Data privacy framework notice

INTRODUCTION

Sedgwick Claims Management Services Inc, CareWorks Managed Care Services Inc., York Risk Services Group and EFI Global Inc. (collectively referred to as “Sedgwick”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Sedgwick has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

If there is any conflict between the terms in this Data Privacy Framework Notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Sedgwick is responsible for the processing of personal data it receives under the DPF and subsequent transfers to a third party acting as an agent on its behalf. For further information on what personal data we process and the purpose for processing, please refer to the Sedgwick privacy notice here. Sedgwick complies with the DPF Principles for all onward transfers of personal data from the EU and UK, including the onward transfer liability provisions.

The Federal Trade Commission has jurisdiction over Sedgwick’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. In certain situations, Sedgwick may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Sedgwick by sending an email to [email protected] or [email protected].

NON-HR DATA

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Sedgwick commits to resolve DPF Principles-related complaints about our collection and use of your personal information concerning Non-HR personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, to the ICDR-AAA, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR-AAA are provided at no cost to you.

For clarity, Non-HR data includes all personal data processed by Sedgwick on behalf of its customers.

HR DATA

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Sedgwick commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website here.

Document Control:

Classification: Public
Region: International
Type: Guidance/Standard
Document Owner: Risk & Regulation
Last Review Date: 13 February 2024
Next Review Date: 13 February 2025
Version Control: V1.0 Final DRAFT