PRIVACY SHIELD POLICY

Global Data Consortium Inc. (“GDC”) has adopted this Privacy Shield Policy (“Policy”) to establish and maintain an adequate level of Personal Data privacy protection. This Policy applies to the processing of Personal Data that GDC obtains from Customers located in the European Union and Switzerland.

GDC complies with the US-EU Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from Individual Customers in the European Union member countries. GDC has certified that it adheres to the Privacy Shield Privacy Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Privacy Principles, the Privacy Shield Privacy Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov.

The Federal Trade Commission (FTC) has jurisdiction over GDC’s compliance with the Privacy Shield.

GDC complies with the US-Swiss Safe Harbor Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from Switzerland. GDC has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. If there is any conflict between the policies in this privacy policy and the Safe Harbor Privacy Principles, the Safe Harbor Privacy Principles shall govern. To learn more about the Safe Harbor program, and to view our certification page, please visithttp://2016.export.gov/safeharbor/swiss/index.asp .

All GDC employees who handle Personal Data from Europe and Switzerland are required to comply with the Principles stated in this Policy.

Capitalized terms are defined in Section 14 of this Policy.

I. SCOPE

This Policy applies to the processing of Individual Customer Personal Data that GDC receives in the United States concerning Individual Customers who reside in the European Union and Switzerland. GDC provides products and services to businesses and consumers.

This Policy does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. (The use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible.)

II. RESPONSIBILITIES AND MANAGEMENT

GDC has designated the Legal Department to oversee its information security program, including its compliance with the EU Privacy Shield program and Swiss Safe Harbor. The Legal Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to support@globaldataconsortium.com.

GDC will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. GDC personnel will receive training, as applicable, to effectively implement this Policy. Please refer to Section 7 for a discussion of the steps that GDC has undertaken to protect Personal Data.

III. RENEWAL / VERIFICATION

GDC will renew its EU Privacy Shield and US Swiss Safe Harbor certifications annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.

Prior to the re-certification, GDC will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Individual Customer Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, GDC will undertake the following:

A. Review this Privacy Shield policy and its publicly posted website privacy policy to ensure that these policies accurately describe the practices regarding the collection of Individual Customer Personal Data

B. Ensure that the publicly posted privacy policy informs Individual Customers of GDC’s participation in the EU Privacy Shield and US Swiss Safe Harbor programs and where to obtain a copy of additional information (e.g., a copy of this Policy)

C. Ensure that this Policy continues to comply with the Privacy Shield and the Swiss Safe Harbor principles

D. Confirm that Individual Customers are made aware of the process for addressing complaints and any independent dispute resolution process (GDC may do so through its publicly posted website, Individual Customer contract, or both)

E. Review its processes and procedures for training Employees about GDC’s participation in the Privacy Shield and Swiss Safe Harbor programs and the appropriate handling of Individual’s Personal Data

GDC will prepare an internal verification statement on an annual basis.

IV. COLLECTION AND USE OF PERSONAL DATA

GDC provides various solutions to its Individual Customers who purchase its products. GDC collects Personal Data from Individual Customers when they purchase its products, register with our website, log-in to their account, request information or otherwise communicate with us.

The Personal Data that we collect may vary based on the Individual Customer’s interaction with our website and request for our services. As a general matter, GDC collects the following types of Personal Data from its Individual Customers: contact information, including, a contact person’s name, email address, mailing address, telephone number, date of birth, ID number.

We also may collect Personal Data from persons who contact us through our website to request additional information; in such a situation, we would collect contact information (as discussed above) and any other information that the person chooses to submit through our website.

The information that we collect from Individual Customers is used for selling the products and services they buy from us, managing transactions, reporting, invoicing, renewals, other operations related to providing services and products to the Individual Customer.

For certain products, GDC serves as a service provider. In our capacity as a service provider, we will receive, store, and/or process Personal Data. In such cases, we are acting as a data processor and will process the personal information on behalf of and under the direction of our partners and/or agents. The information that we collect from our Individual Customers in this capacity is used for managing transactions, reporting, invoicing, renewals, other operations related to providing services to the Individual Customer, and as otherwise requested by our partner and/or agent.

GDC uses Personal Data that it collects directly from its Individual Customers and for its partners indirectly in its role as a service provider for the following business purposes, without limitation:

  1. maintaining and supporting its products, delivering and providing the requested products/services, and complying with its contractual obligations related thereto (including managing transactions, reporting, invoices, renewals, and other operations related to providing services to an Individual Customer);
  2. satisfying governmental reporting, tax, and other requirements (e.g., import/export);
  3. storing and processing data, including Personal Data, in computer databases and servers located in the United States;
  4. verifying identity (e.g., for online access to accounts);
  5. as requested by the Individual Customer;
  6. for other business-related purposes permitted or required under applicable local law and regulation;
  7. and as otherwise required by law.

V. DISCLOSURES  / ONWARD TRANSFERS OF PERSONAL DATA

Except as otherwise provided herein, GDC discloses Personal Data only to Third Parties who reasonably need to know such data only for the scope of the initial transaction and not for other purposes. Such recipients must agree to abide by confidentiality obligations.

GDC may provide Personal Data to Third Parties that act as agents, consultants, and contractors to perform tasks on behalf of and under our instructions. For example, GDC may store such Personal Data in the facilities operated by Third Parties. Such Third Parties must agree to use such Personal Data only for the purposes for which they have been engaged by GDC and they must either:

  1. comply with the Privacy Shield principles or another mechanism permitted by the applicable EU & Swiss data protection law(s) for transfers and processing of Personal Data;
  2. or agree to provide adequate protections for the Personal Data that are no less protective than those set out in this Policy;

GDC also may disclose Personal Data for other purposes or to other Third Parties when a Data Subject has consented to or requested such disclosure. Please be aware that GDC may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. GDC is liable for appropriate onward transfers of personal data to third parties.

VI. SENSITIVE DATA

GDC does not collect Sensitive Data from its Individual Customers.

VII. DATA INTEGRITY AND SECURITY

GDC uses reasonable efforts to maintain the accuracy and integrity of Personal Data and to update it as appropriate. GDC has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alternation, or destruction. For example, electronically stored Personal Data is stored on a secure network with firewall protection, and access to GDC’s electronic information systems requires user authentication via password or similar means. GDC also employs access restrictions, limiting the scope of employees who have access to Individual Customer Personal Data.

Further, GDC uses secure encryption technology to protect certain categories of personal data. Despite these precautions, no data security safeguards guarantee 100% security all of the time.

VIII. NOTIFICATION

GDC notifies Individual Customers about its adherence to the EU-US Privacy Shield and US Swiss Safe Harbor principles through its publicly posted website privacy policy, available at: http://globaldataconsortium.com/privacy-policy/ and take Individual customers approval and adherence to the current policy when they provide their information to us in the transactional process.

IX. ACCESSING PERSONAL DATA

GDC personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.

X. RIGHT TO ACCESS, CHANGE OR DELETE PERSONAL DATA

A. Right to Access. Individual Customers have the right to know what Personal Data about them is included in the databases and to ensure that such Personal Data is accurate and relevant for the purposes for which GDC collected it. Individual Customers may review their own Personal Data stored in the databases and correct, erase, or block any data that is incorrect, as permitted by applicable law and GDC policies. Upon reasonable request and as required by the Privacy Shield principles, GDC allows Individual Customers access to their Personal Data, in order to correct or amend such data where inaccurate. Individual Customers may edit their Personal Data by logging into their account profile or by contacting GDC by phone or email. In making modifications to their Personal Data, Data Subjects must provide only truthful, complete, and accurate information. To request erasure of Personal Data, Individual Customers should submit a written request to local GDC office.

B. Requests for Personal Data. GDC will track each of the following and will provide notice to the appropriate parties under law and contract when either of the following circumstances arise: (a) legally binding request for disclosure of the Personal Data by a law enforcement authority unless prohibited by law or regulation; or (b) requests received from the Data Subject. If GDC receives a request for access to his/her Personal Data from an Individual Customer, then, unless otherwise required under law or by contract with such Individual Customer, GDC will refer such Data Subject to the Individual Customer.

C. Satisfying Requests for Access, Modifications, and Corrections. GDC will endeavor to respond in a timely manner to all reasonable written requests to view, modify, or inactivate Personal Data.

XI. CHANGES TO THIS POLICY

This Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. We will make employees available of changes to this policy either by posting to our intranet, through email, or other means. We will notify Customers if we make changes that materially affect the way we handle Personal Data previously collected, and we will allow them to choose whether their Personal Data may be used in any materially different manner.

XII. QUESTIONS OR COMPLAINTS

EU Individual customers may contact GDC with questions or complaints concerning this Policy at the following address:

support@globaldataconsortium.com

XIII. ENFORCEMENT AND DISPUTE RESOLUTION

In compliance with the US-EU Privacy Shield Principles, GDC commits to resolve complaints about your privacy and our collection or use of your personal information. EU individuals with questions or concerns about the use of their Personal Data should contact us at: support@globaldataconsortium.com

If a Customer’s question or concern cannot be satisfied through this process GDC has further committed to refer unresolved privacy complaints under US-EU Privacy Shield to an independent dispute resolution mechanism operated by the Council of Better Business Bureaus.

If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed by GDC, EU individuals may bring a complaint before the BBB EU Online Privacy Shield. Information about how to file a complaint before the BBB EU Privacy Shield program can be found at:www.bbb.org/EU-privacy-shield/for-eu-consumers/. Finally, as a last resort and in limited situations, EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.

GDC commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship.

In compliance with the US Swiss Safe Harbor Principles, GDC commits to resolve complaints about your privacy and our collection or use of your personal information. Swiss individuals with a question or concern about the use of their Personal Data should contact us at: support@globaldataconsortium.com.

If a Customer’s question or concern cannot be satisfied through this process GDC has further committed to refer unresolved privacy complaints under the US-Swiss Safe Harbor to an independent dispute resolution mechanism operated by the Council of Better Business Bureaus.

If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed please visit: http://www.bbb.org/EU-privacy-shield/bbb-eu-safe-harbor-dispute-resolution/ for more information and to file a complaint.

XIV: DEFINED TERMS

Capitalized terms in this Privacy Policy have the following meanings:

“Individual Customer” means an Individual customer or client of GDC from EU or Switzerland. The term also shall include any individual agent, representative, of an individual customer of GDC and all employee of GDC where GDC has obtained his or her Personal Data from such Individual Customer as part of its business relationship with GDC.

“Data Subject” means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics. For Customers residing in Switzerland, a Data Subject also may include a legal entity.

“Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of GDC or any of its affiliates or subsidiaries, who is also a resident of a country within the European Economic Area.

“Europe” or “European” refers to a country in the European Union.

“Personal Data” as defined under the European Union Directive 95/46/EC means data that personally identifies or may be used to personally identify a person, including an individual’s name in combination with country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password, and identification numbers. Personal Data does not include data that is de-identified, anonymous, or publicly available. For Switzerland, the term “person” includes both a natural person and a legal entity, regardless of the form of the legal entity.

“Sensitive Data” means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership.

“Third Party” means any individual or entity that is neither GDC nor an GDC employee, agent, contractor, or representative.

Version 1 – August 1, 2016

GDC SAFE HARBOR PRIVACY POLICY STATEMENT & DATA PROTECTION COMPLIANCE POLICIES

GDC respects individual privacy and values the confidence of its customers, employees, consumers, business partners and others. Not only does GDC strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices. This Safe Harbor Privacy Policy Statement and Data Protection Compliance Policies (together, the “Policy”) sets forth the privacy principles GDC follows with respect to transfers of personal information from Switzerland to the United States; as well as all other personal information and data received by GDC.

SAFE HARBOR

The United States Department of Commerce and the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland have agreed on a set of principles and frequently asked questions to enable U.S. companies to satisfy the requirement under Swiss law that adequate protection be given to personal information transferred from Switzerland to the United States (the “U.S.-Swiss Safe Harbor”). Consistent with its commitment to protect personal privacy, GDC adheres to the principles set forth in U.S.-Swiss Safe Harbor (the “Safe Harbor Principles”).

SCOPE

This Safe Harbor Privacy Policy Statement and Data Protection Compliance Policies (the “Policy”) applies to all personal information received by GDC in the United States from Switzerland, and all other locations, in any format, including electronic, paper or verbal.

DEFINITIONS

For purposes of this Policy, the following definitions shall apply:

“Agent” means any third party that collects or uses personal information under the instructions of, and solely for, GDC or to which GDC discloses personal information for use on GDC’s behalf.

“GDC” means Global Data Consortium, Inc., its predecessors, successors, subsidiaries, divisions and groups in the United States.

“Personal information” means any information or set of information that identifies or could be used by or on behalf of GDC to identify an individual. Personal information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

“Sensitive personal information” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, views or activities, that concerns health or sex life, information about social security benefits, or information on criminal or administrative proceedings and sanctions other than in the context of pending proceedings. In addition, GDC will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.

PRIVACY PRINCIPLES

The privacy principles in this Policy have been developed based on the Safe Harbor Principles.

NOTICE: Where GDC collects personal information directly from individuals in Switzerland, it will inform them about the purposes for which it collects and uses personal information about them, the types of non–agent third parties to which GDC discloses that information, the choices and means, if any, GDC offers individuals for limiting the use and disclosure of personal information about them, and how to contact GDC. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to GDC, or as soon as practicable thereafter, and in any event before GDC uses or discloses the information for a purpose other than that for which it was originally collected.

Where GDC receives personal information from its subsidiaries, affiliates or other entities Switzerland, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.

CHOICE: GDC will offer individuals the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.

For sensitive personal information, GDC will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.

GDC will provide individuals with reasonable mechanisms to exercise their choices.

DATA INTEGRITY: GDC will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. GDC will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.

TRANSFERS TO AGENTS: GDC will obtain assurances from its agents that they will safeguard personal information consistently with this Policy. Examples of appropriate assurances that may be provided by agents include: a contract obligating the agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles, being subject to Swiss Federal Act on Data Protection, Safe Harbor certification by the agent, or being subject to Swiss FDPIC adequacy finding (e.g., companies located in Canada). Where GDC has knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy, GDC will take reasonable steps to prevent or stop the use or disclosure.

ACCESS AND CORRECTION: Upon request, GDC will grant individuals reasonable access to personal information that it holds about them. In addition, GDC will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.

SECURITY: GDC will take reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

ENFORCEMENT: GDC will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that GDC determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment.

DISPUTE RESOLUTION: Any questions or concerns regarding the use or disclosure of personal information should be directed to the GDC compliance representative at the address given below. GDC will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information by reference to the principles contained in this Policy. For complaints that cannot be resolved between GDC and the complainant, GDC has agreed to participate in the following dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to the Safe Harbor Principles:

for disputes involving all personal information received by GDC from Switzerland, GDC has agreed and to cooperate with the Swiss FDPIC.

LIMITATION ON APPLICATION OF PRINCIPLES

Adherence by GDC to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.

INTERNET PRIVACY

GDC sees the Internet and the use of other technology as valuable tools to communicate and interact with consumers, employees, business partners, and others. GDC recognizes the importance of maintaining the privacy of information collected online and has created a specific Internet Privacy Policy Statement (the “IPP”) governing the treatment of personal information collected through web sites that it operates. With respect to personal information that is transferred from the European Economic Area or Switzerland to the U.S., the IPP is subordinate to this Policy. However, the IPP also reflects additional legal requirements and evolving standards with respect to Internet privacy.

CONTACT INFORMATION

Questions or comments regarding this Policy should be submitted to the GDC compliance representative by mail to:

Global Data Consortium
Global Data Consortium, Inc.
19 W. Hargett Street, Suite 809
Raleigh, NC 27601

Or by e-mail to the GDC Privacy Office

 

CHANGES TO THIS SAFE HARBOR PRIVACY POLICY

This Policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. A notice will be posted on the GDC’s web page (www.globaldataconsortium.com) for 60 days whenever this Safe Harbor Privacy Policy is changed in a material way.

EFFECTIVE DATE: NOVEMBER 1, 2014

GDC INTERNET PRIVACY POLICY

GDC respects the privacy of visitors to its websites; as a result, we have developed this Internet privacy Policy (the “IPP”). This IPP applies only to the operation of websites that directly link to this policy when you click on “privacy statement” in the website footer.

Through this website GDC may collect information that can identify you, such as your name, address, telephone number, e-mail address, and other similar information (“Your Information”) when it is voluntarily submitted to us (however, see discussion below about “IP Addresses” if you have a broadband connection). We will use Your Information to respond to requests you may make of us, and from time to time, we may refer to Your Information to better understand your needs and how we can improve our websites, products and services. We may also use Your Information to contact you with information about our products and services. We may also enhance or merge Your Information with data obtained from third parties for the same purposes.

Any other information transferred by you in connection with your visit to this site (“Other Information” – that is, information that cannot be used to identify you) may be included in databases owned and maintained by GDC or its agents. GDC retains all rights to these databases and the information contained in them. Other Information we collect may include your IP Address and other information gathered through our weblogs and cookies (see below).

This site may use a technology known as web beacons – sometimes called single- pixel gifs – that allow this site to collect web log information. A web beacon is a graphic on a web page or in an e-mail message designed to track pages viewed or messages opened. Web log information is gathered when you visit one of our websites by the computer that hosts our website (called a “webserver”). The webserver automatically recognizes some non-personal information, such as the date and time you visited our site, the pages you visited, the website you came from, the type of browser you are using (e.g., Internet Explorer), the type of operating system you are using (e.g., Windows 2000), and the domain name and address of your Internet service provider (e.g., AOL). We may also include web beacons in promotional e-mail messages in order to determine whether messages have been opened.

This website may use a technology called a “cookie”. A cookie is a piece of in- formation that our webserver sends to your computer (actually to your browser file) when you access a website. Then when you come back our site will detect whether you have one of our cookies on your computer. Our cookies help pro- vide additional functionality to the site and help us analyze site usage more accurately. For instance, our site may set a cookie on your browser that keeps you from needing to remember and then enter a password more than once during a visit to the site.

This website may use Internet Protocol (IP) Addresses. An IP Address is a number assigned to your computer by your Internet service provider so you can access the Internet. Generally, an IP address changes each time you connect to the Internet (it is a “dynamic” address). Note, however, that if you have a broadband connection, depending on your individual circumstance, it is possible that your IP Address that we collect, or even perhaps a cookie we use, may contain information that could be deemed identifiable. This is be- cause with some broadband connections your IP Address doesn’t change (it is “static”) and could be associated with your personal computer. We use your IP address to report aggregate information on use and to help improve the website.

You should be aware that this site is not intended for, or designed to attract, individuals under the age of 18. We do not collect personally identifiable information from any person we actually know is an individual under the age of 18.

Areas of this website that collect Your Information use industry standard secure socket layer encryption (SSL); however, to take advantage of this your browser must support encryption protection (found in Internet Explorer re- lease 3.0 and above).

We may share Your Information with agents, contractors or partners of GDC in connection with services that these individuals or entities perform for, or with, GDC. These agents, contractors or partners are restricted from using this data in any way other than to provide services for GDC, or services for the collaboration in which they and GDC are engaged (for example, some of our products are developed and marketed through joint agreements with other companies).

GDC reserves the right to share Your Information to respond to duly authorized information requests of governmental authorities or where required by law. In exceptionally rare circumstances where national, state or company security is at issue (such as with the World Trade Center terrorist act in September, 2001), GDC reserves the right to share our entire database of visitors and customers with appropriate governmental authorities.

We may also provide Your Information to a third party in connection with the sale, assignment, or other transfer of the business of this website to which the information relates, in which case we will require any such buyer to agree to treat Your Information in accordance with this Privacy Policy.

To be removed from our contact lists, please write to GDC at the following address:

Global Data Consortium
Global Data Consortium, Inc.
19 W. Hargett Street, Suite 809
Raleigh, NC 27601

Or by e-mail to the GDC Privacy Office

Please note that you may continue to receive materials while we are updating our lists.

We may update this Web site Privacy Policy from time to time. When we do update it, for your convenience, we will make the updated policy available on this page.

Last Updated: November 1, 2014