The European Union (“EU”) adopted Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”), which takes effect as of May 25, 2018 and aims to provide a standardized approach to protecting the Personal Data of EU residents. Switzerland adopted the Swiss Federal Data Protection Act (“SFDPA”) and the Data Protection Ordinance (“DPO”), which regulate all acts of Personal Data processing. In accordance with Article 4 of the GDPR, and the SFDPA and DPO, “Personal Data” includes any information relating to an identified or identifiable natural person. The GDPR, SFDPA and DPO allow the transfer of Personal Data only to countries that have data protection laws deemed “adequate” under the respective legal frameworks. The US Department of Commerce has agreed on the requirements to enable US Companies to satisfy the mandate under EU law and Swiss law that adequate protection be given to Personal Data transferred from the EU or Switzerland to the US. For EU and Swiss residents’ Personal Data, these requirements are memorialized in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, respectively.
Policy Applicability and Enforcement Authority
Business of CDS
CDS provides electronic discovery support services to law firms, corporate clients and government agencies that are parties to various types of litigation, investigations and regulatory proceedings. All Personal data CDS collects, uses and transfers to the US is subject to strict privacy, confidentiality and security protocols.
Privacy Shield Framework Commitment
CDS commits to comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, as set forth by the US Department of Commerce for the collection, use and transfer to the US of Personal Data from European Union member countries and Switzerland, respectively. Accordingly, CDS has certified that it complies with each of the following seven Privacy Shield Principles: 1) Notice; 2) Choice; 3) Accountability for Onward Transfer; 4) Security; 5) Data Integrity and Purpose Limitation; 6) Access; 7) Recourse, Enforcement and Liability. In the event of any conflict between the provisions of this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the EU-US and Swiss-US Privacy Shield programs, and to view CDS’ certification pages, please visit www.privacyshield.gov.
CDS’ Collection, Use and Transfer of Personal Data from EU and Swiss Residents in Relation Site Use, Business Development, Services Provision and Human Resources
CDS may require certain Personal Data, including a user’s name, business address, and business e-mail or business telephone details when a user (i) chooses to send CDS a message via the Site or (ii) seeks to download information contained in the Site (e.g., a whitepaper). CDS subscribes to the following privacy practices in connection with these two scenarios:
- CDS may utilize the Personal Data a user voluntarily provides to market its products and services to the user via e-mail, but such users have the right to discontinue receiving marketing e-mail from CDS at any time
- CDS does not share or sell user information, including Personal Data, to third parties
- CDS does not automatically log Personal Data from users of the Site
- CDS does not collect information about users of the Site, including Personal Data, from other sources
CDS may collect and transfer EU or Swiss residents’ Personal Data to the US under the EU-US Privacy Shield and the Swiss-US Privacy Shield programs, respectively, to administer its business development program, to provide electronic discovery support services to its clients, and to manage its human resources program. Types of Personal Data CDS may collect and transfer to the US in furtherance of these functions follows:
- Business Development Program Administration – current and prospective client names, physical business addresses, business e-mail addresses, business telephone numbers
- Electronic Discovery Support Services Provision – data subject names, personal and business physical addresses, personal and business e-mail addresses, personal and business telephone numbers, identification numbers, and physical, physiological, mental, economic, political, religious, cultural and social identity data
- Human Resources Program Management – current and prospective employee names, physical addresses, e-mail addresses, telephone numbers, identification numbers, and curricula vitae
Disclosure of Personal Data
CDS limits disclosure of Personal Data to employees and other EU-US Privacy Shield and Swiss-US Privacy Shield participants that have a specific, role-based, business purpose for collecting, maintaining or processing such Personal Data. Employees who have been granted access to Personal Data are aware of their responsibilities to protect the security, confidentiality and integrity of that information and have been provided training and instruction on how to do so.
CDS may disclose Personal Data as required by law, regulation or the rules of practice of a governmental or quasi-governmental body. CDS may also disclose Personal Data to law enforcement officials in response to a lawful request made pursuant to national security interests or law enforcement requirements. Though we do not currently anticipate a change in our ownership, in the event of a sale of the company or a significant portion of its assets, CDS may disclose or transfer Personal Data to a purchasing party that is EU-US Privacy Shield-compliant and/or Swiss-US Privacy Shield-compliant, as applicable.
CDS acknowledges its potential liability in cases of its Onward Transfer of Personal Data to third parties that do not meet the criteria set forth in the two immediately preceding paragraphs.
Limiting Use and Disclosure of Your Personal Data
You have the right to choose (opt out) whether your personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by you. Should you desire to opt out, please contact the CDS representative identified below in the section entitled “Inquiries and Complaints.”
Applicable law provides certain exceptions to your ability to opt out, which include for example, where CDS and you are parties to a contract that is still being performed. Where applicable law permits or requires CDS to retain and continue to use your personal data, we will do so in compliance with such applicable law and the Privacy Shield Principles. If you contact CDS to opt out under these circumstances, we will, consistent with applicable law and the Privacy Shield Principles, explain the options available to you and comply with your selected option.
Inquiries and Complaints
In compliance with the EU-US and Swiss-US Privacy Shield Principles, CDS commits to respond to inquiries and resolve complaints about your privacy and our collection or use of your Personal Data. Note that you have the right to access, correct, port or delete your Personal Data held by CDS. Any European Union resident or Swiss resident with inquiries or complaints regarding this Policy and/or his or her Personal Data should first contact the following CDS representative:
CDS also commits to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. There is no cost to you to utilize the BBB EU PRIVACY SHIELD complaint resolution process.
CDS further commits to cooperate with the panel established by the EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner, respectively, with regard to unresolved Privacy Shield complaints concerning human resources Personal Data transferred from the EU or Switzerland to the US in the context of the employment relationship.
As a last resort, privacy complaints that remain unresolved after pursuing these and other channels may be subject to binding arbitration before the Privacy Shield Panel created jointly by the US Department of Commerce and the European Commission. The Privacy Shield Panel (which consists of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (e.g., access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Privacy Shield Principles solely with respect to the individual. These are the only powers of the Privacy Shield Panel with respect to remedies. In considering remedies, the Privacy Shield Panel is required to consider other remedies that have already been imposed by other mechanisms under the EU-US and Swiss-US Privacy Shield, respectively. No monetary damages, costs, fees, or other economic remedies are available, and each party bears its own attorney’s fees.
CDS may amend this Policy from time-to-time by posting a revised Policy on the Site, which is located at http://www.cdslegal.com. CDS will only amend this Policy in a manner consistent with the requirements of the EU-US and the Swiss-US Privacy Shield and other applicable law. This Policy was updated on August 26, 2019.