PERSONNEL AND JOB CANDIDATE PRIVACY NOTICE

03 June 2025

I. INTRODUCTION

Okta, Inc. ("Okta" or "we," "us") has prepared this Personnel and Job Candidate Privacy Notice (the "Notice") to describe its practices regarding how we collect, process, use, and protect Personal Data (defined below) about you as a past or present employee, employee applicant, consultant, independent contractor or agent[1], temporary employee, director, or officer (“Personnel”) and the rights that may be available to you as Personnel under applicable law in relation to your Personal Data. As used herein, “Personal Data” means information relating to individuals, and any other information required by relevant laws, as applicable to an individual.

Okta, Inc. is the controller responsible for the Personal Data that we collect and process as described in this Notice. For Personnel in the European Union (EU), the controller of your Personal Data will be the corporate entity that employs you. Please see Exhibit A for a list of affiliate entities for EU, South America, and other select regions.

If you are a California consumer, please review the Notice at Collection for California Consumers, available here.

For information about Okta’s privacy practices generally and regarding other processing activities, see our online Privacy Policy.

 

II. PERSONAL DATA WE COLLECT

We may collect your Personal Data from a variety of sources, including information we collect from you directly (e.g., when you apply for a job, during your employment, following termination of employment, etc.), and, where permitted by law, information we collect about you from other sources.

Certain Personal Data is required as a consequence of the relationship we have with you when we employ you, to enable us to carry out our contractual and legal obligations to you. Failure to provide this information may prevent or delay the fulfillment of these obligations.

Personal Data we collect directly from you

The categories of Personal Data that we may collect directly from you include the following:

  • personal details (e.g., name, age, date of birth);
  • contact details (e.g., phone number, email address, postal address);
  • family contact personal details (e.g., emergency contact details);
  • other information about you and your family (e.g., gender, marital status, family status, dietary requirements, hobbies, clothing size, etc.);
  • Government national identifier (e.g., National Insurance Number, Social Insurance Number);
  • educational and career background (e.g., your curriculum vitae);
  • employment or engagement details (e.g., position and title, employee or personnel number, career planning reports, annual review reports, job start and end dates, performance and disciplinary details);
  • employment and salary administration information (e.g., salary amount, tax information, bank details, benefit details, equity and other compensation, immigration and visa details, work permit and license and certificate numbers);
  • other relevant data with respect to your job application or employment/engagement with us or members of our affiliates (e.g., job location, working conditions, special leave, special needs, holidays, etc.);
  • data regarding special agreements (e.g., study allowances, guarantees for mortgage loans, health insurance allowances);
  • image and voice data (e.g., audio recordings, visual, electronic, or other similar information, such as photos or audio or video recordings captured during your employment or engagement);
  • Internet and other electronic network activity information (e.g., access information, device security configuration and settings, device identifiers, operating system version, device display name, usernames and passwords or other authentication data, closed circuit television recordings, key-cards, browsing history, search history, file downloads and uploads, and information regarding your interaction with our website, workplace applications, intranet site or other applications, including technical information, analytics and metrics related to productivity and development, and emails and electronic content, contained on, collected through, or produced using an Okta or other company-issued device);
  • data about your charitable donations and volunteering through Okta (e.g., details about the charities which you gave to, amounts, and volunteer hours);
  • personal health information you provide for you and your family (e.g., related to the provision of health benefits or accommodations or office safety protocols, such as vaccination status, health questionnaires, or other similar health information);
  • sensitive information (e.g., gender, race, ethnicity, religious or philosophical beliefs, criminal convictions and offenses, or other such information); and
  • any other information you provide to Okta or its service providers in connection with your application, including information contained in a cover letter, information disclosed in an interview or other information you volunteer (e.g., through feedback surveys or other methods).

Personal Data we collect from other sources

The following are examples of the categories of Personal Data we may collect from other sources in compliance with local laws:

  • personal details (e.g., name, age, date of birth);
  • contact details (e.g., phone number, email address, postal address);
  • educational, career, and criminal background (e.g., references from former employers¹, performance information, educational qualifications, publicly available information about you related to your career and education, such as your LinkedIn profile);
  • other information about you and your family (e.g., gender, marital status, family status);
  • employment administration data (e.g., tax payment details); and
  • performance details (e.g., interview feedback or feedback from other Personnel).

¹ Okta treats references provided as part of a job application as confidential.

III. HOW WE USE YOUR PERSONAL DATA AND THE BASIS ON WHICH WE USE IT

We use your Personal Data in relation to your job application and (current or past) employment or engagement with us, to:

  • recruit and hire, including to conduct background checks; 
  • carry out our obligations to you under your employment contract;
  • exercise our rights under your employment contract or relationship with Okta, as applicable;
  • provide any services you request from us;
  • keep our records accurate and up-to-date;
  • monitor compliance with Okta policies and procedures and conduct investigations, such as for responding to complaints, data loss prevention issues, and security incidents, and to conduct other monitoring activities as permitted by applicable law;
  • comply with legal and other compliance obligations to which we are subject; and
  • otherwise run our business, such as evaluating data for financial planning, managing personnel relations, business intelligence (e.g., for growth and sales analysis, understanding use of business tools, and other similar planning and administration purposes), and preparing analyses and people metrics.

Legal Bases for Individuals in the European Economic Area (“EEA”), United Kingdom (“UK”), and Brazil

In some regions, we must have a legal basis to process your Personal Data. In most cases the legal basis will be one of the following:

  • to fulfill our contractual obligations to you, for example, to ensure that your salary is paid correctly, and for ensuring you have appropriate access to our systems and premises;
  • to meet our legal obligations to you as your employer, for example, health and safety obligations while you are on our premises, or to other entities (e.g., tax authorities); 
  • to meet our legitimate interests, for example, to ensure that we can provide you with any services or to automate business processes, for example, HR services from us, and that our records are kept up-to-date and accurate; and 
  • in limited circumstances, we will rely on your consent for various uses of your Personal Data. For example, with your consent, we may collect certain sensitive Personal Data to help us understand the diversity of our workforce. Whenever such consent is granted, you may withdraw your consent at any time.

Sensitive Categories of Personal Data

We collect and process certain sensitive categories of Personal Data about Personnel where necessary and in compliance with applicable local data protection laws. In particular, Okta processes health data, disability, military status, trade union membership, nationality, and racial and/or ethnic data, as required and to the extent permitted under local laws to carry out its obligations in the field of employment, health and safety, social security and social obligations law and, where necessary, for the establishment or defense of legal claims. These categories of data may also be aggregated to produce diversity statistics in order to support internal diversity initiatives. In the event we collect sensitive data from you for other purposes, we will provide you with additional notice or confirm your consent at collection.

IV. HOW WE STORE PERSONAL DATA AND WHO CAN ACCESS IT

Okta maintains an automated record of each individual Personnel’s Personal Data. This automated record contains most of the data held in the individual’s personnel file. Additionally, Okta maintains Personal Data in various human resources applications, including applications for payroll, benefits, talent management and performance management. Okta may maintain individual hard-copy personnel files. The people team maintains these files in a secure environment. Furthermore, Okta also maintains Internet and other electronic network activity information of workplace activities such as emails and of content created through workplace applications such as Slack for various purposes, including but not limited to, security, legal, workplace services, audit, and for business management.

Access to Personal Data is restricted to those individuals who need such access for the purposes listed above or where required by law, including members of the people team, the managers in the individual’s line of business, and to authorized representatives of Okta’s internal control functions such as compliance, internal audit, security, finance, workplace services, and legal. Access may also be granted on a strict need-to-know basis to other managers in the company, where relevant, if the individual is being considered for an alternative job opportunity, or if a new manager appointed in the line of business needs to review files. All Personnel, including managers, are bound by the requirements of this Notice. 

V. PRIVACY RIGHTS OVER YOUR PERSONAL DATA FOR EEA, ARGENTINA, AND BRAZIL RESIDENTS AND OTHER SELECT REGIONS

Please let us know if any of the Personal Data that we hold about you changes, so that we can correct and update the information in our systems. 

Depending on your region, you may have rights permitting you to view, delete, correct, or update the Personal Data you provide to us by reaching out to privacy@okta.com or completing our request form, available at https://preferences.okta.com/privacy/.

In certain circumstances, you may object to specific processing activities, require us to restrict how we process your Personal Data, and ask us to disclose your Personal Data in a usable format with another company. Where you have given your consent to a particular type of processing, you may withdraw that consent at any time.

You also have the right to lodge any complaint or concerns with your local data protection authority. You can find a list of the EU DPAs here.

If you would like to make a request and exercise your rights described above, please complete our online form, or contact us via our toll-free number (USA): 888-655-1161. If you would like to learn about our verification process, including the details that you must provide to us to verify your request, click here.

VI. SHARING OF PERSONAL DATA

In general, we do not disclose your Personal Data with other entities (other than with our affiliates and service providers acting on our behalf or Personnel on a need-to-know basis) unless we have a lawful basis for doing so. We may also disclose select Personal Data about you through internal tools and workplace applications (such as wikis, people management tools, and Slack) to other Personnel, such as your name, department, manager, or other details about your role at Okta.

We rely on third-party service providers to perform a variety of services on our behalf, and we may disclose your Personal Data to such entities. When we disclose your Personal Data in this way, we put in place appropriate measures to make sure that our service providers keep your Personal Data secure and only use it for permitted purposes. Other situations in which we may disclose your Personal Data to another entity are:

  • in the course of a sale or an acquisition of Okta, Inc., or any of its affiliates;
  • where permitted by law, to protect and defend our rights and property;
  • when required by law, and/or public authorities;
  • in the course of an audit or for other compliance or legal purposes; and
  • for external Okta marketing (e.g., sharing pictures of you at Okta events on social media or recognizing your work via the Okta blog).

VII. INFORMATION SECURITY

We have implemented generally accepted standards of technology and operational security to protect Personal Data from loss, misuse, alteration, or destruction. We require Personnel to keep Personal Data confidential and provide access to this information only to authorized Personnel and to other authorized entities.

VIII. INTERNATIONAL DATA TRANSFERS

Your Personal Data may be transferred to, stored, and processed in a country other than the one in which it was provided. When we do so, we transfer the Personal Data in compliance with applicable data protection laws. Where the transfer is to a country outside the EEA, UK, or from Switzerland, we use the standard contractual clauses or another relevant transfer mechanism. If you wish to see a copy of the relevant mechanism that we use to transfer your Personal Data, please contact us using the contact details set out below.

IX. NOTICE AT COLLECTION FOR CALIFORNIA CONSUMERS

If you are a California consumer under the California Consumer Privacy Act of 2018, as amended (“CCPA”), then this section applies to you. This section describes how Okta processes and discloses your Personal Data within the scope of the CCPA and supplements the rest of the information contained in this Notice.

Categories of Personal Data We Collect

We have collected the following categories of Personal Data about California consumers in the preceding 12 months. We may collect this Personal Data directly from you or from other entities. For additional details about the Personal Data that we collect and the sources from which we collect this Personal Data, please review the details below in addition to Section II above. The Personal Data categories are: 

  • identifiers (e.g., name, age, date of birth, email address, postal address, social security number, driver’s license number, passport number, and phone number);
  • family contact personal details (e.g., emergency contact details);
  • other information about you and your family (e.g., gender, marital status, family status, dietary requirements, hobbies, and clothing size);
  • professional or employment-related information (e.g., your resume, position and title, employee or personnel number, career planning reports, annual review reports, job start and end dates, performance and disciplinary details, and publicly available information about you related to your career and education, such as your LinkedIn profile);
  • employment and salary administration (e.g., salary amount, tax information, bank details, benefit details, equity and other compensation, immigration and visa details, work permit, and license and certificate numbers);
  • education information and details such as education history, certifications, and qualifications;
  • other relevant data in respect of your job application or employment with us or members of our affiliates/group (e.g., job location, working conditions, special leave, special needs, and holidays);
  • data regarding special agreements (e.g., guarantees for mortgage loans, and health insurance allowances);
  • data for the monitoring of and complying with Okta policies and procedures (e.g., investigations, security, including incident monitoring, and authentication);
  • audio, electronic, visual or similar information (e.g., photos, closed circuit television recordings, badge-readers and key cards);
  • internet and other electronic network activity information (e.g., access monitoring information, browsing history, search history, and information regarding your interaction with our website, workplace applications, intranet sites or other applications, including technical information, contained on or collected through an Okta-issued device, and, in some cases, emails and content, videoconference, and other communications tools);
  • data about your charitable donations and volunteering through Okta (e.g., details about the charities which you gave to, amounts, and volunteer hours); and
  • any other information you provide to Okta or its service providers (e.g., in connection with your application, including information contained in a cover letter, information disclosed in an interview or other information you volunteer, as well as through feedback surveys or other methods).

Categories of Sensitive Personal Data We Collect

We may collect certain data that qualifies as sensitive Personal Data, such as:

  • Social Security Number, driver’s license, state identification card, or passport number;
  • Citizenship or immigration status;
  • User ID and password or other authentication credentials;
  • Contents of emails or other electronic transmissions;
  • Personal Data that reveals racial or ethnic origin, and religious or philosophical beliefs;
  • Personal Data collected and analyzed concerning health, which you provide for you and your family (e.g., your disability status or any requests for accommodation during the application process, information related to the provision of health benefits or accommodations or office safety protocols, such as vaccination status, health questionnaires, or other similar health information); and
  • biometric data relating to image and voice (e.g., audio recordings, visual, electronic, or other similar information, such as photos or audio or video recordings captured during your employment).

Sources of Personal Data Collected

Other than directly from you, we may collect the above categories of Personal Data from the following categories of sources:

  • background check and employee screening agencies;
  • former employers, references and/or coworkers;
  • educational institutions;
  • Okta employees who interview you and who may provide feedback about you;
  • publicly-available sources, such as social media accounts, including LinkedIn for identifying candidates;
  • recruiting and staffing partners or other jobs websites; and
  • professional licensing and certification bodies.

Purposes for which We Collect and Use Personal Data

We collect the above categories of Personal Data in relation to your job application and employment for the purposes described below and as detailed in Section III to:

  • recruit and hire, including to conduct background checks; 
  • carry out our obligations to you under your employment relationship, such as administering payroll and benefits;
  • review work performance and determine performance requirements;
  • establish emergency contacts and respond to emergencies;
  • compile internal directories, such as employee directories;
  • exercise our rights under your employment relationship with Okta, as applicable;
  • provide any services you request from us;
  • keep our records accurate and up-to-date;
  • monitor compliance with Okta policies and procedures and conduct investigations, such as for responding to complaints, data loss prevention issues, and security incidents, and to conduct other monitoring activities as permitted by applicable law;
  • with your consent, send you information about positions at Okta that may be of interest to you;
  • comply with legal and other compliance obligations to which we are subject; and
  • otherwise run our business, such as evaluating data for financial planning, managing personnel relations, business intelligence (e.g., for growth and sales analysis, understanding use of business tools, and other similar planning and administration purposes), and preparing analyses and people metrics.

Purposes for which We Collect and Use Sensitive Personal Data

We collect and process the above categories of Sensitive Personal Data where necessary and in compliance with applicable local data protection laws. In particular, Okta processes health data, disability, military status, trade union membership, nationality, racial and/or ethnic data, and citizenship and immigration status as required and to the extent permitted under local laws to carry out its obligations in the field of employment, health and safety, social security and social obligations law and, where necessary, for the establishment or defense of legal claims. These categories of data may also be aggregated to produce diversity statistics in order to support internal diversity initiatives. In the event we collect sensitive data from you for other purposes, we will provide you with additional notice or confirm your consent at collection.

No Sale/Sharing of Personnel Personal Data

Okta does not sell or share your Personal Data and has not sold or shared any Personal Data, including Personal Data of any consumers under 16 years of age, in the 12 months preceding the effective date of this Notice.

Personal Data Disclosed for Business Purposes

We collect all the above categories of Personal Data and may disclose such Personal Data to authorized external service providers to support our recruitment and employment processes. In the past 12 months, Okta has disclosed each of the categories of Personal Data detailed above to authorized external service providers as described in Section VI above and for the following business purposes:

  • administering payroll and benefits, managing absence requests, and processing employee claims (e.g., worker compensation and insurance claims);
  • verifying references and qualifications for employment, and where permitted by law, administering background checks;
  • verifying employment eligibility; 
  • facilitating work-related travel and relocation requests, including international transfers;
  • providing employee maintenance and support services, such as HR support activities and services;
  • distribution of Okta merchandise and team building activities;
  • to facilitate collaboration across Okta, such as by use of wikis, people management tools, and Slack; 
  • network activity and access monitoring to monitor interactions with our website, premises, workplace applications, intranet sites, or other applications; and
  • to provide insight into technical information contained on or collected through an Okta-issued device, and in some cases, emails and content, videoconference, and other communications tools.

Your California Privacy Rights

Under the CCPA, if you are a California consumer, you have rights to understand and request that we disclose how we collect, use, disclose, and sell your Personal Data to the extent permitted by applicable law.

Right to Request Deletion of Personal Data. You have the right to request the deletion of your Personal Data collected or maintained by us as a business, subject to certain exceptions.

Right to Correct Inaccurate Personal Data. You have the right to request that we correct inaccurate Personal Data that we maintain about you.

Right to Know What Personal Data is Being Collected and Access Personal Data. You have the right to know what Personal Data we have collected about you. You have the right to request the specific pieces of Personal Data we have collected about you.

Right to Know What Personal Data is Sold, Shared, or Disclosed and to Whom. You have the right to request that we disclose the categories of Personal Data that we have collected, sold, shared, or disclosed for a business purpose, and the categories of third parties to whom your Personal Data was sold, shared, or disclosed for a business purpose. Okta does not sell or share your Personal Data and has not sold or shared any Personal Data in the 12 months preceding the effective date of this Notice.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA.

Authorized Agent. You may designate an authorized agent to make a request under the CCPA on your behalf by providing us with a copy of your power-of-attorney document granting that right.

Financial Incentives. We do not provide any financial incentives tied to the collection, sale, or deletion of your Personal Data.

Process for Exercising Your CCPA Rights

If you would like to make a request and exercise your rights described above, please complete our online form, or contact us via our toll-free number (USA): 888-655-1161. If you would like to learn about our verification process, including the details that you must provide to us to verify your request, click here.

X. DEPENDENTS’ PRIVACY

We may process Personal Data of your family members, including your children. When we do so, we will do so in compliance with data protection laws as they apply to children.

XI. RETENTION OF YOUR PERSONAL DATA

We will retain your Personal Data for as long as is needed to fulfill the purpose(s) for which it was collected, and other permitted, compatible purposes. We determine the appropriate retention period by considering the purpose(s) for which it was collected; the required retention period of Personal Data pursuant to any applicable legal requirements, especially to comply with employment-related regulatory requirements that require us to retain your Personal Data for a certain period of time; the duration of your employment; to resolve potential disputes; or to preserve evidence within the scope of statutory limitations. We securely retain records of any data requests for at least 24 months in compliance with the CCPA.

XII. CONTACT US

If you have questions or concerns regarding the way in which your Personal Data is being processed, please contact our data protection officer directly (currently, Tim McIntyre - tim.mcintyre@okta.com), or reach out to privacy@okta.com.

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. For some regions, if you believe that we have not been able to assist with your complaint or concern, then you have the right to make a complaint to your local data protection authority. If you are an EU resident, see this link to find your relevant data protection authority.

XIII. CHANGES TO THE PRIVACY NOTICE

You may request a copy of this Notice from us using the contact details set out above. We may modify or update this Notice from time to time. You will be able to see when we last updated the Notice because we will include a revision date. Changes and additions to this Notice are effective from the date on which they are posted. Please review this Notice from time to time to check whether we have made any changes to the way in which we use your Personal Data.

EXHIBIT A

Auth0 Argentina S.A. | Argentina
Auth0 Belgium (Auth0 Ltd. Branch) | Belgium
Auth0 International LLC | Delaware
Auth0 Ltd. | United Kingdom
Auth0 Ltd. Czech Republic. | Czech Republic
Auth0 Puerto Rico, Inc. | Puerto Rico
Auth0 Uruguay S.A. | Uruguay
Auth0, LLC | Delaware
Okta Australia Pty Limited | Australia
Okta France SAS | France
Okta GmbH | Germany
Okta Identity India Private Limited | India
Okta Identity Ireland Limited | Ireland
Okta Identity Korea Limited | Korea
Okta Identity Netherlands B.V. | Netherlands
Okta Identity Philippines Inc. | Philippines
Okta Identity Spain, S.L. | Spain
Okta International LLC | Delaware
Okta Italy S.r.l. | Italy
Okta Japan K.K. | Japan
Okta Poland sp. z o.o. | Poland
Okta sg Pte. Ltd. | Singapore
Okta Software Canada, Inc. | Canada
Okta Switzerland GmbH | Switzerland
Okta UK LTD | United Kingdom
SaaSure México, S. de R.L. de C.V. | Mexico
SaaSure Sweden AB | Sweden
Spera Cybersecurity Inc. | Delaware
Spera Cybersecurity Ltd | Israel