The Directive protects individuals with regard to the processing and movement of personal data. It permits transfers of Personal Data from an EU Member State to a non-EU Member State only if such non-EU Member State provides an “adequate level of protection.” The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions regarding the transfer of Personal Data from the EU to the United States (the “Safe Harbor Principles”) that satisfy the “adequate level of protection” requirement of the Directive. CompRSA, consistent with its commitment to protect personal information, adheres to principles consistent with the Safe Harbor Principles.
For purposes of this Policy, the term “Personal Data” means any information relating to a natural person within the Member States of the EU who is identified or who can be identified directly or indirectly in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. For purposes of this Policy, the term “Data Subject” means the natural person who is identified or identifiable by such Personal Data.
CompRSA adheres to the following principles that are consistent with the Safe Harbor Principles:
1. Notice. At the time when CompRSA first asks a Data Subject to provide Personal Data to CompRSA or as soon thereafter as is practicable, but in any event before CompRSA uses such Personal Data for a purpose other than the purpose(s) for which it was originally collected or discloses it for the first time to a third party, CompRSA will inform such Data Subject in clear and conspicuous language of: (a) the purpose(s) for which CompRSA collects and uses such Data Subject’s Personal Data, (b) how such Data Subject can contact CompRSA with any inquiries or complaints about such Data Subject’s Personal Data, (c) the types of third parties to whom CompRSA discloses such Data Subject’s Personal Data, and (d) the choices and means that CompRSA offers such Data Subject for limiting the use and disclosure of such Data Subject’s Personal Data.
2. Choice. CompRSA will offer a Data Subject the opportunity to choose (opt-out) whether such Data Subject’s Personal Data is: (a) to be disclosed to a third party, or (b) to be used for a purpose other than the purpose(s) for which it was originally collected or subsequently authorized by such Data Subject. CompRSA will offer a Data Subject clear and conspicuous, readily available mechanisms to exercise such choice.
When the following categories of Personal Data are involved: personal information specifying (a) medical or health conditions, (b) racial or ethnic origin, (c) political opinions, (d) religious or philosophical beliefs, (e) trade union membership, or (f) information specifying the sex life of the Data Subject (collectively referred to as “Sensitive Personal Data”), CompRSA will offer Data Subjects affirmative or explicit (opt-in) choice if the Sensitive Personal Data is to be disclosed to a third party or used for a purpose other than the purpose(s) for which it was originally collected or subsequently authorized by the Data Subject. CompRSA also treats as Sensitive Personal Data any information that it receives from a third party when such third party treats and identifies such information as Sensitive Personal Data.
3. Onward Transfer. CompRSA will disclose Personal Data to third parties pursuant to the Notice and Choice principles set forth above. In the event that CompRSA wants to transfer Personal Data to a third party that is acting as its agent, CompRSA will, prior to such transfer, obtain assurances from such third party that it: (a) subscribes to the Safe Harbor Principles, (b) is subject to the Directive, (c) is subject to another “adequate level of protection” finding, or (d) will enter into a written agreement with CompRSA requiring that the third party provide at least the same level of privacy protection as is required by the relevant Safe Harbor Principles.
4. Security. CompRSA takes reasonable precautions to protect Personal Data from loss, misuse and unauthorized alteration, destruction, access and disclosure. Please note, however, that no transmission over the Internet can be 100% secure.
5. Data Integrity. CompRSA will not process Personal Data in a manner other than the purpose(s) for which it: (a) has been collected, or (b) has been subsequently authorized by the Data Subject. CompRSA will take reasonable steps to ensure that Personal Data is current, accurate, complete and relevant for its intended use.
6. Access. Upon a written request to CompRSA, CompRSA will grant a Data Subject reasonable access to such Data Subject’s Personal Data that CompRSA possesses. CompRSA will correct, amend or delete any Personal Data that is shown, to CompRSA’s reasonable satisfaction, to be out of date, inaccurate, incomplete or no longer necessary for the purpose(s) for which it was collected or subsequently authorized by the Data Subject.
7. Enforcement. CompRSA will conduct compliance audits of its adherence to the principles set forth in this Policy from time to time and will establish follow-up procedures for verifying that its attestations and assertions about its privacy practices are true and that its privacy practices have been implemented as presented in this Policy. In the event that CompRSA determines that any of its employees are in violation of the principles set forth in this Policy, CompRSA will subject such employee(s) to appropriate disciplinary action, up to and including termination of employment.
CompRSA will investigate and attempt to resolve complaints and disputes regarding the use and disclosure of Personal Data in accordance with the principles contained in this Policy. In the event that complaints cannot be resolved between CompRSA and any complainant, CompRSA will cooperate and participate in the dispute resolution procedures of the panel established by the EU data protection authorities to resolve such disputes.
This Policy may be amended by CompRSA from time to time, provided that such amendments are consistent with the requirements of the Safe Harbor Principles. Please come back to this page from time to time to review this Policy.