SHC Privacy Shield Policy
Last Updated: May 9, 2018
SurveyHealthcare (SHC) has adopted this Privacy Notice ("Notice") to establish and maintain an adequate level of Personal Data privacy protection. This Policy applies to the processing of Personal Data that SHC obtains from its Customers.
Notice for European Union Residents
SHC complies with the General Data Protection Regulation (GDPR) and the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union to the United States, respectively. SHC has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability for personal data submitted by our Customers in participating European Union countries and our Privacy Shield certification is available here. We may also process personal data our Customers submit relating to individuals in the EU via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.
If there is any conflict between the terms in this privacy notice and the GDPR or the Privacy Shield Privacy Principles, the GDPR and the Privacy Shield Privacy Principles shall govern. SHC acknowledges that as a participant in the Privacy Shield Framework we are under the enforcement authority of the Federal Trade Commission.
To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/.
Capitalized terms are defined in Section XV of this Policy.
This Policy applies to the processing of SHC Customer Personal Data that SHC transfers to and stores in the United States.
We’re committed to helping you understand how we manage and protect the information we collect. We take privacy seriously and have taken many steps to help safeguard the information we collect from you.
II. RESPONSIBILITIES AND MANAGEMENT
SHC has designated the Privacy Department to oversee its information security program, including its compliance with the Privacy Shield program. The Privacy Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to firstname.lastname@example.org.
SHC will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. SHC personnel will receive training, as applicable, to effectively implement this Policy. Please refer to Section VI for a discussion of the steps that SHC has undertaken to protect Personal Data.
III. RENEWAL / VERIFICATION
SHC will renew its Privacy Shield certification annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.
Prior to the re-certification, SHC will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Customer Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, SHC will undertake the following:
SHC will prepare an internal verification statement on an annual basis.
IV. PURPOSES OF DATA PROCESSING, LEGAL BASES AND AUTOMATED DECISIONS
SHC provides research solutions to its Customers, which are predominantly business customers, although individuals are not restricted from purchasing such products nor supplying SHC with research support services. SHC collects Personal Data from Customers when they purchase our products, supply research support services, register with our website, request information from us, or otherwise communicate with us. For example, SHC Customers may choose to seek support via email communication.
The Personal Data that we collect may vary based on the Customer’s interaction with SHC. As a general matter, SHC collects the following types of Personal Data from its Customers: contact information, including a contact person’s name, work email address, work mailing address, work telephone number, title, billing/bank details, Tax Identification Number, company name, and IP address.
SHC uses Personal Data that it collects directly from its Customers and indirectly in its role as a service provider for the following business purposes, without limitation: (1) maintaining and supporting its products, delivering and providing the requested products/services, and complying with its contractual obligations related thereto (including managing transactions, reporting, invoices and other operations related to providing/receiving services to/from a Customer); (2) satisfying governmental reporting, tax, and other requirements; (3) storing and processing data, including Personal Data, in computer databases and servers located in the United States; (4) verifying identity (e.g., for online access to accounts); (5) as requested by the Customer; (6) for other business-related purposes permitted or required under applicable local law and regulation; and (7) as otherwise required by law.
Our legal bases for the processing of your personal data are: 1) your consent and/or 2) any other applicable legal bases, such as our legitimate interest in engaging in commerce and offering products and services of value to our customers.
We reserve the right to make automated decisions, including using machine learning algorithms, about our customers and website visitors in order to optimize the products and services offered and/or delivered.
V. CHOICE WITH RESPECT TO USES AND DISCLOSURES OF PERSONAL DATA
SHC recognizes that EU individuals have the right to limit the use and disclosure of their Personal Data, and we are committed to respecting those rights. We offer individuals the opportunity to opt out of disclosures of Personal Data to a third party or the use of Personal Data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual. We will comply with the GDPR with respect to disclosures of Sensitive Data including, when applicable, obtaining the explicit consent (i.e., opt in consent) of an individual prior to disclosing Sensitive Data to a third party or using Sensitive Data for purposes other than those for which it was originally collected or subsequently authorized by the individual.
VI. DISCLOSURES / ONWARD TRANSFERS OF PERSONAL DATA
SHC is potentially liable in cases of onward transfers of Personal Data to third parties, such as when third parties that act as agents on our behalf process Personal Data in a manner inconsistent with applicable data protection regulations. We will ensure that any third party to which we disclose Personal Data provides the same level of privacy protection as is required by the applicable data protection regulations and agrees in writing to provide an adequate level of privacy protection. Except as otherwise provided herein, SHC discloses Personal Data only to third parties who reasonably need to know such data. Such recipients must agree to abide by confidentiality obligations.
SHC may provide Personal Data to third parties and our agents, consultants, and contractors to perform tasks on behalf of and under our instructions. For example, disclosure may occur to our third parties and agents, consultants and contractors who may include, but are not limited to: Market Research Survey Scripting and Hosting platforms, credit checking entities, auditors and taxing authorities. We may provide Personal Data to such third parties for the following purposes, without limitation: survey reporting, credit checks, auditing purposes and governmental reporting, tax, and other requirements. Such third parties must agree to use such Personal Data only for the purposes for which they have been engaged by SHC and they must either: (1) comply with the GDPR, the Privacy Shield principles or another mechanism permitted by the applicable European data protection law(s) for transfers and processing of Personal Data; or (2) agree to provide adequate protections for the Personal Data that are no less protective than those set out in this Policy.
SHC also may disclose Personal Data for other purposes or to other third parties when a Data Subject has consented to or requested such disclosure or under the following circumstances:
Please be aware that in rare situations, it may be necessary to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
VII. DATA INTEGRITY, PURPOSE LIMITATION AND RETENTION
SHC shall not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To that end, SHC will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. SHC uses reasonable efforts to maintain the accuracy and integrity of Personal Data and to update it as appropriate.
We will retain your information for as long as your account is active and for at least twenty-four (24) months thereafter to allow you to re-activate your account without loss of data. We will also retain your information as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.
VIII. DATA SECURITY
SHC has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. For example, electronically stored Personal Data is stored on a secure network with firewall protection, and access to SHC’s electronic information systems requires user authentication via password or similar means. SHC also employs access restrictions, limiting the scope of employees who have access to Customer Personal Data. Further, SHC uses secure encryption technology to protect certain categories of personal data.
Despite these precautions, no data security safeguards guarantee 100% security all of the time.
X. PERSONNEL ACCESS OF PERSONAL DATA
SHC personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.
XI. RIGHT TO ACCESS, CHANGE OR DELETE PERSONAL DATA
Access, Rectification and Erasure
Customers (Data Subjects) have the right to obtain confirmation about whether Personal Data is included about them in our databases. Upon request, SHC will provide an individual access to his or her Personal Data within the time frame dictated by the applicable data protection regulations. SHC will permit an individual to know what Personal Data about them is included in our databases and to ensure that such Personal Data is accurate and relevant for the purposes for which SHC collected the Personal Data. Customers may review their own Personal Data stored in the databases and correct, update, modify, or delete any data that is incorrect or incomplete. Your right to access your Personal Data may be restricted in exceptional circumstances, including, but not limited to, when the burden or expense of providing this access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated by the provision of such access. If we determine that your access should be restricted in a particular instance, we will provide you with an explanation of our determination and respond to any inquiries you may have.
Customers may access their Personal Data by contacting SHC by phone or email at the contact information below. In making modifications to their Personal Data, Data Subjects must provide only truthful, complete, and accurate information.
To request deletion of Personal Data, you should submit a written request to:
Via Postal Mail:
Restriction of Processing
You may restrict processing of your Personal Data for certain reasons, for example, if you consider your Personal Data collected by us to be inaccurate or you have objected to the processing and the existence of legitimate grounds for processing is still under consideration.
You may request the Personal Data you provided to us in a commonly used and machine-readable form.
Right to Withdraw Consent
You have the right to withdraw your consent at any time, without affecting the lawfulness of our processing based on such consent before it was withdrawn, including processing related to existing contracts for our Services.
Requests for Personal Data
SHC will track each of the following and will provide notice to the appropriate parties under law and contract when either of the following circumstances arise: (a) legally binding request for disclosure of the Personal Data by a law enforcement authority unless prohibited by law or regulation; or (b) requests received from the Data Subject.
XII. CHANGES TO THIS POLICY
This Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. We will notify Customers if we make changes that materially affect the way we handle Personal Data previously collected, and we will allow them to choose whether their Personal Data may be used in any materially different manner.
XIII. QUESTIONS OR COMPLAINTS
Customers may contact SHC with questions, concerns, or complaints concerning our privacy practices or this Privacy Notice at the following addresses:
Via Postal Mail:
XIV. ENFORCEMENT AND DISPUTE RESOLUTION
We commit to resolving individuals' complaints related to our privacy practices or our collection, use, or disclosure of Personal Data. An individual may file a privacy complaint by contacting us at our contact information in Section XII. Further, individuals with questions or concerns about the use or disclosure of their Personal Data should contact us as outlined in Section XIII.
SHC acknowledges that as a participant in the Privacy Shield Framework we are under the enforcement authority of the Federal Trade Commission.
If an individual's complaint cannot be satisfied through our internal complaint process, the individual may bring a complaint before the INSIGHTS ASSOCIATION PRIVACY SHIELD PROGRAM, a non-profit alternative dispute resolution provider located in the United States and operated by the Insights Association. The INSIGHTS ASSOCIATION PRIVACY SHIELD PROGRAM is designed to handle eligible complaints brought by EU citizens about Privacy Shield Principles. If you have any complaints regarding our compliance with the Privacy Shield Framework you should first contact us (as provided above).
If contacting us does not resolve your complaint or you do not receive timely acknowledgement of your complaint, please visit the INSIGHTS ASSOCIATION PRIVACY SHIELD PROGRAM website at http://www.insightsassociation.org/get-support/privacy-shield-program/privacy-shield-eu-swiss-citizens-file-complaint for more information and to file a complaint. We will cooperate with the independent dispute resolution mechanism to resolve any complaint that is not resolved through our internal processes. Please note that if an individual's complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
“Customer” means a prospective, current, or former partner, vendor, supplier, customer, or client of SHC. The term also shall include any individual agent, employee, representative, customer, or client of an SHC Customer where SHC has obtained his or her Personal Data from such Customer as part of its business relationship with the Customer.
“Data Subject” means an identified or identifiable natural living person in the European Union. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics.
“Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of SHC or any of its affiliates or subsidiaries.
“Europe” or “European” refers to a country in the European Economic Area.
“Personal Data”, as defined under Regulation (EU) 2016/679, the General Data Protection Regulation, means any and all data (regardless of format) that (i) identifies or can be used to identify, contact or locate a natural person, or (ii) pertains in any way to an identified natural person. Personal Data includes obvious identifiers (such as names, addresses, email addresses, phone numbers and identification numbers) as well as biometric data, “personal data” (as defined in the GDPR), and any and all information about an individual’s computer or mobile device or technology usage, including (for example and without limitation) IP address, MAC address, unique device identifiers, unique identifiers set in cookies, and any information passively captured about a person’s online activities, browsing, application or hotspot usage or device location.
Sensitive Data is a subset of Personal Data which due to its nature has been classified by law as deserving additional privacy and security protections. Sensitive Personal Data consists of: (i) all government-issued identification numbers, (ii) all financial account numbers (including payment card information and health insurance numbers), (iii) individual medical records, genetic and biometric information, (iv) user account credentials, such as usernames, passwords, security questions/answers and other password recovery data, (v) data elements that constitute Special Categories of Data under the GDPR, namely EEA Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, and (vi) any other Personal Data designated by SHC as Sensitive Personal Data.