EEA & UK Team Member Privacy Notice
Effective Date: 5 December 2022
Scope and Overview
Mindbody is committed to protecting the privacy and security of your Personal Data (as defined below). This Privacy Notice describes how MINDBODY, Inc., MINDBODY, Ltd. and Mindbody's subsidiaries, affiliates, and related entities (collectively, “Mindbody,” “we,” or “us”) collect and process Personal Data about you during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This Privacy Notice applies to current and former employees, directors, workers, consultants and contractors (“team members”) only. This Privacy Notice applies to team members located in the United Kingdom or the European Economic Area. The following is a list of Mindbody affiliates (with their locations) that jointly process and use Personal Data of Mindbody team members: (1) MINDBODY, Inc. - United States of America; (2) MINDBODY, Ltd. - United Kingdom; and (3) MINDBODY Australia Pty Ltd. - Australia.
This Privacy Notice describes the categories of Personal Data that we collect, how we use your Personal Data, how we secure your Personal Data, when we may disclose your Personal Data to third parties, and when we may transfer your Personal Data outside of your home jurisdiction. This Privacy Notice also describes your rights regarding the Personal Data that we hold about you including how you can access, correct, and request erasure of your Personal Data.
We will only process your Personal Data in accordance with this Privacy Notice unless otherwise required by applicable law. We take steps to ensure that the Personal Data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.
Collection of Personal Data
For purposes of this Privacy Notice, “Personal Data” means any information about an identifiable individual. Personal Data excludes anonymous or de-identified data that is not associated with a particular individual. To carry out our activities and obligations as an employer, we may collect, store, and process the following categories of Personal Data, which we require for the purpose of administering the employment relationship with you:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Date of birth.
- Marital and dependent status, only when needed to administer benefits such as health insurance or pension benefits.
- Beneficiary and emergency contact information.
- Government identification numbers such as social insurance or other national insurance number, driver's license number, or other identification card number.
- Bank account details and payroll information.
- Wage and benefit information.
- Performance information.
- Insurance enrollment information.
- Start date and job titles you have held as a team member.
- Location of employment.
- Education and training.
- Employment records (including professional memberships, references, work history, and proof of work eligibility).
- Photograph for identification and security purposes.
- Other personal details included in a resume or cover letter or that you otherwise voluntarily provide to us.
The Personal Data listed in this Privacy Notice is necessary for us to administer the employment relationship. Failure to provide or allow us to process necessary Personal Data may affect our ability to accomplish the purposes stated in this Privacy Notice. If applicable, you agree to inform your dependents whose Personal Data you provide to Mindbody about the content of this Privacy Notice, and ensure you have the right to provide that information to Mindbody.
Use of Personal Data
We only process your Personal Data where applicable law permits or requires it, including where the processing is necessary for the performance of our employment contract with you, where the processing is necessary to comply with a legal obligation that applies to us as your employer, for our legitimate interests or the legitimate interests of third parties, to protect your vital interests, or with your consent if applicable law requires consent. We may process your Personal Data for the following legitimate business purposes:
- Team Member administration (including payroll and benefits administration).
- Business management and planning.
- Processing Team Member work-related claims (for example, insurance claims).
- Accounting and auditing.
- Conducting performance reviews and determining performance requirements.
- Assessing qualifications for a particular job or task.
- Gathering evidence for disciplinary action or termination.
- Complying with applicable law.
- Education, training, and development requirements.
- Health administration services.
- Complying with health and safety obligations.
We will only process your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to process your personal data for an unrelated purpose, we will provide notice to you and explain the legal basis which allows us to do so. We may process your personal data without your knowledge or consent only where required by applicable law or regulation.
We may also process your personal data for our own legitimate interests, including for the following purposes:
- To prevent fraud.
- To ensure network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution.
You will not be subject to decisions based on automated data processing without your prior consent.
Collection and Use of Special Categories of Personal Data
The following special categories of personal data are considered particularly sensitive under the laws of your jurisdiction and may receive special protection:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data.
- Data concerning health.
- Data concerning sex life, sexual orientation or gender identification.
We may collect and process the following special categories of personal data when you voluntarily provide them for the following legitimate business purposes, to carry out our obligations under employment law, for the performance of the employment contract, or as applicable law otherwise permits:
- Trade union membership information to:
- pay trade union premiums; and
- comply with employment law obligations.
- Data relating to leaves of absence to comply with employment law, including sick notes and evidence of fitness to work where necessary.
- Physical or mental health condition or disability status to ensure team member safety in the workplace, provide appropriate workplace accommodations or reasonable adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay and pensions.
- We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Where we have a legitimate need to process special categories of Personal Data about you for purposes not identified above, we will only do so only after providing you with notice and, if required by law, obtaining your prior, express consent.
Information about Criminal Convictions or Offences
We may only use information relating to criminal convictions or offences where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations. Less commonly, we may use information relating to criminal convictions or offences where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
We will only disclose your Personal Data to third parties where required by law or to our team members, contractors, designated agents, or third-party service providers who require such information to assist us with administering the employment relationship with you, including third-party service providers who provide services to us or on our behalf. Third-party service providers may include, but not be limited to, payroll processors, benefits administration providers, data storage or hosting providers, professional advisors (e.g., accountants, lawyers, bankers), or corporate transactions (i.e., a third party connected to a proposed or actual reorganization, merger, etc.). These third-party service providers may be located outside of your home jurisdiction.
We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your Personal Data consistent with our policies and any data security obligations applicable to us as your employer. We do not permit our third-party service providers to process your Personal Data for their own purposes. We only permit them to process your Personal Data for specified purposes in accordance with our instructions.
We may also disclose your Personal Data for the following additional purposes where permitted or required by applicable law:
- To other members of our group of companies (including outside of your home jurisdiction) for the purposes set out in this Privacy Notice and as necessary to perform our employment contract with you.
- As part of our regular reporting activities to other members of our group of companies.
- To comply with legal obligations or valid legal processes such as search warrants, subpoenas, court orders, or other lawful requests by public authorities, including to meet national security or law enforcement requirements. When we disclose your Personal Data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum Personal Data necessary for the specific purpose and circumstances.
- To protect the rights and property of Mindbody.
- During emergency situations or where necessary to protect the safety of persons.
- Where the Personal Data is publicly available.
- If a business transfer or change in ownership occurs and the disclosure is necessary to complete the transaction. In these circumstances, we will limit data sharing to what is absolutely necessary and we will anonymize the data where possible.
- For additional purposes with your consent where such consent is required by law.
Cross-Border Data Transfers
Where permitted by applicable law, we may transfer the Personal Data we collect about you to the United States that may not be deemed to provide the same level of data protection as your home country, as necessary to perform our employment contract with you and for the purposes set out in this Privacy Notice. Some of these countries are recognized by the European Commission as providing an adequate level of protection according to EEA standards (the full list of these countries is available here.) We rely on standard contractual clauses (based on the clauses published at Standard contractual clauses for international transfers | European Commission (europa.eu) (for the EEA) and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ (for the UK), a copy of which can be obtained by Contacting Us, see below) for transfers of personal data from the EEA.Team members in the UK and EEA may obtain a copy of these measures by contacting [email protected] or by reaching out to your business partner.Mindbody is responsible for the processing of personal data it has received under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Mindbody complies with the Privacy Shield Principles for all onward transfers of personal data from the UK and the EU, including the onward transfer liability provisions.
Our policy is to respect and protect personal data collected or maintained by us. In furtherance of our commitment to this policy, MINDBODY, Inc. has certified to adhere to the Privacy Principles set forth in the U.S.-EU Privacy Shield Framework regarding personal data related to team members in the European Economic Area ("EEA") and processed in support of our human resources operations. We adhere to the Privacy Shield principles as agreed to by the U.S. Department of Commerce and the European Commission. With respect to personal data received or transferred pursuant to Privacy Shield, Mindbody is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. Our commitment to participate in the Privacy Shield program can be found at the following DOC website located at https://www.privacyshield.gov that officially lists all U.S. entities that have registered for the program. We have further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship. If there is any conflict between the terms in this notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
Recourse, Enforcement, and Liability
We periodically verify that this policy is accurate and comprehensive for the information intended to be covered, is disseminated to its employees, is completely implemented and accessible and is in conformity with the Principles set forth in this Policy. We encourage interested persons to raise any concerns using the contact information provided below and will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles.
- For EU residents, Mindbody has agreed to cooperate with the European Data Protection Authorities [https://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm] for the purpose of handling any unresolved complaints regarding Personal Data concerns. EU Data Subjects (employees) may engage their local Data Protection and/or Labor Authority concerning adherence to the Principles and the Company shall respond directly to such authorities with regard to investigations and resolution of complaints. For UK Data Subjects, (employees) may engage the Information Commissioner's Office (ICO) [https://ico.org.uk/] concerning adherence to the Principles and the Company shall respond directly to such authorities with regard to investigations and resolution of complaints.
- Under certain conditions, more fully described on the Privacy Shield website [https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint], you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Data Security We have implemented appropriate physical, technical, and organizational security measures designed to secure your Personal Data against accidental loss and unauthorized access, use, alteration, or disclosure. In addition, we limit access to Personal Data to those team members, agents, contractors, and other third parties that have a legitimate business need for such access.
Except as otherwise permitted or required by applicable law or regulation, we will only retain your Personal Data for as long as necessary to fulfill the purposes for which we collected it, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. To determine the appropriate retention period for Personal Data, we consider our statutory obligations, the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data, and whether we can achieve those purposes through other means. We specify the retention periods for your Personal Data in our data retention policy.
Under some circumstances we may anonymize your Personal Data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent. Once you are no longer a team member of Mindbody, we will retain and securely destroy your Personal Data in accordance with our document retention policy and applicable laws and regulations.
Rights of Access, Correction, Erasure, and Objection
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your employment. By law you may have the right to request access to, correct, and erase the Personal Data that we hold about you, or object to the processing of your Personal Data under certain circumstances. You may also have the right to request that we transfer your Personal Data to another party. If you want to review, verify, correct, or request erasure of your Personal Data, object to the processing of your Personal Data, or request that we transfer a copy of your Personal Data to another party, please contact us at [email protected]. Any such communication must be in writing.
We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the Personal Data that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the Personal Data that we hold about you, or we may have destroyed, erased, or made your Personal Data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your Personal Data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
Right to Withdraw Consent
Where you have provided your consent to the collection, processing, or transfer of your Personal Data, you have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, if applicable, contact us at [email protected]line.com.
Data Protection Contact
If you have any questions about this Privacy Notice or how we handle your Personal Data, or would like to request access to your Personal Data, please contact us at: [email protected]. You also may lodge a complaint with a Data Protection Authority for your country or region or in the place of the alleged misconduct https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
Changes to This Privacy Notice
We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice prior to making any updates. If we would like to use your previously collected Personal Data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your Personal Data for a new or unrelated purpose. We may process your Personal Data without your knowledge or consent only where required by applicable law or regulation.
If you have any questions about our processing of your Personal Data or would like to make an access or other request, please contact us at: [email protected]. If you are unsatisfied with our response to any issues that you raise, you have the right to make a complaint with the data protection authority in your jurisdiction.
People & Culture
One Ave - Farringdon - Office 300
16 St John's Lane London, EC1M 4BS