EU and Switzerland Safe Harbor Policy
Predictablely Inc. (“Predictable.ly”) acknowledges the standards for personal data protection in the European Union and Switzerland. Through its relationship with a global customer base, Predictable.ly has access to Personally Identifiable Information (PII) of customers in the EEA and Switzerland. This Policy addresses the privacy concerns of European/Swiss customers due to data transfer between Predictable.ly’s European/Swiss and U.S. business units and/or locations.
To effect this Policy, Predictable.ly will adhere to the United States Department of Commerce Safe Harbor Principles and will self-certify to the United States Department of Commerce its compliance with the European/Swiss Safe Harbor Principles. This Policy applies to all PII data transmissions from Predictable.ly operations in the EEA/Switzerland to the United States. This includes transmission of data over phone lines, computer lines, and hard copy and includes any material that identifies a particular individual customer.
The use of EEA/Swiss customer PII may include personal telephone numbers, addresses, credit card or bank account information, and any other material that identifies a particular individual customer of Predictable.ly.
In implementing this policy, Predictable.ly will annually self-certify to the Department of Commerce that it agrees to adhere to the EU/Swiss Safe Harbor Principles.
Predictable.ly acknowledges that its failure to provide an annual self-certification to the Department of Commerce will result in the removal of Predictable.ly from the list of participants.
Questions regarding the transmission of personal data from the EEA/Switzerland to the United States or any other non-EEA/non-Swiss location, or any further transmission of the personal data once received in the United States, should be referred to Predictable.ly’s Support Group at firstname.lastname@example.org.
Alternatively, you can opt out of our e-mail communications by ticking the opt-out box at the bottom of the email.
Predictable.ly has adopted the seven Safe Harbor principles of notice, choice, onward transfer (transfer to third parties), access, security, data integrity and enforcement with respect to PII and sensitive data to be transferred to the U.S. from Predictable.ly operations in the EEA/Switzerland.
Notice – Predictable.ly will notify customers in the EEA/Switzerland about the purposes for which personal data will be collected and used. Information will be provided on how customers can contact Predictable.ly with inquiries or complaints regarding personal data. Predictable.ly will give notice to customers regarding third parties to which it discloses the information, and restrictions that limit the information’s use and disclosure. In certain situations, data is “anonymized” so that the names of the data subjects are not known by data processors within Predictable.ly. In these cases, data subjects do not need to be notified.
Choice – Prior to releasing personal data to a third party, Predictable.ly will give an individual customer the opportunity to choose whether their personal data is disclosed to that third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by that individual. For sensitive data, an affirmative choice will be given to the customer if the personal data is to be disclosed to a third party or used for a purpose other than its original purpose or the purposes authorized subsequently by the individual.
Onward transfer (transfer to third parties) – Prior to disclosing personal data to a third party, Predictable.ly will apply the notice and choice principles enumerated above. Predictable.ly will commit to ensuring that the third-party keeper of personal data also subscribes to the EU/Swiss Safe Harbor Principles or any other EU/Swiss adequacy finding. Predictable.ly will also enter into a written agreement with such third party requiring that the third party provide at least the same level of personal data protection as is maintained by Predictable.ly.
Access – Customers covered under this policy will have access to personal information about themselves that Predictable.ly holds and will be able to correct, amend or delete information if it is inaccurate (the exception is when the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or when the rights of persons other than the individual would be violated).
Security – Predictable.ly will take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Access to personally identifiable personal data of EEA/Swiss customers will be restricted to a limited number of users on a need-to-know basis.
Data Integrity – Personal data kept by Predictable.ly will be relevant for the purposes for which it is to be used. Predictable.ly will take reasonable steps to ensure that the data is reliable and that it is applied to its intended use. Predictable.ly will also ensure that the information is accurate, complete and correct.
Enforcement – To ensure compliance with these Safe Harbor Principles, Predictable.ly will:
• Commit to cooperate with JAMS as its independent recourse mechanism and with the Data Protection Authorities (DPAs) of the EU/Switzerland in the investigation and resolution of complaints and will comply with any advice given by DPAs;
• Employ a procedure for verifying that the commitment the company has made to adhere to the Safe Harbor Principles has been implemented;
• Remedy issues arising out of any failure to comply with the Principles. Predictable.ly acknowledges that its failure to provide an annual self-certification to the Department of Commerce will remove it from its list of participants and the transfers of information will not be allowed unless Predictable.ly otherwise complies with the EU/Swiss Data Protection Directive.
• Conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that Predictable.ly determines is in violation of this policy will be subject to disciplinary action, up to and including termination of employment.
Dispute Resolution – The Predictable.ly Support Group (“WSG”) will be the internal mechanism for ensuring compliance with the Safe Harbor Principles and facilitating the independent recourse mechanism referenced in the “Enforcement” section above.
Any questions or concerns regarding the use or disclosure of personal information should be directed to the WSG at the address given below. Predictable.ly will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information by reference to the principles contained in this Policy. For complaints that cannot be resolved between Predictable.ly and the complainant, Predictable.ly has agreed to participate in the following dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to the Safe Harbor Principles:
• For disputes involving human resources personal information received by Predictable.ly from the EEA/Switzerland, Predictable.ly has agreed to cooperate with the data protection authorities in the EU/Switzerland and to participate in the dispute resolution procedures of the panel established by the European/Swiss data protection authorities (“DPAs”);
• For all other disputes involving personal information received by Predictable.ly from the EEA/Switzerland, Predictable.ly has agreed to formal mediation with JAMS pursuant to the JAMS International Mediation Rules, which are accessible on the JAMS website at http://www.jamsadr.com/rules-international-rules. Individuals who submit a question or concern to Predictable.ly and who do not receive acknowledgment from Predictable.ly of the inquiry, or who think their question or concern has not been satisfactorily addressed, should then contact JAMS on the Internet at http://www.jamsinternational.com/submit-a-case. JAMS will act as a liaison to Predictable.ly to resolve these disputes. Predictable.ly will assume the costs of the administrative fees if the mediator makes a written recommendation that finds Predictable.ly in breach of its duties pursuant to the Safe Harbor. The JAMS dispute resolution process shall be conducted in English.
Limitation of Application of Principles
Adherence by Predictable.ly to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.
Questions or comments regarding this Policy should be submitted to the Predictable.ly Support Group by mail to:
c/o Jeffrey Neu
New York, New York 10001
Predictable.ly – Means Predictablely Inc., its predecessors, successors, parents, subsidiaries, divisions, and groups in the United States.
European Union – The European Union (“EU”) consists of 27 independent sovereign states: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
European Economic Area – The European Economic Area (“EEA”) unites the EU Member States and the three EEA EFTA States (Iceland, Liechtenstein, and Norway).
Personally Identifiable Information (“PII” or “Personal Data”, for the purposes of this Policy) – Any personal information relating to an identified or identifiable natural person who is a Predictable.ly customer and who can be identified, directly or indirectly, in particular by a reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Sensitive Data – Sensitive data is data that pertains to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, income records, health, sexual orientation or alleged commission of any offense. This data may not be transferred to a third party unless an individual gives explicit consent.