Safe Harbor Policy
Effective August 25, 2015
For purposes of this Policy, the following definitions shall apply:
“Agent” means any third party that uses Personal Data provided by ExecOnline to perform tasks on behalf of or at the instruction of ExecOnline.
“Client” means a person who has provided the requisite personal information to ExecOnline for the purpose of soliciting ExecOnline’s Educational Services and Products.
“Client Personal Data” means Personal Data (defined below) of a Client that ExecOnline collected and processed as part of its Education Services.
“Client Services” means Educational Services and Products. ExecOnline provides organizations and executives with access to elite institutions that each offer world-class instruction across a range of subject areas. We facilitate the ability to work with multiple schools in one of their recognized areas of strength, while also providing uniformity and excellence for the organization and the learner.
“Personal Data” means any information or set of information that identifies or could be used by or on behalf of ExecOnline to identify an individual subject to the EU Data Privacy Directive 95/46/EC, as modified, supplemented and/or replaced. Personal Data does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public Personal Data.
“Sensitive Personal Data” means Personal Data that reveals race, ethnic origin, trade union membership, political opinions or that data which concerns health.
“ExecOnline” means ExecOnline, its predecessors, affiliates, successors, subsidiaries, divisions and groups.
II. SAFE HARBOR
The United States Department of Commerce and the European Commission have agreed on a set of data protection principles (“Safe Harbor Principles”) and frequently asked questions (the “U.S.-EU Safe Harbor Framework”) to enable U.S. companies to satisfy the requirement under European Union law that an adequate level of protection is given to Personal Data transferred from the EU to the United States. The EEA also has recognized the U.S. Safe Harbor as providing an adequate level of data protection (OJL 45, 15.2.2001, p.47). The United States Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland have agreed on a similar set of data protection principles and frequently asked questions (the “U.S.-Swiss Safe Harbor Framework”) to enable U.S. companies to satisfy the requirement under Swiss law that an adequate level of data protection is given to Personal Data transferred from Switzerland to the United States. Consistent with its commitment to protect Personal Data privacy, ExecOnline adheres to the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks. ExecOnline has a Chief Technology and Compliance Officer who assists in ensuring compliance with this Policy and all data security issues. ExecOnline educates its employees concerning compliance with this Policy and has self-assessment procedures in place to assure compliance. ExecOnline’s CEO, CTO and external legal advisors are available to any of its valued employees, Clients, vendors, business partners or others who may have questions concerning this Policy or data security practices. Relevant contact information is provided herein.
ExecOnline will conduct Client Services in accordance with the notice given to and/or the consent obtained from the Client. ExecOnline will not disclose Client Personal Data to third parties other than the Agents. All Personal Data collected by ExecOnline will be used for legitimate business purposes consistent with this Policy.
IV. PRIVACY PRINCIPLES
The privacy principles in this Policy are based on the seven Safe Harbor Principles.
- NOTICE: Where ExecOnline collects Personal Data directly from individuals requesting Educational Services from ExecOnline, it will inform them about the purposes for which it collects and uses Personal Data about them, the types of non-agent third parties to which ExecOnline discloses that information, if any, and the choices and means, if any, ExecOnline offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to ExecOnline, or as soon as practicable thereafter, and in any event before ExecOnline uses the information for a purpose other than that for which it was originally collected. ExecOnline may disclose Personal Data if required to do so by law or to protect and defend the rights or property of ExecOnline. ExecOnline will collect Client Personal Data only in accordance with the notice to and consent given by the Client. Should you have any complaints or inquiries regarding this Policy or the provisions contained herein, please contact ExecOnline’s Chief Technology and Compliance Officer.
- CHOICE: ExecOnline will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Moreover, ExecOnline does not collect Sensitive Personal Data from its Clients. ExecOnline will provide individuals with reasonable mechanisms to exercise their choices should requisite circumstances arise.
- DATA INTEGRITY: ExecOnline will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. ExecOnline will take reasonable steps to make sure that Personal Data is relevant to its intended use, accurate, complete and current.
- TRANSFERS TO AGENTS: ExecOnline will obtain assurances from its Agents that they will safeguard Personal Data consistently with this Policy. Examples of appropriate assurances that may be provided by Agents include: a contract obligating the Agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), Safe Harbor certification by the Agent, or being subject to another European Commission adequacy finding (e.g., companies located in Switzerland). Where ExecOnline has knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Policy, ExecOnline will take reasonable steps to prevent or stop the use or disclosure. ExecOnline holds its Agents accountable for maintaining the trust our employees and Clients place in the company.
- ACCESS AND CORRECTION: Upon request and as part of the Client’s general online profile, ExecOnline will grant individuals reasonable access to Personal Data that it holds about them. In addition, ExecOnline will take reasonable steps to permit individuals to correct, amend or delete information that is demonstrated to be inaccurate or incomplete. Any Client that desires to review or update Personal Data can do so by contacting their ExecOnline account representative.
- SECURITY: ExecOnline will take reasonable and commercially viable precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. ExecOnline protects data in many ways. Physical security is designed to prevent unauthorized access to database equipment and hard copies of sensitive Personal Data. Electronic security measures continuously monitor access to our servers and provide protection from hacking or other unauthorized access from remote locations. This protection includes the use of firewalls, restricted access and encryption technology. ExecOnline limits access to Personal Data and data to those persons in ExecOnline’s organization, or as agents of ExecOnline, that have a specific business purpose for maintaining and processing such Personal Data. Individuals who have been granted access to Personal Data are aware of their responsibilities to protect the security, confidentiality and integrity of that information and have been provided training and instruction on how to do so. ExecOnline will disclose Client Personal Data only to the Client who requested the Client Services and in accordance with the Notice provided by the Client to the Client’s employee and/or the consent given by the Client-employee. Of course, no set of safeguards is 100% secure. This means that, for example, despite our best efforts, an unauthorized access or acquisition of your information could occur. In that case, we will do our best to mitigate harm to you and, where appropriate, notify you of the incident.
- ENFORCEMENT: ExecOnline will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy and the U.S. Department of Commerce Safe Harbor Principles. Any employee that ExecOnline determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.
V. DISPUTE RESOLUTION
Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the ExecOnline Corporate Office at the address given below. ExecOnline will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy. For complaints that cannot be resolved between ExecOnline and the complainant, ExecOnline has agreed to cooperate and comply with the EU Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner to investigate all unresolved complaints.
VI. INTERNET PRIVACY
The practices described in this Policy are current Personal Data protection policies as of August 1, 2015. ExecOnline reserves the right to modify or amend this Policy at any time consistent with the requirements of the Safe Harbor Principles. Appropriate public notice will be given concerning such amendments.
If you have questions about our privacy and security policy, contact us at:
Chief Technology and Compliance Officer
261 Madison Avenue
New York, NY 10016