At UKG,
Transparency as a Top Priority
Privacy and data security are top priorities for UKG and our customers. We are committed to providing direct, timely, and relevant information about our privacy, security, and compliance practices.
This includes information about:
- The personal information that customers provide us and that we require to carry out the agreements executed with our customers
- The data we collect, both as a controller and as a processor
- Special categories of data, such as biometric data
- The use of artificial intelligence (AI)
- Our use and retention of the personal information entrusted to us
- Any government requests for access to customers’ data that we receive
- Our geographic footprint as a global company with offices in multiple countries, serving customers across the world
- Our cross-border transfers of personal information
- Our robust security practices and ISO 27001, ISO 27017, and ISO 27018 certifications
- Our customers’ ability to make data-subject access requests
In accordance with our values, the UKG Privacy Program is designed to:
- Comply with privacy laws and regulations applicable to our business
- Share information about the data collected by our products
- Maintain transparency and build trust with our customers
- Align with the security controls of first-class international standards (SOC 2/SOC 3, ISO 27001, 27017, 27018)
- Educate UKG employees (U Krewers) to ensure compliance with applicable laws and regulations
Third Parties (Suppliers/Service Providers/Subprocessors)
We engage with third parties (suppliers and/or service providers) in order to deliver products or services, perform certain functions such as enhancing and/or delivering our product and service offerings, or complete a task that customers request.
We have contracts with third party providers (suppliers and/or service providers) to perform certain functions on our behalf, and only at our direction. Our third parties are bound by confidentiality agreements, have access to our customers' personal information only to the extent necessary to provide these contracted services and are permitted to process our customers' personal information only in accordance with our instructions (and for the purposes we disclose).
- Subprocessors
UKG operates globally and, as such, may process personal data worldwide to provide customer support; in connection with UKG cloud operations activities (however, UKG database administrators generally do not have reason to access customer data); in connection with UKG subprocessors, a list of which is available below and their own subprocessors where applicable; and in connection with UKG professional services and/or implementation operations.
See the current list of subprocessors.
- Affiliates and Subsidiaries
We share our customers’ personal information with our affiliates and subsidiaries in order to deliver a product or service or to complete a task that a customer requests in accordance with our list of subprocessors.
- Third Party Commitment to Privacy Laws and Regulations
All UKG third parties are required to comply with all applicable laws and regulations. Those processing personal data must agree to the terms in the UKG Supplier Data Processing Addendum and the Supplier Standard Contractual Clauses to the extent applicable.
Information We Collect
We market and sell our products* and services exclusively to businesses, not consumers. Our commitments regarding the personal information we collect, use, and disclose about the end-users of those products and services are largely driven by our contracts with our business customers. The information provided below is intended to help our business customers understand our privacy practices. End-users of our products or services are encouraged to contact their employer with questions about how their personal information is being collected, used, and disclosed.
*Except for UKG Employee Vault
- Information We Collect as a Controller
UKG acts as a data controller when people visit our website and in other instances as set forth in our Privacy Notice. To learn more about the personal information UKG collects as a Controller, view the UKG Privacy Notice.
UKG also acts as a data controller in connection with UKG Employee Vault. To learn more about the personal information UKG collects as a Controller with UKG Employee Vault, view the UKG Employee Vault Privacy Notice.
- Information We Collect as a Processor
UKG customers are the controllers of the personal information that they collect, create, communicate, and store in our products*. UKG does not give anyone access to the personal information maintained in those products unless:
- We are permitted to do so in our contract with the customer
- The customer instructs UKG to do so
- The customer consents (e.g., subprocessors used by UKG)
- UKG is legally obligated to do so
- UKG has a legitimate interest (as defined under General Data Protection Regulation (GDPR) and other applicable laws) to do so
For more information about our data-processing practices, including where we store data for our products, how we secure that data, and our data-retention practices, request a copy of our Product Privacy Statements from [email protected]. To learn more about our obligations as a processor, see the UKG Customers Data Processing Agreement.
*Except for UKG Employee Vault
Responsible Use of Information We Collect
- UKG’s Responsible Use as a Controller
When we act as a controller, we use personal information for several purposes, including communicating with individuals regarding our products and services, improving our website or those products and services, and for managing job applications for people interested in working at UKG. For more information, visit our Privacy Notice.
- UKG’s Responsible Use as a Processor
When we act as a processor, the personal information we collect is used to deliver our products and services to customers. In many cases, the personal information we process about our customers’ employees and job applicants (i.e., end-users) is determined by our customers, who control what information they need in order to use our products and services efficiently and effectively. Any use we make of personal information is in accordance with our Customers’ Data Processing Agreement and Product Privacy Statements.
- Product Privacy Statements
Product Privacy Statements explain how we collect, use, disclose, or otherwise process the information of our customers’ employees and job applicants (each an end-user) on behalf of our business clients in connection with our products and services. Our Product Privacy Statements are not a substitute for any privacy notice that UKG customers are required to provide to end-users.
Product Privacy Statements are available upon request; please email [email protected].
- Customer Responsible Use as a Controller
As data controllers, our customers must undertake efforts to ensure that information is collected and processed in accordance with data-protection laws. Therefore, if our customers’ employees and job applicants have questions or concerns about the processing of their information as an end-user, they should contact the employer (our customer) directly or refer to its separate privacy policies.
- Data Retention
UKG has a data retention policy and a decommissioning procedure that are designed to ensure customer data is disposed of appropriately and in accordance with our commitments to our customers. Our procedures are designed to ensure that the original, archive, backup, and ad hoc copies are properly deleted.
UKG will retain personal information only for the length of time necessary to fulfill the purpose(s) for which the information was collected or as required or permitted by applicable laws, including the resolution of disputes and in accordance with our customer contracts.
- Third-Party Disclosure of Personal Information
We do not sell personal information to third parties. Please review the Third Parties (Suppliers/Service Providers/Subprocessors) section above to learn more about how we might disclose personal information to third parties.
- Additional Disclosures
UKG might disclose your personal information if we in good faith believe that it is necessary:
- To comply with the law or with a legal process.
- For law enforcement purposes. UKG is committed to publishing data regarding requests or demands for customer data received from law enforcement and national security agencies. We publish this data twice per year (covering a reporting period of either January to June or July to December). These reports are published six months after the end of a given reporting period in compliance with restrictions on the timing of publishing those reports. View the current UKG Transparency Report.
- To protect and defend our rights and property.
- To protect against misuse or unauthorized use of our website.
- To protect the personal safety or property of our users or the public (among other things, this means that, if someone provides false information or attempts to pose as someone else, information about this person may be disclosed as part of any investigation into these actions).
- In connection with, or during negotiations for, an acquisition, merger, asset sale, or other similar business transfer that involves all or substantially all of our assets or functions where personal information is transferred or shared as part of the business assets (provided that such party agrees to use or disclose personal information consistent with our Privacy Notice or gains consent for other uses or disclosures).
We will not cross-reference personal information with that of any other customer or entity. UKG does not support “back door” access to any of its products, services, or operations (including our data stores) by any government or third party. UKG does not share its encryption keys or provide the ability to break our encryption keys with any government or third party.
Our Commitments to Global Laws, Regulations, and Ethics
We commit to comply with all applicable laws and regulations including, but not limited to, those outlined below.
- UKG Commitments to General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a comprehensive data-protection law that regulates the processing of personal data of European Union (EU) residents and empowers individuals by giving them rights that provide more control over their personal data. The GDPR enshrines major principles such as privacy by design, privacy by default, and implementation of strong technical and organizational measures designed to protect personal data.
The GDPR is not limited to the EU. It applies to all organizations that target, collect, or use the personal data of any EU resident and mandates organizations to:
- Know what data they hold and have appropriate rights to use the data
- Be accountable and able to answer questions about what type of data they hold, and, in some cases, delete data they no longer need
- Notify supervisory authorities of data breaches
- Use vendors that comply with the principles of the GDPR
- Offer European Essential Guarantees by challenging governments’ requests to access personal data
UKG is committed to compliance with the GDPR and all applicable laws. We have enhanced processes to prepare to address the rights of people in the EU, we have generated written guidance to help our customers understand how our products collect and use personal data, and we are prepared to answer questions from our customers as well as our employees.
- UKG Commitments to the Data Privacy Framework
The Data Privacy Framework (DPF) comes after years of collaboration and negotiation to reestablish a mechanism for transfers of EU personal data to the United States after the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework was invalidated by the Court of Justice of the EU (CJEU) in 2020 due to concerns regarding U.S. signals intelligence. Visit the Working Smarter Cafe to learn about how UKG welcomes the Data Privacy Framework. To learn more about how UKG complies with the Data Privacy Framework, visit our Data Privacy Framework Statement and the UKG Privacy Notice.
- UKG Commitments to the California Consumer Privacy Act
The California Consumer Privacy Act (“CCPA”) provides certain privacy-related rights to California residents. Learn more about UKG privacy practices and compliance with the CCPA.
- UKG Commitments to Asia-Pacific Economic Cooperation
UKG privacy practices comply with the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System (CBPR). The APEC CBPR system provides a framework for organizations to ensure the protection of personal information transferred among participating APEC economies. Learn more about the APEC framework.
International Transfers of Personal Information
- Transfer Impact Assessment
In line with the European Court of Justice Decision ECLI:EU:C:2020:559 of 16 July 2020 (commonly known as Schrems II), UKG has conducted a comprehensive assessment of all transfers to countries lacking European Essential Guarantees. This Transfer Impact Assessment (TIA) ensures compliance with regulations and current case law. For detailed insights into UKG's adherence to the requirements of Article 46 of the GDPR, please refer to the UKG Transfer Risk and Impact Statement.
- EU Standard Contractual Clauses
Strict data protection laws govern the transfer of personal data from the EEA, United Kingdom, and Switzerland to countries deemed by the European Commission as not offering an equivalent standard of protection, including the United States.
To address this requirement for our customers with operations in the EEA, the UK, and Switzerland, UKG has incorporated Standard Contractual Clauses (SCCs) and the UK international data transfer agreement (“UK IDTA”) into our Customer Data Protection Addendum (DPA) and our Supplier Data Protection Addendum, and has incorporated the SCCs adopted on June 4, 2021, and the UK IDTA adopted March 21st, 2022, into our current templates. View full copies of our SCCs and UK IDTA for Suppliers and for Customers.
Beginning September 27, 2021, UKG started using the new SCCs, which were adopted on June 4, 2021, for all new agreements, order forms, and other customer and supplier transaction documents.
- If your company entered into an agreement with UKG on or after September 27, 2021, or has already updated your existing agreements with the new SCCs, no action is required. The new SCCs have been incorporated into our Customer DPA and Supplier DPA and will apply to all UKG products and services agreements and to the provision of any products or services to UKG requiring the processing of EU data subjects.
- If your company entered into an agreement with UKG prior to September 27, 2021, the new SCCs are incorporated by default into our Customer and Supplier DPAs and will apply to the provision of any products or services to UKG requiring the processing of EU data subjects and to all UKG products and services agreements. This is a regulatory requirement for all businesses that transfer personal data outside the European Economic Area.
- If your company requires an amendment to include the new SCCs, please reach out to [email protected].
Note that these changes to our Customer and Supplier Data Processing Addendums are only necessary if your company shares the personal data of EU data subjects with UKG, if UKG processes it on your company’s behalf, or if your company processes such data on UKG’s behalf. The SCCs create a contractual mechanism to meet the adequacy requirement to allow for the transfer of personal data from the EEA to a third country. Learn more about the SCCs.
Data Subject Rights
If you have a question or request concerning your personal information held by UKG, including your personal information collected through your use of our products, please email [email protected]. More information on how we respond to data-subject requests is available in the UKG Privacy Notice.
Cybersecurity
We are our customers’ partner for life: we prioritize safety, accuracy, and reliability.
UKG has many dedicated policies, practices, and protocols to protect our IT infrastructure, networks, devices, and data from unauthorized access, collection, retention, and use of sensitive, confidential, and/or proprietary customer or user data, including personally identifiable information (PII). We are committed to continually improving our incident response, staff training, and additional mechanisms to ensure the security of customer and user data. Learn more.
Certifications and Memberships
For information about SOC and ISO certifications, please refer to our Cybersecurity page.
TRUSTe
iapp Gold Member
TRUSTe APAC