Privacy and Personal Information

Northland Controls Privacy Notice

Please read this Privacy Notice (“Notice”) carefully as it contains important information related to your Personal Data under Data Protection Laws.

This Notice applies to all of our legal entities which operate globally as a part of our group, Northland Controls and detailed as followed:

Northland Control Systems Inc, USA
Northland Control Systems Inc (Taiwan)
Northland Control Systems Inc (India)
Northland Controls Limited, UK
Northland Controls Ireland Ltd
Northland Controls Information Technology (Shanghai) Co Ltd
Northland Controls Pte Ltd (Singapore)
Northland Controls Sdn Bhd (Malaysia)
Norhtland Controls (HK) Ltd
Northland Controls (Japan) K.K
Northland Controls (India) Private Limited
Northland Controls Germany GmBH

This Notice explains how and why we collect, store, use, and share your Personal Data. It also explains your rights related to your Personal Data, including how to contact us in the event you have a complaint.

1. Glossary

To help you understand our Privacy Notice, we have put together a glossary of the key terms we use and their meanings.

Consent: Refers to when an individual gives agreement which is freely given, specific, informed and is an unambiguous indication of their wishes. It is done by a statement or by a clear positive action in respect of the Processing of any Personal Data relating to them.

Business: Refers to any legal entity that operates for profit in California and determines the purposes and means of the Processing of Personal Data and meets one of three thresholds outlined by the California Consumer Privacy Act 2018 (“CCPA”) (and as amended by the California Privacy Rights Act 2023 (“CPRA”)).

Data Controller: Refers to any legal entity that determines when, why and how to Process Personal Data. It is responsible for establishing policies and procedures in line with Data Protection Laws.

Data Processor: Refers to any legal entity that Processes Personal Data on behalf of a Data Controller. It is responsible for establishing policies and procedures in line with Data Protection Laws and also its contractual obligations with Data Controllers.

Data Protection Laws: Refers to the CCPA, CPRA, UK GDPR, UK Data Protection Act 2018, UK Privacy and Electronic Communications Regulations, the European Union’s General Data Protection Regulation (GDPR) 2016/679, Privacy and Electronic Communications (EC Directive) Regulations 2003, Singapore Personal Data Protection Act 2012, China Personal Information Protection Law 2021 and India Digital Personal Data Protection Act 2023 as well as any other applicable laws relating to Personal Data.

Data Subject: Refers to a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Legitimate Interest: Refers to when an organization’s interests are legitimate (as they need to do something to operate) and these interests do not override an individual’s interests or fundamental rights and freedoms.

Personal Data: Refers to any information identifying an individual or information relating to an individual that an organization can identify (directly or indirectly) from that data alone or in combination with other identifiers that it Processes. Personal Data includes Special Category Data and pseudonymised Personal Data. Personal Data excludes anonymous data or data that has had the identity of an individual permanently removed.

Process, Processing and Processed: Refers to any activity that involves the use of Personal Data. It includes obtaining, recording or holding the Personal Data, or carrying out any operation or set of operations on the Personal Data including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Service Provider: Refers to any legal entity that operates under a service provider contract and fulfils the following characteristics: operates for profit, receives consumers’ personal information from a business and Processes the Personal Data on behalf of a business under the CCPA and CPRA.

Special Category Data: Refers to more sensitive information including that which reveals racial or ethnic origin, religious or similar beliefs, physical or mental health conditions and biometric or genetic data of an individual.

UK GDPR: Refers to the retained version of the European Union’s General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).

2. What is our approach to data protection compliance?

As we believe that protecting the confidentiality and integrity of Personal Data is a critical responsibility that we must take seriously at all times, we have built a robust data protection compliance program. Our data protection compliance program includes a governance framework, record of processing of activities / data register, notices, policies and procedures, technical security controls as well as training and communications material for employees.

Our data protection compliance program is built on the following principles:

•Personal Data must be Processed lawfully, fairly and in a transparent manner.
•Personal Data must be collected only for specified, explicit and legitimate purposes.
•Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
•Personal Data is accurate and where necessary, kept up to date.
•Personal Data should not be kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the Personal Data is Processed.
•Personal Data must be Processed in a manner that ensures its security using appropriate technical and organizational measures to protect it against unauthorized or unlawful Processing and against accidental loss, destruction or damage.

3. How is Northland Controls categorised under Data Protection laws?

Data Protection Laws have created the concepts of a Data Controller (also known as a Business) and a Data Processor (also known as a Service Provider). All of the entities within the Northland Controls act as Data Controllers and Businesses as defined under Data Protection Laws.

The reasons for which our entities are Data Controllers are outlined below:

•We decide what to collect in respect of the Personal Data, whether it be from our websites or from third parties where we source data including Personal Data.

•We determine what the purpose and outcome of the Processing will be and do this through our bespoke and value-driven consultancy services for our customers.

•We decide which Data Subjects to collect Personal Data about and on what specifically. We do this again, through our bespoke and value-driven consultancy services whereby we engage with customers and identify how best to support them in growing their business.

•We make decisions about the Data Subjects as part of the Processing in that we determine whether those Data Subjects would find benefit and interest in a specific campaign that we are supporting our customers with at the time.

•We exercise professional judgement in the Processing of the Personal Data as we are not a data broker and instead a thought-driven consultancy service which evaluates, assesses and critically considers Personal Data that it has obtained and formulates a strategy on how to utilize relevant part of that Personal Data for the benefits of our customers and Data Subjects.

•We have complete autonomy as to how the Personal Data is Processed. This is because we have built proprietary tools and determine how to operate our business and how to support and advise our customers in the best manner possible. We are not directed by our customers in how we must Process the Personal Data.

•Where applicable, the Northland Controls has registered with the appropriate data protection supervisory authorities. Examples of the authorities which govern the Northland Controls are listed as follows - Federal Trade Commission in the United States of America (“USA”) and Information Commissioner’s Office (“ICO”) in the United Kingdom (“UK”).

4. What Personal Data do we collect about you?

(a) Applicants for employment

Personal Data Categories
Identification Data (including Special Category Data under some Data Protection Laws) •
• Name
• Address
• Telephone number
• Email address
• Social security number (USA or Canada), National Insurance number (UK) or Personal Public Service number (Republic of Ireland) or other such government or tax identification number (where applicable)
• Drivers license number (where applicable)
• Passport number and information
• Date of birth

Special Category Data
• Disability, biometric (such as photographs and video footage) and genetic information where you choose to provide it as part of the recruitment process (such as in order to inform of us of any reasonable adjustments that we need to put in place during the interview process)

Pre-Employment Data
• Background screening information (including checks on criminal offences and convictions, credit, drug screening results/toxicology and past employment checks)
• Academic and professional qualifications and certificates (including dates)
• Current and past employers (including dates)

Technical and Usage Data
• Internet protocol (“IP”) address (if you are submitting your application via our website)
• Google Advertiser ID or other identifiers for advertising
• Browsing history on our website, application or advertisement
• Search history on our website, application or advertisement

(b) Potential and existing customers

Personal Data Categories Examples of Personal Data Processed
Identification Data (including Special Category Data under some Data Protection Laws)
• Name
• Address
• Telephone number
• Email address
• Online account name

Financial Data
• Bank account details
• Tax numbers
• Invoices

Invoices
• IP address
• Google Advertiser ID or other identifiers for advertising
• Browsing history on our website, application or advertisement
• Search history on our website, application or advertisement

(c) Potential and existing third-party suppliers

Personal Data Categories Examples of Personal Data Processed
Identification Data (including Special Category Data under some Data Protection Laws)
• Name
• Address
• Telephone number
• Email address
• Online business account name

Financial Data
• Bank account details
• Tax numbers
• Invoices

Technical & Usage Data
• IP address
• Google Advertiser ID or other identifiers for advertising
• Browsing history on our website, application or advertisement
• Search history on our website, application or advertisement

5. Why do we Process your Personal Data?

Under Data Protection Laws, we can only use your Personal Data if we have a proper legal reason for doing so.

Data Subject type
Applicants for employment, legal reasons:
• For the performance of our contract with you or to take steps before entering into a contract with you.
• For our Legitimate Interests or those of a third party.
• Where you have given Consent.

Potential and existing customers, legal reasons:
• For the performance of our contract with you or to take steps before entering into a contract with you.
• For our Legitimate Interests or those of a third party.
• Where you have given Consent.
• To comply with our legal and regulatory obligations.

Generated leads, legal reasons:
• For our Legitimate Interests or those of a third party.
• Where you have given Consent.

Website visitors, legal reasons:
• For our Legitimate Interests or those of a third party.
• Where you have given Consent.

Potential and existing third-party suppliers, legal reasons:
• For the performance of our contract with you or to take steps before entering into a contract with you.
• For our Legitimate Interests or those of a third party.
• Where you have given Consent.
• To comply with our legal and regulatory obligations.

6. Where do we collect your Personal Data from?

We collect most Personal Data directly from you when you provide such information directly to us and when such information is collected in connection with your application for employment, through our lead generation techniques – in person, by telephone, text, email, web applications, and/or via our websites.

Other sources from which we may collect your Personal Data are outlined below:

• From publicly accessible sources (e.g., property records).
• Directly from our third-party suppliers (e.g., background screening providers).
• Our subsidiaries and affiliates.
• From our Information Technology (“IT”) systems, including automated monitoring of our websites and other technical systems, such as our computer networks and connections, communications systems, email and instant messaging systems, CCTV and security systems.

7. Where do we store your Personal Data?

Personal Data may be held at our offices and those of our representatives, agents, and third-party suppliers including Service Providers. For generated leads, your Personal Data may also be held at the offices and technology of our customers that purchased your generated lead data.

If you are a Data Subject of the UK or EEA, the Personal Data that we collect from you and Process as a result of an application for employment, lead generation, use of our services, or use of our websites may be transferred to, and stored at, a destination in the UK, Ireland, the USA, India, Singapore, China or other countries. It may also be Processed by staff who work for us or our third-party suppliers operating in the UK, Ireland, the USA, India, Singapore, China or other countries.

8. Who do we share your Personal Data with?

We routinely share Personal Data and have explained more information on who we share itwith below.

Data Subject type

• Our third-party applicant tracking system.
• Our HR team including, but not limited to, our hiring managers, operational leaders responsible for any role(s) that you have applied and for future positions that may become available, and other employees that may interview or consider you for employment for either a position that you have applied or future positions that may become available.
• Service Providers necessary for pre-employment screening.
• Other third parties we use to help run our business and necessary for pre-employment screening, including customers in the instance where we plan to place an employment applicant at a customer’s location for a significant time. However, when we share your Personal Data with customers for pre-employment screening purposes, we only share the applicant’s name and employment history — we do not share any Special Category Data.
• Our subsidiaries and affiliates.

Potential and existing customers
• Our employees necessary to provide our services and customer support.
• Service Providers necessary to provide and help deliver our services.
• Other third parties we use to help run our business and necessary to provide our services and support customers.
• Our subsidiaries and affiliates.

Generated leads
• Our employees to generate leads, provide leads to our customers, provide our services and customer support.
• Service Providers necessary to provide and help deliver our services.
• Customers if they are Qualified Leads.
• Other third parties we use to help run our business and necessary to provide our services and support customers.
• Our subsidiaries and affiliates.
Website visitors • Service Providers we use to help deliver our services and maintain our website.
• Other third parties we use to help us run our business, such as social media sites, search engines, marketing agencies or website hosts.
• Our subsidiaries and affiliates.

Potential and existing third party suppliers
• Our employees necessary to engage with you and utilize your services.
• Our subsidiaries and affiliates.

We may also share Personal Data with the organizations listed below:
• External auditors.
• Law enforcement agencies including national security agencies such as the Federal Trade Commission in the United States or other U.S authorized statutory bodies.
• Courts as required by court order or required by litigation.
• Regulatory bodies to comply with our legal and regulatory obligations.

9. How long do we store your Personal Data?

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting, or reporting requirements.

We will hold Personal Data for the period we are required to retain this information by applicable tax and contract law plus one year (currently 7 years). In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

10. Where do we transfer your Personal Data?

We may transfer your Personal Data to other Northland Controls businesses which are located outside the European Economic Area (EEA) in order to respond to any queries submitted to us via our website or social channels.

You can see the full list of the countries where Northland Controls operates using the country sites selector in the top navigation of our website.

Whenever we transfer your Personal Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
• Where required, we may use Standard Contractual Clauses approved by the EU Commission, or similar contractual clauses in other jurisdictions, along with other appropriate supplemental measures to protect the data being transferred. This includes transfers to suppliers or other third parties.

11. What are your rights relating to your Personal Data?

Under Data Protection Laws, you have rights including:

• Your right of access – you have the right to ask us for copies of your personal data.
• Your right to rectification - you have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure – you have the right to ask us to erase your personal data in certain circumstances.
• Your right to restriction of processing – you have the right to ask us to restrict the processing of your personal data in certain circumstances.
• Your right to object to processing – you have the right to object to the processing of your personal data in certain circumstances.
• Your right to data portability – you have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.
• Your right to withdraw consent – when we use consent as our lawful basis you have the right to withdraw your consent.

You don’t usually need to pay a fee to exercise your rights. If you make a request, we have one calendar month to respond to you.

To make a data protection rights request, please contact us using the contact details at the bottom of this privacy notice.

12. Where can I make a complaint regarding the use of my Personal Data?

If you are a resident of the European Economic Area or United Kingdom or Switzerland, in the event you consider our processing of your Personal Data not to be compliant with the applicable data protection laws, you can lodge a complaint directly with us by sending an email to dpo@northlandcontrols.com and providing specific details of the complaint, including the name of your company if applicable.

You may also be eligible to lodge a complaint with the competent data protection authority in the following jurisdictions:

Jurisdiction Competent Authority
European Union countries Various http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

United Kingdom Information Commissioner’s Office https://ico.org.uk/global/contact-us/.

United States of America Federal Trade Commission https://www.ftc.gov/ or to the State’s Office of the Attorney General
Singapore Personal Data Protection Commission https://www.pdpc.gov.sg/

China No single authority (sectoral regulation.) The PIPL notes that the Cyberspace Administration of China (CAC) is responsible for planning and coordination of personal information protection and related supervision
India Data Protection Board of India (yet to be established)

13. Links to and from our website
    Our website has external links to press releases and other relevant webpages and resources provided by third parties. These are provided for information only. We have no control over the content of these websites or resources and do not accept responsibility for them, or any materials found upon them. Northland Controls will not be liable for any loss or damage that may arise from your use of these external links.

14. Our contact details

Write to us at: Northland Controls Ltd, Northland House, Fifth Avenue, LETCHWORTH GARDEN CITY, SG6 2TS, UK
Email us at: dpo@northlandcontrols.com

Last Revision: June 2024