Privacy Shield Policy – EU and Switzerland
The European Union (“EU”) adopted Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“EU Directive”), which requires EU member countries to adopt laws protecting personal data collected within their borders. Switzerland adopted the Swiss Federal Data Protection Act (“SFDPA”) and the Data Protection Ordinance (“DPO”), which regulate all acts of personal data processing. In accordance with Article 2a of the EU Directive, and the SFDPA and DPO, personal data includes any information relating to an identified or identifiable natural person (“Personal Data”). The EU Directive, SFDPA and DPO allow the transfer of Personal Data only to countries that have data protection laws deemed “adequate” under the respective legal frameworks. The US Department of Commerce has agreed on the requirements to enable US Companies to satisfy the mandate under EU law and Swiss law that adequate protection be given to Personal Data transferred from the EU or Switzerland to the US. For EU and Swiss citizens’ Personal Data, these requirements are memorialized in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework.
NightOwl Discovery Inc. “NightOwl” self-certifies with the Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.
NightOwl complies with EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. NightOwl has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. As an e-discovery company, data we collect and store is done so at the direction of and on behalf of our customers, rather than directly from individuals. All data NightOwl collects and/or retains on behalf of our customers is kept pursuant to strict privacy and confidentiality practices, and NightOwl does not disclose data to third parties.
The United States Federal Trade Commission (FTC) is the enforcement authority with jurisdiction over this compliance with the Privacy Shield.
NightOwl Discovery Inc.
Attention: General Counsel
1000 Parkers Lake Rd
Minneapolis, MN 55391
NightOwl is committed to provide an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved. NightOwl has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to an independent dispute resolution provider, Judicial Arbitration and Mediation Services, Inc. (JAMS). If you do not receive acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information.
Processor on Behalf of Customers
NightOwl provides software as a service designed to help companies manage their legal hold notification and preservation process, as well as collect and process data related to corporate legal and IT needs. In this capacity, NightOwl does not own or control any of the information it processes on behalf of its customers. NightOwl receives information transferred from the EU and Switzerland to the United States merely as a processor on behalf of our customers.
NightOwl has appointed a corporate leader of fair information practices who is responsible for the internal supervision of NightOwl’s privacy policies. NightOwl has also appointed a corporate leader for data security. NightOwl is committed to educating its customers and associates (employees) in the United States about the issues, guidelines and laws surrounding compliance with the Privacy Shield Framework.
The corporate leader for fair information practices is available to any associate who has questions concerning NightOwl’s Privacy Shield Policy or data security practices.
NightOwl’s policies and manner of compliance are described separately below.
NightOwl as a Processor on Behalf of Customers
When NightOwl acts as a processor on behalf of its customers, the policies outlined below apply to all data processing operations concerning personal information that has been transferred from the EU and Switzerland to the United States.
Before starting any processing on behalf of NightOwl’s customers, NightOwl will enter into a processing contract with the EU and Swiss data controller responsible for the personal information pursuant to the applicable EU Member State Data Protection law.
The processing contract ensures that the EU and Swiss data controller will be in compliance with the Member State Data Protection law. The processing contract will also specify that the processing will be carried out with appropriate data security measures. NightOwl has in place measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
Any information NightOwl’s customer (acting as the EU and Swiss controller) identifies as sensitive will be treated accordingly. Further, any data processed by NightOwl will not be disclosed to third parties except where permitted or required by the processing contract, EU Privacy Shield, Swiss-US Privacy Shield or the applicable Member State Data Protection law. NightOwl will not disclose personally identifiable information to third parties unless specifically agreed to and at the direction of the data owner, or when we are required by law in response to lawful requests by public authorities to meet national security or law enforcement requirements including subpoenas, court orders or legal process.
As a processor on behalf of NightOwl’s customers (who is the EU controller), NightOwl is not required to apply other EU Privacy Shield Principles to the personal information received for processing from a customer.
Prior to the transfer of any non-public personal information from the EU and Switzerland to the United States, NightOwl requires contractual confirmation from the EU and Swiss controller from whom NightOwl acquired the information that the personal data has been provided to NightOwl in accordance with the applicable EU Member State Data Protection law, thereby ensuring the data subjects have been provided with proper notice regarding how their personal data will be used. In addition, when personal data is collected directly from data subjects, NightOwl provides the data subject with notice regarding the manner and circumstances in which the personal data will be used and transferred to third parties.
Prior to the transfer of any non-public personal information from the EU and Switzerland to the United States, NightOwl requires contractual confirmation from the EU and Swiss controller from whom NightOwl acquired the information that the personal data has been collected in accordance with applicable EU member State Data Protection law, thereby ensuring the data subjects have been provided with the proper choice regarding how their personal data may be used.
NightOwl takes reasonable steps to ensure the information transferred from the EU and Switzerland to the United States is reliable, accurate and complete. The steps NightOwl takes to assure data integrity are based on the purposes for which the personal information is used.
NightOwl complies with the notice and choice principles as described above for all data disclosed or transferred to a third party. However, when NightOwl uses data processors to perform processing tasks on behalf and under the instruction of NightOwl, NightOwl requires that its data processors enter into a written agreement with NightOwl requiring them to provide the same level of protection as NightOwl provides and retains liability for onward transfers to such agents when under the direction of NightOwl.
NightOwl has in place an information security policy to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction. NightOwl has received SOC 2® Type 2 Report certification that it complies with this policy, providing for independent third-party validation that it has controls in place to protect against unauthorized access (both physical and logical).
NightOwl’s security officer is responsible for conducting investigations into any alleged computer or network breaches, incidents or problems and ensuring the proper disciplinary action is taken against those who violate NightOwl’s information security policy.
Any security compromises or potential security compromises and any inquiries concerning security should be reported to the NightOwl consumer advocate. Contact information is provided below.
NightOwl acknowledges the right of EU and Swiss individuals to access information held about them. When NightOwl acts as a Data Processor, NightOwl’s customers are responsible, pursuant to their contractual agreements with the company, for providing individuals with access to their Personal Information and allowing individuals to correct, amend and delete their information, as required by applicable law. NightOwl requires its customers to maintain appropriate procedures for handling individuals’ requests to access, correct or delete their Personal Information, in accordance with applicable law. To exercise these rights, individual should contact the appropriate NightOwl customer that transferred their Personal Information to NightOwl. NightOwl will cooperate fully with its customers in responding to any such request. In the event a request is made directly to NightOwl, customers are required to cooperate with NightOwl in promptly addressing such requests.
NightOwl agrees to process all reasonable requests for access within a reasonable time period but reserves the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual’s privacy or in the case of an unwarranted or fraudulent request as provided under “How to Contact Us.”
NightOwl acts as a Data Processor. Individuals should submit complaints concerning the processing of their Personal Information to the company’s customer that originally collected their information in accordance with the customer’s relevant dispute resolution mechanism (if available). NightOwl will participate in the customer’s dispute resolution process at the request of the individual.
How to Contact Us
Please address any questions or concerns regarding this Policy or NightOwl’s practices concerning Personal Information by contacting NightOwl’s VP of Product Strategy by telephone at (800) 267-9695, by email at firstname.lastname@example.org, or in writing addressed to:
NightOwl Discovery Inc.
Attention: General Counsel
1000 Parkers Lake Road
Wayzata, MN 55391