Data Protection Statement
Effective: October 19, 2024
The Myers-Briggs Company group of companies offers products and services relating to individual and organizational development. We work directly, or through international partners, with multinational corporations and public sector bodies, globally.
Under certain privacy and data protection legislation, individuals have rights as to how their personal information is handled and we acknowledge the need to treat such personal information in an appropriate and lawful manner according to the nature and classification of such data, and with processes which ensure data is safe and secure.
We are committed to complying with current privacy and data protection legislation applicable to us, including (without limitation) the California Consumer Privacy Act (CCPA), UK Data Protection Act 2018 (UK DPA), UK GDPR (as incorporated into UK law pursuant to the European Union (Withdrawal) Act 2018), EU GDPR (the General Data Protection Regulation (EU) 2016/679), and the Privacy Act 1988 (Cth) (Australian Privacy Act), together with any applicable, enacting, successor, supplementing, or amending legislation. Recent privacy laws strengthened the rights that individuals have regarding their personal information and we have aligned our Privacy Policy, and unified our privacy, data protection, and information security practices across our global operations, to ensure consistency of operation for our customers, and compliance across all jurisdictions.
Our Approach to Privacy and Data Protection
We are committed to global privacy, data protection, and information security compliance, providing robust privacy and security protections which have been built into our products, services, operations, and contracts.
We adopt a layered approach to privacy and data protection, including our public Privacy Policy which sets out in detail how we process personal information, this summary Data Protection Statement, together with Privacy Notices at various data collection points on our assessment platforms and websites. We also provide mechanisms for customers and other third parties to manage marketing preferences, cookies preferences, and participation in research and other surveys.
Privacy and Data Protection Principles
We adhere to the following data protection principles:
- lawfulness, fairness and transparency – personal information shall be processed when we have a legal basis for doing so and in a manner that is fair and transparent
- purpose limitation – personal information shall be collected only for specific, explicit, and legitimate purposes that we have clearly explained to you, and not used in any way that is incompatible with those purposes (subject to our reasonable archive, back-up and scientific research and product development practices)
- access and choice – where we control your personal information, we will provide you with the opportunity to confirm we are processing your personal information and shall make a copy available to you, with the ability to restrict or object to processing, and the ability to correct and update, within a reasonable period of a valid request you submit to us
- data minimization – personal information processed shall be adequate, relevant to, and necessary for, the purposes we have told you about, and limited only to those purposes
- accuracy and data integrity – personal information shall be accurate and kept up to date; and data subjects will be able to view, correct or modify, and limit the collection of personal information to that relevant to the products and services we provide
- storage limitation – personal information shall be kept in personally identifiable form for only as long as necessary for the purposes we have told you about (subject to our reasonable archive, back-up and scientific research and product development practices)
- confidentiality, integrity, and accessibility – personal information shall be kept securely, using appropriate technical and organizational measures
- notice, recourse, enforcement and liability – we will provide notice of our processing activities via a series of methods, including privacy notices at data collection points, statements, and our Privacy Policy, available on our websites and assessment platforms, and we have processes for handling complaints and any enforcement action
Privacy Policies and Notices
Our public Privacy Policy sets out how we handle data including how we collect, use, and retain personal information and special category personal information (sometimes called “sensitive personal data”), our legal bases for processing personal information, detail on transfers to third parties, including transfers of EU personal information internationally, as well as the rights of data subjects, including the right to withdraw consent. Our Privacy Notices at various data collection points include information, and consents where applicable, and signpost to our Privacy Policy.
Technical and Organizational Measures
Our internal policies and procedures, including our Data Protection Policies, Records Retention Policy, and Data Retention and Destruction Policy, explain how our officers, employees, and consultants shall operate in respect of handling of personal information, special category data, and other data protection matters, including collection, storage, processing, and destruction of such data.
These internal policies and procedures set out the technical and organizational measures that we take in order to prevent unauthorized and unlawful processing, or accidental loss, destruction, or damage to personal information that we hold on behalf of our customers and others. We expect all our officers, employees, and consultants to comply with all applicable privacy, data protection, and information security policies and procedures in all aspects of their day-to-day work.
Technical and organizational measures we take include:
- information security management systems and data protection systems detailing policy, governance, process, and procedures; delineation of roles and responsibilities; assurance processes; risk assessment processes; and remedial and improvement plans
- physical security measures at datacenters, our own premises, and in respect of our hardware and software, as well as our data stores and back-ups
- access controls measures including password and log-in management policies, as well as monitoring for account compromise and suspicious activity
- security and privacy technologies including anti-virus scanning
- awareness training and security checks in relation to personnel at induction, on an ongoing basis, and in the event of any specific incident or training need
- incident and response management and business continuity policies including security incident monitoring and training, business continuity plans, testing and review, and
- audit controls and due diligence including ensuring that appropriate security audit arrangements are in place.
In our role as a data controller, we are responsible for implementing such appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with privacy and data protection requirements. Our data controller obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, and accuracy, as well as fulfilling data subjects’ rights with respect to their data, together with only using data processors that operate in such a manner that their data processing will also meet the requirements of the applicable privacy and data protection laws.
We enter into contractual agreements with our processors, including data processing agreements (DPAs), international data transfer agreements and addendums (IDTAs), and EU standard contractual clauses (SCCs) where applicable. These include SCCs inter-company, specifically in respect of data transfers between our UK, European and US offices and operations. We conduct data processing impact assessments (DPIAs) and data transfer impact assessments (DTIAs) where transfers of personal information may occur to third parties, to assess and mitigate risk.
Specifically in respect of transfers to the US, we comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) (covering EU transfers to the U.S.), the UK Extension to the EU-U.S. DPF (covering UK transfers to the U.S.) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (covering Swiss transfers to the U.S.) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF.
In our role as a data processor, we are responsible for implementing such appropriate technical and organizational measures to meet the requirements of applicable privacy and data protection laws, ensuring a level of information security appropriate to the risk, and acting in accordance with the relevant data controller’s instructions. We enter into contractual agreements as appropriate with the applicable data controller, and also with sub-processors, to provide sufficient representations to implement appropriate technical and organizational measures to ensure processing will meet the requirements of applicable privacy and data protection laws, including entering into SCCs and IDTAs, where applicable, after conducting DPIAs and DTIAs as appropriate.
Data Retention
As a general principle, we keep data in personally-identifiable form only for as long as necessary to achieve the purposes for which it is being processed (subject to our reasonable archive and back-up practices). In practice, that generally means we may retain personal information: (i) for as long as your assessment platform account remains active; (ii) for as long as you continue to do business with us; or (iii) for as long as we are required or permitted to by applicable law, including for the purposes of satisfying any legal, accounting or reporting requirements. We also keep data in non-personally identifiable form as below and further set out in our Privacy Policy.
The periods that we retain data for are set out in our internal records retention and destruction policies. These set out the types of data that The Myers-Briggs Company collects and the retention periods and destruction methods for such data. To determine the appropriate retention periods for personal information, we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the personal information and whether we can achieve those purposes through other means, together with applicable legal requirements, including certain statutory retention periods. For example, in summary:
(i) in respect of active accounts on Elevate (including MBTIonline Teams on Elevate), we retain Respondent Personal Information (as set out in our Privacy Policy and comprising Respondent Assessment Data and any Demographic Data (each as defined in our Privacy Policy)) for a period determined by you, the customer and the data controller, via data retention settings within your Elevate account. These settings range from eighteen (18) months to an indefinite period, and you are able to set and change your selection via the data retention settings within your Elevate account whenever you wish (“Customer Retention Period”). If you do not set a retention period within your Elevate account, we will retain Respondent Personal Information for a period from collection to twenty (20) years after completion of applicable Assessment(s) by a Respondent (“Default Retention Period”), as further set forth in Section 11.3 of our Privacy Policy and provided the Elevate account remains active; when an account becomes inactive (where a subscription to our Services on the Elevate Platform lapses) or if a customer ceases doing business with us, we may also retain Personal Information for an additional period for our reasonable archive and back-up purposes, up to six (6) months. For further information specific to Respondents on our Elevate Platform, see our Privacy Policy;
(ii) in respect of active accounts on OPPassessment, we retain Respondent Personal Information (as further set out in Section 11.3 of our Privacy Policy and comprising Respondent Assessment Data and any Demographic Data) for a period from collection to eighteen (18) months after completion of applicable Assessment(s) by a Respondent (“OPPa Retention Period”), as further set forth in Section 11.3 of our Privacy Policy; and if you cease doing business with us, we may also retain Personal Information for an additional period for our reasonable archive and back-up purposes, up to six (6) months. For further information specific to Respondents on our OPPassessment Platform, see our Privacy Policy;
(iii) in respect of other sites, including MBTIonline.com, the Myers-Briggs App, MBTItype.com, where the nature of the service is a longer learning journey, we retain personal information in personally identifiable form for the duration that your use of the relevant site is active (with no longer being active deemed as eighteen (18) months of inactivity on the relevant site in the case of MBTIonline.com, the Myers-Briggs App and MBTItype.com, or in relation to other sites not specified, if you cease doing business with us). Note that activity on one Site, including our website, www.themyersbriggs.com, will not be deemed activity on our other sites including MBTIonline.com, the Myers-Briggs App and MBTItype.com. We may also retain your personal information for an additional period for our reasonable archive and back-up purposes, up to six (6) months; and
(iv) by law, we must keep: (a) certain customer and service provider information for seven (7) years for tax and audit requirements or such longer period as is required in other jurisdictions; (b) practitioner qualification records indefinitely; (c) statutory, corporate records indefinitely; and (d) any specific records in respect of applicable jurisdictions.
In addition, in terms of respondent personal information we collect for scientific research and product development purposes, except for those respondents who opt-in to participate in future research opportunities with us, including participating in surveys, the information we use for the purposes of such research and development is held in non-personally identifiable form. In respect of those respondents who opt-in to future research opportunities, we hold personal information in personally identifiable form for a period of 18 months as above, after which it is anonymized and thereafter used only in non-personally identifiable form.
For further information on specific retention periods for business contact personal information, respondent personal information and how retention periods operate in scenarios of multiple reports and multiple assessments for individual respondents, together with how we handle data for scientific research and product development purposes, please see our Privacy Policy.
Reporting of concerns and further information
If you have any questions about our stance on privacy and data protection matters generally or how we process personal information in detail, please refer to our Privacy Policy for further information or you can contact us as follows:
For US inquiries:
The Myers-Briggs Company
By email: support.us@themyersbriggs.com
By phone: +1 800 624 1765 (toll-free when calling from the United States)
or: +1 650 969 8901
For UK and European inquiries:
The Myers-Briggs Company Limited
By email: support.eu@themyersbriggs.com
By phone: +44 1865 404500
For purposes of EU GDPR, the Company’s EU Representative can be contacted at dleurep@themyersbriggs.com.
For Australian inquiries:
The Myers-Briggs Company Pty Ltd
By email: enquiries.ap@themyersbriggs.com
By phone: +61 3 9342 1300
For Singapore inquiries:
The Myers-Briggs Company Pte. Ltd
By email: support.asia@themyersbriggs.com
By phone: +65 6914 1030
For further information on relevant supervisory authorities and for complaints, please see our Privacy Policy.
This Data Protection Statement covers The Myers-Briggs Company, a California benefit corporation; The Myers-Briggs Company Limited, a company registered in England and Wales; The Myers-Briggs Company Pte. Ltd, a company registered in Singapore; and The Myers-Briggs Company Pty Ltd, a company registered in Australia, together with the European branch offices of The Myers-Briggs Company Limited (including The Myers-Briggs Company – France, The Myers-Briggs Company – Netherlands, and The Myers-Briggs Company – Germany, and its European operations in Belgium and Ireland). We are fully committed to ensuring that we act in accordance with privacy and data protection laws as applicable, and will take seriously any data protection concerns you raise with us.