Expedient Data Privacy Framework Principles

Expedient complies with the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”) Principles and the UK Extension to the EU-U.S. DPF Principles, and the Swiss-U.S. Data Privacy Framework (the “Swiss-U.S. DPF”) Principles as set forth by the U.S. Department of Commerce. Expedient has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (the “EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Expedient has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (the “Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Expedient is subject to the jurisdiction of the Federal Trade Commission.

This Policy for Compliance with the Data Privacy Framework Principles (“Policy”) covers Expedient’s storage and transmission of Personal Data made available to Expedient by its clients that have access to the Personal Data of individuals who reside in the European Economic Area (which includes the twenty-seven (27) member states of the European Union plus Iceland, Liechtenstein, Norway, Switzerland and the United Kingdom that participate in the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF or the Swiss-U.S. DPF). Personal Data is data about an identified or identifiable individual received by Expedient from clients located in the EEA. Clients are business entities that operate in the EEA and use Expedient’s services to store Personal Data at Data Centers operated by Expedient and located in the United States. Expedient does not directly collect, record, use, organize, disclose, adapt, alter, disseminate, erase or destroy Personal Data received from clients located in the European Economic Area. Expedient does not store the Personal Data of its clients on its own behalf or for any purpose of its own.

Before agreeing to process any Personal Data from its clients at its U.S.-based Data Centers, Expedient will ask those clients to acknowledge and agree that they have complied with the Data Privacy Framework Principles of transparency, legitimate purpose and proportionality. Expedient will cooperate with each client to ensure compliance with the Data Privacy Framework Principles.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Expedient commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS Data Privacy Framework Dispute Resolution (hereafter “JAMS”), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you. Complaining parties may also, in the absence of a satisfactory resolution by Expedient in cooperation with JAMS, seek to engage in binding arbitration through an arbitrator identified by the U.S. Department of Commerce and the European Commission or Swiss Federal Administration, as applicable, pursuant to the Data Privacy Framework Principles.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Expedient commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

Except for incidental access resulting from a client’s authorized request for technical assistance with Expedient services, Expedient’s employees do not have access to Personal Data stored within our Data Centers. Expedient will comply with a request to provide access to its Data Centers that store information systems hosting Personal Data only in response to lawful requests by public authorities, including meeting national security or law enforcement requirements, in accordance with the Data Privacy Framework Principles. For clarity, Expedient is a sub-processor of the Personal Data that its clients collect and either store with us or utilize Expedient services to process such Personal Data.

Expedient works hard to protect all Personal Data stored on information systems hosted at its Data Centers from unauthorized access, unauthorized alteration, disclosure or destruction. Expedient has strict policies regarding access to its Data Centers, has developed administrative, technical and organizational controls to protect Personal Data, and undertakes annual reviews of its security policies.

Expedient has certified to the U.S. Department of Commerce that it adheres to the DPF Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability with respect to all personal data received from the EU, UK, or Switzerland in reliance on the DPF. However, Expedient does not transfer Personal Data stored in information systems at its Data Centers unless it is directed to do so by a client. Expedient works with its clients to ensure compliance with the Accountability for Onward Transfer requirements for any transfer of Personal Data initiated by such client. If Expedient is directed to transfer Personal Data to a third party acting as an agent, Expedient will make sure that the third party subscribes to the Data Privacy Framework Principles or can present evidence that such third party has otherwise complied with the requirements for permitted transfer under the EU’s General Data Protection Regulation.

In instances when Expedient collects Personal Data directly from users, we offer those users the opportunity to choose whether their Personal Data may be (i) disclosed to third-party Controllers or (ii) used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorized by the relevant user. To the extent required by the Data Privacy Framework Principles, either Expedient or the client providing the Personal Data obtains opt-in consent for certain uses and disclosures of Sensitive Data. Individuals may contact Expedient as indicated below regarding the company’s use or disclosure of their Personal Data. Unless Expedient offers users an appropriate further choice, the company uses Personal Data only for purposes that were disclosed at the time it was collected or which are otherwise indicated in this Policy.

The above choice does not apply where the sharing of your Personal Data is with a third party who is acting as our agent (such as our service providers who perform services that help us to run our business). We will not provide your Personal Data to a third party under these circumstances unless we have a contract in place with that third party that requires the third party to comply with the Data Privacy Framework Principles. However, Expedient shall remain liable should a third party process Personal Data in a manner that is inconsistent with the Data Privacy Framework Principles.

Expedient may amend this Policy from time to time by posting a revised Policy, which is located at /services/managed-services/compliance-security/privacy-framework/. Expedient will amend this Policy in a manner consistent with the requirements of the Data Privacy Framework Principles.

Expedient

Attn: Data Privacy Framework Compliance Officer
1 Allegheny Square, Suite 600
Pittsburgh, PA 15212

Effective Date: April 17, 2024
