Oyster EOR Team Member and Staff Privacy Notice
Effective Date: December 11, 2024
Table of Contents
- Oyster EOR Team Member and Staff Privacy Notice
- Welcome
- Definitions
- Oyster's Role in Processing Your Personal Data
- Data Protection Principles
- Information Oyster Collects
- Why Oyster Collects and Processes Information
- Change of Purpose
- Oyster's Processing of Sensitive Information
- Information about Criminal Convictions
- Information Sharing with Third-Party Data Processors
- Information Sharing with Third-Party EORs
- Information Sharing with Independent Data Controllers (Including Customers) and Third-Party Integrations
- Information Sharing with Other Third Parties
- Aggregate Data Sharing
- Advertising
- How Oyster Stores and Protects Your Data
- Oyster's Data Retention Policies
- Data Privacy Framework (DPF)
- International Data Transfers
- Your Data Protection Rights
- Changes to this Notice
- Contact Information
Welcome
At Oyster, Trust is one of our core values. Whether with Staff, Team Members, Customers, or Website Visitors, we believe that mutual trust is a key ingredient to our success. So we maintain an active flow of information and communication, and we practice transparency in all that we do.
To that end, we respect the privacy of everyone we do business with, and we are committed to protecting their Personal Data. We believe that everyone should know what information we collect, what we do with their information, who we share it with, and why it is shared. This practice allows us to comply with privacy and data-protection regulations around the globe. But more importantly, it fosters trust and builds relationships. After all, our business is bringing meaningful employment to talented people everywhere, not selling information.
Who should read this Notice, and Why?
This EOR Team Member and Staff Privacy Notice (the “Notice”) is intended for all Oyster Employer-of-Record (EOR) Team Members and all Oyster Staff Members.
This Notice explains everything you need to know about your Personal Data as an Oyster EOR Team Member or Staff Member. It explains what information we collect, process, and share about you. It describes the information we collect, how we collect it, and why we collect it. It describes how and why we use and share that information. And it describes the rights and choices you have regarding your information.
Please note that if you are an Oyster EOR Team Member employed through a Third-Party EOR, the Third-Party EOR will also collect or have access to your Personal Data. The section below titled “Data Sharing with Third-Party EORs” includes more information on how and why Oyster shares this data, but the Third-Party EOR should provide you with its own privacy notice explaining its data practices.
Important: If you are an Oyster EOR Team Member, you may also be a Website Visitor or an Oyster Academy User (see the Definitions below for more detail). If so, please note that we may collect additional Personal Data about you in that role. For more information on our privacy practices related to each of these roles, please review the applicable Privacy Notice(s):
- Website Privacy Notice
- Payroll Team Member Privacy Notice
- Contractor Privacy Notice
- Oyster Candidate Privacy Notice
- Oyster Academy Privacy Notice
- Oyster Connect Privacy Notice
- People Builders Community Privacy Notice
Summaries
Transparency only works when you understand the information. Each section of this Notice includes a Summary explaining the information in clear and concise terms. These Summaries are intended to help readers understand this document, but they do not form a part of the Notice itself.
Summary: Oyster cares about people and wants them to understand what we do with their personal information. This Notice explains what information we collect about EOR Team Members and Staff and what we do with it. We have separate Privacy Notices for other user types, like Oyster Website Visitors. Summaries (like this one) are intended to make things easier to understand, but they aren’t part of the Notice itself.
Definitions
Unfortunately, legal documents (like Privacy Notices) contain a lot of definitions. To make our Privacy Notices more readable (and to ensure consistency), we have created a page dedicated to Privacy Notice Definitions, which defines all of the capitalized terms used in this Notice.
Summary: Most of the terms in this Notice should be easy to understand, but if there is a term that needs more explanation, click here for some definitions.
Oyster's Role in Processing Your Personal Data
In general, Oyster acts as a “data controller” (or its equivalent) under Applicable Law. We control what information we collect and how and why we process that information. In some cases, Oyster and an Oyster Customer or Oyster and an Oyster subsidiary may be independent data controllers. Our role depends on both the applicable Data Subject and the nature of the data at issue:
- For Oyster Staff Personal Data, we generally act as a data controller because we determine what information we need to collect and how we will process that information. Oyster is the sole data controller for this information.
- For Oyster EOR Team Member Personal Data, we act as a data controller, but Oyster Customers, Oyster subsidiaries, and Third-Party EORs may also act as independent data controllers. Oyster Customers that engage Oyster EOR Team Members through the Oyster Platform may determine what information they need to collect and process independently from Oyster. Similarly, Oyster subsidiaries and Third-Party EORs may have certain legal obligations that require them to collect and process specific data.
Summary: Oyster acts as a data controller for the data that we collect and process about you. But for Oyster Team Member Personal Data, our Customers, Subsidiaries, and Third-Party EORs also act as independent data controllers.
Data Protection Principles
While Oyster acts in accordance with Applicable Law, we follow globally accepted principles of data protection:
- Lawfulness, Fairness, and Transparency: Personal Data is processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose Limitation: Personal Data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those purposes;
- Data Minimization: Personal Data collection and processing is adequate, relevant, and limited to what is necessary in relation to the purposes for the processing;
- Accuracy: Personal Data is accurate and, where necessary, kept up to date; every reasonable step is taken to ensure that inaccurate Personal Data is erased or rectified without delay;
- Storage Limitation: Personal Data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of processing; but Personal Data may be stored for longer periods for archiving purposes in the public interest, scientific or historical research purposes, statistical purposes where appropriate technical and organizational measures are in place as required by Applicable Law, or where retention is required by law;
- Integrity and Confidentiality: Personal Data is processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures;
- Accountability: The data controller is responsible for, and can demonstrate, compliance with these data protection principles.
Summary: We believe that treating all our users’ data with the respect and transparency afforded by globally accepted data-protection principles is the best way to foster Trust and build relationships.
Information Oyster Collects
We collect, store, and use the following categories of Personal Data to provide and market our services. Most of this data is collected directly from you. But in many cases, Oyster Customers provide us with Personal Data about the Team Members they wish to engage through the Oyster Platform. In some cases, the data is submitted to the Oyster Platform from a third-party service used by the Oyster Customer. We refer to these connections as “Third-Party Integrations.” And finally, we may collect information directly from Third Parties (for example, the results of background checks). Where an Oyster Customer provides Oyster with your Personal Data through a Third-Party Integration, we require the Customer to affirm that they have the right to do so under Applicable Law.
Summary: Oyster collects Personal Data either directly from you or indirectly from Customers or Third Parties. When Oyster receives Personal Data from a Third Party, that Third Party must affirm that they have a right to provide Oyster with the Personal Data.
The tables below set forth the information we may collect about you and the source of the information.
EOR Team Members
Category | Data Elements | Obtained From . . . |
---|---|---|
Contact Information | Name, Personal Postal Address, Personal Email Address, Phone Number, Corporate Email Address, Emergency Contact, Dependents’ Details, Maiden Name, Father’s/Husband’s Name, Preferred Pronoun | You, Oyster Customers, Third-Party Integrations, Third Parties |
Personal Details | Residence History, Resume or CV, Sex Assigned at Birth, Previous Employer Letters, Place of Birth, Photographs, Nationality, Letter of Experience, Date of Birth, Disability Status, Education Certificate, Education Details, Marital Status, Visa Status, Recruitment Information, including copies of RTW documentation and references, Performance Information, Disciplinary and Grievance Information, and Sensitive Information, including: Trade Union Membership, Information about Race or Ethnicity, Religious Beliefs, Sexual Orientation, or Political Opinion, and Information about Criminal Convictions and Offenses. | You, Oyster Customers, Third-Party Integrations, Third Parties |
Employer Information | Customer Service Agreement Details and Customer Postal Address | You, Oyster Customers, Third-Party Integrations, Third Parties |
Position Details | Job Description, Job Title, Role Type, Salary Package Details, and Business Transportation Preference | You, Oyster Customers, Third-Party Integrations, Third Parties |
Contract Terms | Employment Agreements, Offer Letters, Start Date, Onboarding Forms | You, Oyster Customers, Third-Party Integrations, Third Parties |
Identity Documents and Related Information | ID Cards, National Identity Documents, National Identity Numbers, National Insurance Numbers, Social Security Numbers, Passports, and Drivers Licenses | You, Third-Party Integrations |
Pension Information | Pension Contribution Details | You, Oyster Customers, Third Parties |
Personal Bank and Tax Information | Bank Documents, Tax Documents, Personal Tax Information, Bank Details | You, Oyster Customers, Third-Party Integrations |
Student Loan Information | Student Loan Details | You, Third Parties |
Medical Information | Health Insurance Card, Medical Certificate, Blood Group, and Health and Safety Training Status | You, Oyster Customers, Third-Party Integrations, Third Parties |
Messaging Data | Email messages, Instant Messages, and Support Tickets sent to, from, or about you. | You, Oyster Customers, Third Parties |
User Profile Data | Login Name (or email address), Password, Profile Picture | You, Third-Party Integrations |
Oyster Staff
Category | Data Elements | Obtained From . . . |
---|---|---|
Contact Information | Name, Personal Postal Address, Personal Email Address, Phone Number, Corporate Email Address, Emergency Contact, Dependents’ Details, Maiden Name, Father’s/Husband’s Name, Preferred Pronoun | You |
Personal Details | Residence History, Resume or CV, Sex Assigned at Birth, Previous Employer Letters, Place of Birth, Photographs, Nationality, Letter of Experience, Date of Birth, Disability Status, Education Certificate, Education Details, Marital Status, Visa Status, Recruitment Information, including copies of RTW documentation and references, Performance Information, Disciplinary and Grievance Information, and Sensitive Information, including: Trade Union Membership, Information about Race or Ethnicity, Religious Beliefs, Sexual Orientation, or Political Opinion, and Information about Criminal Convictions and Offenses. | You, Third Parties |
Position Details | Job Description, Job Title, Role Type, Salary Package Details, and Business Transportation Preference | You |
Contract Terms | Employment Agreements, Offer Letters, Start Date, Onboarding Forms | You |
Identity Documents and Related Information | ID Cards, National Identity Documents, National Identity Numbers, National Insurance Numbers, Social Security Numbers, Passports, and Drivers Licenses | You, Third-Party Integrations |
Pension Information | Pension Contribution Details | You, Third Parties |
Personal Bank and Tax Information | Bank Documents, Tax Documents, Personal Tax Information, Bank Details | You |
Student Loan Information | Student Loan Details | You, Third Parties |
Medical Information | Health Insurance Card, Medical Certificate, Blood Group, and Health and Safety Training Status | You, Third Parties |
Messaging Data | Email messages, Instant Messages, and Support Tickets sent to, from, or about you. | You, Third Parties |
User Profile Data | Login Name (or email address), Password, Profile Picture | You, Third-Party Integrations |
Biometric Data | Photographs, Audio Recordings, and Video Recordings | You |
Summary: Oyster collects various types of Personal Data about you, and we want you to know exactly what we collect and where we obtain it.
Why Oyster Collects and Processes Information
At Oyster, data is at the heart of what we do; we cannot provide meaningful employment in compliance with local regulations if we do not collect relevant Personal Data. But certain regulations, including the EU-GDPR, require that we specify the legal basis for our processing. For that purpose, with regard to Oyster EOR Team Members and Oyster Staff, we process data on the following legal bases:
- Contractual Necessity (CN) – Oyster needs to process the at-issue Personal Data, either to perform under a contract to which you are a party or to take steps at your request before entering a contract with you.
- Legitimate Interest (LI) – Oyster has a legitimate interest in processing the at-issue Personal Data, there is no less intrusive way to achieve the same results, and Oyster’s interests outweigh your interests, rights, and freedoms.
- Legal Obligation (LO) – Oyster is required to process the at-issue Personal Data to comply with a legal obligation.
- Consent (C) – You have the choice and control over whether or how Oyster processes your Personal Data.
- Vital Interests (VI) – Oyster may process certain Personal Data if it feels it is essential for the protection of an individual’s life.
Summary: The Keys defined above (CN, LI, LO, C and VI) are attached to the types of processing below, so that you can clearly understand the legal bases under which we collect Personal Data.
Under these bases, Oyster collects the following categories of Personal Data for the following purposes (letters in parenthesis indicate the legal bases for processing related to a specific purpose):
Processing Activities | Data Categories and Legal Bases for Processing |
---|---|
To Provide Our Services, including Account Setup and Creation (Updating the Oyster Platform, Sending Welcome Emails, Collecting Employment-Related Information), Creating and Signing Employment-Related Agreements, Communicating with Third-Party EORs, Setting up and Processing Payroll, Conducting Right to Work Checks, Conducting Medical and Health and Safety Checks, Enrolling in Benefits, Pension Processing, Processing Time and Travel, Contract Management, and Compliance Checks. | Contact Information (CN) Personal Details (CN) Employer Information (CN) Position Details (CN) Contract Terms (CN) Identity Documents and Related Information (CN) Personal Bank and Tax Details (CN) Student Loan Information (CN) Medical Information (CN) Messaging Data (CN) User Profile Data (CN) Biometric Data (C) |
For Internal Business Purposes, including Making Employment-Related Decisions and Addressing Employment-Related Matters, Creating and Signing Employment-Related Agreements, Communicating with Third-Party EORs, Setting up and Processing Payroll, Conducting Right to Work Checks, Conducting Medical and Health and Safety Checks, Enrolling in Benefits, Pension Processing, Processing Time and Travel, Contract Management, and Compliance Checks. | Contact Information (CN) Personal Details (CN) Position Details (CN) Contract Terms (CN) Identity Documents and Related Information (CN) Pension Information (CN) Personal Bank and Tax Details (CN) Student Loan Information (CN) Medical Information (CN) Messaging Data (CN) User Profile Data (CN) Biometric Data (C) |
For Security | Contact Information (LI) Personal Details (LI) Employer Information (LI) Position Details (LI) Contract Terms (LI) Identity Documents and Related Information (LI) Messaging Data (LI) User Profile Data (LI) |
For Customer Support | Contact Information (CN) Personal Details (CN) Employer Information (CN) Position Details (CN) Contract Terms (CN) Identity Documents and Related Information (CN) Pension Information (CN) Personal Bank and Tax Details (CN) Student Loan Information (CN) Medical Information (CN) Messaging Data (CN) User Profile Data (CN) |
For Research and Development | Employer Information (LI) Position Details (LI) Contract Terms (LI) Pension Information (LI) Messaging Data (LI) User Profile Data (LI) |
For Non-Marketing Communications | Contact Information (CN) Messaging Data (CN) |
For Legal Proceedings and Requirements | Contact Information (LO) Personal Details (LO) Employer Information (LO) Position Details (LO) Contract Terms (LO) Identity Documents and Related Information (LO) Pension Information (LO) Personal Bank and Tax Details (LO) Student Loan Information (LO) Medical Information (LO) Messaging Data (LO) User Profile Data (LO) Biometric Data (LO) |
For the Protection of an Individual's Life | Contact Information (VI) Personal Details (VI) Medical Information (VI) |
Summary: Due to the nature of Oyster’s core services, the Personal Data we collect is primarily collected out of Contractual Necessity. But we do collect some Personal Data for other reasons. This list explains those reasons.
Change of Purpose
We will only use the Personal Data we collect for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.
Summary: We’ll tell you if we ever change why we’re processing your Personal Data.
Oyster's Processing of Sensitive Information
“Special categories” of particularly sensitive personal information, such as information about a Data Subject’s health, racial or ethnic origin, sexual orientation, or trade union membership, require higher levels of protection. That means we need to have further justification for collecting, storing, and using this type of Personal Data. We may process the special categories of Personal Data described above in the following circumstances:
- In limited circumstances, with explicit, written consent;
- Without consent, where we need to carry out our legal obligations or exercise rights in connection with employment; or
- Without consent, where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our occupational pension scheme.
Less commonly, we may process this type of information where it is needed in relation to legal claims; where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving consent; or where you have already made the information public.
Summary: Due to the nature of the services we provide, there are times when we have to collect and process particularly sensitive information. When that happens, we’ll only do it (a) with consent; (b) if we’re legally obligated; or (c) if it is needed to serve a public interest.
Examples of situations in which we may process particularly sensitive Personal Data are listed below:
- We will use information about a Data Subject’s physical or mental health, or disability status, to ensure their health and safety in the workplace and to assess their fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits including statutory maternity pay, statutory sick pay, pensions, and permanent health insurance.
- If a Data Subject leaves their employment and under any share plan operated by a group company the reason for leaving is determined to be ill-health, injury, or disability, we will use information about their physical or mental health or disability status in reaching a decision about their entitlements under the share plan.
- If a Data Subject applies for an ill-health pension under a pension arrangement operated by a group company, we will use information about their physical or mental health in reaching a decision about their entitlement.
- We will use information about a Data Subject’s race or national or ethnic origin, religious, philosophical or moral beliefs, sexual life or sexual orientation, or disability status to ensure meaningful equal opportunity monitoring and reporting and to comply with legal obligations.
- We will use trade union membership information to pay trade union premiums, register the status of a protected employee, and to comply with employment law obligations.
Information about Criminal Convictions
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and only where we do so in line with our privacy standard.
We will only collect information about criminal convictions if it is appropriate given the nature of the Data Subject’s role and where we are legally able to do so. We have in place an appropriate policy and safeguards, which we are required by law to maintain when processing such data.
Summary: We may need to collect and process information related to a Team Member, Staff Member, or Candidate’s criminal convictions. We will protect that information, like we do with all Personal Data.
Information Sharing with Third-Party Data Processors
We share Personal Data about Team Members and Oyster Staff Members with third-party service providers and with Oyster subsidiaries in accordance with our contractual obligations (CN), for the purpose of providing our Services to facilitate our legitimate interests (LI), or where required by law (LO). We review all third-party service providers and require them to respect the security of your data and to treat it in accordance with the law. The services provided by these third parties may include:
- Hosting and Storage
- Payroll Processing
- Human Resources Management
- Pension and Benefits Administration
- Billing
- Customer Support and Management
- Email Services
- Data Analytics and Predictive Analysis
- Information Security and Privacy
- Advertising and Marketing
Where we are a data controller, these third parties are our processors. Where we are a data processor, these third parties are our sub-processors. We require all third parties that may have access to Personal Data to enter Data Processing Agreements with us that only permit them to process such Personal Data for the specified purpose and in accordance with our instructions. You can find a list of our Data Sub-Processors here.
Summary: As a globally distributed organization with no physical location, Oyster relies on third parties to provide us with the services listed above. When we engage these service providers, we ensure that they keep Personal Data secure and that their use of such data is limited.
Information Sharing with Third-Party EORs
Where Oyster EOR Team Members are engaged through a Third-Party EOR, the Third-Party EOR needs access to EOR Team Members’ Personal Data to provide them with employment. Oyster provides the connection between our Customers and the Third-Party EORs. As part of this service, in most cases, Oyster collects the Personal Data described above and shares with the Third-Party EOR any Personal Data that may be required for employment by the Third-Party EOR. In some cases, a Third-Party EOR may collect EOR Team Member Personal Data directly from the Team Member, either instead of or in addition to obtaining data from Oyster.
In any case, Third-Party EORs are obligated to comply with Applicable Law and, if required, should provide their employees with legally compliant contracts and privacy notices explaining their own data practices. Any EOR Team Members with questions related to a Third-Party EOR’s data practices should direct their questions to the Third-Party EOR.
Summary: To provide employment for EOR Team Members where Oyster does not have a local subsidiary, we work with Third-Party EORs. Those Third-Party EORs need Team Member Personal Data for employment purposes. In most cases, as part of our services, Oyster collects that information and shares it with the Third-Party EOR directly.
Information Sharing with Independent Data Controllers (Including Customers) and Third-Party Integrations
As part of our provision of services, Oyster may share data with independent data controllers, for example, Oyster Customers. Where Oyster shares Personal Data with independent data controllers, Oyster will only share the Personal Data that is necessary to provide services. Personal Data shared in this manner may include Contact Information, Personal Details, Employer Information, Position Details, Contract Terms, Pension Information, Messaging Data, User Profile Data, and Website Usage and Technical Data.
Please note that in some cases, Personal Data may be shared through Third-Party Integrations. For example, an Oyster Customer may use a Third-Party Integration to connect its account on the Oyster Platform to a third-party Human Resources Information System (HRIS). If this integration includes the sharing of Oyster Team Member Personal Data, Oyster would be the data controller for any information stored on the Oyster Platform, and the Customer would be an independent data controller for any information stored on the third-party HRIS. Oyster Customers are required to assert that they have a lawful basis under which to transfer any such Personal Data before they can activate a Third-Party Integration.
Summary: To provide our services, Oyster shares Team Member Personal Data with Customers. Sometimes this is done directly, and sometimes it is done through a Third-Party Integration. Plainly stated, we try to keep this sharing limited, but Oyster cannot provide services to Customers without sharing Team Member Personal Data.
Information Sharing with Other Third Parties
Please note that Oyster may also share Personal Data with other third parties, for example in the context of the possible sale or restructuring of our business. In this situation we will, where possible, share anonymized data with the other parties before the transaction is complete. Once the transaction is complete, we will share Personal Data with the other parties if and only where required under the terms of the transaction. We may also need to share Personal Data with a regulator or to otherwise comply with the law. Additionally, where you are a member of a works council, union, or equivalent, Oyster will share your personal data as legally required.
Summary: If Oyster sells its business, we may have to share Personal Data with the new owner before, during, or after the sale. But we will attempt to minimize the shared data. Oyster may also share your data with a works council or union where required by law.
Aggregate Data Sharing
Oyster may aggregate or otherwise strip data of all personally identifying characteristics and may share the aggregated, anonymized data with third parties. In such cases, we may use the information without further notice to you.
Summary: Oyster may anonymize data and share it with third parties.
Advertising
We partner with third party ad servers, ad networks, and social media platforms (like Facebook, Google, LinkedIn, X) to deliver personalized advertisements (“ads”) that may be of interest to our Website Visitors or to measure the effectiveness of our advertising. While we do not directly target Oyster Team Members or Staff for advertising, please note that if you visit the Oyster Website to interact with the Oyster platform, our Website Privacy Notice and Cookie Policy will apply.
Summary: Oyster may use some of the data we collect from Website Visitors to show them relevant ads on other sites, like Facebook, Google, LinkedIn, and X.
How Oyster Stores and Protects Your Data
Oyster cares about the security of Personal Data and has put measures in place to preserve the confidentiality, integrity, and availability of all the Personal Data we collect. We have also put in place appropriate security measures to prevent Personal Data from being accidentally lost, used, accessed in an unauthorized way, altered, or disclosed. We limit access to Personal Data to those employees, agents, contractors, and third parties that have a business need to know, based on the purposes and as described above. Additionally, we have put procedures in place to deal with any suspected data security incidents and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
If you suspect a security incident related to your Personal Data at Oyster, please fill out our Security Incident Reporting Form.
For more information about Oyster’s security program, please visit the Oyster Trust Center or the Oyster Security Dashboard.
Summary: We take the protection of Personal Data very seriously at Oyster. Find out more by visiting our Trust Center or our Security Dashboard. If you become aware of a suspected Security Incident, please submit an Incident Report.
Oyster's Data Retention Policies
We will only retain your Personal Data for as long as necessary to fulfill the purposes for which we collected it and to satisfy any legal, accounting, or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of the Personal Data, the purposes for which we process the Personal Data and whether we can achieve those purposes through other means, and all applicable legal requirements. In general, we retain the following record types for the following time periods in accordance with our Data Retention Policy:
- Employment Records: 6 years following termination of employment.
- Health and Safety Records: 20 years following the date of any incident; if no incident, 6 years following termination of employment.
Summary: Oyster only retains Personal Data for as long as necessary. For EOR Team Members and Staff, this means that we retain employment records for 6 years following a termination of employment.
Data Privacy Framework (DPF)
Oyster complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Oyster has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Oyster has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Oyster commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Oyster at: privacy@oysterhr.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Oyster commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. See Annex I of the DPF Principles for additional information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
Oyster has responsibility for the processing of personal information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. Oyster shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless Oyster proves that it is not responsible for the event giving rise to the damage.
The Federal Trade Commission has jurisdiction over Oyster’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Oyster may disclose personal information in response to lawful requests by US public authorities, including to meet national security or law enforcement requirements.
Summary: Oyster is compliant with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
International Data Transfers
Information stored on the Oyster Platform is stored on Amazon AWS Servers in Ireland. In general, we try to ensure that Personal Data related to a particular Data Subject is stored on the Oyster Platform and processed using third-party providers in that Data Subject’s country of employment. Due to the nature of Oyster’s Services, though, and because Oyster is a globally distributed organization with Oyster Staff seated in more than 30 countries, Personal Data may be stored or processed on a limited basis in any of the following countries.
As a result, we may transfer your Personal Data to a country and jurisdiction that does not have the same data protection laws as your home jurisdiction. But when doing so, we always take steps to ensure that your Personal Data remains protected and that it is stored and processed in accordance with applicable law.
For this reason:
- Where contractual necessity or legitimate interests may provide a basis for such transfers, this Privacy Policy provides notice of such transfer based on contractual necessity or legitimate interest for each processing activity, as described above. This includes but is not limited to the transfer of Personal Data relating to EOR Team Members engaged through Third-Party EORs.
- Where consent is required for such transfers, as part of this Notice’s incorporation into your Employment Agreement with Oyster, you affirmatively and explicitly consent to the transfer of information to any of the countries listed above for the purposes disclosed above. Please note that while you may withdraw your consent at any time, doing so may preclude Oyster from being able to provide you with services, including but not limited to employment.
For any additional information on international data transfers, please fill out our Privacy Rights Request Form or contact privacy@oysterhr.com.
Summary: Personal Data stored in the Oyster Platform is stored in Ireland. But because Oyster is a globally distributed organization, Oyster Staff Members and our data processors (including our own subsidiaries) are located around the globe. This means that for limited purposes, Personal Data may be transferred to any of the jurisdictions above. For example, an Oyster Staff Member located in Nigeria may assist a US-based Customer with a Team Member onboarding in Germany. In general, though, Oyster attempts to ensure that Personal Data remains at rest in Ireland and is processed through data processors located in the Data Subject’s home country. For example, German Team Member Personal Data is processed by Oyster’s German Subsidiary, and we use a German Payroll Provider and a German Benefits Provider.
Your Data Protection Rights
Under certain circumstances, and under Applicable Law, Data Subjects have individualized rights based on certain factors, such as their location, citizenship, or residence. At Oyster, we’re a global company, and Trust is one of our core values, so we believe that all users should be given the broadest privacy rights possible, regardless of where they are based or where they are from. For that reason, regardless of where you are located, you have the right to:
- Request Access to your Personal Data (commonly known as a “data subject access request” or “DSAR”). This allows you to receive a copy of your Personal Data and to ensure that we are lawfully processing it.
- Request Correction of your Personal Data. This allows you to have any incomplete or inaccurate records completed or corrected.
- Request Erasure of your Personal Data (commonly known as a “deletion request”). This allows you to ask us to delete or remove Personal Data where there is no reason for us to retain or continue processing it.
- Object to Processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is some reason you object to our processing on that basis. You can also object to our processing of your Personal Data where we are doing so for direct marketing purposes.
- Request the Restriction of processing of your Personal Data. This allows you to ask us to suspend the processing of your Personal Data, for example if you want us to establish its accuracy or our reason for processing it.
- Request the Portability of your Personal Data in a machine-readable format and the transfer to another party.
If you want to review, verify, correct, or request erasure of your Personal Data, object to the processing of your Personal Data, or request that we transfer a copy of your Personal Data to another party, you can do so by filling out our Privacy Rights Request Form.
No Fee (Usually) Required
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). But we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What We May Need
In some cases, we may need to request specific information from you to help us confirm your identity and to ensure your right to access the information (or to exercise any of your other rights). This security measure is in place to ensure that Personal Data is not disclosed to any person who has no right to receive it.
Right to Withdraw Consent
In the limited circumstances where you may have provided your consent to the collection, processing, or transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent to that specific processing at any time. In most cases, a way to withdraw consent should be readily apparent; for example, you can opt out of marketing emails by unsubscribing or can change your cookie settings at any time. Any questions or requests to withdraw consent that are not apparent should be directed to privacy@oysterhr.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes to which you originally agreed, unless we have another legitimate basis under the law for doing so.
Summary: At Oyster, we comply with all Applicable Laws and ensure that Data Subjects are afforded their rights under those laws. But we also believe that all Data Subjects, regardless of location, should be afforded those same rights. For that reason, no matter where you are, you have the following rights at Oyster:
To exercise these rights, you should submit a Privacy Rights Request Form. For questions, email privacy@oysterhr.com.
Changes to this Notice
We may change this Notice from time to time. If we make any material changes, we’ll provide notice on the Oyster website homepage or the account portal sign-in page. We will comply with applicable law with respect to any changes we make to this Notice and will seek your consent to any material changes if required by applicable law.
Summary: We won’t make any material changes to this policy without letting you know.
Contact Information
We have appointed a Data Protection Officer to oversee compliance with this Privacy Policy. For any questions about this Policy or how we handle Personal Data, please contact our Data Protection Officer at dpo@oysterhr.com or at:
Data Protection Officer
Oyster HR, Inc.
307 W. Tremont Avenue, Suite 200
Charlotte NC 28203, USA
You may also lodge a complaint with your country’s (or State’s) proper oversight agency. We would, however, appreciate the chance to deal with any concerns directly before such a complaint is filed.
A Privacy Rights Request Form can be accessed here: Privacy Rights Request Form