Privacy and Data Protection

Transparency as a Top Priority

Privacy and data security are top priorities for UKG and our customers. We are committed to providing direct, timely, and relevant information about our privacy, security, and compliance practices.

This includes information about:

• The personal information customers provide us, and which is required for us to execute our agreements, executed with our customers.
• The data we collect, both as a controller and as processor.
• Special categories of data, such as biometric data.
• The use of Artificial Intelligence.
• Our use and retention of the personal information entrusted to us.
• Any government requests for access to customers’ data that we receive.
• Our geographic footprint as a  global company with offices in multiple countries, serving customers across the world.
• Our cross-border transfers of personal information.
• Our robust security practices and ISO 27001,  ISO 27017,  and  ISO 27018 certifications.
• Our customers’ ability to make data-subject access requests.

In accordance with our values, the UKG Privacy Program is designed to:

• Comply with privacy laws and regulations applicable to our business;  
• Share information about the data collected by our products; 
• Maintain transparency and build trust with our customers; and 
• Align with first-class international standards security controls (SOC2/SOC 3, ISO 27001, 27017, 27018).

We engage with third parties (suppliers and/or service providers) in order to deliver products or services, perform certain functions such as enhancing and/or delivering our product and service offerings, or complete a task that you request.

We have contracts with  third party providers  (suppliers and/or service providers) to perform certain functions on our behalf, and only at our direction. Our third parties are bound by confidentiality agreements, only have access to your personal information to the extent necessary to provide these contracted services and are only permitted to process your personal information in accordance with our instructions (and for the purposes we disclose).

Subprocessors

UKG operates globally and, as such, may process personal data worldwide to provide customer support; in connection with UKG cloud operations activities (however, UKG database administrators generally do not have reason to access customer data); in connection with UKG subprocessors, a list of which is available below and their own subprocessors where applicable; and in connection with UKG professional services and/or implementation operations.

The current list of subprocessors is available  here.

Affiliates and Subsidiaries

Affiliates and Subsidiaries 

We share your personal information with our affiliates and subsidiaries in order to deliver a product or service or to complete a task that you request in accordance with our list of subprocessors.

Third Party Commitment to Privacy Laws and Regulations

Third Party Commitment to Privacy Laws and Regulations 

All UKG third parties are required to comply with all applicable laws and regulations. Those processing personal data must agree to the terms in  UKG Data Processing Addendum  and the  Supplier Standard Contractual Clauses to the extent applicable.

Information We Collect

We market and sell our  products* and  services  exclusively to businesses, not consumers. Our commitments regarding the personal information we collect, use, and disclose about the end users of those products and services are largely driven by our contracts with our business customers. The information provided below is intended to help our business customers understand our privacy practices. If you are an end user of one of our products or services, you are encouraged to contact your employer with questions about how your personal information is being collected, used, and disclosed.

*Except for UKG Employee Vault

Information We Collect as a Controller

Information We Collect As A Controller 

UKG acts a data controller when you visit our website and in other instances as set forth in our Privacy Notice. To learn more about the personal information UKG collects as a Controller, view the UKG Privacy Notice. 

UKG also acts as a data controller in connection with UKG Employee Vault. To learn more about the personal information UKG collects as a Controller with UKG Employee Vault, view the UKG Employee Vault Privacy Notice.

Information We Collect as a Processor

Information We Collect As A Processor 

UKG customers are the controllers of the personal information that they collect, create, communicate, and store in our products*. UKG does not give anyone access to the personal information maintained in those products unless:

• We are permitted to do so in its contract with the customer. 
• The customer instructs UKG to do so. 
• The customer consents (e.g., subprocessors used by UKG). 
• UKG is legally obligated to do so. 
• UKG has a legitimate interest (as defined under General Data Protection Regulation (GDPR) and other applicable laws) to do so.

For more information about our data-processing practices, including where we store data for our products, how we secure that data, and our data-retention practices, request a copy of our Product Privacy Statements from  [email protected].  To learn more about our obligations as a processor, see the  UKG Customers Data Processing Agreement.

*Except for UKG Employee Vault

Responsible Use of Information We Collect

UKG’s Responsible Use as a Controller

When we act as a controller, we use personal information for several purposes, including communicating with individuals regarding our products and services, improving our website or those products and services, and for managing job applications for people interested in working at UKG. For more information, visit our  Privacy Notice.

UKG’s Responsible Use as a Processor

When we act as a processor, the personal information we collect is used to deliver our products and services to customers. In many cases, the personal information we process about our customers’ employees and job applicants (i.e., end users) is determined by our customers, who control what information they need in order to use our products and services efficiently and effectively. Any personal information we use is done in accordance with our  Customers’ Data Processing Agreement  and Product Privacy Statements.

Product Privacy Statements

Product Privacy Statements explain how we collect, use, disclose, or otherwise process the information of our customers’ employees and job applicants (each an end user) on behalf of our business clients in connection with our products and services. Our Product Privacy Statements are not a substitute for any privacy notice that UKG customers are required to provide to end users.

Product Privacy Statements are available upon request, please email  [email protected].

Customer Responsible Use as a Controller

As data controllers, our customers must undertake efforts to ensure that information is collected and processed in accordance with data-protection laws. Therefore, if you have questions or concerns about the processing of your information as an end user, you should contact your employer directly or refer to its separate privacy policies.

Data Retention

Data Retention

UKG has a data retention policy and a decommissioning procedure that are designed to ensure customer data is disposed of appropriately and in accordance with our commitments to our customers. Our procedures are designed to ensure that the original, archive, backup, and ad hoc copies are properly deleted.

UKG will only retain personal information for the length of time necessary to fulfill the purpose(s) for which the information was collected or as required or permitted by applicable laws, including the resolution of disputes and in accordance with our customer contracts.

Third-Party Disclosure of Personal Information

Third-Party Disclosure of Personal Information

We do not sell your personal information to third parties. Please review the Third Parties (Suppliers/Service Providers/Subprocessors) section above to learn more about how we might disclose personal information to third parties.

Additional Disclosures

Additional Disclosures

UKG might disclose your personal information if we in good faith believe that it is necessary:

• To comply with the law or with a legal process.
• For law enforcement purposes. UKG is committed to publishing data regarding requests or demands for customer data received from law enforcement and national security agencies. We publish this data twice per year (covering a reporting period of either January to June or July to December). These reports are published six months after the end of a given reporting period in compliance with restrictions on the timing of publishing those reports.  View the current UKG Transparency Report.
• To protect and defend our rights and property.
• To protect against misuse or unauthorized use of our website.
• To protect the personal safety or property of our users or the public (among other things, this means that, if you provide false information or attempt to pose as someone else, information about you may be disclosed as part of any investigation into your actions).
• In connection with, or during negotiations for, an acquisition, merger, asset sale, or other similar business transfer that involves all or substantially all of our assets or functions where personal information is transferred or shared as part of the business assets (provided that such party agrees to use or disclose of personal information consistent with our Privacy Notice or gains your consent for other uses or disclosures).

We will not cross-reference your personal information with that of any other customer or entity. UKG does not support “back door” access to any of its products, services, or operations (including our data stores) by any government or third party. UKG does not share its encryption keys or provide the ability to break our encryption keys with any government or third party.

Our Commitments to Global Laws, Regulations, and Ethics

We commit to comply with all applicable laws and regulations including, but not limited to, the following outlined below.

UKG Commitments to GDPR

UKG Commitments to GDPR

The GDPR is a comprehensive data-protection law that regulates the processing of personal data of European Union (EU) residents and provides individuals rights to empower individuals by giving them more control over their personal data. The GDPR enshrines major principles such as privacy by design, privacy by default, and implementation of strong technical and organizational measures designed to protect personal data.

The GDPR is not limited to the EU. It applies to all organizations that target, collect, or use the personal data of any EU resident and mandates organizations to:

• Know what data they hold and have appropriate rights to use the data. 
• Be accountable and able to answer questions about what type of data they hold, and, in some cases, delete data they no longer need. 
• Notify supervisory authorities of data breaches. 
• Use vendors that comply with the principles of the GDPR. 
• Offer European Essential Guarantees by challenging governments’ requests to access personal data.

UKG is committed to compliance with the GDPR and all applicable laws. We have enhanced processes to prepare to address the rights of people in the EU, we have generated written guidance to help our customers understand how our products collect and use personal data, and we are prepared to answer questions from our customers as well as our employees.

UKG Commitments to the Data Privacy Framework

The Data Privacy Framework (“DPF”) comes after years of collaboration and negotiation to reestablish a mechanism for transfers of EU personal data to the United States after the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework was invalidated by the Court of Justice of the EU (CJEU) in 2020 due to concerns regarding U.S. signals intelligence. Visit the Working Smarter Cafe to learn about how UKG welcomes the Data Privacy Framework. To learn more about how UKG complies with the Data Privacy Framework visit our Data Privacy Framework Statement and the UKG Privacy Notice.

UKG Commitments to CCPA

UKG Commitments to CCPA

The California Consumer Privacy Act (“CCPA”) provides certain privacy-related rights to California residents.  Learn more about UKG privacy practices and compliance with the CCPA.

UKG Commitments to Asian-Pacific Economic Cooperation (APEC)

UKG Commitments to Asian-Pacific Economic Cooperation (APEC)

UKG privacy practices comply with the APEC Cross-Border Privacy Rules System (CBPR). The APEC CBPR system provides a framework for organizations to ensure the protection of personal information transferred among participating APEC economies.  Learn more information about the APEC framework.

International Transfers of Personal Information

Transfer Impact Assessment (TIA)

Transfer Impact Assessment (TIA)

UKG has further assessed all transfers to countries deemed by the European Commission as not offering Essential European Guarantees in accordance with the European Court of Justice Decision ECLI:EU:C:2020:559 of 16 July 2020 (known as Schrems II). To learn more about how UKG complies with Schrems II, see the  UKG Transfer Risk and Impact Statement.

EU Standard Contractual Clauses

EU Standard Contractual Clauses

Strict data protection laws govern the transfer of personal data from the EEA, United Kingdom, and Switzerland to countries deemed by the European Commission as not offering an equivalent standard of protection, including the United States.

To address this requirement for our customers with operations in the EEA, the U.K., and Switzerland, UKG has incorporated the European Commission’s approved standard contractual clauses, also referred to as the “SCCs,” into our Customer Data Protection Addendum and in our Supplier Data Protection Addendum, and has incorporated the SCCs adopted on June 4, 2021, into our current templates.  View full copies of our SCCs for Suppliers and for Customers.

Beginning September 27, 2021, UKG started using the  new SCCs,  which were adopted on June 4, 2021, for all new agreements, order forms and other customer and supplier transaction documents.

• If your company entered into an agreement with UKG on or after September 27, 2021, or have already updated your existing agreements with the new SCCs, no action is required. The new SCCs have been incorporated into our  Customer  and  Supplier DPAs and will apply to all UKG products & services agreements and to the provision of any products or services to UKG requiring the processing of EU data subjects.
• If your company entered into an agreement with UKG prior to September 27, 2021, the new SCCs are incorporated by default into our Supplier and Customer DPAs and will apply to the provision of any products or services to UKG requiring the processing of EU data subjects and to all UKG products & services agreement. This is a regulatory requirement for all businesses who transfer personal data outside the European Economic Area.
• If you require an amendment to include the new SCCs, please reach out to  [email protected].

Note that these changes to our  Customer  and  Supplier  Data Processing Addendums (“DPA”) are only necessary if your company shares the personal data of EU data subjects with UKG, if UKG processes it on your company’s behalf, or if your company processes such data on UKG’s behalf. The SCCs creates a contractual mechanism to meet the adequacy requirement to allow for the transfer of personal data from the EEA to a third country.  Learn more about the SCCs.

Data Subject Rights

If you have a question or requesting concerning your personal information held by UKG, including your personal information collected through your use of our products, please email  [email protected].  More information on how we respond to data-subject requests is available in the  UKG Privacy Notice.

Cybersecurity

We are our customers’ partner for life: we prioritize safety, accuracy, and reliability.         
UKG has many dedicated policies, practices, and protocols to protect our IT infrastructure, networks, devices, and data from unauthorized access, collection, retention, and use of sensitive, confidential, and/or proprietary customer or user data, including Personally Identifiable Information (PII). We are committed to continually improving our incident response, staff training, and additional mechanisms to ensure the security of customer and user data.  Learn more.