Effective Date: October 11, 2017 (Rev. January 30, 2020)
On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area to the United States. Also, on September 8, 2020, the Federal Data Protection and Information Commissioner of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection.
Despite these rulings, ComPsych remains committed to following robust privacy principles, such as those underlying the EU-US Privacy Shield Framework.
Please note that EU Standard Contractual Clauses (SCCs) remain a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area and the United Kingdom and Switzerland to the United States.
- how his or her Personal Data (as defined below) that is transferred to Company in the United States is processed, disclosed and transferred;
- his or her choices with respect to how this Personal Data will be handled by Company; and
- his or her other rights with regard to this Personal Data.
This Policy applies to, and is limited to, the processing of identifiable Personal Data that Company receives in the United States that was collected from Data Subjects (as defined below) who reside in the European Union, United Kingdom, Iceland, Norway, Lichtenstein or Switzerland.
This Policy does not cover data (whether or not the data is Personal Data) through which individuals are no longer identifiable, or identifiable only with a disproportionately large expense in time, cost or labor, or data combined with pseudonyms rather than actual names or other identifiable information.
"Data Subject" means an identified or identifiable natural living person, who is also a resident of Switzerland, the EU or the EEA. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural or social identity.
"Personal Data" means data that personally identifies or may be used to personally identify a Data Subject. Personal Data includes Sensitive Data (defined below) as well as an individual’s name, country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password and identification numbers. Personal Data does not include data that is encoded or anonymized, or publicly available information not combined with Personal Data.
"Sensitive Data" means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation or trade union membership.
"Third Party" means any individual or entity that is neither Company nor a Company employee, agent, contractor or representative.
Collection and Use of Personal Data
Company may receive Personal Data concerning Data Subjects: (1) directly from the Data Subject, (2) from Third Parties, or (3) through other means.
A. How and Why We Collect Personal Data
- Contact Information. When a Data Subject contacts us to utilize our services, Company may collect that Data Subject’s contact information, including name, telephone number, e-mail address and street address, in order to provide the requested services.
- Behavioral Health Information. In order to provide a Data Subject with behavioral health services, Company may collect behavioral health information about Data Subjects, including behavioral health history and current concerns.
- Inquiry-related Information. When a Data Subject contacts us to inquire about, request or receive information or services from Company, we may collect certain Personal Data in order to provide the requested information or services or to otherwise respond to the inquiry.
- Employment Information. In order to determine a Data Subject’s eligibility for our services, to pay providers for services, to bill for our services, or for other related purposes, we may collect information related to a Data Subject’s employment, such as employer name, address, and phone number.
- Other Information. We collect information in the course of conducting our business operations or in furtherance of our legitimate business interests that may lead to the incidental collection of Personal Data.
B. Creation of Anonymous Data
We may create Anonymous Data records from Personal Data by excluding information (such as the Data Subject’s name) that makes the data personally identifiable. We use this Anonymous Data to analyze usage patterns and enhance our services. Company reserves the right to use Anonymous Data for any purpose and disclose Anonymous Data to Third Parties in its sole discretion.
C. How We Use Personal Data
Company uses Personal Data for legitimate business purposes, including without limitation: (a) to provide requested services or information to Data Subjects, including behavioral health services and other related services; (b) to manage and administer employee assistance programs, behavioral health programs, work-life services, and health and wellness programs; (c) to communicate with Data Subjects; (d) to provide customer service or technical support; (e) to assess and improve the quality of our website, products, services and business operations; (f) to satisfy governmental reporting and tax requirements; (g) to address security, health, and safety concerns; (h) to plan and implement potential acquisitions and mergers; and (i) for other business-related purposes permitted or required under applicable local laws and regulations.
- A. How and Why We Collect Personal Data
Onward Transfers of Personal Data
Except as otherwise provided herein, Company discloses Personal Data only to those Third Parties who reasonably need to know such data for a legitimate business purpose, such as those who are engaged by us to provide a Data Subject with services. Such recipients must agree to abide by confidentiality obligations consistent with the Privacy Shield Principles.
Company may also provide Personal Data to Third Parties who act as agents to perform tasks on behalf of and under the instructions of Company. Such Third Parties must agree to use such Personal Data only for the purposes for which they have been engaged by Company and they must either: (1) comply with the Privacy Shield Principles or another mechanism permitted by the EU and/or Swiss Data Protection Directive for transfers and processing of Personal Data; or (2) agree to provide adequate protections for Personal Data that are no less protective than those set out in this Policy. Company may allow exceptions to this policy, permitting Personal Data to be disclosed, when a Data Subject has consented to the disclosure.
If Company learns that one of its data processors/service providers is using or disclosing Personal Data in a manner contrary to this Policy, Company will take necessary steps to prevent or stop the use or disclosure. Company acknowledges its potential liability in cases of its onward transfer of Personal Data to third parties that do not meet the criteria set forth in the immediately preceding paragraph.
A. Data Subjects have the right to opt-out of:
- any transfer of their Personal Data to a Third Party; or
- any transfer of Personal Data if for a purpose different from the purpose for which it was originally collected.
Data Subjects have the right to opt-in to allow collection of Sensitive Data. Except as stated otherwise herein, Company does not process or disclose Sensitive Data to Third Parties without the express consent of Data Subjects. Further, Company does not use Sensitive Data for any purpose other than (i) for the purpose for which it was originally provided by the Data Subject, (ii) for a purpose later expressly consented to by the Data Subject, or (iii) for an exception expressly noted below.
Notwithstanding the above, Company may use or disclose Sensitive Data (and other Personal Data) without prior express consent where such disclosure or use: (a) is in the vital interests of the Data Subject or another person; (b) is necessary for the establishment of legal claims or defenses, to obtain legal advice, or for the purposes of establishing, exercising or defending Company’s legal rights; (c) is required to provide behavioral and medical care or diagnosis; (d) is necessary to carry out Company’s obligations under applicable employment, workers’ compensation, public health or other laws; (e) is necessary for specified public health activities and purposes; (f) is data manifestly made public by the Data Subject; (g) is required by law enforcement officials or public authorities in response to a lawful request made pursuant to national security interests or law enforcement requirements; or (h) as otherwise required or permitted by law.
Confidentiality and Security of Personal Data
Company maintains reasonable physical, administrative and technical safeguards designed to secure Data Subjects’ Personal and Sensitive Data, and to prevent unauthorized access to such information. For example, all customer communication and files in digital format are stored on a secure network, accessible only by approved staff. All critical systems and servers are separately housed within Company's secure facilities and are accessible only by authorized personnel. Company takes precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration, and destruction. Company periodically performs network backups; all backup files are stored offsite and are handled by authorized personnel only.
Despite these precautions, however, no data security safeguards are foolproof. Identity thieves, hackers and other unauthorized individuals may find ways to obtain Personal Data. Although this is unlikely, if Company learns that any Personal Data was obtained without authorization and there is a risk of fraud or identity theft, Company will notify the affected Data Subject(s) and take steps to mitigate harm.
Right to Access, Change or Delete Personal Data
If a Data Subject wishes to access, change, or delete their Personal Data held by Company, requests should be sent via mail or e-mail to the Company’s Privacy Official at: ComPsych Corporation, 455 N. Cityfront Plaza Drive, 13th Floor, Chicago, IL 60611, USA Attn: Privacy Official or firstname.lastname@example.org.
Company will endeavor to respond in a timely manner to all reasonable requests.
Company will use reasonable efforts to maintain the accuracy and integrity of any Personal Data it receives and update it as appropriate.
Changes to this Policy
Company may amend this Policy from time to time. Company will only amend this Policy in a manner consistent with Privacy Shield Principles and other applicable law. Changes to the Policy will be posted on Company’s website [www.compsych.com and www.guidanceresources.com]. Data Subjects should check Company’s website regularly for any changes to this Policy.
Questions or Complaints
455 N. Cityfront Plaza Drive
Chicago, IL 60611
Enforcement and Dispute Resolution
Company periodically verifies that the Policy is accurate and comprehensive for the information intended to be covered, and conforms to the Privacy Shield Principles and applicable data privacy and protection laws. We encourage interested persons to raise any concerns with us about this Policy.
If a Data Subject has any questions, complaints or disputes regarding the manner in which Company handles or protects your Personal Data, they should contact the Company’s Privacy Official (contact information above). Company will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy.
Company has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to the American Arbitration Association, a non-profit alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://go.adr.org/privacyshield.html for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel to be created jointly by the US Department of Commerce and the European Commission.
Company retains sole and absolute discretionary authority to resolve all questions relating to the administration, interpretation and application of this Policy. This authority includes interpreting the terms of this Policy, including any disputed or doubtful terms.
Company is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).