Effective from 24/12/2018
CPA Global North America complies with both the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. CPA Global North America has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Personal Information” or “Information” means information that (1) is transferred from the EU or Switzerland to the US; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual.
“Processing” of personal information means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaption or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, or that concerns an individual’s health.
CPA Global processes Personal Information that comes into our possession through electronic methods (website form, email, FTP sites), by accessing the Personal Information internally on source repositories such as our Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), document databases, billing platforms, or via other technology.
Types of Data Collected
CPA Global is a business-to-business (B2B) service provider with limited contact with consumers; therefore we will only collect and process a limited amount of personal data for the purposes stated in the ‘Purpose of Data Use’ section below. Where it concerns existing and prospective business customers, vendors and suppliers, typical categories of data relating to their employees that we will collect include: full names, postal addresses, email addresses, telephone numbers, job titles and opinions on services provided as well as satisfaction levels. With regard to employees, contractors and temporary workers, only personal data required to manage and administer their employment with us will be collected and processed.
Personal Data Collected Via Technology
Purpose of Data Use
CPA Global processes Personal Information for clients, employees, and vendors for various business-related purposes that most frequently support clients’ use of our products and services, enable us to manage employees, or adhere to multinational regulations where we conduct business. Examples of the type of activities that support these objectives include client account management, sales support, software support, client issue resolution, compensation analysis, third party risk management and personnel management and administration.
CPA Global will offer individuals the opportunity to choose (opt out) whether their Personal Information is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. The Company will not disclose Personal or Sensitive Personal Information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
For sensitive personal information, CPA Global will obtain your affirmative express consent (opt in) if such information is to be disclosed to (i) a third party, or (ii) used for a purpose other than those for which it was originally collected or subsequently authorised by you through the opt-in choice. CPA Global will treat as sensitive, any Personal Information received from a third party where the third party identifies and treats it as sensitive.
ACCOUNTABILITY FOR ONWARD TRANSFERS
In cases of onward transfer to third parties of data of EU or Swiss individuals received pursuant to the Privacy Shield Frameworks, CPA Global is potentially liable. Except as otherwise stated in this policy, we do not generally share the Personal Information collected from our services with other entities. However, we may be required to share Personal Information if we believe in good faith that such disclosure is necessary: (a)(i) to comply with relevant laws or to respond to subpoenas or warrants served on CPA Global; (a)(ii) in response to a lawful request by public authorities, including to meet national security or law enforcement requirements; (b) to protect or defend the rights or property of CPA Global or users of CPA Global’s products or services; or (c) to support our business objectives described in the ‘Purpose of Data Use’ section above.
CPA Global may transfer personal information to a third party acting as a controller in accordance with the Notice and Choice Principles above. CPA Global will enter into a contract with the third party controller that provides that such data will only be processed for the limited and specified purposes consistent with the consent you have provided, that the third party will provide the same level of protection as the Principles and will notify CPA Global if it makes a determination that it can no longer meet its obligations. Such contract will provide that if such a determination is made, the third party controller will cease processing or take reasonable and appropriate steps to remediate.
When transferring personal data to third party contractors or service providers (i.e. ‘agents’) that may be selected to support the business objectives described in the Purpose of Data Use section of this policy, CPA Global will (1) transfer such data only for limited and specified purposes; (2) obligate the agent to provide at least the same level of privacy protection as is required by the Principles; (3) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with CPA Global’s obligations under the Principles; (4) require the agent to notify us if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (5) upon notice, including under point (4), take reasonable and appropriate steps to stop and remediate unauthorised processing; and (6) provide a summary or a representative copy of the relevant privacy provisions of our contract with our agent to the Department of Commerce upon request.
CPA Global is committed to protecting the security of our data subjects’ Personal Information. Therefore, we have implemented reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the personal data. Such measures include a variety of industry-standard security technologies and procedures, such as policies restricting access to Information to authorized personnel, mechanisms to protect Information from interception during transmission, physical safeguards to protect Information stored in electronic or hard copy form, and training, reviews and audits of our security and operational procedures.
DATA INTEGRITY AND PURPOSE LIMITATION
CPA Global shall only process Personal Information in a way that is compatible with and relevant to the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, CPA Global shall take reasonable steps to ensure that Personal Information is reliable for its intended use, accurate, complete and current.
CPA Global will take reasonable and appropriate measures to retain personal information in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing within the meaning of the previous paragraph.
Individuals have the right to access and change any of their Personal Information, and may do so by contacting CPA Global’s Compliance Group, their company contact or their Human Resources (HR) representative. Individuals may correct, amend, or delete inaccurate Information or information processed in violation of these Principles, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Individuals may request deletion of their Personal Information by us, but please note that we may be required (by law or otherwise) to keep this Information and not delete it (or to keep this Information for a certain time, in which case we will comply with the deletion request only after we have fulfilled such requirements). When we delete any Information, it will be deleted from the active database, but may remain in our archives.
RECOURSE, ENFORCEMENT & LIABILITY
Attention: The Data Privacy Officer
Subject: Privacy Shield [Query] OR [Complaint] (Select the relevant option)
CPA Global has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint.
If your complaint is not satisfactorily addressed, and your inquiry or complaint involves human resource data, you may have your complaint considered by an independent recourse mechanism: for EU/EEA Data Subjects, a panel established by the EU data protection authorities (“DPA Panel”), and for Swiss Data Subjects, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”). To do so, you should contact the state or national data protection or labor authority in the jurisdiction where you work. CPA Global agrees to cooperate with the relevant national DPAs and to comply with the decisions of the DPA Panel and the FDPIC.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
Information Subject to Other Policies