Draft Policy Not in Effect until Approval of Self Certification from US Department of Commerce
Financial Risk Mitigation (“FRM”) commits to conduct its business according to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (the “Privacy Shield”), which became effective August 1, 2016 for the EU and January 12, 2017 for Switzerland. The Privacy Shield was developed by the U.S. Department of Commerce (DOC), the European Commission (the “EC”) and the Swiss Administration to provide companies based in the United States (U.S.), the European Union (EU) or Switzerland a mechanism to transfer data on European nationals to the U.S. and provide such European nationals the data protection available in the EU and Switzerland, in order to support transatlantic commerce. The EC and the Swiss Administration deem the Privacy Shield adequate to enable data transfers under EU and Swiss law.
FRM collects information about EU/EEA Data Subjects when conducting investigations on behalf of, and at the request of, its Subscribers. The majority of FRM’s investigatory work on EU/EEA Data Subjects involves the use of independent agents in Europe that research public domains such as published articles, searches of corporate registries, and other European public and regulatory databases. FRM and its agents also research education and employment data for the purposes of its investigatory work. FRM may also perform interviews as a part of its investigatory work.
Where such data is used, FRM’s Terms of Service (https://www.frm-inc.com/frmclientportaltermsofservice/) or other separate agreements with its Subscribers require that the Subscriber certify that it has provided notice and received consent that such an investigation will be conducted and that the EU/EEA Data Subject has given his/her unambiguous, voluntary and knowing consent to the Subscriber requesting the investigation.
The types of personal information that may be collected include identification and location information, personal and family information, information available in publications, current and former employment information, information about educational and professional licensing, public record information, financial and credit history, business affiliations such as officer and director positions, and other publicly available information.
The investigation brief, results and related information may include:
lifestyle and social circumstances
goods and services
education and employment details
physical or mental health details
racial or ethnic origin
religious or other beliefs of a similar nature
trade union membership
offences including alleged offences
When personal information is collected directly from EU/EEA Data Subjects by FRM, it is only upon the direct instruction of FRM’s Subscriber, who has contractually represented that it has provided notice to the EU/EEA Data Subject that an investigation will be conducted and that the Data Subject has given unambiguous, voluntary and knowing consent to the Subscriber requesting the investigation, including a link to this policy in the event individuals are asked to provide personal information to FRM.
The information collected is only disclosed as necessary to perform services for FRM’s Subscribers pursuant to the consent of the individual unless a lawful exception to processing the data without Notice and Consent applies. FRM does not use personal information for any purpose other than that for which it was originally collected and authorized by the individual.
Notwithstanding the above, FRM may disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Notwithstanding the above, FRM may disclose personal information to third parties without Notice and Consent when a lawful exception applies.
As noted above, FRM does not collect any personal information without an individual’s unambiguous, voluntary and knowing consent to FRM’s Subscribers unless an exception applies. The individual’s choice is to not consent to the collection of information for purposes of the investigation unless an exception applies, in which case FRM will not collect any information. Information is never disclosed to a third party except for the purposes consented to by the individual, or to FRM’s processors to carry out the purpose for which it was collected. The information is not reused or disclosed by FRM for any other purpose.
- Accountability for Onward Transfer
FRM’s independent agents in Europe transfer personal data to FRM in the U.S., and FRM transfers that information only to its Subscribers pursuant to the individual’s consent as discussed above unless an exception may apply. FRM does not transfer personal information to any third parties other than its Subscribers pursuant to the individual’s consent unless an exception may apply. FRM’s Subscribers covenant and agree to undertake commercially reasonable steps to protect information received from FRM and to not disclose it except for the purpose for which it was collected pursuant to the individual’s consent unless an exception may apply.
FRM may transfer personal identifying data to its independent agents in the EU for the purpose of performing the investigations including manually searching court and other records. In such cases, FRM will transfer such identifying data only for limited and specified purposes.
FRM is liable under the Principles if an agent processes the information in a manner inconsistent with the Principles, unless it can prove that it is not responsible.
FRM maintains a comprehensive information security program designed to anticipate foreseeable threats or hazards for attacks, intrusions, unauthorized access, system failures, alteration, destruction, or breach of confidentiality through (a) using administrative, technical, and physical safeguards (Safeguards); (b) reasonably designing, periodically reviewing, regularly testing, monitoring, and risk assessing the Safeguards; and (c) modifying and upgrading systems, system controls, and procedures (including training of employees and management).
FRM does not retain personal information beyond the time needed to prepare a report for its Subscribers, and usually for five (5) years thereafter for audit purposes, unless the Subscriber requires a longer retention period. FRM will provide access to the subject of the report upon request, unless an exception may apply. If the subject of a report would like to access his/her personal information retained by FRM, and to correct, amend, or delete information that is inaccurate or has been processed in violation of the Privacy Shield principles, or if the EU/EEA Data Subject would like all information about him/herself deleted, the individual may contact:
Privacy Shield Ombudsman-Compliance
Financial Risk Mitigation
2332 N. Arnoult Rd.
Metairie, LA 70001
- Recourse, Enforcement and Liability
Individuals with complaints about the collection or use of their personal information should contact:
Privacy Shield Ombudsman
Financial Risk Mitigation
2332 N. Arnoult Rd.
Metairie, LA 70001
If your dispute is not resolved satisfactorily, you may submit it for mediation to: https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim, an alternative dispute resolution provider located in the United States. The services of JAMS are provided at no cost to you.
FRM is subject to regulation by the Federal Trade Commission (the “FTC”) and its investigatory and enforcement powers. Under certain circumstances, you may submit your complaint to binding arbitration; see: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.