EU-US Privacy Shield and Swiss-US Privacy Shield Policy
The European Union (“EU”) adopted Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“EU Directive”), which requires EU member countries to adopt laws protecting personal data collected within their borders. Switzerland adopted the Swiss Federal Data Protection Act (“SFDPA”) and the Data Protection Ordinance (“DPO”), which regulate all acts of personal data processing. In accordance with Article 2a of the EU Directive, and the SFDPA and DPO, personal data includes any information relating to an identified or identifiable natural person (“Personal Data”). The EU Directive, SFDPA and DPO allow the transfer of Personal Data only to countries that have data protection laws deemed “adequate” under the respective legal frameworks. The US Department of Commerce has agreed on the requirements to enable US Companies to satisfy the mandate under EU law and Swiss law that adequate protection be given to Personal Data transferred from the EU or Switzerland to the US. For EU and Swiss citizens’ Personal Data, these requirements are memorialized in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework.
Zapproved has certified with the Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.
Zapproved complies with the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. Zapproved has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. As an e-discovery company, we collect and store data at the direction of and on behalf of our customers, rather than directly from individuals. All data Zapproved collects and/or retains on behalf of our customers is kept pursuant to strict privacy and confidentiality practices, and Zapproved does not disclose data to third parties.
The United States Federal Trade Commission (FTC) is the enforcement authority with jurisdiction over Zapproved’s compliance with the Privacy Shield.
Attention: VP of Product Strategy
1414 NW Northrup St. Ste. 700
Portland, OR 97209 USA
Zapproved is committed to providing, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved. Zapproved has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. Zapproved is also committed to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
Processor on Behalf of Customers
Zapproved provides software as a service designed to help companies manage their legal hold notification and preservation process, as well as collect and process data related to corporate legal and IT needs. In this capacity, Zapproved does not own or control any of the information it processes on behalf of its customers. Zapproved receives information transferred from the EU and Switzerland to the United States merely as a processor on behalf of our customers.
Zapproved has appointed a corporate leader of fair information practices who is responsible for the internal supervision of Zapproved’s privacy policies. Zapproved has also appointed a corporate leader for data security. Zapproved is committed to educating its customers and associates (employees) in the United States about the issues, guidelines and laws surrounding compliance with the Privacy Shield Framework.
The corporate leader for fair information practices is available to any associate who has questions concerning Zapproved’s Privacy Shield Policy or data security practices.
Zapproved’s policies and manner of compliance are described separately below.
Zapproved as a Processor on Behalf of Customers
When Zapproved acts as a processor on behalf of its customers, the policies outlined below apply to all data processing operations concerning personal information that has been transferred from the EU and Switzerland to the United States.
Before starting any processing on behalf of Zapproved’s customers, Zapproved will enter into a processing contract with the EU and Swiss data controller responsible for the personal information pursuant to the applicable EU Member State Data Protection law.
The processing contract ensures that the EU and Swiss data controller will be in compliance with the Member State Data Protection law. The processing contract will also specify that the processing will be carried out with appropriate data security measures. Zapproved has in place measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
Any information Zapproved’s customer (acting as the EU and Swiss controller) identifies as sensitive will be treated accordingly. Further, any data processed by Zapproved will not be disclosed to third parties except where permitted or required by the processing contract, EU Privacy Shield, Swiss-US Privacy Shield or the applicable Member State Data Protection law. Zapproved will not disclose personally identifiable information to third parties unless specifically agreed to and at the direction of the data owner, or when we are required by law in response to lawful requests by public authorities to meet national security or law enforcement requirements including subpoenas, court orders or legal process.
As a processor on behalf of Zapproved’s customers (who are the EU controllers), Zapproved is not required to apply other EU Privacy Shield Principles to the personal information received for processing from a customer.
Prior to the transfer of any non-public personal information from the EU and Switzerland to the United States, Zapproved requires contractual confirmation from the EU and Swiss controller from whom Zapproved acquired the information that the personal data has been provided to Zapproved in accordance with the applicable EU Member State Data Protection law, thereby ensuring the data subjects have been provided with proper notice regarding how their personal data will be used. In addition, when personal data is collected directly from data subjects, Zapproved provides the data subject with notice regarding the manner and circumstances in which the personal data will be used and transferred to third parties.
Prior to the transfer of any non-public personal information from the EU and Switzerland to the United States, Zapproved requires contractual confirmation from the EU and Swiss controller from whom Zapproved acquired the information that the personal data has been collected in accordance with applicable EU Member State Data Protection law, thereby ensuring the data subjects have been provided with the proper choice regarding how their personal data may be used.
Zapproved takes reasonable steps to ensure the information transferred from the EU and Switzerland to the United States is reliable, accurate and complete. The steps Zapproved takes to assure data integrity are based on the purposes for which the personal information is used.
Zapproved complies with the notice and choice principles as described above for all data disclosed or transferred to a third party. However, when Zapproved uses data processors to perform processing tasks on behalf of and under the instruction of Zapproved, Zapproved requires that its data processors enter into a written agreement with Zapproved requiring them to provide the same level of protection as Zapproved provides, and Zapproved retains liability for onward transfers to such agents when under the direction of Zapproved.
Zapproved has in place an information security policy to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction. Zapproved has received SOC 2® Type 2 Report certification that it complies with this policy, providing for independent third-party validation that it has controls in place to protect against unauthorized access (both physical and logical).
Zapproved’s security officer is responsible for conducting investigations into any alleged computer or network breaches, incidents or problems and ensuring the proper disciplinary action is taken against those who violate Zapproved’s information security policy.
Any security compromises or potential security compromises and any inquiries concerning security should be reported to the Zapproved consumer advocate. Contact information is provided below.
Zapproved acknowledges the right of EU and Swiss individuals to access information held about them. When Zapproved acts as a Data Processor, Zapproved’s customers are responsible, pursuant to their contractual agreements with the company, for providing individuals with access to their Personal Information and allowing individuals to correct, amend and delete their information, as required by applicable law. Zapproved requires its customers to maintain appropriate procedures for handling individuals’ requests to access, correct or delete their Personal Information, in accordance with applicable law. To exercise these rights, individuals should contact the appropriate Zapproved customer that transferred their Personal Information to Zapproved. Zapproved will cooperate fully with its customers in responding to any such request. In the event a request is made directly to Zapproved, customers are required to cooperate with Zapproved in promptly addressing such requests.
Zapproved agrees to process all reasonable requests for access within a reasonable time period, but reserves the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual’s privacy or in the case of an unwarranted or fraudulent request as provided under “How to Contact Us.”
Zapproved acts as a Data Processor. Individuals should submit complaints concerning the processing of their Personal Information to the company’s customer that originally collected their information in accordance with the customer’s relevant dispute resolution mechanism (if available). Zapproved will participate in the customer’s dispute resolution process at the request of the individual.
How to Contact Us
Please address any questions or concerns regarding this Policy or Zapproved’s practices concerning Personal Information by contacting Zapproved’s VP of Product Strategy by telephone at (888) 806-6750, by email at firstname.lastname@example.org, or in writing addressed to:
Attention: VP of Product Strategy
1414 NW Northrup St. Ste. 700
Portland, OR 97209 USA
Zapproved is a registered trademark of Zapproved LLC.