This Privacy Shield Policy sets forth the principles under which Beyond IT manages the processing of Personal Data collected in the European Union member countries and Switzerland and subsequently transferred to the United States (U.S.). Beyond IT employees that have access in the U.S. to Personal Data covered by this Privacy Shield Policy are responsible for conducting themselves in accordance with this policy and may not use or disclose Personal Data in a manner contrary to this policy without the prior written permission of the Data Protection Officer.
“Personal Data” means any information relating to an individual residing in the European Union and Switzerland that can be used to identify that individual either on its own or in combination with other readily available data such as your name, date of birth, address, occupation or skill level. Our purpose for collecting this data is that Beyond IT is typically engaged by clients involved with an active or potential litigation for investigative or discovery purposes. The type of data we collect includes documents, email, spreadsheets, presentations, etc that are searched as part of legal discovery, request for production, or as a result of an internal investigation.
“Sensitive Personal Data” means Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.
“Data Subject” means the individual to whom any given Personal Data covered by this Privacy Shield Policy refers.
Privacy Shield Principles
Beyond IT commits to the Privacy Shields’ Principles for all Personal Data received in the U.S. from European Union member countries and Switzerland in reliance on the respective Privacy Shield framework.
Beyond IT notifies data subjects covered by this policy about its data practices regarding Personal Data received by Beyond IT in the U.S. from European Union member countries and Switzerland in reliance on the respective Privacy Shield framework, including the types of Personal Data it collects about them, the purposes for which it collects and uses such Personal Data, the types of third parties to which it discloses such Personal Data and the purposes for which it does so, the rights of Data Subjects to access their Personal Data, the choices and means that Beyond IT offers for limiting its use and disclosure of such Personal Data, how Beyond IT’s obligations under the Privacy Shield are enforced, and how Data Subjects can contact Beyond IT with any inquiries or complaints.
In the event Personal Data are to be used for a new purpose incompatible with the purposes for which the data were originally collected or subsequently authorized or transferred to the control of a non-agent third party, Beyond IT will provide Data Subjects an opportunity to decline to have their data so used or transferred. Requests to opt out of such uses or disclosures of Personal Data should be sent to: firstname.lastname@example.org.
If Sensitive Personal Data covered by this policy is to be used for a new purpose or transferred to the control of a non-agent third party, the Data Subject’s consent will be obtained prior to the new use or transfer of the data.
- Onward Transfer
In the event we transfer Personal Data covered by this Privacy Shield Policy to a third party acting as a controller (such as a Court of Law or those designated by the court, attorneys involved in the particular litigation, designated e-discovery vendor of the court or attorney) we will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Beyond IT has knowledge that a third party acting as a controller is processing Personal Data covered by this Privacy Shield Policy in a way that is contrary to the Privacy Shield Principles, Beyond IT will take reasonable steps to prevent or stop such processing.
With respect to our agents, we will transfer only the Personal Data covered by this Privacy Shield Policy needed for an agent to deliver to Beyond IT the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Beyond IT’s obligations under the Privacy Shield Principles; and (iv) require the agent to notify Beyond IT if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, we will take reasonable and appropriate steps to stop and remediate unauthorized processing.
Beyond IT remains liable under the Privacy Shield Principles if an agent processes Personal Data covered by this Privacy Shield Policy in a manner inconsistent with the Principles, except where Beyond IT is not responsible for the event giving rise to the damage.
Beyond IT takes reasonable and appropriate precautions to protect Personal Data in its possession from loss, misuse, alteration, destruction, or unauthorized access or disclosure. Beyond IT may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. If allowed by law or when possible, Beyond IT will notify the individual prior to the disclosure to challenge the request.
Data subjects have reasonable access to their Personal Data, and may request corrections, deletions, or additions, as appropriate, except where the burden or expense of providing such access would be disproportionate to the risks to the individual data subject’s privacy. Requests for access, correction, amendment, or deletion should be sent to: email@example.com.
- Data Integrity
Beyond IT limits the collection, usage, and retention of Personal Data to that which is germane to the relevant purposes and takes steps to ensure that any Personal Data are accurate, complete, current and reliable for the intended use.
- Enforcement, Recourse and Liability
Beyond IT’s participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission.
In compliance with the Privacy Shield Principles, Beyond IT commits to resolve complaints about your privacy and our collection or use of your Personal Data. Data Subjects with inquiries or complaints regarding this Privacy Shield Policy should first contact Beyond IT at: firstname.lastname@example.org.
Beyond IT has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint.
Under certain conditions detailed in the Privacy Shield, Data Subjects may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Beyond IT agrees to periodically review and verify its compliance with the Privacy Shield Principles, and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. Beyond IT acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants.
This Privacy Shield Policy may be amended from time to time consistent with the requirements of the Privacy Shield. When we do update the privacy statement, we will also revise the “Last Updated” date at the top of this document. Any material changes to this privacy statement will also be posted on the Beyond IT web page.