European Information Handling
International Screening Solutions (“ISS”) strives to respect the information privacy needs of consumers and clients while providing information services that help those parties realize their mutual goals. Our policy is to preserve the confidentiality of all private Personally Identifiable Information (“PII”) that is submitted to us in writing or electronically regardless of whether that information is provided to us by you (a consumer) or by one of our clients in connection with employment background screening—including credential verification and credit information—fraud and regulatory risk management or other services. The ISS Website is not used to collect consumer PII.
The applicability of, and ISS’s adherence to, this policy may be limited in the event of a conflict between the EU Policy and ISS’s obligations under other laws (e.g., Fair Credit Reporting Act, 15 USC Sec. 1681 et seq.), statutes, regulations, or cases; or as necessary for the purpose of recognized national security, public interest or law enforcement requirements.
Privacy Shield Principles
ISS may receive EU Personal Data at the request of clients and other third parties for investigative, credential verification, and other employment related purposes, as well as fraud and regulatory risk mitigation purposes. ISS is a certified participant in the Privacy Shield framework. In the United States the Privacy Shield is administered by the U.S. International Trade Administration, an agency of the U.S. Department of Commerce, and ISS is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Proof of our participation is available online at the Department of Commerce’s Privacy Shield List.
When ISS collects EU Personal Data from individuals, individuals are informed about the purposes for which the information is being collected and used, how to contact ISS with inquiries or complaints, the types of third parties to which it discloses the information, and any mechanisms in place to allow consumers to exercise choice for limiting use or disclosure outside the original scope and purpose of collection, among other things. Notice is provided in clear and conspicuous language either when individuals are first asked to provide EU Personal Data or as soon thereafter as is practicable, but in any event before ISS uses the information for a purpose other than that for which it was originally collected or processed by the transferring organization, or discloses it for the first time to a third party (other than the agents acting under our instructions). The remainder of this section describes how ISS collects and/or uses EU Personal Data.
The scope of this notice covers EU Personal Data that ISS has obtained on behalf of employers and their agents by manually or electronically contacting or searching the appropriate sources of the data (public record holders, educational institutions, law enforcement agencies, etc.), and/or directly from consumers, employers or their agents, or other entities to which the consumer has or seeks a connection. The EU Personal Data collected may include standard PII (like name and address information) or sensitive categories of information (like personal information specifying racial or ethnic origin, political opinions, religious or philosophical beliefs or criminal records); what data is considered sensitive information may vary depending on jurisdiction.
Upon request, ISS gathers consumer and other data that it provides to employers or their agents (such as recruiters, staffing firms, or background screening companies and consumer reporting agencies) in the form of information products (such as background reports) for use in making employment-related decisions regarding hiring, retention, promotion or re-assignment. Generally ISS’s clients are agents acting on behalf of other companies. ISS does not make decisions on behalf of employers or their agents and the information gathered on behalf of any such entities is not subsequently sold, reused, or otherwise disclosed to third parties by ISS for marketing or other reasons outside the scope and purpose of the collection.
Below are some examples of ways that employers commonly use data provided by ISS:
- to complete background checks on applicants and current employees
- to verify education and other credentials presented by applicants and current employees
- to investigate reports or suspicion of job-related wrongdoing
- to investigate employee compliance with applicable laws and regulations
ISS also gathers and maintains consumer information provided directly by you, your employer or other entities with which you have or are seeking employment or a business relationship in order to perform services like those listed above as well as other services related to fraud prevention and regulatory compliance, such as for assessing compliance with anti-corruption/anti-bribery laws.
It is important to note that in most cases ISS will act as a processor or agent of another company and consequently will not have direct contact with consumers. In these cases ISS does not provide consumers with direct notice, but will not process EU Personal Data until the client or third party certifies its use of a consumer notice substantially similar to the notice required by the Privacy Shield’s Notice Principle or gives proof of a legitimate reason why such notice is not required.
More information regarding the nature and scope of consumer data inquiries is available by contacting ISS in writing to the address identified in the section of this policy called “Our Contact Information”.
Generally, individuals have a right to choose whether their EU Personal Data will be disclosed to a third party (other than our agents) or will be used for a purpose incompatible with the original purpose of collection or subsequent authorization by the individual (opt-out). For sensitive information an individual must “opt-in” by granting explicit written consent authorizing disclosure to non-agent third parties or by some other reasonable mechanism of exercising and recording the individual’s choice.
ISS generally seeks to provide all individuals with an opportunity to opt in, regardless of whether the information is sensitive or not, and encourages its clients to do the same, but there may be situations where specific choice is not required, as in the case of certain matters of public interest (for example, mandatory disclosure of EU Personal Data pursuant to laws regarding national security or law enforcement).
It is important to note that in most cases ISS will act as a processor or agent of another company and consequently will not have direct contact with consumers. In these cases ISS is not directly responsible for offering choice; however, we will not process consumer information unless a client has provided, at the very least, a certification that you have been provided adequate choice as required under the Privacy Shield.
III. Onward Transfer to Third Parties
The principles of “Notice” and “Choice” also apply to transfers of EU Personal Data made to third parties that are not our agents. Therefore, EU Personal Data is only provided to third parties for purposes described in the “Notice” section of the EU Policy or otherwise disclosed to consumers. Authorization (opt-in) is obtained before transfers when it is appropriate to do so (such as for transfers of sensitive information); no information will be disseminated to a third party where a consumer has exercised the right of choice and either opted-out (for non-sensitive information) or failed to opt-in (for sensitive information).
ISS may disclose EU Personal Data to its agents, as well as its clients who enter written agreements with ISS, in which the third party agrees to follow practices that offer at least the same level of privacy protection as the Privacy Shield Principles. ISS may disclose EU Personal Data in response to a lawful request by public authorities if required to do so by laws regarding national security or law enforcement or in good faith belief that such disclosure was required by law. ISS does not disclose data to third parties for marketing purposes.
In the case of information transferred to third parties who are our agents, ISS remains liable if an agent processes EU Personal Data in a manner inconsistent with the Privacy Shield Principles, unless it can be proved that ISS is not actually responsible for the event(s) giving rise to the consumer’s damage. Likewise failure to establish contractual relationships with third parties who are not our agents can result in sanctions and disciplinary action up to revocation of our certification and removal from the Privacy Shield List.
ISS takes reasonable steps to protect EU Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction.
Access to information maintained in our systems is restricted to authorized personnel who have a need to access that information in order to complete their jobs. If we transmit PII through the Website or ISS-controlled networks, we utilize industry-standard encryption, including the 256-bit Secure Sockets Layer (SSL) protocol.
PII is destroyed by shredding or electronic erasure that is done in a manner such that the information cannot be practicably read or recovered.
V. Data Integrity and Limited Purpose
ISS processes EU Personal Data in ways that are compatible with the purposes for which it has been collected (as identified in the Notice section above) or as otherwise authorized by the consumer and for no other purposes. To the extent necessary for those purposes, ISS takes reasonable steps to ensure that personal data is reliable for its intended use, and that it is accurate, complete, and current. ISS does not use consumer PII for marketing purposes or sell PII to third parties for marketing purposes.
A consumer may make a written request for access to all EU Personal Data that ISS has collected and maintains about him or her, if any. ISS will give consumers reasonable opportunity to correct, amend, or delete incomplete or inaccurate information about them as well as information that is proven to have been processed in violation of the Privacy Shield Principles, unless (i) the burden or expense of providing access would be disproportionately high compared to the risks to the individual’s privacy, or (ii) the rights of persons other than the individual would be violated.
ISS has the right to request and obtain sufficient information to allow it to confirm that the identity of the person making the access request matches the identity of the data subject. ISS will make reasonable efforts to confirm the identity of the requestor to ensure that information is only provided to the data subject.
To request information relating to his or her EU Personal Data, a consumer may contact ISS in writing. Consumers may do so by sending a letter or downloading and mailing an Access Request Form to the address identified in the section of this policy called “Our Contact Information”.
If a consumer’s initial writing did not provide sufficient evidence of identity, the consumer will be asked to provide sufficient evidence of his or her identity to ensure that information is only released to the correct individual. If ISS is unable to grant access to the consumer’s EU Personal Data or to correct the data, we will notify the consumer.
ISS is obligated to remedy problems arising out of an identified failure to comply with the Privacy Shield Principles. We will verify that assertions made in this EU Policy are true and implemented via annual self-assessment of our privacy policies and procedures. ISS is also obligated to maintain a free and readily available independent recourse mechanism to investigate consumer complaints.
Because ISS may be required to handle human resources data from employees working in the European Union, it has elected to satisfy this requirement from sections (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by cooperating with any competent EU Data Protection Authorities in the investigation and resolution of Privacy Shield complaints brought by a consumer who is protected under Privacy Shield. Where a Data Protection Authority takes the view that ISS must take specific action to comply with the Privacy Shield Principles, ISS will respect that opinion and comply by (i) taking any remedial steps suggested and/or compensating the consumer, and (ii) providing the Data Protection Authority with written confirmation that suggested compliance actions have been carried out.
ISS has no affiliates or offices in the EU and there is no specific Data Protection Authority with direct jurisdiction over an establishment of ISS. Furthermore, ISS may receive human resources data regarding employees and other EU Personal Data from any of the EU member countries; therefore, ISS does not identify a specific Data Protection Authority for contact. Instead a consumer should identify and communicate with his or her own state or national data protection or labor authority.
If you have a complaint or dispute related to our handling of your EU Personal Data, we encourage you to first contact ISS directly in writing. You may do so by sending a letter or downloading and mailing a Notice of Consumer Dispute Form to the address identified in the section of this policy called “Our Contact Information”. We will do our best to respond to your concerns in a timely manner, but if we cannot, you may make a complaint to your state or national data protection or labor authority (which you may do at any time).
Subject to other requirements and restrictions, any residual claims remaining after all other redress mechanisms have been exhausted may be submitted to an arbitration panel for binding arbitration in order to determine whether ISS violated its obligations to you under the Privacy Shield Principles and whether the violation(s) remains fully or partially unremedied. The arbitration panel is authorized to impose non-monetary equitable relief (like access, correction, deletion, or return of data) necessary to remedy the violation.
Our Contact Information
International Screening Solutions, Inc.
114 TownPark Drive, Suite 540
Kennesaw, GA 30144
Effective: September 21, 2016