Effective November 1, 2019
This Policy contains sections with terms used by the European legislature for the adoption of the General Data Protection Regulation (“GDPR”). Pursuant to the GDPR, our Policy should be legible and understandable to the general public, our customers, and business partners. To ensure this, we will begin with explanations of the terminology used related to the GDPR and/or other data protection regulatory requirements.
Consent: Any freely given, specific, informed and unambiguous indication of the Individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Subject (“Individual”): Any identified or identifiable person, whose Personal Data is process by the controller who is responsible for the processing.
Personal Data: Any information relating to an identified or identifiable natural person (“Individual” described above); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
SITE INFORMATION COLLECTION
Personal Data. VAF does not collect your Personal Data without your Consent. For example, you may have the option to provide contact information such as your name, organization name, company, title, e-mail address, and/or optional answers to open ended questions related to cyber security, internet technology, and various aspects related to you or your business through our Site. Providing this optional information is voluntary on your part, and in the absence of providing such information, any Personal Data will not be collected. You may also have the option of providing additional information in a comment or message box, in which case we may collect a record of that information in a file specific to you. To the extent your public information is accessible (on third party websites such as LinkedIn, Facebook, Twitter, or other third party websites), VAF retains the right to collect such public information without your consent.
Anonymous Information. VAF does not directly collect anonymous information (such as your Internet Protocol address, Web browser information, or your actions while as you navigate the Site). However, the Site’s storage, hosting and/or applications may be provided by third party outsourcers who collect such information through the use of commonly-used information-gathering tools, such as cookies and Web beacons. Standing alone, this information does not personally identify you.
Mobile Devices. VAF does not directly collect any additional information from users who access the Site via mobile phone or other mobile devices. However, our third party service providers may collect additional mobile device information such as your mobile device IP address, operating system, carrier, and mobile Internet browser and device location information.
Use of Information Collected
Personal Data. VAF will only use Personal Data for the purposes for which it was given as described below, and it will not be shared without your consent except:
As necessary to collect analytics and respond to lead generations. For example, information related to your optional responses to questions described in Section 2(A) will be shared with VAF and its members, managers, affiliates, and employees. VAF may reach out to you if you provide your contact information. The information collected will be used for generating customer leads and recruitment. Such information will also be used to better assist VAF in its goal of providing quality services for its customers. Finally, such Personal Data will be used to customize content and ads, and to improve the overall Site experience through visitor analytics.
In response to legal process. For example, in response to a court order or a subpoena, or in response to a law enforcement agency’s request. VAF reserves the right to resist such requests in its sole discretion; and/or
Anonymous Information. VAF may use anonymous information collected from you to operate and improve the Site, diagnose technical problems, and to respond to your request for information.
Third Party Links
The Site may contain ads served by reputable third parties or sponsors, as well as links to other websites or third party applications such as Facebook, Twitter, or LinkedIn. These third parties may view, edit, or set their own cookies, and have privacy policies that differ in significant ways from VAF. We are not responsible for the privacy practices or the content of these third party ad servers, promoters, websites or applications, and we advise you to refer to the policy statement of these third parties to understand how they collect and use information.
The Site may be accessible internationally. However, our computer systems are based in the United States and your Personal Data will be processed by us in the U.S. If you access the Site as a visitor from outside the United States, you consent to the collection and/or processing in the United States of your information as described above. For Personal Data processed from parties in the European Economic Areas (“EEA”), VAF complies with the GDPR, as set forth more fully in Section 3 below.
GDPR SPECIFIC INFORMATION AND DISCLOSURES
For any and all Personal Data processed from parties in the EEA, VAF complies with the Regulations 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, known as the GDPR.
VAF processes Personal Data both as a Processor and as a Controller. All data collected or stored by VAF is hosted in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from intruders. All hosting is performed in accordance with the highest security regulations.
Controller for the purposes of the GDPR and other data protection laws applicable in the EEA related to data protection is fulfilled by the VAF Data Protection Officer.
Data Retention and Deletion
The Controller shall process and store Personal Data of the Individual only for the period necessary to achieve the purpose of its storage, or for as long as is granted pursuant to the European legislator or other legislators in laws or regulations to which the Controller must abide. Any Personal Data will be deleted upon the request of the Individual.
Rights of the Individual
Right of Confirmation: Each Individual has the right to obtain confirmation from the Controller as to whether or not his/her Personal Data is being Processed. If the Individual wishes to pursue this right, he/she may, at any time, contact the Controller or any employee of the same.
Right of Access: Each Individual has the right to obtain free information from the Controller about his/her Personal Data and to obtain a copy of said information. Additionally, our privacy regulations grant the Individual access to the following information:
The purposes of the processing;
The categories of personal data concerned;
The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
The existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the individual, or to object to such processing;
The existence of the right to lodge a complaint with a supervisory authority;
Where the personal data are not collected from the individual, any available information as to their source;
The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the individual.
Furthermore, the Individual has the right to obtain information regarding whether or not the Personal Data is transferred to a third country or international organization. If applicable, the Individual will then have the right to be informed of appropriate safeguards in place relating to the transfer of any information. If the Individual wishes to pursue this right, he/she may, at any time, contact the Controller or any employee of the same.
Right to Rectification: Each Individual has the right to obtain from the Controller the timely rectification of inaccurate Personal Data concerning him/her. If the Individual wishes to pursue this right, he/she may, at any time, contact the Controller or any employee of the same.
Right to Erasure (Right to be Forgotten): Each individual has the right to obtain from the Controller the erasure of Personal Data in a timely manner. The Controller has the obligation to erase Personal Data in a timely manner where one of the following applies, so long as Processing is not necessary:
The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
The individual withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR or other data privacy regulation, and where there is no other legal ground for processing.
The individual objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the individual objects to the processing pursuant to Article 21(2) of the GDPR or other data privacy regulation;
The personal data have been unlawfully processed;
The personal data must be erased for compliance with a legal obligation according to applicable laws in Union or Member State law to which the controller is subject;
The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR or other data privacy regulation.
If any of the above apply, the individual can contact the Controller or any employee of the same to ensure that the erasure request is complied with immediately.
Right of Restriction of Processing: Each Individual has the right to obtain from the Controller, restriction of Processing where one of the following applies:
The accuracy of the personal data is contested by the individual, for a period enabling the controller to verify the accuracy of the personal data;
The processing is unlawful and the individual opposes the erasure of the personal data and requests instead the restriction of their use instead;
The controller no longer needs the personal data for the purposes of the processing, but they are required by the individual for the establishment, exercise or defense of legal claims; or
The individual has objected to processing pursuant to Article 21(1) of the GDPR or other data privacy regulation pending the verification whether the legitimate grounds of the controller override those of the individual.
If any of the above conditions are met, and the individual wishes to request the restriction of processing, he/she may contact our Controller at any time and the Controller or an employee of the same will arrange for the restriction of processing.
Right to Data Portability: Each Individual has the right, to receive the Personal Data concerning him/her, which was provided to the Controller, in a commonly used a readable format. The Individual will have the right to transmit such Personal Data to another Controller. Furthermore, in exercising this right, the Individual will have the right to transmit his/her Personal Data directly from one Controller to another, where technically feasible and when doing so not impact the rights and freedoms of others. In order to assert this right, the Individual can contact the Controller or any employee of the same to ensure that the erasure request is complied with immediately.
Right to Object: Each Individual has the right to object, at any time, to Processing of Personal Data, which is based on point (e) or (f) of Article 6(1) of the GDPR or other data privacy regulation. This right also applies to profiling based on these provisions. VAF will stop Processing Personal Data in the event of objection, unless we can demonstrate compelling legitimate grounds for Processing which overrides the interests, right and freedoms, of the Individual. In order to assert this right, the Individual can contact the Controller or any employee of the same to ensure that the erasure request is complied with immediately.
Automated Individual Decision-Making, Including Profiling: Each Individual has the right not to be subject to decision making based solely on automated processing, including profiling. VAF does not use automated decision-making, or profiling.
Right to Withdraw Data Protection Consent: Each Individual has the right to withdraw his/her consent to Processing of his/her Personal Data at any time. In order to assert this right, the Individual can contact the Controller or any employee of the same to ensure that the erasure request is complied with immediately.
Controller Duties, Generally
If the Controller wishes to process existing Personal Data for a new purpose, he/she will inform the Individual. In the event of a data breach, the Controller will report such breach to its supervisory authorities and affected individuals, in compliance with the GDPR or other data privacy regulation. If a transfer of Personal Data which is undergoing Processing or is intended for Processing after transfer to a third party or international organization, VAF, complies with all provisions of Chapter 5 of the GDPR or other data privacy regulation.
Legal Basis for Processing
Article 6(1)(a) of the GDPR or other data privacy regulation serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose, such as the purposes described within this Policy. If the processing of Personal Data is necessary for the performance of a contract to which the Individual is a part, the data processing is based on Article 6(1)(b) or other data privacy regulation. This also applies to necessary processing operations which are necessary for pre-contractual measures. If VAF is subject to a legal obligation where Personal Data processing is required, the processing is based on Article 6(1)(c) or other data privacy regulation. In the event processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, processing is based on Article 6(1)(d) or other data privacy regulation. Finally, processing could be based on Article 6(1)(f) or other data privacy regulation. This legal basis is used if the processing is necessary for the purposes of the legitimate interests pursued by the Controller or third party, except where such interests are overridden by their interests or fundamental rights and freedoms of the Individual which require protection of Personal Data (particularly, if the Individual is a child).
Personal Data as a Statutory or Contractual Requirement
There are times when Personal Data is required by law or when it is provided as a result of contractual provisions. If Personal Data is within a contract between the Individual and VAF, the Individual may be obligated to provide such Personal Data in order to conclude the contract. If Personal Data is not provided, we may be unable to conclude the contract. A Individual can contact our Controller to determine whether or not there would be an obligation to provide Personal Data in order to conclude a contract and the consequences of not providing such Personal Data.
GENERAL PROVIONS APPLICABLE TO ALL VISITORS
Children’s Online Privacy Protection
The Site is not designed for or directed to children under the age of 16, and we will not intentionally collect or maintain information about anyone under the age of 16.
The Site aspects which VAF hosts have security measures in place to help protect against the loss, misuse, and alteration of information and data under our control. These aspects are hosted in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from intruders. These safeguards help prevent unauthorized access, maintain data accuracy, and are intended to ensure the appropriate use of information and data received by VAF, but “perfect” security does not exist on the internet. Although VAF implements security measures on Site aspects which it hosts and for information and data it obtains, it is not responsible, and does not make any representations, as to the security measures in place for any third parties, including but not limited to, other websites, social media platforms, or advertising agencies.
VAF offers to its visitors and customers a means to choose how we may use information provided. If, at any time after providing information, you change your mind and wish to change or delete your information, please send a request specifying your new choice to: firstname.lastname@example.org. VAF will respond to your correction or update request within thirty (30) days from the date of your request.
Correcting & Updating Your Information
To receive a copy of, or to update information you have provided to VAF via the Site, please send an e-mail to email@example.com. VAF will respond to your correction or update request within thirty (30) days from the date of your request.
VanAusdall & Farrar Inc.
Attn: Data Protection Officer
6430 E. 75th Street, Suite 500
Indianapolis, Indiana 46250
Do Not Track Requests
Certain browsers have incorporated “Do Not Track” features. Most of these features, when turned on, send a signal to the websites you visit indicating that you do not wish to be tracked. Those websites may or may not comply with such requests, depending on the sites’ privacy practices. Because there is not yet a common understanding of how to interpret the Do Not Track signal, VAF does not currently respond to the browser Do Not Track signals on its Site.
Copyright © 2019, VanAusdall & Farrar