Candela Corporation, together with its affiliates (“Candela” or “we”), is committed to protecting your personal data and your privacy. We endeavor to ensure that any personal data we collect about you will be held and processed strictly in accordance with applicable data protection legislation.
If you are resident in the EU or work for one of our EU entities (“GDPR Subjects”), this will include the European General Data Protection Regulation (“GDPR”) or the applicable local law implementing or adopting the GDPR (“Applicable Local Laws”). If you are a resident of California, this will include the California Consumer Privacy Act and California Privacy Rights Act (“CCPA” and “CPRA”). If you are a resident of the People’s Republic of China (“PRC” or “China”, excluding Hong Kong, Macau and Taiwan for the purpose of this Privacy Notice), this will include the Personal Information Protection Law (“PIPL”) and other applicable laws and regulations (Chinese privacy laws). Please see the sections “Additional Information for GDPR Subjects”, “Additional Information for Residents of California” and “Additional Information for Residents of China” below, for further information.
The terms Personal Data, Data Controller and processing have the meanings given to them in the GDPR (which can be accessed here), unless otherwise indicated. “Personal Data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Candela has created this Employee Privacy Notice to explain how and why we collect Personal Data about you (“Your Data”), what that data is, under what circumstances we may disclose or transfer it, and how long we store it for. It provides you with certain information that must be provided to you under the GDPR and other applicable data protection legislation.
It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing Personal Data about you, so that you are aware of how and why we are using such information and what your rights are under the data protection legislation.
This Privacy Notice sets out information relating to the Personal Data we collect from or about you when you work for us, whether as an employee, worker or contractor. It applies to current and former employees, workers and contractors.
This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical.
For the purposes of the GDPR and Applicable Local Laws, Candela is the “data controller” of Your Data. This means that we are responsible for deciding how we hold and use Your Data.
If you have any queries regarding this notice or complaints about our use of Your Data, please contact your local Human Resources representative and we will do our best to deal with your complaint or query as soon as possible.
Personal Data means any information relating to a person who is identified or can be identified. It does not include data where the identity has been removed and cannot be recovered (anonymous data). There are certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation. Information about criminal convictions also warrants this higher level of protection.
We will collect, store, and use the following categories of Personal Data about you:
We may also collect, store and use the following more sensitive types of Personal Data (known as “Special Category Data”):
We collect Personal Data about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or headhunter. We may sometimes collect additional information from third parties including former employers.
We may also collect Personal Data from the trustees or managers of pension arrangements operated by a group company.
We will collect additional Personal Data in the course of job-related activities throughout the period of you working for us.
We will only use your Personal Data when the law allows us to. Most commonly, we will use your Personal Data in the following circumstances:
We may also use your Personal Data in the following situations, which are likely to be rare:
We need all the categories of information in the list in 2.1 above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations such as declarations to tax authorities. In some cases we may use your personal data to pursue legitimate interests, such as to inform your next of kin if you are injured at work, provided your interests and fundamental rights do not override those interests.
For the purposes of the CCPA, CPRA, GDPR and Applicable Local Laws, the table below sets out the purposes for which we are processing or will process Your Data, the legal basis for such processing and the main categories of data involved.
Purpose | Legal Basis | Categories of data involved |
Checking you are legally entitled to work in the relevant jurisdiction | Legal obligation | Name, Passport or other form of ID; Right to work documentation. |
Paying you and calculating relevant tax | Performance of contract | Name, Bank details, payroll details; Tax status, income level of your spouse, number of children/dependants and disability grade of your disabled dependants if applicable |
Providing you with benefits | Performance of contract | Name, pensions and benefits information, personal details (name, id number, address, phone number) of beneficiaries if other than employee. |
Enrolling you in a pension arrangement and administering such pension | Performance of contract | Name, pension information, personal details (name, id number, address, phone number) of beneficiaries if other than employee. |
Business management and planning, including accounting and auditing | Legitimate interest of running and managing our business; Consent | Name, performance information; Salary, annual leave, share entitlements, pension and benefits information; Location of work; Employment Records; |
Conducting performance reviews, managing performance and determining performance requirements. | Legitimate interest of managing our workforce; Consent | Name, performance information; Salary, annual leave, share entitlements, pension and benefits information; Location of work; Employment Records; |
Making decisions about salary reviews and compensation | Performance of contract | Name, performance information; Salary, annual leave, share entitlements, pension and benefits information; Location of work; Employment Records; |
Assessing qualifications for a particular job or task, including decisions about promotions, continued employment/engagement | Legitimate interest of managing our workforce; Consent | Name, performance information; Salary; Employment Records, training history, education. |
Gathering evidence for possible grievance or disciplinary hearings | Legitimate interest of protecting our workforce and following internal policies; Consent | Name; Performance information; Information about your use of our information and communications systems; Disciplinary and grievance information; Employment Records; Compensation history; |
Education, training and development requirements. | Legitimate interest of improving our workforce; Consent | Name; Performance information; Employment Records, training history, education |
Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work. | Legal obligation | Name; Performance Information; Employment Records; Medical data (around work accident only, if applicable). |
Ascertaining your fitness to work. | Legal obligation | Name; Medical certificate of aptitude |
Managing sickness absence. | Legitimate interest of managing our workforce; Consent | Name; Medical data; Employment Records |
Complying with health and safety obligations. | Legal obligation | Name; medical certificate of aptitude (fit to work), certificate of disability and special needs required -if applicable-; Employment Records |
To monitor your use of our information and communication systems to ensure compliance with our IT policies. | Legitimate interest of protecting our business; Consent | Name; Information about your use of our information and communication systems |
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of Your Data.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
We will use your Special Category Data in the following ways:
Our legal basis for using your Special Category Data in this way is that it is necessary for the purposes of carrying out our obligations under employment law i.e. for accessibility and access to our premises or, in relation to providing benefits, it is necessary to perform your employment contract and enrolment. In relation to biometric data, we rely on your consent, which shall be deemed given through your agreement and execution of our standard onboarding documents.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
We may have to share your data with third parties, including third-party service providers and other entities in the Candela group. We require third parties to respect the security of your data and to treat it in accordance with the law.
We will share Your Data with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
The third parties we may share Your Data with include third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers:
Please note that some of the above may include special category data, such as health data in relation to your healthcare benefits. The special category data that you provide directly to the benefits providers is not shared with Candela.
In the performance of your role, we may also be required to provide some of Your Data to the following types of third parties, where your role requires it:
We will also share personal data regarding your participation in any pension arrangement operated by a group company with the trustees or scheme managers of the arrangement in connection with the administration of the arrangements.
We will share Your Data with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganization or group restructuring exercise, for system maintenance support and hosting of data. We will share personal data relating to your participation in any pension arrangements operated by a group company with other entities in the group for the purposes of administering the pension.
As part of the services we provide to our clients, it may be necessary for us to share your contact details with certain of our customers or prospective customers. We will limit the amount of personal data that we share to that which is strictly necessary for the relevant purpose and all sharing will be done in accordance with the applicable law.
We may share Your Data with other third parties, for example in the context of the possible sale or restructuring of the business or an investment in the business. In this situation we will, so far as possible, share anonymized data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
We may also need to share Your Data with a regulator or to otherwise comply with the law. This may include making returns to relevant tax authorities.
All third-party service providers who are processing Your Data on our behalf and other entities in the group are required to take appropriate security measures to protect Your Data in line with our policies. We do not allow our third-party processors to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Where the third party is a controller of Your Data in its own right, we have a procedure to ensure that Your Data is shared appropriately and in accordance with our legal requirements.
We have put in place appropriate security measures to prevent Your Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to Your Data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process Your Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will only retain Your Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize Your Data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy Your Data in accordance with applicable law.
We have appointed our Vice President of Information Technology to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle Your Data, please contact the IT department using the help desk.
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of Your Data.
Under the GDPR or Applicable Local Laws, you have certain rights with respect to your Personal Data, including those set forth below.
You will not have to pay a fee to access Your Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within the legal timeframe applicable in the country, but in any event within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
In certain circumstances, we may transfer Your Data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject. Any such transfers are, at all times, made in accordance with the GDPR and/or Applicable Local Laws. Details of the circumstances and mechanisms in place to ensure compliance are set out below:
We have offices in North America, Australia, China, Japan and Hong Kong. The European Commission has ruled that Japan offers adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws.
We have also put in place an intercompany agreement which contains the Standard Contractual Clauses approved by the European Commission to ensure that all transfers of Personal Data to any member of the Candela group outside the EEA are protected to the same level as required under European data protection legislation.
Candela is a global service provider and, as such, some of our clients and prospective clients are located outside the EEA. Transfers of your personal data to these organizations are permitted under the GDPR and Applicable Local Laws because they are necessary for the performance of your employment contract with us.
Certain of our third party service providers are located outside the EEA.
Whenever we transfer Your Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
Please contact our Vice President of Information Technology if you want further information on the specific mechanism used by us in each case when transferring Your Data out of the EEA.
Under the CCPA and CPRA, California residents have certain rights with respect to your Personal Data, including those set forth below.
Sensitive personal information includes your social security number, driver license number, state identification card, passport number, financial data, precise geolocation data, genetic data, and information collected about a consumer’s health or sexual orientation.
For additional information about applicable California privacy law and Candela’s data policies concerning California residents, please see the Candela Corporation Privacy Policy, available at https://candelamedical.com/privacy-policy/. This policy contains links to Candela’s web pages to allow you to make the above requests regarding your data. You may also email any complaints, inquiries, or requests concerning your personal information to your local Human Resources representative or Candela’s Head of IT as follows: info@candelamedical.com. To make a request by phone, you may contact us by calling 800-733-8550. We will acknowledge receipt of your request within 10 days and will endeavor to respond within forty-five days of receipt of your request, but if we require more time (up to an additional forty-five days) we will notify you of our need for additional time.
Effective Date: 23/12/2023
Last Update Date: 23/12/2023
This part, which is specifically for residents of China (the “China Part”), applies only to natural persons in China. Both the Employee Privacy Notice and this China Part apply to residents of China except that, for such persons (and only for such persons), where the provisions of the Employee Privacy Notice and this China Part cannot be construed consistently, this China Part shall prevail.
The terms Personal Information, Personal Information Handler and processing have the meanings given to them in the PIPL, unless otherwise indicated. For the purpose of the Employee Privacy Notice, this China Part only applies where we are your personal information handler. Under Chinese privacy laws (and in this China Part), personal information generally refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.
In addition to the information relating to the collection of your personal information provided above in the Employee Privacy Notice, we only collect the personal information necessary to fulfill the purposes made aware to you prior to or at the time of collection (as set out above in this Employee Privacy Notice), or any other reasonable and legitimate purposes or as permitted by Chinese privacy laws or other applicable Chinese laws, such as internal investigation and compliance purposes.
We may collect all or part of the following personal information from our employees, former employees, interns, applicants, contractors, and other workers (sensitive personal information refers to personal information that, once leaked or illegally used, will easily lead to infringement of human dignity and may harm the personal or property safety of a natural person. Sensitive personal information has been underlined for your further attention):
Data Category | Type of Personal Information |
Basic information | Chinese name, English name, previous name, title, age, gender, date of birth, nationality, ethnicity, business name and address, and years in business |
Contact information | Personal email address, telephone numbers, mobile phone numbers, addresses, next of kin and emergency contact information |
Identification information | National insurance number or equivalent, passport or other form of ID, ID card number, passport number, passport expiry date |
Financial information | Bank account details, payroll records, tax status information, salary, share entitlements, pension, benefits information, compensation history, social insurance and housing fund information |
Biometric information | Biometric data in the form of fingerprints |
Professional or educational information | Start date/the date of your continuous employment, leaving date and your reason for leaving, location of employment or workplace, recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process), employment records (including job titles, work history, working hours, holidays, training records and professional memberships), performance information, disciplinary and grievance information, annual leave, results of employment status checks, position, direct manager, commencement date, date of start to first work, highest education level, major, related certificates |
Physical access information | Information obtained through electronic means such as door entry mechanisms, information about your use of our information and communications systems |
Health, welfare and leisure information | Health status, information about your health (including any medical condition, health and sickness records) |
Other information | Marital status and details of your dependents, information about your race or ethnicity and religious beliefs, child status (including child’s name, gender, date of birth and ID card number), photographs |
Generally, you have the following rights concerning our processing of your personal information:
Subject to the exceptions provided by Chinese privacy laws, we will satisfy the exercise of your privacy rights in relation to the personal information about you that we have collected, utilized or disclosed, upon your written request. We will make such information available to you in a form that is generally understandable, including explaining any abbreviations or codes and using an alternative format, if required. You may reach us through the contact information listed below. Please be as specific as possible in your request so that we can meet any applicable timelines.
If we are required by Chinese privacy laws or there is another lawful basis on which we are unable to satisfy the exercise of your rights as set out above, we will explain the reasons for the limitation of your rights to you when you contact us.
We use security safeguards appropriate to the sensitivity of personal information to protect it from loss or theft, as well as unauthorized access, disclosure, copying, use or modification. These safeguards include physical measures, such as restricted access to offices and equipment, organizational measures, such as security clearances, and publishing this notice to appropriate personnel with instructions to act in accordance with its principles (for example, limiting access on a “need to know” basis), and technological measures, such as the use of passwords and/or encryption.
We will utilize, disclose, or retain your personal information for as long as necessary to fulfill the purposes for which it was collected and for legal or business requirements. Subject to the exceptions provided by Chinese privacy laws or with your consent, we will retain your personal information for the minimum period necessary for the purposes of processing described above in this Employee Privacy Notice. After such period, we will delete or anonymize your personal information in accordance with Chinese privacy laws unless we are required otherwise by applicable Chinese laws and regulations such as archiving and record-keeping regulations.
In principle, the personal information we collect in China will be stored in China. We may transfer your personal information outside of China based on our lawful business requirements, therefore after obtaining your consent and informing you of the relevant information of the recipient, your personal information may be transferred to locations outside of China, or may be accessed from outside of China (the full list of the affiliates with which we share personal information is available at request). We will provide your personal information outside of China in strict accordance with all requirements of Chinese privacy laws, and ensure the security of your personal information. Since the data protection laws of the destination country or region may be different, it may not be possible to provide the same level of personal information protection as Chinese privacy laws. In such cases, we will take steps to ensure that the personal information we collect is processed in accordance with this China Part and the requirements of Chinese privacy laws.
Please direct all requests or other inquiries regarding personal information and this Employee Privacy Notice to our China Human Resources Department in China as follows.
Syneron/Candela (Beijing) Medical Technologies Co., Ltd.
Unit 2801-2808, 28th Floor, Building 9
No. 91 Courtyard, Jianguo Road, Chaoyang District, Beijing
info.chinahr@candelamedical.com
I acknowledge that I have received and read this Employee Privacy Notice.
Applicable to Residents of China only
◻ By ticking this box, I acknowledge and consent to authorize Candela to process my sensitive personal information in accordance with this Employee Privacy Notice.
◻ By ticking this box, I acknowledge and consent to authorize Candela to disclose my personal information to third parties in accordance with this Employee Privacy Notice.
◻ By ticking this box, I acknowledge and consent to authorize Company to transfer my personal information overseas in accordance with this Employee Privacy Notice.
Employee Name: _________________________________
Employee Signature: _________________________________
Date: ___________________________