In addition to other terms defined herein, the following definitions shall apply to this Policy:
- “PI” means personal Data about an identified or identifiable individual, such as names and addresses.
- “Processing” or “Processes” are operations involving PI.
- “EU Person” is an individual in an EU member state.
- “EUPI” is PI that is within the scope of the Framework, received by MMT from an EU Person located in an EU member state, and recorded in any form.
II. Collection, Use and Disclosure
MMT only collects, obtains access to, Processes and uses Data as necessary for and/or relevant to its proper business purposes of: offering and providing non-emergency transportation services; backing up Data for business continuity, disaster recovery and archival purposes; maintaining security of services, systems, networks, and Data; and complying with laws, regulations, professional standards, contract terms, court orders, administrative or judicial processes, subpoenas and search warrants (“Purposes”). When appropriate, MMT provides clients and personnel with access to their Data to correct, amend or delete such Data. Unless restricted by law, regulation, professional standards or contract, MMT may disclose certain Data to its personnel or to third parties: for Purposes; with regard to a merger, sale, assignment or other transfer of MMT; to protect MMT’s legal interests; in connection with internal business practices; with consent by the Data owner; and when necessary to respond to an emergency that may threaten risk of harm to or destruction of person, property or Data. Except as part of a merger, sale or other significant entity change, MMT will not sell, rent or lease PI. MMT requires most personnel to execute confidentiality agreements, and assesses all third-party agents and subcontractors for suitability and reliability, given the nature of the Processing activity and Data involved. Third-party contracts typically address confidentiality, privacy and security obligations, as well as notification of known or suspected security breaches, misappropriation, or unauthorized disclosure and use of Data.
III. Framework Principles
With regard to collection, use, retention and Processing of EUPI, MMT adheres to the Privacy Shield Principles set forth in the Framework.
If MMT obtains EUPI directly from any EU Person, it will notify such EU Person of: the purposes for which it collects and uses their EUPI; how the individual can contact MMT with inquiries or complaints about such use; the types of third parties (if any) to which MMT discloses such EUPI; and the choices and means that MMT offers for limiting the use and disclosure of their EUPI. Choices and means of limiting use and disclosure of PI may include use of encryption technology, limiting support options, providing separate backup mechanisms, and/or ceasing provision of certain products and services. Notice will be provided in clear and conspicuous language when MMT first asks any EU Person to provide PI to MMT, or as soon as practicable thereafter, and in any event before MMT processes such information for a purpose other than that which it was originally collected, or discloses it for the first time to a third party. If EUPI is provided to MMT by its entity clients, notice will not be provided to the relevant EU Person by MMT, however MMT will use and disclose such EUPI in accordance with the purpose for which it was originally collected by the client and with consents made, so long as the client makes MMT aware of such purpose and consents. MMT clients are responsible for providing notice to all EU Persons who are the subject of Data and PI provided by such client to MMT.
MMT will offer EU Persons providing EUPI directly to MMT the opportunity to choose (opt-out) whether their PI will (a) be disclosed to a third party (unless that disclosure is required or allowed by contract), or (b) be used for a purpose that is incompatible with the purpose for which that information was originally collected or subsequently authorized by the EU Person. MMT will provide EU Persons with clear and conspicuous, readily available and affordable mechanisms to exercise their choices. For sensitive EUPI (which specifies medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or regarding gender and sexuality), MMT will give EU Persons the explicit choice to consent (opt-in) to disclosure to a third party, or use for a purpose other than that for which that information was originally collected or subsequently authorized by the EU Person via exercise of the opt-in choice. If any EUPI is provided to MMT by its clients, choice will not be provided to the EU Person by MMT, however MMT will use and disclose such EUPI in accordance with the purpose for which it was originally collected by the entity client and with consents made, so long as the client makes MMT aware of such purpose and consents. MMT clients are responsible for obtaining consent from and providing choice to all EU Persons who are the subject of Data and PI provided by such client to MMT.
3. Accountability for Onward Transfer
MMT will apply the notice and choice principles in providing EUPI collected directly from an EU Person and thereafter provided to a third party. MMT is potentially liable in cases of onward transfers of EUPI to third parties. Accordingly, MMT will obtain assurances that its agents and subcontractors subscribe to the EU-US Privacy Shield Privacy Principles or otherwise use safeguards consistent with this Policy.
MMT will take reasonable precautions to protect EUPI in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. MMT follows industry standard security measures, which include physical, administrative and technical safeguards and controls designed to protect EUPI and other Data from loss, misuse, unauthorized access, disclosure, alteration or destruction. MMT takes precautions in its efforts to ensure that access to EUPI is available only to those who are authorized. No protocol, encryption, or other precaution can provide complete security for electronic Data, so MMT does not provide a guarantee of total security. Moreover, the privacy of information regarding the employees, customers and business associates of MMT’s clients is the responsibility of such clients; MMT clients have the only direct relationship with these Data subjects. MMT follows commercially reasonable measures for retention and destruction of Data, including EUPI. Where appropriate, Data is deleted and/or disposed of effectively and securely. Even if destruction is requested by a client, personnel or EU Person, it may still be necessary for MMT to retain certain Data pursuant to law, contract terms or to comply with internal retention and destruction policies.
5. Data Integrity and Purpose Limitation
MMT will use EUPI only in ways that are relevant for the Purposes for which it was collected or authorized by the relevant EU Person. MMT will take reasonable steps designed so that EUPI Processing is performed as intended, and in an accurate, complete and current manner.
Upon request, MMT will grant EU Persons reasonable access to their EUPI held by MMT, and will take reasonable steps to permit corrections, amendments, or deletions of inaccurate or incomplete EUPI, except where the burden or expense of providing access would be disproportionate to the risks to the EU Person’s privacy in the case in question, or where the rights of other persons would be violated.
7. Recourse, Enforcement and Liability
8. Self-Assessment Verification
To ensure compliance with Framework Privacy Principles set forth in Section III of this Policy, MMT will conduct an annual independent audit of its practices, which shall include confirming (a) the Policy and posting revised versions of the Policy in a conspicuous place on MMT’s website where employees and clients can see them; (b) the Policy is accurate, comprehensive and conforms to the Framework’s principles; (c) annual renewal of EU-US Privacy Shield self-certification with the US Department of Commerce; (d) inclusion of MMT’s name on the US Department of Commerce’s EU-US Privacy Shield list of compliant companies; (e) appropriate employee training and internal procedures exist for periodic reviews of MMT’s compliance with the Policy. Any employee that MMT determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.
9. Dispute Resolution
In compliance with the EU-US Privacy Shield Principles, MMT commits to resolve complaints about privacy and the collection or use of EUPI free of charge. EU Persons with inquiries or complaints regarding this Policy may first contact Marquee Medical Transportation, Attention Jake Ross, Owner, either by email at email@example.com or by phone at (858) 412-0399. MMT has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. In addition, the Federal Trade Commission has jurisdiction to hear any claims of unfair or deceptive practices or violations of laws or regulations governing privacy. Under certain limited conditions, EU Persons may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.
MMT’s adherence to the Framework principles may be limited and MMT may be required to disclose EUPI in response to a lawful request by public authorities; to meet national security or law enforcement requirements; where there is a conflicting or overriding legal obligation; to the extent expressly permitted by any applicable law, rule or regulation; or where MMT receives EUPI as a Processor acting on the instructions of a client, in which case MMT will receive such EUPI merely for Processing in accordance with Purposes. MMT clients will remain responsible for compliance with applicable laws and the Framework Privacy Shield Principles with regard to all PI provided by such clients to MMT. MMT client contracts contain strict restrictions that prohibit clients from accessing or reviewing other clients’ Data.
IV. Application and Exceptions
Questions and concerns regarding this Policy and its terms or regarding suspected misuse of Data should be directed to Marquee Medical Transportation, Attention Jake Ross, Owner, either by email at firstname.lastname@example.org or by phone at (858) 412-0399. MMT will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Data in accordance with the principles contained in this Policy. The effective date of this Policy is: December 1, 2018.