The European Union (“EU”) adopted Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”), which takes effect as of May 25, 2018 and aims to provide a standardized approach to protecting the Personal Data of EU residents. Switzerland adopted, as amended from time to time, the Swiss Federal Data Protection Act (“SFDPA”) and the Data Protection Ordinance (“DPO”), which regulate all acts of Personal Data processing. In accordance with Article 4 of the GDPR, and the SFDPA and DPO, “Personal Data” includes any information relating to an identified or identifiable natural person. The GDPR, SFDPA and DPO allow the transfer of Personal Data only to countries that have data protection laws deemed “adequate” under the respective legal frameworks. The US Department of Commerce has agreed on the requirements to enable US Companies to satisfy the mandate under EU law and Swiss law that adequate protection be given to Personal Data transferred from the EU or Switzerland to the US. For EU and Swiss residents’ Personal Data, these requirements are memorialized in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, respectively.
Policy Applicability and Enforcement Authority
Business of CDS
CDS provides electronic discovery support services to law firms, corporate clients and government agencies that are parties to various types of litigation, investigations and regulatory proceedings. All data CDS collects is kept pursuant to strict privacy, confidentiality and security protocols. It is CDS’ practice to enter into confidentiality and security agreements to protect data, including Personal Data, received in connection with all client engagements.
CDS commits to comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, as set forth by the US Department of Commerce for the collection, use and retention of Personal Data from European Union member countries and Switzerland, respectively. Accordingly, CDS has certified that it complies with each of the seven Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. In the event of any conflict between the provisions of this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the EU-US and Swiss-US Privacy Shield programs, and to view CDS’ certification pages, please visit http://www.privacyshield.gov.
CDS’s Collection and Disclosure of Personal Data from EU and Swiss Residents in Relation Site Use and Services Provision
CDS may require certain Personal Data, including a user’s name, business address, and business e-mail or business telephone details when a user (i) chooses to send CDS a message via the Site or (ii) seeks to download information contained in the Site (e.g., a whitepaper). CDS subscribes to the following privacy practices in connection with these two scenarios:
- CDS may utilize the Personal Data a user voluntarily provides to market its products and services to the user via e-mail, but such users have the right to discontinue receiving marketing e-mail from CDS at any time
- CDS has strict policies in place to protect the security, confidentiality and integrity of all user Personal Data we receive
- CDS does not share or sell user information, including Personal Data, to third parties
- CDS does not automatically log Personal Data from users of the Site
- CDS does not collect information about users of the Site, including Personal Data, from third-party sources
CDS may collect EU or Swiss residents’ Personal Data during the course of providing electronic discovery support services to clients under the EU-US Privacy Shield and the Swiss-US Privacy Shield programs, respectively. Types of Personal Data CDS may collect include names, mailing and e-mail addresses, identification numbers, and data related to an individual’s physical, physiological, mental, economic, political, religious, cultural or social identity.
CDS limits disclosure of Personal Data to employees and other EU-US Privacy Shield and Swiss-US Privacy Shield participants that have a specific business purpose for collecting, maintaining and processing such Personal Data. CDS may disclose Personal Data as required by law, regulation or the rules of practice of a governmental or quasi-governmental body. CDS may also disclose Personal Data to law enforcement officials in response to a lawful request made pursuant to national security interests or law enforcement requirements. Though we do not currently anticipate a change in our ownership, in the event of a sale of the company or a significant portion of its assets, CDS may disclose or transfer Personal Data to a purchasing party that is EU-US Privacy Shield-compliant and/or Swiss-US Privacy Shield-compliant, as applicable.
CDS acknowledges its potential liability in cases of its Onward Transfer of Personal Data to third parties that do not meet the criteria set forth in the immediately preceding paragraph.
Limitations on Use and Disclosure of Personal Data
CDS limits access to Personal Data to those persons in CDS’ organization, or agents of CDS, that have a specific business purpose for maintaining and processing such Personal Data. Individuals who have been granted access to Personal Data are aware of their responsibilities to protect the security, confidentiality and integrity of that information and have been provided training and instruction on how to do so. CDS takes appropriate measures to protect Personal Data against loss, misuse and unauthorized access.
Inquiries and Complaints
In compliance with the EU-US and Swiss-US Privacy Shield Principles, CDS commits to respond to inquiries and resolve complaints about your privacy and our collection or use of your Personal Data. Note that you have the right to access, correct or delete your Personal Data processed by CDS. Any European Union resident or Swiss resident with inquiries or complaints regarding this Policy and/or his or her Personal Data should first contact the following CDS representative:
Dino E. Medina, Esq.
CDS has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. There is no cost to you to utilize the BBB EU PRIVACY SHIELD complaint resolution process.
As a last resort, privacy complaints that remain unresolved after pursuing these and other channels may be subject to binding arbitration before the Privacy Shield Panel created jointly by the US Department of Commerce and the European Commission. The Privacy Shield Panel (which consists of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (e.g., access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Privacy Shield Principles solely with respect to the individual. These are the only powers of the Privacy Shield Panel with respect to remedies. In considering remedies, the Privacy Shield Panel is required to consider other remedies that have already been imposed by other mechanisms under the EU-US and Swiss-US Privacy Shield, respectively. No monetary damages, costs, fees, or other economic remedies are available, and each party bears its own attorney’s fees.
CDS may amend this Policy from time-to-time by posting a revised Policy on the Site, which is located at http://www.cdslegal.com. CDS will only amend this Policy in a manner consistent with the requirements of the EU-US and the Swiss-US Privacy Shield and other applicable law. This Policy was updated on June 5, 2018.