Syntax EU-U.S. Data Privacy Framework Policy

Last modified and effective as of October 1, 2023

SYNTAX, its affiliates and subsidiaries (“SYNTAX” or “Company”) complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) as set forth by the U.S. Department of Commerce (“DOC”) regarding the collection, use, and retention of certain personal data transferred from the European Economic Area (“EEA”) to the United States. SYNTAX has certified to the DOC that it adheres to the EU-U.S. Data Privacy Framework Principles (“DPF Principles”). Company is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”). To learn more about the EU-U.S. DPF program and to view our certification, please visit https://www.dataprivacyframework.gov/.

This Data Privacy Framework Policy (“DPF Policy”) outlines our general policies and procedures for implementing the EU-U.S. DPF and should be read in conjunction with our SYNTAX website Privacy Policy (“Privacy Policy”) www.syntax.com/privacy-policy/. Please note we may amend this DPF Policy as required and consistent with the DPF Principles. If there is any conflict between the terms of this DPF Policy and the DPF Principles, the DPF Principles shall govern. We will post a notice of the material changes at the top of this DPF Policy, on our website homepage, or in our Privacy Policy. Material changes will apply to Personal Data we collect or receive prior to the change unless they reduce the rights of the individuals whose Personal Data is impacted.

 

SYNTAX employees whose Personal Data may be transferred from the EEA to the United States should contact [email protected] to view the HR privacy policy applicable to them.

Definitions. For the purpose of this DPF Policy, the following definitions apply:

Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Categories of Personal Data”’ means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

NOTICE

Categories of Data. We may collect or receive Personal Data transferred from the EEA that includes the following:

  • Personal Data regarding current, former or potential customers and clients including contact information
  • Personal Data regarding vendors and services providers including contact information
  • Personal data collected through use of our website, such as: Your IP address, Your operating system and platform, etc.

How We Use Your Data. In general, we will use the information we receive or collect about you only for the purpose it was collected, for compatible purposes, as permitted or required by law, as necessary to carry out our contractual duties and obligations, and as otherwise provided in this DPF Policy or our  Privacy Policy www.syntax.com/privacy-policy/. For example, we may use your information to:

  • To respond to your requests for information or communicate with you about our professional services and related issues.
  • To provide you with the professional services you have purchased or requested and related support.
  • To manage and administer our business relationship with you.
  • To protect against and prevent fraud, illegal activity, and claims and other liabilities or to assist law enforcement agencies.
  • To investigate and establish a legal claim or defend ourselves against any third-party allegations or claims.
  • For our research and development efforts to evaluate or improve the professional services we provide to you.
  • For other everyday business purposes including financial account management, contract management, IT,  website administration, fulfillment, analytics, corporate governance, reporting and legal compliance.
  • To transfer, as necessary, for our legal, regulatory, auditing, or operational needs.
  • For marketing and advertising purposes.

DATA INTEGRITY AND PURPOSE LIMITATION

We take reasonable steps to limit the collection of your Personal Data to that which is necessary to accomplish the purpose disclosed to you and compatible purposes.

We will take reasonable steps to ensure the Personal Data we collect about you is reliable for its intended use, accurate, complete, and current.

We will retain your Personal Data in an identifiable form only for the period necessary to fulfil the purposes of the processing and subject to our legitimate business needs, unless a longer retention period is required or permitted by law or by the DPF Principles.  We will adhere to the DPF Principles for as long as we retain the Personal Data collected under the EU-U.S. DPF.

CHOICE

Prior to disclosing Personal Data to a non-agent third party, other than those categories of parties identified above, or prior to using that Personal Data for a purpose materially different from the one for which it was collected or authorized, we will permit you to opt out of such disclosure or use, as required by applicable law.

Prior to disclosing Special Categories of Personal Data to a third party, or prior to using that data for a purpose materially different from the one for which it was collected or authorized, we will permit you to affirmatively and explicitly opt into such disclosure or use, as required by applicable law.

ACCESS

You may have additional rights relating to your Personal Data, subject to limitations. Your request may be limited or denied where providing access would be unreasonably burdensome or expensive, where the rights of non-requesting individuals would be adversely affected, or you are unable to present appropriate identification to verify your identity.

Your rights may include the following, where applicable:

  • Access or request a copy of your Personal Data
  • Rectify or amend inaccurate Personal Data we have about you
  • Request deletion of your Personal Data where it has been processed in violation of the DPF Principles

 Exercising your rights. To exercise your rights, you may contact us at [email protected]. Please note you will be required to provide adequate identification to verify your identity. We are not responsible for requests that are not sent by email to the above address or lack sufficient information to identify you or the nature of your request. We require that your request include your:

  • Name
  • Date of birth
  • Address
  • Email address
  • Nature of the request
  • Your relationship with us
  • The date range for the relevant personal data
  • Preference for whether our response should be mailed or emailed to you.

We may request additional information to verify your identity, as necessary.

SAFEGUARDING OF INFORMATION

We take reasonable and appropriate physical, technical, and administrative measures to protect the Personal Data we receive or collect from the EEA to guard against loss, misuse or unauthorized access, disclosure, alteration or destruction. No system for safeguarding Personal Data or other information is 100% secure and although we have taken steps to protect Personal Data, we cannot fully eliminate security risks associated with Personal Data.

ONWARD TRANSFER

In general, we do not sell, trade or otherwise share Personal Data transferred to us from the EEA with unaffiliated third parties except with your consent and/or as described in this DPF Policy, our Privacy Policy, or as required or permitted by law. We may disclose your data for the same reasons that we may use it as described in this DPF Policy, which includes disclosing it to our affiliates and non-affiliated entities, as we deem necessary to carry out those purposes.

  • Third Party Vendors.  We may disclose this data to our third party vendors for reasons including the following:
    • With your consent or as you direct
    • To manage, improve, and optimize our website
    • For IT services, cloud storage
    • To provide you with professional services or offers products, services, information, offers, newsletters, promotions, etc.
    • To process payments and requests for products and services
    • To engage in marketing activities, such as sharing personal information with our partners to deliver advertisements to our shared customers
    • To enhance our services by, among other methods, obtaining assistance with providing more personalized services to you through analytics and other technologies (including, but not limited to, data storage, maintenance services, database management, web analytics and payment processing)
    • To protect our interests and legal rights, such as through responding to subpoenas and defending litigation
    • To protect against and prevent fraud, illegal activity, and claims and other liabilities
    • To provide relevant training

We endeavor to choose affiliates and non-affiliate companies with similar standards to ours regarding the protection of data and who are either subject to a law providing an adequate level of privacy protection or have agreed to provide an adequate level of protection. These companies are generally not authorized to use the information we disclose to them for any other purpose.

We remain liable for the failure of a third party who processes Personal Data on our behalf to comply with the DPF Principles unless we are able to demonstrate that we are not responsible for the event giving rise to the damage.

  • Clients. We may disclose Personal Data transferred from the EEA to clients as needed to perform under our services agreement.
  • Legal Process, Security, Defense, Protection.  We may disclose data about you to a public authority or if required by law, subpoena, or other legal process including for national security or law enforcement.  Additionally, we may disclose data about you if we have a good faith belief that disclosure is reasonably necessary to:
  • demonstrate our relationship with you;
  • investigate, prevent, or take action regarding suspected or actual illegal activities or to assist law enforcement agencies;
  • investigate and establish a legal claim or defend ourselves against any third-party allegations or claims.
  • Change in Control or Sale.  We may share, sell, assign, or license your Personal Data in connection with certain business transactions, such as a sale, acquisitions, merger, or change in control, or in preparation for any of these events. In such cases, we will take appropriate steps under the circumstances and to the extent possible to ensure that the recipient agrees to provide privacy protections substantially similar to those established by this DPF Policy.  Any entity that acquires all or substantially all of the Company’s assets will have the right to continue using your data consistent with this DPF Policy or as otherwise agreed to by you.

RECOURSE, ENFORCEMENT AND LIABILITY

In compliance with the DPF Principles, we are committed to resolving complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our DPF Policy should first contact our Head of Legal at [email protected]

Further we have committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved EU-U.S. DPF complaints concerning data transferred from the EU.

In the event we are unable to satisfactorily resolve your complaint you may contact the following organizations to assist you in resolving your complaint:

EU Data Protection Authorities

Under certain circumstances, you may invoke binding arbitration to determine whether SYNATX has violated its obligations to you under the DPF Principles and whether any such violation remains fully or partially unremedied (“residual claims”).  Please follow this link for additional information. https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2 [dataprivacyframework.gov].

CONTACT INFORMATION

If you have questions or would like additional information, please contact us at [email protected].