Data Privacy Framework Policy

Overview

ComPsych Corporation and its affiliates, including ComPsych International, Inc., (collectively "Company") value individual privacy. Company is a leading provider of employee assistance programs and behavioral health, work-life, wellness and HR administration services.

Company complies with and has certified to the US Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) regarding the processing of personal data received from the European Economic Area (EEA) in reliance on the EU-U.S. DPF, from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF, and from Switzerland in reliance on the Swiss-U.S. DPF Principles.

If there is any conflict between this Data Privacy Framework Policy (Policy) and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the DPF Principles), the DPF Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) Program, please visit www.dataprivacyframework.gov.

Scope

This Policy sets forth the privacy principles that Company follows when processing Personal Data received from customers or prospective customers located in the EEA, Switzerland, and the United Kingdom (UK) while providing services from the United States (U.S.). For purposes of this Policy, “Personal Data” means data about an identified or identifiable individual that is received by Company in the U.S. from the EEA, Switzerland, or the UK, recorded in any form, and within the scope of Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”), the Swiss Federal Data Protection Act, or the UK Data Protection Act 2018, respectively. Please also see our EEA and UK Data Protection Notice available on our website.

This Policy applies to, and is limited to, the processing of identifiable Personal Data that Company receives in the U.S. that was collected from Data Subjects (as defined below) who reside in the EEA, UK or Switzerland. When Company processes Personal Data, it does so only for the purpose of providing services.

This Policy does not cover data from which individuals can no longer be identified, whether or not that data was derived from Personal Data.

Defined Terms

Capitalized terms in this Policy have the following meanings:

"Data Subject" means an identified or identifiable natural living person who is also a resident of Switzerland, the EEA or the UK. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to that person’s physical, physiological, mental, economic, cultural or social identity.

"Personal Data" means data that personally identifies or may be used to personally identify a Data Subject. Personal Data includes Sensitive Data (defined below) as well as an individual’s name, country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password and identification numbers. Personal Data does not include data that has been anonymized so that it can no longer be linked, directly or indirectly, to a Data Subject, or publicly available information not combined with Personal Data.

"Sensitive Data" means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation or trade union membership.

"Third Party" means any individual or entity that is neither Company nor a Company employee, agent, contractor or representative.

Collection and Use of Personal Data

Company may receive Personal Data concerning Data Subjects: (1) directly from the Data Subject, (2) from Third Parties, or (3) through other means.

A. How and Why We Collect Personal Data

Contact Information. When a Data Subject contacts us to utilize our services, Company may collect that Data Subject’s contact information, including name, telephone number, e-mail address and street address, in order to provide the requested services.

Behavioral Health Information. In order to provide a Data Subject with behavioral health services, Company may collect behavioral health information about Data Subjects, including behavioral health history and current concerns.

Inquiry-related Information. When a Data Subject contacts us to inquire about, request or receive information or services from Company, we may collect certain Personal Data in order to provide the requested information or services or to otherwise respond to the inquiry.

Employment Information. In order to determine a Data Subject’s eligibility for our services, to pay providers for services, to bill for our services, or for other related purposes, we may collect information related to a Data Subject’s employment, such as employer name, address, and phone number.

Information Provided Online. When a Data Subject registers on our websites (www.compsych.com or www.guidanceresources.com) or submits information online to inquire about or receive information or services from Company, we may ask the Data Subject to submit certain Personal Data. The uses of such data are set out in our online Privacy Policy and Terms of Use located on our website, which are incorporated by reference into this Policy.

Other Information. In the course of conducting our business operations or pursuing our legitimate business interests, we collect information that may incidentally include Personal Data.

B. Creation of Anonymous Data

We may create Anonymous Data records from Personal Data by removing the elements (such as the Data Subject’s name, contact details and identification numbers) that make the data personally identifiable, so that the Data Subject can no longer be identified, directly or indirectly, from the resulting records. We use this Anonymous Data to analyze usage patterns and enhance our services. Company reserves the right to use Anonymous Data for any purpose and to disclose Anonymous Data to Third Parties in its sole discretion.

C. How We Use Personal Data

Company uses Personal Data for legitimate business purposes, including without limitation: (a) to provide requested services or information to Data Subjects, including behavioral health services and other related services; (b) to manage and administer employee assistance programs, behavioral health programs, work-life services, and health and wellness programs; (c) to communicate with Data Subjects; (d) to provide customer service or technical support; (e) to assess and improve the quality of our website, products, services and business operations; (f) to satisfy governmental reporting and tax requirements; (g) to address security, health, and safety concerns; (h) to plan and implement potential acquisitions and mergers; and (i) for other business-related purposes permitted or required under applicable local laws and regulations.

Right to Access, Change or Delete Personal Data

Upon reasonable request, and to the extent the request does not compromise the protections set forth in this Policy, Company allows EEA, UK and Swiss Data Subjects reasonable access, in accordance with applicable laws and regulations, to their Personal Data that Company may maintain. Individuals may request that Company correct, amend or delete such data where it is inaccurate. Company will grant such requests, except where doing so would cause unreasonable burden or expense, or pose a risk to such individual’s privacy.

If a Data Subject wishes to access, change, or delete their Personal Data held by Company, requests should be sent to the Company’s Privacy Official at:

ComPsych Corporation,
455 N. Cityfront Plaza Drive, 13th Floor,
Chicago, IL 60611, U.S.A.,
Attn: Privacy Official

or via email at: privacyofficial@compsych.com.

Company will endeavor to respond in a timely manner to all reasonable requests.

Right to Opt-out/Opt-in

Data Subjects have the right to opt-out of:

(1) any transfer of their Personal Data to a Third Party not identified at the time of collection or subsequently authorized; and

(2) uses of Personal Data for a materially different purpose from the purpose for which it was originally collected.

Sensitive Data

Data Subjects have the right to opt-in to allow collection of Sensitive Data. Except as stated otherwise herein, Company does not process or disclose Sensitive Data to Third Parties without the express consent of Data Subjects. Further, Company does not use Sensitive Data for any purpose other than (i) for the purpose for which it was originally provided by the Data Subject, (ii) for a purpose later expressly consented to by the Data Subject, or (iii) for an exception expressly noted below.

Notwithstanding the above, Company may use or disclose Sensitive Data (and other Personal Data) without prior express consent where such disclosure or use: (a) is in the vital interests of the Data Subject or another person; (b) is necessary for the establishment of legal claims or defenses, to obtain legal advice, or for the purposes of establishing, exercising or defending Company’s legal rights; (c) is required to provide behavioral and medical care or diagnosis; (d) is necessary to carry out Company’s obligations under applicable employment, workers’ compensation, public health or other laws; (e) is necessary for specified public health activities and purposes; (f) is data manifestly made public by the Data Subject; (g) is required by law enforcement officials or public authorities in response to a lawful request made pursuant to national security interests or law enforcement requirements; or (h) as otherwise required or permitted by law.

If a Data Subject wishes to exercise their rights under this section, requests should be sent to the Company’s Privacy Official at:

ComPsych Corporation,
455 N. Cityfront Plaza Drive, 13th Floor,
Chicago, IL 60611, U.S.A.,
Attn: Privacy Official

or via email at: privacyofficial@compsych.com.

Company will endeavor to respond in a timely manner to all reasonable requests.

Confidentiality and Security of Personal Data

Company maintains reasonable physical, administrative and technical safeguards designed to secure Data Subjects’ Personal and Sensitive Data, and to prevent unauthorized access to such information. For example, all customer communication and files in digital format are stored on a secure network, accessible only by approved staff. All critical systems and servers are separately housed within Company's secure facilities and are accessible only by authorized personnel. Company takes precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration, and destruction. Company periodically performs network backups; all backup files are stored offsite and are handled by authorized personnel only.

Despite these precautions, however, no data security safeguards are foolproof. Identity thieves, hackers and other unauthorized individuals may find ways to obtain Personal Data. Although this is unlikely, if Company learns that any Personal Data was obtained without authorization and there is a risk of fraud or identity theft, Company will notify the affected Data Subject(s) and take steps to mitigate harm.

Data Integrity and Purpose Limitation

Company will limit the collection of Personal Data to that which is necessary to provide services and for compatible purposes. Company will use reasonable efforts to maintain the accuracy and integrity of any Personal Data it receives and to update it as appropriate. Personal Data is retained only for as long as is necessary to provide services or for compatible purposes, such as to provide additional services, to comply with legal requirements, or to preserve or defend Company’s legal rights.

Onward Transfers of Personal Data

Except as otherwise provided herein, Company discloses Personal Data only to those Third Parties who reasonably need to know such data for a legitimate business purpose, such as those who are engaged by us to provide a Data Subject with services. Such recipients must agree to abide by confidentiality obligations consistent with the DPF Principles.

Company may also provide Personal Data to Third Parties who act as agents to perform tasks on behalf of and under the instructions of Company. Such Third Parties must agree: (1) to use such Personal Data only for the purposes for which they have been engaged by Company; (2) either (a) to comply with the DPF Principles for transfers and processing of Personal Data, or (b) to provide protections for Personal Data that are no less protective than those set out in this Policy; and (3) to notify Company if the Third Party is no longer able to provide the required protections. Company may allow exceptions to this policy, permitting Personal Data to be disclosed, when a Data Subject has consented to the disclosure.

If Company learns that one of its data processors/service providers is using or disclosing Personal Data in a manner contrary to this Policy, Company will take necessary steps to prevent or stop the use or disclosure. Company acknowledges its potential liability in cases of its onward transfer of Personal Data to third parties that do not meet the criteria set forth in the immediately preceding paragraph.

Company may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Recourse, Enforcement & Liability

In compliance with the DPF Principles, ComPsych commits to resolve complaints about a Data Subject’s privacy and Company’s collection or use of Personal Data transferred to the United States pursuant to this Policy.

Individuals in the EEA, UK or Switzerland with DPF inquiries or complaints should first contact Company’s Privacy Official at: ComPsych Corporation, 455 N. Cityfront Plaza Drive, 13th Floor, Chicago, IL 60611, U.S.A., Attn: Privacy Official, or via email at privacyofficial@compsych.com.

Company has further committed to refer unresolved privacy complaints under the DPF Principles to the American Arbitration Association, a non-profit alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://go.adr.org/dpf_irm.html for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, then, under certain conditions, you may invoke binding arbitration for some residual claims not otherwise resolved by other redress mechanisms. For more information about binding arbitration, see the DPF Program Arbitration Procedures available at www.dataprivacyframework.gov.

Company retains sole and absolute discretionary authority to resolve all questions relating to the administration, interpretation and application of this Policy. This authority includes interpreting the terms of this Policy, including any disputed or doubtful terms.

Company is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

For More Information

Data Subjects with questions about how Company processes Personal Data should contact Company’s Privacy Official.

Changes to this Policy

Company may amend this Policy from time to time. Company will only amend this Policy in a manner consistent with DPF Principles and other applicable law. Changes to the Policy will be posted on Company’s website. Data Subjects should check Company’s website regularly for any changes to this Policy.

Effective Date: October 11, 2017 (Rev. January 30, 2020, Rev. August 2023)