Privacy Shield

Cherwell and the EU-U.S. Privacy Shield

As of July 16, 2020, the EU-U.S. Privacy Shield has been invalidated as a result of the decision by the Court of Justice of the European Union in “Schrems II”. Cherwell, however, continues to comply with the EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred before July 16, 2020, from the European Union, Switzerland or the United Kingdom to Cherwell in the United States. For transfers of personal information after July 16, 2020, from the European Union or Switzerland to Cherwell in the United States, Cherwell will rely on (a) a data transfer mechanism deemed adequate by the relevant data protection authority, or (b) an applicable derogation from the general prohibition on cross-border data transfers under the relevant data protection law.

This Cherwell EU-U.S. Privacy Shield Policy (“Cherwell Privacy Shield Policy”) is intended to be read in conjunction with Cherwell’s Privacy Statement, available at www.cherwell.com/privacy-statement and Cherwell’s other websites (as defined in Cherwell’s Privacy Statement) that display the terms of Cherwell’s Privacy Statement. If you are a customer of Cherwell located in the European Economic Area (“EEA”) or Switzerland, the Cherwell Privacy Shield Policy is intended to be read in conjunction with Cherwell’s Privacy Statement and your applicable End-User License Agreement (“EULA”), End-User Subscription Agreement (“EUSA”), or other customer agreement.

Cherwell Software, LLC (“Cherwell”) complies with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (“Privacy Shield”) set forth by the U.S. Department of Commerce regarding the Processing of Personal Data of Data Subjects in the European Union (“EU”) and the United Kingdom (“UK”) and Switzerland, respectively. Cherwell, through its participation in the Privacy Shield, adheres to the Privacy Shield principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability (the “Privacy Shield Principles”). For individuals located in the EU and the UK and Switzerland, if there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. If you are a customer of Cherwell located in the EU and the UK and Switzerland and there is any conflict between the terms of your EULA, EUSA, or other customer agreement and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

To learn more about the Privacy Shield framework, and to view our certification, please visit www.privacyshield.gov.

The Company’s Collection And Use Of Personal Data

Cherwell notifies visitors to its Websites and Cherwell customers about the Personal Data it collects, how Cherwell uses Personal Data, Personal Data disclosed to Third Parties, choice, data integrity and security, and access in its Privacy Statement at www.cherwell.com/privacy-statement. If you are a customer of Cherwell located in the EEA or Switzerland, more information about the foregoing may be found in your EULA, EUSA, or other customer agreement.

The Company’s Disclosure Of Personal Data

The Company may disclose the Personal Data of its current and prospective customers or website users located in the EU, the UK, or Switzerland to the following third parties:


The Company may be liable for the onward transfer of Personal Data to third parties.

Choices For Limiting The Use And Disclosure Of Personal Data

For those customers and visitors to Cherwell’s websites located in the EU, the UK, or Switzerland whose Personal Data has been transferred to the United States, the Company will provide the opportunity to opt out from: (a) the disclosure of their Personal Data to a non-agent third party; and (b) the use of their Personal Data for purpose(s) that are materially different from the purpose(s) for which the Personal Data was originally collected or subsequently authorized by the individual. The Company will provide individuals with clear, conspicuous and readily available mechanisms to exercise their choices should such circumstances arise. Individuals who otherwise wish to limit the use or disclosure of their Personal Data should submit their request to Privacy@cherwell.com.

Your Right To Access And Correct Your Personal Data

Upon request, the Company will grant current and prospective customers and website users access to their Personal Data, and will permit them to correct, amend or delete Personal Data that is inaccurate or incomplete or that is being processed in violation of the Privacy Shield Principles. Individuals who wish to exercise these rights can do so by contacting Cherwell through the following email address: Privacy@cherwell.com. For security purposes, the Company may require verification of the requester’s identity before providing access to Personal Data.

More Information And What To Do If You Have A Complaint

As further explained in the “Questions or Complaints” section of the Cherwell Privacy Statement, we encourage you to contact us should you have a Privacy Shield-related (or general privacy-related) complaint. Cherwell will respond to an individual complaint within forty-five (45) days. If an issue cannot be resolved, Cherwell will refer such complaints under the Privacy Shield to JAMS, an independent dispute resolution body based in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. JAMS’ services are provided at no cost to you. Under certain conditions, as further explained in the Privacy Shield Principles, individuals in the EEA may invoke binding arbitration before the Privacy Shield Panel in order to address residual complaints not resolved by any other means. Cherwell is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Cherwell provides a mechanism for assuring compliance with the Privacy Shield Principles. Cherwell uses a self-assessment, and at least once a year Cherwell will certify that this Privacy Shield Policy and its Privacy Statement are accurate, comprehensive, prominently displayed, implemented and in conformity with the Privacy Shield Principles. Cherwell will monitor adherence to the Privacy Shield Principles. Any employee who intentionally violates this Privacy Shield Policy will be subject to disciplinary action up to and including termination of employment.

Adherence to the Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, Cherwell can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.

This Policy may be amended from time to time, consistent with the requirements of the Privacy Shield Principles.

In compliance with the Privacy Shield Principles, Cherwell commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Cherwell at:

Contact Information

For all matters on Privacy Shield at Cherwell: Privacy@cherwell.com

https://www.cherwell.com/about/contact-us/

Definitions

The following definitions apply to this Privacy Shield Policy:

a. “Data Subject” means an identified or identifiable natural person.

b. “Identifiable natural person” means one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

c. “Personal Data” means any information relating to a Data Subject received by Cherwell in the United States from the EEA or Switzerland, and recorded in any form. Personal Data does not include information that is anonymous, de-identified, or publicly available.

d. “Processing personal data” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

 

 

Updated: August 2020