Privacy Shield Policy
Last updated July 31, 2018
Castellan Solutions is committed to maintaining your confidence and trust.
Castellan Solutions complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as outlined by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data (as defined below) that is transferred from European Union member countries and Switzerland to the United States. If there is any conflict between the policies outlined in this Policy and the Privacy Shield Principles, the Privacy Shield Principles will govern. To learn more about the Privacy Shield Framework, and to view our certification page, please visit PrivacyShield.gov.
“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, by Personal Data supplied to Castellan Solutions.
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).
“Sensitive Personal Data” means Personal Data regarding a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.
As the Privacy Shield Framework only applies to Personal Data transferred from European Union member countries and Switzerland, this Policy only applies to Personal Data transferred from European Union member countries and Switzerland to our operations in the United States.
All employees of Castellan Solutions that have access to Personal Data covered by this Policy are responsible for conducting themselves in accordance with this Policy. Personal Data covered by this Policy shall not be collected, used, or disclosed in a manner contrary to this Policy without proper written permission from the Data Privacy Office.
Castellan Solutions’ Compliance with the Privacy Shield Principles
We commit to subject all Personal Data covered by this Policy to the Privacy Shield Principles in accordance with the respective Privacy Shield Framework.
We notify Data Subjects covered by this Policy about our data practices regarding Personal Data received in the U.S. from European Union member countries and Switzerland in reliance on the respective Privacy Shield framework. These practices include the types of Personal Data we collect about them, the purposes for which we collect and use such Personal Data, the types of third parties to which we disclose such Personal Data and the purposes for which we do so, the rights of Data Subjects to access their Personal Data, the choices and means that we offer for limiting our use and disclosure of such Personal Data, how our obligations under the Privacy Shield are enforced, and how Data Subjects can contact us with any inquiries or complaints.
If Personal Data is (a) disclosed to a third party not identified at the time of data collection or (b) used for a purpose other than that which it was originally collected for, we will provide Data Subjects with an opportunity to choose whether to have their Personal Data so disclosed or used. Our employees are responsible for providing proper notification to Data Subjects when they have the right to opt out of such disclosures or uses.
3. Accountability for Onward Transfer
We currently transfer Personal Data to OnSolve, a third party service provider who helps us provide emergency notification services. The Personal Data we transfer is contact information that enables OnSolve to communicate with Data Subjects in the event of an emergency.
In the event that we transfer Personal Data covered by this Policy to a third party acting as a controller, we will do so only if the third party has provided us with contractual assurances that it will (a) process the Personal Data for limited and specified purposes consistent with the consent provided by the Data Subject; (b) provide the same level of protection as is required by the Privacy Shield Principles; and (c) notify us if they can no longer meet this obligation.
In the event that we transfer Personal Data covered by this Policy to a third party acting as an agent, we will do so only if the third party has provided us with contractual assurances that it will (a) transfer the Personal Data for limited and specified purposes; (b) provide the same level of protection as is required by the Privacy Shield Principles; (c) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with our obligations under the Privacy Shield Principles; and (d) require the agent to notify us if it makes a determination that it can no longer meet its obligations to provide the same level of protection as required by the Privacy Shield Principles. If we are to receive such a notice, we will (a) take reasonable and appropriate steps to stop and remediate any authorized processing and (b) provide a summary or copy of the relevant privacy provisions of our contract with that agent to the U.S. Department of Commerce, if requested.
We remain liable under the Privacy Shield Principles if an agent processes Personal Data covered by this Privacy Shield Policy in a manner inconsistent with the Principles, except where we are not responsible for the event giving rise to the damage. Additionally, we may be required to disclose Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
We take reasonable and appropriate measures to protect Personal Data covered by this Policy from loss, misuse, unauthorized access, disclosure, alteration and destruction. While we cannot guarantee the security of Personal Data, we are committed to safeguarding all Personal Data received from the EU and Switzerland.
5. Data Integrity and Purpose Limitations
We only collect Personal Data covered by this Policy that is relevant for the purposes of processing. We do not process Personal Data that is incompatible with the purposes for which it was collected or authorized by the Data Subject. Additionally, we take reasonable steps to ensure that any Personal Data that is collected is relevant to its intended use, accurate, complete and current.
We retain Personal Data in a form identifying or making identifiable a Data Subject only for as long as it serves a purpose of processing, which includes the performance of Services, obligations to comply with professional standards and legitimate business purposes. We will only request the minimum amount of Personal Data required to carry out these purposes, and will adhere to the Privacy Shield Principles for as long as we retain Personal Data.
All Data Subjects have the right to access the Personal Data covered by this Policy that we hold about them. Additionally, if Personal Data is inaccurate or has been processed in violation of the Privacy Shield Framework, Data Subjects have the right to access their Personal Data to correct it, amend it or delete it.
To request access to, or correction, amendment or deletion of, Personal Data, a Data Subject should contact us at: DataPrivacyOffice@assurancesoftware.com. We will cooperate with all reasonable requests to assist Data Subjects to exercise their rights under the Privacy Shield, except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated.
7. Recourse, Enforcement, and Liability
Our participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission. In compliance with the Privacy Shield Principles, we commit to resolve complaints about your privacy and our collection or use of your Personal Data.
Any Data Subject who has a complaint about our processing of his/her Personal Data, or has inquiries regarding this Policy, should contact us at: DataPrivacyOffice@castellanbc.com
We are further committed to settle any unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles by cooperating with European Union data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner. If you do not receive timely acknowledgment of a complaint, or if we do not satisfactorily address your complaint, please visit the Privacy Shield website for more information about how to contact your local DPA or the Swiss Commissioner.
In addition to the above dispute resolution mechanisms, Data Subjects may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.
We agree to periodically review and verify our compliance with the Privacy Shield Principles, and to remedy any issues that arise out of failure to comply with the Privacy Shield Principles. We acknowledge that failure to provide an annual self-certification to the U.S. Department of Commerce will remove us from the Department’s list of Privacy Shield participants.
We may modify this Policy from time to time, consistent with changes to the requirements of the Privacy Shield Principles or Framework. If we change this Policy, we will provide Data Subjects appropriate notice regarding such modifications by highlighting the change on our Site, or by emailing your email address of record.
How to Contact Us
Should you have any questions or concerns about this Policy or need to update certain personal information, please contact us:
- USA: (800) 478-7645
- International: +1 610 878 2644
- E-mail: firstname.lastname@example.org