OrgVitality’s Data Privacy Framework Policy
OrgVitality, LLC has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved privacy complaints concerning data transferred from the EU and Switzerland. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs or Swiss DPA (FDPIC) for more information or to file a complaint. The services of EU DPAs and the Swiss FDPIC are provided at no cost to you.
We commit to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
We are aware of the General Data Protection Regulation (GDPR), which regulates the use of personal data of individuals within the EU. As we do not sell products or provide services directly to any data subjects in the EU or engage in any monitoring or profiling of individuals, the GDPR does not directly apply to OrgVitality, LLC. However, where we have corporate clients based in the EU or with EU-based employees, our clients are obliged to seek certain commitments from us. We fully expect to provide our clients with all such information, data security guarantees and data assistance as required of ‘data processors’ under GDPR.
NOTICE: ACTIVITIES COVERED AND DESCRIPTIONS OF DATA PRIVACY FRAMEWORK
- Individuals are given the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise choice.
- For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), OrgVitality, LLC will obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, OrgVitality, LLC will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.
ACCOUNTABILITY FOR ONWARD TRANSFER
- a. To transfer personal information to a third party acting as a controller, OrgVitality, LLC will comply with the Notice and Choice Principles. OrgVitality, LLC will enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.
- b. To transfer personal data to a third party acting as an agent, OrgVitality, LLC will: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
- OrgVitality, LLC will take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
DATA INTEGRITY AND PURPOSE LIMITATION:
- a. Consistent with these Principles, personal information will be limited to the information that is relevant for the purposes of processing. (See Footnote 2 below). OrgVitality, LLC will not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, OrgVitality, LLC will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. OrgVitality, LLC will adhere to the Principles for as long as it retains such information.
- b. Information may be retained in a form identifying or making identifiable (See Footnote 3 below) the individual only for as long as it serves a purpose of processing within the meaning of section “a” immediately above. This obligation does not prevent OrgVitality, LLC from processing personal information for longer periods for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis. In these cases, such processing shall be subject to the other Principles and provisions of the Framework. Organizations should take reasonable and appropriate measures in complying with this provision.

Footnotes

Footnote 2. Depending on the circumstances, examples of compatible processing purposes may include those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.

Footnote 3. In this context, if, given the means of identification reasonably likely to be used (considering, among other things, the costs of and the amount of time required for identification and the available technology at the time of the processing) and the form in which the data is retained, an individual could reasonably be identified by OrgVitality, LLC, or a third party if it would have access to the data, then the individual is “identifiable.”
- Individuals will have access to personal information about them that OrgVitality, LLC holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
RECOURSE, ENFORCEMENT AND LIABILITY:
- OrgVitality, LLC will respond promptly to inquiries and requests by the Department for information relating to the Data Privacy Framework. OrgVitality, LLC will respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. OrgVitality, LLC has chosen to cooperate with DPAs, and will respond directly to such authorities with regard to the investigation and resolution of complaints.
- c. OrgVitality, LLC will arbitrate claims and follow the terms as set forth in the Data Privacy Framework Policy, provided that an individual has invoked binding arbitration by delivering notice to OrgVitality, LLC and following the procedures and subject to conditions set forth in Data Framework Policy.
- d. In the context of an onward transfer, OrgVitality, LLC has responsibility for the processing of personal information it receives under the Data Privacy Framework and subsequently transfers to a third party acting as an agent on its behalf. OrgVitality, LLC shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
- e. If OrgVitality, LLC becomes subject to an FTC or court order based on non-compliance, OrgVitality, LLC shall make public any relevant Data Privacy Framework-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
PASSIVE INFORMATION COLLECTED
We and our third-party service providers may use a variety of technologies that automatically collect information when you use this Web Site. This information may include browser type, operating system and IP address. The methods that may be used to collect this information include the following:
- Cookies. A cookie is a data file placed on a computer when it is used to visit this Web Site. Cookies may be used for many purposes, including, without limitation, tracking user preferences and web pages visited while using this Web Site. You may disable cookies using your browser’s preferences, but some features of this Web Site may not function properly or may operate slowly if you disable the cookies.
- Web Beacons. A web beacon is a small graphic image or other web programming code (also known as “1×1 GIFs” or “clear GIFs”) that may be included in our Web Site pages or e-mail messages. Web beacons may be invisible to you, but any electronic image or other web programming code inserted into a web page or e-mail can act as a web beacon. Web beacons or similar technologies may be used for a number of purposes, including, without limitation, to count how many e-mails that were sent were actually opened, to serve users with relevant content at the Web Site, count Web Site visitors, monitor Web Site traffic patterns, and/or count how many articles or links were actually viewed.
- Embedded Scripts. An embedded script is programming code that is designed to collect information about your interactions with this Web Site, such as which links you click on. The code is temporarily downloaded onto your computer from our web server or third-party provider, is active only while you are connected to the Web Site, and is deactivated or deleted thereafter.
- Mobile Device Identifiers. Mobile device identifiers are values by which certain mobile service providers uniquely identify mobile devices. We or our third-party providers may receive such device information if you access the Web Site through mobile devices. Certain features of our Web Site may require collection of mobile phone numbers and we may associate that phone number with mobile device identification information. Additionally, some mobile phone service providers operate systems that pinpoint the physical location of devices that use their services. Depending on the provider, we or our third-party service providers may receive this information.
Information collected through passive means may be non-identifying or may be associated with you. In the latter case, it will be treated as PII.
USE OF INFORMATION COLLECTED
- To respond to your inquiries, comments, questions or requests;
- To send you newsletters, e-mails and other communications for which you have registered;
- To monitor and statistically analyze usage of the Web Site and to improve the Web Site and/or product and services offerings;
- To administer the Web Site’s systems, to audit the Web Site and for other internal business purposes;
- To add to our database, subscriber lists and/or contact lists;
- To comply with a judicial, administrative or similar proceeding or order such as a subpoena, search warrant, discovery request or other valid law enforcement measure or investigation;
- To protect the legal rights, interests and safety of the Web Sites, our users or others in cooperation with copyright owners, internet service providers, wireless service providers and law enforcement agencies.
USER NAMES, FORUMS, MESSAGE BOARDS AND SIMILAR PAGES
You may be asked to choose a user name and password in order to identify yourself on the Web Site. Some features of the Web Site may allow you to post communications that will appear on the Web Site for other visitors to view and your user name may appear in connection with those postings. For that reason, you may not want to use your real name or the name of any other actual person as your user name.
OUR COMMITMENT TO SECURITY
Your privacy is important to us. OrgVitality uses reasonable efforts and safeguards to protect the PII we collect on this Web Site from unauthorized access, use, modification or disclosure. However, due to the design of the internet and other factors outside of our control, we cannot guarantee that PII will be protected in all situations and circumstances. All information you transmit to OrgVitality via the Web Site is at your own risk.
CONSENT TO TRANSFER
This Web Site is operated in the United States. If you are located in Canada, the European Union or elsewhere outside the United States, please be aware that any information you provide to us will be transferred to the United States. By using the Web Site or by providing us with your information, you consent to this transfer.
UPDATING/CORRECTING YOUR PII AND CONTACTING ORGVITALITY
This Web Site may contain pages through which you can change your preferences or update the PII you have provided us through the Web Site. If you register to receive e-mail, you may unsubscribe by following the instructions provided to you in the applicable communication. You can contact OrgVitality, LLC directly in order to: (i) update or correct the PII that we store about you; or (ii) direct us to render inactive on our systems all your PII. We may be reached at firstname.lastname@example.org or at 914-747-7736. Please note that if you request us to render inactive your PII, we may still use aggregate non-PII, and some PII that you provided may continue to reside on backup tapes and other non-active systems for data restoration purposes. We will not manually delete PII from such backup media.
The Web Site is a general audience web site. We do not knowingly collect or maintain any PII from children under the age of thirteen (13). We do not expect children to be attracted to or to use this Web Site. In the event we discover that a child under the age of thirteen (13) has provided this Web Site with PII, we will delete such child’s PII from our database.