For purposes of this Policy, "Personal Information"” means information that is: (a) transferred to BBDP by Clients from the European Union to the United States; (b) is recorded in any electronic form; (c) is about, or pertains to, a specific individual, and; (d) can be linked to that individual. Personal Information does not include information that pertains to an individual but from which such individual could not reasonably be identified, or publicly available information that has not been combined with non-public personal information.
BBDP adheres to the principles of the Safe Harbor Program. This Policy does not apply to any data or information other than Personal Information, or to any practice, policy or procedure of BBDP concerning any matter not specifically identified in this Policy. Without limiting any of the foregoing, this Policy does not apply to information collected by Clients that is not transferred from the European Union to BBDP or to any other party outside of the European Union.
The provisions of the Safe Harbor Program will be considered to govern in the event of any conflict between this Policy and the Safe Harbor Program. This Policy and its interpretation shall be governed by applicable United States case or statutory law, rule, regulation or industry standard that is legally binding on BBDP, such as PCI DSS v. 1.1 (all collectively referred to in this Policy as “applicable law”).
BBDP may change or update this Policy from time to time without giving prior notice to affected parties, provided that such changes are necessary to update this Policy and otherwise comply with the Safe Harbor Program. Changed or updated versions of this Policy shall be posted on the same section of the BBDP web site as this Policy, or on another conspicuously identified section of that site. Any changed or updated policy shall apply to Personal Information previously collected only to the extent that the changed or updated Policy does not reduce the rights of individuals under the Safe Harbor Program.
In the course of providing hosting, information technology consulting and development services and support (collectively “Services”) to its Clients who collect Personal Information (“Clients”), BBDP may store, process or transmit Personal Information that is collected by such Clients on Client Resources.
In that respect, it is the Clients, and not BBDP, which collect, use or disclose Personal Information. BBDP, acting as the agent of these Clients, simply provides and maintains the Client Resources that Clients use to support their collection, use or disclosure of Personal Information. BBDP therefore relies on each Client to implement the Principles with respect to the Client’s own use of Personal Information in a manner that complies with the Safe Harbor Program and/or the Directive, as applicable.
The Safe Harbor Program consists of seven privacy principles (“Principles”). The following describes how BBDP addresses each of these Principles:
As part of providing the Services, BBDP may store, process or transmit information of individuals collected by Clients that may include Personal Information. The Personal Information that individuals submit to our Clients is what is transferred to BBDP, as directed by such individuals, when such individuals submit their Personal Information to such Client(s). Such information is transmitted by the Client to BBDP via the Internet where it is stored or processed on Client Resources.
BBDP only stores, processes or transmits Personal Information at the direction of and on behalf of the Client who collected it. BBDP does not collect Personal Information on its own behalf or use it for its own purposes, apart from use in providing the Services to the Client who collected it.
Each Client governs the manner in which Personal Information is collected and used by that Client. Personal Information is only disclosed by BBDP to the Client who collects it, to third parties to whom the Client directs BBDP to disclose it, or to persons or entities that request and are entitled to receive Personal Information under applicable law or legal process (such as a subpoena or court order).
If an individual wishes to limit use and disclosure of his or her Personal Information, the individual should first contact the official designated for such requests by the Client to which the individual submitted his or her Personal Information. If the individual cannot locate or contact that Client’s official, or is dissatisfied with their response, then the individual may contact BBDP’s Safe Harbor privacy official at email@example.com, who will forward the request for limitation of use or disclosure to the applicable Client contact.
Because BBDP shall store, process or transmit Personal Information as an agent of its Client, BBDP shall use and disclose Personal Information in accordance with the reasonable notice policies provided by each Client and the choices made by individuals when they submit Personal Information to a Client.
As noted above, BBDP acts as the agent of its Clients with respect to Personal Information. If a Client instructs BBDP to provide a reasonable means for individuals to choose to opt out of whether (a) Personal Information may be disclosed to third parties, or (b) used for a purpose that is incompatible with the purpose for which that Client collected such Personal Information, then BBDP shall follow that Client’s instructions in that regard, subject to applicable law.
Furthermore, to the extent that a Client instructs BBDP to support that Client’s reasonable opt-in procedures for sensitive personal information as defined in the Directive (“Sensitive Personal Information”), BBDP shall follow that Client’s instructions in that regard, subject to applicable law. It shall be the responsibility of each Client to determine what information is Sensitive Personal Information and to inform BBDP accordingly.
3. Onward Transfer.
Because Clients shall utilize Client Resources provided by BBDP to collect and use Personal Information, that Personal Information shall be accessible to the Client who has collected it. BBDP shall allow or support the Client’s own access to such Personal Information (which may include transferring it to Client facilities or personnel), and may transfer that Personal Information to (a) third party agents of Client to whom the Client directs BBDP to transfer it, such as data processors (b) offsite storage facilities for backup purposes or (c) persons or entities that request and are entitled to receive Personal Information under applicable law or legal process (such as a subpoena or court order).
In the event that BBDP transfers Personal Information to a third party as noted above, BBDP shall obtain appropriate assurances either by ascertaining that the third party is subject to the Principles and/or the Directive (as applicable), is Safe Harbor certified, is subject to another European Commission adequacy finding or has entered into a written agreement with BBDP requiring that the third party provide the same level of protection to Personal Information as is required by the Principles.
Last, BBDP may transfer Personal Information to an acquirer or successor in interest of BBDP’s business or assets, but only for purposes of continuing to deliver the Services to Clients. Other than the onward transfers described in this section, BBDP shall not transfer Personal Information to any third party.
BBDP shall take reasonable precautions to protect Personal Information on Client Resources from loss, misuse, unauthorized access, disclosure, alteration or destruction. Details concerning the general security measures that BBDP applies to all of its information technology resources and the Client Resources is posted at www.bbdp.com/privacy.html. Additional details concerning the security measures applied by individual Clients may be hosted on such Clients’ sites.
5. Data Integrity.
As noted above, BBDP acts as the agent of its Clients with respect to Personal Information. Clients shall be responsible for informing BBDP of the purpose for which they have collected Personal Information. BBDP shall process Personal Information, in the course of providing the Services, in a way that is compatible with that purpose. If a Client instructs BBDP to take reasonable steps to ensure that data is reliable, accurate, complete and current to the extent needed to ensure that it is used in a way compatible with that purpose, then BBDP shall follow that Client’s instructions in that regard, subject to applicable law. In addition, BBDP shall use reasonable efforts to protect data hosted on Client Resources from security-related threats to reliability, accuracy, completeness and currency through application of the general security measures posted at www.bbdp.com/privacy.html.
As noted above, BBDP acts as the agent of its Clients with respect to Personal Information. If a Client instructs BBDP to (a) establish a means for individuals to access their Personal Information held on Client Resources, and/or (b) provide a means for such individuals to correct, amend or delete that information where it is inaccurate (subject to exceptions in the Directive and applicable law), then BBDP shall follow that Client’s reasonable instructions in that regard.
In the event that an individual wishes to access his or her Personal Information held on Client Resources and/or (b) correct, amend or delete that Personal Information where it is inaccurate, the individual should first contact the responsible official of the Client who collected such Personal Information. If such an individual cannot locate or contact the responsible official of the Client for these purposes, or is dissatisfied with the response from the Client, then the individual may contact BBDP’s Safe Harbor privacy official at firstname.lastname@example.org, who will forward the request to the applicable Client contact.
If the individual can verify his or her basis for seeking correction, amendment or deletion of Personal Information to the Client’s reasonable satisfaction, then BBDP shall correct, amend or delete such information. BBDP reserves the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual's privacy, in the case of a vexatious or fraudulent request or when permitted by applicable law.
BBDP is committed to ensuring that Personal Information is handled in a manner consistent with the Safe Harbor Program. In the event that an individual has a complaint or dispute concerning the manner in which his or her Personal Information has been handled, that individual may contact BBDP’s Safe Harbor privacy official at email@example.com to register such complaint or dispute. BBDP will reasonably cooperate with the individual, affected Client(s) and any United States authorities having lawful jurisdiction over such disputes or complaints, to the extent permitted by applicable law and with reference to the Principles, in the investigation and resolution of such complaints and disputes.
Furthermore, if a Client has instructed BBDP with respect to its complaint or dispute process for Personal Information on Client Resources, BBDP shall follow that Client’s reasonable complaint or dispute process in that regard, subject to applicable law.
BBDP shall regularly review its use of Personal Information, as part of its standard security practices, in an attempt to verify that that the attestations and assertions made in this Policy about BBDP’s Safe Harbor related privacy practices are true and have been implemented as presented. BBDP shall use reasonable efforts to remedy problems arising out of the failure to comply with the Principles by itself, its Clients or its or their third party agents, and shall apply consequences and sanctions to BBDP personnel, Clients, or third party agents that are sufficient to ensure compliance with the Principles, subject to applicable law and BBDP’s then-current employee disciplinary policy (for BBDP personnel), Client contracts with BBDP (for Clients) or third party agent agreements (for third party agents).
Adherence by BBDP, its Clients or its or their third party agents to the Safe Harbor Program and the Principles may be limited (a) to the extent required to respond to a legal or ethical obligation and (b) to the extent expressly permitted by applicable law.