This Policy applies to all Personal Data received by Episerver in the United States from the European Union in any tangible and/or electronic medium.
For purposes of this Policy, the following definitions shall apply:
"Agent" means any third party that uses Personal Data provided by Episerver to perform tasks on behalf of and under the instructions of Episerver.
"Department" means the Department of Commerce or its designee.
"Episerver" means Episerver, AB., Episerver Inc., and its affiliates, predecessors, successors, subsidiaries, divisions and groups.
"Personal Data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and includes any information or set of information that identifies or could be used by or on behalf of Episerver to identify an individual.
NOTICE AND PURPOSE OF COLLECTION: Episerver customers determine the types of data they submit to Episerver to process on their behalf in the course of using Episerver services. Episerver has no direct relationship with the individuals whose information it receives from its customers or their business partners. Episerver does not control such information, does not select or determine the specific types of data that it processes, and does not determine the purpose for which it is processed.
In other instances, Episerver may collect Personal Data when performing expert services at its customers’ request, to provide customer support, in general support of its customer relationships, which may include but are not limited to marketing activities, fulfilling product orders, to improve product offerings, customer surveys, questionnaires, responses to comments, etc., to download software and/or gain access to and/or enable certain products or services, for internal business processes, such as financial processing, responding to informational requests, and to comply with applicable laws.
Episerver also receives human resource-related personal information from its partners and affiliates and may share such information with the same in the ordinary course of business and for general employee administration purposes.
Where Episerver receives Personal Data from its subsidiaries, affiliates or other entities in the European Union, it will use such information in accordance with the privacy notices provided by such entities and the choices made by the individuals to whom such Personal Data relates.
ACCESS: Individuals may access their Personal Data by sending a request to Episerver at the notices address below. Episerver will provide the choices and means to individuals and may limit the use and disclosure of their Personal Data upon request.
In some cases, Episerver has limited access to data we process on behalf of our customers in connection with our services. Therefore, requests to access, correct, amend, remove and/or limit the use and disclosure of Personal Data that Episerver processes on behalf of its customers should include the name of the Episerver customer who submitted your Personal Data to Episerver. We will forward such requests to the identified customer to respond directly to you and we will provide any necessary assistance in that customer’s response to your request.
COMPELLED DISCLOSURE: Episerver may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
DISPUTE RESOLUTION: Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the notices address given below. Episerver will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy. For complaints that cannot be resolved between Episerver and the complainant, Episerver has agreed to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the Privacy Shield Principles. Under certain conditions, as more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, individuals may be able to invoke binding arbitration before the Privacy Shield Panel jointly created by the U.S. Department of Commerce and the European Commission.
CHOICE: Episerver will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
For sensitive information (i.e., Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual; the commission or alleged commission by the individual of any offense; or any proceedings for any offense committed, or alleged to have been committed, by the individual, the disposal of such proceedings or the sentence of any court in such proceedings), Episerver will obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. Individuals may withdraw their consent at any time. In addition, Episerver will treat as sensitive any Personal Data received from a third party where the third party identifies and treats it as sensitive.
DATA INTEGRITY: Episerver will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. Episerver will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual and will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current for so long as Episerver holds such information. Episerver will only hold such information for so long as it serves the purpose as described herein.
TRANSFERS TO AGENTS: If Episerver transfers data to a third party agent, Episerver will: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Episerver’s obligations under the Principles; (iv) require the agent to notify Episerver if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. Episerver will facilitate the exercise of data subject rights under (GDPR) Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
SECURITY: Episerver will take all reasonable and appropriate organizational and technical measures to protect Personal Data from loss, misuse, unauthorized and unlawful access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
ENFORCEMENT AND COMPLIANCE: Episerver will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that Episerver determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. Upon its certification, Episerver will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield and/or to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Episerver is subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to its compliance with the EU-U.S. Privacy Shield Framework. If Episerver becomes subject to an FTC or court order based on non-compliance, Episerver will make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. Episerver may be required to disclose Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requests.
ONWARD TRANSFER LIABILITY: If a third party processes Personal Data on behalf of Episerver in a manner inconsistent with the Privacy Shield Principles, Episerver could be liable unless Episerver can prove that it is not responsible for the event giving rise to any damage.
Questions or comments regarding this Policy should be submitted to Episerver by mail.
or write to –
c/o Legal Department
542 Amherst Ave
Nashua, NH 03063
This Policy may be amended from time to time, consistent with the requirements of the Principles. Appropriate public notice will be given concerning such amendments.
EFFECTIVE DATE: January 20, 2017