Bright Horizons Data Protection Terms – Frequently Asked Questions

Does Bright Horizons have Data Protection Terms (DP Terms)?

Yes, click here for Bright Horizons’ Data Protection Terms. They set out the legal framework under which Bright Horizons processes personal information. The DP Terms cover all Bright Horizons’ services and are incorporated into our current client agreement forms. Clients who do not have these DP Terms in place may sign the DP Terms as a standalone document.

What laws do the DP Terms cover?

The DP Terms cover all applicable privacy laws for our services, including by way of example, the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 (UK), and the California Consumer Protection Act. The DP Terms are intended to assist clients with their compliance with applicable privacy laws.

Why can clients not use their own Data Protection Agreement when contracting with Bright Horizons?

The Bright Horizons’ DP Terms cover the specific processes and procedures for our services and our privacy and information security framework. In order to comply with applicable privacy laws, the DP Terms align to Bright Horizons’ services, processing activities, and information technology infrastructure/systems. For example, the DP Terms identify and incorporate the transfer mechanisms that Bright Horizons offers to its clients – currently, the Standard Contractual Clauses. The DP Terms are also drafted to integrate seamlessly with the client agreement and other relevant Bright Horizons’ documentation.

How do the DP Terms comply with Art 28 of the GDPR (processor requirements)?

Article 28 of the GDPR sets out the requirements for processors. The table below identifies the clauses in the DP Terms that comply with Article 28.

Article 28 Clauses        DP Terms Clauses/Annexes
Article 28(1)             Clauses 2, 14 and Annex A
Article 28(2)             Clauses 2 and 12
Article 28(3)(a)          Clauses 2, 5, 6, 8, 13, Annex B, and Annex C
Article 28(3)(b)          Clauses 2 and 3
Article 28(3)(c)          Clauses 2, 14 and Annex A
Article 28(3)(d)          Clauses 2 and 12
Article 28(3)(e)          Clauses 2 and 10
Article 28(3)(f)          Clauses 2, 8, 10, 14 and Annex A
Article 28(3)(g)          Clauses 2 and 9
Article 28(3)(h)          Clauses 2 and 11
Article 28(4)             Clauses 2 and 12
Article 28(5)-(10)        Not Applicable for DP Terms

How do clients incorporate the DP Terms into their existing client agreement with Bright Horizons?

The wording in our current client agreement forms incorporates the DP Terms by specific reference and, accordingly, when the client executes the client agreement it is also executing the DP Terms.

For those who wish to sign the DP Terms as a standalone document, the online DP Terms are pre-signed by Bright Horizons. In order to execute the DP Terms, the client may either click here to sign using DocuSign, or download the DP Terms here and then complete, sign and return them to dataprivacy@brighthorizons.com.

Please note that where the DP Terms are incorporated into the client agreement, the client will not need to sign and return the DP Terms to dataprivacy@brighthorizons.com.

What happens if my organization does not agree to the DP Terms?

Bright Horizons reserves the right not to enter into an agreement (or renew an agreement) for services with the client if the client does not agree to the DP Terms. If a client objects to any updates to the DP Terms, Bright Horizons reserves the right to terminate the agreement or the provision of the relevant services.

How does Bright Horizons lawfully transfer personal information outside of the EU?

On 13 July 2020, the Court of Justice of the European Union confirmed the validity of the European Commission’s standard contractual clauses as a legal mechanism for transferring personal data outside of the European Economic Area but invalidated the EU-US Privacy Shield framework. This means that companies may no longer rely on the EU-US Privacy Shield framework. However, clients may continue to use our services, relying on the European Commission’s standard contractual clauses, which are included in our DP Terms.

What about onward transfers of personal information?

Where the transfer to Bright Horizons constitutes an onward transfer, meaning the client exported personal information from the European Economic Area or the UK before transferring it to Bright Horizons, Bright Horizons has in place written contractual agreements with its processors which cover the obligations required under the Standard Contractual Clauses to the extent relevant.

Under the DP Terms, how does Bright Horizons notify clients of new sub-processors or notifiable breaches?

If clients register using this form, they will receive notifications of new sub-processors or notifiable breaches as requested. Clients may register more than one contact.

How does Bright Horizons validate its information security program?

  • Bright Horizons is a public company (NYSE: BFAM) and must comply with the Sarbanes-Oxley Act of 2002 (SOX). Section 404 of SOX mandates that all publicly traded companies establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. A third-party auditor reviews and provides an opinion as to the validity of the company’s assertions in this internal control report.

  • COBIT (Control Objectives for Information and Related Technologies) is a best practice framework and toolset created by ISACA to support information technology management and governance. As part of Bright Horizons’ SOX audit, our internal audit team and an independent third party conduct annual COBIT audits, validating Bright Horizons’ compliance with our information security programme.

  • SOC 2 reporting is an attestation by a company that certain controls are in place to meet, as relevant, the AICPA’s (American Institute of Certified Public Accountants) SOC Trust Services Criteria, and includes the opinion of an independent Certified Public Accountant. This type of report covers the control systems in place to safeguard against unauthorized access (both physical and logical) to data and systems, and to maintain availability for operation and use as committed by the company. A third-party auditor conducts a SOC 2 audit on Bright Horizons annually.

Where the GDPR is applicable, when does Bright Horizons act as controller and processor of personal information?

The GDPR determines whether a party is a controller or a processor based on the particular situation in which the party processes personal data. Depending upon the service and the processing activity, Bright Horizons acts in the capacity of the controller or the processor. Please see the tables below.

Table 1: Services

Services: On-Site Child Care, Back-up Care, Elder Care, College Coach, Special Needs, Additional Family Support, Parental Leave Tool Kit, Work + Family Space, and Coaching Services
Controller or Processor: Bright Horizons acts as the controller for all personal information it processes to provide these services (except for the Eligibility File, if applicable). Bright Horizons determines the purpose and how it processes the personal information.

Services: EdAssist Services
Controller or Processor: Bright Horizons acts as the processor in respect of the personal information it processes to provide these services (except for any coaching services for Eligible Employees). The client determines the purpose and how it processes the personal information.


Table 2: Processing Activities

Processing Activity: Eligibility Files
Controller or Processor: When a client provides Bright Horizons with an eligibility file, it does so in the capacity of the controller. Bright Horizons acts as a processor in respect of the personal information in that file and processes it as agreed with the client.

Processing Activity: Client Reports
Controller or Processor: Where Bright Horizons is the controller for the personal information, any personal information it shares with the client for reporting purposes (such as Utilization Reports) is shared on a controller-to-controller basis. Bright Horizons and the client are not joint controllers in relation to these client reports because each party processes the personal data for different purposes and does not have joint control of the personal data.


Where does Bright Horizons store its personal information?

  • Electronic

    Some personal information may remain on electronic data storage systems in the country where we provide the service. However, our primary electronic storage facilities and contact centers are located in the United States.

  • Hardcopy

    Hardcopies of the personal information we collect remain in the country where the individual receives the services or provides the information.

Who are Bright Horizons’ sub-processors?

Click here for information on Bright Horizons’ sub-processors.

Download a copy of these FAQs here