European Information Handling Policy
The EU-U.S. Privacy Shield Framework (“Privacy Shield”) is a certification-based program for facilitating the legitimate transfer of data from the European Union (“EU”) to companies in the United States. It is administered by the U.S. International Trade Administration, an agency of the U.S. Department of Commerce. International Screening Solutions (“ISS”) is a certified participant in the Privacy Shield, and proof of its participation is available online at the Department of Commerce’s Privacy Shield List.
ISS is committed to applying the European Information Handling Policy (“EU Policy”), and the Privacy Shield principles it embodies, to all personal information relating to an identified or identifiable individual transferred from the EU to ISS in reliance on the Privacy Shield, as well as other personal information to which ISS is contractually obligated to apply the EU Policy (“EU Personal Data”). This EU Policy does not apply to collected information that is not EU Personal Data, including information that is transferred from the EU under a different legitimate data transfer mechanism. ISS is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. The applicability of, and ISS’s adherence to, this policy may be limited in the event of a conflict between the EU Policy and ISS’s obligations under other laws (e.g., Fair Credit Reporting Act, 15 USC Sec. 1681 et seq.), statutes, regulations, or cases; or as necessary for recognized national security, public interest or law enforcement requirements.
Privacy Shield Principles
ISS may process EU Personal Data in order to validate credentials and certificates, investigate public sources of data for evidence of wrongdoing by individuals (“screening services”), or to facilitate the use of ISS’s SaaS products by subscribing clients. Clients may use ISS services in connection with employment-related purposes or fraud and regulatory risk mitigation purposes (such as know your customer and anti-money laundering).
I. Notice
This section covers any EU Personal Data that ISS has obtained by manually or electronically searching public sources (public websites, official published lists, etc.); directly from individuals, clients or their agents, or other entities if located in the EU; or from clients, client agents, or other entities that indicate information is subject to Privacy Shield protection. EU Personal Data collected may include standard personally identifiable information (e.g., name, address, job title) or sensitive categories of information (i.e., personal information specifying racial or ethnic origin, political opinions, religious or philosophical beliefs or criminal records); which data is considered sensitive information may vary depending on jurisdiction.
ISS may gather, transmit, or store the above categories of data about individuals on behalf of its clients or their agents (e.g., recruiters, staffing firms, consulting companies, financial institutions or background screening companies and consumer reporting agencies). If ISS creates an information product (such as a background report) it may deliver the report to its client for use in making employment-related decisions regarding hiring, retention, promotion or re-assignment; insurance-related decisions; or customer-related decisions; or for resale to an entity that is making an employment-, insurance-, or customer-related decision. Generally, ISS’s clients are agents acting on behalf of other companies. ISS does not make decisions on behalf of its clients, nor does it subsequently resell, reuse, or otherwise disclose information gathered on behalf of any such entities to third parties, whether for marketing or another reason outside the original scope of the data collection.
Below are some examples of ways that employers commonly use data provided by ISS:
- to complete background checks on applicants and current employees
- to verify education and other credentials presented by applicants and current employees
- to investigate reports or suspicion of job-related wrongdoing
- to investigate current or prospective customers’ compliance with applicable anti-corruption/anti-bribery laws and regulations
Clients may submit EU Personal Data to ISS when they place orders for services and, if they have offices in the EU, when providing employee information (e.g., business contact details) needed to fulfill the service contract between ISS and themselves. In both cases, ISS’s clients have a closer relationship to the individual; therefore, ISS does not provide individuals with direct notice, but will not process EU Personal Data until a client (i) certifies its use of a consumer notice substantially similar to the notice required by the Privacy Shield’s Notice Principle, or (ii) certifies its use of a notice or other mechanism that satisfies its responsibilities for processing data protected by EU regulations, or (iii) gives proof of a legitimate reason why such notice is not required.
Furthermore, ISS indexes public websites in order to provide certain services. These websites may publish information related to many individuals, and the information may or may not be arranged in a manner that makes it easy to identify a specific individual. ISS does not control the form or content of indexed websites, and cannot provide direct notices to the individuals whose information is available through those indexed websites.
It is important to note that, by design, ISS rarely has direct contact with individuals. However, if ISS deliberately collects EU Personal Data directly from individuals, they are informed about the purposes for which the information is being collected and used, how to contact ISS with inquiries or complaints, the types of third parties to which it discloses the information, and any mechanisms in place to allow individuals to exercise choice for limiting use or disclosure outside the original scope and purpose of collection, among other things. Notice is provided in clear and conspicuous language either when ISS first asks the individual to provide EU Personal Data or as soon thereafter as is practicable, but in any event before ISS uses the information for a purpose other than that for which it was originally collected, or discloses it to a third party other than an agent acting under ISS’s instructions (“non-agent third party”).
II. Choice
Generally, individuals have a right to “opt-out” of their EU Personal Data being disclosed to non-agent third parties or used for a purpose that is different than the original purpose of collection. When sensitive categories of information will be processed, an individual must “opt-in” to the processing, meaning that ISS cannot disclose the sensitive information to non-agent third parties or use it for a different purpose unless the individual provides explicit written consent (or some clear expression of that individual’s choice) authorizing the disclosure and/or change in usage.
As a reminder, ISS rarely has direct contact with individuals and, in most cases, simply acts as a processor or agent of another company. Therefore, ISS’s clients are responsible for offering individuals choice when the Privacy Shield principles are applicable, and ISS will not process EU Personal Data unless a client certifies that individuals have been provided adequate choice.
III. Onward Transfer to Third Parties
The principles of “Notice” and “Choice” apply to transfers of EU Personal Data made to non-agent third parties. Therefore, EU Personal Data is only provided to third parties for purposes described in the “Notice” section of this EU Policy or otherwise disclosed to individuals. Opt-in authorization is obtained before transfers when it is appropriate to do so (such as for transfers of sensitive information); no information will be disseminated to a third party where a consumer has exercised the right of choice and either opted-out (for non-sensitive information) or failed to opt-in (for sensitive information).
ISS may disclose EU Personal Data to its agents and clients, provided they contractually agree to ensure that EU Personal Data has at least the same level of privacy protection offered by the Privacy Shield principles. ISS may disclose EU Personal Data in response to a lawful request by public authorities if required to do so by laws regarding national security or law enforcement or in good faith belief that such disclosure is required by law. ISS does not generally disclose data to any third party other than those authorized by ISS’s clients. ISS does not disclose data to third parties for marketing purposes.
In the case of information transferred to third parties who are ISS agents, ISS remains liable if an agent processes EU Personal Data in a manner inconsistent with the Privacy Shield principles, unless ISS can prove that it is not actually responsible for the event(s) giving rise to the individual’s damage. Likewise, failure to establish contractual relationships with non-agent third parties can result in sanctions and disciplinary action up to revocation of ISS’s certification and removal from the Privacy Shield List.
IV. Security
ISS takes reasonable steps to protect EU Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction.
Access to information maintained in ISS systems is restricted to authorized personnel who have a need to access that information in order to complete their jobs. If ISS transmits EU Personal Data through the Website or ISS-controlled networks it will utilize industry-standard encryption, including the 256-bit Secure Sockets Layer (SSL) protocol.
When ISS no longer needs to process EU Personal Data, it is destroyed by shredding or electronic erasure done in a manner such that the information cannot be practicably read or recovered.
V. Data Integrity and Limited Purpose
ISS processes EU Personal Data in ways that are compatible with the purposes for which it has been collected (as identified in the Notice section above) or as otherwise authorized by the individual, and for no other purposes. To the extent necessary for those purposes, ISS takes reasonable steps to ensure that EU Personal Data is reliable for its intended use, and that it is accurate, complete, and current. ISS does not use or sell EU Personal Data for marketing purposes.
VI. Access
An individual may make a written request for access to any EU Personal Data that ISS maintains about him or her. ISS will give individuals reasonable opportunity to correct, amend, or delete incomplete or inaccurate information, as well as information that is proven to have been processed in violation of the Privacy Shield principles, unless (i) the burden or expense of providing access would be disproportionately high compared to the risks to the individual’s privacy, or (ii) the rights of persons other than the individual would be violated.
ISS has the right to request and obtain sufficient information to allow it to confirm that the identity of the person making the access request matches the identity of the individual who is the subject of the information, to ensure that the information is only provided to the correct individual.
To request information relating to their EU Personal Data, individuals may contact ISS in writing by submitting a letter or an Access Request Form to the address identified in the section of this policy called “ISS Contact Information”.
If an individual’s initial writing does not provide sufficient evidence of identity, the individual will be asked to provide sufficient evidence of his or her identity to ensure that information is only released to the correct individual. If ISS is unable to grant access to the individual’s EU Personal Data or correct the information, it will notify the individual.
VII. Recourse, Enforcement and Liability
ISS is obligated to remedy problems arising out of an identified failure to comply with the Privacy Shield principles. ISS will verify that assertions made in this EU Policy are true and implemented via annual self-assessment of its privacy policies and procedures.
ISS is also obligated to maintain a free and readily available independent recourse mechanism to investigate complaints. Because ISS may be required to handle human resources data of employees working in the EU, it has elected to satisfy this requirement from sections (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by cooperating with any competent EU Data Protection Authorities in the investigation and resolution of the Privacy Shield complaints brought by individuals who are protected under the Privacy Shield. Where a Data Protection Authority takes the view that ISS must take specific action to comply with the Privacy Shield principles, ISS will respect that opinion and comply by (i) taking any remedial steps suggested and/or compensating the individual, and (ii) providing the Data Protection Authority with written confirmation that suggested compliance actions have been carried out.
ISS has no affiliates or offices in the EU and there is no specific Data Protection Authority with direct jurisdiction over an establishment of ISS. Furthermore, ISS may receive human resources data regarding employees and other EU Personal Data from any of the EU member countries; therefore, ISS does not identify a specific Data Protection Authority for contact. Instead an individual should identify and communicate with his or her own state or national data protection or labor authority.
If you have a complaint or dispute related to ISS’s handling of your EU Personal Data, ISS encourages you to first submit a letter or Notice of Consumer Dispute Form to the address identified in the section of this policy called “ISS Contact Information”. ISS will make every effort to respond to your concerns in a timely manner, but if it cannot, you may file a complaint with your state or national data protection or labor authority, which may be done at any time.
Subject to other requirements and restrictions, any residual claims remaining after all other redress mechanisms have been exhausted may be submitted to an arbitration panel for binding arbitration in order to determine whether ISS violated its obligations under the Privacy Shield principles and whether the violation(s) remains fully or partially unremedied. The arbitration panel is authorized to impose non-monetary equitable relief (e.g., access, correction, deletion, or return of data) necessary to remedy the violation.
ISS Contact Information
International Screening Solutions, Inc.
4255 Wage Green Road, Suite 520
Kennesaw, GA 30144
Effective: November 8, 2017