy policies and the terms and conditions of the third-party websites to get a better understanding of what, why and how they collect and use any personally identifiable information.
Our Site is not designed to attract anyone under the age of 16 and children under the age of 16 are not permitted to access or use our Site. In limited circumstances and in specific markets, a Client may contract with us to provide examinations to candidates under the age of 16. Additional relevant information will be provided to such candidates through the Client or at the time of or prior to the provision of Services.
We reserve the right to amend or change this Policy from time to time. We encourage you to visit and review this Policy periodically. We will post our revised Policy on our website and update the revision date below to reflect the date of the changes. By continuing to use our website after we post any such changes or updates, you accept the Policy as modified.