1. PURPOSE OF THIS PRIVACY NOTICE
1.1 This Privacy Notice (“Notice”) details the Personal Information (defined below) that Hellman & Friedman LLC, a limited liability company incorporated in Delaware with a principal place of business at 415 Mission Street, Suite 5700, San Francisco, CA 94105, Hellman & Friedman LLP, a limited liability partnership incorporated in England and Wales with registered address The Brunel Building, 2 Canalside Walk, London, W2 1DG and/or any other entity in the Hellman & Friedman Group (as further defined below) or its portfolio companies (collectively “H&F”, the “Firm”, “we”, “us” or “our”) collects about independent contractors or personnel of vendors to the Firm and any of their Restricted Persons (defined below) and any other of the Firm’s business contacts (hereinafter, “Business Contact(s)”, as applicable), how we collect, use, disclose and retain their Personal Information and their rights and obligations in relation to such Personal Information, where applicable. This Notice also applies to Personal Data we collect regarding any Restricted Persons (defined below), including but not limited to certain Business Contacts’ dependents and household members. This Notice and the rights contained in it apply to individuals located outside the United States and to individuals who are California residents, unless otherwise noted. This Notice uses the terms Personal Information and Sensitive Personal Information to describe certain information practices applicable to California residents and Special Category Data, as applicable to individuals in Europe. The term Personal Information may be used as applied to any individual covered by this Notice. If you are an individual covered by this Notice located in a location outside the United States and Europe, your Personal Data may be subject to similar laws as individuals located in Europe.
2. FIRM AND DATA CONTROLLER CONTACT DETAILS
2.1 The Firm may be contacted at the below for all questions relating to this Notice:
E-mail: [email protected]
Phone: +1 (415) 788-5111
Post: Hellman & Friedman LLC, 415 Mission Street, Suite 5700, San Francisco, CA
2.2 Depending on who your or your employer’s relationship is with (or for Restricted persons, your related person’s relationship), the data controller is either Hellman & Friedman LLC (having the above contact information) or Hellman & Friedman LLP with the following contact information:
E-mail: [email protected]
Phone: +44 (0)20 7839 5111
Post: Hellman & Friedman LLP, The Brunel Building, 2 Canalside Walk, London, W2 1DG
3. SCOPE
3.1 This Notice applies only to Hellman & Friedman Business Contacts and their Restricted Persons, where applicable, whose Personal Information (defined below) is collected and used by the Firm.
3.2 “Hellman & Friedman Group” means Hellman & Friedman LLC and any entity controlled by or under common control with Hellman & Friedman LLC, excluding any Portfolio Companies. “Portfolio Companies” means any portfolio companies in which funds affiliated with any members of the Hellman & Friedman Group are invested or propose to invest.
3.3 “Personal Information” or “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or other equivalent term under privacy and data protection laws but which is not publicly available.
4. WHICH CATEGORIES OF PERSONAL INFORMATION DOES THE FIRM COLLECT PURSUANT TO THIS NOTICE AND FOR WHAT PURPOSES?
4.1 The Firm may collect the following Personal Information about Business Contacts and where applicable, their Restricted Persons (defined below), and their emergency contacts, employers and/or references, as related to their relationship with the Firm. If any of your Personal Information changes, please let us know at the earliest opportunity so that our records can be updated (see Section 10 (Your Obligations in Relation to Personal Information) below for more details).
4.2 Some of this Personal Information may be considered by Law (defined below) to be Sensitive Personal Information or Special Category Data.
4.3 Below are the categories of Sensitive Personal Information, pursuant to the California Consumer Privacy Act of 2018, as amended from time to time (the “CCPA”), that Firm may collect pursuant to this Notice and the purposes for their collection and use:
- Citizenship — Which may determine eligibility of contractors to work;
- Government ID — Social Security, driver’s license, state identification card or passport number, for the purposes of determining eligibility to work;
- Accounts — Account log-in, in combination with any required security or access code, password, or credentials allowing access to the account for use with any Firm system or application;
- Geolocation — Through the use of Firm-enabled devices for device tracking purposes;
- Race and ethnicity — Racial or ethnic origin, which may be revealed by a Government ID or when disclosed to us, for the purposes of enhancing diversity and inclusion initiatives and as may be requested by our existing or potential investors or required by applicable Law (defined below);
- Communications — Mail, email, and text messages (including through SMS, WhatsApp and similar channels) communicated through Firm devices or otherwise to the extent we have access, for the purposes of monitoring and retention (where permitted by Law, as defined below);
- Biometrics — Thumbprints (where required for access to Firm devices, if any);
- Health — such as vaccination-related information, reasonable accommodations, food allergies, meal preferences and Personal Information related to accident reporting to maintain health and safety and/or to meet reporting obligations, should you visit our offices or attend a Firm event.
4.4 A few of the above categories of information are also considered Special Category Data under the General Data Protection Regulation (the “GDPR”), as amended from time to time, namely, race/ethnicity information, biometrics and data related to health.
4.5 The following are categories and uses of other Personal Information that the Firm may collect pursuant to this Notice and the purposes for their collection and use:
- Identity information — such as title, employer, full name, preferred name, previous names, other unique ID numbers and Government ID. The Firm uses this information, where relevant, for eligibility and engagement purposes, including, verifying eligibility to perform services, obtaining professional and personal references and screening of educational and professional background data prior to and during the course of a relationship with the Firm, including carrying out background checks (where permitted under applicable Law, as defined below), for monitoring compliance with Firm policies as well as to manage the engagement and services provided to the Firm.
- Contact information — such as home and work address, phone number(s), email address(es) and emergency contact information. The Firm uses this information to communicate with its Business Contacts and with respect to independent contractors and vendors, for engagement management and administrative purposes, as well as managing engagements, for work scheduling (both administratively and organizationally), and for planning, drafting and managing working schedules and tasks.
- Financial and Transactional Information — including wire instructions, engagement details, bank account details, and Tax Identification or Social Security Number, as applicable. The Firm uses this information for the administration of payment of invoices and the reimbursement of expenses, where applicable; for monitoring compliance with Firm policies as well as to manage the engagement and services provided to the Firm. Depending on your relationship with the Firm, we may also collect data in relation to insider trading compliance policies, including details of personal trading, accounts, holdings or other transactions, details of bank or brokerage account and other financial information (such as name of broker, transaction and securities details, account holdings and balances, positions, amounts, account holder information and other account information), in each case in respect of the contractor, the contractor’s spouse, registered domestic partner (or the equivalent), any child under the age of 18, any child under the age of 25 for whom the contractor contributes materially to their support or any other relative residing with you (“Restricted Persons”);
- Commercial Information — such as data with respect to relationship management and development, including date of engagement, relationship category, full/part-time status, where applicable, travel for the purposes of the services provided, including credit card details, special meal requests and travel preferences, for the purposes of maintaining the relationship and scheduling any engagement-related travel;
- Professional and Education Information — such as data with respect to qualifications, references, resumé(s) or curriculum vitae and language(s) spoken, where applicable. The Firm uses this information for engagement eligibility purposes, including verifying eligibility to provide services, obtaining professional and personal references and screening of educational and professional background data prior to and during course of your relationship with Firm, and background checks (as explained further below and where permitted under applicable Law, as defined below), for engagement management and administrative purposes;
- Background information — such as proof of eligibility to work, such as citizenship status and details of any visa or work permit application, background checks (including education, professional licenses, litigation and criminal records, regulatory matters, including sanctions screening, directorships or other outside affiliations, social media and credit checks, where permitted by Law, as defined below) and membership in professional bodies or associations;
- Communications – mail, email, text messages (including through SMS, WhatsApp and similar channels), calls, voicemail and other messages communicated to us or otherwise to the extent we have access (e.g., through our Wi-Fi, as applicable), including for the purposes of monitoring or surveillance (where permitted by Law, as defined below), quality, business, regulatory analysis, and legal and regulatory compliance (including compliance with requirements applicable to members of the Hellman & Friedman Group or the Firm).
- Audio, electronic, visual, and similar information — such as data related to use of building access control systems, including time and location of entry and exit, license plate number, access to restricted zones and security camera footage, data related to access to and usage of office equipment and resources including but not limited to telephones, soft phones (and mobile phones where issued by the Firm), voice messaging, Wi Fiinternet and other communication systems, cost recovery systems, document management systems, contact management systems and online databases, and other computer systems, where applicable. The Firm uses this information for management of access controls of premises and usage of the building and facilities of the Firm (including CCTV and parking lot data which may be accessed by the Firm), for management of access to and usage of office equipment, systems and resources including but not limited to telephones, soft phones, (mobile phones, laptops and portable devices, where issued by the Firm) and more generally the computer network and applications, for maintaining the security of the Firm’s network, for physical security, and to manage the engagement and services provided to the Firm;
- Inferences — based on information concerning an individual to create a summary about, for example, skills and preferences; and
- Voluntary information — Any personally identifiable information about you that is shared with us, for example, during engagement pitches and meetings.
Under certain privacy laws, we must have a legal basis to process Personal Information. In most cases our legal basis will be one of the following:
- to fulfil our legitimate interests as described above, for example to manage engagements and the services provided to the Firm, to communicate with Business Contacts, and for administration purposes. Where we rely on legitimate interest, we put in place, when needed, safeguards designed to protect your privacy interests, freedoms, and rights under applicable Law;
- to comply with our legal and/or regulatory obligations, for example to comply with regulatory requirements to monitor and retain communications; and
- to fulfil our contractual obligations, for example to ensure that invoices are paid correctly.
In certain cases, we may also ask for your consent to collect and use certain types of Personal Information where required to do so by law, for example should we decide to use cookies or request that you complete a demographic survey. Where you provide consent, you may withdraw it at any time using the details at the end of this Notice.
If you fail to provide certain Personal Information to us on request, we may not be able to perform the contract we have entered into with you or your employer, and/or may not be able to provide you with information or services you may have requested.
5. FROM WHOM DO WE COLLECT PERSONAL INFORMATION COVERED BY THIS NOTICE?
5.1 Depending on the nature of the engagement or your relationship with the Firm, we may receive Personal Information from the following categories of sources:
- directly from you, your employer or agency;
- other entities in the Hellman & Friedman Group or the Firm;
- other of our suppliers, for example:
- background and verification check providers;
- training and communication providers;
- compliance monitoring and other compliance service providers;
- information security providers;
- physical security providers;
- emergency contact, emergency management and health and safety service system providers;
- where applicable, your (and your Restricted Persons’) financial advisors, brokerage firms, banks or other financial institutions (including through trading data feeds);
- public sources, such as publicly available media, including social media; and
- government agencies and regulatory bodies.
6. FOR HOW LONG DO WE RETAIN PERSONAL INFORMATION COVERED BY THIS NOTICE?
6.1 We retain Personal Information for so long as we need it to fulfil our business purposes, in accordance with schedules contained in Firm policies and procedures, including for effective management of firm practices (“Policies”).
6.2 We may retain Personal Information for a longer period than as stated in our Policies:
- Where required by law, regulation, legal or judicial process or audit, decision of a court or arbitral tribunal, decision of a governmental authority with relevant powers, by the rules of applicable stock exchange or recognized marketplace, or by a regulator, bank examiner or self-regulatory organization or pursuant to mandatory ethics rules applicable to the Firm or its affiliates (collectively, “Law”); or
- As reasonably required in relation to any claim or investigation pursuant to any Law and/or any matter which may lead to such a claim or investigation.
7. TO WHOM DO WE DISCLOSE PERSONAL INFORMATION COVERED BY THIS NOTICE?
7.1 Depending on the nature of the engagement or your relationship with the Firm, the categories of third parties to whom we may disclose Personal Information for our business purposes and to comply with Law are:
- other entities in the Hellman & Friedman Group or the Firm;
- our service providers such as cloud and other data management and storage providers, IT asset managers, information security and desktop support providers; and IT consultants;
- physical security providers (e.g., office security);
- compliance monitoring agencies and other compliance service providers;
- invoicing, reimbursement and payment tracking services and other payment systems;
- our professional advisors, such as tax advisors and law firms;
- emergency contact, emergency management and occupational health and safety service system providers;
- existing or potential investors in funds affiliated with the Hellman & Friedman Group;
- financial institutions, business partners of and other vendors to the Firm; and
- corporate services providers to the Firm.
7.2 Where the Firm is under an obligation to do so by Law, it will disclose Personal Information to regulators, courts, law enforcement or tax authorities, or in the course of litigation or other legal or regulatory matters. The Firm will use reasonable efforts to disclose the minimum Personal Information necessary in such cases.
7.3 Personal Information may also be disclosed to other third parties, upon your request.
7.4 We do not, and will not, sell or share Personal Information, as those terms are used in the CCPA, including on residents under age 16, pursuant to this Notice.
8. SAFEGUARDING PERSONAL DATA; INTERNATIONAL DATA TRANSFERS
To protect your personal data from unauthorized access, use and disclosure, we use security measures that comply with applicable Law.
Where we transfer your personal data to our group entities that are outside the UK or the European Economic Area, this will be done, to the extent appliable to you, under the European Commission’s standard contractual clauses (the “SCCs”) for the transfer of personal data to third countries, pursuant to Decision the Commission Decision of 16 December 2016, as amended by the implementing Decision 2021/914/EU of 4 June 2021, and the UK Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, including Section 119A of the UK Data Protection Act 2018 and the associated UK Addendum to the SCCs, each as amended from time to time, or other appropriate safeguard which complies with applicable data protection Law. You can contact us for more information about this.
9. PERSONAL DATA REQUESTS
We detail below certain rights in relation to Personal Information, which may apply to you under applicable Law, depending on your location.
9.1 Under the GDPR and similar international Laws, depending on your location:
- Right to Access: You may have the right to ask us to access your Personal Information and be provided with certain information about how we use your Personal Information and who we disclose it to.
- Right to Correct: You may have the right to ask us to correct your Personal Information where it is inaccurate or incomplete.
- Right to Delete: In certain circumstances, you may have the right to ask us to delete your Personal Information:
- where you believe that it is no longer necessary for us to hold your Personal Information;
- where you have withdrawn your consent to particular processing and there is no other legal ground available;
- where we are processing your Personal Information on the basis of legitimate interests and you object to such processing and we cannot demonstrate an overriding legitimate ground for the processing; or
- where you believe your Personal Information which we hold is being unlawfully processed by us.
- Right to Restrict Certain Processing: In certain circumstances, you may have the right to ask us to restrict (stop any active) processing of your Personal Information:
- where you believe your Personal Information is inaccurate and while we verify accuracy;
- where we want to erase your Personal Information as the processing is unlawful, but you want us to continue to store it;
- where we no longer need your Personal Information for the purposes of our processing, but you require us to retain the data for the establishment, exercise or defence of legal claims; or
- where you have objected to us processing your Personal Information based on our legitimate interests and we are considering your objection.
- Right to Object: You can object to our processing of your Personal Information based on our legitimate interests and we may no longer process your Personal Information unless we can demonstrate an overriding legitimate ground.
- Right to Portability: In certain circumstances, you may have the right to ask us for a copy of your Personal Information in a structured, machine-readable format and to ask us to share (port) this data to another data controller.
- Right regarding Automated Processing: While you may contest a decision made about you based solely on automated processing, we do not currently use automated decision making with respect to you.
- Right to Withdraw Consent: Where you have provided your consent to us processing your Personal Information, you may withdraw your consent, but this does not affect the validity of processing carried out prior to your withdrawal.
How to Exercise these Rights: To exercise any of these rights above, please email us at [email protected]. This is without prejudice to your right to raise a concern with the applicable data protection supervisory authority.
9.2 Under the CCPA, if you are a California resident:
- Request to Know: You have the right to request that we disclose Personal Information that we have collected, sold or shared about you. Subject to verification and any limitations under the CCPA, we will disclose the following:
- The categories of Personal Information we have collected;
- The categories of sources from which the Personal Information was collected;
- The business or commercial purpose for which we collected the Personal Information;
- The categories of third parties to whom we disclose Personal Information; and
- Specific pieces of Personal Information that we have collected about you.
- Right to Delete: You have the right to ask us to delete Personal Information that we collected from you, subject to exceptions.
- Right to Correct: You have the right to request that we correct inaccurate Personal Information that we maintain about you.
- Right to Limit Use of Sensitive Personal Information: You have the right to request that we limit the use and disclosure of your Sensitive Personal Information. However, we do not use or disclose your Sensitive Personal Information other than as permitted for purposes specified in section 7027, subsection (l) of the CCPA. Accordingly, this right is inapplicable.
- Right to opt-out of sale/sharing: You have the right to opt out of the sale/sharing of your Personal Information. However, we do not sell or share your Personal Information with third parties as those terms are used in section 7013, subsection (g) of the CCPA. Accordingly, this right is inapplicable.
- Right to Equal Treatment: If you are a California resident, you have the right not to receive discriminatory treatment by us for the exercise of privacy rights conferred by the CCPA.
- How to Exercise these Rights: To exercise any of the above rights, you may submit a request by:
- We will verify your identity prior to addressing or fulfilling a request made pursuant to the CCPA. The request must provide sufficient information that allows us to reasonably verify that you are the individual about whom we hold the Personal Information.
Only you or someone legally authorized to act on your behalf, may make a verifiable request under the CCPA. Any such authorization must be in accordance with California Civil Code section 1633.1 et seq., the Uniform Electronic Transactions Act. To act on such request, your authorized agent must provide sufficient information that allows us to reasonably verify that they have been authorized by you to act on your behalf.
10. YOUR OBLIGATIONS IN RELATION TO PERSONAL INFORMATION AND THIS NOTICE
10.1 It is important that changes in personal circumstances are conveyed to us as soon as possible by contacting your contact at the Firm. These include changes to the following:
- name;
- contact details (address, phone number(s), email address(es)) and emergency contact information;
- any bank details for payment of invoices; and
- any of your Restricted Persons.
10.2 Any Business Contact that has personnel interacting with us is to provide a copy of this notice to such personnel.
10.3 Should you have Restricted Person(s), as defined above, you are to provide a copy of this Notice to them.
10.4 You may have access to Personal Information about other people and use this data during the course of your relationship with the Firm. Under the CCPA, the Firm must ensure that the Personal Information it holds about its investors, employees, contractors, vendors and other third parties are held securely. Accordingly, you must take all reasonable steps to maintain the security of all Personal Information held by the Firm to which you may have access and always use such Personal Information appropriately.
10.5 Failure to comply with this Notice may result in termination of your relationship with the Firm without notice.
11. CHANGES TO THIS NOTICE
11.1 We may update this Notice from time to time. This Notice was last updated on October 11, 2024. Any updated Notice will be available at hf.com.