I. Introduction
Emptoris, Inc. (“Emptoris”) transacts business with companies located in the United States and internationally, including countries that are part of the European Union (“EU”). Our policy concerning the privacy of individuals’ personal identifiable information is treated consistently with the same high level of security regardless of whether the information emanated from inside or outside the boarders of the United States.
II. Data Protection Compliance
It is the policy of Emptoris to comply with all applicable regulatory requirements for the processing of personal and sensitive data, including the EU Data Protection Directive, the U.S. Commerce Department Safe Harbor framework and HIPAA, as each may be amended and supplemented. Emptoris Safe Harbor certification can be found at http://www.emptoris.com/. For more information about the Safe Harbor Principles, please visit the U.S. Department of Commerce's Website at http://www.export.gov/safeharbor/.
III. Emptoris provides spend data analysis support services.
Emptoris role in data protection and privacy is generally limited by its position as a spend analysis solution provider.
Emptoris currently receives data from entities located globally for the purpose of helping clients identify where and how they are spending their resources, particularly cash resources. Emptoris receives spend data from clients wishing to have their spend data analyzed. The data comes in many forms. Emptoris collects, standardizes and analyzes the spend data (processing purposes only) then makes reports of the analysis available back to the clients. Any personal data provided to Emptoris is incidental to the spend data. Emptoris does not use the personal data for any purpose nor does it transfer the personal data to anyone.
As set forth in FAQ 10 of the Safe Harbor Framework, data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU. The purpose of the contract is to protect the interests of the data controller, i.e. the person or body who determines the purposes and means of processing, who retains full responsibility for the data vis-à-vis the individual(s) concerned. The contract thus specifies the processing to be carried out and any measures necessary to ensure that the data is kept secure. Emptoris is currently subject to and will enter into a written contract with any EU Member entity prior to processing any such electronic data. The contract will contain terms and provisions regarding each respective party’s rights and obligations as it relates to the processing of data for spend analysis purposes. This will ensure that the EU data controller will be in compliance with the Member State Data Protection law. Any data processed by Emptoris will not be disclosed to third parties, except where permitted or required by the contract between the EU Member and Emptoris. Any information, which an Emptoris customer (acting as the EU controller) identifies as sensitive information will be treated accordingly.
Emptoris has in place and will provide adequate data security measures to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration or destruction.
IV. Definitions: For purposes of this Policy, the following definitions shall apply:
“Agent” means any third party that may use Personal Information provided by Emptoris to perform tasks on behalf of or at the instruction of Emptoris.
“Personal Information” means any information or set of information that identifies or could be used by or on behalf of Emptoris to identify an individual. Personal information does not include information that is encoded or anonymized, or publicly available information that has been combined with non-public Personal Information. Personal Information means any information that reveals race, ethnic origin, trade union membership, or that concerns health. In addition, Emptoris will treat any sensitive information received from a third party where that third party treats and identifies the information as sensitive as Personal Information.
V. Privacy Principles
A. “Notice.” Where Emptoris collects Personal Information directly or indirectly from individuals or corporations, it will inform them about the purposes for which it collects and uses Personal Information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to Emptoris, or as soon as practicable thereafter, and in any event before Emptoris uses the information for a purpose other than that for which it was originally collected. Emptoris may disclose Personal Information if required to do so by law or to protect and defend the rights or property of Emptoris.
B. “Choice.” Where Emptoris collects Personal Information directly from individuals, it will offer individuals and corporations the opportunity to choose (opt-out) whether their Personal Information is;
- To be disclosed to a non-agent third party, or
- To be used for a purpose other than the purpose for which it was originally collected or subsequently authorizes by the individual or corporation
- For sensitive Personal Information Emptoris will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual or corporation.
- Emptoris will provide individuals with reasonable mechanisms to exercise their choice should requisite circumstances arise
C. “Data Integrity.” Emptoris will use Personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Emptoris will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete and current.
D. “Access.” Upon request, Emptoris will grant individuals reasonable access to Personal Information that it holds about them. In addition, Emptoris will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.
E. “Security.” Emptoris will take responsible steps to ensure that data is reliable for its intended use, accurate, complete, and current.
F. “Enforcement.” Emptoris will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that Emptoris determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.
VI. Dispute Resolution.
Any questions or concerns regarding the use or disclosure of Personal Information should be directed to Emptoris at the address given below. Emptoris will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in this Policy. For complaints that cannot be resolved between Emptoris and the complainant, Emptoris has agreed to participate in the dispute resolution procedures of the panel established by the European Data Protection Authorities to resolve disputes pursuant to the Safe Harbor Principles.
VII. Contact Information.
Questions or comments regarding this Policy should be submitted to Emptoris by mail or e-mail as follows:
Emptoris, Inc.
200 Wheeler Road
Burlington, MA 01803
privacypolicy@Emptoris.com
The preceding paragraphs describe Emptoris Personal Data Protection Policy as of March 30, 2008. Emptoris retains the right to modify or amend this Policy at any time consistent with the requirements of the Safe Harbor Principles.
|
