Last Updated - September 2023
HR Policy Association (alternatively “the HRPA” “Association” “we” “us” or “our”) is a global human resources professional members organisation focusing on empowering members to grow and excel in their roles.
Founded in 1968 as the Labour Policy Association we are headquartered in Arlington, Virginia with partner offices in Brussels and consultant staff based in India and Australia.
What we do
We provide Chief Human Resource Officers (CHROs) and their teams with a lifeline of information and targeted support. We offer expert public policy advocacy and analyses, information on HR best practices, and networking opportunities exclusively for our unique community of CHROs and HR executives. Collectively, the Association's approximately four hundred members employ more than twenty million employees worldwide and have a market capitalization of more than $7.5 trillion. In the United States, Association members employ over 9% of the U.S. private sector workforce.
Where we process certain information relating to you, such as your name, date of birth, email address, phone number, address, or location data (‘personal data’), we are responsible for the protection of such data as a “data controller.” In countries with data protection laws, it is a requirement that any organisation processing your personal data needs to tell you how we will manage it.
For the purpose of this global privacy notice HRPA will be using, and in practice applying, standards based on the EU GDPR and where necessary adding to it so as to include all the requirements for prior notice of personal data processing to all users of this site.
A separate, additional data protection notice is applicable and is made available to all staff of HRPA.
For European legislative requirements, the HRPA is registered with the Irish Data Protection Commission as the Associations supervisory authority on data protection for EEA territories.
How to contact us
The HRPA is based at 4075 Wilson Blvd, Suite 8181, Arlington, VA 22203, USA. You can contact us by telephone on +1 202 789 8670 or by email on [email protected]
For any queries related to the management of your personal data please contact our designated Data Protection Officer [email protected]
What personal data we handle
Personal Data provided by you to HRPA
We handle the personal data that you provide to us when you join the HRPA as a member, attend one of our events, when you make a query to us, or simply visit our website. This includes when we receive your information from an authorised colleague of yours. This also includes when you complete a web form, send us an email, exchange information on a phone call with us or allow our website to store cookies.
If you are seeking to develop or explore career opportunities with HRPA you may send us your CV. This could be received by HRPA based on an advertised post or sent speculatively by yourself to HRPA.
Personal Data not provided by you
You or your organisation may have designated a colleague of yours to supply us with certain and necessary biographical and professional information about you to allow us to contact you or process your membership of the HRPA network.
A peer of yours may have suggested to us that you may be interested in receiving information (membership options, research, upcoming events etc) and provided us with work related contact information.
Personal Data processed for support/administrative purposes
We also process personal data not specifically to exercise HRPA stated aims but for other support/administrative purposes. This personal data could include; personal data processed when operating our CCTV systems in our offices; the personal data of visitors to the HRPA; the personal data of visitors to the HRPA website who go through the material on the website and may need to allow cookies in order to use the service; and the personal data of our followers or social media users that leave comments or reactions to our posts on any of our social media channels (currently limited to LinkedIn and X).
What we do with your data
For the purposes of managing and developing our Association the HRPA performs the following processing operations in accordance with applicable data protection laws.
- Provides online services – the HRPA processes personal data such as strictly necessary cookies for any user of our website, www.hrpolicy.org, and any of its subdomains. We do so in order for you to use the web forms we provide for the purpose of handling enquiries, and in order for you to use our online resources. Our lawful basis for processing this data is based on the consent you have provided to us.
- Process your application for Membership of the HRPA – the HRPA will need, limited and strictly necessary, biographical, and professional information about you to process your application for membership of our network. Our lawful basis for processing this personal duty is based on the consent you have provided to us.
- Process your membership fee – if you join HRPAs network and your company is self titled in your own name and that company name is also the billing name it has been deemed that that qualifies as personal data. Therefore, if you paid your membership fee with such a company name or trading name then we would be processing that personal data of yours. Our lawful basis for processing this data is to meet our requirements in our contract with you.
- Inform you of upcoming events and news – should you join the HRPA network or sign up for any newsletter or informational emails we will use the contact details provided to us to email you a schedule of upcoming events and relevant industry related news, topics of interest and developments. Our lawful basis for processing this data is based on the consent you have provided to us or a membership contract you may have with us.
- Process any applications we receive, solicited or unsolicited, for HRPA job or intern opportunities – in this case we will process your data based on the consent you have provided to us, demonstrated by the act of sending us the application.
- Research and member surveys – we may use your details you or a colleague has provided to us for the purpose of gauging your opinion or establishing facts to conduct research that help inform our work. Some of the opinion and facts we will seek may include your personal data. While published research will always be aggregated and anonymous and the surveys will always be anonymous, qualitative surveys carry some risk of reidentification. Our lawful basis for processing this data is based on the consent you have provided to us.
- Interact with you (in general) – The HRPA uses your contact details (including but limited to your name, surname, email address, telephone number, postal address) to communicate with you. Our lawful basis for processing your contact details is based on the consent you have provided to us or to fulfil any contractual obligations we owe to you.
- Respond to your enquiries – the HRPA receives a wide spectrum of queries from its members and some of these queries may contain information that directly, or could indirectly, identify individuals. We have established managerial and technical measures in place to protect the confidentiality of this data. Our lawful basis to process such data is that its is necessary for HRPAs legitimate interest. Where we receive unsolicited personal data from members, and it would not be in our legitimate interest to process it without substantially impacting on the rights and freedoms of others we will delete such personal data and inform the sender of our action and reason as to why.
- Record CCTV footage – at our offices we record footage through the operation of a CCTV system for the purpose of security and safety. Our legal basis for doing so is that the implementation of such recording system is necessary for HRPA’s legitimate interests.
- Comply with legal obligations – we may share information with other public authorities if they are required by law, in particular other statutory agencies. Our legal basis to do so if based on our legal obligations under data protection law. Examples include information on tax, diversity, health and safety etc.
- Performance of a contract we have with you – when we deal with service providers and suppliers in their individual capacity or otherwise deal with personal data from third parties with whom we are dealing by contract, we deal with such data for the purposes of fulfilling our obligations pursuant to the contract as our legal basis for so doing.
- Manage social media accounts – Clicks on links we provide on our website to social media accounts may be counted in aggregate based on the URL and not on any personally identifiable information. We also process personal data when managing our X and LinkedIn social media accounts as individuals interact with our pages on those platforms. We view comments/reactions on our accounts, and these are retained by the social media platform in question. Our lawful basis for processing is that such processing it is in the HRPA legitimate interest to develop its network and online presence.
There may be certain cases where the right to receive information prior to our processing of your personal data is restricted in accordance with the law.
For example, if the information collected from you, (including any personal data of yours), is of assistance for the prevention of a terrorism related offence, we may be obliged by law to report it to police and/or statutory security services. Or, where HRPA is sent an email containing unlawful material, it may be necessary for the HRPA to report the information to the relevant authorities without any prior information provided to the original sender.
What we do not do with your personal data
Sell your personal data – HRPA will not sell/trade/swap to any third party any of your personal data unless you have given prior demonstrable consent to us before hand.
Novel, experimental or beta technology – the HRPA will not use your personal data on products, tools and technologies that are novel, experimental or under tested. This, for the time being, includes the use of your personal data in the training of any Machine Learning data sets and the use of other AI tools for marketing predictions and preferences or triaging and/or screening job applicants.
Automated decision making – the HRPA and the third parties which process personal data on our behalf (“processors”) do not undertake any profiling or automated decision making within the meaning of those activities under data protection laws.
Direct marketing – the HRPA and the third parties which process personal data on its behalf (“data processors”) do not undertake any activity with your data for the purposes of direct marketing, within the meaning of data protection laws.
Registration of telephone conversations – The HRPA does not audio record or retain audio recordings of phone conversations. Where an individual contacts us by phone, caller numbers are automatically stored on the recipient phone in the HRPA for a limited time in a list of inbound and outbound calls, but no further processing of this data (caller numbers) is conducted. We may only record personal data in the form of notes made by our staff during a conversation which then may be transferred onto a electronic record held by us.
How long do we keep your data?
The length of time in respect of which we keep personal data depends on the processing operation conducted with the data and we will retain it for no longer than is necessary.
In practice this means, for example, that if you send your CV in in response to an advertisement and you are not successful, we will retain your CV for 18 months following the deadline for submission of your application noted on the advertisement.
That membership details and correspondence will be retained for as long as you remain a member and for one year following the expiration of your membership.
That attendance at any of our events will be retained for one year following the event, at which point it will be anonymised and aggregated for the purpose of providing business analysis.
CCTV images will be retained for no longer than one month after they are recorded.
Any personal data that could be subject to any legal action or be reasonably assumed it might be required in relation to any legal proceedings will be retained as long as the legal action is ongoing and for two years following the final resolution of the legal action.
For further detail or specific enquires on our data retention schedule which outlines the retention periods for the processing of the personal data controlled by HRPA you can contact our Data Protection Officer with your query on [email protected]
When do we transfer your data to third countries?
Various data protection laws around the globe have certain restrictions and/or rules to follow before personal data can be transferred from one country to another country. Under EU law the countries in the European Economic Area are treated as a single territory (i.e., transferring data from, for example, Ireland to Germany is an internal transfer and not to a ‘third country.’)
Common amongst these laws is the requirements for the data sender to establish the status of the data protection regime in the ‘receiving’ country. Some countries such as Japan, Canada and Argentina are considered by the EU to be “adequate” and so no specific rules exists in sending data to them.
The EU also has an agreement with the US entitled the “Data Privacy Framework Agreement” whereby an organisation that wants to exchange data into the EU must register and self certify its approach to privacy on a database maintained by the US Department of Commerce. HRPA has registered on this database and so uses that mechanism to send and receive personal data to and from the EU. Most of the cross-border transfers of personal data overseen by HRPA will be between the EU and the USA.
Where any cross-border transfers occur not between these two territories (USA & EU) HRPA will review the requirements and rules in place and apply them. In the event we cannot adhere to them we will not transfer the personal data and seek another solution, for instance by using only localised databases.
HRPA is not a member nor has any plan to apply to the EU Commission for inclusion in their Binding Corporate Rules mechanism for the transfer of personal data between HRPA locations and entities.
We will only transfer your personal data to third countries in any event where it is necessary, and we cannot achieve the same purpose of processing without transferring your personal data.
Any transfers of personal data from HRPA, as a controller, to third party processor will only be carried out upon signature of a binding legal instrument between both parties.
Who we share your data with
Personal data processed by the HRPA is held confidentially and is not shared with any third parties, with exceptions outlined below.
Depending on the circumstances of the case, third parties may process personal data on behalf of HRPA (’data processors’) and are therefore under the legal obligation to ensure the same level of security and confidentiality in conducting their processing operations as the HRPA. The Association has in place legally binding agreements with data processors that detail these obligations and respective responsibilities.
These third parties referred to are service providers and suppliers engaged to perform our functions as outlined above. These third parties in particular process personal data on our behalf and we have in place specific arrangements which are mandated by applicable data protection laws. They would include companies that sell software, companies that oversee our IT security and maintenance, facility maintenance companies and recruitment companies if we engaged one.
Your rights on your data
Subject to certain restrictions you can exercise your rights in relation to your personal data that is processed by the HRPA if you are resident in areas where these rights form part of the local data protection or privacy rights enshrined in legislation/constitution or binding international treaties or conventions.
HRPA has decided that it will extend the rights that have become standard in data protection laws over the past decade to all its staff and users globally, the only exception is that we would not do so is where to do would be illegal or where, in the absence of any legislation, that the extension of these rights may cause damage to HRPA or any other individual.
- The right to be informed about the processing of your personal data;
- The right to access your personal data;
- The right to rectification of your personal data;
- The right to erasure of your personal data;
- The right to data portability;
- The right to object to processing of your personal data;
- The right to withdraw consent;
- The right to restrict processing of your personal data.
These rights are not absolute and HRPA may exercise the restrictions as they are articulated in the GDPR in relation to the rights listed above. These restrictions can be reviewed in the text of Articles 12 to 22 of the GDPR. www.gdpr-info.eu
Other restrictions to your rights as a data subject may apply in other circumstances, for example when the HRPA processes personal data in the context of legal proceedings.
How to make a complaint
You have the right to lodge a complaint about how we manage your personal data to the Associations supervisory authority, which in Europe is the Irish Data Protection Commission.
They can be reached at;
21 Fitzwilliam Square South
Tel +353 1 7650100
Or through this weblink www.dataprotection.ie/en/contact/how-contact-us
For the contact details of regulatory authorities in other (non EU) territories please consult this website www.dlapiperdataprotection.com/index.html
Changes to this statement
This statement is kept under review and is subject to change. We recommend that you regularly visit our website to ensure that you are consulting the latest version of the statement. You can find a reference to the date of the last update on the top of this statement.
Questions or feedback?
If you have any questions or comments on this notice, please contact us or our Data Protection Officer at [email protected]