VeraSafe Services Privacy Policy

Effective Date: November 11, 2020

1. Introduction and Scope

At VeraSafe, privacy is what we do. Because of our focus on privacy, we take the protection of personally identifiable information (“Personal Data”) very seriously.

In the course of operating our business, we process Personal Data in a variety of ways. This Privacy Policy (the “Policy”) addresses the individuals (“Data Subjects”) whose Personal Data we process in the course of providing our services, which include:

  • professional data protection compliance and cybersecurity consulting services;
  • external data protection officer and privacy officer services;
  • representative services, including data protection representative services in the European Union (EU) and the United Kingdom (UK);
  • dispute resolution services, including when acting as an Independent Recourse Mechanism (“IRM”) under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) (collectively, the “Professional Services”);
  • our web-based learning management system; and
  • our website seals, such as the VeraSafe “Privacy Verified” website seal, and their attendant administrative web application (with the learning management system, the “Applications”) (collectively, with the Professional Services, the “Services”).

This Policy does not apply to the Personal Data of employees, prospective employees, contractors, prospective contractors, suppliers, business owners, directors, and officers of VeraSafe.

This Policy also does not apply to our processing of Personal Data we may receive in the course of marketing and selling the services that VeraSafe provides to its clients, or to Data Subjects whose Personal Data we may receive in the course of our regulatory outreach activities, including our consultations with supervisory authorities or other regulatory agencies. To access VeraSafe’s other privacy policies, please visit https://www.verasafe.com/legal-notices/.

2. Entities Covered by This Privacy Policy

This Policy covers VeraSafe, LLC and the following affiliate entities:

  • VeraSafe Czech Republic s.r.o.;
  • VeraSafe Ireland Limited;
  • VeraSafe Legal, LLP;
  • VeraSafe Netherlands BV; and
  • VeraSafe United Kingdom Ltd.

Throughout this Policy, when we refer to “VeraSafe”, “we”, “us”, or “our”, we mean VeraSafe, LLC and its affiliates, collectively.

3. Our Role with Respect to Your Personal Data

When providing Professional Services, VeraSafe generally acts as a data controller for the Personal Data we process. This means that we decide how and why Personal Data is collected and further processed.

When providing access to our Applications, VeraSafe acts as an agent, also known as a data processor, for the Personal Data we process for our clients. This means that our clients determine the type of Personal Data that they provide to us to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our clients when we act as a data processor.

4. Basis of Processing

Depending upon the context, we process your Personal Data on the basis of:

  • the need to perform a contract that we entered into with you or your organization;
  • our legitimate interests, such as our interest in providing our Services for valuable consideration, and our clients’ interests in complying with applicable data protection laws;
  • our obligation to comply with applicable law; or
  • any other ground, as required or permitted by applicable

Where we receive your Personal Data as part of providing our Services to you based on a contract, we require certain Personal Data in order to carry out the contract. Without that necessary Personal Data, we will not be able to provide the Services to you.

5. How We Receive Personal Data

We may collect or otherwise receive your Personal Data when:

  • you provide it directly to us as part of using our Services;
  • our clients (including their employees, contractors, and other representatives of the organization) provide it to us while using our Services;
  • we receive it from European data protection authorities;
  • we receive it from other companies within our corporate group;
  • we obtain it from publicly available sources, such as social media pages or corporate, government, or professional websites; and
  • an associate of yours or one of our partners or clients refers you to our Services by providing your Personal Data to us.

6. Categories of Personal Data

We may process the following categories of Personal Data:

  • biographical information, such as first name and last name;
  • contact information, such as email address, phone number, postal address, and IP address and associated location;
  • professional information, such as job title, position, and information about your company or business;
  • your interests, such as whether or not you have opened email(s) we send you, or the particular VeraSafe Services that might be of interest to your company;
  • information pertaining to your use of the Applications;
  • details about your data protection inquiry or concern; and
  • any other category of Personal Data submitted to us by you, our client, European data protection authorities, or other companies within our corporate group.

7. Purposes of Processing Personal Data

We may process your Personal Data for the purposes of:

  • providing and enabling use of the Services;
  • responding to your requests or questions;
  • complying with our legal obligations in our role as a data protection officer, a representative in the EU or UK, or an IRM; and
  • collecting payments that are due to VeraSafe, enforcing our legal rights, and complying with laws and regulations applicable to VeraSafe.

8. Personal Data Retention

When we act as a data controller, we retain Personal Data for as long as required by applicable law.

When we act as a data processor, we retain Personal Data for as long as instructed by the respective client (who typically acts as a data controller). We delete the Personal Data submitted to us within six months of the end of our service agreement with the client unless applicable laws require otherwise.

9. Sharing Personal Data with Third Parties

We may share Personal Data with our affiliates, as well as with our service providers, who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in providing our Services or as required by law. Our service providers provide:

  • website and application hosting services;
  • software development services;
  • professional translation services;
  • cloud storage services;
  • email software;
  • team collaboration tools;
  • project management software;
  • help desk software;
  • video and web conferencing software;
  • VOIP telephone software and services;
  • Internet messaging software;
  • email scheduling, analytics, and tracking software;
  • office productivity software;
  • professional tax/accounting services;
  • customer relationship management software;
  • accounting software;
  • outsourcing management and contracting software; and
  • electronic signature software.

Some of these third parties may be located outside of the European Union or the European Economic Area (EEA). However, before transferring your Personal Data to these third parties, we will require the third party to maintain at least the same level of privacy and security for your Personal Data that we do. We remain liable for the protection of your Personal Data within the scope of our Privacy Shield certification that we transfer to third parties, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.

10. Other Disclosures of Your Personal Data

We may disclose your Personal Data to the extent required by law or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by government or law enforcement officials or private parties). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.

11. Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide some of our Applications’ functionality, authentication, and usage analytics (web analytics), to remember your settings, and to generally improve our Applications.

We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser. Most of the cookies placed on your device through our Applications are first-party cookies since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Applications. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.

For more information about the cookies we use, please refer to our Cookie Policy, which forms a part of this Policy.

12. Data Integrity & Security

We have implemented and will maintain technical, administrative, and physical security measures that are reasonably designed to help protect Personal Data from unauthorized processing, such as unauthorized access, disclosure, alteration, or destruction. We have also implemented solutions to prevent accidental loss and mitigate unavailability of relevant information systems used to process Personal Data.

13. Your Privacy Rights: Access & Review

If we process your or your child’s Personal Data, you may have the right to request access to (or to update, correct, or delete) such Personal Data. You may also have the right to ask that we limit our processing of such Personal Data, as well as the right to object to our processing of such Personal Data. You may also have the right to data portability with respect to such Personal Data.

If we have received your Personal Data in reliance on our certification under the Privacy Shield Framework, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties.

You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you subsequently authorized. Requests should be sent directly to the client who provided your Personal Data to us. VeraSafe has limited rights to access Personal Data our clients submit to us. Therefore, if you contact us with such a request, please provide the name of the VeraSafe client who submitted your Personal Data to us. We will forward your request to that client and provide any needed assistance as they respond to your request.

14. Privacy of Children

The Services are not directed at, or intended for use by, children under the age of 16. To the extent that we process any Personal Data about children under the age of 16, we do so according to the documented instructions of our client, who typically acts as a data controller, or in order to comply with applicable law.

15. Privacy Shield

For Personal Data processed in the scope of this Policy, VeraSafe, LLC complies with the Privacy Shield Frameworks, as adopted and set forth by the U.S. Department of Commerce and the United Kingdom, regarding the processing of Personal Data transferred from the United Kingdom to the United States, or otherwise received in reliance on the Privacy Shield. We commit to adhere to the Privacy Shield Principles and have certified our adherence to the U.S. Department of Commerce.

To learn more about the Privacy Shield, and to view our certification, please visit https://www.privacyshield.gov and https://www.privacyshield.gov/list, respectively.

16. Dispute Resolution

Where a privacy complaint or dispute cannot be resolved through VeraSafe’s internal process, VeraSafe, LLC has agreed to cooperate with the EU Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner and to participate in the dispute resolution procedures of the panel established by the EU Data Protection Authorities.

17. Binding Arbitration

If your dispute or complaint can’t be resolved by us, nor through the recourse mechanism described in the Dispute Resolution section of this Privacy Policy, you may have the right to require that we enter into binding arbitration with you under the Privacy Shield’s “Recourse, Enforcement and Liability Principle” and Annex I of the Privacy Shield.

18. European Economic Area and United Kingdom Supervisory Authority Oversight

If you are a Data Subject whose Personal Data we process, you may also have the right to lodge a complaint with a data protection regulator in one or more of the European Economic Area member states or the United Kingdom.

19. U.S. Regulatory Oversight

VeraSafe, LLC is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

20. Changes to This Policy

If we make any material change to this Policy, we will post the revised Policy to this web page. We will also update the “effective on” date. By continuing to use our Services after we post any of these changes, you accept the modified Policy.

21. Contact Us

If you have any questions about this Policy or our processing of your Personal Data, please write to us at [email protected] or by postal mail at:

VeraSafe
Attn: General Counsel
100 M Street S.E., Suite 600
Washington D.C., 20003
USA

You may also contact us by phone at our client support number 1-888-376-1079 (or if calling from outside the U.S. dial +1-617-398-7067).

We will respond to legitimate inquiries within 30 days of receipt.

22. Data Protection Representative in the European Union

We have appointed our group company, VeraSafe Czech Republic s.r.o. (“VeraSafe Czech Republic”), as the representative in the EU for data protection matters for VeraSafe’s group companies that are not established in the EU. While you may also contact VeraSafe, LLC, if you are located in the European Economic Area, you may contact VeraSafe Czech Republic on matters related to the processing of Personal Data in the EEA. To contact VeraSafe Czech Republic, please use this contact form: https://www.verasafe.com/public-resources/contact-data-protection-representative/ or call via telephone: +420 228 881 031.

Alternatively, VeraSafe Czech Republic can be contacted by mail at:

VeraSafe Czech Republic s.r.o.
Klimentská 46
Prague 1, 11002
Czech Republic

23. Data Protection Representative in the United Kingdom

We have appointed our group company, VeraSafe United Kingdom Ltd. (“VeraSafe United Kingdom”), as the representative in the UK for data protection matters for VeraSafe’s group companies that are not established in the UK. While you may also contact VeraSafe, LLC, if you are in the United Kingdom, you may contact VeraSafe United Kingdom Ltd. on matters related to the processing of Personal Data in the United Kingdom. To contact VeraSafe United Kingdom Ltd., please use this contact form: https://www.verasafe.com/public-resources/contact-data-protection-representative/ or call via telephone: +420 228 881 031.

Alternatively, VeraSafe United Kingdom can be contacted at:

VeraSafe United Kingdom Ltd.
37 Albert Embankment
London, SE1 7TL
United Kingdom
