Dechen Consulting Group, Inc.(“DCG”) has adopted this Privacy Policy (“Policy”) to establish and maintain an adequate level of Personal Data privacy protection. This Policy applies to the processing of Personal Data that DCG obtains from customers located in the European Union.
DCG complies with the US-EU Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from Customers in the European Union member countries. DCG certifies that it adheres to the Privacy Shield Privacy Principles of notice, choice, and accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Privacy Principles, the Privacy Shield Privacy Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov.
The Federal Trade Commission (FTC) has jurisdiction over DCG’s compliance with the Privacy Shield.
All DCG employees and associates within all corporate entities including subsidiaries who handle Personal Data from Europe are required to comply with the Principles stated in this Policy.
1. SCOPE
This Policy applies to the processing of Individual Personal Data that DCG is provided access to, concerning Individual Customers who reside in the European Union. DCG is given access to this information as part of provision of services to businesses and consumers in the EU region.
2. TERMS AND DEFINITIONS
Some of the Key terms in this Policy and their intended and designated meanings are given below:
“Individual Customer” means an Individual customer or client of DCG. The term also shall include any individual agent or representative of an individual customer of DCG as part of its business relationship with DCG. This term also include all employees of DCG, including permanent and temporary staff, where DCG has obtained his or her Personal Data as a part of the employment and/or contractual relationship.
“Customer” means any corporate customer or client of DCG under contractual agreement. As per the contractual agreement, DCG might be given access to their data including Personal Data as a part of fulfilment of the Service Scope and Commitments.
“Data Subject” means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics.
“Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of DCG or any of its affiliates or subsidiaries, who is also a resident of a country within the EU.
“Personal Data” as defined under the European Union Directive 95/46/EC means data that personally identifies or may be used to personally identify a person, including an individual’s name in combination with country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password, and identification numbers. Personal Data does not include data that is de-identified, anonymous, or publicly available. “Sensitive Data” means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership.
“Third Party” means any individual or entity that is neither DCG nor a DCG employee, agent, contractor, or representative.
3. RESPONSIBILITIES AND MANAGEMENT
DCG has designated a Data Protection Officer (DPO) to oversee its Privacy and compliance aspects, including its compliance with the EU Privacy Shield program. The DPO shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to privacyshield@dcg-us.com.
DCG will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. DCG personnel will receive training, as applicable, to effectively implement this Policy.
4. RENEWAL / VERIFICATION
DCG will renew its EU Privacy Shield Certification annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.
Prior to the re-certification, DCG will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of HR and Non-HR Personal Data are accurate and that the company has appropriately implemented these practices.
Specifically, as part of the verification process, DCG will undertake the following:
- Review this Privacy policy and its publicly posted Privacy Policy to ensure that these policies accurately describe the practices regarding the collection and processing of Individual Customer Personal Data
- Ensure that the publicly posted Privacy Policy informs Individual Customers of DCG’s participation in the EU Privacy and where to obtain a copy of additional information (e.g., a copy of this Policy)
- Ensure that this Policy continues to comply with the Privacy Shield principles
- Confirm that Individual Customers are made aware of the process for addressing complaints and any independent dispute resolution process (DCG may do so through its publicly posted website, Individual Customer contract, or both)
- Review its processes and procedures for training Employees about DCG’s participation in the Privacy Shield program and the appropriate handling of Individual’s Personal Data
DCG will prepare an internal verification statement on an annual basis.
5. COLLECTION AND USE OF PERSONAL DATA
DCG serves as a service provider to our global customers. Our Service to our customers includes building, implementing and supporting commercial and reporting applications used by their employees globally, including Europe.
In our capacity as a service provider, we have access to, and process Personal Data stored in customer’s systems. In such cases, we act as a data processor and process personal information on behalf of and under the direction of our customers.
The information that we access in this capacity is used providing services to our Customer, and as governed by our Service contract with them. We do not use/process the data for any other purpose.
DCG uses Personal Data that it is provided access to, in its role as a service provider for the following business purposes, without limitation:
- maintaining and supporting business applications, delivering and providing requested services, and complying with its contractual obligations related thereto;
- for other business-related purposes permitted or required under applicable local law and regulation;
- and as otherwise required by law.
6. DISCLOSURES / ONWARD TRANSFERS OF PERSONAL DATA
DCG will not disclose Personal Data provided access to by our Customers and Individual Customers to any Third Parties, unless required by contractual obligations and authorized by the customer, and unless otherwise required by the applicable laws and regulations.
7. SENSITIVE DATA
DCG does not collect or process any Sensitive Data from its Customers.
8. DATA INTEGRITY AND SECURITY
DCG uses reasonable efforts to maintain the accuracy and integrity of Personal Data and to update it as appropriate, as required by the scope of service contract with customers.
DCG has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alternation, or destruction.
DCG is also in the process of enhancing the information security of our internal systems and practices through adoption of global security best practices and standards such as ISO/IEC 27001. DCG is also committed to ensuring utmost compliance towards applicable Privacy laws and regulations including GDPR.
9. NOTIFICATION
DCG notifies Customers and individuals about its adherence to the EU-US Privacy Shield through its publicly posted website privacy policy, available at:
http://www.dcg-us.com/ /privacy-policy/
10. ACCESSING PERSONAL DATA
DCG personnel will access and use Personal Data provided by our customers only if they are authorized to do so and only for the purpose for which they are authorized.
11. SMS Consent:
SMS consent and phone numbers will never be shared with any 3rd party for any reason.
12. RIGHT TO ACCESS, CHANGE OR DELETE PERSONAL DATA
While individuals have the rights to access, modify, port, restrict and delete the personal data, DCG as the data processor do not hold any direct role in providing mechanisms for and fulfilling those requests from individuals. These will be managed and fulfilled by our customers who act as data Controllers.
DCG will facilitate and support these processes in whichever way required and feasible, as per our Service and Data processing agreements and contracts with our customers.
13. CHANGES TO THIS POLICY
This Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. We will make changes to this policy either by posting it on our website. We will notify Customers if we make changes that materially affect the way we handle Personal Data previously collected, and we will allow them to choose whether their Personal Data may be used in any materially different manner.
14. QUESTIONS OR COMPLAINTS
EU Individual customers may contact DCG with questions or complaints concerning this Policy at the following address:
15. ENFORCEMENT AND DISPUTE RESOLUTION
In compliance with the US-EU Privacy Shield Principles, DCG commits to resolve complaints about our customers privacy and our collection or use of personal information. EU individuals with questions or concerns about the use of their Personal Data should contact us at: privacyshield@dcg-us.com
If a Customer’s question or concern cannot be satisfied through this process DCG has further committed to refer unresolved privacy complaints under US-EU Privacy Shield to an independent dispute resolution mechanism operated by EU data protection authorities (DPAs)
DCG commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship.