Last Updated: May 1, 2019
The EU-US Privacy Shield framework (the “Privacy Shield”) was designed by the U.S. Department of Commerce (DOC) and the European Commission (EC) to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data (“PD”) [of any natural person located in the EU] from the EU to the US in support of transatlantic commerce. On July 12, 2016, the EC deemed the Privacy Shield adequate to enable data transfers under EU law (see the adequacy determination). (PD means any information related to an identified or identifiable natural person.)
As provided herein, Scherzer International Corporation (“SI”) complies with the Privacy Shield principles regarding the collection, use, and retention of personal information transferred from the EU to the US, and has certified its compliance to the DOC accordingly. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
SI hereby confirms its commitment to subject to the Privacy Shield principles all PD received from the EU (including the United Kingdom) in reliance on the Privacy Shield.
By reviewing the disclosure and completing the authorization (the “Consent”) documents for the purpose-specific background check, the individual expressly agrees to the use of his/her PD and consents to SI’s use of that information in accordance with this Policy. In the event that the individual opts out or revokes the Consent, the PD will be deleted, unless its retention is required by law or sound business judgment.
SI collects PD in connection with its Search Services only as requested by its clients for business transaction due diligence, employment background screening, evaluation of accounting firm engagement acceptance/continuation, corporate governance, and regulatory compliance. Examples of PD collected include identification data, educational and professional licensing credentials, employment information, driving records, criminal records, sex offender registry records, civil litigation, tax lien, judgment, UCC and bankruptcy/insolvency filings, credit history, officer affiliations, public company directorships, securities law violations, industry-specific regulatory and disciplinary actions, various global lists that identify high risk individuals/politically exposed persons and parties subject to economic sanction programs administered by the Office of Foreign Assets Control, parties excluded from federal procurement and non-procurement programs, and media sources information.
Accordingly, to perform our Search Services, which involve searching public records either manually or through contracted databases and the Internet, and contacting sources provided by the subject, we may disclose the PD to our reasonably vetted agents, who, for example, may be conducting court record searches upon our direction; to an educational institution; professional licensing body; or other record keeper.
We are also required to disclose PD in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements.
As provided under the Privacy Shield, in cases where SI discloses public records or publicly available information from the EU without combining that information with non-public information, its general policies regarding Notice, Choice, and Accountability (as noted below) for Onward Transfer may not apply.
The individual is provided with a choice—no PD is processed without the individual’s Consent. As noted above, we do not use PD for a purpose that is materially different from the purpose(s) for which it was originally collected or authorized by the individual. Sensitive information, i.e., PD specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual or information designated by the transferring organization as sensitive, is rarely processed, but in instances that may necessitate the processing of such information, SI will provide individuals the opportunity to affirmatively and explicitly opt-in through reasonable mechanisms.
- Accountability for Onward Transfer
When transferring PD to a controller, defined as a person or organization which, alone or jointly with others, determines the purposes and means of the processing of the PD (the “Controller”) or to agents acting on our behalf who are typically retained by SI to perform a part of our Search Services, such as manually searching court records (the “Sub-Processors”), the Notice and Choice Principles apply. SI enters into contracts with such Controllers and Sub-Processors, as applicable, to ensure compliance with the Privacy Shield. For Controllers, the contract terms include provisions that (i) PD may only be processed for limited and specified purposes consistent with the individual’s Consent; (ii) the Controller will provide at least the same level of protection as required by the [Privacy Shield] principles; (iii) the Controller will notify us if it makes a determination that it can no longer meet its obligations; and (iv) when such a determination is made, will cease processing or take other reasonable and appropriate remedial measures to cure the deficiency. In connection with a transfer of PD to a Sub-Processor, the contract terms are materially similar to those of a Controller, with the additional provision that the Sub-Processor will take reasonable and appropriate steps to ensure that it effectively processes the PD transferred in a manner consistent with SI’s obligations under the principles.
In the context of an onward transfer, SI has the responsibility for the processing of the PD it receives under the Privacy Shield and subsequently transfers to a Sub-Processor. SI shall remain liable under the principles if its Sub-Processor processes such PD in a manner inconsistent with the principles, unless SI proves that it is not responsible for the event giving rise to the damage.
SI has a formal risk management program, which includes reasonable administrative, technical, physical and managerial procedures and measures to protect PD from loss, misuse, unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing of and the nature of the PD.
- Data Integrity and Purpose Limitation
SI limits the PD it collects to information that is relevant and necessary for the purposes of processing, and does not process PD in a way that is incompatible with the purposes for which it has been collected or authorized by the subject. SI takes reasonable steps to ensure that the PD is reliable, accurate, complete, and current. SI will adhere to the Privacy Shield principles for as long as it retains the PD transferred in reliance on the Privacy Shield.
SI takes reasonable and appropriate measures to retain PD only for as long as there is a legitimate legal or business need, which may include needs that reasonably serve compliance and legal considerations, auditing, security and fraud prevention, preserving or defending SI’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
SI provides access to PD to the individual about whom it has information, and will correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Privacy Shield principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of persons other than the individual would be violated.
- Recourse, Enforcement and Liability
In compliance with the Privacy Shield principles, SI commits to resolve complaints about our collection or use of your PD. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Joann Gold, Executive Vice President and Chief Compliance Officer at 818-227-2571 or via email at firstname.lastname@example.org or by postal mail at Scherzer International, 21650 Oxnard Street, Suite 300, Woodland Hills, CA 91367.
SI has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive a timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please visit https://www.jamsadr.com/eu-us-privacy-shield. The services of JAMS are provided at no cost to you.
Under certain conditions, binding arbitration for complaints regarding SI’s Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms may be invoked. For further information, visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
As noted in the onward transfer principle, in the context of such a transfer, SI has the responsibility for the processing of PD it receives under the Privacy Shield and subsequently transfers to a Sub-Processor. SI shall remain liable under the principle if its Sub-Processor processes such PD in a manner inconsistent with the principles, unless SI proves that it is not responsible for the event giving rise to the damage.
The Federal Trade Commission (the “FTC”) has jurisdiction over SI’s compliance with the Privacy Shield—SI is subject to its investigatory and enforcement powers. If SI should become subject to an FTC or court order based on non-compliance, SI shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
As noted previously, SI has a formal risk management program, and shall monitor its compliance with this Privacy Shield policy internally.