GOLDSPRING’S ROLE AS A SERVICE PROVIDER TO ITS CUSTOMERS AND PROSPECTIVE CUSTOMERS
GoldSpring conducts various procurement, policy, and other activities (collectively “Services”) on behalf of its customers and prospective customers in the EEA and Switzerland through employees who may be located in the U.S. These U.S.-based employees may process Personal Data to provide Services to customers and prospective customers located in the EEA or Switzerland.
Customers using GoldSpring’s Services are responsible for directly or indirectly, via a third-party supplier, providing the data used by GoldSpring in providing the Services. Except as stated in the paragraph immediately below, customers determine the categories of Personal Data and other information that are provided to GoldSpring, agreeing as to how that information will be used, to whom it will be disclosed, and for what purposes.
Specifically, in regard to GoldSpring’s Services, GoldSpring may store the following categories of Personal Data: full name, email address, customer’s employee identification number, and other personally identifiable information as may be required to perform Services and provide reporting to customer’s requirements.
When GoldSpring processes Personal Data, GoldSpring does so only for the purpose of providing Services pursuant to the customer’s or
prospective customer’s instructions.
THE CUSTOMER’S AND PROSPECTIVE CUSTOMER’S RESPONSIBILITIES WITH RESPECT TO PERSONAL DATA
GoldSpring customers and prospective customers with employees and/or operations in the EEA and/or Switzerland may choose to include Personal Data among the data used and stored by GoldSpring or shared with GoldSpring in connection with its provision of Services.
GoldSpring processes only the Personal Data that its customers or prospective customers have chosen to share with GoldSpring. GoldSpring has no direct or contractual relationship with the subject of such Personal Data (a “Data Subject”). As a result, when a customer or prospective customer shares Personal Data, the customer or prospective customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws.
GOLDSPRING’S COMPLIANCE WITH THE PRIVACY SHIELD PRINCIPLES
GoldSpring employees located in the U.S. may provide Services for customers and prospective customers located in the EEA or Switzerland. To provide such Services, GoldSpring may access and use Personal Data. GoldSpring will apply the following Privacy Shield Principles to Personal Data physically or remotely transferred from the EEA or Switzerland to the U.S.
Data Subjects have the right to access the Personal Data an organization holds about them. If such Personal Data is inaccurate or processed in violation of the Privacy Shield Principles, a Data Subject may also request that Personal Data be corrected, amended, or deleted.
When GoldSpring receives Personal Data, it does so on its customer’s or prospective customer’s behalf. To request access to, or correction, amendment or deletion of, Personal Data, Data Subjects should contact the GoldSpring customer or prospective customer that collected their Personal Data. GoldSpring will cooperate with its customers’ and prospective customers’ reasonable requests to assist Data Subjects to exercise their rights under the privacy shield.
Data subjects have the right to opt out of (a) disclosures of their Personal Data to third parties not identified at the time of collection or subsequently authorized, and (b) uses of Personal Data for purposes materially different from those disclosed at the time of collection or subsequently authorized. GoldSpring’s customers and prospective customers are responsible for informing Data Subjects when they have the right to opt out of such uses or disclosures.
Data Subjects who wish to limit the use or disclosure of their Personal Data should submit that request to GoldSpring’s customer or prospective customer that controls the use and disclosure of their Personal Data. GoldSpring will cooperate with its customers’ and prospective customers’ instructions regarding Data Subjects’ choices.
GoldSpring is committed to safeguarding the Personal Data that it receives from the EEA and Switzerland. While GoldSpring cannot guarantee the security of Personal Data, GoldSpring takes reasonable and appropriate measures to protect Personal Data in GoldSpring’s possession from loss, misuse, unauthorized access, disclosure, alteration and destruction.
GoldSpring utilizes a combination of online and offline security technologies, procedures and organizational measures to help safeguard Personal Data. For example, security is designed to prevent unauthorized access to GoldSpring computers. Electronic security measures — including, for example, network access controls, passwords and access logging — provide protection from hacking and other unauthorized access. GoldSpring also protects Personal Data through the use of firewalls, role-based restrictions and, where appropriate, encryption technology. GoldSpring limits access to Personal Data to employees, subcontractors, and third- party agents that have a specific business reason for accessing such Personal Data. Individuals granted access to Personal Data are aware of their responsibilities to protect such information and are provided appropriate training and instruction.
PURPOSE LIMITATION AND DATA INTEGRITY
GoldSpring’s customers and prospective customers are responsible for limiting their collection of Personal Data to that which is necessary to accomplish the purposes disclosed to Data Subjects and compatible purposes. They also are responsible for providing GoldSpring with instructions for the processing of Personal Data consistent with such purposes. GoldSpring will process Personal Data only in accordance with the customer’s or prospective customer’s instructions.
GoldSpring’s customers and prospective customers also are responsible for ensuring that (a) Personal Data they collect is accurate, complete, current and reliable for its intended uses; and (b) Personal Data is retained only for as long as is necessary to accomplish the customer’s or prospective customer’s legitimate business purposes disclosed to the Data Subject and for compatible purposes. GoldSpring will cooperate with customers’ and prospective customers’ reasonable requests for assistance in meeting these obligations.
In the performance of Services, GoldSpring will request only the minimum amount of information required to perform the applicable Services and will retain such information only for as long as necessary to provide the Services or for compatible purposes, such as to provide additional Services, to comply with legal requirements, or to preserve or defend GoldSpring’s legal rights.
GoldSpring will not disclose Personal Data to a third party, except as stated below:
GoldSpring may disclose Personal Data to subcontractors and third-party agents who assist GoldSpring in providing Services to its customers and prospective customers. Before disclosing Personal Data to a subcontractor or third-party agent, GoldSpring will obtain assurances from the recipient that it will: (a) use the Personal Data only to assist GoldSpring in providing the Services; (b) provide at least the same level of protection for Personal Data as required by the Principles; and (c) notify GoldSpring if the recipient is no longer able to provide the required protections. Upon notice, GoldSpring will act promptly to stop and remediate unauthorized processing of Personal Date by a recipient. GoldSpring will remain liable for onward transfers to its subcontractors and third-party agents.
GoldSpring may also be required to disclose, and may disclose, Personal Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. To the extent permitted, GoldSpring will inform its relevant customer or prospective customer before making such disclosure and provide it with a reasonable opportunity to object to such disclosure.
RECOURSE, ENFORCEMENT & LIABILITY
In compliance with the EU-US and Swiss-US Privacy Shield Principles, GoldSpring commits to resolve complaints concerning its processing of Personal Data in accordance with the Privacy Shield Principles.
Any Data Subject who has a complaint about GoldSpring’s processing of his/her Personal Data should first contact GoldSpring’s Legal Department by emailing email@example.com or by calling 336-293-8839.
GoldSpring has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles and Swiss-US Privacy Shield Principles to an independent recourse mechanism, ICDR/AAA, operated by the American Arbitration Association (“AAA”). If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by GoldSpring, please visit http://go.adr.org/privacyshield.html for more information and to file a complaint at no cost to you.
In addition to the above dispute resolution mechanisms, Data Subjects may invoke binding arbitration if their complaint is not resolved by the AAA or by the Department of Commerce after referral from the relevant data protection authority in the EEA or Switzerland. For more information about binding arbitration, visit https://www.privacyshield.gov.
GoldSpring is subject to the investigatory and enforcement powers of the Federal Trade Commission.
FOR MORE INFORMATION
Data Subjects with questions about how GoldSpring processes Personal Data should first contact the GoldSpring customer or prospective customer that collected the Personal Data. GoldSpring’s Legal Department can be contacted by emailing firstname.lastname@example.org or by calling 336-293-8839.
GoldSpring may revise this Policy at any time. If GoldSpring decides to materially change this Policy, GoldSpring will post the revised Policy at this location.
Last Revision Date: April 13, 2017.