PURPOSE
As a global IT and talent consulting services organization, Nexwave is committed to maintaining levels of protection of Personal Data aligned to best practices in the industry which, as a minimum, comply with the requirements of the Applicable Data Protection Legislation and Nexwave’s contractual obligations. As part of this commitment, Nexwave requires its Members and any third party engaged by Nexwave or providing goods and/or services to Nexwave (including third party suppliers, subcontractors and freelancers) to take appropriate measures to safeguard Personal Data in the execution of their functions.
Being transparent about the data we use, Nexwave has issued this Data Privacy Policy (“Policy”) to inform you about how and why we collect and Process your Personal Data, Nexwave privacy practices and your rights as Data Subjects with respect to the Processing of your Personal Data.
For the purposes of this Policy, the following definitions apply:
“Applicable Data Protection Legislation” refers to (i) the European Data Protection Regulation 2016/679 relating to the Processing of Personal Data and (ii) any implementing laws of the EU Data Protection Regulation and (iii) any applicable local laws relating to the Processing of Personal Data.
“Nexwave Legal Entities” refers to all legal entities controlled directly or indirectly by Nexwave Inc. that handle Personal Data, excluding any legal entities that are within the operational scope of Nexwave Federal.
“Data Controller” refers to any entity (i.e. natural or legal person, public authority, agency or other body) that, alone or jointly with other Data Controllers, determines the purposes and means of the Processing of Personal Data.
“Data Processor” refers to any entity (i.e. natural or legal person, public authority, agency or other body) acting on behalf of and under instructions from a Data Controller or another Data Processor to Process Personal Data.
“Data Subject” refers to an identified or identifiable natural person whose Personal Data is Processed, which could include e.g. a Nexwave member or an external consultant in a Nexwave internal context, or the employees or end users of a client in a business context.
“EEA” refers to the European Economic Area, which consists of the European Union (EU) member countries, as well as Iceland, Liechtenstein and Norway, hereinafter also referred to as “Member States”.
“Employee” - for the purpose of this Policy only, this means an employee, staff member, worker, individual consultant, agent, officer or director, and “employment” shall be construed accordingly. Nexwave employees are referred to as “Member” or “Members”.
“Local Legislation” means local regulations, statutes, court orders or mandatory standards.
“Personal Data” refers to any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to identifiers such as the natural person’s name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes Sensitive Personal Data.
“Process”, “Processing” or “Processed” refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting (including remote access), using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.
“Sensitive Personal Data” refers to specific categories of Personal Data that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.
This Policy sets out the general standard that Nexwave has implemented when Processing Personal Data. This Policy applies when Nexwave acts as a Data Controller or as a Data Processor. It applies to the Processing of all Personal Data, irrespective of the nature or category of the Personal Data, regardless of the media on which that data is stored.
Further details for specific Processing activities are made available in the relevant privacy information notices.
Nexwave is committed to Process Personal Data to the same level of protection regardless of whether it Processes Personal Data for its own needs or for the needs of its clients or any third party. The implementation of this Data Privacy Policy requires that all Members of the Nexwave Legal Entities and any third party engaged by Nexwave fully participate in its application, without any exception.
As part of its operations, Nexwave shall collect and Process Personal Data relating to:
Subject to Applicable Data Protection Legislation, some or all of the following Personal Data categories may be Processed by Nexwave and any third party engaged by Nexwave or providing goods and/or services to Nexwave:
When Processing Personal Data relating to our Members or former employees, acting as Data Controller, we will comply with Applicable Data Protection Laws (including where necessary any requirement to obtain consent from a Data Subject or the competent employee representative body – e.g. Works Council). In addition to this Policy, Nexwave's standard employment contracts, the Nexwave Member Privacy Information Notice, applicable policies and Member communications may specify the precise and detailed purposes for which Nexwave may, from time to time, collect and Process Personal Data.
The main purposes for Processing Personal Data (including Sensitive Personal Data) relating to Members may include the following:
Payroll, Pension, Finance and Shares - Nexwave may share relevant Personal Data with pensions and share scheme administrators, scheme providers, insurance companies, tax authorities and other similar service providers in relation to employment obligations and Member benefits. Nexwave will also Process Personal Data for the purpose of identifying and paying Members.
Commercial Administration and Management - Nexwave may use Personal Data for managing its commercial activities such as paying invoices, communicating with its business partners and potential business partners, arranging meetings, business travel, visa applications, asset management, and complying with and managing business partner contractual obligations (including Member placement/assignment with clients).
Employee Administration and Management - Nexwave may process Personal Data (including where appropriate, and subject to this Policy and the Applicable Data Protection Legislation, Sensitive Personal Data) about Members and (where relevant) their dependents and next of kin, for purposes related to their employment with Nexwave. This may include recruitment, general management, performance management, career development, health and safety compliance, provision of health insurance, life insurance, sickness monitoring/compliance, diversity monitoring, disciplinary procedures, security checks (if and where required), background screening, visa applications and other immigration requirements, communications to and from Members, Member contact directories, sensitive/secure area access controls, IT system administration and management, payment of taxes, expense processing and Member benefits. From time to time, and subject to local requirements, Nexwave may offer its Members a range of benefits and discounts that it has negotiated with other companies and may supply relevant Personal Data to carefully screened third-party organizations to offer and provide such benefits.
Enterprise Security and Quality Control - Nexwave provides its Members with digital equipment (computers, laptops, mobile devices, tablets) enabling access to the Internet, e-mail and social media, Nexwave Intranet and various software applications and tools. Besides this digital equipment, Nexwave may also provide cars and physical workspaces (all being company property). Nexwave trusts that each Member acts responsibly and lawfully when using company property and strictly abides by all applicable codes of conduct that are issued in that respect like, but not limited to, the Code of Ethics and Business Conduct, Security and Acceptable Use Policy and the policy governing the use of third-party software. For security reasons only, Nexwave may monitor its premises with cameras. Nexwave may have good and legally justifiable reasons to monitor the use of digital equipment/devices and digital traffic through the equipment and devices used by Members taking into consideration the necessity for monitoring and the Member’s privacy. Incidental investigations will only be conducted for substantial reasons in targeted situations and Nexwave Global Security will always be involved in such investigations, taking into account the security incident investigation and reporting processes. Nexwave organization-wide monitoring and recording of Internet usage history and e-mail correspondence will only be implemented following a collective consultation process with the Works Council.
Corporate Finance, Mergers and Acquisitions – From time to time, Nexwave buys, sells and/or transfers group companies, business assets, financial instruments/arrangements, and contracts. In relation to such opportunities, operations and arrangements, Nexwave may share relevant Personal Data with potential buyers, sellers, professional advisors and regulatory authorities (incl. make regulatory filings with relevant governmental authorities), subject to obligations of confidentiality and local legal restrictions.
Regulatory, Professional and Membership Requirements – Nexwave may process Personal Data about Members, and transfer Personal Data to relevant regulatory bodies, governmental authorities and professional/trade/industry organizations in relation to membership applications and renewals, regulatory requirements (including security, regulatory/legal reporting requirements), professional standards, etc.
Health, Safety, Law and Insurance – Nexwave may Process and transfer Personal Data to appropriate third parties (including Nexwave facilities’ managers, event organizers, insurers, advisors and business partners) to comply with health, safety, legal, insurance, travel and emergency requirements.
Compliance with local legal requirements and agreed practices – Nexwave may process and transfer Personal Data to other entities within the Nexwave Group and/or appropriate third parties, as and when local laws require or permit it or where local practices have been agreed upon with Members, employee representatives, data protection officers, and/or data protection authorities/regulators.
When Processing Personal Data of our clients, we will act as a Data Processor, following duly documented instructions of the relevant clients for the following purposes:
Management of governance, delivery and closing for client projects and services including recruitment operations, training, suppliers and subcontractor management, billing, invoicing, reporting and audit activities;
Management of client projects and services cross-industries such as banking, utilities, manufacturing, insurance, government, retail, consumer and services, health and life sciences, transportation and logistics, oil and gas or communications and media, including Personal Data entry, correction and consolidation, storage, record-keeping and back-up, data management and analysis, individual enquiry management, application and infrastructure management, development and testing, correspondence, delegated/consolidated/outsourced IT system administration, hosting and management including access control and audit, asset management, expense Processing, marketing and research analysis.
Nexwave may also Process Personal Data relating to other Data Subjects (e.g. enquirers, website visitors, marketing/business contacts, prospective candidates, Nexwave offices’ visitors, etc.) for the purposes described below:
Nexwave will usually act as a Data Controller in relation to such Processing operations and any third party engaged by Nexwave or providing goods and/or services to Nexwave will act as Processor.
Nexwave will Process Personal Data only when strictly necessary and apply further principles on the basis of whether Nexwave acts as a Data Controller or as a Data Processor.
Transparency, fairness and lawfulness: Nexwave will Process Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, in accordance with the requirements of this Policy through the use of data privacy notices clearly setting out information necessary for compliance with the Applicable Data Protection Legislation.
Defining a purpose: any Processing of Personal Data by Nexwave, particularly the collection thereof, will be preceded by the identification of the specific purpose for such Processing. Such purpose must be explicit and legitimate. Personal Data cannot be further Processed in a manner that is incompatible with such purpose.
Data minimization: once the purpose for Processing Personal Data has been established, Nexwave will only collect Personal Data to the extent required for accomplishing such purpose. Each instance of Data Processing detail is to be reviewed as part of the early solution design phases and included in the Data Privacy and Security review and approval process or otherwise in order to ensure that the Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose for which it is Processed.
Quality of Personal Data: throughout the life cycle of any Personal Data Processing, Nexwave will ensure that the collected Personal Data remains accurate and up to date. Every reasonable step will be taken to ensure that Personal Data that is inaccurate is erased or rectified without delay including but not limited to self-service options for Data Subjects. In particular, Nexwave will provide adequate means for Data Subjects to inform Nexwave in case of any change in their Personal Data.
Data retention limitation: Nexwave will ensure that it does not keep your Personal Data for a longer period than strictly necessary to achieve the purpose for which your Personal Data is collected. Consequently, Nexwave will determine before the performance of the Processing an appropriate retention period. In doing so, Nexwave will consider the time during which the Personal Data is necessary to achieve the purpose of the Processing while taking into account the following factors:
Defining a legal basis: in addition to the above principles, any Processing may be performed only where it falls under one of the circumstances identified below:
If none of the above legal bases apply, Nexwave will seek and retain the Data Subjects’ prior consent before Processing their Personal Data, it being understood that a Data Subject’s consent is valid when (i) it is freely given by a clear affirmative act; and (ii) it represents a specific, informed and unambiguous indication of the Data Subject's agreement to the Processing of his/her Personal Data.
Technical and Organizational Measures: Nexwave will implement appropriate technical and organizational measures, at least equivalent to those prescribed in Nexwave’s Enterprise Security Management Framework (ESMF), to guard against unlawful access and/or Processing of Personal Data. In particular, Nexwave will grant access to Personal Data only when it is necessary to accomplish assigned tasks consistent with the purpose for which the Personal Data is Processed. Where Nexwave uses a third party to undertake Processing on its behalf it will ensure that equivalent measures are put in place by that third party through contractual agreements. In the event of unlawful access and/or Processing, Nexwave will comply with its Information Security Policy and related procedures.
Data Protection Impact Assessment (DPIA): Nexwave shall be responsible for monitoring Data Processing compliance with Applicable Data Protection Legislation. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the protection of your data, Nexwave shall implement a data protection impact assessment procedure that shall enable Nexwave to:
Protection Legislation, the competent Data Protection Authority will be consulted prior to the start of the intended Processing.
Data Privacy Impact Assessment documents will be retained for the duration of the Data Processing to which they apply.
Nexwave will ensure that it Processes Personal Data solely in accordance with the documented instructions of the Data Controller.
In particular, such Processing shall be:
The Data Controller remains solely responsible for ensuring a valid legal basis for the Processing performed by Nexwave and that the required Processing complies with Applicable Data Protection Legislation including the retention period to be applied. Nonetheless, Nexwave will promptly inform the Data Controller if, in its opinion, an instruction of the latter infringes the Applicable Data Protection Legislation.
Unless otherwise instructed by the Data Controller, Nexwave will apply (as a minimum) the same security baseline as it applies when it is acting as a Data Controller. Security measures which do not comply with the security baseline (as a minimum) will require the approval of Nexwave Privacy and Security representatives.
Nexwave will provide reasonable assistance to the Data Controller to support it in undertaking its obligations under Applicable Data Protection Legislation. The assistance to be provided by Nexwave to Data Controller for compliance purposes in accordance with this section will be subject to the financial, technical and organizational conditions agreed between Nexwave and Data Controller in the relevant agreement. Upon termination of the relevant Data Processing agreement, Nexwave and any third party engaged by Nexwave will either destroy or return all Personal Data to the client according to its instructions and Applicable Data Protection Legislation. In case of destruction, Nexwave will certify to the Data Controller that such deletion took place. In case of a return, Nexwave will ensure the confidentiality of the Personal Data transferred to the Data Controller by adhering to client’s instructions.
For the avoidance of doubt, nothing in this Policy limits Nexwave’s right to keep Personal Data for the purpose of existing litigation or to bring or defend future claims, in accordance with applicable legal statutes of limitation applicable to Nexwave.
Nexwave, when acting as a Data Controller, will Process Sensitive Personal Data if and only if it is strictly required. In such case, Nexwave shall ensure that at least one of the following conditions is met:
Where Nexwave, as a Data Processor, is required to Process Sensitive Personal Data, Nexwave will follow the Data Controller’s written instructions and apply the measures agreed to between parties, which shall be at least equivalent to the Nexwave Security Baseline.
The Data Controller shall ensure a valid legal basis for the Processing performed by Nexwave.
In any case Nexwave will Process Sensitive Personal Data in accordance with Applicable Data Protection Legislation and comply with any mandatory specific hosting and Processing conditions.
As demonstrated by the commitments made under this Policy, Nexwave is committed to providing the appropriate level of protection for the Personal Data it processes. To ensure that the principles defined in this Policy are effectively considered when Nexwave processes Personal Data, Nexwave will identify and address any data protection constraints at the beginning of a new project so that the principles contained herein are reflected in the design of the project and appropriately implemented.
Where Nexwave acts as Data Processor, the Data Privacy organization shall review and approve the Privacy aspects of the proposal and/or services developed for a client. Where Nexwave acts as Data Controller, the Data Privacy organization will have to provide approval of any new Nexwave internal project prior to the commencement of its development and subsequent implementation.
Where a solution is developed to become a Nexwave Intellectual Property to be proposed to clients as part of Nexwave’s services, the Data Privacy organization shall provide its approval.
Nexwave has a mature, standards-based security incident response and management process designed to handle all phases of a security incident. Members’ responsibilities are clearly defined at all levels. Incident assessment and prioritization standards are followed to ensure appropriate engagement levels and timely resolution.
Incident records are maintained and reported to senior management as required. High-priority incidents are managed through Nexwave’s 24x7 Global Security Operations Centre (SOC), where highly trained, full-time incident response professionals coordinate response efforts. Nexwave’s Data Privacy team is immediately engaged in the incident management process whenever Personal Data is suspected to be involved.
Whether acting as a Data Controller or as a Data Processor, if Nexwave reasonably believes that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed has occurred, Nexwave will provide security incident notification and status updates to the relevant Data Protection Authority, to Data Subjects and/or to the Data Controller, in accordance with Applicable Data Protection Legislation or any other local applicable laws.
Similarly, and for the sake of clarity, in the event a Personal Data breach is identified by a third party engaged by Nexwave, the third party will have to inform Nexwave as agreed upon in the relevant agreement.
As part of Nexwave operations, we may collect your Personal Data and disclose them to:
Nexwave will disclose your Personal Data if the disclosure is reasonably necessary to protect Nexwave’s rights and pursue available remedies, enforce Nexwave’s terms and conditions, investigate fraud, or protect Nexwave’s operations or users.
Nexwave may also disclose your Personal Data to administrative, judicial or governmental authorities, state agencies or public bodies, strictly in accordance with Applicable Data Protection Legislation and Local Legislation, and after careful review of the legality of any order to disclose data. Nexwave will challenge the order if there are grounds under the law of the country of destination to do so.
Transfer of EU Personal Data shall refer to Personal Data of EU residents or Data Subjects located within the EU being Processed (e.g. accessed, sent, used, viewed, copied, deleted) in a third country outside the EEA.
Nexwave acting as a Data Controller or Data Processor will Transfer EU Personal Data in accordance with the Applicable Data Protection Legislation and in accordance with Nexwave’s Binding Corporate Rules (“BCR”), approved under GDPR by the French Supervisory Authority on July 22nd, 2021. This means that your rights as Data Subject remain the same no matter where your Personal Data is Processed.
Should you require any information on Nexwave’s BCRs, please consult the Register of the European Data Protection Board or Nexwave - Privacy policy | nexwaveinc.com.
When Nexwave acts as Data Processor, prior specific or general consent is required in writing from the Data Controller before such transfer may be initiated.
Transfers of non-EU Personal Data shall take place in accordance with the Applicable Data Protection Legislation.
Transfers of Personal Data to third parties shall take place in accordance with the Applicable Data Protection Legislation.
On a regular basis, Nexwave conducts due diligence and third party privacy and security risks assessments with all third parties engaged by Nexwave, to establish their corporate capabilities and maturity with respect to security and data protection.
Whenever Nexwave relies on such third parties to process Personal Data, Nexwave ensures that such third parties provide an adequate level of protection to the Personal Data they process as per Applicable Data Protection Legislation.
Data Subjects have several rights under the Applicable Data Protection Legislation to request access to their Personal Data held by Nexwave and/or information about how Nexwave Processes their Personal Data. If you have any requests regarding the processing of your Personal Data, please send your formal request to privacy@nexwaveinc.com or complete the online form.
When acting as a Data Processor, upon request, Nexwave will provide its clients with relevant information enabling such clients to comply with their own obligations toward Data Subjects. Unless otherwise indicated in any contractual agreement, Nexwave shall not be required to inform Data Subjects directly thereof, as this remains the responsibility of the Data Controller.
As per Applicable Data Protection Legislation, where Nexwave acts as the Data Controller, you have the following rights:
Nexwave will act in accordance with the Applicable Data Protection Legislation and other relevant legal and contractual obligations in the search for and provision of relevant Personal Data. Nexwave will require Data Processors that Process Personal Data to do the same. Nexwave may need to ask you further questions in relation to your Personal Data or to verify your identity.
Upon termination of employment contracts for whatever reason, Nexwave shall maintain the Personal Data of former employees for such time as shall be permissible in accordance with applicable laws and regulations and necessary for the provision of appropriate ongoing benefits and services (for example, Member share schemes and pension administration).
Members acknowledge the requirements and annually confirm acceptance of this Policy. In addition to this Policy, Members must also comply with other applicable confidentiality and privacy obligations, including those set out in any Applicable Data Protection Legislation, their employment agreements and Nexwave policies, processes and standards or client’s instructions.
Members must follow any mandatory Nexwave privacy training and awareness programs. These include, among other topics, mandatory web-based data privacy, information security, anti-corruption, and records management training, communication campaigns and specific trainings adapted to the different functions within the organization.
These trainings and awareness programs are regularly updated to reflect changes to the Applicable Data Protection Legislation.
Nexwave maintains a dedicated privacy page on Nexwave Intranet where policies, standards, guidance, information and other materials related to the global privacy program are made available to all Members.
In the event that any third party Processes Personal Data on behalf of Nexwave, such third party shall:
Nexwave maintains records of Processing activities carried out as a Data Controller or as Data Processor. Nexwave will make sure that any new Processing of Personal Data is recorded in the Data Processing Inventory with relevant information regarding the context of each Processing of Personal Data. Nexwave shall make a record(s) of Processing available to the supervisory authority on request.
This Policy may be amended from time to time to comply with Applicable Data Protection Legislation. Nexwave will ensure that Data Subjects are notified of any material changes to the Policy promptly, through an “update” on nexwaveinc.com, by email or other appropriate method of communication. Should you require a status update, you may raise a request by sending an email to privacy@nexwaveinc.com.
Nexwave has designated a Chief Privacy Officer (CPO) overseeing Nexwave’s global data protection strategy, enterprise-wide data protection policies and procedures, and data protection regulatory compliance, and a network of Privacy Business Partners who may also be appointed as Data Protection Officers in accordance with Applicable Data Protection Legislation.
In case of questions related to the interpretation or operation of this Policy, please send an email to info@nexwave.in or contact Nexwave at +49 173 1811211.
Should you require assistance from any competent data protection authority, please reach out to the relevant one by using the useful resources below:
As per the EU-U.S. Data Privacy Framework (EU-U.S. DPF) validated by the European Commission on July 10, 2023, the Data Protection Review Court is the second level of a two-level redress mechanism that provides for the review of qualifying complaints by individuals, filed through appropriate public authorities in designated foreign countries or regional economic integration organizations, alleging certain violations of United States law concerning United States signals intelligence activities.