Effective Date: September 26, 2016
The EU-US Privacy Shield framework (the “Privacy Shield”) was designed by the U.S. Department of Commerce (the “DOC”) and the European Commission (the “EC”) to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data [of any natural person who is located in the EU] from the EU to the US in support of transatlantic commerce. On July 12, 2016, the EC deemed the Privacy Shield adequate to enable data transfers under EU law (see the adequacy determination).
As provided herein, Scherzer International Corporation (“SI”) complies with the Privacy Shield principles regarding the collection, use, and retention of personal information transferred from the EU to the US, and has certified its compliance to the DOC accordingly. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
SI also complies, as applicable, with US laws, and particularly the Fair Credit Reporting Act (“FCRA” 15 U.S.C. §§ 1681 et seq.) and its state counterparts, which provide privacy protection for consumer personal data in connection with consumer reports. In the event of a conflict between this Privacy Shield policy and the FCRA or other applicable laws, SI will comply with its obligations under the FCRA or other applicable US law.
SI hereby confirms its commitment to subject to the Privacy Shield principles all personal data received from the EU in reliance on the Privacy Shield.
SI will include a link to this policy when individuals are first asked to provide personal information to SI or as soon thereafter as it is practicable, but in any event before SI discloses it for the first time to a third party. Disclosure is made only as necessary in connection with performing our Search Services. SI does not use personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual.
If any information in connection with our Search Services necessitates a transfer from the EU, we require the subject’s explicit, specific, voluntary and unambiguous written consent.
SI collects personal information in connection with its Search Services only as requested by its clients for business transaction due diligence, employment background screening, evaluation of accounting firm engagement acceptance/continuation, corporate governance, and regulatory compliance. Examples of personal information collected include identification data, educational and professional licensing credentials, employment information, driving records, criminal records, sex offender registry records, civil litigation, tax lien, judgment, UCC and bankruptcy filings, credit history, officer affiliations, public company directorships, securities law violations, industry-specific regulatory and disciplinary actions, various global lists that identify high risk individuals/politically exposed persons and parties subject to economic sanction programs administered by the Office of Foreign Assets Control, parties excluded from federal procurement and non-procurement programs, and media sources information.
Accordingly, to perform our Search Services, which involve searching public records either manually or through contracted databases and the Internet, and contacting sources provided by the subject, we may disclose the personal information to our trusted agents, who, for example, may be conducting court record searches upon our direction; to an educational institution; professional licensing body; or other records keeper.
We are also required to disclose personal information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements.
As provided under the Privacy Shield, in cases where SI discloses public records or publicly available information from the EU without combining that information with non-public information, its general policies regarding Notice, Choice, and Accountability (as noted below) for Onward Transfer may not apply.
The individual is provided with a choice—no data is processed without the individual’s explicit, voluntary and unambiguous written consent, as provided in a disclosure/authorization form that is specific to the particular purpose of the background check. As noted above, we do not use personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual. Sensitive information, i.e., personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual or information designated by the transferring organization as sensitive, is rarely processed, but in instances that may necessitate the processing of such information, SI will provide individuals the opportunity to affirmatively and explicitly opt-in through reasonable mechanisms.
- Accountability for Onward Transfer
When transferring personal data to our clients or other third-party controllers, the Notice and Choice Principles apply. Consistent with the Privacy Shield’s timing requirements for onward transfer compliance, SI will enter into contracts with the third-party controllers that provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Privacy Shield and will notify us if it makes a determination that it can no longer meet this obligation. The contract additionally will provide that when such a determination is made, the third-party controller shall cease processing or take other reasonable and appropriate remedial measures.
SI may also transfer personal data to its agents retained to perform some part of its Search Services, such as manually searching court records. In such cases, consistent with the Privacy Shield timing requirements for onward transfer compliance, SI will:
- transfer such data only for limited and specified purposes;
- require the service provider to ensure at least the same level of privacy protection as is required by the Privacy Shield principles;
- take reasonable and appropriate steps to ensure that the service provider effectively processes the personal data transferred in a manner that is consistent with SI’s obligations under the Privacy Shield;
- require the service provider to notify SI if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield;
- upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- provide a summary or a representative copy of the relevant privacy provisions of its contract with that service provider to the DOC upon request.
In the context of an onward transfer, SI has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. SI shall remain liable under the Privacy Shield principles if its agent processes such personal information in a manner inconsistent with the principles, unless SI proves that it is not responsible for the event giving rise to the damage.
SI has a formal risk management program, which includes reasonable administrative, technical, physical and managerial procedures and measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing of and the nature of the personal data.
- Data Integrity and Purpose Limitation
SI limits the personal data it collects to information that is relevant and necessary for the purposes of processing, and does not process personal data in a way that is incompatible with the purposes for which it has been collected or authorized by the subject. SI takes reasonable steps to ensure that personal data is reliable, accurate, complete, and current. SI will adhere to the Privacy Shield principles for as long as it retains the personal data transferred in reliance on the Privacy Shield.
SI takes reasonable and appropriate measures to retain personal data only for as long as there is a legitimate legal or business need, which may include those that reasonably serve compliance and legal considerations, auditing, security and fraud prevention, preserving or defending SI’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
SI provides access to personal information to the individual about whom it has information, and will correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Privacy Shield principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
- Recourse, Enforcement and Liability
In compliance with the Privacy Shield principles, SI commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Joann Gold, Executive Vice President and Chief Compliance Officer at 818-227-2571 or via email at firstname.lastname@example.org or by postal mail at Scherzer International, 21650 Oxnard Street, Suite 300, Woodland Hills, CA 91367.
SI has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive a timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim. The services of JAMS are provided at no cost to you.
Under certain conditions, binding arbitration for complaints regarding SI’s Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms may be invoked. For further information, visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
As noted in the onward transfer principle, in the context of such a transfer, SI has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. SI shall remain liable under the principle if its agent processes such personal information in a manner inconsistent with the Privacy Shield principles, unless SI proves that it is not responsible for the event giving rise to the damage.
The Federal Trade Commission (the “FTC”) has jurisdiction over SI’s compliance with the Privacy Shield—SI is subject to its investigatory and enforcement powers. If SI should become subject to an FTC or court order based on non-compliance, SI shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
As noted previously, SI has a formal risk management program, and shall monitor its compliance with this Privacy Shield policy internally.