The European Union (“EU”) adopted Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”), which takes effect as of May 25, 2018 and aims to provide a standardized approach to protecting the Personal Data of EU residents. Switzerland adopted, as amended from time to time, the Swiss Federal Data Protection Act (“SFDPA”) and the Data Protection Ordinance (“DPO”), which regulate all acts of Personal Data processing. In accordance with Article 4 of the GDPR, and the SFDPA and DPO, “Personal Data” includes any information relating to an identified or identifiable natural person. The GDPR, SFDPA and DPO allow the transfer of Personal Data only to countries that have data protection laws deemed “adequate” under the respective legal frameworks.
Policy Applicability and Enforcement Authority
Business of CDS
CDS provides electronic discovery support services to law firms, corporate clients and government agencies that are parties to various types of litigation, investigations and regulatory proceedings. All data CDS collects is kept pursuant to strict privacy, confidentiality and security protocols. It is CDS’ practice to enter into confidentiality and security agreements to protect data, including Personal Data, received in connection with all client engagements.
Subsequent to the exit of the UK from the EU, CDS intends to continue to transfer Personal Data from the EU and the European Economic Area (“EEA”) to the UK. For transfers from the EU or the EEA to the UK, CDS will rely on the European Commission Standard Contractual Clauses. When CDS’ services involve the transfer of personal data out of the EU/EEA, the UK or Switzerland to a jurisdiction that is not the object of an EU or Swiss “adequacy” decision, as applicable, then CDS will also rely on the European Commission Standard Contractual Clauses (with the necessary amendments to the European Commission Standard Contractual Clauses for Switzerland).
In order to operate our business efficiently, CDS may store and process transferred personal data in the United States, the EU, the UK, Switzerland and/or any other country where our partners maintain facilities and/or our clients maintain Personal Data. CDS will only do so as long as those partners and/or clients transfer Personal Data via a valid legal mechanism such as the European Commission Standard Contractual Clauses (with the necessary amendments to the European Commission Standard Contractual Clauses for Swiss personal data transfers), which commit them to similar data protection standards as in the EU, the UK and Switzerland, as applicable.
CDS’ Collection and Disclosure of Personal Data from EU and Swiss Residents in Relation to Site Use and Services Provision
CDS may require certain Personal Data, including a user’s name, business address, and business e-mail or business telephone details when a user (i) chooses to send CDS a message via the Site or (ii) seeks to download information contained in the Site (e.g., a whitepaper). CDS subscribes to the following privacy practices in connection with these two scenarios:
- CDS may utilize the Personal Data a user voluntarily provides to market its products and services to the user via e-mail, but such users have the right to discontinue receiving marketing e-mail from CDS at any time
- CDS has strict policies in place to protect the security, confidentiality and integrity of all user Personal Data we receive
- CDS does not share or sell user information, including Personal Data, to third parties
- CDS does not automatically log Personal Data from users of the Site
- CDS does not collect information about users of the Site, including Personal Data, from third-party sources
CDS may collect EU or Swiss residents’ Personal Data during the course of providing electronic discovery support services to clients under the European Commission Standard Contractual Clauses. Types of Personal Data CDS may collect include names, mailing and e-mail addresses, identification numbers, and data related to an individual’s physical, physiological, mental, economic, political, religious, cultural or social identity.
CDS limits disclosure of Personal Data to employees and partners that have a specific business purpose for collecting, maintaining and processing such Personal Data. CDS may disclose Personal Data as required by law, regulation or the rules of practice of a governmental or quasi-governmental body. CDS may also disclose Personal Data to law enforcement officials in response to a lawful request made pursuant to national security interests or law enforcement requirements. Though we do not currently anticipate a change in our ownership, in the event of a sale of the company or a significant portion of its assets, CDS may disclose or transfer Personal Data to a purchasing party under the European Commission Standard Contractual Clauses.
CDS acknowledges its potential liability in cases of its Onward Transfer of Personal Data to third parties that do not meet the criteria set forth in the immediately preceding paragraph.
Limitations on Use and Disclosure of Personal Data
CDS limits access to Personal Data to those persons in CDS’ organization, or agents of CDS, that have a specific business purpose for maintaining and processing such Personal Data. Individuals who have been granted access to Personal Data are aware of their responsibilities to protect the security, confidentiality and integrity of that information and have been provided training and instruction on how to do so. CDS takes appropriate measures to protect Personal Data against loss, misuse and unauthorized access.
Inquiries and Complaints
In compliance with applicable law, CDS commits to respond to inquiries and resolve complaints about your privacy and our collection or use of your Personal Data. Note that you have the right to access, correct or delete your Personal Data processed by CDS. Any EU resident or Swiss resident with inquiries or complaints regarding this Policy and/or his or her Personal Data should first contact the following CDS representative:
Dino E. Medina, Esq.
If you believe that your rights have not been respected, then you are also entitled to make a complaint to the Supervisory Authority or Personal Data Protection Authority in your country to ask them for a resolution. No monetary damages, costs, fees, or other economic remedies are available, and each party bears its own attorney’s fees.
CDS may amend this Policy from time to time by posting a revised Policy on the Site, which is located at http://www.cdslegal.com. CDS will only amend this Policy in a manner consistent with applicable law. This Policy was updated on July 12, 2021.