HERRMANN INTERNATIONAL EU and SWISS DATA POLICY
In order to complete the HBDI® survey, the respondent must supply some personal information such as: name or pseudonym, email (optional), address (optional), and preferences among various thinking style descriptors, which are stored numerically and require the HBDI® algorithm to be comprehensible.
Herrmann International uses this information to calculate the HBDI® Profile. Some additional demographic and research information is optional and is noted as such on the form.
The data resulting from the responses to the questions on the HBDI® survey are used to create a personal "HBDI® profile" transparency page, "data summary sheet", "narrative explanation" and "mini profile" page, all of which are printed and packaged in a sealed, confidential packet. These packets are provided to the certified HBDI® facilitators, who are Herrmann International employees or certified licensees authorized to administer the HBDI®, and who then distribute the packet to the participant. In the case of the online HBDIinteractive™ simulation, the results data can be downloaded and printed directly by the participant.
II. Collection And Usage Of Personal Data
A. Data Collected
Herrmann collects and uses limited personal data from individuals in the EU and Switzerland. This data is not sensitive personal data as defined by the EU and Switzerland. The data collected is necessary to create a profile of the thinking preferences with respect to how they are likely to interact with others. An employer will often provide this information to employees to assist them in being more effective in one-on-one and group interactions within the company and with customers/clients. There are no negative Thinking Preference Profiles identified by the HBDI® survey, but rather, preferences which each person has in their thinking style.
Data is only collected through standardized surveys, either in a paper version or online. Both methods collect the same type and amount of data. Herrmann collects personal information such as name, age, and gender, but only with the knowledge and consent of individuals or as optional data fields which may be left blank.
Sometimes, the data is initially analyzed within the EU or Switzerland, then stored for safekeeping on a server at the company headquarters or other secured location outside the EU and Switzerland.
B. Purpose Of Data Collection
Data is only used for interpretation based on the HBDI® scoring as well as related services. Herrmann creates a personal profile, usually in the form of a table and data on a grid, sometimes compiled with others in the group (company) or vocation, etc. for the creation of an HBDI® Pairs Report™ or HBDI® Team Report™.
From time to time, data is used for ongoing research and improvement of the HBDI® survey. If the data is ever exported to a party not under contractual control by Herrmann, the data used and analyzed is rendered completely anonymous.
C. How The Data Is Used
The answers of the survey are stored with the name of the individual taking the profile, as provided by that individual or, in some cases, by an alias name entry, where Herrmann does not know the individual's name. The storage of the individual's name is important because companies who have purchased the HBDI® for their employees may need to obtain group reports for developmental workshops. Further, if an individual's data is not associated with their own name, there is no way to reliably retrieve it when needed. This data is professionally analyzed only by Herrmann employees or licensees who have been certified by Herrmann. Only employees or licensees with the appropriate access rights are able to view and analyze the individual's personal data. After the scoring by the HBDI® certified practitioners/licensees, the data is used to create a report. The report is prepared in a written and/or e-accessible form which is maintained in a confidential, secure, access controlled system. Information technology (IT) workers who may have access to the database software are either employees of Herrmann or are under contract with provisions which control their use and access to personal data of individuals who took the HBDI® survey from within the EU or Switzerland.
D. Potential Transfer To Third Parties
After taking the HBDI® survey online, the scoring is done by Herrmann and no third party is involved. In the case of paper versions, they may be scored locally within the EU or Switzerland and then the data is transferred to Herrmann's servers. All servers storing data outside the EU and Switzerland are under the full control of Herrmann. The reports are given only to the person who ordered them, Herrmann Certified Practitioners or their staff, unless the participant requests transmittal to a third party.
E. Storage And Retention Of Data
The survey responses, the scored output and personal information are stored together. We keep this data for a minimum of 36 months after sending the report. A person may request the deletion of their personal identifying data but the anonymous remaining data is kept for scientific validations and research purposes. If an individual requests deletion of identifying information (see below), it can never be restored and if their organization (group/company) wants to create a group report, the individual would have to retake the profile at their expense.
Herrmann has taken reasonable precautions to protect personal data commensurate with the sensitivity of that data. Herrmann's data operations (IT) operate under security guidelines regarding access and integrity of data. Presently, all personal data for individuals residing in the EU or Switzerland when taking the profile is stored on servers in either the EU, USA or Canada. The Herrmann dedicated servers are maintained and operated at a secure server location and are managed under the general security guidelines. The IT department is responsible for enforcing the necessary measures and for educating staff regarding these measures.
G. Access Control
a) Server Room Protection
The central processing and data storage servers are hosted by Peer1 and managed by Herrmann Representatives in a secured environment and controlled by IT management and specific key employees. Peer1 data centers are physically isolated and monitored by closed circuit television, and a 24x7x365 onsite security team guards the facility with military grade pass card access and biometric fingerscan/handscan units for an additional layer of security.
b) System Hardware And Application Protection And Access
Herrmann systems are protected by firewall hardware and software. In general, the effectiveness of the security settings is tested on an ongoing basis by our IT department. Unique user identification numbers and passwords are required to access all networks and subsystems. All employees must utilize identification numbers and passwords to access central processing and storage systems to subsequently gain entry to sub-systems and databases that house customer specific and/or personal data. Periodic modification of users’ passwords is required, at a minimum every 180 calendar days. Only a limited number of Herrmann personnel possess the administrative rights and knowledge to establish permissions and administrative rights of others. A user who forgets a password shall apply to the IT Department for a new password, which the information systems manager shall issue upon confirming the identity of the requesting user.
Access to the personal data (e.g. access to names, age, gender, and responses to the HBDI® survey) is only provided to people with established permissions to view the information. Rights behind the permission are determined in light of the individual employee’s job function and relationship to Herrmann, such as in the case of external Certified Practitioners, their administrative staff, and licensees. Only designated Herrmann employees can make decisions about permissions for an employee, Certified Practitioners, their administrative staff or affiliate licensees, and request that they be expanded or contracted. In the case of Certified Licensees of the HBDI® survey, they can only access their participants’ data downloaded to the Herrmann servers.
Personal data that is gathered for the purpose of completing the HBDI® survey is gathered via encrypted web pages that are completed by participants. The responses are presently stored in separate MS SQL Server databases on Herrmann servers.
The type of data which is stored:
1) Basic demographic data captured and stored for purposes of identification (e.g. First Name, Last Name, email address, company name (optional)).
2) The responses, or keystrokes, that are recorded as the user completes the HBDI® survey. These responses are scored using a proprietary algorithm and then reported on a personalized form called the HBDI® Personal Profile.
H. Onward Transfer Control
Every transfer of personal data between the data subject and Herrmann is submitted via Herrmann's online assessment survey (HBDI®), which captures the subject's responses and provides them to Herrmann in an encrypted manner. When transferring personal data and storage media containing information assets between Herrmann servers and an office in the EU or Switzerland, data is protected against theft and misdirection via an encrypted online connection.
I. Availability Control
All personal data, customer specific data, individual data and subject-specific data is stored on a central server (SQL databases) but not on mobile devices.
J. Input Control
The changing of settings in configurations and the installation, changing and erasing of access rights for the databases with personal data are controlled by a limited number of specially trained and authorized Herrmann employees or representatives and are recorded.
IV. Rights Of Data Subjects
K. Information To Individuals
L. Access To Data
Individuals can get access to their data in two ways, as follows:
1. A hard copy package that contains the individual data profile results and is sealed with a confidential sticker.
2. In some programs, the participants of e-learning/simulation courses can see their scored results online with their personal login.
The answers to the surveys cannot be changed after submission. Individuals who wish to review, correct, amend or delete their personal data may request this in writing, sent by post to Herrmann International, EU and Swiss Data Security Department, 794 Buffalo Creek Road, Lake Lure, NC 28746 USA. No more than one request per year may be made. Individuals may request an additional copy or e-copy of their HBDI® Profile, for a fee which will be specified by Herrmann at the time of receipt of the request. It is noted that if personal data is deleted from the Herrmann database, the individual will forever lose access to the HBDI® data and scoring as there will be no way to retrieve it.
Individuals who feel that their privacy may have been violated based on the Safe Harbor privacy principles should contact their employer who purchased access to the HBDI® or their licensee. After this avenue has been exhausted, and if unsatisfactory responses are still received, the individual may contact Herrmann directly at: Herrmann International, EU and Swiss Data Security Department, 794 Buffalo Creek Road, Lake Lure, NC 28746 USA. The receipt of a complaint will start an investigation.
O. Handling Of Complaints
Individuals who feel their privacy is violated should contact the person in charge of the employer who purchased the HBDI® from Herrmann. In the case of persons who purchased HBDI® access from a licensee (not through an employer), they should contact the person that purchased access.
P. Dispute Resolution Mechanism
In the event of a violation of the Safe Harbor principle, Herrmann is obliged to conform with the DMA dispute resolution decision within 8 weeks.
Contact information for the DMA is as follows:
- mail: Safe Harbor Line Direct Marketing Association
1615 L Street, NW - Suite 1100
Washington, DC 20036
- fax: 202.955.0085
The Federal Trade Commission (FTC) of the United States has jurisdiction over the Safe Harbor policy implementation.
This policy is available for viewing by the public at www.herrmanninternational.com and on the online version of the HBDI® to those about to take the survey.
VI. Effective Date
This policy is effective as of March 16, 2009.
VII. Questions And Contact At Herrmann International
For any questions or for further information, please contact: