Notice to Applicants Pursuant to the EU-U.S. Privacy Shield

Cass Information Systems, Inc., and its subsidiaries and affiliates (collectively, “the Company”) are committed to protecting the privacy and security of personal information and/or personal data (“personal information”) during the application and recruitment process. Due to the global nature of its business, the Company must share certain personal information related to its human resources activities across national boundaries, including transferring personal information from the EU to the United States. The Company has self-certified that it abides by the EU-U.S. Privacy Shield (“Privacy Shield”) agreement between the United States and the European Union, and is committed to subject the Privacy Shield privacy principles to all personal information received from the EU in reliance upon the Privacy Shield as part of our human resources activities.

To learn more about the Privacy Shield program, please visit http://www.privacyshield.gov. To view the Company’s certification under Privacy Shield, please visit http://www.privacyshield.gov/list.

The Company’s subsidiaries and affiliates located in the EU will comply with the national privacy laws adopted pursuant to the EU Privacy Directive 95/46/ec (the “Directive”) regarding the collection, processing and transfer of your personal information.

If you have any questions about this Notice, the Privacy Shield, or the Company’s privacy policies and procedures, please contact the individuals listed in the Recourse, Enforcement, and Liability section of this Notice.

 

Personal Information Processed

“Personal information” is any information relating to you as an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

The Company may process personal information about applicants such as name; contact information (including home and work address; home and work telephone numbers; mobile telephone numbers; home and work email address); marital status; ethnicity; citizenship information; visa information; national and governmental identification information; drivers’ license information; passport information; military service information; religion information; birth date and birth place; gender; disability information; employee identification information; education, language(s) and special competencies; certification information; employment history; work experience information; accomplishment information; training and development information; award information; membership information; information from interviews and phone-screenings you may have, if any; details of the type of employment you are or may be looking for, current and/or desired salary and other job preferences; reference information and/or information received from background checks, including information provided by third parties.

 

Purposes for Processing Personal Information

The Company processes your personal information for the purpose of carrying out its application and recruitment process. “Process” means any operation or set of operations which is performed upon personal information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, transfer, and erasure or destruction.

The Company may process your personal information in the application and recruitment process for various functions, including, but not limited to: assessing your skills, qualifications and interests; verifying your information, carrying out reference checks and conducting background checks; communications with you during the recruitment and application process; compliance with legal requirements or enforceable governmental requests; and other employment related purposes. 

Additionally, the Company may process your personal information in connection with compliance audits, the defense of legal claims, to meet the Company’s legal and public interest requirements, and to meet the Company’s legitimate interests regarding the monitoring of legal obligations and legitimate accounting activities. The Company may also process your personal information to support, maintain, and provide security for its computer systems and mobile devices.

Finally, the Company may be required to disclose your personal information in response to lawful requests by public authorities to comply with national security or law enforcement requirements.

 

Choice

The Company will offer you a clear, conspicuous, and readily available mechanism to choose (opt out) whether your personal information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of the Company) or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by you.

Additionally, the Company will offer you a similar choice mechanism to give affirmative or explicit (opt in) choice whether your sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by you through opt-in choice. However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of you or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or (5) related to personal information that is manifestly made public by you.

Finally, the Company will make reasonable efforts to accommodate your privacy preferences such as restricting access to the personal information, anonymizing certain personal information, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand. 

Any questions regarding the choice mechanisms or any privacy preferences regarding your personal information should be directed to the individuals listed in the Recourse, Enforcement and Liability section of this Notice.

 

Disclosure of Personal Information to Third Parties

Transfers from the EU to Processors in the United States

The Company’s EU subsidiaries and affiliates may transfer your personal information to a processor in the United States solely for processing purposes. A “processor” is any third party who processes personal information on behalf of and in accordance with the instructions of the Company. When your personal information is transferred from the EU to the United States solely for processing purposes, the Company’s EU subsidiaries and affiliates will comply with applicable national privacy laws and enter into a contract with the processor to ensure that the processor (1) acts only on instructions of the Company’s EU subsidiary or affiliate; (2) provides appropriate technical and organizational measures to protect the personal information against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; and understands whether onward transfers are allowed; and (3) assists the Company’s EU subsidiary or affiliate in responding to individuals exercising their rights under the Privacy Shield principles, taking into account the nature of the processing.

 

Onward Transfers to Third Party Agents

After your personal information is transferred from the EU to the Company in the United States, the Company may thereafter transfer your personal information to third parties acting as agents to perform tasks on behalf of and under the Company’s instructions for the purposes set forth in this Policy. Examples of third party agents may include payroll, benefits, and computer providers. When the Company makes such onward transfers to third party agents, it will comply with the Privacy Shield notice principle, ascertain that the third party agent is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield principles, and enter into a contract with the third party agent that provides: (1) the third party agent will process your personal information only for limited and specified purposes, (2) the third party agent will provide at least the same level of privacy protection as is required by the Privacy Shield principles; (3) the Company will take reasonable and appropriate steps to ensure that the third party agent effectively processes your personal information pursuant to the Privacy Shield privacy principles; (4) the third party agent will notify the Company if the third party agent can no longer provide the same level of privacy protection as required by the Privacy Shield principles; and, (5) upon such notice by the third party agent, the Company will take steps to stop and remediate any unauthorized processing.

 

Access

Upon request, the Company will provide you with confirmation regarding whether it is processing personal information relating to them and will communicate to you within a reasonable time period the personal information the Company processes about you. Further, the Company will provide you with access to your personal information to be able to correct, amend or delete personal information when it is inaccurate or processed in a manner contrary to the Privacy Shield principles; except where the burden or expense of providing access would be disproportionate to the risks to your privacy, where the rights of persons other than you would be violated, or where the personal information of a small number of employees is transferred for occasional employment-related operational needs.

Additionally, access may be limited or denied when granting such access would (1) compromise confidential commercial information; (2) interfere with the execution or enforcement of the law or with private causes of action including the prevention, investigation or detection of offenses or the right to a fair trial; (3) violate the legitimate rights or important interests of others; (4) breach a legal or other professional privilege or obligation; (5) prejudice employee security investigations or grievance proceedings or in connection with employee succession planning or corporate reorganizations; and (7) prejudices the confidentiality necessary in monitoring, inspection or regulatory functions connected with sound management, or in future or ongoing negotiations involving the Company.

The Company’s EU subsidiaries and affiliates will comply with local regulations to ensure that you have access to your personal information as required by national laws regardless of the location of the processing or storage of your personal information. The Company’s U.S. subsidiaries and affiliates will cooperate with its EU subsidiaries and affiliates in providing such access to you.

The Company may charge you a reasonable fee for access to personal information where, for example, the request for access is manifestly excessive or repetitive. Additionally, the Company may set reasonable limitations on the number of times within a given time period that your access requests will be met.

If you wish to access your personal information or becomes aware that the personal information the Company maintains on you is inaccurate or is being processed contrary to this Policy or the Privacy Shield principles, please contact the individuals listed in the Recourse, Enforcement and Liability section of this Policy.

 

Recourse, Enforcement and Liability

 

Recourse Mechanisms

Inquiries or complaints regarding this Policy should be directed to cassrecruiter@cassinfo.com. If the inquiry cannot be answered or the complaint is not resolved locally, please direct the matter to:

Cass Information Systems
Attn: Privacy Officer
12444 Powerscourt Drive
St. Louis, MO 63131 USA
PrivacyOfficer@cassinfo.com

 

If a complaint remains unresolved, you should contact the state or national data protection or labor authority in the jurisdiction where you work for resolution. A listing of the EU Data Protection Authorities (“DPAs”) is located at: http://ec.europa.eu/justice/data-protection/article- 29/structure/data-protection-authorities/index_en.htm. The Company will cooperate with the competent European Union Data Protection Authorities (DPAs) and comply with the advice of such DPAs. In the event that the DPAs determine that Cass Information Systems, Inc. did not comply with this Policy or Privacy Shield principles, the Company will take appropriate steps to address any adverse effects and to promote future compliance, comply with any advice given by the DPAs where the DPAs have determined that the Company needs to take specific remedial or compensatory measures for your benefit because of any non-compliance with this Policy or the Privacy Shield principles, and provide the DPAs with written confirmation that such action has been taken.

 

Enforcement

The Company is also subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

 

Liability

The Company retains responsibility for the processing of your personal information it receives under the Privacy Shield and subsequently transfers to a third party agent. The Company will remain liable under the Privacy Shield principles if its third party agent processes your personal information in a manner inconsistent with the Privacy Shield principles, unless the Company proves that it is not responsible for the event giving rise to the damage.

 

Changes to this Policy

We may change this policy from time to time. We will post any changes to this policy on our website. Each version of this policy will be identified on the bottom of the document by its effective date.

By submitting your application you acknowledge that you have carefully read and sufficiently understood the above Notice and information contained therein.