Document viewer
Name | Last change
Sirota Consulting Corp (en) - Privacy Policy and Safe Harbor | 10-Feb-2016 | 26.8%
Significant change indicated

Row | Old Version | New Version
Row 0 (unchanged): Privacy Policy

Row 1
Old: Last Updated: February 2014
New: Last Updated: February 2016

Row 2 (unchanged): Introduction:

Row 3
Old: Sirota Consulting LLC (the “Company”) recognizes and respects the legitimate interest of individuals to protect the privacy of information about them that may be collected or processed in the ordinary course of our business. The Company has therefore adopted a privacy and data protection policy which is applicable to information relating to our employees as well as to information relating to other individuals collected or processed in the general course of our survey research business.
New: Sirota Consulting LLC (the “Company”) recognizes and respects the legitimate interest of individuals to protect the privacy of information about them that may be collected or processed in the ordinary course of our business. The Company has therefore adopted a privacy and data protection policy that is applicable to information relating to our employees as well as to information relating to other individuals collected or processed in the general course of our survey research business. It is the goal of the Company to set forth the rights of Data Subjects (defined below) in clear and unambiguous terms.

Row 4 (unchanged): For the purposes of this policy, we use the term “Personally Identifiable Information” (or abbreviated as “PII”) to refer to any information relating to a living person who can be identified, directly or indirectly, by reference to that information and which is in the Company’s possession. An individual with respect to whom PII may be collected or processed may be generically referred to as a “Data Subject”, or more specifically, as employee or survey respondent. Through this policy, it is the Company’s intention to protect the reasonable privacy interests of individuals and for the Company to be in compliance with all applicable laws, rules and regulations relating to data privacy. References to “we” and the “Company” refer to Sirota Consulting LLC and its subsidiaries and affiliated companies.

Row 5 (unchanged): General Summary:

Row 6
Old: Sirota Consulting LLC takes all reasonable precautions to protect the privacy of Data Subjects by appropriately safeguarding PII from loss, misuse, unauthorized access, transfer, disclosure, alteration or destruction. The Company does not process personal data other than to the extent such processing is necessary to achieve the legitimate business purposes of the Company. The Company does not share, transfer to third parties, assign, sell, permit the viewing of or access to any PII, except as set forth in this policy. Examples of these precautions include physical and logical separations, encryption and security, password protections for online information systems and restricted access to PII. In addition, any inquiries to the Company, either written or verbal, concerning the identity, employment record, or performance of a current or terminated employee or of any Data Subject, are to be referred to the General Counsel’s office which has oversight responsibility for data privacy. If the request is from a government agency, our General Counsel will verify the credentials of the agency representative before releasing any information.
Policies:
New: Sirota Consulting LLC takes commercially reasonable precaution to protect the privacy of Data Subjects by appropriately safeguarding PII from loss, misuse, unauthorized access, transfer, disclosure, alteration or destruction. The Company does not process personal data other than to the extent such processing is necessary to achieve the legitimate business purposes of the Company. The Company does not share, transfer to third parties, assign, sell, permit the viewing of or access to any PII, except as set forth in this policy. Examples of these precautions include physical and logical separations, encryption and security, password protections for online information systems and restricted access to PII. In addition, any third party inquiries to the Company, either written or verbal, concerning the identity, employment record, or performance of a current or terminated employee or of any Data Subject, are referred to the Company’s Data Privacy Officer, a corporate officer appointed by the Board of Directors with oversight responsibility for data privacy. If the request is from a government agency, our General Counsel will verify the credentials of the agency representative and take appropriate steps to safeguard confidentiality and privacy, including but not limited to seeking judicial review of the request and seeking protective relief before releasing any information.
Policies:
Row 7
Old: In collecting or processing and otherwise handling Personally Identifiable Information, it is the policy of this Company, and all employees of the Company shall act in accordance therewith, to:
New: In collecting or processing and otherwise handling Personally Identifiable Information, it is the policy of this Company, and all employees of the Company shall act in accordance with these policies, to:

Row 8
Old: 1. Ensure that personal data is processed fairly and in accordance with legal requirements.
New: 1. Ensure that personal data is processed fairly, securely, accurately and only to the extent reasonably necessary to carry out the business of the Company. For Employees of the Company, that means that the use of PII will be limited to what the Company must do to process business critical information, such as payroll, benefits, other pension and related filings and as otherwise required by national or local ordinances. For survey respondents, this means that the Company will process demographic information regarding individuals participating in surveys only for the purposes necessary to analyze the data and for related scientific and professional research purposes.

Row 9
Old: 2. Ensure that Data Subjects know for whom the data is being obtained or processed and for what purposes it will be used. This may be set out in documents or may be explained to the individual. In certain situations, data is anonymized so that the names of the data subjects are not known by data processors within the Company. In these cases, data subjects do not need to be notified. It is noted that statistical reporting relying on aggregate employment data and/or the use of anonymized or pseudonymized data does not constitute PII.
New: 2. Ensure that Data Subjects know for whom the data is being obtained or processed and for what purposes it will be used. This may be set out in documents or may be explained to the individual. To the extent possible, PII will be anonymized so that the names and identities of the data subjects are not known by data processors within the Company or by the Company’s clients for which the surveys are commissioned. It is noted that statistical reporting relying on aggregate employment data and/or the use of anonymized or pseudonymized data is not itself PII.

Row 10
Old: 3. Ensure that the Data Subject has been told to what use the data is going to be put and, where appropriate, we will ensure that the individual has consented to the data being used for that purpose. This may be implicit or explicit, but it will be explicit for any information that is sensitive (see below for further details on Sensitive Personal Information). However, consent will not be necessary if:
New: 3. Ensure that the Data Subject has been advised in clear and unambiguous terms to what use the data is going to be put and we will ensure that the individual has consented to the data being used for that purpose. Requesting consent will likewise be in clear and unambiguous terms, and we will seek explicit consent, but it will be explicit for any information that is sensitive (see below for further details on Sensitive Personal Information). However, consent will not be necessary if:

Row 11 (unchanged): The information is required to perform contractual obligations to that individual or to take steps at their request with a view to entering into a contract with them.

Row 12 (unchanged): We are required by legal process, statute or applicable regulation to supply the information or it is necessary to obtain the information in order to comply with any legal obligation.

Row 13 (unchanged): It is necessary to use the information to protect that individual’s vital interests.

Row 14 (unchanged): Notwithstanding the foregoing, we will not collect, process or otherwise deal with any PII in any manner incompatible with the purpose stated and we will not go beyond or act in contravention of any confidentiality or privacy undertakings given to any such data subjects.

Row 15 (unchanged): 4. We will collect or process PII only to the extent that it is relevant and not excessive in relation to the purpose for which it is collected or processed.
Row 16
Old: When seeking information we will only ask for what is needed for the particular purpose and no more.
New: When seeking information, we will only ask for what is needed for the particular purpose and no more.

Row 17 (unchanged): When legitimately disclosing information to another party we will only reveal the information that is strictly relevant to that purpose.

Row 18 (unchanged): 5. We will ensure that the information is accurate and kept up to date (as relevant and appropriate).

Row 19 (unchanged): Where feasible, the information should be obtained directly from the Data Subject or the accuracy checked with them. Data Subjects will have the right to review the accuracy of any PII relating to them in our possession and to correct any erroneous information.

Row 20 (unchanged): However, not all information that relates to an individual has to be disclosed to them if requested. Disclosure should not occur if:

Row 21 (unchanged): It would involve identifying another person.

Row 22 (unchanged): It would involve the Company breaching a duty of confidentiality owed to another.

Row 23 (unchanged): The information is subject to legal privilege.

Row 24 (unchanged): It is a reference given by the Company.

Row 25 (unchanged): It relates to management forecasting or planning.

Row 26 (unchanged): It relates to matters over which the Company is negotiating with that individual and the disclosure of the information would prejudice those negotiations.

Row 27
Old: 6. We will not retain personal data for longer than is necessary except to the extent that we are able to aggregate the same to the point that it is anonymized for statistical research. How long is appropriate will depend on the type of data and the use to which it has been put. Specific guidelines will be provided to deal with particular items of data.
New: 6. We will not retain personal data for longer than is necessary except to the extent that we are able to aggregate the same to the point that it is anonymized for statistical research. How long is appropriate will depend on the type of data and the use to which it has been put. In general, and subject to our clients’ lawful instructions, PII relating to survey responses is retained for five (5) years to enable continued data analysis by way of providing trend and normative data. However, survey respondents may request that their PII be removed from the Company’s active systems (see policy #15 below). The Company also retains employee PII for not less than seven (7) years to comply with IRS regulations and good business practice. The Company’s general counsel may direct that such information be retained for a longer period of time in the event of a litigation hold or as he deems necessary to protect the interests of the Company or as otherwise required by law.
Row 28 (unchanged): 7. Individuals have the right to review personal data about them that the Company holds and to correct any inaccuracies in such information.

Row 29
Old: Most clients and employees will be aware of what information we hold relating to them but there may be some exceptions. Any queries should be referred to the General Counsel of the Company and should not be addressed by employees directly unless authorized to do so. The section on exceptions deals with this point in more detail.
New: Most clients and employees will be aware of what information we hold relating to them but there may be some exceptions. Any queries should be referred to the Data Privacy Officer of the Company and should not be addressed by employees directly unless authorized to do so.

Row 30
Old: 8. We will ensure that appropriate technical and organisational measures are in place to ensure an unauthorised or unlawful processing or accidental loss or damage or destruction to personal data is prevented.
New: 8. We will ensure that appropriate technical and organisational measures are in place to ensure that an unauthorized or unlawful processing or accidental loss or damage or destruction to personal data is prevented.

Row 31 (unchanged): 9. We will take appropriate steps and will implement procedures and provide training to staff as appropriate for the information they handle. This will be subject to an ongoing review.

Row 32 (unchanged): 10. We will not disclose or otherwise transfer PII, except:

Row 33 (unchanged): When requested by an employee, the Company will transfer information relating to that employee (e.g., in order to verify employment in connection with that employee's application for credit); or

Row 34 (unchanged): To a third party acting as its agent for the Company or a client of the Company with respect to such clients’ processed information, such as an outside benefits administrator or a third party professional service organization retained by a client, provided such transferee provides a level of data protection substantially similar to that provided by this Company or such transferee enters into an agreement in which the third party undertakes upon receipt of such PII to provide a substantially similar level of protection as this Company provides; and

Row 35 (unchanged): When it is necessary to comply with legal obligations, such as providing government authorities appropriate tax and social security information, or if required under court order or subpoena; and

Row 36 (unchanged): When necessary to protect and defend our legal and property rights, or meet national security, the public interest, or law enforcement requirements; and

Row 37 (unchanged): In providing statistical reporting in the ordinary course to the Company’s clients, provided the PII is suitably anonymized through either technical procedures or the implementation of minimum aggregation rules; and

Row 38
Old: If the request is from a government agency, our General Counsel will use reasonable efforts to verify the credentials of the agency representative and the legitimacy of the request before releasing information.
New: If the request is from a government agency, or the result of legal process, our General Counsel will verify the credentials of the agency or other legal representative and take appropriate steps to safeguard confidentiality and privacy, including but not limited to seeking judicial review of the request and seeking protective relief before releasing any information.

Row 39
Old: 11. The Company complies with the U.S. - EU Safe Harbor Framework and the U.S. - Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Sirota Consulting LLC has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view the Company’s certification, please visit http://www.export.gov/safeharbor/ .
New: 11. Up until January of 2016, the Company was in compliance with the substantive provisions of the U.S. - EU Safe Harbor Framework and the U.S. - Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Sirota Consulting LLC certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. Although recent regulatory actions have reduced the efficacy of the Safe Harbor certification, Sirota nonetheless remains in substantive compliance with those privacy principles. In addition, the Company anticipates that it will likewise act expeditiously to be compliant with the EU-US Data Shield as that agreement is made fully effective.
Row 40 (unchanged): 12. With respect to sensitive personal data, the following shall apply:

Row 41 (unchanged): Sensitive personal data is personal data which relates to:

Row 42 (unchanged): The racial or ethnic origin of the individual.

Row 43 (unchanged): His/her political opinions.

Row 44 (unchanged): His/her religious beliefs or other beliefs of a similar nature.

Row 45 (unchanged): Whether he/she is a member of a trade union.

Row 46 (unchanged): His/her physical or mental health or condition.

Row 47 (unchanged): His/her sex life.

Row 48 (unchanged): The alleged commission by him/her of any offence or anything related to any criminal proceedings against him/her.

Row 49 (unchanged): In addition to the above principles, and except with reference to sensitive personal data relating to US based employees or survey respondents, the following conditions also apply to the processing of sensitive personal data:

Row 50 (unchanged): The individual must give their specific consent to the processing of the personal data.

Row 51 (unchanged): The processing must be necessary for the purposes of exercising or performing any right or obligation conferred or imposed by law on the Company in connection with employment.

Row 52 (unchanged): Processing of information relating to racial or ethnic origin that is necessary for the purposes of reviewing policy of opportunity or treatment is permissible.

Row 53 (unchanged): Processing is necessary for medical purposes by a health professional or similar.

Row 54
Old: 13. The General Counsel of the Company is the data privacy officer of the Company and is responsible for overall compliance with the principles and policies set forth herein. All enquiries should be addressed to him. This policy will be reviewed and updated from time to time.
New: 13. The data privacy officer of the Company is responsible for overall compliance with the principles and policies set forth herein. All enquiries should be addressed to privacy@sirota.com .

Row 55 (unchanged): 14. While the Company takes reasonable steps to ensure that Personal Data is accurate, complete, and current, it is a responsibility of all employees to immediately inform the Company in the event of changes in Personal Information. Upon request, data subjects may access Personal Information about them and are able to have inaccurate information corrected.

Row 56
Old: 15.
New: 15. In the event that a survey respondent wishes to have his or her PII deleted from the Company’s active servers after the conclusion of a survey, a written request to do so can be addressed to the Company’s privacy officer at privacy@sirota.com and the request will be honored in the ordinary course of business. The deletion of information will be on the active servers only and not the back-up media (tapes) maintained by the Company for emergency planning purposes. However, a log is maintained of any PII that is deleted and in the event a back-up tape is required to be restored, the Company will delete the PII from the restored database.

Row 57
Old: In the event of a dispute relating to the Company’s handling of PII, Data Subjects should be directed to contact the Company’s General Counsel in Purchase, New York in order to register complaints, to submit access requests, or to address any other issues arising under the Safe Harbor Principles. Our General Counsel is authorized to expeditiously investigate and mediate any such dispute or disagreement. Under the Safe Harbor Certification, the Company has agreed to cooperate with data protection authorities located in the EU (DPAs) and Switzerland (FDPIC).
New: 16. In the event of a dispute relating to the Company’s handling of PII, Data Subjects should be directed to contact the Company’s data privacy officer at Four Manhattanville Road, Purchase, New York 10577 or by email to privacy@sirota.com in order to register complaints, to submit access requests, or to address any other issues arising under these privacy policies. The data privacy officer is authorized to expeditiously investigate and mediate any such dispute or disagreement. In the instance of a complaint or disagreement regarding the collection, processing, use, transfer or accuracy of PII, the data privacy officer will respond by mail or email (using the same method of communication as the initial inquiry unless otherwise requested) within seven days of receipt of the communication and the officer is authorized to take all appropriate steps to respond to and resolve the matters raised.