GPM Global · Policy Document · Data Protection

GPM® Data Protection Policy

Incorporating GDPR, UK GDPR, PIPEDA, and CCPA / CPRA Requirements

Introduction

As a business and an employer, it is necessary for GPM Ltd. D.B.A. GPM Global and its subsidiaries and affiliates (collectively, “GPM” or the “Company”) to collect, store, and process personal data about our employees, contingent workers, customers, suppliers, and other third parties with whom we engage to provide products or services on our behalf.

This policy applies to all GPM employees, contingent workers, and third parties processing data on behalf of GPM. Unless specified, this policy applies in all countries in which GPM operates and/or conducts business.

Purpose

This policy establishes GPM’s obligations under applicable data protection laws and provides a framework for compliance. It applies alongside GPM’s Privacy Policy, Acceptable Use Policy, and related data security standards. The purpose is to help all personnel comply with legal obligations and to enable individuals about whom GPM holds personal data to have confidence in how that data is handled.

Definitions

Data Controller / PII Controller: The entity that determines the purpose and means of processing personal data.
Data Processor / PII Processor: The entity that processes personal data on behalf of the controller.
Data Protection Laws: All applicable data protection and privacy laws, including the EU GDPR, UK GDPR, Canada’s PIPEDA, and the California Consumer Privacy Act (CCPA) as amended by the CPRA.
Data Subject / PII Principal: The identified or identifiable individual to whom personal data relates.
Data User: Any employee, consultant, contractor, intern, temporary worker, or third party acting on GPM’s behalf whose work involves processing personal data.
Personal Data: Any information relating to an identified or identifiable individual, as defined under applicable Data Protection Laws.
Personal Data Incident: Any situation in which personal data has been or is likely to have been accessed, disclosed, altered, lost, destroyed, or used by unauthorized persons or in an unauthorized manner.
Processing: Any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, transmission, combination, restriction, erasure, or destruction.
Special Category Data: A subset of personal data including information about an individual’s race or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, medical history, or criminal convictions and offenses.

Our Responsibilities

Depending on the circumstances, GPM may act as a data controller or a data processor. As a data controller, GPM demonstrates compliance with Data Protection Laws by:

Implementing policies that enable compliance, including this policy, document retention policies, data security standards, and public-facing privacy statements.
Communicating and training employees, contingent workers, and third parties acting on GPM’s behalf about data protection requirements.
Investigating instances of non-compliance and taking appropriate remedial and/or disciplinary action.
Investigating, remediating, and providing notification of Personal Data Incidents where required.
Conducting data protection impact assessments (DPIAs) where required for new types of processing activities.
Undertaking periodic internal audits of GPM’s data protection policies and procedures.
Considering data protection at the outset of new product development or processing activities (Privacy by Design).

Processing Personal Data

Any personal data that GPM processes, or that is processed on GPM’s behalf, must:

Be processed fairly, lawfully, and in a transparent manner.
Be processed only for specified, explicit, and legitimate purposes.
Be relevant and limited to what is necessary for those legitimate purposes (data minimization).
Be accurate and kept up to date, with inaccurate data erased or rectified without delay.
Not be kept longer than is necessary to fulfil the purposes for which it was collected (storage limitation).
Be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Legal Grounds for Processing Personal Data

GPM may only process personal data where a lawful basis exists under Data Protection Laws. The grounds GPM relies upon are:

Contract performance: Processing necessary to perform a contract with the data subject or to take steps at their request prior to entering into a contract.
Legal obligation: Processing necessary to comply with a legal obligation to which GPM is subject, including lawful requests from law enforcement authorities.
Legitimate interests: Processing necessary to pursue GPM’s legitimate interests, except where overridden by the interests or fundamental rights and freedoms of the data subject.
Consent: Where the data subject has freely given specific, informed, and unambiguous consent to one or more specified purposes. Data subjects may withdraw consent at any time.

Special Category Data: Where GPM processes special category data, additional conditions apply. GPM will ensure that at least one of the following applies:

Explicit consent from the data subject for one or more specified purposes.
Processing is necessary to carry out obligations under employment law, social security or social protection law, or a collective bargaining agreement.
Processing is necessary for preventive or occupational medicine or assessment of the working capacity of an employee.
Processing is necessary to protect the vital interests of the data subject or another person where the data subject cannot give consent.
Processing is necessary for establishing or defending legal claims.

Data Records Management

GPM maintains a central record of the types of personal data the Company collects and the purposes for which it is collected. GPM will only process personal data for the purposes recorded in that central record or for purposes specifically permitted by Data Protection Laws.

GPM will notify data subjects of the purposes for which their data is processed at the point of collection or, where not possible, as soon as reasonably practicable thereafter.

GPM will take all reasonable steps to erase, destroy, or amend inaccurate or out-of-date data without undue delay and, in any event, within one month of a data subject’s request (or up to three months where there are documented reasons why one month is not feasible).

Erasure and Destruction of Personal Data

Paper records containing personal data must be shredded and disposed of securely when no longer required. No other disposal method is permitted.
Electronic personal data must be deleted in a manner that puts it beyond use. Where complete deletion is not technically possible, reasonable steps must be taken to ensure deletion to the fullest extent possible.
IT is responsible for destroying or erasing personal data from electronic equipment (laptops, desktops, company-owned mobile devices, and work data on personal devices used for business).

Information Security

GPM takes reasonable measures to ensure personal data remains secure and protected against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

Encrypting personal data where appropriate.
Ensuring the ongoing confidentiality, integrity, availability, and resilience of systems and services used to process personal data.
Ensuring the restoration of access to personal data in a timely manner in the event of a physical or technical incident.
Regularly testing, assessing, and evaluating the effectiveness of technical and organizational security measures.
Requiring third parties who process personal data on GPM’s behalf to do so under written instructions, under a duty of confidentiality, and with appropriate technical and organizational security measures in place.

Data users must keep desks and filing systems clear of personal data when not in use, ensure screens displaying personal data are not visible to unauthorized individuals, and lock or log off computers when left unattended.

AI and Automated Processing

GPM does not use personal data collected from employees, customers, or third parties to train, fine-tune, or otherwise develop artificial intelligence or machine learning systems. GPM does not sell or license personal data to AI companies or data brokers.

Where AI-assisted tools are used internally for operational purposes, they are subject to appropriate data processing agreements. GPM does not engage in automated decision-making that produces legal or similarly significant effects on individuals without human review, in compliance with Article 22 of the GDPR.

Reporting a Personal Data Incident

A Personal Data Incident can occur in many ways, including:

Loss or theft of a device or file containing personal data.
Human error, such as sending personal data to an unintended recipient or accidentally deleting or altering data.
Cyber-attack, including ransomware, phishing, malware, or unauthorized system access.
Unauthorized access to secure areas of GPM offices or systems.
Unforeseen circumstances such as fire, flood, or equipment failure.
Deception by a third party to obtain personal data from GPM.

Signs that a Personal Data Incident may have occurred include unusual login activity, excessive system activity on active accounts, unusual remote access, the presence of spoof wireless networks, equipment failure, or detection of hardware or software key-loggers.

Immediate Reporting Required

Any person who becomes aware of or has reason to suspect a Personal Data Incident must immediately contact their direct manager and email the data protection contact [email address obscured by spam protection on the source page]. Do not attempt to investigate or remediate independently before reporting.

Personal Data Incident Response

In the event of an actual or imminent Personal Data Incident, GPM will:

Investigate the incident to determine its nature, cause, and extent of potential harm.
Implement steps to stop the incident from continuing or recurring and to limit harm to affected data subjects.
Notify relevant supervisory authorities within 72 hours of becoming aware of the incident where there is a risk to individuals’ rights and freedoms (as required by GDPR Article 33).
Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Record information about the incident and all steps taken in response, including documented reasoning for decisions to notify or not notify.

International Data Transfers

Under the GDPR and UK GDPR, GPM may only transfer personal data to countries outside the European Economic Area (EEA) or UK where there is an adequate level of protection or where GPM has implemented appropriate safeguards.

For transfers of personal data outside the EEA, GPM relies on Standard Contractual Clauses (SCCs) as approved under Commission Implementing Decision (EU) 2021/914 of 4 June 2021. For UK transfers, GPM uses the UK International Data Transfer Agreement or Addendum as appropriate.

GPM may also transfer personal data outside the EEA where:

The data subject has given explicit informed consent to the transfer, having been informed of any risks.
The transfer is necessary to perform a contract with the data subject.
The transfer is necessary to protect the vital interests of the data subject where they cannot give consent.
The transfer is necessary for the establishment or defence of a legal claim.

All entities within the GPM group must enter into an Intra-Group Data Transfer Agreement to ensure appropriate safeguards for intra-group transfers of personal data outside the EEA. Third parties who process personal data for or on behalf of GPM must enter into a data processing agreement with GPM that includes the required technical and organizational safeguards.

Data Subject Rights

Where GPM processes personal data, data subjects may have the following rights under applicable Data Protection Laws:

Right of access: Request information about the personal data GPM holds about them.
Right to rectification: Have inaccurate or incomplete personal data corrected.
Right to erasure: Request deletion of personal data where it is no longer needed for the purposes for which it was collected, subject to GPM’s legal retention obligations.
Right to object: Object to processing carried out on the basis of legitimate interests. GPM may continue processing if its legitimate interests outweigh those of the data subject or if processing is necessary for legal claims.
Right to restriction: Request restriction of processing where accuracy is contested, the data is needed for a legal claim, or an objection to processing is pending.
Right to portability: Receive personal data provided by the data subject in a structured, commonly used, machine-readable format where processing is based on consent or contract.
Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal.

GPM will respond to data subject requests within 30 days of receipt (extendable to 3 months where the request is complex or numerous, with notification to the data subject). GPM may need to verify the identity of the requester before processing the request. Data Subject Access Requests (DSARs) should be submitted to the data protection contact [email address obscured by spam protection on the source page].

Privacy by Design and Data Protection Impact Assessments

Data protection must be considered during the development of new products, systems, or processing activities. GPM applies privacy by design principles to minimize personal data collection and embed appropriate safeguards from the outset.

A formal Data Protection Impact Assessment (DPIA) is required where processing is likely to result in a high risk to individuals’ rights and freedoms. If you believe a DPIA may be required, contact the data protection contact [email address obscured by spam protection on the source page] before the processing activity begins.

Training

GPM provides data protection training to all employees and contingent workers at onboarding and at regular intervals thereafter. Completion is mandatory. Failure to complete required training may result in disciplinary action.

Contact

For questions about this policy, to report a data protection concern, or to submit a Data Subject Access Request:

Attention: Compliance Director, GPM Global
Address: 41592 Orianna Lane, Novi, MI 48375, USA
Email: [email address obscured by spam protection on the source page]
