1. Introduction and Scope
At VeraSafe, privacy is what we do. Because of our focus on privacy, we take the protection of personally identifiable information (“Personal Data”) very seriously.
- professional data protection compliance and cybersecurity consulting services;
- external data protection officer and privacy officer services;
- representative services, including data protection representative services in the European Union (EU) and the United Kingdom (UK);
- dispute resolution services, including when acting as an Independent Recourse Mechanism (“IRM”) under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) (collectively, the “Professional Services”);
- our web-based learning management system; and
- our website seals, such as the VeraSafe “Privacy Verified” website seal, and their attendant administrative web application (with the learning management system, the “Applications”) (collectively, with the Professional Services, the “Services”).
2. What Is Not Covered in this Policy?
VeraSafe human resources data.
Business development data.
Information that is not Personal Data.
This Policy does not apply to information that is not Personal Data. Personal Data is information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual.
This Policy covers VeraSafe, LLC and the following affiliate entities:
- VeraSafe Czech Republic s.r.o.;
- VeraSafe Ireland Limited;
- VeraSafe Legal, LLP;
- VeraSafe Netherlands BV;
- VeraSafe South Africa (Pty) Ltd.;
- VeraSafe United Kingdom Ltd.; and
- VeraSafe Spain.
Throughout this Policy, when we refer to “VeraSafe”, “we”, “us”, or “our”, we mean VeraSafe, LLC and its affiliates, collectively.
4. Our Role with Respect to Your Personal Data
VeraSafe as a Controller
Generally, when providing Professional Services, such as consulting services, VeraSafe acts as a data controller for the Personal Data we process. This means that VeraSafe determines the type of Personal Data that clients collect and provide to us to process on their behalf.
VeraSafe as a Processor
When providing access to our Applications, VeraSafe acts as a data processor for the Personal Data we process for our clients. This means that those clients determine the type of Personal Data that they provide to us to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our clients (generally, employee data) when we act as a data processor in providing access to our Applications.
In the context of certain Professional Services, such as data representative services, VeraSafe is neither a data controller nor a data processor.
5. Basis of Processing
Depending upon the context, we process your Personal Data on the basis of:
- the need to perform a contract that we entered into with you or your organization;
- our legitimate interests, such as our interest in providing our Services for valuable consideration, and our clients’ interests in complying with applicable data protection laws;
- our obligation to comply with applicable law; or
- any other ground, as required or permitted by applicable law.
Where we receive your Personal Data as part of providing our Services to you based on a contract, we require certain Personal Data in order to carry out the contract. Without that necessary Personal Data, we will not be able to provide the Services to you.
6. How We Receive Personal Data
We may collect or otherwise receive your Personal Data when:
- you provide it directly to us as part of using our Services;
- our clients (including their employees, contractors, and other representatives of the organization) provide it to us while using our Services;
- we receive it from European data protection authorities;
- we receive it from other companies within our corporate group;
- we obtain it from publicly available sources, such as social media pages or corporate, government, or professional websites; and
- an associate of yours or one of our partners or clients refers you to our Services by providing your Personal Data to us.
7. Categories of Personal Data
We may process the following categories of Personal Data:
- biographical information, such as first name and last name;
- contact information, such as email address, phone number, postal address, and IP address and associated location;
- professional information, such as job title, position, and information about your company or business;
- other information, such as your interests, whether or not you have opened email(s) we send you, information pertaining to your use of the Applications, details about your data protection inquiry or concern; and any other category of Personal Data submitted to us by you, our client, European data protection authorities, or other companies within our corporate group.
8. Purposes of Processing Personal Data
We may process your Personal Data for the purposes of:
- providing and enabling use of the Services;
- responding to your requests or questions;
- complying with our legal obligations in our role as a data protection officer, a representative in the EU or UK, or an IRM; and
- collecting payments that are due to VeraSafe, enforcing our legal rights, and complying with laws and regulations applicable to VeraSafe.
9. Personal Data Retention
When we act as a data controller, we retain Personal Data for as long as required by applicable law.
When we act as a data processor, we retain Personal Data for as long as instructed by the respective client (who typically acts as a data controller). We delete the Personal Data submitted to us within six months of the end of our service agreement with the client unless applicable laws require otherwise.
10. Sharing Personal Data with Third Parties
We may share Personal Data with our affiliates, as well as with our service providers, who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in providing our Services or as required by law. Our service providers provide:
- website and application hosting services;
- software development services;
- professional translation services;
- cloud storage services;
- email software;
- team collaboration tools;
- project management software;
- help desk software;
- video and web conferencing software;
- VOIP telephone software and services;
- Internet messaging software;
- email scheduling, analytics, and tracking software;
- office productivity software;
- professional tax/accounting services;
- customer relationship management software;
- accounting software;
- outsourcing management and contracting software; and
- electronic signature software.
Some of these third parties may be located outside of the European Union or the European Economic Area (EEA). However, before transferring your Personal Data to these third parties, we will require the third party to maintain at least the same level of privacy and security for your Personal Data that we do. We remain liable for the protection of your Personal Data within the scope of our Privacy Shield certification that we transfer to third parties, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.
11. Other Disclosures of Your Personal Data
We may disclose your Personal Data to the extent required by law or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by government or law enforcement officials or private parties). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.
We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser. Most of the cookies placed on your device through our Applications are first-party cookies since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Applications. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.
13. Data Integrity & Security
We have implemented and will maintain technical, administrative, and physical security measures that are reasonably designed to help protect Personal Data from unauthorized processing, such as unauthorized access, disclosure, alteration, or destruction. We have also implemented solutions to prevent accidental loss and mitigate unavailability of relevant information systems used to process Personal Data.
14. Your Privacy Rights: Access & Review
If we process your or your child’s Personal Data, you may have the right to request access to (or to update, correct, or delete) such Personal Data. You may also have the right to ask that we limit our processing of such Personal Data, as well as the right to object to our processing of such Personal Data. You may also have the right to data portability with respect to such Personal Data.
If we have received your Personal Data in reliance on our certification under the Privacy Shield Framework, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties.
You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you subsequently authorized. Requests should be sent directly to the client who provided your Personal Data to us. VeraSafe has limited rights to access Personal Data our clients submit to us. Therefore, if you contact us with such a request, please provide the name of the VeraSafe client who submitted your Personal Data to us. We will forward your request to that client and provide any needed assistance as they respond to your request.
15. Privacy of Children
The Services are not directed at, or intended for use by, children under the age of 16. To the extent that we process any Personal Data about children under the age of 16, we do so according to the documented instructions of our client, who typically acts as a data controller, or in order to comply with applicable law.
16. Privacy Shield
For Personal Data processed in the scope of this Policy, VeraSafe, LLC complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as adopted and set forth by the U.S. Department of Commerce and the European Commission and the Swiss Administration, respectively, regarding the processing of Personal Data transferred from the European Union and Switzerland to the United States, or otherwise received in reliance on the Privacy Shield. We commit to adhere to the Privacy Shield Principles and have certified our adherence to the U.S. Department of Commerce.
VeraSafe does not rely on the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks as legal bases for transfers of personal data in light of the judgment of the Court of Justice of the EU in Case C-311/18 (known as “Schrems II”) and the policy paper of the Swiss Federal Data Protection and Information Commissioner dated September 8, 2020.
17. Dispute Resolution
Where a privacy complaint or dispute cannot be resolved through VeraSafe’s internal process, VeraSafe, LLC has agreed to cooperate with the EU Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner and to participate in the dispute resolution procedures of the panel established by the EU Data Protection Authorities.
18. Binding Arbitration
19. European Economic Area and United Kingdom Supervisory Authority Oversight
If you are a Data Subject whose Personal Data we process, you may also have the right to lodge a complaint with a data protection regulator in one or more of the European Economic Area member states or the United Kingdom.
20. U.S. Regulatory Oversight
VeraSafe, LLC is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
21. Changes to This Policy
If we make any material change to this Policy, we will post the revised Policy to this web page. We will also update the “effective on” date. By continuing to use our Services after we post any of these changes, you accept the modified Policy.
22. Contact Us
If you have any questions about this Policy or our processing of your Personal Data, you can reach us at:
Attn: General Counsel
100 M Street S.E., Suite 600
Washington D.C., 20003
Phone: 1-888-376-1079 (inside United States)
1-617-398-7067 (outside United States)
We will respond to legitimate inquiries within 30 days of receipt.
23. Data Protection Representatives
European Union – VeraSafe Czech Republic s.r.o.
Address: Klimentská 46, Prague 1, 11002, Czech Republic
United Kingdom – VeraSafe United Kingdom Ltd.
Address: 37 Albert Embankment, London, SE1 7TL, United Kingdom