Safe Harbor Policy


Effective August 25, 2015

ExecOnline is committed to protecting the privacy of certain data and respects individual privacy and values the confidence of its Clients, employees, vendors, consumers, business partners and others. ExecOnline strives to collect, use and disclose Personal Data in a manner consistent with the laws of the countries in which it does business, and has a tradition of upholding the highest ethical standards in its business practices. In addition to our general website Privacy Policy, with respect to Personal Data of certain individuals, ExecOnline subscribes to the U.S.-EU Safe Harbor Framework as set forth by the U.S. Department of Commerce in July 2000. ExecOnline also subscribes to the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce in February 2009. This Safe Harbor Privacy Policy (the “Policy”) sets forth the privacy principles that ExecOnline follows with respect to transfers of Personal Data anywhere in the world, including transfers from the European Economic Area (EEA) (which includes the twenty-seven member states of the European Union (EU) plus Iceland, Liechtenstein and Norway) or Switzerland to the United States.

I. DEFINITIONS

For purposes of this Policy, the following definitions shall apply:

“Agent” means any third party that uses Personal Data provided by ExecOnline to perform tasks on behalf of or at the instruction of ExecOnline.

“Client” means a person who has provided the requisite personal information to ExecOnline for the purpose of soliciting ExecOnline’s Educational Services and Products.

“Client Personal Data” means Personal Data (defined below) of a Client that ExecOnline collected and processed as part of its Education Services.

“Client Services” means Educational Services and Products. ExecOnline provides organizations and executives with access to elite institutions that each offer world-class instruction across a range of subject areas. We facilitate the ability to work with multiple schools in one of their recognized areas of strength, while also providing uniformity and excellence for the organization and the learner.

“Personal Data” means any information or set of information that identifies or could be used by or on behalf of ExecOnline to identify an individual subject to the EU Data Privacy Directive 95/46/EC, as modified, supplemented and/or replaced. Personal Data does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public Personal Data.

“Sensitive Personal Data” means Personal Data that reveals race, ethnic origin, trade union membership, political opinions or that data which concerns health.

“ExecOnline” means ExecOnline, its predecessors, affiliates, successors, subsidiaries, divisions and groups.

II. SAFE HARBOR

The United States Department of Commerce and the European Commission have agreed on a set of data protection principles (“Safe Harbor Principles”) and frequently asked questions (the “U.S.-EU Safe Harbor Framework”) to enable U.S. companies to satisfy the requirement under European Union law that an adequate level of protection is given to Personal Data transferred from the EU to the United States. The EEA also has recognized the U.S. Safe Harbor as providing an adequate level of data protection (OJL 45, 15.2.2001, p.47). The United States Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland have agreed on a similar set of data protection principles and frequently asked questions (the “U.S.-Swiss Safe Harbor Framework”) to enable U.S. companies to satisfy the requirement under Swiss law that an adequate level of data protection is given to Personal Data transferred from Switzerland to the United States. Consistent with its commitment to protect Personal Data privacy, ExecOnline adheres to the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks. ExecOnline has a Chief Technology and Compliance Officer who assists in ensuring compliance with this Policy and all data security issues. ExecOnline educates its employees concerning compliance with this Policy and has self-assessment procedures in place to assure compliance. ExecOnline’s CEO, CTO and external legal advisors are available to any of its valued employees, Clients, vendors, business partners or others who may have questions concerning this Policy or data security practices. Relevant contact information is provided herein.

III. SCOPE

This Policy applies to all Personal Data received by ExecOnline in any format including electronic and paper. ExecOnline collects and processes Personal Data concerning its Clients via internet websites, its intranet site, electronic mail and manually. Unless specified otherwise in writing between ExecOnline and a Client, ExecOnline is the sole owner of information it collects from its Clients, vendors and others. ExecOnline will not sell or share this information with third parties in ways different than what is described in this Policy and our Privacy Policy. For example, if the company enters into bankruptcy, it may need to transfer personal information to another company as part of the resolution of the bankruptcy.

On a global basis, ExecOnline will, and will cause its affiliates to, establish and maintain business procedures that are consistent with this Policy and our Privacy Policy. ExecOnline collects Personal Data for the purpose of providing Educational Services. ExecOnline does not request or gather information regarding political opinions, religion, philosophy or sexual preference.

ExecOnline will conduct Client Services in accordance with the notice given to and/or the consent obtained from the Client. ExecOnline will not disclose Client Personal Data to third parties other than the Agents. All Personal Data collected by ExecOnline will be used for legitimate business purposes consistent with this Policy.

IV. PRIVACY PRINCIPLES

The privacy principles in this Policy are based on the seven Safe Harbor Principles.

  1. NOTICE: Where ExecOnline collects Personal Data directly from individuals requesting Educational Services from ExecOnline, it will inform them about the purposes for which it collects and uses Personal Data about them, the types of non-agent third parties to which ExecOnline discloses that information, if any, and the choices and means, if any, ExecOnline offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to ExecOnline, or as soon as practicable thereafter, and in any event before ExecOnline uses the information for a purpose other than that for which it was originally collected. ExecOnline may disclose Personal Data if required to do so by law or to protect and defend the rights or property of ExecOnline. ExecOnline will collect Client Personal Data only in accordance with the notice to and consent given by the Client. Should you have any complaints or inquiries regarding this Policy or the provisions contained herein, please contact ExecOnline’s Chief Technology and Compliance Officer.
  2. CHOICE: ExecOnline will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Moreover, ExecOnline does not collect Sensitive Personal Data from its Clients. ExecOnline will provide individuals with reasonable mechanisms to exercise their choices should requisite circumstances arise.
  3. DATA INTEGRITY: ExecOnline will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. ExecOnline will take reasonable steps to make sure that Personal Data is relevant to its intended use, accurate, complete and current.
  4. TRANSFERS TO AGENTS: ExecOnline will obtain assurances from its Agents that they will safeguard Personal Data consistently with this Policy. Examples of appropriate assurances that may be provided by Agents include: a contract obligating the Agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), Safe Harbor certification by the Agent, or being subject to another European Commission adequacy finding (e.g., companies located in Switzerland). Where ExecOnline has knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Policy, ExecOnline will take reasonable steps to prevent or stop the use or disclosure. ExecOnline holds its Agents accountable for maintaining the trust our employees and Clients place in the company.
  5. ACCESS AND CORRECTION: Upon request and as part of the Client’s general online profile, ExecOnline will grant individuals reasonable access to Personal Data that it holds about them. In addition, ExecOnline will take reasonable steps to permit individuals to correct, amend or delete information that is demonstrated to be inaccurate or incomplete. Any Client that desires to review or update Personal Data can do so by contacting their ExecOnline account representative.
  6. SECURITY: ExecOnline will take reasonable and commercially viable precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. ExecOnline protects data in many ways. Physical security is designed to prevent unauthorized access to database equipment and hard copies of sensitive Personal Data. Electronic security measures continuously monitor access to our servers and provide protection from hacking or other unauthorized access from remote locations. This protection includes the use of firewalls, restricted access and encryption technology. ExecOnline limits access to Personal Data and data to those persons in ExecOnline’s organization, or as agents of ExecOnline, that have a specific business purpose for maintaining and processing such Personal Data. Individuals who have been granted access to Personal Data are aware of their responsibilities to protect the security, confidentiality and integrity of that information and have been provided training and instruction on how to do so. ExecOnline will disclose Client Personal Data only to the Client who requested the Client Services and in accordance with the Notice provided by the Client to the Client’s employee and/or the consent given by the Client-employee. Of course, no set of safeguards is 100% secure. This means that, for example, despite our best efforts, an unauthorized access or acquisition of your information could occur. In that case, we will do our best to mitigate harm to you and, where appropriate, notify you of the incident.
  7. ENFORCEMENT: ExecOnline will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy and the U.S. Department of Commerce Safe Harbor Principles. Any employee that ExecOnline determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.

V. DISPUTE RESOLUTION

Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the ExecOnline Corporate Office at the address given below. ExecOnline will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Policy. For complaints that cannot be resolved between ExecOnline and the complainant, ExecOnline has agreed to cooperate and comply with the EU Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner to investigate all unresolved complaints.

VI. INTERNET PRIVACY

ExecOnline views the Internet, intranets and the use of other technologies as valuable tools for communicating and interacting with consumers, employees, vendors, business partners and others. ExecOnline recognizes the importance of maintaining the privacy of Personal Data collected through websites that it operates. ExecOnline’s sole purpose for operating its website, www.execonline.com, is to provide information concerning products and services to the public. This privacy policy does not apply to information collected through other means such as by telephone or in person, although that information may be protected by other privacy policies. Further, if you access this site from outside the U.S., you acknowledge and agree that you are responsible for compliance with any applicable local or national laws, rules or regulations applicable to such use. In general, visitors can reach ExecOnline on the Web without revealing any Personal Data. Visitors on the Web may elect to voluntarily provide Personal Data via ExecOnline websites but are not required to do so. ExecOnline collects information from visitors to the website who voluntarily provide Personal Data by filling out and submitting online questionnaires concerning feedback on the website, requesting information on products or services, or seeking Education Services. The Personal Data voluntarily provided by website users is contact information limited to the user’s name, business address, phone numbers and business email address. ExecOnline collects this information so it may answer questions and forward requested information. ExecOnline does not sell this information and does not share this information with non-agent third parties.

VII. CHANGES TO THIS SAFE HARBOR PRIVACY POLICY

The practices described in this Policy are current Personal Data protection policies as of August 1, 2015. ExecOnline reserves the right to modify or amend this Policy at any time consistent with the requirements of the Safe Harbor Principles. Appropriate public notice will be given concerning such amendments.

If you have questions about our privacy and security policy, contact us at:

Barry Goldberg
Chief Technology and Compliance Officer
ExecOnline
31 Penn Plaza
17th Floor
New York, NY 10001
800.410.EXEC