VISUAL COMPLIANCE PRIVACY SHIELD POLICY
Descartes Visual Compliance (USA) LLC doing business as Visual Compliance ("Visual Compliance") has adopted this Privacy Shield Policy ("Policy") to establish and maintain an adequate level of Personal Data privacy protection. This Policy applies to the processing of Personal Data that Visual Compliance obtains from Customers located in the European Union and European Economic Arrangement and Switzerland to which Privacy Shield applies.
The Federal Trade Commission (FTC) has jurisdiction over Visual Compliance's compliance with the Privacy Shield.
All Visual Compliance employees who handle Personal Data from EU and EEA countries and Switzerland are required to comply with the Principles stated in this Policy.
"Business Data" means data that is entered or uploaded for processing by Customer in order to carry out International Trade Compliance functions. Depending on the function selected, Business Data may include information about trading partners and other types of business contacts, products or trade transactions.
"Customer" means a company or other institution who has contracted with Visual Compliance to use the Services.
"Customer/User Information" means information about Customer or its employees, agents or other persons acting on behalf of Customer who are registered users of the Services or communicate with Visual Compliance in relation to Customer's use of the Services.
"Customer Personnel" means employees, agents or other persons acting on behalf of Customer who are registered users of the Services or communicate with Visual Compliance in relation to Customer's use of the Services.
"Data Subject" means an identified or identifiable natural living person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Europe" or "European" refers to a country in the European Union or European Economic Arrangement (EEA) that is be covered by the Privacy Shield program.
"Personal Data" as defined under the EU Regulation 2016/679 per 25 May 2018 ("GDPR") means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified , directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Sensitive Data" means Personal Data that discloses a Data Subject's medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership.
"Services" means the SAAS software and related services provided by Visual Compliance.
"Third Party" means any individual or entity that is neither Visual Compliance nor a Visual Compliance employee, agent, contractor, or representative.
This Policy applies to the processing of Personal Information that Visual Compliance receives in the United States concerning Customer Personnel who reside in the European Union (or EEA) or Switzerland. Visual Compliance provides products and services to businesses only.
This Policy does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. (The use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible.)
3. Visual Compliance's Role as an SAAS Software Service Provider
Visual Compliance provides a hosted SAAS software service that provides customers with a number of Export Compliance functions including but not limited to denied party screening and product classification. Visual Compliance also provides other related offerings to its Customers.
In providing the Service, Visual Compliance receives Business Data submitted for processing by the Service and Customer/User Data required to provide the Services and manage the business relationship between Visual Compliance and the Customer.
In receiving and processing the Business Data, Visual Compliance acts as a Data Processor, receiving, processing and storing any Personal Data it may contain only as directed by Customer.
4. Responsibilities and Management
Visual Compliance has designated the Legal Department to oversee its information security program, including its compliance with the EU - US Privacy Shield and Swiss-US Privacy Shield programs. The Legal Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to:
Visual Compliance will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. Visual Compliance personnel will receive training, as applicable, to effectively implement this Policy.
5. Renewal and Verification
Visual Compliance will renew its EU - US Privacy Shield and Swiss – US Privacy Shield certification annually, unless it subsequently determines that it no longer needs such certifications or if it employs a different adequacy mechanism.
Prior to the re-certification, Visual Compliance will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Customer Contact are accurate and that the company has appropriately implemented these practices.
6. Collection of Personal Data
Visual Compliance is a provider of SAAS software subscription services that help Customers manage International Trade Compliance. In using these Services, Customer Personnel may, on behalf of Customer, enter or upload Business Data for processing and storage on the Service. This data may include Personal Information about Customer's trade partners and other individuals or legal entities. When receiving, processing and storing Business Data, Visual Compliance is acting solely as a Data Processor and performs these actions only as directed by Customer. Business Data regarding individuals and entities that is processed and stored on the Service consists of names and addresses as well as other optional information, as determined by the Customer.
Visual Compliance provides the Services to companies who license the Services on a subscription basis. Visual Compliance collects Customer/User Data when Customer Personnel purchase Service subscriptions on behalf of Customer, set up user accounts, log in to their account, complete surveys, request information or otherwise communicate with us. For example, Visual Compliance Customer Personnel may seek telephone or email support for the service or to manage their account.
The Customer/User Data that we collect may vary based on the types of interactions that Customer Personnel have with Visual Compliance. As a general matter, Visual Compliance collects the following types of Personal Data from its Customer Personnel: work contact information, including a contact person's name, work email address, work mailing address, work telephone number, title, and company name. In order to collect payment for Services, Customer company level credit card and/or bank account information may be collected.
When Customer Personnel use our services online, we will collect their IP address and browser type. We may associate IP address and browser type with a specific Customer.
7. Use of Personal Data
Business Data entered or uploaded to the Services by Customer Personnel is used only to carry out the functions and processes initiated by Customer Personnel on behalf of Customer. For example, Customer Personnel may initiate screening of trade partners or other individuals for presence on US or international watch lists or process trade transactions such as imports or exports in which such individuals have participated.
Visual Compliance uses Personal Data that it collects directly from its Customer Personnel for the following business purposes, without limitation:
8. Disclosures/Onward Transfer of Personal Data
Visual Compliance will not disclose Personal Data to a third party, except as stated below:
Visual Compliance may disclose Personal Data to subcontractors and third-party agents who assist Visual Compliance in providing Services to its customers and prospective customers. Before disclosing Personal Data to a subcontractor or third-party agent, Visual Compliance will obtain assurances from the recipient that it will: (a) use the Personal Data only to assist Visual Compliance in providing the Services; (b) provide at least the same level of protection for Personal Data as required by the Principles; and (c) notify Visual Compliance if the recipient is no longer able to provide the required protections. Upon notice, Visual Compliance will act promptly to stop and remediate unauthorized processing of Personal Data by a recipient. Visual Compliance will remain liable for onward transfers to its subcontractors and third-party agents.
Visual Compliance may also be required to disclose, and may disclose, Personal Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. If such a request involves Business Data being processed for a Customer, to the extent permitted, Visual Compliance will inform Customer before making such disclosure and provide it with a reasonable opportunity to object to such disclosure.
9. Sensitive Data
Visual Compliance does not collect Sensitive Data.
10. Data Security
Visual Compliance has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. For example, electronically stored Personal Data is stored on a secure network with firewall protection, and access to Visual Compliance's electronic information systems requires user authentication via password or similar means. Visual Compliance also employs access restrictions, limiting the scope of employees who have access to Personal Data. Further, Visual Compliance uses secure encryption technology to protect certain categories of personal data.
11. Data Integrity and Purpose Limitation
Customer is responsible for a) limiting their collection of Business Data containing Personal Data to that which is necessary to accomplish the purposes disclosed to Data Subjects and compatible purposes; b) ensuring that Personal Data they collect is accurate, complete, current and reliable for its intended uses; c) providing Visual Compliance with instructions for the processing of Personal Data consistent with such purposes. Visual Compliance will process Personal Data only in accordance with the customer's or prospective customer's instructions.
In the performance of Services, Visual Compliance will request only information required to perform the applicable Services and will retain such information only for as long as necessary to provide the Services or for compatible purposes, such as to provide additional Services, to comply with legal requirements (such as document retention standards), or to preserve or defend Visual Compliance's legal rights.
Visual Compliance shall only process Customer/User Data in a way that is compatible with and relevant for the purpose(s) for which it was collected or authorized by the individual. To the extent necessary for those purposes, Visual Compliance shall take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use.
When Visual Compliance receives Business Data, it does so on Customer's behalf. Customer is responsible for providing access to, or correction, amendment or deletion of Personal Data contained within Customer's Business Data to their Data Subjects.
Customer Personnel have the right to know what Personal Data about them has been collected and stored and to ensure that such Personal Data is accurate and relevant for the purposes for which Visual Compliance collected it.
Upon reasonable request and as required by the Privacy Shield principles, Visual Compliance allows Customer Personnel access to their Personal Data, in order to correct or amend such data where inaccurate. Customer Personnel may edit their Personal Data by contacting Visual Compliance by phone or email. To request erasure of Personal Data, Customer Personnel should submit a written request to Visual Compliance.
When Visual Compliance receives and processes Business Data, it does so on Customer's behalf. Customer is responsible for providing their Data Subjects with the ability to request limitation of the use or disclosure of their Personal Data. Visual Compliance will cooperate with Customers' instructions regarding Data Subjects' choices.
When required by the Privacy Shield, Visual Compliance will offer individuals the opportunity to opt out of (1) disclosures of Personal Information to a third party, or (2) our use of Personal Information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual. Customer may also opt out of any newsletters, product announcements or other informational communications.
14. Enforcement and Dispute Resolution
In compliance with the EU – US Privacy Shield Principles and Swiss – US Privacy Shield Principles, Visual Compliance commits to resolve complaints about your privacy and our collection or use of your personal information. EU, EEA and Swiss individuals with questions or concerns about the use of their Personal Data should contact us at: .
If a Customer's question or concern cannot be satisfied through this process, Visual Compliance has further committed to refer unresolved privacy complaints under EU – US Privacy Shield or Swiss – US Privacy Shield to an independent dispute resolution mechanism operated by the ICDR/AAA.
If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed by Visual Compliance, EU, EEA and Swiss individuals may bring a complaint before the ICDR/AAA Privacy Shield Program which is accessible at http://go.adr.org/privacyshield.html.
Finally, as a last resort and in limited situations, EU, EEA and Swiss individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
15. Changes to This Policy
Visual Compliance may revise this Policy at any time. If Visual Compliance decides to materially change this Policy, Visual Compliance will post the revised Policy at this location.