EFFECTIVE DATE: June 30, 2017
This Policy applies to all Personal Data received by Episerver in the United States from the European Union in any tangible and/or electronic medium.
For purposes of this Policy, the following definitions shall apply:
NOTICE AND PURPOSE OF COLLECTION: Episerver customers determine the types of data they submit to Episerver to process on their behalf in the course of using Episerver services. Episerver has no direct relationship with the individuals whose information it receives from its customers or their business partners. Episerver does not control such information, does not select or determine the specific types of data that it processes, and does not determine the purpose for which it is processed.
In other instances, Episerver may collect Personal Data when performing expert services at its customers’ request, to provide customer support, in general support of its customer relationships, which may include but are not limited to marketing activities, fulfilling product orders, to improve product offerings, customer surveys, questionnaires, responses to comments, etc., to download software and/or gain access to and/or enable certain products or services, for internal business processes, such as financial processing, responding to informational requests, and to comply with applicable laws.
Episerver also receives human resource-related personal information from its partners and affiliates and may share such information with the same in the ordinary course of business and for general employee administration purposes.
Where Episerver receives Personal Data from its subsidiaries, affiliates or other entities in the European Union, it will use such information in accordance with the privacy notices provided by such entities and the choices made by the individuals to whom such Personal Data relates.
DISCLOSURE: Our agents, vendors, consultants, and other service providers (collectively “Service Providers”) may receive, or be given access to information, including your Personal Data, in connection with their work on our behalf. Examples of Service Providers include companies that provide customer support or process credit card payments on our behalf. These Service Providers are prohibited from using your Personal Data for any purpose other than to provide this assistance, although we may permit them to use aggregate information which does not identify you or de-identified data for other purposes.
Without limiting the foregoing, in our sole discretion, we may disclose aggregated information, such as statistical information, which does not identify you or de-identified information about you with third parties or affiliates for any purpose.
COMPELLED DISCLOSURE: Episerver may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
DISPUTE RESOLUTION: Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the notices address specified in “Contact Information” below. Episerver will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy. For complaints that cannot be resolved between Episerver and the complainant, Episerver has agreed to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the Privacy Shield Principles. Under certain conditions, as more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, individuals may be able to invoke binding arbitration before the Privacy Shield Panel jointly created by the U.S. Department of Commerce and the European Commission.
ACCESS: Individuals may access their Personal Data by sending a request to Episerver at the notices address specified in “Contact Information” below. Episerver will provide the choices and means to individuals and may limit the use and disclosure of their Personal Data upon request.
In some cases, Episerver has limited access to data we process on behalf of our customers in connection with our services. Therefore, requests to access, correct, amend, remove and/or limit the use and disclosure of Personal Data that Episerver processes on behalf of its customers should include the name of the Episerver customer who submitted your Personal Data to Episerver. We will forward such requests to the identified customer to respond directly to you and we will provide any necessary assistance in that customer’s response to your request.
CHOICE: Episerver will offer European Union data subjects the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
For sensitive information (i.e., Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual; the commission or alleged commission by the individual of any offense; or any proceedings for any offense committed, or alleged to have been committed, by the individual, the disposal of such proceedings or the sentence of any court in such proceedings), Episerver will obtain affirmative express consent (opt in) from European Union data subjects if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. European Union data subjects may withdraw their consent at any time. In addition, Episerver will treat as sensitive any Personal Data received from a third party where the third party identifies and treats it as sensitive.
If you are a European Union data subject and wish to exercise choice, please e-mail or write to us at the addresses specified in “Contact Information” below.
YOUR CALIFORNIA PRIVACY RIGHTS: California’s “Shine the Light” law permits customers in California to request certain details about how certain types of their information are shared with third parties and, in some cases, affiliates, for those third parties’ and affiliates’ own direct marketing purposes. Under the law, a business should either provide California customers certain information upon request or permit California customers to opt in to, or opt out of, this type of sharing.
Episerver may share personal information as defined by California’s “Shine the Light” law with third parties and/or affiliates for such third parties’ and affiliates’ own direct marketing purposes. If you are a California resident and wish to obtain information about our compliance with this law, please e-mail or write to us at the addresses specified in “Contact Information” below. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that Episerver is not required to respond to requests made by means other than through the provided e-mail address or mail address.
DATA INTEGRITY: Episerver will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. Episerver will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual and will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current for so long as Episerver holds such information. Episerver will only hold such information for so long as it serves the purpose as described herein.
TRANSFERS TO AGENTS: If Episerver transfers data to a third-party agent, Episerver will: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Episerver’s obligations under the Principles; (iv) require the agent to notify Episerver if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. Episerver will facilitate the exercise of data subject rights under GDPR Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
SECURITY: Episerver will take all reasonable and appropriate organizational and technical measures to protect Personal Data from loss, misuse, unauthorized and unlawful access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
ENFORCEMENT AND COMPLIANCE: Episerver will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that Episerver determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. Upon its certification, Episerver will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield and/or to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Episerver is subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to its compliance with the EU-U.S. Privacy Shield Framework. If Episerver becomes subject to an FTC or court order based on non-compliance, Episerver will make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. Episerver may be required to disclose Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requests.
ONWARD TRANSFER LIABILITY: If a third party processes Personal Data on behalf of Episerver in a manner inconsistent with the Privacy Shield Principles, Episerver could be liable unless Episerver can prove that it is not responsible for the event giving rise to any damage.
DO NOT TRACK: Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no industry consensus as to what site operators should do with regard to these signals. Accordingly, we do not monitor or take action with respect to “Do Not Track” signals or other mechanisms. For more information on “Do Not Track,” visit http://www.allaboutdnt.com.
CONTACT INFORMATION: Questions or comments regarding this Policy should be submitted to Episerver by mail.
or write to:
c/o Legal Department
542 Amherst Ave
Nashua, NH 03063, USA
This Policy may be amended from time to time, consistent with the requirements of the Principles. Appropriate public notice will be given concerning such amendments.