EU Policy

HERRMANN INTERNATIONAL EU and SWISS DATA POLICY

I. Introduction

The Ned Herrmann Group, operating under the corporate name of Herrmann International, Inc., is headquartered in Lake Lure, North Carolina, USA and has subsidiaries and licensees around the world. Herrmann International is the sole and exclusive provider of the HBDI®, also known as the Herrmann Brain Dominance Instrument®, a psychometric survey and scoring system which allows an individual to understand their thinking preferences and to learn the Whole Brain® Model to get better results through better thinking. Herrmann International provides these services, amongst others, for persons residing in the European Union and Switzerland at the time they are taking the HBDI®. The data collected is maintained on Herrmann's servers in the European Union (EU), the United States and Canada; access to and transfer of data outside the EU or Switzerland is only made where there is an adequate level of privacy protection. Such data transfers, if made, are consistent with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks, which ensure that the principal organizational policies and practices are in compliance with the Safe Harbor requirements. Herrmann International conducts an annual compliance review to ensure that it is operating in compliance with this Privacy Policy.

This document describes Herrmann's privacy policy and the methods by which it fulfils the Safe Harbor requirements. This policy conforms to the Principles of the Safe Harbor Frameworks between the EU, Swiss and U.S. governments as administered by the U.S. Department of Commerce. Should you have any questions about Herrmann's privacy policy, please contact dataprivacyeurope@hbdi.com.

In order to complete the HBDI® survey, the respondent must supply some personal information such as: name or pseudonym, email (optional), address (optional), and preferences among various thinking style descriptors. The preferences are stored numerically and are not comprehensible without the HBDI® algorithm.

Herrmann International uses this information to calculate the HBDI® Profile. Some additional demographic and research information is optional and is noted as such on the form.

The data resulting from the responses to the questions on the HBDI® survey are used to create a personal "HBDI® profile", "transparency page", "data summary sheet", "narrative explanation" and "mini profile" page, all of which are printed and packaged in a sealed, confidential packet. These packets are provided to the certified HBDI® facilitators (Herrmann International employees or certified licensees authorized to administer the HBDI®), who then distribute the packet to the participant. In the case of the online HBDIinteractive™ simulation, the results data can be downloaded and printed directly by the participant.

II. Collection And Usage Of Personal Data

A. Data Collected

Herrmann collects and uses limited personal data from individuals in the EU and Switzerland. This data is not sensitive personal data as defined by the EU and Switzerland. The data collected is necessary to create a profile of the individual's thinking preferences and of how they are likely to interact with others. An employer will often provide this information to employees to assist them in being more effective in one-on-one and group interactions within the company and with customers/clients. There are no negative Thinking Preference Profiles identified by the HBDI® survey, but rather, preferences which each person has in their thinking style.

Data is only collected through standardized surveys, either in a paper version or online. Both methods collect the same type and amount of data. Herrmann collects personal information such as name, age, and gender, but only with the knowledge and consent of individuals or as optional data fields which may be left blank.

When an individual who identifies themselves as being located within the EU or Switzerland at the time of taking the survey accesses the online HBDI® server, or is located in the EU or Switzerland when completing a paper copy for scoring, that individual is given an opportunity to review Herrmann's privacy policy and opt out of taking the HBDI® survey if he/she does not wish to consent to its terms. In that case, they may not complete the HBDI® online or submit the paper version for scoring.

Sometimes, the data is initially analyzed within the EU or Switzerland, then stored for safekeeping in a server at the company headquarters or other secured location outside the EU and Switzerland.

B. Purpose Of Data Collection

Data is only used for interpretation based on the HBDI® scoring as well as related services. Herrmann creates a personal profile, usually in the form of a table and data on a grid, sometimes compiled with others in the group (company), vocation, etc. for the creation of an HBDI® Pairs Report™ or HBDI® Team Report™.

From time to time, data is used for ongoing research and improvement of the HBDI® survey. If the data is ever exported to a party not under Herrmann's contractual control, the data used and analyzed is rendered completely anonymous.

C. How The Data Is Used

The answers to the survey are stored with the name of the individual taking the profile, as provided by that individual or, in some cases, by an alias name entry, where Herrmann does not know the individual's name. The storage of the individual's name is important because companies who have purchased the HBDI® for their employees may need to obtain group reports for developmental workshops. Further, if an individual's data is not associated with their own name, there is no way to reliably retrieve it when needed. This data is professionally analyzed only by Herrmann employees or licensees who have been certified by Herrmann. Only employees or licensees with the appropriate access rights are able to view and analyze the individual's personal data. After scoring by the HBDI® certified practitioners/licensees, the data is used to create a report. The report is prepared in a written and/or e-accessible form which is maintained in a confidential, secure, access-controlled system. Information technology (IT) workers who may have access to the database software are either employees of Herrmann or are under contract with provisions which control their use of and access to personal data of individuals who took the HBDI® survey from within the EU or Switzerland.

D. Potential Transfer To Third Parties

After taking the HBDI® survey online, the scoring is done by Herrmann and no third party is involved. In the case of paper versions, they may be scored locally within the EU or Switzerland and then the data is transferred to Herrmann's servers. All servers storing data outside the EU and Switzerland are under Herrmann's full control. The reports are given only to the person who ordered them, Herrmann Certified Practitioners or their staff, unless the participant requests transmittal to a third party.

E. Storage And Retention Of Data

The survey responses, the scored output and personal information are stored together. We keep this data for a minimum of 36 months after sending the report. A person may request the deletion of their personal identifying data, but the remaining anonymous data is kept for scientific validation and research purposes. If an individual requests deletion of identifying information (see below), it can never be restored, and if their organization (group/company) later wants to create a group report, the individual would have to retake the profile at their expense.

III. Security

F. Structure

Herrmann has taken reasonable precautions to protect personal data commensurate with the sensitivity of that data. Herrmann's data operations (IT) operate under security guidelines regarding access to and integrity of data. Presently all personal data for individuals residing in the EU or Switzerland when taking the profile is stored on servers in the EU, the USA or Canada. Herrmann's dedicated servers are maintained and operated at a secure server location and are managed under the general security guidelines. The IT department is responsible for enforcing the necessary measures and for educating staff regarding these measures.

G. Access Control

a) Server Room Protection
The central processing and data storage servers are hosted by Peer1 and managed by Herrmann representatives in a secured environment controlled by IT management and specific key employees. Peer1 data centers are physically isolated and monitored by closed circuit television, and a 24x7x365 onsite security team guards the facility, with military grade pass card access and biometric fingerscan/handscan units for an additional layer of security.

b) System Hardware And Application Protection And Access
Herrmann systems are protected by firewall hardware and software. In general, the effectiveness of the security settings is tested on an ongoing basis by our IT department. Unique user identification numbers and passwords are required to access all networks and subsystems. All employees must use identification numbers and passwords to access central processing and storage systems in order to subsequently gain entry to sub-systems and databases that house customer specific and/or personal data. Periodic modification of users' passwords is required, at a minimum every 180 calendar days. Only a limited number of Herrmann personnel possess the administrative rights and knowledge to establish permissions and administrative rights for others. A user who forgets a password shall apply to the IT Department for a new password, which the information systems manager shall issue upon confirming the identity of the requesting user.

Access to personal data (e.g. names, age, gender, and responses to the HBDI® survey) is only provided to people with established permissions to view the information. The rights behind a permission are determined in light of the individual employee's job function and relationship to Herrmann, as in the case of external Certified Practitioners, their administrative staff, and licensees. Only designated Herrmann employees can make decisions about permissions for an employee, Certified Practitioner, their administrative staff or affiliate licensees, and request that those permissions be expanded or contracted. Certified Licensees of the HBDI® survey can only access their own participants' data held on the Herrmann servers.

Personal data that is gathered for the purpose of completing the HBDI® survey is gathered via encrypted web pages that are completed by participants. The responses are presently stored in separate MS SQL Server databases on Herrmann servers.

The types of data which are stored:
1) Basic demographic data captured and stored for purposes of identification (e.g. first name, last name, email address, company name (optional)).
2) The responses, or keystrokes, that are recorded during the user's completion of the HBDI® survey. These responses are scored using a proprietary algorithm and then reported on a personalized form called the HBDI® Personal Profile.

H. Onward Transfer Control

Every transfer of personal data between a data subject and Herrmann is submitted via Herrmann's online assessment survey (HBDI®), which captures the subject's responses and provides them to Herrmann in an encrypted manner. When transferring personal data and storage media containing information assets between Herrmann servers and an office in the EU or Switzerland, data is protected against theft and misdirection via an encrypted online connection.

I. Availability Control

All personal data, customer specific data, individual data and subject-specific data is stored on a central server (SQL databases) and not on mobile devices.

J. Input Control

Changes to configuration settings, and the creation, modification and removal of access rights for databases containing personal data, are performed only by a limited number of specially trained and authorized Herrmann employees or representatives and are recorded.

IV. Rights Of Data Subjects

K. Information To Individuals

Individuals are informed of the privacy protection before the collection of their data. Users of the HBDI® must opt in to complete the online profile. Users of the paper version must initial an equivalent opt-in document or check a box on a form. The opt-in statement also informs the individual about how to contact Herrmann. Herrmann also includes a privacy policy statement on the website.

L. Access To Data

Individuals can get access to their data in two ways, as follows:
1. A hard copy package that contains the individual's profile results and is sealed with a confidential sticker.
2. In some programs, the participants of e-learning/simulation courses can see their scored results online with their personal login.
The answers to the surveys cannot be changed after submission. Individuals who wish to review, correct, amend or delete their personal data may request so in writing, sent by post to Herrmann International, EU and Swiss Data Security Department, 794 Buffalo Creek Road, Lake Lure, NC 28746 USA. No more than one request per year may be made. Individuals may request an additional copy or e-copy of their HBDI® Profile, for a fee which will be specified by Herrmann at the time of receipt of the request. Note that if personal data is deleted from the Herrmann database, the individual will forever lose access to the HBDI® data and scoring, as there will be no way to retrieve it.

M. Complaints

Individuals who feel that their privacy may have been violated based on the Safe Harbor privacy principles should contact their employer who purchased access to the HBDI® or their licensee. After this avenue has been exhausted, and if unsatisfactory responses are still received, the individual may contact Herrmann directly at: Herrmann International, EU and Swiss Data Security Department, 794 Buffalo Creek Road, Lake Lure, NC 28746 USA. The receipt of a complaint will start an investigation.

V. Enforcement

N. Verification

The verification of the privacy policy and the internal organization is carried out through an annual assessment. The assessment is a self-assessment, in the US and elsewhere.

O. Handling Of Complaints

Individuals who feel their privacy has been violated should contact the person in charge at the employer who purchased the HBDI® from Herrmann. Persons who purchased HBDI® access from a licensee (not through an employer) should contact the person who purchased that access.

P. Dispute Resolution Mechanism

If the individual and Herrmann cannot resolve a dispute regarding implementation of this privacy policy with respect to data privacy, Herrmann has engaged the Direct Marketing Association (DMA), its elected authority to resolve disputes under the Safe Harbor Enforcement Principle, to resolve such disputes. Herrmann will comply with any advice given by the DMA, reserving the right of appeal to the extent provided for in the DMA dispute resolution procedure, and so long as such advice or decision of the DMA is not in contravention of the laws or other obligations of the United States or of any of its individual states which may have jurisdiction.

In the event of a violation of the Safe Harbor principle, Herrmann is obliged to conform with the DMA dispute resolution decision within 8 weeks.

Contact information for the DMA is as follows:

The Federal Trade Commission (FTC) of the United States has jurisdiction over the Safe Harbor policy implementation.

This policy is available for viewing by the public at www.herrmanninternational.com and, on the online version of the HBDI®, to those about to take the survey.

VI. Effective date

This policy is effective as of March 16, 2009.

VII. Questions And Contact At Herrmann International

For any questions or for further information, please contact:
Dorothy Roche
Herrmann International
dataprivacy@hbdi.com
Fax: 828-625-1402