The Federal Trade Commission (“FTC”) has jurisdiction over ASG’s compliance with the Privacy Shield.
All ASG employees who handle Personal Data from Europe and Switzerland are required to comply with this Policy.
Capitalized terms are defined in Section 16 of this Policy.
This Policy does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. (The use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible.) This Policy does not cover information collected the ASG Group regarding its employees or contractors.
II. RESPONSIBILITIES AND MANAGEMENT
ASG has designated its Legal Department to oversee its information security program, including its compliance with the EU-U.S. Privacy Shield program and Swiss Safe Harbor. The Legal Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to email@example.com.
ASG will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. ASG personnel will receive training, as applicable, to effectively implement this Policy. Please refer to Section 7 for a discussion of the steps that ASG has undertaken to protect Personal Data.
III. RENEWAL / VERIFICATION
ASG will renew its EU Privacy Shield and U.S. Swiss Safe Harbor certifications annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.
Prior to the re-certification, ASG will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Individual Customer Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, ASG will undertake the following:
- 3. Update this Policy such that it continues to comply with the Privacy Shield and the Swiss Safe Harbor principles
- 4. Confirm that Individual Customers are made aware of the process for addressing complaints and any that the Better Business Bureau is available for an independent dispute resolution process (ASG may do so through its publicly posted website, Individual Customer contract, or both)
- 5. Review its processes and procedures for training Employees about ASG’s participation in the Privacy Shield and Swiss Safe Harbor programs and the appropriate handling of Individual’s Personal Data
ASG will prepare an internal verification statement on an annual basis.
IV. COLLECTION AND USE OF PERSONAL DATA
ASG collects Personal Data and Personally Identifiable Information from users of its websites and from Individual Customers when they purchase its products, register with our website, log-in to their account, request support, complete surveys, request information or otherwise communicate with ASG. For example, ASG Individual Customers may choose to seek live support or post to a message board.
The Personal Data and Personally Identifiable Information that we collect may vary based on the Individual Customer’s interaction with our website and request for our services. As a general matter, ASG collects the following types of Personal Data from its Individual Customers: contact information, including, a contact person’s name, work email address, work mailing address, invoice address, work telephone number, title or role, company name, products purchased, estimated deal value, services provided, as well as payment information (which might include credit card and/or bank account information). Some Individual Customers have the option to log into their accounts online and to request service online, including through a live support option. We will collect information that they choose to provide to us through these portals.
When Individual Customers use our services online, we will collect their IP address and browser type. We may associate IP address and browser type with a specific customer. We also may collect Personal Data and Personally Identifiable Information from persons who contact us through our website to request additional information; in such a situation, we would collect contact information (as discussed above) and any other information that the person chooses to submit through our website.
The information that we collect from Individual Customers is used for selling the products and services they buy from us, managing transactions, reporting, invoicing, renewals, providing services and products to the Individual Customer, improving our products and services, defending our rights, and investigating fraud.
For certain products, ASG serves as a service provider providing software maintenance and/or hosting of software as a service. In our capacity as a service provider, we will receive, store, and/or process Personal Data and Personally Identifiable Information. In such cases, we are acting as a data processor and will process the personal information on behalf of and under the direction of our Individual Customers and/or agents. The information that we collect from our Individual Customers in this capacity is used for managing transactions, reporting, invoicing, renewals, providing services to the Individual Customer, and as otherwise requested by our Individual Customer and/or agent.
ASG uses Personal Data and Personally Identifiable Information that it collects directly from its Individual Customers and for its agents indirectly in its role as a service provider for the following business purposes, without limitation:
- 1. maintaining and supporting its products, delivering and providing the requested products/services, and complying with its contractual obligations related thereto (including managing transactions, reporting, invoices, renewals, and other operations related to providing services to an Individual Customer);
- 2. satisfying governmental reporting, tax, and other requirements (e.g., import/export);
- 3. storing and processing data, including Personal Data, in computer databases and servers located in the United States;
- 4. verifying identity (e.g., for online access to accounts);
- 5. as requested by the Individual Customer;
- 6. for other business-related purposes permitted or required under applicable local law and regulation, including protecting our business or our Individual Customers or investigating fraud or misconduct; and
- 7. as otherwise required by law or court order.
Special Note Regarding Children Under 13. ASG cares about protecting the privacy of children. We will not specifically market to or knowingly collect Personal Data or Personally Identifiable Information from children under 13 for marketing purposes. Because some information is collected online, it may not appear to be the Personal Data or Personally Identifiable Information of a child under 13. If a child under 13 submits Personal Data or Personally Identifiable Information to us and we learn that the Personal Data or Personally Identifiable Information is the information of a child under 13, we will attempt to delete the Personal Data as soon as possible. If you are under 13, please do not register for any of our services or provide us any information about yourself (such as your name, email address or phone number).
V. DISCLOSURES / ONWARD TRANSFERS OF PERSONAL DATA
Except as otherwise provided herein, ASG discloses Personal Data or Personally Identifiable Information to Third Parties who reasonably need to know such data only for the scope of the initial transaction and not for other purposes. Such recipients must agree to abide by confidentiality obligations.
ASG may provide Personal Data or Personally Identifiable Information to Third Parties that act as agents, consultants, and contractors to perform tasks on behalf of and under our instructions. For example, ASG may store such Personal Data or Personally Identifiable Information in the facilities operated by Third Parties. Such Third Parties must agree to use such Personal Data only for the purposes for which they have been engaged by ASG and they must agree to provide adequate protections for the Personal Data that are no less protective than those set out in this Policy.
ASG also may disclose Personal Data for other purposes or to other Third Parties when a Data Subject has consented to or requested such disclosure. ASG also may disclose Personally Identifiable Data for other purposes or to other Third Parties when a Data Subject has consented to or requested such disclosure or when otherwise permitted under law. Please be aware that ASG may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
In cases of onward transfer to Third Parties of data of EU individuals received pursuant to the EU-U.S. Privacy Shield, ASG is potentially liable.
VI. SENSITIVE DATA
ASG does not collect Sensitive Data from its Individual Customers.
VII. DATA INTEGRITY AND SECURITY
ASG uses reasonable efforts to maintain the accuracy and integrity of Personal Data and Personally Identifiable Information and to update it as appropriate. For instance, regular reviews are conducted throughout each business month as data in ASG’s databases is used for customer billing and invoicing. ASG has implemented physical, administrative and technical safeguards designed to protect Personal Data and Personally Identifiable Information in ASG’s custody and control from loss, misuse, and unauthorized access, disclosure, alternation, or destruction.
IX. ACCESSING PERSONAL DATA
ASG has an approved list of managers and personnel with access to Personal Data and may access and use Personal Data only for the purposes for which they are authorized. Access is monitored. Individuals with access are trained on the requirements of this Policy and security.
Data Subjects residing in the EU or Switzerland have a right to opt-out by contacting us at firstname.lastname@example.org before we share their Personal Data with Third Parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized.
XI. RIGHT TO ACCESS, CHANGE OR DELETE PERSONAL DATA OR PERSONALLY IDENTIFIABLE INFORMATION
A. Right to Access. Individual Customers have the right to know what Personal Data (or Personally Identifiable Information, as applicable) about them is included in the databases and to ensure that such Personal Data (or Personally Identifiable Information, as applicable) is accurate and relevant for the purposes for which ASG collected it. Individual Customers may review their own Personal Data (or Personally Identifiable Information, as applicable) stored in the databases and correct, erase, or block any data that is incorrect, as permitted by applicable law and ASG policies. Upon reasonable request and as required by the Privacy Shield Principles, ASG allows Individual Customers access to their Personal Data (or Personally Identifiable Information, as applicable), in order to correct or amend such data where inaccurate.
Individual Customers may request edits to their Personal Data (or Personally Identifiable Information, as applicable) by contacting ASG by email (email@example.com). In making modifications to their Personal Data (or Personally Identifiable Information, as applicable), Data Subjects must provide only truthful, complete, and accurate information. To request erasure of Personal Data (or Personally Identifiable Information, as applicable), Individual Customers should submit a written request to ASG at firstname.lastname@example.org.
B. Requests for Personal Data (or Personally Identifiable Information, as applicable). ASG will track each of the following and will provide notice to the appropriate parties as required under law and contract when either of the following circumstances arise: (a) a legally binding request for disclosure of the Personal Data (or Personally Identifiable Information, as applicable) is made by a law enforcement authority, unless prohibited by law or regulation; or (b) a written request is received from the Data Subject. If ASG receives a request for access to his/her Personal Data (or Personally Identifiable Information, as applicable) from an Individual Customer, then, unless otherwise required under law or by contract with such Individual Customer, ASG will refer such Data Subject to the Individual Customer.
C. Satisfying Requests for Access, Modifications, and Corrections. ASG will endeavor to respond in a timely manner to all reasonable written requests to view, modify, or inactivate Personal Data (or Personally Identifiable Information, as applicable).
XII. CHANGES TO THIS POLICY
This Policy may be amended from time to time, consistent with the EU-U.S. Privacy Shield and U.S.-Swiss Safe Harbor Principles and applicable data protection and privacy laws and principles. We will make available to employees any changes to this Policy either by posting to our intranet, through email, or other means. We will notify Customers if we make changes that materially affect the way we handle Personal Data previously collected, and we will allow them to choose whether their Personal Data may be used in any materially different manner.
XIII. QUESTIONS OR COMPLAINTS
EU Individual Customers may contact ASG with questions or complaints concerning this Policy at email@example.com.
XIV. ENFORCEMENT AND DISPUTE RESOLUTION
ASG is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
If an EU Customer’s question or concern cannot be satisfied through this process, ASG has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
In compliance with the U.S. Swiss Safe Harbor Principles, ASG commits to resolve complaints about your privacy and our collection or use of your personal information. Swiss individuals with a question or concern about the use of their Personal Data should contact us at firstname.lastname@example.org.
If a Swiss Customer’s question or concern cannot be satisfied through this process, ASG has further committed to refer unresolved privacy complaints under the US-Swiss Safe Harbor to an independent dispute resolution mechanism operated by the Council of Better Business Bureaus.
If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.
XV. CALIFORNIA ONLINE PRIVACY PROTECTION ACT
Special Note Regarding Personal Information of Residents of California. Pursuant to California Civil Code Section 1798.83, if you are a California resident, you have the right to request and receive, once a year and free of charge, information about Third Parties to whom we have disclosed certain types of personal information (if any) about you for their direct marketing purposes in the prior calendar year, and a description of the categories of personal information shared. To make such a request, please send an email to email@example.com and please include the phrase “California Privacy Request” in the subject line, the domain name of the website you are inquiring about, along with your name, address and email address. At our option, we may respond to such requests by providing instructions about how our users can exercise their options to prevent our disclosure of personal information to Third Parties for their direct marketing purposes.
As required by the California Online Privacy Protection Act (“California Act”) and the California Business and Professions Code, this Policy also identifies the categories of “Personally Identifiable Information” (as that term is defined in the California Act) that we collect through our website about Individual Customers who use or visit our website and the categories of Third Parties with whom such Personally Identifiable Information may be shared.
Depending on the visitor’s activity at our website, certain Personally Identifiable Information may be collected, in addition to information set forth in other sections of this document.
Please refer to Section 11 for a description of the process maintained by ASG for an Individual Customer who uses our website to review and request changes to any of his or her Personally Identifiable Information that is collected through our website.
Please refer to Section 12 for a description of the process by which we notify Individual Customers who use our website of material changes to this Policy.
See more about the California Act at http://consumercal.org/california-online-privacy-protection-act-caloppa/#sthash.0FdRbT51.dpuf.
XVI. DEFINED TERMS
Capitalized terms in this Policy have the following meanings:
“Individual Customer” means an Individual current, prospective or former customer, client of the ASG Group. The term also shall include any individual agent, representative, of an individual customer of the ASG Group.
“Data Subject” means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics. For Customers residing in Switzerland, a Data Subject also may include a legal entity.
“Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of ASG or any of its affiliates or subsidiaries, who is also a resident of a country within the European Economic Area.
“Europe” or “European” refers to a country in the European Union.
“Personal Data” as defined under the European Union Directive 95/46/EC means data that personally identifies or may be used to personally identify a person, including an individual’s name in combination with country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password, and identification numbers. Personal Data does not include data that is de-identified, anonymous, or publicly available. For Switzerland, the term “person” includes both a natural person and a legal entity, regardless of the form of the legal entity.
“Personally Identifiable Information” means individually identifiable information about an individual consumer, including any of the following: the individual’s first and last name; home or other physical address, including street name and name of a city or town; e-mail address; telephone number; social security number; any other identifier that permits the physical or online contacting of a specific individual; or information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with another identifier.
“Sensitive Data” means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership.
“Third Party” means any individual or entity that is neither ASG nor an ASG employee, agent, contractor, or representative.