Notice to Applicants Pursuant to the EU-U.S. Privacy Shield
Cass Information Systems, Inc., and its subsidiaries and affiliates (collectively, “the Company”) are committed to protecting the privacy and security of personal information and/or personal data (“personal information”) during the application and recruitment process. Due to the global nature of its business, the Company must share certain personal information related to its human resources
activities across national boundaries, including transferring personal information from the EU to the United States. The Company has self-certified that it abides by the EU-U.S. Privacy Shield (“Privacy Shield”) agreement between the United States and the European Union, and is committed to subjecting all personal information received from the EU in reliance upon the Privacy Shield as part of our human resources activities to the Privacy Shield privacy principles.
To learn more about the Privacy Shield program, please visit http://www.privacyshield.gov. To view the Company’s certification under Privacy Shield, please visit http://www.privacyshield.gov/list.
The Company’s subsidiaries and affiliates located in the EU will comply with the national privacy laws adopted pursuant to the EU Privacy Directive 95/46/EC (the “Directive”) regarding the collection, processing and transfer of your personal information.
If you have any questions about this Notice, the Privacy Shield, or the Company’s privacy policies and procedures, please contact the individuals listed in the Recourse, Enforcement, and Liability section of this Notice.
Personal Information Processed
“Personal information” is any information relating to you as an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
The Company may process personal information about applicants such as name; contact information (including home and work address; home and work telephone numbers; mobile telephone numbers; home and work email address); marital status; ethnicity; citizenship information; visa information; national and governmental identification information; drivers’ license information; passport
information; military service information; religion information; birth date and birth place; gender; disability information; employee identification information; education, language(s) and special competencies; certification information; employment history; work experience information; accomplishment information; training and development information; award information; membership information; information from interviews and phone-screenings you may have, if any; details of the type of employment you are or may be looking for, current and/or desired salary and other job preferences; reference information and/or information received from background checks, including information provided by third parties.
Purposes for Processing Personal Information
The Company processes your personal information for the purpose of carrying out its application and
recruitment process. “Process” means any operation or set of operations which is performed upon
personal information, whether or not by automated means, such as collection, recording, organization,
storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, transfer, and
erasure or destruction.
The Company may process your personal information in the application and recruitment process for
various functions, including, but not limited to: assessing your skills, qualifications and interests;
verifying your information, carrying out reference checks and conducting background checks;
communications with you during the recruitment and application process; compliance with legal
requirements or enforceable governmental requests; and other employment related purposes.
Additionally, the Company may process your personal information in connection with compliance
audits, the defense of legal claims, to meet the Company’s legal and public interest requirements, and
to meet the Company’s legitimate interests regarding the monitoring of legal obligations and
legitimate accounting activities. The Company may also process your personal information to
support, maintain, and provide security for its computer systems and mobile devices.
Finally, the Company may be required to disclose your personal information in response to lawful
requests by public authorities to comply with national security or law enforcement requirements.
The Company will offer you a clear, conspicuous, and readily available mechanism to choose (opt
out) whether your personal information is (1) to be disclosed to a third party (other than a third party
acting as an agent to perform tasks on behalf of and under the instruction of the Company) or (2) to
be used for a purpose that is materially different than or incompatible with the purpose for which it
was originally utilized or subsequently authorized by you.
Additionally, the Company will offer you a similar choice mechanism to give affirmative or explicit
(opt in) choice whether your sensitive personal information is to be disclosed to a third party or used
for a purpose other than the purposes for which it was originally collected or subsequently authorized
by you through opt-in choice. However, explicit (opt in) choice is not required when the disclosure
of the sensitive personal information is (1) in the vital interests of you or another person; (2)
necessary for the establishment of legal claims or defenses; (3) required to provide medical care or
diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or
(5) related to personal information that is manifestly made public by you.
Finally, the Company will make reasonable efforts to accommodate your privacy preferences such as
restricting access to the personal information, anonymizing certain personal information, or assigning
codes or pseudonyms when the actual names are not required for the management purpose at hand.
Any questions regarding the choice mechanisms or any privacy preferences regarding your personal
information should be directed to the individuals listed in the Recourse, Enforcement and Liability
section of this Notice.
Disclosure of Personal Information to Third Parties
Transfers from the EU to Processors in the United States
The Company’s EU subsidiaries and affiliates may transfer your personal information to a processor
in the United States solely for processing purposes. A “processor” is any third party who processes
personal information on behalf of and in accordance with the instructions of the Company. When
your personal information is transferred from the EU to the United States solely for processing
purposes, the Company’s EU subsidiaries and affiliates will comply with applicable national privacy
laws and enter into a contract with the processor to ensure that the processor (1) acts only on
instructions of the Company’s EU subsidiary or affiliate; (2) provides appropriate technical and
organizational measures to protect the personal information against unlawful destruction or accidental
loss, alteration, unauthorized disclosure or access; and understands whether onward transfers are
allowed; and (3) assists the Company’s EU subsidiary or affiliate in responding to individuals
exercising their rights under the Privacy Shield principles, taking into account the nature of the
Onward Transfers to Third Party Agents
After your personal information is transferred from the EU to the Company in the United States, the
Company may thereafter transfer your personal information to third parties acting as agents to
perform tasks on behalf of and under the Company’s instructions for the purposes set forth in this
Policy. Examples of third party agents may include payroll, benefits, and computer providers. When
the Company makes such onward transfers to third party agents, it will comply with the Privacy
Shield notice principle, ascertain that the third party agent is obligated to provide at least the same
level of privacy protection as is required by the Privacy Shield principles, and enter into a contract
with the third party agent that provides: (1) the third party agent will process your personal
information only for limited and specified purposes, (2) the third party agent will provide at least the
same level of privacy protection as is required by the Privacy Shield principles; (3) the Company will
take reasonable and appropriate steps to ensure that the third party agent effectively processes your
personal information pursuant to the Privacy Shield privacy principles; (4) the third party agent will
notify the Company if the third party agent can no longer provide the same level of privacy protection
as required by the Privacy Shield principles; and, (5) upon such notice by the third party agent, the
Company will take steps to stop and remediate any unauthorized processing.
Upon request, the Company will provide you with confirmation regarding whether it is processing
personal information relating to you and will communicate to you within a reasonable time period
the personal information the Company processes about you. Further, the Company will provide you
with access to your personal information to be able to correct, amend or delete personal information
when it is inaccurate or processed in a manner contrary to the Privacy Shield principles; except where
the burden or expense of providing access would be disproportionate to the risks to your privacy,
where the rights of persons other than you would be violated, or where the personal information of a
small number of employees is transferred for occasional employment-related operational needs.
Additionally, access may be limited or denied when granting such access would (1) compromise
confidential commercial information; (2) interfere with the execution or enforcement of the law or
with private causes of action including the prevention, investigation or detection of offenses or the
right to a fair trial; (3) violate the legitimate rights or important interests of others; (4) breach a legal
or other professional privilege or obligation; (5) prejudice employee security investigations or
grievance proceedings or in connection with employee succession planning or corporate reorganizations;
and (7) prejudice the confidentiality necessary in monitoring, inspection or regulatory
functions connected with sound management, or in future or ongoing negotiations involving the
The Company’s EU subsidiaries and affiliates will comply with local regulations to ensure that you
have access to your personal information as required by national laws regardless of the location of the
processing or storage of your personal information. The Company’s U.S. subsidiaries and affiliates
will cooperate with its EU subsidiaries and affiliates in providing such access to you.
The Company may charge you a reasonable fee for access to personal information where, for
example, the request for access is manifestly excessive or repetitive. Additionally, the Company may
set reasonable limitations on the number of times within a given time period that your access requests
will be met.
If you wish to access your personal information or become aware that the personal information the
Company maintains on you is inaccurate or is being processed contrary to this Policy or the Privacy
Shield principles, please contact the individuals listed in the Recourse, Enforcement and Liability
section of this Policy.
Recourse, Enforcement and Liability
Inquiries or complaints regarding this Policy should be directed to firstname.lastname@example.org. If the
inquiry cannot be answered or the complaint is not resolved locally, please direct the matter to:
Cass Information Systems
Attn: Privacy Officer
12444 Powerscourt Drive
St. Louis, MO 63131 USA
If a complaint remains unresolved, you should contact the state or national data protection or labor
authority in the jurisdiction where you work for resolution. A listing of the EU Data Protection
Authorities (“DPAs”) is located at:
http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
The Company will cooperate with the
competent European Union Data Protection Authorities (DPAs) and comply with the advice of such
DPAs. In the event that the DPAs determine that Cass Information Systems, Inc. did not comply with
this Policy or Privacy Shield principles, the Company will take appropriate steps to address any
adverse effects and to promote future compliance, comply with any advice given by the DPAs where
the DPAs have determined that the Company needs to take specific remedial or compensatory
measures for your benefit because of any non-compliance with this Policy or the Privacy Shield
principles, and provide the DPAs with written confirmation that such action has been taken.
The Company is also subject to the investigatory and enforcement powers of the United States
Federal Trade Commission.
The Company retains responsibility for the processing of your personal information it receives under
the Privacy Shield and subsequently transfers to a third party agent. The Company will remain liable
under the Privacy Shield principles if its third party agent processes your personal information in a
manner inconsistent with the Privacy Shield principles, unless the Company proves that it is not
responsible for the event giving rise to the damage.
Changes to this Policy
We may change this policy from time to time. We will post any changes to this policy on our
website. Each version of this policy will be identified on the bottom of the document by its effective
By submitting your application you acknowledge that you have carefully read and sufficiently
understood the above Notice and information contained therein.