In addition to other terms defined herein, the following definitions shall apply to this Policy:
“PI” means personal Data about an identified or identifiable individual, such as names and addresses.
“Processing” or “Processes” are operations involving PI.
“EU Person” is an individual in an EU member state.
“EUPI” is PI that is within the scope of the Framework, received by CSC TCI from an EU Person located in an EU
member state, and recorded in any form.
II. Collection, Use and Disclosure
CSC TCI only collects, obtains access to, Processes and uses Data as necessary for and/or relevant to its proper business purposes of: offering and providing tax related software, support and services, backing up Data for business continuity, disaster recovery and archival purposes; maintaining security of services, systems, networks, and Data, and complying with laws, regulations, professional standards, contract terms, court orders, administrative or judicial processes, subpoenas and search warrants (“Purposes”). When appropriate, CSC TCI provides clients and personnel with access to their Data to correct, amend or delete such Data. Unless restricted by law, regulation, professional standards or contract, CSC TCI may disclose certain Data to its personnel or to third-parties: for Purposes; with regard to a merger, sale, assignment or other transfer of CSC TCI, Inc.; to protect CSC TCI’s legal interests; in connection with internal business practices; with consent by the Data owner; and when necessary to respond to an emergency that may threaten risk of harm to or destruction of person, property or Data. Except as part of a merger, sale or other significant entity change, CSC TCI will not sell, rent or lease PI. CSC TCI requires most personnel to execute confidentiality agreements, and assesses all third-party agents and subcontractors for suitability and reliability, given the nature of the Processing activity and Data involved. Third-party contracts typically address confidentiality, privacy and security obligations, as well as notification of known or suspected security breaches, misappropriation, or unauthorized disclosure and use of Data.
III. Framework Principles
With regard to collection, use, retention and Processing of EUPI, CSC TCI adheres to the Privacy Shield Principles set forth in the Framework.
If CSC TCI obtains EUPI directly from any EU Person, it will notify such EU Person of: the purposes for which it collects and uses their EUPI; how the individual can contact CSC TCI with inquiries or complaints about such use; the types of third parties (if any) to which CSC TCI discloses such EUPI; and the choices and means that CSC TCI offers for limiting the use and disclosure of their EUPI. Choices and means of limiting use and disclosure of PI may include use of encryption technology, limiting support options, providing separate backup mechanisms, and/or ceasing provision of certain products and services. Notice will be provided in clear and conspicuous language when CSC TCI first asks any EU Person to provide PI to CSC TCI, or as soon as practicable thereafter, and in any event before CSC TCI Processes such information for a purpose other than that which it was originally collected, or discloses it for the first time to a third party. If EUPI is provided to CSC TCI by its entity clients, notice will not be provided to the relevant EU Person by CSC TCI, however CSC TCI will use and disclose such EUPI in accordance with the purpose for which it was originally collected by the client and with consents made, so long as the client makes CSC TCI aware of such purpose and consents. CSC TCI clients are responsible for providing notice to all EU Persons who are the subject of Data
and PI provided by such client to CSC TCI.
CSC TCI will offer EU Persons providing EUPI directly to CSC TCI, the opportunity to choose (opt-out) whether their PI will (a) be disclosed to a third party (unless that disclosure is required or allowed by contract),or (b) be used for a purpose that is incompatible with the purpose for which that information was originally collected or subsequently authorized by the EU Person. CSC TCI will provide EU Persons with clear and conspicuous, readily available and affordable mechanisms to exercise their choices. For sensitive EUPI (which specifies medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or regarding gender and sexuality), CSC TCI will give EU Persons the explicit choice to consent (opt-in) to disclosure to a third party, or use for a purpose other than that for which that information was originally collected or subsequently authorized by the EU Person via exercise of the opt in choice. If any EUPI is provided to CSC TCI by its clients, choice will not be provided to the EU Person by CSC TCI, however CSC TCI will use and disclose such EUPI in accordance with the purpose for which it was originally collected by the entity client and with consents made, so long as the client makes CSC TCI aware of such purpose and consents. CSC TCI clients are responsible for obtaining consent from and providing choice to all EU Persons who are the subject of Data and PI provided by such client to CSC TCI.
3. Accountability for Onward Transfer
CSC TCI will apply the notice and choice principles in providing EUPI collected directly from a EU Person and thereafter provided to a third party. CSC TCI is potentially liable in cases of onward transfers of EUPI to third parties. Accordingly, CSC TCI will obtain assurances that its agents and subcontractors subscribe to the EU-US Privacy Shield Privacy Principles or otherwise use safeguards consistent with this Policy.
CSC TCI will take reasonable precautions to protect EUPI in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. CSC TCI follows industry standard security measures, which include physical, administrative and technical safeguards and controls designed to protect EUPI and other Data from loss, misuse, unauthorized access, disclosure, alteration or destruction. CSC TCI takes precautions in its efforts to ensure that access to EUPI is available only to those who are authorized. No protocol, encryption, or other precaution can provide complete security for electronic Data, so CSC TCI does not provide a guarantee of total security. Moreover, the privacy of information regarding the employees, customers and business associates of CSC TCI’s clients are the responsibility of such clients; CSC TCI clients have the only direct relationship with these Data subjects. CSC TCI follows commercially reasonable measures for retention and destruction of Data, including EUPI. Where appropriate, Data is deleted and/or disposed of effectively and securely. Even if destruction is requested by a client, personnel or EU Person, it may still be necessary for CSC TCI to retain certain Data pursuant to law, contract terms or to comply with internal retention and destruction policies.
5. Data Integrity and Purpose Limitation
CSC TCI will use EUPI only in ways that are relevant for the Purposes for which it was collected or authorized by the relevant EU Person. CSC TCI will take reasonable steps designed so that EUPI Processing is performed as intended, and in an accurate, complete and current manner.
Upon request, CSC TCI will grant EU Persons reasonable access to their EUPI held by CSC TCI, and will take reasonable steps to permit corrections, amendments, or deletions of inaccurate or incomplete EUPI, except where the burden or expense of providing access would be disproportionate to the risks to the EU Person’s privacy in the case in question, or whether the rights of other persons would be violated.
7. Recourse, Enforcement and Liability
8. Self-Assessment Verification
To ensure compliance with Framework Privacy Principles set forth in Section III of this Policy, CSC TCI will conduct an annual independent audit of its practices, which shall include confirming (a) the Policy and posting revised versions of the Policy in a conspicuous place on CSC TCI’s website where employees and clients can see them; (b) the Policy is accurate, comprehensive and conforms to the Framework’s principles; (c) annual renewal of EU-US Privacy Shield self-certification with the US Department of Commerce; (d) inclusion of CSC TCI’s name on the US Department of Commerce’s EU-US Privacy Shield list of compliant companies; (e) appropriate employee training and internal procedures exist for periodic reviews of CSC TCI’s compliance with the Policy. Any employee that CSC TCI determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.
9. Dispute Resolution
In compliance with the EU-US Privacy Shield Principles, CSC TCI commits to resolve complaints about privacy and the collection or use of EUPI free of charge. EU Persons with inquiries or complaints regarding this Policy may first contact Corptax, Attention Ivy Jacobson, Associate General Counsel, either by mail at Corptax, Inc., 2100 E. Lake Cook Road, Buffalo Grove, IL 60089, and/or by phone at 917.353.9643. CSC TCI has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. In addition, the Federal Trade Commission has jurisdiction to hear any claims of unfair or deceptive practices or violations of laws or regulations governing privacy. Under certain limited conditions, EU Persons may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.
CSC TCI’s adherence to the Framework principles may be limited and CSC TCI may be required to disclose EUPI in response to a lawful request by public authorities; to meet national security or law enforcement requirements; where there is a conflicting or overriding legal obligation; to the extent expressly permitted by any applicable law, rule or regulation; or where CSC TCI receives EUPI as a Processor acting on the instructions of a client, in which case CSC TCI will receive such EUPI merely for Processing in accordance with Purposes. CSC TCI clients will remain responsible for compliance with applicable laws and the Framework Privacy Shield Principles with regard to all PI provided by such clients to CSC TCI. CSC TCI client contracts contain strict restrictions that prohibit clients from accessing or reviewing other clients’ Data.
IV. Application and Exceptions
Questions and concerns regarding this Policy and its terms or regarding suspected misuse of Data should be directed to Ivy Jacobson, CSC TCI Associate General Counsel, 917.353.9643. CSC TCI will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Data in accordance with the principles contained in this Policy. The effective date of this Policy is: August 1, 2016.