Submitted by david.pothier on Tue, 05/17/2022 - 09:31
Our ESG Program
Privacy and Data Protection

Earning and maintaining our customers’ trust is critically important to us. We care deeply about our customers’ long-term success and building meaningful partnerships that evolve with their needs and priorities.

Building Meaningful Partnerships

We build products and services designed to inspire people and support business.

Trust starts with transparency.
As a lifelong partner, earning and maintaining our customers’ trust is critically important to us.


We are committed to providing direct, timely, and relevant information about our privacy, security, and compliance practices.

This includes information about:

  • The personal information customers provide us, which is required for us to execute our agreements with our customers

  • The data we collect, both as a controller and as a processor, and about special categories of data, such as biometric data

  • Our use and retention of the personal information entrusted to us

  • Our geographic footprint as a global company with offices in multiple countries, serving customers across the world

  • Our cross-border transfers of personal information

  • Our robust security practices and ISO 27001, ISO 27017, and ISO 27018 certifications

  • Our customers’ ability to make data-subject access requests

We generally market and sell our products and services to businesses, not consumers. Our commitments regarding the personal information we collect, use, and disclose about the end users of those products and services are largely driven by our contracts with our business customers. The information provided below is intended to help our business customers understand our privacy practices. If you are an end user of one of our products or services, you are encouraged to contact your employer with questions about how your personal information is being collected, used, and disclosed.

Information We Collect

Information We Collect as a Controller
UKG acts as a data controller in connection with UKG Employee Vault, when you visit our website, and in other instances as set forth in our Privacy Notice. To learn more about the personal information UKG collects as a Controller, view the UKG Privacy Notice.

Information We Collect as a Processor
Other than in the instances listed above, UKG customers are the controllers of the personal information that they collect, create, communicate, and store in our products. UKG does not give anyone access to the personal information maintained in those products unless:

  • It is permitted to do so in its contract with the customer.

  • The customer instructs UKG to do so.

  • The customer consents (e.g., subprocessors used by UKG).

  • UKG is legally obligated to do so.

  • UKG has a legitimate interest (as defined under GDPR and other applicable laws) to do so.

For more information about our data-processing practices, including where we store data for our products, how we secure that data, and our data-retention practices, request a copy of our Privacy Product Statements from [email protected]. To learn more about our obligations as a processor, see the UKG Customers Data Processing Agreement.

Use of Information We Collect

Why We Use Personal Information
When we act as a controller, we use personal information for several purposes, including communicating with individuals regarding our products and services, improving our website or those products and services, and for managing job applications for people interested in working at UKG. For more information, visit our Privacy Notice.

When we act as a processor, the personal information we collect is used to deliver our products and services to customers. In many cases, the personal information we process about our customers’ employees and job applicants (i.e., end users) is determined by our customers, who control what information they need in order to use our products and services efficiently and effectively. Any use of personal information is in accordance with our Customers’ Data Processing Agreement and Privacy Product Statements.

These Product Privacy Statements explain how we collect, use, disclose, or otherwise process the information of our customers’ employees and job applicants (each an end user) on behalf of our business clients in connection with our products and services. If you are an end user using our services on behalf of, or as allowed by, one of our business clients that has engaged us to provide services to them and their employees and/or job applicants, we act as the data processor and UKG business clients are the data controllers with respect to your personal information.

Because our business clients are data controllers, it is primarily they who must undertake efforts regarding how information is collected and processed in accordance with data-protection laws. Therefore, if you have questions or concerns about the processing of your information as an end user, you should contact your employer directly or refer to its separate privacy policies.

Our processing of your information in connection with the services is governed by our Product Privacy Statement and the applicable business client agreement. Our Product Privacy Statements are not a substitute for any privacy notice that UKG customers are required to provide to end users.

Data Retention
UKG has a data-retention policy and a decommissioning procedure that are designed to ensure customer data is being disposed of appropriately and in accordance with our commitments to customers. Our procedures are designed to ensure that the original, archive, backup, and ad hoc copies are properly deleted.

UKG will only retain personal information for the length of time necessary to fulfill the purpose(s) for which the information was collected or as required or permitted by applicable laws, including the resolution of disputes and in accordance with our customer contracts.

Disclosure of Personal Information

We do not sell your personal information to third parties. Please review the sections below to learn more about how we might disclose personal information.

Affiliates and Subsidiaries
We might share your personal information with our affiliates and subsidiaries in order to deliver a product or service or to complete a task that you request.

Third Parties (Vendors/Service Providers)
We might engage with third parties (vendors and/or service providers) in order to deliver a product or service, perform certain functions such as enhancing and/or delivering our product and service offerings, or complete a task that you requested.

We have contracts with third-party providers (vendors and/or service providers) to perform certain functions on our behalf, and only at our direction. Our third parties are bound by confidentiality agreements, only have access to your personal information to the extent necessary to provide these contracted services, and are only permitted to process your personal information in accordance with our instructions (and for the purposes we disclose).

Additional Disclosures
UKG might disclose your personal information if we in good faith believe that it is necessary:

  • To comply with the law or with a legal process.

  • To protect and defend our rights and property.

  • To protect against misuse or unauthorized use of our website.

  • To protect the personal safety or property of our users or the public (among other things, this means that, if you provide false information or attempt to pose as someone else, information about you may be disclosed as part of any investigation into your actions).

  • In connection with, or during negotiations for, an acquisition, merger, asset sale, or other similar business transfer that involves all or substantially all of our assets or functions where personal information is transferred or shared as part of the business assets (provided that such party agrees to use or disclose personal information consistent with our Privacy Notice or gains your consent for other uses or disclosures).

We will not cross-reference your personal information with that of any other customer or entity. UKG does not support “back door” access to any of its products, services, or operations (including our data stores) by any government or third party. UKG does not share its encryption keys with, or provide the ability to break our encryption keys to, any government or third party.

Global Laws and Regulations

We commit to comply with all applicable laws and regulations including, but not limited to, those outlined below.

General Data Protection Regulation (GDPR)
The GDPR is a comprehensive data-protection law that regulates the processing of personal data of European Union (EU) residents and gives individuals rights that empower them with more control over their personal data. The GDPR enshrines major principles such as privacy by design, privacy by default, and implementation of strong technical and organizational measures designed to protect personal data.

The GDPR is not limited to the EU. It applies to all organizations that target, collect, or use the personal data of any EU resident and mandates organizations to:

  • Know what data they hold and have appropriate rights to use the data.

  • Be accountable and able to answer questions about what type of data they hold, and, in some cases, delete data they no longer need.

  • Notify supervisory authorities of data breaches.

  • Use vendors that comply with the principles of the GDPR.

  • Offer European Essential Guarantees by challenging governments’ requests to access personal data.

UKG Commitments to GDPR
UKG is committed to compliance with the GDPR and all applicable laws. We have enhanced processes to prepare to address the rights of people in the EU, we have generated written guidance to help our customers understand how our products collect and use personal data, and we are prepared to answer questions from our customers as well as our employees.

California Residents — California Privacy Notice
The California Consumer Privacy Act (“CCPA”) provides certain privacy-related rights to California residents. Learn more about UKG privacy practices and compliance with the CCPA.

Transfers of Personal Information

International Transfers of Personal Information
Our hyper-connected world is reliant on data transfers. But this cannot come at the expense of privacy. Individuals, companies, regulators, and policymakers must be able to trust that data stored or accessed across borders does not result in a diminishing level of protection. Secure and seamless personal data transfers are essential for the sake of building trust, delivering growth, and firing up innovation. UKG is committed to high standards of data protection, not just in the EU but also when that data is transferred worldwide.

UKG operates globally and, as such, may process personal data worldwide to provide customer support; in connection with UKG cloud operations activities (however, UKG database administrators generally do not have reason to access customer data); in connection with UKG subprocessors, a list of which is available below and their own subprocessors where applicable; and in connection with UKG professional services and/or implementation operations.

Asia-Pacific Economic Cooperation (APEC)
UKG privacy practices comply with the APEC Cross-Border Privacy Rules System (CBPR). The APEC CBPR system provides a framework for organizations to ensure the protection of personal information transferred among participating APEC economies. Learn more about the APEC framework.

European Economic Area (EEA), United Kingdom, and Switzerland Cross-Border Data Transfers
Strict data protection laws govern the transfer of personal data from the EEA, United Kingdom, and Switzerland to countries deemed by the European Commission as not offering an equivalent standard of protection, including the United States.

To address this requirement for our customers with operations in the EEA, the U.K., and Switzerland, UKG has incorporated the European Commission’s approved standard contractual clauses, also referred to as the “SCCs,” into our Data Protection Agreement, and has incorporated the SCCs adopted on June 4, 2021 into our current template. View full copies of our SCCs.

The SCCs create a contractual mechanism to meet the adequacy requirement to allow for the transfer of personal data from the EEA to a third country. Learn more about the SCCs.

UKG has further assessed all transfers to countries deemed by the European Commission as not offering Essential European Guarantees in accordance with the European Court of Justice Decision ECLI:EU:C:2020:559 of 16 July 2020 (known as Schrems II). To learn more about how UKG complies with Schrems II, see the UKG Transfer Risk and Impact Statement and UKG Schrems II Statement. For more information about Schrems II, please see our FAQs.

Data Subject Rights

If you have a question or request concerning your personal information held by UKG, including your personal information collected through your use of our products, please email [email protected]. More information on how we respond to data-subject requests is available in the UKG Privacy Notice.

Subprocessor List
The current list of subprocessors is available here.
