Privacy Notice | Effective July 20, 2022

OneTrust Privacy Notice

 

Introduction

OneTrust LLC (“OneTrust,” “we,” or “us”) offers a privacy, security, and governance platform and hosts and attends events globally. This Privacy Notice (“Notice”) covers the personal information that OneTrust, its subsidiaries and affiliates located worldwide within the OneTrust family of companies (“Affiliates”) collect through onetrust.com and other websites (e.g., convercent.com, dataguidance.com, planetly.com, privacyconnect.com, redacted.ai, tugboatlogic.com) (individually, “Website” and collectively the “Websites”), applications, products, and services owned or controlled by OneTrust or Websites that post a link to this Notice. In this Notice, personal information means information that (either in isolation or in combination with other information) enables you to be directly or indirectly identified (“Personal Information”). Please note that this Notice does not cover the handling of Personal Information when OneTrust or our Affiliates are processing Personal Information on behalf of our customers e.g., Personal Information submitted by individuals for processing through the platforms hosted by OneTrust or our Affiliates for the purposes of providing a service to our customers is not covered by this Notice.

 

This Notice aims to inform you about how we collect, use, disclose and store Personal Information in our role as a controller of Personal Information when you:

 

  • Interact or use our Websites, including when you download materials from our resources page or request a demo.
  • Register and/or attend our events (e.g., PrivacyConnect and Converge by Convercent), conferences, or webinars (collectively “Events”).
  • Provide your Personal Information for the purposes of administering our services and managing our relationship with you in any manner (collectively the “Services”) e.g. setting up an account or collecting your Personal Information to process an invoice for accounting purposes.

 

Personal Information OneTrust collects

 

Personal Information you provide to us:

 

From Websites or Events: We may collect Personal Information that you choose to send to us or provide to us, for example, on our “Request a Demo” (or similar) online form, when you interact with a chat bot in one of our Websites, or if you register for any Events. If you contact us through the Websites, we will keep a record of our correspondence.

 

From the Services: We receive and store the Personal Information you provide directly to us. For example, when setting up new users, we collect Personal Information, such as name, e-mail address, postal address, phone number, job title, etc. We may collect and store media, documents, or other information you provide to us. We collect commercial information, such as records of the purchased Services or information related to requests for demos.

 

Our customers will typically act as data controllers for any Personal Information related to them or Personal Information that third parties upload in our systems, products, and applications in connection with the provision of our Services. OneTrust will typically act as a data processor in accordance with applicable Service and/or data processing agreements (“Agreement/s”). Further information, including specific obligations of the data controller and processor, can be found in the Agreements.

 

Personal Information we automatically collect:

 

When you use the Websites:

 

When you visit our Websites, we collect Internet or other electronic network activity information through the use of cookies and other trackers. Depending on your tracking preferences, the information we collect may include but is not limited to your device’s Internet Protocol (“IP”) address, referring website, what pages your device visited, and the time that your device visited our Website. We may also rely on analytics and tools used to prevent spam and other security risks related to the use of abusive automated software. You can choose your preferences with regard to cookies and other trackers by accessing the preference centre on our Websites. Visit our Cookie Notice for more information on the types of cookies and other trackers we use on our Websites.

 

For further information please visit the OneTrust Cookie Notice.

 

When you use the Services:

 

Internet or other electronic network activity information may also be collected when you use the Services:

 

  • Usage information – we keep track of user activity in relation to the types of Services our customers and their users use, the configuration of their computers, and performance metrics related to their use of the Services.
  • Log information – we log information about our customers and their users when they use one of our Services, including their IP addresses.
  • Information collected by cookies and other similar technologies – we use various technologies to collect information, including saving cookies to users’ computers.
  • Customer feedback – While using the Services, you may be asked to provide feedback (e.g., in the software directly or after receiving help from our support team). Providing this feedback is entirely optional.

 

Information we collect from trusted third parties:

 

If your Personal Information has been collected as (i) you interacted or used our Website, (ii) you registered and/or attended our Events, and/or (iii) part of the Services, your Personal Information, as stored in our CRM service provider, may be enriched or updated to ensure it is accurate and up to date, and achieves the purpose for which it was originally collected. Please note that the information used to enrich and update your Personal Information, as obtained from the use of third parties’ data sets, does not constitute Personal Information, but merely amounts to data elements related to your organization’s name, structure, industry, and similar attributes.

 

Please note that we may also obtain non-personal information related to your organization’s name, structure, industry, and similar attributes through the use of third parties’ data sets, for the purpose of enriching or updating your Personal Information we already hold.

How and on what grounds do we use your Personal Information?

Personal Information we collect directly from you on our Websites or Events:

 

We will use the Personal Information we collect through our Websites:

 

  • To administer our Websites, our Events, and for internal operations, including troubleshooting, data analysis, testing, statistical and survey purposes.
  • To improve our Websites to ensure that content is presented most effectively for you and your device.
  • For trend monitoring, marketing, and advertising.
  • For purposes made clear to you at the time you submit your Personal Information, for example, to fulfill your request for a demo, to provide you with access to one of our webinars or whitepapers, or to provide you with information you have requested about our Services.
  • As part of our efforts to keep our Websites secure.

 

Our use of your Personal Information may be based on our legitimate interests to ensure network, information security, and business performance improvement. Our direct marketing purposes are based on your consent (for example when you request a demo, contact us directly, provide us your business card, agree to receive communications after an Event, and similar circumstances). We may also rely on our legitimate interests to improve business and marketing practices or contact you to offer similar Services or products that you may have bought from us, requested a demo, or negotiated with us.

 

Personal Information we collect directly from you as part of the administration of our Services:

 

We may use the Personal Information we collect from our customers and their users in connection with the Services we provide for a range of reasons, including to:

 

  • Set up a user account.
  • Provide, operate and maintain the Services.
  • Process and complete transactions, and send related information, including transaction confirmations and invoices.
  • Manage our customers’ use of the Services, respond to inquiries and comments, and provide customer service and support.
  • Send customers technical alerts, updates, security notifications, and administrative communications.
  • Investigate and prevent fraudulent activities, unauthorized access to the Services, and other illegal activities.
  • For any other purposes about which we notify customers and users.
  • Cookies: When OneTrust customers access their tenants hosted in the Cloud we use strictly necessary cookies and other trackers to provide authentication tools, enhance security, and prevent fraud. The OneTrust apps (the “Apps”) are the sub-domains of our Websites. Therefore, the preferences signaled on our Websites (through the cookies banner and preference centre) will be reflected on the Apps. For example, if you choose to accept analytics cookies on one of our Websites, these will be active in the Apps unless you modify your choices by resurfacing the preference center. For more information about our use of cookies and other trackers visit the OneTrust Cookie Notice.

 

We use your Personal Information in this context based on the Agreement that we have in place with you or our legitimate interests, typically, either for security purposes or business practice improvement (e.g., the prevention and investigation of fraudulent activities).

 

Provision of Personal Information in these instances may be necessary to enable our proper execution of the Agreement. Failure to provide Personal Information may cause some services to become unavailable. Personal Information will be deleted based on the terms of the Agreement that we have in place with you.

 

Enterprise Data Analytics:

 

If your Personal Information has been collected (i) directly from you on our Websites or Events, and/or (ii) as part of the administration of our Services, your Personal Information may be used for the purposes of enterprise data analytics, depending on the scope and purpose of the analysis.

How do we share and disclose Personal Information to third parties?

 

We share, disclose, and obtain information, including Personal Information, about our customers in the following limited circumstances:

 

Vendors, consultants, and other service providers:

 

We may share your Personal Information with third-party vendors, consultants, and other service providers we employ to perform tasks on our behalf. These companies include (for example) our payment processing providers, website analytics companies (e.g., Google Analytics), tools used to prevent spam and other security risks related to the use of abusive automated software (e.g., Google reCAPTCHA), online activities, product feedback or help desk software providers (e.g., Salesforce), CRM service providers (e.g., Salesforce), email service providers (e.g., SendGrid) and others.

 

If OneTrust receives your Personal Information in the United States and subsequently transfers that information to a third party agent or service provider for processing, OneTrust remains responsible for ensuring that such third party agent or service provider processes your Personal Information to the standard required by the applicable privacy laws, including the GDPR. These transfers will typically be based on our legitimate interests or agreed upon in the Agreement. For further information please see the International data transfers section below.

 

Event sponsors:

 

When you attend PrivacyConnect, we share your contact details with the Event sponsor/s unless you opt out. You may opt out at any time by submitting a request.

 

When you attend TrustWeek, we ask your preferences on sharing your contact details with the Event sponsor/s. Based on your choice, we may share your contact details (such as your name, email address, company name, and phone number) with the Event sponsor/s. If you’d like to opt-out of sharing your details with sponsors, you can always choose not to consent at the time of registration or by submitting a request thereafter.

 

Business transfers:

 

We may choose to buy or sell assets and may share and/or transfer customer information, including Personal Information, in connection with the evaluation of and entry into such transactions and based on our legitimate interests. Also, if we or our assets are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information may be one of the assets transferred to or acquired by a third party.

 

OneTrust group companies:

 

We may also share your Personal Information within the OneTrust family of companies for purposes consistent with this Notice and based on our legitimate interests.

 

Protection of OneTrust and others:

 

We reserve the right to access, read, preserve, and disclose any Personal Information as necessary to i) comply with a law or a court order, ii) enforce or apply our Agreements with you and other agreements, or iii) protect the rights, property, or safety of OneTrust, our employees, our users, or others.

 

Disclosures for national security or law enforcement:

 

Under certain circumstances, we may be required to disclose your Personal Information in response to valid requests by public authorities, including to meet national security or law enforcement requirements, based on our legitimate interests or legal obligations.

 

For how long do we store your Personal Information?

 

We store your Personal Information for different time periods depending on the category of Personal Information. Some information may be deleted automatically based on specific schedules, such as marketing information. Other information e.g. account information, may be retained for a longer period of time based on the Agreement you have with us. Finally, we may further retain information for business practices based on our legitimate interests or legal purposes, such as network improvement, fraud prevention, record-keeping, or enforcing our legal rights.

 

Security and certifications

 

We use appropriate technical, organizational, and administrative security measures to protect any Personal Information we store from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

 

For an updated list of all our certifications and security reports, please refer to the following table:

 

logo ISO/IEC 27001:2013
ISO/IEC 27701:2019
SOC 2 Type 2
TISAX VDA ISA v4.1
PCI DSS v3.2.1
logo ISO/IEC 27001:2013
SOC 2 Type 2
HITRUST CSF v9.2
NIST CSF v1.0
The Security Assurance Platform - Tugboat Logic SOC 2 Type 2
ISO27001

 

No company or service can guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user’s Personal Information at any time. Among other practices, your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

 

Your privacy rights

 

What choices do I have?

 

You can always opt not to disclose information to us, but keep in mind that some information may be needed to register with us or take advantage of some features of our Services or products.

 

Marketing communications:

 

You can opt out of receiving certain promotional or marketing communications from us at any time by using the unsubscribe link in the email communications we send, or by filling out this request form. Please note that if you have an account with us and you opt out of receiving promotional and marketing related communications from us, we may continue to send you non-promotional communications, e.g. service-related emails.

 

Cookies:

 

You can change your preferences with regards to the cookies and other trackers at any time by clicking on the persistent cookie icon at the bottom of the screen on all our Websites.

 

How can I exercise my privacy rights?

 

If you would like to access, review, update, rectify, and delete any Personal Information we hold about you, or exercise any other data subject right available to you under the EU General Data Protection Regulation (GDPR), including the right to request a copy of standard contractual clauses, you can either click the “Exercise your Rights” link located on the top left corner of this Notice or fill out this request form. Our privacy team will examine your request and respond to you as quickly as possible. Please note that we may still use any aggregated and de-identified Personal Information that does not identify any individual and may also retain and use your Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our Agreements.

 

We remind you that you have a right to lodge a complaint with a supervisory authority should you feel unsatisfied with our treatment of your Personal Information. For more information, you can visit the Information Commissioner’s Office website at www.ico.org.uk.

 

California residents: California residents have specific rights under the California Consumer Privacy Act (‘CCPA’). For more information and to exercise your rights, please see the section titled The California Consumer Privacy Act below.

 

Residents of the European Economic Area or the United Kingdom: If you are a resident of the European Economic Area or the United Kingdom, please see the section titled Additional Information for users in the European Economic Area and the United Kingdom below for further information about your privacy rights.

 

International data transfers

 

OneTrust is a company operating globally. Therefore, Personal Information of individuals who visit our Websites and/or who use our Services or otherwise interact with us may be transferred and accessed from around the world, such as from countries where OneTrust, its Affiliates, or our service providers operate.

 

We will always protect your Personal Information in accordance with this Notice wherever it is processed. OneTrust does not voluntarily or actively transfer or disclose our customers’ Personal Information to the government or law enforcement authorities (the “Authorities”) and/or otherwise grant any Authorities access to your Personal Information. In the event of a request from the Authority, we have procedures and controls in place to make sure that any such request is assessed according to the procedure outlined in our Transparency Report.

 

Information for users in the European Economic Area (“EEA”) or in the United Kingdom (“UK”):

 

Operating globally, OneTrust LLC may transfer Personal Information from the EEA or the UK to the United States and other countries, including Personal Information we receive from individuals residing in the EEA or the UK who visit our Websites and/or who may use our Services or otherwise interact with us. Please note that the term Personal Information used in this Notice is equivalent to the term “personal data” under applicable European and UK data protection laws for individuals located in the EEA or the UK.

 

When OneTrust LLC engages in such transfers of Personal Information, it relies on:

 

  • Adequacy Decisions, as adopted by:
    • European Commission, based on Article 45 of Regulation (EU) 2016/679 (GDPR)
    • UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018; or
  • Standard Contractual Clauses (if you are a OneTrust customer, to access our standard customer SCCs please visit https://www.onetrust.com/legal-sccs/), as issued by:
    • European Commission
    • Information Commissioner’s Office (ICO)

 

The European Commission and the ICO have determined that the above Standard Contractual Clauses may provide sufficient safeguards to protect personal data transferred outside the EEA and the UK. For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.

 

OneTrust LLC performs transfer impact assessments and continually monitors the circumstances surrounding such transfers to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the European and UK data protection laws.

 

The “Schrems II” judgment

 

Following i) invalidation of the EU-US Privacy Shield Framework in Case C-311/18 by the Court of Justice of the European Union and ii) the opinion of the Swiss Federal Data Protection and Information Commissioner (FDPIC) of 8 September 2020, OneTrust no longer relies on i) the EU-US Privacy Shield and ii) the Swiss-U.S. Privacy Shield Frameworks as mechanisms of international data transfer, until further notice.

 

However, OneTrust LLC remains committed to maintaining its self-certifications under the EU-US Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks and complying with their Privacy Shield Principles, as an additional measure of protection of its users’ privacy, until further notice.

 

Additional privacy measures for users in the European Economic Area (“EEA”), United Kingdom (“UK”), and Switzerland

 

OneTrust LLC complies with the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of Personal Information transferred to the US from European Union member states, the UK, and Switzerland. OneTrust LLC has certified to the U.S. Department of Commerce that it adheres to the EU-US and Swiss-US Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability with respect to such Personal Information. If there is any conflict between the policies in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

 

In compliance with the EU-US Privacy Shield and Swiss-US Privacy Shield Principles, we are committed to resolving complaints about your privacy and our collection or use of your Personal Information. Individuals located within the EEA, the UK, or Switzerland with inquiries or complaints regarding this Notice should first contact OneTrust at: Linda Thielová, Data Protection Officer, [email protected]. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of Personal Information within 45 days of receiving your complaint.

 

OneTrust has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield and Swiss-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. This service is provided free of charge to you.

 

Under certain limited circumstances, individuals in the EEA, the UK, and Switzerland may invoke binding Privacy Shield arbitration as a last resort, if all other forms of dispute resolution (discussed above) have been unsuccessful. To learn more about this resolution method and its availability to you, please visit https://www.privacyshield.gov/.

 

OneTrust LLC is subject to the jurisdiction of the U.S. Federal Trade Commission for purposes of Privacy Shield enforcement.

 

Additional resources:

 

Additional information for California consumers – The California Consumer Privacy Act

 

Under the California Consumer Privacy Act (the ‘CCPA’), California residents have certain rights regarding the Personal Information that businesses have about them. This includes the rights to request access or deletion of your Personal Information, as well as the right to direct a business to stop selling your Personal Information.

 

Personal Information disclosed for business purposes:

 

OneTrust shares and has shared in the preceding 12 months Personal Information as necessary for a specific “business purpose,” as defined by the CCPA (Cal. Civ. Code 1798.140(d)) and specified in the section “How do we share and disclose information to third parties?” This includes sharing personal identifiers, commercial information, internet or other electronic network activity with payment processing providers, customer relationship management, consulting, email, product feedback, and helpdesk services. While OneTrust does not sell Personal Information in exchange for any monetary consideration, we do share Personal Information for other benefits that could be deemed a “sale,” as defined by the CCPA (Cal. Civ. Code 1798.140(t)(1)). This includes sharing personal identifiers, commercial information, and internet or other electronic network activity with advertising networks, website analytics companies, and event sponsors. OneTrust does not sell Personal Information of consumers who are under 16 years of age.

 

The CCPA rights

 

Right to opt-out of sale:

 

While OneTrust does not sell personal information in exchange for any monetary consideration, we do share Personal Information for other benefits that could be deemed a “sale,” as defined by the CCPA (Cal. Civ. Code 1798.140(t)(1)). We support the CCPA and wish to provide you with control over how your Personal Information is collected and shared.

 

You have a right to direct OneTrust not to sell your Personal Information. Click here to learn more and to exercise your right to opt-out. With respect to cookies, you can always customize your settings at any time. Please note that we may still use aggregated and de-identified Personal Information that does not identify you or any individual. We may also retain Personal Information as needed to comply with legal obligations, enforce Agreements, and resolve disputes.

 

Right to request disclosure:

 

You have the right to request disclosure about what categories of Personal Information OneTrust has sold or disclosed for a business purpose about you and the categories of third parties to whom the personal information was sold or disclosed. You have a right to request disclosure of specific pieces of Personal Information. Below is a complete list of the Personal Information that you can include in your request.

 

  • The categories of Personal Information that OneTrust has collected about you.
  • The categories of sources from which OneTrust collected the Personal Information.
  • The business or commercial purpose for collecting or selling Personal Information.
  • The categories of third parties with whom OneTrust shares Personal Information.
  • The specific pieces of Personal Information OneTrust has collected about you.
  • The categories of Personal Information that OneTrust disclosed about you for a business purpose.
  • The categories of Personal Information that OneTrust has sold about you, as well as the categories of third parties to whom OneTrust sold your Personal Information.

 

If you would like to exercise your right to request disclosure, please fill out this request form. Our privacy team will examine your request and respond to you as quickly as possible.

 

Right to request deletion:

 

You have the right to request that OneTrust delete any Personal Information about you that OneTrust has collected from you. Please note that there are exceptions where OneTrust does not have to fulfill a request to delete Personal Information, such as when the deletion of information would create problems with completing a transaction or compliance with a legal obligation.

 

If you would like to exercise your right to delete, please fill out this request form. Our privacy team will examine your request and respond to you as quickly as possible.

 

Right to non-discrimination:

 

OneTrust will not discriminate against you (e.g., through denying goods or services or providing a different level or quality of goods or services) for exercising any of the rights afforded to you.

 

How do we handle your requests?

 

We endeavor to respond to a verifiable consumer request within the required timeframes. If we need more time, we will inform you of the reason and extension period in writing. If you submit your privacy request electronically through our request form, we will deliver our written response to the verified email associated with the request. If you did not submit the request with us via the online webform, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain why we cannot comply with a request, if applicable. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

 

California and Delaware “Do Not Track” disclosures

 

California and Delaware law require OneTrust to indicate whether it honors your browser’s “Do Not Track” settings concerning targeted advertising. OneTrust adheres to the standards set out in this Notice and does not monitor or respond to Do Not Track browser requests.

 

Children

 

We do not knowingly collect or solicit Personal Information from anyone under the age of 13. If you are under 13, please do not attempt to register for the Services or send any Personal Information about yourself to us. If we learn that we have collected Personal Information from a child under age 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us their Personal Information, please contact us at [email protected].

 

Linked websites

 

For your convenience, hyperlinks may be posted on the Websites that link to other websites (the “Linked Sites”). We are not responsible for, and this Notice does not apply to, the privacy practices of any Linked Sites or of any companies that we do not own or control. Linked Sites may collect information in addition to that which we collect on the Websites. We do not endorse any of these Linked Sites, the services or products described or offered on such Linked Sites, or any of the content contained on the Linked Sites. We encourage you to seek out and read each Linked Site’s privacy notice to understand how the Personal Information about you is used and protected.

 

Changes to this Notice

 

We are constantly trying to improve our Websites and Services, so we may need to change this Notice from time to time. We will alert you about material changes by, for example, placing a notice on our Websites and/or by sending you an email (if you have registered your e-mail with us) when we are required to do so by applicable law. You can see when this Notice was last updated by checking the date at the top of this page. You are responsible for periodically reviewing this Notice.

 

Contact us

 

For Customers: Please contact the OneTrust entity identified on your order form.

 

Controller’s Contact Information:

 

Atlanta, GA, USA (Co-Headquarters)
1200 Abernathy Rd NE, Building 600
Atlanta, GA 30328
United States
+1 (844) 847-7154
London, England (Co-Headquarters)
82 St John St
Farringdon
London, EC 1M 4JN
+44 (800) 011-9778
Munich, Germany
Mühldorfstraße 8
81671 München
Germany
+049 (0) 89 262 013 995

 

Data Protection Officer:

Linda Thielová

[email protected]

 

If you have questions, requests, or concerns regarding your privacy and rights, please let us know how we can help.

 
