Updated: March 28, 2019
Nullable, Inc. dba Aware, a Delaware Corporation (“Aware”) strives to properly address applicable data protection and privacy legal requirements. Aware recognizes that the European Union (“EU”) has an “omnibus” data protection regime established pursuant to the General Data Protection Regulation (2016/679) (“GDPR”). Among other things, GDPR generally requires “adequate protection” for personally identifiable information related to individuals in the EU (“PII”) that Aware transfers outside of the EU. To address this requirement, Aware adheres to the EU-U.S. Privacy Shield Privacy Principles published by the US Department of Commerce (“Privacy Shield”) with respect to European PII. For more information about the Privacy Shield, please refer to the Privacy Shield website at https://www.privacyshield.gov/.
The types of PII that Aware may receive include, but are not necessarily limited to, personal data including vendor management data, content communications, and data from visitors to our websites.
In addition, to the extent such information is included in the processed content communications and customers’ collaborative platforms, Aware may receive HR Data and PII that is “sensitive” within the meaning of the Privacy Shield in a few instances. To the extent such information is accessible or communicated through the Aware customers’ collaborative platforms, Aware may receive information that includes genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership.
Uses of PII
Aware will use and otherwise process PII for the following purposes:
As necessary in connection with these purposes, Aware personnel in the United States may, on a limited basis, access and otherwise process PII in connection with their job responsibilities, as described in Aware's Data and Information security policies. Aware takes appropriate steps to ensure that such personnel are bound by duties of confidentiality with respect to PII.
CHOICE AND ONWARD TRANSFER
Aware will only use PII for the purposes for which such data was originally collected and will not disclose PII to any third party, except with the appropriate consent of the affected individuals or as otherwise permitted under the Privacy Shield. In cases of onward transfer to third parties, Aware remains responsible and liable under the Privacy Shield Principles if third parties process data in a manner inconsistent with the Principles, unless Aware proves that it is not responsible for the event giving rise to the damage.
DATA SECURITY AND DATA INTEGRITY
Aware maintains reasonable security measures to safeguard PII from loss, misuse, unauthorized access, disclosure, alteration, or destruction. Aware also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete, and current.
Individuals in the EU have the ability to access, review and update their own PII in accordance with applicable law. Individuals in the EU should transmit requests for access to their own PII, in writing, to the Privacy Shield Contact identified below. Individuals noticing changes or inaccuracies in their PII are responsible for informing the Privacy Shield Contact of such changes so that the PII may be updated or corrected.
DISCLOSURES REQUIRED OR PERMITTED BY LAW
ENFORCEMENT AND CONTACT INFORMATION
The Federal Trade Commission has jurisdiction over Aware's compliance with the Privacy Shield. Aware has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning European Citizen Data transferred from the EU. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. Information regarding local contact information for local data protection authorities can be found at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. For any residual claims, an individual may invoke binding arbitration as set forth in Annex I of the Privacy Shield, provided that such individual has invoked binding arbitration by delivering notice to Aware's Privacy Shield Contact in accordance with the procedures and subject to the limitations set forth in Annex I of the Privacy Shield. In particular, an individual who decides to invoke this arbitration option must first: 1) raise the claimed violation directly with Aware and afford Aware an opportunity to resolve the issue within the timeframe set forth in Section III.11(d)(i) of the Privacy Shield; 2) make use of the independent recourse mechanism under the Privacy Shield; and 3) raise the issue through their Data Protection Authority to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the International Trade Administration of the Department of Commerce.
Aware Privacy Shield Contact:
Chief Operating Officer
111 Liberty St.
Columbus, OH 43215
Phone: (844) 433-3326