Personal Data Defined
“Personal Data” is any information about an individual that is personally identifiable, including:
- Date of birth;
- Contact information such as mailing address, email address, and phone numbers;
- Personal interests;
- IP address, cookie information, software and hardware attributes; and
- Other general information provided to the Corporation.
Personal Data Collection and Use
- Information Collection. The Corporation collects personal information through several different methods:
  - When customers register with the Corporation;
  - When customers use Corporation products or services, including its website; and
  - When customers visit Corporation pages or the pages of certain Corporation partners.
- Information Use. The Corporation uses the customers’ information for the following general purposes:
  - To gather necessary information to process orders electronically;
  - To customize the advertising and content you see;
  - To fulfill your requests for products and services;
  - To improve our services;
  - To contact you;
  - To conduct research;
  - To provide anonymous reporting for internal and external clients; and/or
  - For any other purpose as may be identified by the Corporation at the time the Personal Data is collected.
Procedures and Safeguards
- Consent. Prior to the collection and processing of Personal Data, Corporation employees shall obtain consent from the customer in a manner appropriate to the context. Generally, such consent is implied from the circumstances in which the customer is providing the information, but when Personal Data is used in ways that are not reasonably implied from the apparent circumstances or when Personal Data is being collected via storing or retrieving any information on a computer, smartphone or tablet, consent shall be obtained orally, in writing, or electronically.
- Disclosures. To provide notice and receive informed consent, disclose the following before collecting Personal Data when it is not otherwise clear from the circumstances:
  - The purpose(s) for which the Personal Data is to be processed or used;
  - The methods by which the Personal Data is to be collected;
  - The scope of Personal Data that may be collected (e.g., types, over what time period, etc.); and
  - The identity of anyone to whom the Personal Data may be disclosed or transferred.
- Consent Not Required. The Corporation need not obtain affirmative consent from the customers in the following limited circumstances:
  - When such consent is implied from the circumstances;
  - When the Personal Data is available and collected from a public source;
  - When the processing is necessary for the performance of a contract to which the customer is a party, or in order to take steps at the request of the customer prior to entering into a contract;
  - When the processing is necessary for compliance with the Corporation’s legal compliance obligations, such as to investigate and protect its legal interests;
  - When the processing is necessary in order to protect the vital interests of the customer, narrowly construed;
  - When processing is necessary for the Corporation’s legitimate business interests, as disclosed to the customer, consistent with the fundamental rights and freedoms of the customer; or
  - Where the intended collection, use, processing, and/or disclosure is otherwise permitted or not precluded by applicable law.
- Withdrawal of Consent. Consent to the collection and use of Personal Data may be withdrawn, subject to contractual and legal restrictions and reasonable notice. If such consent is withdrawn, Corporation employees shall all take reasonable measures to remove the Personal Data from the Corporation’s records and cease use of such Personal Data where possible.
- Data Collection Purposes. Before or at the time of collecting Personal Data, Corporation employees shall:
  - Identify the purposes for which information is being collected;
  - Use the Personal Data solely with the objective of fulfilling those purposes specified and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law;
  - Only retain Personal Data as long as necessary for the fulfillment of those purposes; and
  - Ensure that the Personal Data collected is relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, is accurate, complete, and up-to-date.
- Data Accuracy. The Corporation should use its best efforts to process accurate Personal Data. To this end, customers may make reasonable requests for the correction of any incorrect or misleading Personal Data about them. To the extent reasonably feasible, the Corporation shall, as appropriate, correct or destroy Personal Data that is inaccurate, misleading, or out-of-date. If the requested correction is not made, the request should, to the extent feasible, be noted in the customer’s file or other relevant location, and the reason the change was not made should be explained to the customer.
- Data Security. The Corporation takes reasonable administrative, technical, and physical measures to safeguard against unauthorized processing or use of Personal Data, and against the accidental loss of, or damage to, Personal Data. These measures include:
  - Making available written plans to identify, prevent, detect, respond to, and recover from cybersecurity threats and incidents;
  - Developing security authentication procedures for accessing all systems that store Personal Data;
  - Maintaining patched, up-to-date anti-virus software, firewalls, and other computer security safeguards, and appointing appropriate personnel to be responsible for keeping such safeguards up-to-date;
  - Requiring third-party data processors, vendors and other service providers who will be processing Personal Data to maintain appropriate security measures;
  - Maintaining appropriate records of access to and processing of Personal Data;
  - Auditing Personal Data security at regular intervals (but no less than annually) and recording the results of such audits;
  - Using appropriate protections, such as encryption, to protect Personal Data in transit and when stored on portable computer media, as necessary or appropriate;
  - Utilizing appropriate and secure destruction methods of Personal Data as legally required; and
  - Taking all other reasonable measures as required from time to time by local laws and regulations.
- Sharing Personal Data with Third Parties. The Corporation may share the Personal Data with its corporate affiliates and third parties to the extent such third parties are contractually required to follow the procedures set forth herein, with reasonable exceptions based on the third parties’ need for the Personal Data, or substantially equivalent standards, and to protect Personal Data in accordance with all relevant laws, regulations and rules.
- Confidentiality. Employees and third-party contractors may not disclose information made available on the Corporation’s systems and networks, including to other Corporation personnel, except as expressly authorized by the appropriate manager.
- Incident Reporting and Response. The suspected theft, loss, or unauthorized processing of data, including Personal Data, must be immediately addressed. The Corporation shall take steps to immediately investigate the cause of the security breach and make every effort to contain the breach.
Approval and Amendments
- Approval. This Policy has been adopted by the Corporation and shall be effective until further notice.
- Amendment. This Policy may be amended by the Corporation.