Corporate Escrow Services, Inc. (“CSE”) is committed to protecting the privacy of our employees, our customers, and their employees. As part of this commitment, CSE has established a privacy program that demonstrates our due diligence to privacy laws.
Customer – A company who has entered into a business relationship with CSE for CSE to perform a service.
Individual – The person whose data CSE has processed, for example, an employee of CSE, an employee of a customer, or a person using a CSE website, service or tool.
Personal Information – Any data element or combination of data elements that enables the identification of an individual, including, but not limited to, name, address, human resources data, personal health information, government identification such as social security number, name, biometric identifier, home address, driver’s license number, credit card number, or account number.
Processed – personal information that is in CSE’s possession or under its control.
CSE, its employees, and contractors take responsibility for personal information in accordance with CSE policies and standards. CSE’s Chief Legal Officer is responsible for defining the requirements of this policy and for ensuring compliance with its provisions. This policy replaces and supersedes all other prior policies regarding the same or similar subject matter, as of the Policy Version Effective Date of 07.10.2018. CSE reserves the right to alter, amend or discontinue this policy at any time without notice. CSE is liable for personal information it processes and for personal information CSE provides to contractors for processing. With respect to personal information that has been transferred to a contractor to be processed, contractual requirements are used to provide a comparable level of protection. CSE’s liability for a third party’s performance of its obligations is set forth in each agreement that CSE signs with its Customers, and CSE assumes liability for the performance of the services and obligations subcontracted to such contractors, including those related to protection of PII. Where CSE does not have a direct relationship with a third party processing personal information, it shall not be liable for the processing of data in that parties possession. These third parties have their own independent obligations with respect to the data, usually by operation of law or through contracts. CSE trains its employees with respect to its privacy policies and practices.
4. Notice, Choice and Consent
CSE provides notice as to the purposes for which personal information is collected, used, retained, and disclosed. In most cases, customers are responsible for notification of purpose and for obtaining appropriate consent when they collect personal information and personal information that is transferred to CSE by our customers to be processed shall be deemed to have been collected with appropriate notification. CSE assumes no responsibility for obtaining or validating that appropriate consent has been obtained in respect of data transferred to CSE by organization(s)/customers. In some cases, CSE collects personal information directly from the individual, for example, when individuals visit a CSE website, or when individuals use certain confidential services. In these cases, CSE is responsible for obtaining appropriate consent, except where inappropriate or if the collection is required/permitted by law without consent. Where appropriate, CSE describes any choices available within the services to individuals and obtains appropriate consent. Individuals who seek to vary or withdraw consent that has been obtained by CSE directly may do so in writing. If any party decides they do not want to receive commercial emails from CSE they can “opt-out” by clicking on the “unsubscribe” link provided at the bottom of every commercial email. Subject to legal or contractual restrictions, CSE shall abide by the withdrawal or variation of consent, and shall advise the individual of the consequences of a change in the scope of consent. In cases where consent has been obtained by the customer, the individual will be referred to the customer. Unless required by law, CSE shall not use or disclose personal information for any purpose other than the purpose for which it was originally collected without first identifying and documenting the new purpose and obtaining the appropriate consent. Once data has been de-identified, aggregated or summarized it shall no longer be considered personal information, and individuals cannot seek to have their information removed from an aggregated data set, nor is consent for further use required.
5. Collection and Use
CSE does not collect data indiscriminately. CSE collects personal information only for the purposes of providing and promoting the services we offer and limits use to those purposes, including initiating, maintaining, enhancing, and terminating the employee- employer relationship. Personal information shall be collected by fair and lawful means, and not by misleading or deceiving individuals about the purpose for which information is collected. CSE may also collect personal information from other sources, either with the consent of the individual or where permitted or required by law. Indirect sources of personal information include background checks, employers or personal references.
6. Retention and Disposal
CSE retains personal information only as long as necessary to fulfill the stated purposes or as legally required and thereafter disposes of such information. CSE will specify minimum and maximum retention periods for the various personal information records. When personal information is not necessary or relevant to fulfill a legal or business requirement, it shall be securely destroyed. CSE will either physically or electronically erase the personal information or make it anonymous in a non- recoverable manner.
Unless CSE is permitted or required by law to prohibit access, CSE makes personal information available for review and updating, either directly through the self- service feature in its products, by directing individuals to the employer for access, or through an access request made to established contacts within CSE. CSE responds to requests within the time limit set out by the applicable privacy legislation and, if applicable, provides the individual with an estimate of the cost associated with administering and responding to the request. CSE requires sufficient information to authenticate requests for access.
CSE does not use or disclose personal information for purposes other than those for which it is collected, unless required by law. CSE discloses personal information to the following third parties to fulfill the specified purposes: Corporate Entities – In the event that CSE, or any portion of our assets, are acquired, sold, or transferred, CSE may disclose Personal Information with the company involved to complete the business transition. ï Service Providers and Subsidiaries, Affiliates and Contractors – CSE may disclose Personal Information to service providers or to CSE’s subsidiaries, affiliates, and contractors to fulfill the services CSE offers. These services may include, among other things, providing products or services to you or your employer on our behalf, creating or maintaining our databases, researching and analyzing the usage and performance of the application, preparing and distributing communications, responding to inquiries, or as part of our process. ï Employer Designated Third Parties – As part of the services CSE delivers to employers, CSE transfers data to third parties such as banks, tax agencies, and benefit providers. ï Legal Parties – In response to a legal inquiry, CSE may disclose Personal Information to law enforcement or the applicable party involved in the inquiry to fulfill the request. When required to provide information in response to a legal enquiry, CSE exercises reasonable caution to ensure that the order or request is valid and only legally required Personal Information is disclosed. If CSE has knowledge that a third party uses or discloses personal information in an unapproved manner, CSE takes reasonable steps to prevent or stop the use or disclosure. Where applicable, to limit or opt out of the disclosure of personal information, individuals should contact CSE in the manner set out in the Enforcement Section. CSE does not sell any personal information to third parties for marketing or any other commercial purposes.
9. Cross Border Transfer
Should CSE for any reason transfer personal information outside of a local jurisdiction, it shall only be done with adequate protections in place and in compliance with applicable laws and standards. For data transfers to the U.S. from the E.U. CSE complies with all applicable laws and standards in the U.S. & E.U (and as it may be amended over time) regarding the collection, use, retention and disclosure of personal information from the E.U. and E.E.A. to the U.S., and certifies its adherence to the law and these policy principles of notice, choice, onward transfer, security, data integrity, access, enforcement, and the applicable supplemental principles.
CSE has implemented policies, procedures and practices to protect personal information. CSE protects personal information using recognized industry standard security safeguards appropriate to the sensitivity of the information. CSE reviews its security policies and procedures on a regular basis and updates them as needed to maintain their relevance. CSE makes reasonable security arrangements to protect personal information in its custody or under its control from and against risks, such as loss or theft, as well as unauthorized access, collection, use, disclosure, copying, modification, disposal and destruction. The methods of protection include physical measures, organizational measures and technological measures. CSE requires all third parties to whom it may transfer personal information as required to perform its services, to maintain adequate security safeguards in compliance with applicable laws and standards to protect personal information.
In delivering services, CSE relies on customers, contractors, employers and employees to supply CSE with accurate, complete and up-to-date information that is relevant to CSE’s delivery of the services. Individuals are asked to review their records on a regular basis and make the appropriate updates or notify of errors promptly. CSE makes reasonable efforts to maintain the integrity of the data within its products as necessary to fulfill the purposes for which the information is to be used. Where CSE collects information outside of service delivery, CSE makes reasonable efforts to keep personal information as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information is to be used. CSE provides a means for individuals to update or correct the personal information CSE possesses.