EXECONLINE PRIVACY POLICY 

Last updated: June 26, 2019    

Your trust matters to us. That is why ExecOnline protects and uses responsibly your personal information, while continuing to deliver the excellent services expected of us. We are committed to protecting your privacy and the security of information that can directly or indirectly be used to identify a natural person (“Personal Data”). ExecOnline has created this privacy policy to explain how we collect, use, share and protect Personal Data (“Privacy Policy”) in its delivery of our programs, courses, sites and services (“Offerings”) or respond to any queries you may have. Please read this policy carefully.

The words “our”, “us”, “we” and “ExecOnline” refer to ExecOnline, Inc. and our affiliates, if any.  For purposes of this policy, “processing” or “process” mean any activity that involves the use of Personal Data, including obtaining, holding, or carrying out any operation or set of operations on the data, organising, amending, retrieving, using, transferring, disclosing, erasing or destroying it. 

Contact Information

If you have any comments or inquiries about this Privacy Policy, or if you would like to update information we have about you or exercise your rights, you may contact us by sending an email to privacy@execonline.com or by sending regular mail to the following address:

ExecOnline, Inc.
860 Broadway, Floor 6
New York New York 10003

Overview

This Privacy Policy addresses the following questions and areas:

1. 1. Does this Privacy Policy apply to you?
   2. What Personal Data does ExecOnline collect?
   3. Does ExecOnline use cookies?
   4. Why does ExecOnline process Personal Data?
   5. Who has access to your Personal Data?
   6. How long will ExecOnline process your Personal Data?
   7. What measures does ExecOnline take to protect your Personal Data?
   8. Where does ExecOnline store or transfer your Personal Data?
   9. What rights can you exercise in relation to your Personal Data?
   10. What if you have questions, requests or complaints?
   11. Will there be updates to this Privacy Policy? 

1.  Does this Privacy Policy apply to you?

• Application. This Privacy Policy applies to you if (i) you are a client or customer of ExecOnline (“Client”) or an  employee participant of a Client (“Client Employees”), (ii) you contact ExecOnline by visiting any of its platforms or websites such as www.execonline.com including any subpages, any current or future social or professional media sites and/or applications (collectively, “Sites”), (iii) you apply for employment using any of the Sites or (iv) you contact ExecOnline or receive contact from it by email or another digital method. References to “you” or “your” in this Privacy Policy will be a reference to all of the above categories.
• No one under 18.   We do not knowingly request, collect or maintain Personal Data from anyone under the age of 18, unless or except as permitted by law. If we learn that Personal Data has been collected from a person under 18 years of age on or through the Sites, then we will take the appropriate steps to cause this information to be deleted. 
• No obligation to provide Personal Data. As a general principle, granting of any consent and the provision of any Personal Data to ExecOnline is entirely voluntary by you. However, there are circumstances where ExecOnline cannot take action without certain Personal Data (e.g., because Personal Data is required to provide the Offerings you have purchased or provide you with access to Offering information and resources before a purchase.

2.  What Personal Data does ExecOnline collect?

In the course of its business activities and providing its Offerings or accessing the Sites, ExecOnline will need to process certain Personal Data. The Personal Data that you provide directly or indirectly to ExecOnline when using our Offerings and/or accessing our Sites includes:

• Contact information.
  This may include your name, gender, company name, work title, personal or work address, e-mail address and phone numbers.

• Financial information.
  This may include your credit card number, payment status and invoice.

• Account information.
  This may include log-in details, including your email address, user name, URL and other information provided through your account.

• User and preference information.
  This may include a personal photo or a video you voluntarily elect to provide in using the ExecOnline Offerings. It may also include, as applicable, Offerings usage and survey information. Other users of the ExecOnline Offerings may provide information about you when they submit content through the ExecOnline Offerings or Sites. For example, a Client administrator may provide your Personal Data when they designate you as a permitted user of the Offerings for your company’s account, or you may be mentioned in a technical support communication initiated by someone else.

• Automatically generated information.
  This may include your IP address, unique device or user identifier, system and browser type, date, time and location stamps, referring website address, content and pages you accessed on our Sites and click-stream information.

• Applicant or employment information.
  Employment-related information includes your indicated job preferences, work history and information provided on applications submitted to us online.

• Other Data.
  “Other Data” is data that generally does not reveal your specific identity or does not directly relate to an individual. We may use and disclose Other Data for any purpose, except where we are not allowed to under Applicable Laws. To the extent Other Data reveals your specific identity or relates to an individual, we will treat Other Data as Personal Data. Other Data includes:

• •  Browser and device data
  •  Data collected through cookies, pixel tags and other technologies
  •  Demographic data and other data provided by you
  •  Aggregated data

• No Special Category Data.
  Unless specifically requested, we ask that you not send us and you not disclose, on or through the Offerings, the Sites or otherwise to us, any special category or sensitive Personal Data (e.g., social security numbers, national identification number, data related to racial or ethnic origin, political opinions, religion, ideological or other beliefs, health, biometrics or genetic characteristics).

3.  Does ExecOnline use cookies?

Yes, ExecOnline uses cookies and similar technologies on its Sites. Through these cookies and other commonly used information-gathering and analytic tools, ExecOnline automatically obtains Personal Data as listed above when you visit our Sites. To learn more about the cookies and similar technologies, please consult our Cookie Policy. 

4.  Why does ExecOnline process Personal Data?

We will only collect and process Personal Data about you where we have lawful bases. Lawful bases include to manage a contractual relationship with you, to comply with legal grounds and/or because we have a legitimate business purpose to do so.

Contract with you.

• The processing is necessary to perform under a Client agreement between you and ExecOnline for provision of our Offerings, including: 

• • creation and management of Client Employee participant accounts, provisioning of the Offerings, registering Client Employees for the Offerings, providing technical support in preparation for and while providing the Offerings;
  • providing identity verification and enabling you to avoid having to re-enter Personal Data on future visits to our Sites or subsequent use of our Offerings;
  • tracking attendance, progress and completion of an Offering;
  • sharing your Personal Data, your performance with an Offering, demographic and survey data with school partners (“Partners”), program instructors or coaches; 
  • providing post-Offering analysis, receiving feedback from you on the Offering and sending notices and other disclosures as required by the Client contract; and
  • during possible dispute resolution.

Legal Grounds.

• The processing is necessary for ExecOnline to comply with our obligations under any and all laws, regulations and sector specific guidelines, including all relevant data protection laws and regulations, to which ExecOnline is subject (“Applicable Laws”), including:
  • compliance with subpoenas or similar court orders and financial reporting obligations;
  • to protect your vital interests or of those of other individuals (e.g. matching names of Clients and Service Providers against denied parties’ lists, or for fraud);
  • to defend against threatened or actual claims;
  • to establish or exercise our legal rights or to protect our or our Partners’ property, including intellectual property;
  • investigate, prevent, or take action regarding illegal or suspected illegal activities; and
  • that necessary for the legitimate interests of ExecOnline, except where such interests are overridden by your interests or fundamental rights and freedoms.
  • Where otherwise appropriate or required, we will ask for your consent.

Business Purposes.

• Where not strictly required or permitted by contractual or legal grounds, ExecOnline will only collect, use or otherwise process Personal Data if the processing falls within the scope of one (or more) of the legitimate business purposes listed below:

• • Response to your requests for ExecOnline information about ExecOnline and its Offerings, your subscription to email communication, blogs and newsletters, event registrations for webcasts, conferences or you agree to participate in surveys. When you send us an email message or otherwise contact us, we may use the information provided by you to respond to your communication and/or as described in this Privacy Policy. We may also archive this information and/or use it for future communications with you where we are legally entitled to do so. Where we send you emails, we may track the way that you interact with these emails (such as when you open an email or click on a link inside an email) for the purposes of optimizing and better tailoring our communications to you.

• • Improvement of ExecOnline Offerings. This includes the analysis, development and improvement of ExecOnline Offerings and Sites, solicitation of your feedback and performance of data analytics.
  • Relationship management and marketing. This includes the management of a relationship with a prospective or current Client, performing of targeted marketing activities in order to promote Offerings, special events and promotions to a Client. 
  • Business process execution and internal management. This includes the management of its ExecOnline’s assets and resources, working with ExecOnline’s Partners and ExecOnline’s third-party contractors, vendors, suppliers, licensors and school partners and service providers (“Service Providers”), the conduct of internal audits and investigations, finance and accounting, implementing business controls and management reporting and analysis.
  • Safety and security. ExecOnline may process Personal Data for activities such as those involving safety, the protection of ExecOnline, Clients or Partners (e.g. for fraud prevention and protection).

• • Protecting the vital interests of individuals. This includes processing of Personal Data when necessary to protect your vital interests or of other individuals (e.g. for urgent medical reasons).

• • Aggregate information and non-identifying information. ExecOnline may anonymize Personal Data provided to create anonymised data sets, which will then be used to create insights that do not identify you, and to improve ExecOnline Offerings and Sites. We may also share aggregated and anonymised Personal Data with Clients, prospective Clients, Partners or the press in order to demonstrate usage of the Offerings, identify industry and advertising trends and to generate publicity for the ExecOnline Offerings. If we directly combine non-identifying information with Personal Data that we receive, we will treat the combined information as Personal Data and handle it in accordance with this Privacy Policy for as long as it remains combined.

• • Application for employment. If you apply for ExecOnline employment or we receive your Personal Data in connection with a potential role at ExecOnline, we may use your information to evaluate your candidacy and to contact you. If you become a candidate, you will receive more information about how ExecOnline handles candidate Personal Data at the time of application.

5.  Who has access to your Personal Data?

ExecOnline may share your Personal Data with third parties in the following circumstances:

• With ExecOnline’s affiliates and Service Providers. As appropriate, ExecOnline will provide access to such Personal Data to its affiliates and Service Providers only if and to the extent necessary for the purposes described above. Any ExecOnline Service Providers provided with Personal Data will be bound by obligations of confidentiality and compliance with this Privacy Policy and all Applicable Laws. 

• With ExecOnline’s employees and representatives. In such a case, access will be granted to ExecOnline employees and representatives (“Personnel”) only if and to the extent necessary for the purposes described above. Any ExecOnline Personnel provided with Personal Data will be bound by confidentiality obligations, and obligations to comply with this Privacy Policy and all Applicable Laws.

• With law enforcement or other governmental agencies if and when required to do so by law, court order, or other legal process (such as a court order or subpoena). We will attempt to notify data subjects about legal demands for their Personal Data when appropriate in our judgment, unless prohibited by Applicable Laws, court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority, but we do not promise to challenge every demand.

• Change of control or sale. This would include to establish or exercise our legal rights or in connection with a corporate transaction, such as a merger, asset sale or change of control, or in the unlikely event of bankruptcy. Any other entity which purchases all or  a part of our business will have the right to continue to use your Personal Data, but only in the manner set out in this Privacy Policy.

6.  How long will ExecOnline process your Personal Data?

ExecOnline will retain your Personal Data no longer than necessary for the purposes for which we process your Personal Data (unless a longer retention period is required or permitted by law), (ii) until you object to ExecOnline’s use of your Personal Data (if ExecOnline uses your Personal Data based on legitimate interest) or  (iii) until you withdraw your consent (if ExecOnline uses your Personal Data based on your consent).

The criteria used to determine our retention period include:

• The length of time we have had an ongoing relationship with and have provided the Offerings to you;
• Whether there is a legal obligation to which we are subject (e.g. law enforcement request, records regulatory requirement, etc.);
• Whether retention is advisable considering our legal position (such as, for dispute resolution, statutes of limitations, audits, litigation or regulatory investigations); and
• Whether you have consented to continuing to receive information from us, such as for consideration of renewal of Offerings or marketing communications.

After the retention period we will delete or anonymise your Personal Data. We will retain anonymised information after the retention period.

Information you may have shared with others (e.g., through email, updates or group posts) may remain visible after the retention period or you have closed an account and we do not control data that you or others may have copied out of our Offerings. 

7.  What measures does ExecOnline take to protect your Personal Data?

Technical and organisational measures. 

ExecOnline has taken appropriate technical and organisational measures to protect your Personal Data:

• Against unauthorised access;
• To assure its confidentiality;
• To maintain its integrity and availability;
• By training ExecOnline Personnel in information security requirements; and
• By reporting actual or suspected data breaches in accordance with Applicable Laws.

ExecOnline also has certification for compliance with   ISO/IEC 27001:2013. Unfortunately, even with such technical and organisational measures, no data transmission or storage system can be guaranteed to be 100% secure. There is no guarantee that data may not be accessed, disclosed, altered or destroyed by breach of any of our physical, technical or managerial safeguards. If you have reason to believe that your interaction with us is no longer secure or has been compromised, please immediately notify us in accordance with the “Contact Information” section above.

Social and professional media sites. ExecOnline uses social and professional media widgets and sites as dynamic information sharing tools on our Sites (such as Twitter, LinkedIn, YouTube) to engage in dialogue, share information and media, and collaborate with our visitors. Your activity on these Sites is governed also by the security and privacy policies of the respective third-party sites. ExecOnline does not control, moderate or endorse the comments or opinions provided by visitors to these sites even if on our own Sites. You should review the privacy policies of all sites before using them and ensure that you understand how your information may be used. You should also adjust privacy settings on your account on any third-party site to match your preferences

Links to non-ExecOnline sites. ExecOnline’s Sites may provide links to unaffiliated, third-party sites or integrations or affiliated Partner sites for your convenience and information. Our inclusion of those links does not constitute ExecOnline’s endorsement or control over such sites and services. If you access these links, you will leave the ExecOnline Sites. ExecOnline has no control over these  third-party sites and is not responsible or liable for the policies and practices followed by third parties. The Personal Data you choose to provide to or that is collected by these third parties is not covered by this Privacy Policy. .

Potential candidate for employment. If you are a potential candidate for employment with ExecOnline, we may have received your Personal Data from third parties such as recruiters or external websites. We will use the Personal Data we receive to contact you about a potential opportunity or in evaluating your candidacy for ExecOnline employment. If you did not provide us your Personal Data directly, we will inform you of the source when we first contact you regarding your candidacy. For research and development purposes, we may use datasets such as those that contain images or other data that could be associated with an identifiable person. When acquiring such datasets, we do so in accordance with Applicable Laws in the jurisdiction in which the dataset is hosted. 

8.  Where does ExecOnline store or transfer your Personal Data?

Cross-border transfers. ExecOnline’s Offerings and Sites are operated and managed in the United States (“U.S.”) by ExecOnline, Inc. headquartered in New York City, New York. 

By using our Offerings, interacting with or accessing our Sites or otherwise providing your Personal Data to us, your Personal Data will be transferred to, accessed and processed to and in the U.S. and may be transferred outside the country where you reside or where the Personal Data originated, including to countries that may not or do not provide the same level of protection for your Personal Data. Where the laws of your country allow you to do so, you authorize us to transfer, store and process your data in the United States and in any other country where we operate. 

Transfers of Personal Data

ExecOnline makes available the transfer mechanisms listed below, which shall apply to any transfers of Personal Data (“Transfers”) from the EU, the EEA and/or their member states, Switzerland and the United Kingdom, to the extent such Transfers are subject to data protection laws (“Restricted Transfers”):

• Transfers to countries providing adequate data protection. Some countries are recognized by the European Commission or the Swiss Office of the Information and Data Protection Commissioner (“Swiss IDPC”), as applicable, as providing an adequate level of data protection. For further details, see European Commission: Adequacy of the protection of Personal Data in non-EU countries and Swiss IDPC: Countries having Data Protection Adequacy, as both lists may change from time to time.
• Standard Contractual Clauses. In many cases, we will use Standard Contractual Clauses, as approved by the European Commission and by the Swiss IDPC, as a legal mechanism for Personal Data transfers from the EEA or from Switzerland, respectively. These Standard Contractual Clauses are contractual commitments between companies transferring personal data (for example, from a Client in the EEA or Switzerland to ExecOnline in the U.S.), binding them to protect the privacy and security of the data. For further details, see: Standard contractual clauses for the transfer of Personal Data to third countries.
• Privacy Shield Frameworks and Notice. ExecOnline complies with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, retention and processing of Personal Data where such data is transferred from the European Union and Switzerland, respectively, to the U.S. ExecOnline has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. 

Accordingly, our privacy practices for Personal Data received in the U.S. from the E.U. and Switzerland are subject to these respective frameworks and are consistent with the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity and purpose limitation, access and enforcement. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. ExecOnline’s participation in the Privacy Shield does not apply at this time to ExecOnline’s human resources data or to any other personal data not described in this notice.

ExecOnline’s accountability for Personal Data that it receives under the Privacy Shield and subsequently transfers to a Service Provider is described in the Privacy Shield Principles. If we transfer Personal Data received under the Privacy Shield to a Service Provider, the Service Provider access, processing and disclosure of the Personal Data must also be in compliance with our Privacy Shield obligations, and ExecOnline will remain liable under the Privacy Shield for any failure to do so by the Service Provider unless we prove we are not responsible for the event giving rise to the damage.

For further details and to view our certification, see: Privacy Shield Framework or contact us should you have a Privacy Shield-related question or concern.

For any complaints that cannot be resolved with ExecOnline directly, ExecOnline has chosen to cooperate, for purposes of the EU-U.S. Privacy Shield, with EU data protection authorities (“DPAs”) and comply with the information and advice provided to it by an informal panel of DPAs in relation to such unresolved complaints (as further described in the Privacy Shield Principles). Please contact us to be directed to the relevant DPA contacts. With regard to Personal Data transferred under the Swiss-U.S. Privacy Shield, ExecOnline will cooperate with the Swiss IDPC for the resolution of such unresolved complaints. The U.S. Federal Trade Commission has jurisdiction over our compliance with the Privacy Shield.

9.  What rights can you exercise in relation to your Personal Data?

Based on laws applicable to the use of your Personal Data, you may have rights that you can exercise in relation to your Personal Data. Note that in some cases we are not required to – fully – comply with your request, as such rights may be conditional or because we have to balance your rights against our rights and obligations to process your Personal Data and to protect the rights and freedoms of others. A number of the rights you have in relation to your Personal Data, as applicable in the EEA, are explained below:

Right of access

You are entitled to a copy of the Personal Data we hold about you and to learn details about how we use it. Your Personal Data will usually be provided to you digitally. We may require you to prove your identity before providing the requested information.

Right to rectification

We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you believe this is not the case, you have the right to request that any incomplete or inaccurate Personal Data that we process about you is amended.

Right to erasure

You have the right to ask us to erase all or some of your Personal Data, for example where the Personal Data we collected is no longer necessary for the original purpose, where Personal Data has become obsolete or where you withdraw your consent. However, this will need to be balanced against other factors, such as certain legal or regulatory obligations.

Right to restriction of processing

You are entitled to ask us to temporarily stop using your Personal Data, for example where you think that the Personal Data we hold about you may be inaccurate or where you think that we no longer need to use your Personal Data.

Right to data portability

You may have the right to ask that we transfer Personal Data that you have provided to us to a third party of your choice. This right can only be exercised when you have provided the Personal Data to us, and when we are processing that data by automated means on the basis of your consent or in order to perform our obligations under a contract with you.

Right to object to processing

You have the right to object to processing which is based on our legitimate interests. In case of the processing of Personal Data for marketing purposes, you have the right to object at any time. When you ask us to stop using your Personal Data for marketing purposes, ExecOnline will cease using your Personal Data. For other purposes based on our legitimate interests, we will no longer process the Personal Data on that basis when you file an objection based on your grounds relating to your particular situation, unless we have a compelling legitimate ground for the processing. Note, however, that we may not be able to provide certain Offerings, programs or benefits to you if we are unable to process the necessary Personal Data for that purpose.

Rights relating to automated decision-making

You have the right not to be subjected to automated decision-making, including profiling, which produces legal effect for you or has a similar significant effect. 

Right to withdraw consent

We may ask for your consent to process your Personal Data in specific cases. When we do this, you have the right to withdraw your consent at any time. ExecOnline will stop the further processing as soon as possible after the withdrawal of your consent. However, this does not affect the lawfulness of the processing before consent was withdrawn. Please be aware that you cannot optout of receiving service messages from us, including security and legal notices.

10.  What if you have questions, requests or complaints?

Contact us. You may send questions, requests and complaints regarding the processing of your Personal Data to ExecOnline by using the contact information as provided at the top of this Privacy Policy. We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.

You also may contact our Data Protection Officer via DPO@execonline.com. 

Data Protection Authority. You also have the right to lodge a complaint with the competent local Data Protection Authority in the jurisdiction where you work, where you live or where an alleged infringement takes place. A listing of the European Data Protection Authorities can be found here. For the Swiss IDPC, please refer here.

11.  Will there be updates to this Privacy Policy?

ExecOnline may amend this Privacy Policy from time to time, so please review it frequently. The “Last Updated” legend at the top of this page indicates when this Privacy Policy was last revised. Any amendments to the policy will become effective when we post the revised Privacy Policy. Your continued use of any of the Offerings or Sites after those amendments constitutes your agreement with the amended Privacy Policy; if you do not agree with any part of or changes to the Privacy Policy, you should immediately cease using the Offerings or the Sites.