Trewstar Data Protection and Privacy Policy

INTRODUCTION

Trewstar Corporate Board Services (“Trewstar”) is a privately held American search firm that specializes in placing exceptional candidates on corporate boards. Trewstar serves clients of all sizes – from pre-IPO to companies in the Fortune 10, in all industries, across the United States. Clients turn to Trewstar to seek, evaluate and place highly qualified, talented directors for their boards. 

Purpose

The purpose of this Data Protection and Privacy Policy is to provide protection against unauthorized access and consistent safeguards for the processing of Personal Information by Trewstar. This Policy explains which Personal Information concerning you that we collect, when and why we collect the Personal Information, how we use it, the conditions of our disclosure to third parties, as well as how we secure the stored Personal Information.

This Data Protection and Privacy Policy covers information that Trewstar collects:

1. in connection with our search, assessment, evaluation, referral, advisory or placement services, whether we are assessing or recruiting you as a potential director, advising you as a client, or communicating with you as a potential source or referee (collectively “Services”); as well as
2. when you visit our website (Trewstar.com, the “Website”), and in the usual course of business.

Definitions

In this Data Protection and Privacy Policy the following terms have the meanings established below:

A “Candidate” is any applicant, candidate or prospective candidate who is considered, evaluated or assessed for a corporate board or management position in connection with the services provided by Trewstar Corporate Board Services.

“Client” refers to any of our corporate clients, and their employees, who are seeking to recruit directors to their boards.

A “Referee” is an individual who provides a reference for an individual candidate who is being considered or might be considered for a corporate board position.

A “Source” is an individual who either refers candidates to Trewstar or provides market intelligence about a particular candidate.

A “Vendor” is a provider of products or services to Trewstar pursuant to a signed contract.

“Personal Information” is any information originally collected or otherwise used by a Trewstar data controller in the context of a search or assessment assignment, including, but not limited to Candidate name, contact information, professional experience, academic qualifications, skills, etc. Please note that this Data Protection and Privacy Policy does not apply to any Personal Information that has been anonymized and used in the aggregate such as compiling industry and employment statistics, where such data does not involve personally-identifying information and individuals are not identifiable from it.

“Processing” refers to any action performed on Personal Information by Trewstar, including, but not limited to recording, organizing, storing, modifying, disseminating, transferring, disclosing, deleting, and sharing such data among Trewstar employees and third parties as necessary for providing Trewstar Services.

Hereinafter, we will refer to this Data Protection and Privacy Policy as “the Policy.”
 

THE PERSONAL INFORMATION WE COLLECT

Candidate Information

In order to ensure that you are considered as a candidate when the opportunity arises, we must collect and maintain up-to-date information about you. We understand, however, the grave importance of safeguarding your privacy, so this section describes how we collect, use and transfer your Personal Information.

Collection of Information:

You may provide information directly to us through the website, by email, during the course of a telephone or video call, or during an in-person interview. We will consider information given during the course of these Services to be information voluntarily given. There is no obligation to provide information to Trewstar or to participate in our Services. However, we may be unable to give you due consideration for a board role, if you are unwilling to provide us with certain information. We also receive personal information from other people during the course of providing our Services. We explain below how we collect that data and the type of information collected.

Information collected from Candidates:

• Contact and other information that might be contained in a Board Bio, CV, or Resume, including your address and other contact details, your employment history and other professional qualifications, prior military service, your educational background, your skills, your interests, and activities.
• Identification data such as civil or marital status, photograph, birthdate, and gender
• Personality profile and interests, including involvement in non-profit organizations, religious and community groups, hobbies, personality characteristics, and competencies, as well as employment aspirations and board preferences.
• Diversity information (including racial or ethnic origin) may be collected where appropriate and in accordance with local law.
• Other information you may choose to share with us, such as performance history, details of dependents, citizenship or immigration status.
• A record of our contact history with you.

Information collected from Clients:

In the course of providing our services, we may receive from Clients, not only lists containing names of potential candidates, but also personal information which we process on behalf of those Clients. We use that information on behalf of our Clients to provide our Services as we have been contracted to do. If you have concerns about the privacy practices of our Clients, please review their policies or contact them directly. Our practices as set forth in this Policy may differ from theirs, and we are not responsible for their privacy standards and practices.

Information collected from third parties:

In the course of providing our Services and in the normal course of business, Trewstar may collect any of the personal information listed above under the section entitled “Information collected from Candidates” from (1) publicly available sources such as LinkedIn, newspaper and magazine articles, blogs, company websites and press releases (2) our Clients, (3) third-party sources and referees, and (4) subscription-based data providers such as BoardEx. In all circumstances, we only retain such information as those third parties are legally permitted to share.

Client Information

In order to provide Services to our Clients, we need to collect and process information about you and certain individuals working in your organization. Our general practice is to collect directly from you the names and contact details of the individuals whom we will be working with. We also maintain records of the agreements we sign and our contact history with you and the specific individuals we work with. In addition, we keep information provided by you about the company’s strategy and opportunities at the time of our engagement, insofar as these elements are relevant to achieving board refreshment goals.

We also collect information from third-party sources when appropriate to collect due diligence and background information. We may source such information from (1) publicly available media sources such as LinkedIn, newspaper and magazine articles, blogs, company websites and press releases (2) subscription-based data providers such as BoardEx (3) third-party market research.

Referee Information

We will process your contact details, including your name, email address, and telephone number and your professional details, including your employment history, as well as your connection to the Candidate. We may collect this information from you, from a Candidate or a Client, or from publicly available resources.

Vendor Information

We retain the information necessary to ensure that our business relationship (as set forth in our contractual arrangement) is seamless.

HOW WE USE THE PERSONAL INFORMATION WE COLLECT

Candidate Information

Trewstar processes and shares Personal Information only in the context of legitimate business purposes and in accordance with applicable law.

• Sharing Personal Information with Third Parties. Trewstar processes and shares Personal Information in order to match candidates who are qualified for a particular position with Client organizations who have an opening for such a position. Examples of processing for this purpose include, but are not limited to, contacting you and collecting personal information directly from you, verifying the details you have provided by requesting information from third parties (including degree verification providers, Referees or Sources), and sharing your Personal Information with a Client in providing our Services to that Client.

Information Sharing Within Trewstar: Trewstar operates across the United States and collects and disseminates Personal Information on Candidates within and across its team of employees for the purposes of Board (and occasionally Executive and Management) Search,

• Use of your Personal Information for marketing purposes. We may from time to time, and in accordance with your preferences, send you promotions or information such as newsletters, reports, or invitations that we think will be of interest. If you are placed on a corporate board by Trewstar, we may share publicly-available Personal Information with potential Clients for marketing purposes. We may also contact you regarding Services that we think would be of interest to you as a potential Client.
• Diversity & Inclusion. We are committed to diversity in the boardroom, and to ensure that our Services operate in accordance with that mission, we may collect information about your ethnic background, age, sexual orientation, religion or other similar beliefs, disability and/or socio-economic background. Where required by law, we will obtain your explicit consent before we use such information. When appropriate and when requested to do so by our Clients, we may use this information to provide our Clients with slates of diverse candidates. All diversity information will be collected in accordance with applicable local laws as described above. This involves the collection of Personal Information and the storage of that information in our databases housed in secure US-based private cloud servers.

Client Information

Data collected on our Clients is typically used to provide services and to manage our relationship both through our contract term (and in accordance with its provisions) and beyond. We may from time to time, and in accordance with your preferences, send you promotions or information such as newsletters, reports, or invitations that we think will be of interest. We may use information regarding a successful placement for marketing purposes.

Referee Information

We use your information to contact you and obtain your opinion regarding Candidates relevant to the Services we provide. We may also from time to time, and in accordance with your preferences, send you promotions or information such as newsletters, reports, or invitations that we think will be of interest. We may also contact you regarding Services that we think would be of interest to you either as a potential Client or Candidate.

Source Information

We use your information to gather information on potential and actual Candidates in the course of providing Services. We may also contact you regarding Services that we think would be of interest to you either as a potential Client or Candidate.

Vendor Information

We maintain your data to ensure that we can manage our relationship as established in our agreement.

GENERAL INFORMATION

Trewstar currently operates out of our office in Manhattan, New York. We process your Personal Information in the United States, where our offices and servers are located. Irrespective of future expansion (and including any Trewstar employee’s home office) each Trewstar office is subject to this Policy. Each employee of Trewstar, regardless of office location, is required to sign a Declaration binding them to this Policy. 

TREWSTAR STANDARDS FOR PROCESSING PERSONAL

Information

The following Standards must be upheld by Trewstar employees engaged in processing Personal Information:

• Personal Information is processed fairly and lawfully;
• Personal Information is processed for legitimate purposes associated with Trewstar’s Services;
• Personal Information is not processed in any manner incompatible with these Services;
• Personal Information is always relevant to the purposes for which the Personal Information is obtained;
• Personal Information is only used by Trewstar and is not sold or shared for related or unrelated purposes to non-licensed third parties unless otherwise stated at the time of collection or as required by law;
• Personal Information is processed and maintained in a manner that assures reasonable accuracy;
• Personal Information that is inaccurate is corrected, updated, or deleted within a reasonable time of the discovery of the inaccuracy;
• Personal Information is stored for the duration necessary for Services;
• Personal Information is protected by all necessary and appropriate protective measures –both technological and legal.
• Personal Information will not be automatically processed in any manner which will have a significant effect on the data subject, except where authorized by a law that also safeguards the data subject’s legitimate interests.
• Personal Information will not be transferred to third parties without adequate protections in place.

SECURITY, CONFIDENTIALITY AND ENFORCEMENT

Trewstar’s policy is to keep all Personal Information confidential.

The measures we have taken to ensure the protection of your Personal Information and to ensure that all processing of Personal Information is done in accordance with this Policy, including requiring all Trewstar employees to read, sign and abide by the following:

• This Policy
• The Code of Ethics and Employee Conduct: This document, included in the Employee Handbook, outlines the values and commandments of the company, including strict adherence to the confidentiality and integrity of Personal Information.
• Employment Contract: All employees of Trewstar sign an Offer Letter that contains a confidentiality clause.
• Existing Form Covenants agreement: All Trewstar employees sign this document, also incorporated into the Offer Letter by reference, which contains robust and comprehensive confidentiality provisions.

In addition, Trewstar has implemented the following safeguards:

• Access Security: Personal Information is securely stored in databases housed in secure US-based private cloud servers and can only be accessed by Trewstar employees, which access is closely monitored.
• Trewstar’s network and proprietary software are secured by appropriate physical, electronic, and managerial security procedures to prevent unauthorized access, loss, or damage to Personal Information.
• Training: All employees of Trewstar who have permanent or regular access to Personal Information, who are involved in the collection of Personal Information or in the development of tools used to process Personal Information are trained in this Policy and the best practices of handling all data.
• Trewstar.com Safeguards: To safeguard all Personal Information that is submitted by Candidates via Trewstar.com, appropriate physical, electronic, and managerial security procedures have been put in place to prevent unauthorized access, maintain the accuracy of data and ensure proper use of information via Trewstar.com.

DATA PROTECTION RIGHTS AND ENFORCEMENT MECHANISMS

Amendment or Deletion of Personal information

You may access, update, correct or request the deletion of your Personal information at any time by sending an email to info@trewstar.com. Any request made will be promptly honored by Trewstar, If the request is for deletion of a contact record, Trewstar may (consistent with applicable law) maintain minimal contact information, with a note of the request appended to the record, to avoid further unwanted contact. You may also opt-out of any marketing communications we send you at any time by clicking on “unsubscribe.” If we have collected and processed your Personal Information, you may withdraw your consent at any time; that withdrawal will constitute a request to not be considered in future searches conducted by Trewstar and will be considered an opt-out of all further communication.

If any Trewstar employee is contacted directly with such a request, she or he will forward the information to the Data Protection Officer. The Data Protection Officer will contact the individual directly and will remain Trewstar’s liaison while the handling of the request is ongoing. If the Candidate believes his or her Personal Information is being processed in contravention of this Policy, the Candidate may report the concern to their contact at Trewstar, to any Trewstar employee, or via email to contact@Trewstar.com. The matter will then be reported to the Data Protection Officer. Should the Candidate and Data Protection Officer be unable to resolve the dispute within nine months, the Candidate can lodge a complaint before the competent Data Protection Authorities.

Internal Oversight Procedures

Trewstar ensures the enforcement of this Policy through the Data Protection Officer who monitors the processing of Personal Information and conducts periodic data protection compliance audits. The Data Protection Officer is further responsible for investigating any claims related to data processing and may coordinate with Legal Counsel to analyze the scope of the alleged violation. In addition, employees will self-police their actions and the actions of peers regarding the processing of Personal Information. Employees are required to immediately report any violation to their direct superior who will notify and work with the Data Protection Officer to investigate the claim. To the extent that such matters cannot be adequately handled within Trewstar’s own resources, Trewstar may appoint an independent third party to conduct an investigation/audit of any of the procedures or issues involving this Policy. 

Publication

This Policy will be published at Trewstar.com as well as privately for Trewstar employees on its intranet. Employees are trained to adhere to this Policy and to follow the appropriate protocol. Additionally, a copy of this Policy will be distributed to any Candidate who requests one.

Legal Requirements for Data Processing

In situations where Personal Data must be disclosed as a matter of law, Trewstar will use its best efforts to lawfully resist, limit, or delay disclosure and will ensure that only the Personal Data that is necessary and relevant to the request is provided. In the event that Trewstar becomes aware of any legislation applicable to it which is likely to have a substantial adverse effect on the ability of Trewstar to comply with this Policy, Trewstar will determine a suitable course of action aimed at ensuring compliance in consultation with the relevant Data Protection Authority.

Trewstar will respond diligently and appropriately to all requests from data protection authorities regarding this Policy, including consenting to requests by a competent Data Protection Authority to audit Trewstar’s compliance. Trewstar will abide by the advice of the Data Protection Authorities on any issues related to the interpretation and application of Trewstar’s Policy. Upon request, the Data Protection Authority shall receive a copy of any compliance audits conducted by Trewstar regarding this Policy, and Trewstar will further comply with requests by the Data Protection Authorities for additional review of company-wide compliance.

Modification of this Policy

Trewstar may update or modify this Policy as needed in response to business and technological changes and shifts in legal standards. Where local law requires a higher standard for Personal Information it will take precedence over this Policy. Should Trewstar make any substantive modifications to this Policy, the changes will be promulgated via an email announcement, or a posting of the revised Policy to the intranet, and training in accordance with any legal requirements. Candidates will be informed going-forward and have access to the updated Policy at www.Trewstar.com. Trewstar will also take appropriate steps to notify the relevant Data Protection Authorities.