Privacy Notice
Effective Date: December 11th, 2020

Your privacy is important to the Confirmit group of companies (“Confirmit,” “Dapresy,” “we,” “us,” or “our”). This policy discloses the information practices for Confirmit web sites www.confirmit.com, https://extranet.confirmit.com, and www.dapresy.com, and our mobile applications, including what type of information is gathered and tracked, how the information is used, and with whom the information is shared.

Confirmit and Dapresy are part of the same group of companies. References to “Confirmit” in here shall include reference to “Dapresy” unless otherwise stated.

1. Introduction

Your privacy is important to the Confirmit group of companies. This privacy notice discloses the information practices for Confirmit-controlled web sites (www.confirmit.com, https://extranet.confirmit.com, and www.dapresy.com) and for Confirmit-provided mobile applications (AskMe, CAPI, Mobile Panel, SODA, and Confirmit Go), including what type of information is gathered and tracked, how the information is used, and with whom the information is shared. This policy applies to Confirmit customers, web visitors, registered account holders of our products, mobile app users, and applicants to positions at Confirmit.

2. Definitions

In this privacy notice, the term “personal data” includes:

·       Under the laws of the United States, personal data shall include any “non-public personal information” as that term is defined in the Gramm-Leach-Bliley Act found at 15 USC Subchapter 1 §6809(4), and "protected health information" as defined in the Health Insurance Portability and Accountability Act found at 45 CFR §160.103.

·       Under the laws of the countries in the European Economic Area (“EEA”), personal data shall have the meaning given to it in Directive 95/46/EC (the “EU Directive”) and in the General Data Protection Regulation (“GDPR”).

·       Under the laws of Australia, personal data shall include information or an opinion about an identified individual or an individual who is reasonably identifiable: (a) whether the information is true or not; and (b) whether the information or opinion is recorded in a material form or not.

·       Under the laws of California, personal data shall include any “personal information” as that term is defined in the California Consumer Privacy Act (“CCPA”) §1798.140(o).

“Data controller” means the party that determines the purposes or means of the processing of the personal data.

“Data processor” means the party that processes the personal data on behalf of the data controller.

3. Confirmit’s two roles as data processor and data controller

3.A. For the first type of Internet site, Confirmit acts as data processor and as a software-as-a-service (“SaaS”) provider for companies conducting data collection and reporting activities via the Internet or mobile apps. You may be submitting responses to web surveys or app surveys via mobile devices, and the template of the survey may state "Powered by Confirmit." Surveys launched by Confirmit’s customers may be hosted on Confirmit's SaaS environments, or alternatively they may be hosted on the customer's own hosting environment on the Internet rather than on Confirmit’s.


In any of these cases, please be aware that it is our customers as data controllers who are initiating or performing the data collection, who determine from whom to collect personal data, and who define how to use the collected personal data. Confirmit is acting as a data processor, and our customers use the SaaS at their own initiative. Confirmit will therefore process any and all categories of personal data uploaded to or collected onto the SaaS by our customers. For more details about how Confirmit’s customer intends to use your personal data, please refer to the privacy notice of the Confirmit customer from whom the email or the web survey originates. For more information related to Confirmit’s role as a data processor, please see Section 4 below, “Confirmit as a data processor.”

3.B. The second type of sites we manage is related to information offered by Confirmit to its business customers, prospects, and other visitors on the Confirmit website, the Confirmit extranet, and other sites we offer access to where Confirmit acts as the data controller.

4. Confirmit as a data processor

4.A. Our role as a processor

In relation to our roles as SaaS provider and data processor, Confirmit processes information under the instructions of its customers and has no direct relationship with the individuals whose personal data Confirmit collects or processes on behalf of its customer.

If you seek access to correct, amend, or delete inaccurate personal data, or if you seek to invoke any other rights in respect to the personal data under applicable laws, you should direct your query to Confirmit’s customer as the data controller. We will honor and support any instructions our customer provides us with respect to your personal data. If Confirmit is requested by Confirmit’s customer to take actions on personal data (access, update, export, delete or other as required), we will respond within a reasonable timeframe in accordance with applicable laws.

If you would no longer like to be contacted by one of our customers that use our SaaS service, please contact the customer directly.

If you have reached out to our customer and are not getting a reply, you may approach Confirmit in accordance with section 6 below. 

4.B. Data storage, data access, data transfers, and data retention

Personal data that our customers collect from you may, subject to adequate confidentiality undertakings, and for the sole purpose of providing our customers with the services they have contracted from us, be transferred to or accessed by personnel of Confirmit-affiliated entities (see list here), and to or by third party companies  and subcontractors that help us provide our services. In any such case, the personnel granted access to your personal data will have been deemed by their managers to have a reasonable business need to do so. 

Where Confirmit transfers personal data to one of its affiliates (including Dapresy affiliates), we will have legitimate transfer mechanisms in place. See more details in section 5.F. below. Transfers to subsequent third parties are covered by the service agreements with our customers.

Depending on the Horizons SaaS environment in which you have been invited to take a survey, your personal data will be stored on servers in London (survey.euro.confirmit.com), Dallas (survey.confirmit.com), or Sydney (survey.confirmit.com.au). Other URLs may be used by our customers. The data centers of the Horizons SaaS environments are managed under our control by Rackspace entities in the United States, in the United Kingdom, and in Australia.

Confirmit leverages Microsoft Azure Cloud to provide additional Horizons environments based on data storage in new regions. As of the date of this Privacy Notice, Horizons Cloud is offered in Canada and in Germany. 

Depending on the Dapresy SaaS environment in which you have been invited to take a survey, data stored in Dapresy Pro can be located in the United States (dc.dapresy.com, lax.dapresy.com), Canada (na.dapresy.com), United Kingdom (uk.dapresy.com), the Netherlands (live.dapresy.com, europe.dapresy.com, manager.dapresy.com), Australia (au.dapresy.com), Hong Kong (hk.dapresy.com), dep. Other URLs may be used by our customers. The data centers of the SaaS environments are managed under our control by Aptum entities in North America and United Kingdom. In the Netherlands, the data is stored in the Iron Mountain data center, while in Australia the data is stored in Rackspace.

Where Confirmit transfers personal data to subcontractors as agreed in our contracts with our customer, we will have legitimate transfer mechanisms in place, and where the subcontractor processes the personal data outside of the EEA and in a jurisdiction not deemed by the EU to meet the applicable EU adequacy standards, we are requiring the subcontractor to enter into Model Clauses with us.

We will retain personal data our customers have instructed us to process for them for as long as needed to provide services to our customers in accordance with the contractual terms in our agreements with them. Our customers can at any time instruct for such personal data to be updated, exported, deleted, or as otherwise required. Confirmit will retain personal data as necessary to comply with our legal obligations, resolve disputes, and in accordance with our customer agreements.

4.C. Security measures

Confirmit operates under a strong security and privacy regime. Confirmit has successfully undergone a third-party System and Organization Controls (SOC) 2 Type II audit (performed in accordance with SSAE 18 and the AT-101 Trust Services Principles) for its Horizons platform and operations. The examination, performed annually by an AICPA accredited firm, tests and reports on the design and effectiveness of Confirmit’s controls in the areas of security, confidentiality and availability. The SOC 2 report provides assurance that we have designed and implemented effective security controls as defined in the SOC 2 standards. During the examination, the independent auditors evaluated and tested controls over the following domains:

·       Organization and management

·       Communications

·       Risk management, design, and implementation of controls

·       Monitoring of controls

·       Logical and physical access controls

·       Systems operation

·       Change Management

If your personal data is stored on Confirmit's Horizons or Dapresy SaaS environments, you are welcome to read more about how we protect your personal data by applying industry leading security measures and performing ongoing security tests and controls. For Horizons, please refer to the PowerPoint file available for you to download from here. For Dapresy, please see here.

4.D. Device information

In relation to the first type of Internet site discussed in section 3.A above, when you download and use mobile apps produced by Confirmit, we automatically collect information on the type of device you use, operating system version, and where applicable, the device identifier (or "UDID").

The mobile apps do not require location permission in order to be used. However, our customers who are using our mobile apps in order to collect personal data from you may request that the mobile apps collect your precise geolocation. Should location be requested, you will be prompted by the operating system of your device with a message that the mobile app has requested to access the device location (please note that Android OS 6 or older versions lack this feature). You can accept or reject that request. If permission has been granted, this permission can be later changed at any time under the operating system settings area.

Depending on our customers’ use of the mobile app, the mobile app may also use beacons or similar technologies as part of the survey taking.  

4.E. Cookies and Tracking Technologies on the SaaS environment

We and our service providers use cookies, web beacons, scripts, eTags, local storage (HTML5) or similar tracking technologies. These technologies are used on the SaaS environment to provide you with a better user experience, including to authenticate users of, or personalize the content on, the SaaS website or online service. They are also used to preserve functionality in our SaaS platforms, such as to monitor network communications, maintain or analyze the functioning of the SaaS website or online service, and protect the security or integrity of the user, SaaS website or online service.

You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on the SaaS environment. 

For information about cookies when you provide personal data to our customers via our SaaS environment, please refer to our Cookie Policy. We do not use cookies in surveys you are invited to take via an email invitation with a clickable link or via pop-ups or web intercepts, but our customers using the SaaS may launch their own cookies, which we may not be aware of. Please contact the company inviting you to access the surveys or reports delivered via the SaaS for information about their cookies.

5. Confirmit as a data controller

5.A. Our role as a data controller

The security of your personal data is important to us.  We follow generally recognized industry standards to protect the personal data submitted to us during transmission and once it is received. In general, you can visit Confirmit on the Internet without telling us who you are and without giving any personal data about yourself, except that we may log IP address and geolocation. There are times, however, when Confirmit or our partners may require additional personal data from you.

Confirmit will act as a data controller where, for example, you visit our web-sites and provide us with your contact details to obtain access to resources, or where we store your details as part of our management of accounts you have with us in your role as a customer. Confirmit also acts as a data controller during recruitment processes, see section 5.Q below. Where Confirmit acts as the data controller, you may choose to provide us with your personal data in a variety of situations. For example, you may want to give us information such as your name, physical address, email address, zip code, resume, phone number, and additional contact information.  We intend to let you know how we will use such information and seek your consent in accordance with applicable laws before we collect it from you. 

You may at any time revoke your consent or invoke rights in relation to the personal data provided to us in accordance with applicable laws. If you tell us that you do not want us to use this information to make further contact with you beyond fulfilling your requests, we will respect your wishes. If you give us personal data about somebody else such as a spouse or work colleague, we will assume that you have his or her permission to do so.

Confirmit will also act as data controller when processing personal data for administrative and operational purposes related to our provision to customers of services under agreements we have with them. Processing of such personal data will serve administrative and operational purposes such as account management, invoicing and financial reporting, data protection and cybersecurity, and complying with our legal obligations.

Confirmit does not request the disclosure of special categories of personal data or sensitive data.

You may contact Confirmit in order to invoke your rights as a data subject under applicable laws in accordance with section 19 below. 

5.B. Information provided in accordance with Article 13 of the GDPR

a. Confirmit is an entity acting as the data controller. A full list of Confirmit group entities is available here.

b. Contact details of the data protection officer are available in section 19 below.

c. The purposes of the processing are either stated in the consent note we obtain from you prior to processing your personal data, or alternatively:  

·       To fulfill your transaction request;

·       To provide you with a subscription;

·       To provide you with support and consulting services;

·       To verify your identity;

·       To provide information on products, services, or callback requests;

·       To send you specific marketing materials;

·       To allow our business partners to contact you for marketing purposes;

·       In connection with a job application or inquiry;

·       To contact you about employment consideration; and

·       To invite you to complete web surveys.

Marketing Preferences - If you no longer wish to receive communications from us, you may opt-out by following the unsubscribe instructions located at the bottom of each communication.  You may opt back in by emailing us or completing other opt-in actions offline or online.

d. The recipients of your personal data will be selected Confirmit employees and third-party providers under contract with Confirmit ensuring data protection levels equivalent to those set forth in this privacy notice. Where personal data collected in the EEA is transferred to a subcontractor in a third country outside of the EEA and which country is not deemed to meet the adequacy standards of the EU Commission, Confirmit shall have ensured suitable safeguards with such subcontractor both technically and contractually.

e. Data Retention - We will retain your personal data for as long as reasonably necessary in accordance with the purpose of the processing as communicated to you as part of the consent or privacy notice.

·       We delete personal data relating to marketing activities where the data subject a) has opted out of marketing emails, b) has invalid emails in the system, or c) has been inactive for 9+ months.

·       We will retain personal data we process about our customers for as long as needed to provide services to our customers in accordance with the contractual terms in our agreements with them. Confirmit will retain such personal data as necessary to comply with our legal obligations and to resolve disputes.

f. You have the right to seek access to and rectification or erasure of your personal data in accordance with applicable laws as set forth in section 6 below.

g. Where our processing of your personal data is based on your consent, you have the right to withdraw such consent at any time as set forth in section 6 below.

h. Where applicable laws so prescribe, you have the right to lodge a complaint to a supervisory authority.

5.C. Information for Confirmit business partners

If you represent a Confirmit business partner, you may visit a Confirmit website intended specifically for Confirmit business partners. We may use information provided on that site to administer and develop our business relationship with you, the business partner you represent, and Confirmit business partners generally.

5.D. Information for Confirmit customers

If you work for a Confirmit customer, you may visit a Confirmit website intended specifically for Confirmit customers. We may use information provided on that site to administer and develop our business relationship with you, the customer for which you work, and Confirmit customers generally.

We may also collect and process your personal data as necessary for the performance of the contract in place between the Confirmit customer and Confirmit in accordance with GDPR Article 6.

5.E. Other Confirmit website notices

In some cases, specific Confirmit websites may contain other notices about their use and the information practices applicable to those sites.

5.F. Cross-border flows of personal data

Confirmit is a global organization with legal entities, business processes, management structures, and technical systems that cross borders. See here for a full list of Confirmit affiliates and here for a list of Dapresy affiliates (Confirmit and Dapresy are part of the same group of companies).

Our privacy practices are designed to provide protection for your personal data in accordance with the laws applicable to each respective Confirmit affiliate.

We may share your personal data within Confirmit, or with service providers and transfer it to countries in the world where we or our service providers do business.

Transfers of your personal data between the Confirmit group of companies are made subject to our Confirmit Intra-group Personal Data Transfer Agreement which includes the use of EU approved Standard Contractual Clauses (Model Clauses). Transfers of your personal data from the Confirmit group of companies to their respective service providers will be subject to adequate contractual terms, including where required, EU Model Clauses. 

Some countries may provide less legal protection for your information. In such countries Confirmit will handle information in the manner we describe in this privacy notice.

5.G. Sharing with Service Providers and Business Partners

Service Providers

We may share your information with third parties who provide services on our behalf to help with our business activities under contractual terms providing adequate protection to your information.  These companies are authorized to use your personal data only under our instructions and only as necessary to provide the contracted services to us.  These services may include:

·       Sending marketing communications

·       Fulfilling subscription services

·       Conducting research and analysis

·       Providing data center facilities

Before we share personal information, we enter into written agreements with recipients which contain data protection terms that safeguard your data.

5.H. Passive collection

As is true of most websites, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring and exit pages, the files viewed on our site (for example, HTML pages, graphics, or other), operating system, date and time stamp, and clickstream data to analyze trends in the aggregate and administer the site.

5.I. Cookies and Tracking technologies

Confirmit, our service providers and partners use cookies, web beacons, scripts, eTags, local storage (HTML5) or similar tracking technologies to analyze trends, administer the website, track users’ movements around the website, and to keep track of the domains from which people visit. We may extract some information about your transactions in a non-identifiable format and combine it with other non-identifiable information such as clickstream data and gather demographic information about our user base as a whole.

You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service. 

Social Media Features – Our sites and services may include social media features, such as Facebook “Like” button and Twitter re-tweets, as well as share buttons or interactive mini-programs. These features collect the user’s IP address, the pages visited on the site or service, and set cookies to enable the features to function properly.  Social media features are either hosted by a third party or hosted directly on the Website. Interactions with these features are governed by the privacy notices of the social media companies that provide them.

5.J. Mobile analytics

We use mobile analytics software to allow us to better understand the functionality of our mobile software on your phone. This software may record information such as how often you use the application, the events that occur within the application, individual and aggregated usage, performance data, and from where the application was downloaded. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile application.

5.K. Service quality monitoring

Certain web transactions may also involve you calling us or our calling you. Please be aware that it is Confirmit's general practice to monitor and in some cases record such calls for staff training or quality assurance purposes.

5.L. Personalized URL link

On occasion, we may personalize and customize websites for certain visitors. If you visit one of these sites, you may find it customized with references to products and services that we believe may be of interest to you based on your previous interactions with Confirmit and information you have provided to us. While you are visiting these websites, we may collect information about your visit to better tailor the site to your interests. An invitation to visit one of these websites is usually presented as a personalized URL in an email, a notice on a website registration page, or as a response to you logging on to a certain website.

5.M. Disclosures required by law or to fulfill a business transition

We may also disclose your personal data as required by law such as to comply with a subpoena or other legal process when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. If Confirmit is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email or a prominent notice on our website of any change in ownership, uses of your personal data, and choices you may have regarding your personal data. We may also disclose your personal data to any other third party with your prior consent.

5.N. Links to non-Confirmit websites

Confirmit websites may contain links to other websites. Confirmit is not responsible for the privacy practices or the content of those other websites.

5.O. Notification of changes

We may update this Privacy Policy to reflect changes to our information practices. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

5.P. Information We Acquire from Third Parties

We may receive information about you from other sources including publicly available databases or third parties from whom we have purchased data and combine this data with information we already have about you.  This helps us to update, expand, and analyze our records, identify new customers, and provide products and services that may be of interest to you.  If you provide us personal data about others or if others give us your information, we will only use that information for the specific reason for which it was provided to us.

Examples of the types of personal data that may be obtained from public sources or purchased from third parties and combined with information we already have about you may include purchased marketing data about our customers from third parties that is combined with information we already have about you to create more tailored advertising and products.

5.Q. Recruitment

During recruitment processes, we will need to process personal data about job applicants. Such processing will be in compliance with the laws of the jurisdiction in which we recruit. Our processes for retention and deletion of documents and data related to recruitment processes are set forth in “Confirmit HR Data Retention Policy”. For any questions, please see Section 6 below.

6. Confirmit’s compliance with the California Consumer Privacy Act (“CCPA”)

This section supplements the other sections of this privacy notice and applies to you if you are a resident of the State of California. We adopt this notice to comply with the CCPA. Any terms defined in the CCPA have the same meaning as they do in the CCPA when used in this section.

Please note that this section primarily relates to our direct consumers, such as business contacts who work for our customers. If you are a consumer of one of our customers (the business which sent you the survey which led you here, for example), please contact that company directly, such as through the contact methods they provide in their privacy notices. We will not be able to carry out your requests to exercise your rights under the CCPA in relation to personal information controlled by our customers.

You have the right to request that we disclose what personal information we collect, use, disclose, and sell.  We can provide the following data in regards to your information: specific pieces of personal information, categories of personal information we have collected, categories of sources from which the personal information was collected, categories of personal information that we sold or disclosed for a business purpose, categories of third parties to whom we sold or disclosed for a business purpose, or the business or commercial purpose for collecting or selling personal information. Some of the foregoing may not apply to you. 

You have the right to be provided with access to any of your personal information in our possession.

You have the right to request the deletion of your personal information that we hold.  Please note that there are exceptions to this deletion right, such as the information we need to keep to comply with the CCPA, that is permitted to be retained under the CCPA, or is required or permitted to be retained under other applicable laws.

You have the right not to receive discriminatory treatment by us for the exercise of the privacy rights conferred by the CCPA.

You are able to opt out of our sale of your personal information to third parties. You may do so by clicking here: “Do Not Sell My Personal Information.”  

We collected the following categories of personal information from consumers over the past twelve months:

| Category of personal information collected | Whether we collected this category of personal information from consumers over the past twelve months | Categories of sources from which this category of personal information was collected | Business or commercial purpose for which this category of personal information was collected | Categories of third parties with whom Confirmit shares this category of personal information |
| --- | --- | --- | --- | --- |
| Personal identifiers | Yes | Consumers and our service providers | Marketing, sales, SaaS, and support thereof | Service providers which assist us with SaaS, marketing and sales, and support thereof |
| Personal information | Yes | Consumers and our service providers | Marketing, sales, SaaS, and support thereof | Service providers which assist us with SaaS, marketing and sales, and support thereof |
| Commercial information | No | Not applicable | Not applicable | Not applicable |
| Biometric information | No | Not applicable | Not applicable | Not applicable |
| Internet or other electronic network activity information | Yes | Consumers and our service providers | Marketing, sales, SaaS, and support thereof | Service providers which assist us with SaaS, marketing and sales, and support thereof |
| Geolocation data | No | Not applicable | Not applicable | Not applicable |
| Audio, electronic, visual, thermal, olfactory, or similar information | No | Not applicable | Not applicable | Not applicable |
| Professional or employment-related information | Yes | Consumers and our service providers | Marketing, sales, SaaS, and support thereof | Service providers which assist us with SaaS, marketing, sales, and support thereof |
| Education information | No | Not applicable | Not applicable | Not applicable |
| Consumer profiles | Yes | Consumers and our service providers | Marketing, sales, and support thereof | Service providers which assist us with support |
| Characteristics of protected classifications under California or federal law | No | Not applicable | Not applicable | Not applicable |

We have not sold personal information of consumers in the past twelve months.

We have disclosed personal information to service providers for a business purpose in the past twelve months. The categories of personal information we disclosed are stated in the table above.  We have contractual requirements in place with our service providers so that they will not further collect, sell, or use personal information except as necessary to perform our business purpose.

Our sources of personal information are: consumers and service providers. 

We collect personal information for the business or commercial purposes listed in Section 5.B(c) above.

We do not sell personal information of minors under 16 years of age without affirmative authorization.

If you make a request to us under this section, we are required to verify your identity before complying with your request.  Your request should come from the same e-mail address that you registered with us. We may need to ask for additional verification details as applicable from time to time. You may designate an authorized agent to make a request under the CCPA on your behalf, but you must verify that you authorize your agent to do so.

To make any requests pursuant to this section, or if you have any questions or comments for us regarding this section, please contact us at privacy@confirmit.com. Alternatively, you can opt out of Confirmit’s newsletters, or of Confirmit selling your data, at this website. See also Article 7 below.

7. Privacy questions, access rights, incident reporting

If you have any questions about how we use your personal data or about this privacy notice, you can send an email to privacy@confirmit.com. You can also contact us by mail at 300 Seventh Ave., 3rd Floor, New York, NY 10001, or you may contact us at the physical address of the office closest to you; see our list here.

If you would like to reach Confirmit’s Data Protection Officer (as defined under the GDPR), you can contact DataProtectionOfficer@confirmit.com.

If you have an unresolved privacy or personal data use concern that we have not addressed satisfactorily, please contact our U.S. based third-party dispute resolution provider free of charge at https://feedback-form.truste.com/watchdog/request.


Upon request, Confirmit will provide you with information about whether we control any of your personal data on our own behalf. If you wish to obtain a copy of particular information you provided to Confirmit, if you become aware that the information is incorrect and you would like us to correct it, update it, or delete it, if you would like to exercise any of your legal rights such as those in relation to updating your preferences regarding how we use your personal data, or to withdraw consent, contact us at privacy@confirmit.com. We will respond to your access request within a reasonable timeframe, within the timelines prescribed by applicable law.

If you are enquiring about or exercising any of your legal rights, or want to withdraw your consent, with respect to personal data we collect and process under the instructions of our customers (see section 4 above), please direct your query to our customer, which is the data controller. If you contact our company in relation to this, we are under obligation to refer your enquiry to the data controller. We will honor and support any lawful instructions they provide us with respect to your personal information.

Before Confirmit is able to assist you, provide you with any information, or correct any inaccuracies, we may ask you to verify your identity and to provide other details to help us to respond to your request. We will endeavor to respond within an appropriate timeframe.

Should you want to report an incident relating to Confirmit’s security, confidentiality, or privacy, you are welcome to file a report by entering required data at http://securityincident.confirmit.com. Alternatively, contact privacy@confirmit.com.

8. EU–U.S. and Swiss-U.S.  Privacy Shield versus EU Standard Contractual Clauses (Model Clauses)

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a judgment declaring Privacy Shield to no longer be valid. Privacy Shield can therefore no longer be relied upon as a lawful mechanism for complying with EU data protection requirements when transferring personal data from the European Economic Area (EEA) to the United States.

Although Confirmit remains certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield (see the U.S. Department of Commerce’s Privacy Shield List), and committed to the Privacy Shield Principles when processing personal data, Confirmit does not rely on Privacy Shield for transfers of personal data to the US.

The GDPR offers several methods to ensure that international transfers of personal data are lawful. 

Transfers of personal data between the Confirmit group of companies are made subject to our Confirmit Intra-group Personal Data Transfer Agreement which includes the use of EU approved Standard Contractual Clauses. Transfers of personal data from the Confirmit group of companies to their respective service providers will be subject to adequate contractual terms, including where required, EU Standard Contractual Clauses. 

The continued validity of the EU Standard Contractual Clauses was not impacted by the July 16th 2020 CJEU verdict. 

As noted above, Confirmit, Inc., based in the United States, continues to participate in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. Confirmit, Inc. is committed to subjecting all personal data received from EEA member countries, Switzerland and the United Kingdom respectively in reliance on the Privacy Shield Frameworks to the Framework’s applicable principles. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield List.

Confirmit, Inc. is responsible for the processing of personal data it receives under the Privacy Shield Framework and which it may subsequently transfer to a third party acting as an agent on its behalf. Confirmit, Inc. complies with the Privacy Shield Principles for all onward transfers of personal data from the EEA, Switzerland and the United Kingdom including the onward transfer liability provisions. If there is any conflict between the terms in this privacy notice and the Privacy Shield Principles in relation to data Confirmit, Inc. receives under the Privacy Shield Framework, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit the Privacy Shield website.

With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Confirmit, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Confirmit, Inc. may be required to disclose personal data in response to lawful requests by public authorities including to meet national security or law enforcement requirements.

Under certain conditions more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

9. Phishing emails that reference Confirmit

We have been informed that emails with the subject “Important Information Regarding Your XXXX Account,” or similar are being sent by parties not affiliated with Confirmit. These emails ask recipients to provide login information related to an account that might be held at the company referenced in the subject line. The emails may point to this webpage or Confirmit’s privacy policy for more information.

Confirmit is not responsible for the content of these emails. If you believe that you have been asked to provide personal data, please approach the company with whom you hold the account for more information and instructions. Confirmit does not engage in such practices.

Note that Confirmit as a provider of online survey software enables its customers to send emails to individuals asking them to participate in market research surveys or to provide customer and employee feedback. Confirmit does not authorize, approve, or in any other way bear responsibility for emails sent out by customers.