Kensium LLC (Kensium) and its affiliates complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Frameworks, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States.
For more information about the Privacy Shield Principles or to access Kensium’s certification statement, please go to https://privacyshield.gov.
1. PRIVACY SHIELD OVERVIEW
The U.S. Department of Commerce and the European Commission as well as the Swiss Federal
Council have agreed on a set of data protection principles and associated supplemental principles to enable U.S. companies to satisfy European Union (“EU”) and Swiss law requiring that Personal Data transferred from the EU and Switzerland to the U.S. be adequately protected (the “EU-U.S. Privacy Shield” and the “Swiss-U.S. Privacy Shield” respectively, together the “Privacy Shield”). The European
Economic Area (the “EEA”), which as of the date of this Policy includes all member states of the EU and
Iceland, Liechtenstein and Norway, and Switzerland have recognized the Privacy Shield as providing adequate protection of Personal Data.
Should there be any conflict between the Privacy Shield Principles and this Policy, this Policy shall be interpreted to be consistent with the Privacy Shield Principles.
This Policy applies to all Personal Data received by Kensium in the United States from the EEA and/ or from Switzerland, either directly from individuals, from its affiliates or from other third party organizations, and in any format whatsoever, including electronic, paper or oral transmission.
This Policy also applies to Kensium’s Subcontractors (defined below) that process Personal Data received by Kensium or its affiliates from the EEA and/ or from Switzerland on behalf of Kensium.
For purpose of this Policy, the following definitions shall apply:
“Personal Data” and “Personal Information” means data about an identified or identifiable individual that are within the scope of the Directive 95/46/EC or the Swiss Federal Act on Data Protection, received by an organization in the United States from the European Union and/ or Switzerland, and recorded in any form. Personal Data includes all Sensitive Personal Data (as defined below).
“Sensitive Personal Data” or “Sensitive Personal Information” means personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual or, where received from a third party, data that is identified and treated as sensitive by the third party. Where Swiss individuals are concerned, “Sensitive Personal Data” or “Sensitive Personal Information” also includes ideological views or activities, and information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
“Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes
and means of the processing of personal data.
“Subcontractors” means any third party that collects or uses Personal Data provided by Kensium to perform tasks on behalf of Kensium under the instructions of, and solely for, Kensium.
“Kensium,” “we,” “our” or “us” means Kensium LLC and its successors, assigns and wholly owned affiliates and subsidiaries and their respective divisions and groups, each of which are located within the U.S.
4. PRIVACY PRINCIPLES FOR PROCESSING OF PERSONAL DATA RECEIVED FROM THE EEA AND/OR SWITZERLAND
The privacy principles set forth in this Policy have been developed based on the Privacy Shield Principles.
Where Kensium collects Personal Data directly from individuals in the EEA and/ or Switzerland or receives it from its European or Swiss affiliates, it or its European or Swiss affiliates will inform those individuals about the purposes for which they collect and use Personal Data about them; the transfer of Personal Data to Kensium in the U.S., the types or identity of third parties to which Kensium discloses that information and the purposes for which it does so; and the choices and means Kensium offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Kensium, or as soon as practicable thereafter, and in any event before Kensium uses the information for a purpose other than that for which it was originally collected.
Kensium may from time to time process certain Personal Data about customers, business partners, suppliers, vendors, service providers, employees and candidates for employment, including information recorded and stored on various types of media, including electronic media.
Kensium will process these types of data in conformity with the Privacy Shield Principles and will continue to apply the Principles to personal data received under the application of the Privacy Shield as long as it holds this data.
Purposes for which we may collect and use Personal Data from our customers, consumers and other non-employees include:
• Communicating to individuals about our products, services and related issues.
• Notifying individuals of, and administering, contests, sweepstakes, promotions and other offers.
• Evaluating the quality of our products and services.
• Allowing individuals to register for our websites, online communities and other social networking services, and administering and processing these registrations.
• Transferring Personal Data in connection with Kensium’s legal, regulatory compliance and auditing purposes.
• Facilitating Kensium’s internal administrative purposes and application functionality, maintaining, administering and complying with Kensium’s legal, regulatory compliance and auditing obligations, policies and procedures.
• Execution of contracts and delivery of products and services to customers; execution and management of development, engineering and construction projects; manufacturing execution and supply chain management.
Kensium also collects Personal Data concerning its employees and candidates for employment (Human
Resources Data) in connection with administration of its human resources programs and functions and
We may share Personal Data within the U.S. family of Kensium companies. Kensium may also share Personal Data with its third party Subcontractors for the sole purpose of, and only to the extent needed to, support Kensium’s or our customers’ business needs. We may also disclose Personal Data to our Subcontractors in the U.S. and other third parties when required to do so under law or by legal process. Third Party Subcontractors are required to keep confidential Personal Data received from Kensium and may not use it for any purpose other than originally intended.
Kensium will offer individuals in the EEA or Switzerland the opportunity to choose (by either opt-out or opt-in) if their Personal Data is (a) to be disclosed to a third party that is not an Agent, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.
For Sensitive Personal Data, Kensium will give individuals the opportunity to affirmatively and explicitly consent (opt-in) to permit Kensium to (a) disclose their Sensitive Personal Data to a third party that is not an Agent or (b) use Sensitive Personal Data for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.
Kensium will provide individuals with reasonable, clear and conspicuous and readily available mechanisms to exercise these choices.
4.3 ACCOUNTABILTY FOR ONWARD TRANSFER
Kensium will transfer Personal Data to Subcontractors only for limited and specific purposes. Kensium will obtain contractual assurances from its Subcontractors that they will safeguard Personal Data in a manner consistent with this Policy and that they will provide at least the same level of protection as is required by the relevant Privacy Shield Principles. Kensium recognizes its responsibility and potential liability for onward transfers to Subcontractors. Where Kensium has knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Policy and/or the level of protection as required by the Privacy Shield Principles, Kensium will take reasonable steps to prevent, remediate or stop such use or disclosure.
If Kensium transfers Personal Information to non-agent third parties acting as a Controller, Kensium will apply the Notice and Choice principles and will obtain contractual assurance from these parties that they will provide the same level of protection as is required under the principles, unless derogation for specific situations under European data protection law applies.
Upon request and in accordance with the Privacy Shield Principles, Kensium will grant individuals reasonable access to their Personal Data that is held by Kensium. In addition, Kensium will take reasonable steps to permit individuals to correct, amend, or delete their Personal Data that is demonstrated to be inaccurate, incomplete or processed in violation of the Privacy Shield Principles. In accordance with the Privacy Shield Principles, Kensium may limit or deny access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, where the legitimate rights of persons other than the individual would be violated or if necessary to safeguard important countervailing public interests (e.g., national security) or in other limited circumstances (e.g., disclosure would breach a legal or other professional privilege).
Kensium will take reasonable precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
4.6 DATA INTEGRITY AND PURPOSE LIMITATION
Kensium will use Personal Data only in ways that are compatible with the purposes for which it was originally collected or as subsequently authorized by the individual. Kensium will also take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. Kensium will adhere to the Privacy Shield Principles for as long it retains Personal Information received under its Privacy Shield certification.
4.7 RECOURSE, ENFORCEMENT AND LIABILITY
Kensium utilizes the self-assessment approach to verify its compliance with this Policy. Kensium periodically verifies that this Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the Privacy Shield Principles.
Kensium will investigate complaints and disputes regarding use and disclosure of Personal Data in accordance with the Privacy Shield Principles. Kensium will also investigate suspected infractions of this Policy.
Kensium’s participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission.
If Kensium determines that any employee of Kensium is in violation of this Policy, such person will be subject to disciplinary action up to and possibly including termination of employment. Kensium encourages interested persons with questions or concerns relating to this Policy to contact us using the contact information below.
In compliance with the Privacy Shield Principles, Kensium commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Kensium by mail or e-mail as follows:
Attn: Michael Kasehagen
200 South Wacker Drive
Chicago, IL 60606
Kensium has further committed to refer unresolved Privacy Shield complaints to JAMS an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Under certain conditions detailed in the Privacy Shield, Data Subjects may be able to invoke binding arbitration before the Privacy Shield Panel.
Kensium agrees to periodically review and verify its compliance with the Privacy Shield Principles, and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. Kensium acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants.
Kensium’s adherence to the Privacy Shield Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, e.g. in the course of lawful requests by public authorities (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or
Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.
6. CONTACT INFORMATION
Questions or comments regarding this Policy or our practices concerning Personal Data should be submitted to Kensium by mail or e-mail as follows:
200 South Wacker Drive
Chicago, IL 60606
If you are a citizen of an EEA member state, you may also address any unresolved complaints to the
panel of the EU Data Protection Authorities at the following address:
If you are a citizen of Switzerland, you may address any unresolved complaints to the Swiss Federal Data Protection and Information Commissioner at the following address:
7. CHANGES TO THIS POLICY
This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles. Appropriate public notice will be given concerning such amendments.
8. EFFECTIVE DATE
This Policy is effective as of July 10, 2017.
Last updated: July 25, 2018