EU-U.S. AND SWISS-U.S. PRIVACY SHIELD POLICY
Last revised: April 7, 2023
If Consent cannot be obtained, the Search Service may be performed when a client has a legitimate interest in obtaining the individual’s PD or needs the PD to perform a contract; provided, however, that the client gives notice to the individual of the client’s intention to process the data. Notice can be given in several different ways, including directly to the individual, in an engagement letter or similar document, or by publication on the website. The way the client gives notice is their decision.
SI collects PD in connection with its Search Services only as requested by its clients for a Purpose-specific Background Check such as business transaction due diligence; employment background screening; evaluation of accounting firm engagement acceptance or continuation; corporate governance; and regulatory compliance. Examples of PD collected include identification data; educational and professional licensing credentials; employment information; driving records; criminal records; sex offender registry records; civil litigation; tax lien; judgment; UCC and bankruptcy or insolvency filings; credit history; officer affiliations; public company directorships; securities law violations; industry-specific regulatory and disciplinary actions; various global lists that identify high-risk individuals or politically exposed persons and parties subject to economic sanction programs administered by the Office of Foreign Assets Control; parties excluded from federal procurement and non-procurement programs; and media sources information.
We must disclose PD in response to lawful requests by public authorities and to meet national security or law enforcement requirements.
As provided under the Privacy Shield, in cases where SI discloses public records or publicly available information from the EU without combining that information with non-public information, its general policies regarding Notice, Choice, and Accountability (as noted below) for Onward Transfer may not apply.
The individual is provided with a choice—no PD is processed without the individual’s Consent. As noted above, we do not use PD for a purpose that is materially different from the purpose for which it was originally collected or authorized by the individual. Sensitive information, such as PD specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual, or information designated by the transferring organization as sensitive, is rarely processed, but in instances that may necessitate the processing of such information, SI will provide individuals the opportunity to affirmatively and explicitly opt-in through reasonable mechanisms.
Accountability for Onward Transfer
When transferring PD to a controller – defined as a person or organization which, alone or jointly with others, determines the purposes and means of the processing of the PD (the “Controller”) – or to agents acting on our behalf who are typically retained by SI to perform a part of our Search Services, such as manually searching court records (the “Sub-Processors”), the above Notice and Choice principles apply. SI enters into contracts with such Controllers and Sub-Processors, as applicable, to ensure compliance with the Privacy Shield. For Controllers, the contract terms include provisions that (i) PD may only be processed for limited and specified purposes consistent with the individual’s Consent; (ii) the Controller will provide at least the same level of protection as required by the Privacy Shield Principles; (iii) the Controller will notify us if it makes a determination that it can no longer meet its obligations; and (iv) when such a determination is made, will cease processing or take other reasonable and appropriate remedial measures to cure the deficiency. In connection with a transfer of PD to a Sub-Processor, the contract terms are materially similar to those of a Controller, with the additional provision that the Sub-Processor will take reasonable and appropriate steps to ensure that it effectively processes the PD transferred in a manner consistent with SI’s obligations under the principles.
In the context of an onward transfer, SI has the responsibility for the processing of the PD it receives under the Privacy Shield and subsequently transfers to a Sub-Processor. SI shall remain liable under the Privacy Shield Principles if its Sub-Processor processes such PD in a manner inconsistent with the Privacy Shield principles unless SI proves that it is not responsible for the event giving rise to the damage.
SI has a formal risk management program, which includes reasonable administrative, technical, physical, and managerial procedures and measures to protect PD from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing of and the nature of the PD.
Data Integrity and Purpose Limitation
SI limits the PD it collects to information that is relevant and necessary for the purposes of processing and does not process PD in a way that is incompatible with the purposes for which it has been collected or authorized by the subject. SI takes reasonable steps to ensure that the PD is reliable, accurate, complete, and current. SI will adhere to the Privacy Shield principles for as long as it retains the PD transferred in reliance on the Privacy Shield.
SI takes reasonable and appropriate measures to retain PD only for as long as there is a legitimate legal or business need, which may include needs that reasonably serve compliance and legal considerations, auditing, security, and fraud prevention, preserving or defending SI’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
SI provides access to PD to the individual about whom it has information and will correct, amend, or delete that information where it is inaccurate or has been processed in violation of the Privacy Shield Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of persons other than the individual would be violated.
Recourse, Enforcement, and Liability
In compliance with the Privacy Shield principles, SI commits to resolving complaints about our collection or use of your PD. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Joann Gold, Executive Vice President and Chief Compliance Officer at 818-227-2571 or via email at firstname.lastname@example.org or by postal mail at Scherzer International Corporation, 21650 Oxnard Street, Suite 300, Woodland Hills, CA 91367.
SI has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive a timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please visit https://www.jamsadr.com/eu-us-privacy-shield. The services of JAMS are provided at no cost to you.
Under certain conditions, binding arbitration for complaints regarding SI’s Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms may be invoked. For further information, visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
As noted in the onward transfer principle, in the context of such a transfer, SI is responsible for processing PD it receives under the Privacy Shield and subsequently transfers to a Sub-Processor. SI shall remain liable under the principle if its Sub-Processor processes such PD in a manner inconsistent with the Privacy Shield Principles unless SI proves that it is not responsible for the event giving rise to the damage.
The Federal Trade Commission (FTC) has jurisdiction over SI’s compliance with the Privacy Shield—SI is subject to its investigatory and enforcement powers. If SI should become subject to an FTC or court order based on non-compliance, SI shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC to the extent consistent with confidentiality requirements.
As noted previously, SI has a formal risk management program and shall monitor its compliance with this Privacy Shield policy internally.