HR Privacy Notice

The key points of this notice that you should know are:

• For potential, existing, and former employees, the controller for your personal data is generally the entity to which you are applying, by which you are employed, or by which you were formerly employed.  For contractors, the controller for your personal data is generally the entity to which you are providing services.
• We collect various types of personal data, including some special categories of personal data (often called sensitive personal data), to manage our relationship with you and to operate our business.
• Depending on the circumstances, we rely on different legal bases to process your data.  These include processing data to fulfill a contract with you, to comply with applicable laws, to fulfill our legitimate interests and your legitimate interests, and to fulfill other purposes for which you give your explicit consent.
• Most of your personal data will remain with your local employer, but some data will be shared with ACCO Brands’ affiliates around the world.  Your personal data will also be shared with other companies and service providers, such as payroll providers, IT service providers, and insurance companies.  We do not sell your personal data.
• Whenever we transfer your personal data to another country, we protect the data using various mechanisms, such as governmental adequacy decisions, standard contractual clauses, or government-recognized certifications.
• You have rights over how your personal data is used, such as asking to access your data, delete your data, or have it corrected.  These rights are limited in some cases.
• You can reach out to DataPrivacy@acco.com any time if you have questions or concerns about your privacy. You can also contact your local Human Resources team.

This notice describes how we collect and use your personal data as part of your recruitment, employment, or contracting relationship with our company. 

In some regions, different legal requirements may apply, and we may also collect different types of personal data.  Country-specific information is described in Annex 1 to this notice.

For potential, existing, and former employees, the controller for your personal data is generally the entity to which you are applying, by which you are employed, or by which you were formerly employed. 

For contractors, the controller for your personal data is generally the entity to which you are providing services.

For a limited number of purposes, our ACCO Brands US entity, ACCO Brands USA LLC (“ABUL”) and the respective local entity will act as joint controllers. This means that each of ABUL and the local entity is responsible for deciding how we hold and use personal information about you, but that ABUL and the local entity will also cooperate to ensure data protection compliance. Additional details on this topic are available in the “With whom do we share personal data?” section below.

We will collect and use the following personal data to manage your recruitment, employment, or contracting relationship:

• Personal Details – your name, maiden name, date of birth, gender, home address, personal email address, personal phone number, emergency contact details, marital status, family member information, tax ID numbers, national ID numbers, citizenship and immigration status, copies of identity documentation;
• Pre-Employment Details – curriculum vitae, job title, professional experience, past employment history, education, training, skills, certifications, languages spoken, background check results (only where permitted by local law and subject to any necessary consents), and statements from references;
• Employment Details – hire date, employee ID, payroll number, work phone, work email, work mailing address, travel preferences, company vehicle details, personal vehicle details (only if required for parking passes), manager, department, benefits, pay grades, employment status, employment category, performance history, training records, assessment results, information regarding skills and development, career plans, records of disciplinary action, internal investigation records, reports of potential or suspected misconduct, and termination date and reason;
• Financial Information – salary, incentives, benefits, bank account routing and account number, expense records, beneficiaries’ name, date of birth, gender, and any other information needed for payment and taxation purposes;
• Computer and Network Information – ACCO Brands computer and network credentials, emails, instant messages, other electronic communications, firewall logs, system use data, and system access data;
• Photography and Video – photographs, video recordings, and social media information you voluntarily share with us; and
• CCTV Recordings – closed-circuit television video recordings outside of and within our offices and factories.

We also collect the following special categories of personal data (often called sensitive data):

• Health Information – medical certification, medical leave information, work-related injuries and illnesses, work restrictions, pregnancy status, any required reasonable accommodations, health insurance coverage, and information you voluntarily share with us (only where permitted by local law and subject to any necessary consents).

We collect personal data from you directly as well as from third parties, such as recruiting agencies.  We use that data for the purposes listed below in the “How do we use your information and what is the legal basis?” section.

We use your personal data for the purposes and under the legal bases described below.  We have broadly grouped the “Types of Personal Data Processed” for each purpose to make this Notice easier to read; however, we only process the types of personal data necessary to achieve the respective listed purpose. 

The legal bases we rely on are:

• Legitimate Interests – this means that the processing of data is necessary for ACCO Brands’ or a third party’s legitimate interests, which are not overridden by individuals’ privacy rights;
• Entering into and Performing Contract – this means that the processing of data is necessary to enter into or perform a contract with the individual;
• Compliance with Law – this means that the processing of data is necessary to fulfil a legal obligation
• Consent – this means that the processing is done pursuant to an individual’s freely given, specific, informed, unambiguous, and demonstrable consent.

If you have any questions or want additional information about the purposes, legal bases or types of data processed, please contact us at DataPrivacy@acco.com.

ACCO Brands USA LLC (ABUL)

Most of your personal data will remain with your local data controller, though personal data processed for the purposes listed below may be transferred to ABUL in the United States to comply with legal obligations or for the legitimate interests of your local data controller and ABUL. 

For the following purposes, ABUL and your local entity will act as joint controllers:

• Benefits Administration – ABUL works with your local data controller to provide stock grants and insurance benefits;
• Communications – any information posted on the ACCO Brands Corporate Intranet is managed by the ACCO Brands Corporate Communications team, which works for ABUL;
• Administration of Business – to efficiently manage the entire ACCO Brands company group, ABUL processes personal data to provide central budgeting, expense management, planning, calibration, headcount, auditing, IT systems, and IT infrastructure;
• Cyber Security – the corporate Cyber Security team (which works for ABUL) processes personal data to provide central multi-factor authentication support, spam and virus filtering of emails, URL and firewall filtering, investigating cyber security incidents. The Cyber Security team also performs periodic phishing campaigns to measure employees’ ability to identify and properly respond to potential phishing emails;
• Promoting Compliance with Company Policies and the Law – the Corporate Compliance team (which works for ABUL) processes personal data as part of managing ACCO Brands’ compliance program (communications, training, auditing, and investigations) relating to anti-corruption, trade sanctions, money laundering, antitrust/fair competition, conflicts of interest, data protection, and other topics covered in the Code of Conduct;
• Responding to Lawful Governmental Requests and Voluntarily Providing Information to the Government – in the event ACCO Brands receives a request for information from a governmental body, ABUL may be required to or may voluntarily provide to the government personal data, such as to demonstrate compliance with applicable laws; and
• Making and Defending Legal Claims – significant litigation or legal actions are centrally managed by the ACCO Brands Legal and Compliance Department (which works for ABUL) and processes personal data in connection with making or responding to legal claims.

Potential Purchasers

We do not sell your personal data, though we may transfer that information to a potential purchaser of our business, including the potential purchaser’s consultants, attorneys, or financial advisers.

Service Providers

Finally, we also share personal data with the following categories of third parties:

• ACCO Brands affiliates (list of ACCO Brands affiliates);
• IT service providers;
• payroll service providers;
• travel agencies and travel service providers;
• medical service providers, doctors, and third-party administrators for workers’ compensation claims;
• recruiters, social media platforms, and career websites;
• insurance and benefit providers;
• auditors, accountants, and actuaries;
• banks, credit card companies, payment service providers, financial brokers, and electronic stock trading platforms;
• training, survey, and assessment providers;
• attorneys, consultants, and investigators;
• local, state, federal, or other government authorities or law enforcement officials; and
• other individuals, organizations, or associations as necessary in furtherance of the interests of employees, contractors, or ACCO Brands.

We require third-party data processors to implement adequate technical and organizational measures to protect personal data, to notify us of a potential data breach, and not to use personal data for purposes other than providing services to us.

Personal data may be transferred to ABUL and service providers in the United States as described above.  Personal data regarding employees in the European Economic Area (“EEA”) may be transferred to service providers and regional HR management located in the EEA and the United Kingdom.

Whenever data is sent to third-party countries, we take steps to ensure it is adequately protected.  This is done through government-approved adequacy decisions, certifications, Binding Corporate Rules, or Standard Contractual Clauses.  If you have questions about the methods we use to ensure adequate data protection, you can reach out to DataPrivacy@acco.com at any time.

You have rights over how your personal data is used, including:

• to request details regarding the processing of your personal data;
• to request a copy of your personal data;
• to have your personal data transferred to another data controller;
• to correct or delete your personal data;
• to withdraw your consent, where we rely on that consent to process your data;
• to object to or restrict the processing of your personal data; and
• to submit a complaint with your regional data protection authority.

Exercising Rights

You can exercise your rights by contacting your local Human Resources team or by contacting us using the information in the “Whom do I contact with any questions or concerns about my personal data?” section below. 

Limitations

These rights may be limited, for example, if during the fulfilment of your request, information about another individual would be disclosed or if you ask us to delete data that we are legally required to store or need to operate our business.  They may also be limited by legal privileges and protections.

Also, if you revoke your consent or refuse to give consent, we will be unable to process your data for that specific purpose.  The revocation of consent will apply to all processing after the date of revocation but not to processing that occurred before that date.

Complaints

If you have a privacy concern, you can reach out using the contact details in the “Whom do I contact with any questions or concerns about my personal data?” section below.    You also have the right to lodge a complaint with the relevant data protection authority for your region.

We will keep your personal data for as long as needed to fulfil the purpose for which it was collected.  We will also maintain your information as needed to establish compliance with our legal obligations.  For more details, please see the ACCO Brands Record Retention Policy and Schedule, available on the corporate intranet.

As our business evolves and new processes are implemented or changed, we may need to update this notice.  If there are any significant changes to this notice, we will notify you in writing, such as by email.  We will also update the Effective Date to show the most recent revision date.

If you have any concerns about this notice or your personal data, we recommend you contact your local Human Resources team.  You can also reach out to DataPrivacy@acco.com at any time. 

For certain regions, ACCO Brands has appointed local data protection officers.  Any questions or concerns about your personal data can be sent to the relevant data protection officer using the contact details below:

• Brazil – DataPrivacy@acco.com
• Germany – DataPrivacy@acco.com

ABUL has appointed the following data protection representative in the EU:

Leitz ACCO Brands GmbH & Co KG
Siemensstraße 64,
70469 Stuttgart, Germany
DataPrivacy@acco.com

ABUL has appointed the following data protection representative in the UK:

ACCO UK Limited
Millennium House, 65 Walton Street
Aylesbury, Buckinghamshire, HP21 7QG
DataPrivacy@acco.com

In some regions, additional legal requirements may apply, and we may also collect other types of personal data.  Below is a list of country-specific provisions.

Austria

• Religion Information – information regarding your religion to pay religious taxes on your behalf (subject to your consent); and
• Trade Union Information – information regarding your membership to a works council to pay membership dues on your behalf (subject to your consent).

Belgium

• Trade Union Information – information regarding your membership to a works council to pay membership dues on your behalf (subject to your consent).

Brazil

• Biometric Information – fingerprint data to manage attendance, timekeeping, and access to our facilities (subject to your consent);
• Race and Ethnicity Information – race details for government reporting purposes, as required by law (subject to your consent);
• Disability Status Information – disability status details for government reporting purposes, as required by law; and
• Trade Union Membership – trade union membership details in order to deduct and pay union dues from your payroll (subject to your consent).

France

• Copy of Your Work Permit to Verify Right to Work – a copy of your work permit is stored by HR to verify your right to work; the legal basis is compliance with law Article R. 620-3 of the Labour Code;
• Trade Union Information – names and details of union representatives, employee representatives, and representatives of the Social and Economic Committee (CSE) are processed in order to provide representatives with benefits in connection with those activities; the legal basis is compliance with law, in line with Articles L2411-5 and L2142-1-3 of the Labour Code;
• Personal Information for Election of Employee Representatives - a list of eligible candidates and voting employees, including their name, date of birth and seniority is posted and made available to employees to conduct employee representative elections; the legal basis is compliance with law, in line with Articles L2314-18 et seq. of the Labour Code;
• Personal Information for the Provision of Social and Cultural Services – employee names and details are shared with the Social and Economic Committee (CSE) to provide social and cultural services and benefits; the legal basis is your consent; and
• Disability Status and Other Personal Information – disability status, veteran status, and other categories of personal data are processed in order to provide additional support to which you may be legally entitled; the legal basis is consent and compliance with Law n° 87-517 July 10, 1987, Recognition of the Status of Disabled Worker (RQTH)” and article L5213 of the Labour Code.

Germany

• Copy of Residence Permit to Verify Your Right to Work – copy of your residence permit stored by HR to verify your right to work; the legal basis under German law is Section 26(1) of the Bundesdatenschutzgesetz;
• Information for Relocation Services – information necessary to assist you with moving from one location to another; the legal basis under German law is Section 26(1) of the Bundesdatenschutzgesetz;
• Personal Email Address and Phone Number – personal contact details; the legal basis under German law is Section 26(1) of the Bundesdatenschutzgesetz; and
• Religion Information – information regarding your religion to pay religious taxes on your behalf; the legal basis under German law is Section 26(1) of the Bundesdatenschutzgesetz.

Italy

• Trade Union Information – information regarding your membership to a works council to pay membership dues on your behalf (subject to your consent).

Poland

• Personal Information for the Administration of Employee Capital Plan – personal information as required to comply with Act of 4 October 2018 on Employee Capital Plans; the legal basis is compliance with law;
• Health Information – disability status and other categories of health data are processed in order to provide additional support and benefits to which you may be legally entitled; the legal basis is compliance with law;
• Copy of Your Work Permit to Verify Right to Work – a copy of your work permit stored by HR to verify your right to work; the legal basis is compliance with law, in line with 2 and 3 of the Act of 15 June 2012;
• Bank Account Details – bank account details are processed in order to make payments to your bank account, unless you have requested for payments to be paid directly to you in cash; the legal basis is consent;
• Car Details – information about your private car is processed to arrange permits and car allowances where applicable; the legal basis is legitimate interests; and
• Trade Union Information – trade union membership details in order to deduct and pay union dues from your payroll (subject to your consent) and to provide representatives with benefits in connection with those activities; the legal basis is compliance with Labour Law.

Portugal

• Biometric Information – fingerprint data to manage attendance, timekeeping, and access to our facilities, only as permitted by national law; and
• Trade Union Information – information regarding your membership to a trade union to pay membership dues on your behalf (subject to your consent).

Spain

• Trade Union Information – information regarding your role as an employee representative (subject to your consent).

Sweden

• Trade Union Information – information regarding your membership to a trade union to pay membership dues on your behalf (subject to your consent).

Switzerland

• Religion Information – information regarding your religion to pay religious taxes on your behalf (subject to your consent).

United Kingdom

• Health Information – As permitted under the UK Data Protection Act 2018, we collect information regarding the reason for an employee’s absence from work as well as the medical advice or treatment sought to determine whether an adjustment is needed or whether the employee is fit to work.
• Copy of Identity Card to Verify Right to Work – copy of your identity card stored by HR to verify your right to work; the legal basis under UK law is the Immigration, Asylum and Nationality Act 2006.

United States

• Race and Ethnicity Information – race details for promoting diversity and government reporting purposes, per our legitimate interests and legal obligations;
• Social Media Information – social media information you voluntarily share with us such as when you apply for a position with our company via LinkedIn, per our legitimate interests; and
• Past Address History – past address history collected during the recruitment process, per our legitimate interest.
• Privacy Rights – the rights mentioned in the “What rights do you have?” section are only available to individuals in the state of California.