Data Privacy Framework (DPF) Policy

Introduction

Simpligov, LLC. respects individuals’ privacy, and strives to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it and its subsidiaries do business. This Data Privacy Framework (DPF) Policy (the “Policy”) describes the privacy principles as follows with respect to certain personal information transmitted to Simpligov in the United States of America (the “U.S.”) from countries located within the European Economic Area and Switzerland.

1. Overview

SimpliGov LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  SimpliGov LLC  has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  SimpliGov LLC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

2. Scope

This Policy applies to all Personal Data received by Simpligov in the United States from the EEA, UK and/ or from Switzerland, either directly from individuals, from its affiliates or from other third-party organizations, and in any format whatsoever, including electronic, paper or oral transmission.

This Policy also applies to Simpligov’ Agents (defined below) that process Personal Data received by Simpligov in the United States from the EEA, UK and/ or from Switzerland on behalf of Simpligov.

3. Definitions

For purpose of this Policy, the following definitions shall apply:

  1. “Personal Data” and “Personal Information” means data about an identified or identifiable individual that are within the scope of the Directive 95/46/EC or the Swiss Federal Act on Data Protection, received by an organization in the United States from the European Union, UK and/ or Switzerland, and recorded in any form. Personal Data includes all Sensitive Personal Data (as defined below).
  2. “Sensitive Personal Data” or “Sensitive Personal Information” means personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual or, where received from a third party, data that is identified and treated as sensitive by the third party. Where Swiss individuals are concerned, “Sensitive Personal Data” or “Sensitive Personal Information” also includes ideological views or activities, and information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
  3. “Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
  4. “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  5. “Agent” means any third party that collects or uses Personal Data provided by Simpligov to perform tasks on behalf of Simpligov under the instructions of, and solely for, Simpligov.
  6. “Simpligov,” “we,” “our” or “us” means Simpligov, LLC. and its successors, assigns and wholly- owned affiliates and subsidiaries and their respective divisions and groups, each of which are located within the U.S.

4. Privacy Principles for Processing of personal data received from the EEA, UK and/or Switzerland

  1. NOTICE
    Where Simpligov collects Personal Data directly from individuals in the EEA, UK and/or Switzerland or receives it from its European, UK or Swiss affiliates, it or its European, UK or Swiss affiliates will inform those individuals about the purposes for which they collect and use Personal Data about them; the transfer of Personal Data to Simpligov in the U.S., the types or identity of third parties to which Simpligov discloses that information and the purposes for which it does so; and the choices and means Simpligov offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Simpligov, or as soon as practicable thereafter, and in any event before Simpligov uses the information for a purpose other than that for which it was originally collected. Simpligov may from time to time process certain Personal Data about customers, business partners, suppliers, vendors, service providers, employees and candidates for employment, including information recorded and stored on various types of media, including electronic media. Simpligov will process these types of data in conformity with the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles and will continue to apply the Principles to personal data received under the application of the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles as long as it holds this data.Purposes for which we may collect and use Personal Data from our customers, consumers and other non- employees include:
    1. Communicating to individuals about our products, services and related issues.
    2. Notifying individuals of, and administering, contests, sweepstakes, promotions and other offers.
    3. Evaluating the quality of our products and services.
    4. Allowing individuals to register for our websites, online communities and other social networking services, and administering and processing these registrations.
    5. Transferring Personal Data in connection with Simpligov’ legal, regulatory compliance and auditing purposes.
    6. Facilitating Simpligov’ internal administrative purposes and application functionality, maintaining, administering and complying with Simpligov’ legal, regulatory compliance and auditing obligations, policies and procedures.
    7. Execution of contracts and delivery of products and services to customers; execution and management of development etc.

    Simpligov also collects Personal Data concerning its employees and candidates for employment (Human Resources Data) in connection with administration of its human resources programs and functions and for purpose of communicating with its employees. Simpligov also applies the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles to this data. Further information in this regard can be found in Simpligov’ Human Resources Privacy Policy available for employees in the Intranet.

    We may share Personal Data within the U.S. family of Simpligov companies. Simpligov may also share Personal Data with its third-party Agents for the sole purpose of, and only to the extent needed to, support Simpligov’ or our customers’ business needs. We may also disclose Personal Data to our Agents in the U.S. and other third parties when required to do so under law or by legal process. Third Party Agents are required to keep confidential Personal Data received from Simpligov and may not use it for any purpose other than originally intended.

  2. CHOICE
    Simpligov will offer individuals in the EEA, UK or Switzerland the opportunity to choose (by either opt-out or opt- in) if their Personal Data is (a) to be disclosed to a third party that is not an Agent, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.For Sensitive Personal Data, Simpligov will give individuals the opportunity to affirmatively and explicitly consent (opt-in) to permit Simpligov to (a) disclose their Sensitive Personal Data to a third party that is not an Agent or (b) use Sensitive Personal Data for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.Simpligov will provide individuals with reasonable, clear and conspicuous and readily available mechanisms to exercise these choices.
  3. ACCOUNTABILITY FOR ONWARD TRANSFER
    Simpligov will transfer Personal Data to Agents only for limited and specific purposes. Simpligov will obtain contractual assurances from its Agents that they will safeguard Personal Data in a manner consistent with this Policy and that they will provide at least the same level of protection as is required by the relevant the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles. Simpligov recognizes its responsibility and potential liability for onward transfers to Agents. Where Simpligov has knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Policy and/or the level of protection as required by the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles, Simpligov will take reasonable steps to prevent, remediate or stop such use or disclosure. If Simpligov transfers Personal Information to non-agent third parties acting as a Controller, Simpligov will apply the Notice and Choice principles and will obtain contractual assurance from these parties that they will provide the same level of protection as is required under the principles, unless a derogation for specific situations under European data protection law applies. If you are an EU, UK, or Swiss Individual, where we transfer your personal data to third party service providers who perform services for us on our behalf, we are responsible for the processing of that data by them and shall remain liable if they process your personal data in a manner inconsistent with the DPF Principles referred to in this policy, unless we prove that we are not responsible for the event giving rise to the damage. 
  4. ACCESS
    Upon request and in accordance with the v, Simpligov will grant individuals reasonable access to their Personal Data that is held by Simpligov. In addition, Simpligov will take reasonable steps to permit individuals to correct, amend, or delete their Personal Data that is demonstrated to be inaccurate, incomplete or processed in violation of the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles. In accordance with the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles, Simpligov may limit or deny access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, where the legitimate rights of persons other than the individual would be violated or if necessary to safeguard important countervailing public interests (e.g., national security) or in other limited circumstances (e.g., disclosure would breach a legal or other professional privilege).
  5. SECURITY
    Simpligov will take reasonable precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
  6. DATA INTEGRITY AND PURPOSE LIMITATION
    Simpligov will use Personal Data only in ways that are compatible with the purposes for which it was originally collected or as subsequently authorized by the individual. Simpligov will also take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. Simpligov will adhere to the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles for as long it retains Personal Information received under its the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles certification.
  7. RECOURSE, ENFORCEMENT AND LIABILITY
    Simpligov utilizes the self-assessment approach to verify its compliance with this Policy. Simpligov periodically verifies that this Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles. Simpligov will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles. Simpligov will also investigate suspected infractions of this Policy. Simpligov is also subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

    Simpligov Privacy and Information Security programs include adequate training for employees and personnel on their responsibilities with reference to the implementation of the the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles. If Simpligov determines that any employee of Simpligov is in violation of this Policy, such person will be subject to disciplinary action up to and possibly including termination of employment.

    In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, SimpliGov LLC commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals and Swiss individuals with inquiries or complaintsregarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact SimpliGov LLC at [email protected]. 

    Simpligov, LLC. respects individuals’ privacy, and strives to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it and its subsidiaries do business. This Data Privacy Framework (DPF) Policy (the “Policy”) describes the privacy principles as follows with respect to certain personal information transmitted to Simpligov in the United States of America (the “U.S.”) from countries located within the European Economic Area and Switzerland.

    In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, SimpliGov LLC commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

    In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, SimpliGov LLC commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to VeraSafe Data Privacy Framework (DPF) Dispute Resolution Procedure , an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/ for more information or to file a complaint.  The services of Versafe are provided at no cost to you.

    For Employee Personal Data, Simpligov is committed to cooperate with the different national EU Data Protection Authorities (“DPAs”) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the dispute resolution procedures such DPAs may indicate in cases of complaints by Employees as well as with any regulations or guidelines such DPAs may issue from time to time in in accordance with Switzerland, EU and Member State data protection legislation. Simpligov undertakes to register and/or keep its registration updated as a data controller and/or processor in all jurisdictions where Simpligov maintains entities in the EU and Switzerland.

    Where a complaint cannot be resolved by any of the before mentioned recourse mechanisms, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.

    In the event that Simpligov or such authorities determines that Simpligov failed to comply with this Policy, Simpligov will take appropriate steps to address any adverse effects arising directly from such failure and to promote future compliance.

5. Limitations

  1. SimpliGovs’ adherence to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, e.g. in the course of lawful requests by public authorities (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.

6. Contact information

  1. Questions or comments regarding this Policy or our practices concerning Personal Data should be submitted to Simpligov by mail or e-mail as follows:

    Chief Information Officer,
    Simpligov, LLC.
    1724 10th Street, Suite 115
    Sacramento, CA 95811, United States of America
    e-mail: [email protected]

    If you are a citizen of an EEA member state, you may also address any unresolved complaints to the panel of the EU Data Protection Authorities at the following address:

    http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

7. Changes to this Policy

  1. This Policy may be amended from time to time, consistent with the requirements of the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles. Appropriate public notice will be given concerning such amendments.