Last Modified: 05/31/2019
Last Reviewed: 01/01/2020
You may have heard a lot of buzz around the GDPR (General Data Protection Regulation). The GDPR is a series of laws approved by the European Union (“EU”) Parliament to align legislation with the way data is used today. The GDPR’s intent is to allow individuals greater control over their data. With the GDPR come several requirements of companies like XDD. You can learn more about the GDPR here: www.privacytrust.com/gdpr/. Now, excuse us while we get some legalize out of the way.
PRIVACY SHIELD POLICY:
The terms set forth in this Privacy Shield Policy portion of the Agreement (“Privacy Shield Policy”) extend to Xact Data Discovery’s collection, use and retention of Personal Data transferred from European Union member countries to the United States (“EU Personal Data”) and supplements the terms set forth elsewhere in the Terms and Conditions with respect to such EU Personal Data. The Federal Trade Commission has jurisdiction and enforcement authority over Xact Data Discovery’s compliance with this Privacy Shield Policy and the EU-U.S. Privacy Shield Framework. This Privacy Shield Policy also applies to the following US subsidiary of Xact Data Discovery: Orange Research Group.
Compliance with EU-US Privacy Shield Framework:
Xact Data Discovery complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union to the United States. Xact Data Discovery has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. Xact Data Discovery, in reliance on the Privacy Shield, commits to subject all EU Personal Data to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov. The Privacy Shield List is available at www.privacyshield.gov/list.
Inquiries and Complaints (EU-US Privacy Shield):
Chief Legal Officer
5800 Foxridge Drive, Suite 406
Mission, KS 66202
Xact Data Discovery has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to Privacy Trust, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.privacytrust.com/privacyshield/disputeresolution for more information and to file a complaint. This body is designated to address complaints and provide appropriate recourse free of charge to affected individuals.
EU Personal Data Collection, Use, and Disclosure:
The EU Personal Data we receive may include, but is not limited to, your email address, name, phone number, postal address, and other information. We will only process EU Personal Data in ways that are compatible with the purpose for which we collected it, or for purposes the individual later authorizes. We process sensitive EU Personal Data for the following purposes: forensic collections, eDiscovery processing, hosting, review, and traditional litigation support services. When we collect sensitive EU Personal Data, we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your sensitive EU Personal Data to non-agent third parties, or before we use your sensitive EU Personal Data for a different purpose than we collected it for or than you later authorized.
Xact Data Discovery acknowledges that EU individuals have the right to access their Personal Data that we maintain about them. Xact Data Discovery will also provide an individual opt-out choice before we share their Personal Data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate EU Personal Data, or who wishes to limit the use and disclosure of their Personal Data, should direct their questions to firstname.lastname@example.org. If requested to remove Personal Data, we will respond within a reasonable timeframe.
Xact Data Discovery limits disclosure of Personal Data to employees and other trusted third party business advisory and expert services firms that provide bibliographic coding, human/machine language translation, backup tape restoration, forensic collections/analysis, traditional litigation support, contract attorney review services and quality control services in whole or in part, on our behalf and who have a specific business purpose for collecting, maintaining, reviewing and processing such Personal Data. Where required by the Privacy Shield Policies, we enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield Policies require and limiting their use of the EU Personal Data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process EU Personal Data in accordance with our Privacy Shield obligations and to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of EU Personal Data that we transfer to them.
Data We Collect and How We Collect It:
For personal information of individuals received from the EU, XDD is committed to handling such personal information in accordance with Privacy Shield as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.
XDD Collects and Processes personal data of the following:
When XDD collects data from business clients, website users and visitors, and social media users, it acts in a role of a data controller. However, XDD also acts in a role of a data processor when XDD processes personal data from targeted persons at the direction of XDD’s clients.
The data that XDD collects can include names, email addresses, home addresses, telephone numbers, state/province, country, information about products/services of interest, comments, organization name, job title, Relativity login credentials, Relativity access and usage analytics data, IP address and location, cookie ID, device ID, browser type and version, time zone, browser plug-in types and versions, operating system and platform, social media photos, social media comments and messages, and, other information disclosed in the course of general business practice.
With regard to data collected from Targeted Persons at the direction of an XDD client, XDD retains that data until advised to return or delete the data. XDD will not destroy or return data until a client completes a data destruction form.
With regard to business clients’ and website/social media users’ data, XDD maintains personal data indefinitely or until a user rescinds consent for the retention of or use of the data.
Use of Personal Data:
XDD will only use data in a way that is compatible with the reason for which it was collected and authorized by our client. Further:
Legal basis for processing Personal Information (EU visitors only):
If you are a visitor/client located in the EU, Xact Data Discovery is the data controller of your personal information. Xact Data Discovery’s data protection personnel can be contacted at email@example.com.
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. However, we will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, in compliance with a legal obligation, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you.
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.
How to Unsubscribe from XDD Marketing Communications:
XDD communicates with customers and prospects via email marketing campaigns on a periodic basis to share educational content and service information. Campaigns are sent via an email services provider and you always have the option to unsubscribe or opt-out. You may unsubscribe by clicking on the “unsubscribe” link located on the bottom of our emails. You may also rescind your consent to receive marketing communications by sending us an email at firstname.lastname@example.org, or by post to Xact Data Discovery, 5800 Foxridge Drive, Suite 406, Mission, Kansas 66202.
Notice and Choice:
To the extent permitted by the EU-U.S. Privacy Shield, XDD reserves the right to process personal information in the course of providing professional services to our clients without the knowledge of individuals involved. Where we collect, at the direction of our clients, personal information directly from individuals in the E.U. it remains the responsibility of our client to inform the individual of the purposes for which we collect and use it and the types of non-agent third parties to which the information is disclosed. It remains the responsibility of our client to inform those individuals about the choices and means, if any, offered the individuals for limiting the use or disclosure of their information.
How Can You Access This Information?
XDD collects and processes data under the instruction and direction of our clients. If an individual becomes aware that information we maintain about that individual is inaccurate, or if an individual would like to update or review his or her information, the individual must contact and coordinate with our client and proceed according to that client’s personal information policy.
Will We Share Personal Information With Third Parties?
XDD will not disclose an individual’s personal information to third parties unless directed by our client or when one or more of the following conditions are true:
Compliance with Law Enforcement:
Xact Data Discovery may be required to disclose EU Personal Data in response to a lawful request by public authorities, including the need to meet national security or law enforcement requirements.
XDD’s intent is to strictly protect the security of your personal information, honor your choice for its intended use, and carefully protect your data from loss, misuse, unauthorized access or disclosure, alteration, or destruction. We have taken appropriate steps to safeguard and secure information we collect online including the use of encryption when collecting personal information.
Xact Data Discovery has policies, procedures, and processes to protect client data, which includes encryption of data at rest, transit and logical segregation. All data is stored within our secured datacenter with redundant firewalls and network security systems utilizing threat intelligence from Cisco Talos. All external ports are disabled except for necessary 443 ports for encrypted channel communications and DMZ utilized for external facing web servers. Along with systems security, we have implemented annual security awareness training which includes GDPR awareness. Our incident response policy will include details necessary to ensure minimal disruption of corporate workflow and operations in the event of a major natural disaster, major systems interruption or other designated major corporate emergency.
If XDD transfers your information to a third-party (e.g. analytics or web hosting vendors), XDD will attempt to ensure the third-party maintains the same level of security as us. We can actively monitor their compliance using TrustBase. XDD is a participant in the U.S. Department of Commerce’s EU-U.S. Privacy Shield and has certified that we adhere to the EU-U.S. Privacy Shield Principles. XDD is subject to the investigatory and enforcement powers of the Federal Trade Commission.
XDD welcomes your comments and/or questions regarding this privacy statement; please contact us by sending us your feedback to email@example.com, or writing to:
Xact Data Discovery
5800 Foxridge Drive, Suite 406
Mission, KS 66202
If however you are unhappy with our response to your concerns you can raise an issue with Privacy Trust, an independent third party dispute resolution service.
If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, you can also submit your complaint to Privacy Trust, an independent third party. Visit www.privacytrust.com/drs/xactdatadiscovery to file a complaint.
Finally, as a last resort and in limited situations, EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
Take our quick Webinar Topic Survey to help us tailor our educational series.