EXPEDIENT EU-U.S. AND SWISS-U.S. PRIVACY SHIELD POLICY for GENERAL DATA PROTECTION REGULATION (GDPR)

Expedient is a participant in the U.S. Department of Commerce’s EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield programs and has certified that it adheres to the EU-U.S. and Swiss-U.S. Privacy Shield Principles. For more information about the EU-U.S. and Swiss-U.S. Privacy Shield programs, visit the Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov/welcome. Expedient is subject to the jurisdiction of the Federal Trade Commission.

This Privacy Policy (“Policy”) covers Expedient’s storage of Personal Data provided to Expedient by Clients that process Personal Data of individuals who reside in the European Economic Area (which includes the twenty-eight member states of the European Union plus Iceland, Liechtenstein and Norway that participate in the U.S.-EU Privacy Shield) (“EEA”), the United Kingdom, and Switzerland and that are subject to the General Data Protection Regulation (“GDPR”) as a Data Controller or Data Processor, as those terms are defined in the GDPR. Expedient, a Data Processor under GDPR based on its storage of Personal Data of such Clients, has appointed a data protection officer who can be contacted at dpo@expedient.com. Personal Data is data about an identified or identifiable individual. Expedient does not directly collect, record, use, organize, disclose, adapt, alter, disseminate, erase or destroy Personal Data received from Clients in the EEA, the United Kingdom, and Switzerland. Expedient does not store Personal Data on its own behalf or for any purpose of its own.

Before storing any Personal Data from Clients at its Data Centers, Expedient will ask Clients to acknowledge and agree that Clients complied with the Privacy Shield Principles, including: Notice; Choice; Accountability for Onward Transfers; Security; Data Integrity and Purpose Limitation; Access; Recourse; and Enforcement and Liability. Expedient will cooperate with Client to ensure compliance with the Privacy Shield Principles. Expedient does not have any control over the uses its Clients may make of the Personal Data disclosed to them and stored by Expedient.

If individuals whose Personal Data is stored at Expedient’s Data Centers require access to their Personal Data in order to be able to correct, amend, or delete their Personal Data, individuals should contact Client at the address provided by Client in its Notice at the time the Personal Data was collected by the Client and contact Expedient at privacy.shield@expedient.com or dpo@expedient.com. Expedient will cooperate with the Client to provide access to individuals whose Personal Data is stored at Expedient’s Data Centers in accordance with the Privacy Shield Principles to allow individuals to correct, amend, or delete their Personal Data, and in accordance with the GDPR (Section 3).

If individuals whose Personal Data is stored at Expedient’s Data Centers want to limit the use and disclosure of their Personal Data, individuals should contact Client at the address provided by Client in its Notice at the time the Personal Data was collected by the Client and contact Expedient at privacy.shield@expedient.com or dpo@expedient.com. Expedient will cooperate with the Client to limit the use and disclosure of Personal Data of individuals whose Personal Data is stored at Expedient’s Data Centers in accordance with the Privacy Shield Principles and the GDPR.

In compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Principles, Expedient strives to resolve all complaints about Personal Data stored at its Data Centers. If individuals whose Personal Data is stored at Expedient’s Data Centers have a complaint against the Client and Expedient, individuals should contact Client at the address provided by Client in its Notice at the time the Personal Data was collected by the Client and contact Expedient at privacy.shield@expedient.com. Expedient will respond to a complaint within 45 days of receiving the complaint.

Under the Privacy Shield Principles, any complaints that remain unresolved by Expedient will be referred to JAMS, an independent dispute resolution mechanism located in the United States. Individuals whose complaints have not been satisfactorily addressed by Expedient can visit JAMS’ website at https://www.jamsadr.com/eu-us-privacy-shield for details on how to file a complaint. This recourse mechanism is free of charge to individuals. As a last resort, complaints that remain unresolved after pursuing these recourse mechanisms may be subject to binding arbitration. For more details about binding arbitration, contact Expedient at privacy.shield@expedient.com.

Expedient’s employees do not have access to Personal Data stored at Data Centers owned by Expedient, except incidental access if Client requests technical assistance based on the services purchased from Expedient. Expedient will comply with a request to provide access to its Data Centers that store information systems hosting Personal Data only in response to lawful requests by public authorities, including meeting national security or law enforcement requirements, in accordance with the Privacy Shield Principles.

Expedient works hard to protect Personal Data stored on information systems hosted at its Data Centers from unauthorized access, unauthorized alteration, disclosure or destruction. Expedient has strict policies regarding access to its Data Centers and undertakes annual reviews of its security policies.

Expedient does not transfer or disclose Personal Data stored in information systems at its Data Centers to a third party unless it is directed to do so by Client. Client will be responsible for complying with the Accountability for Onward Transfers Principles for any transfer of Personal Data initiated by Client. Expedient does not transfer Personal Data to a third party acting as its agent.

If there is any conflict between the terms in this Policy and the EU-U.S. and Swiss-U.S. Privacy Shield Principles, the EU-U.S. and Swiss-U.S. Privacy Shield Principles shall govern. Expedient may amend this Policy from time to time by posting a revised Policy, which is located at [enter the link to where the Policy is posted/not the physical address]. Expedient will amend this Policy in a manner consistent with the requirements of the EU-U.S. and Swiss-U.S. Privacy Shield Principles.

View the Expedient entry in the EU-U.S. Privacy Shield participant list.

Expedient
Attn: Privacy Shield Compliance Officer
Nova Tower One
1 Allegheny Square, Suite 600
Pittsburgh, PA 15212

Effective Date: August 1, 2016

Last Updated: May 22, 2019
privacy.shield@expedient.com
