DataCert - The Global Leader in Legal Operations Management

DataCert Safe Harbor Policy

DataCert, Inc. and its parent and affiliates (collectively, "DataCert") respect your concerns about privacy. DataCert has certified that it abides by the Safe Harbor privacy principles as set forth by the U.S. Department of Commerce regarding the collection, storage, use, transfer and other processing of Personal Information (as defined below) transferred from the European Economic Area ("EEA") or Switzerland to the U.S.
 
DataCert's Safe Harbor certification can be found on the U.S. Department of Commerce Safe Harbor List. For more information about the Safe Harbor principles, please visit http://www.export.gov/safeharbor. For more information about DataCert's processing of Personal Information, please visit DataCert's Privacy Policy.

Definitions
For purposes of this Policy:

  • "Personal Information" means any information that (i) is transferred from the EEA or Switzerland to DataCert in the U.S.; (ii) is about an identified or identifiable individual; and (iii) is recorded in any form.
  • "Data Controller" means an entity that alone or jointly with others determines the purposes and the means of the processing of Personal Information.
  • "Data Processor" means an entity that processes Personal Information on behalf of a Data Controller in accordance with the Data Controller's instructions.

Processing of Personal Information by DataCert
DataCert processes Personal Information both as a Data Controller and a Data Processor. Below is a description of how DataCert implements the Safe Harbor privacy principles in its capacity as both a Data Controller and a Data Processor.

Data Controller: DataCert acts as a Data Controller with respect to Personal Information provided to DataCert by the company's customers in connection with payment for DataCert's products and services.
 
Data Processor: DataCert is a Data Processor with respect to DataCert's processing of Personal Information that may be contained in invoicing data transmitted by or on behalf of DataCert's customers through the company's e-billing service. In these circumstances, DataCert's customers are the Data Controllers. DataCert's customers are solely responsible for the contents of the invoicing data, and any Personal Information is included in the invoicing data at the discretion of DataCert's customers. DataCert does not receive Personal Information from and does not have a direct relationship with individuals in connection with the processing of invoicing data. DataCert processes the invoicing data (and any Personal Information such data may contain) based on the instructions of and for the purposes determined by the company's customers.
 
DataCert requires its customers by contract to comply with applicable data protection laws. DataCert has informed its customers about the need to take certain actions to comply with applicable data protection laws, including ensuring that individuals are properly informed of the processing of their Personal Information and, if necessary, have provided appropriate consent, in accordance with applicable data protection law.

Safe Harbor Privacy Principles
DataCert's practices regarding the collection, storage, transfer, use and other processing of Personal Information comply with the Safe Harbor principles of notice, choice, onward transfer, access, security, data integrity and enforcement.

Notice
In its capacity as a Data Controller, DataCert notifies individuals located in the EEA and Switzerland about the purposes for which the company collects and processes Personal Information. DataCert also notifies individuals about the types of third parties to whom the company discloses the Personal Information, the choices individuals have for limiting the use and disclosure of their information, and how to contact DataCert about its privacy practices. Individuals may view our Privacy Policy by clicking here.
 
In its capacity as a Data Processor, DataCert does not have a direct relationship with individuals whose Personal Information the company processes in the U.S. In these circumstances, DataCert's customers are responsible, pursuant to their contractual agreements with the company, for providing the required notice to individuals. The form of such notice is determined by the data protection law applicable to the relevant customer. DataCert has informed its customers that the notice should address, at a minimum: (i) the purposes for which Personal Information is collected and used; (ii) the types of third parties to whom Personal Information is disclosed; and (iii) the choices and means that individuals are offered for limiting the use and disclosure of their Personal Information.

Choice
In its capacity as a Data Controller, DataCert offers individuals the opportunity to choose whether the company may (i) disclose their Personal Information to third parties (other than to DataCert's service providers or as specified in the Onward Transfer section below) or (ii) use their Personal Information for a purpose that is incompatible with the purpose(s) for which the information was originally collected or subsequently authorized by the individual.
 
Where DataCert acts as a Data Processor, DataCert's customers are responsible, pursuant to their contractual agreements with the company, for providing choice to individuals as to whether their Personal Information may be disclosed to third parties by DataCert or used for a purpose that is incompatible with the purpose(s) for which the information was originally collected or subsequently authorized by the individual. DataCert has informed its customers about the need to (i) provide notice to individuals about DataCert's privacy practices, (ii) obtain consent from individuals with respect to such practices, where required by applicable law, and (iii) inform individuals about the possibility that DataCert may disclose their Personal Information to various categories of third parties, as specified in the Onward Transfer section of this Policy.
 
DataCert does not process Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual orientation, except where required by law.

Onward Transfer of Personal Information
DataCert may share Personal Information with:

  • DataCert affiliates;
  • Service providers DataCert has retained to perform services on the company's behalf. We require service providers to whom we disclose Personal Information and who are not subject to laws based on the European Union Data Protection Directive to either (i) subscribe to the Safe Harbor principles or (ii) contractually agree to provide at least the same level of protection for Personal Information as is required by the relevant Safe Harbor principles.
In addition, DataCert may disclose Personal Information without offering individuals an opportunity to opt out or requiring the company's customers to offer such an opportunity to individuals, (i) if DataCert is required to disclose the information by law or legal process; (ii) to law enforcement authorities; or (iii) when DataCert believes disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity. DataCert also reserves the right to transfer Personal Information in the event of a sale or transfer of all or a portion of DataCert's business or assets. Should such a sale or transfer occur, DataCert will use reasonable efforts to direct the transferee to use Personal Information in a manner that is consistent with DataCert's Privacy Policy.

Access to Personal Information
In its capacity as a Data Controller, DataCert provides individuals with reasonable access to the Personal Information that the company maintains about them. DataCert also provides a reasonable opportunity for individuals to correct, amend or delete that information where it is inaccurate. DataCert may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Safe Harbor principles.
 
Where DataCert acts as a Data Processor, DataCert's customers are responsible, pursuant to their contractual agreements with the company, for providing individuals with access to their Personal Information and allowing individuals to correct, amend and delete their information, as required by applicable law. DataCert requires its customers to maintain appropriate procedures for handling individuals' requests to access, correct or delete their Personal Information, in accordance with applicable law. To exercise these rights, individuals should contact the appropriate DataCert customer that transferred their Personal Information to DataCert. DataCert will cooperate fully with its customers in responding to any such request. In the event a request is made directly to DataCert, customers are required to cooperate with DataCert in promptly addressing such requests.

Security
DataCert maintains reasonable administrative, technical and physical safeguards to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity
In its capacity as a Data Controller, DataCert takes reasonable steps to ensure that the Personal Information the company collects is relevant for the purposes for which the information is to be used and that the information is reliable for its intended use and is accurate, complete and current. DataCert depends on its customers to update and correct relevant Personal Information whenever necessary.
 
Where DataCert acts as a Data Processor, DataCert's customers are responsible, pursuant to their contractual relationships with DataCert, for taking reasonable steps to ensure that the Personal Information is reliable for its intended use, accurate, complete and current.

Enforcement
DataCert reviews its compliance with this Policy to verify that the assertions made in it are true and that the practices the Policy contains are implemented correctly. DataCert will investigate any breach of this Policy that has been reported to the company.
 
In circumstances where DataCert acts as a Data Controller, individuals may submit complaints concerning the processing of their Personal Information by DataCert with the company's Compliance Office. If the complaint cannot be resolved through DataCert's internal process, the company will cooperate with JAMS under the JAMS International Mediation Rules.
 
In circumstances where DataCert acts as a Data Processor, individuals should submit complaints concerning the processing of their Personal Information to the company's customer that originally collected their information in accordance with the customer's relevant dispute resolution mechanism (if available). DataCert will participate in the customer's dispute resolution process at the request of the individual. If the issue cannot be resolved through the customer's internal dispute resolution mechanism, the individual may submit the complaint to JAMS for mediation under the JAMS International Mediation Rules.
 
JAMS mediation may be commenced as provided for in the JAMS International Mediation Rules, which are accessible on the JAMS website. Mediation will be conducted by telephone, email or other electronic means of communication. DataCert will take steps to remedy any problem arising out of a failure to comply with the Safe Harbor principles. DataCert may not be required, however, to take any action contrary to applicable law.
 
The mediator or the individual also may refer the matter to the U.S. Federal Trade Commission, which has Safe Harbor enforcement jurisdiction over DataCert.

How to Contact Us
Please address any questions or concerns regarding this Policy or DataCert's practices concerning Personal Information by:
 
Contacting DataCert's Chief Privacy Officer by telephone at (832) 369-6019 or by email at mark.poag@datacert.com
 
Contacting us through our website: www.datacert.com
 
Writing to:

DataCert, Inc.
Attention: Chief Privacy Officer
3040 Post Oak Blvd.
Suite 1900
Houston, Texas 77056
USA

This Safe Harbor Policy was last revised June 25, 2009. DataCert is a registered trademark of DataCert, Inc.


 

© 2010. DataCert, Inc. All Rights Reserved.