Policy Statement
Varolii acknowledges the EU’s standard for personal data protection. Through its relationship with a global customer base, Varolii has access to Personally Identifiable Information (PII) of employees in the EU. This Policy addresses the privacy concerns of European employees, companies based in the US that have EU offices, and Varolii’s own business concerns.
To effect this Policy, Varolii will adhere to the United States Department of Commerce Safe Harbor Principles and will self-certify to the United States Department of Commerce its compliance with the Safe Harbor Principles. This Policy applies to all PII data transmissions from Varolii employee or client operations in EU countries to the United States. This includes transmission of data over phone lines, computer lines, and hard copy.
The use of EU employee or customer PII will include personal telephone numbers, addresses, credit card or bank account information, and any other material that identifies a particular individual employee or customer that Varolii’s clients may provide during the course of service delivery.
Guidelines
Varolii has adopted the seven Safe Harbor principles of notice, choice, onward transfer (transfer to third parties), access, security, data integrity and enforcement with respect to PII and sensitive data to be transferred to the U.S. from Varolii or Client operations in the EU.
- Notice – Varolii relies on its clients to meet the notification requirements for employees or customers in the EU about the purposes for which PII will be collected and used. Information will be provided on how employees or customers can contact Varolii with inquiries or complaints regarding PII. Varolii will give notice to the clients owning the PII on third parties to which information may be disclosed, and restrictions that limit the information’s use and disclosure. Where a Varolii employee is the data subject, direct notification will occur through internal communication processes at the time of collection. Inquiries or complaints about the use of their personal information should be directed to either the Chief Security Officer or the General Counsel.
- Choice – Prior to releasing PII to a third party, Varolii will notify the client owning the data of the potential release and afford the client the opportunity to choose whether their PII is disclosed to that third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by that individual. An affirmative choice will be given to the Varolii employee if PII/sensitive data is to be disclosed to a third party or used for a purpose other than its original purpose or the purposes authorized subsequently by the individual.
- Onward transfer – (transfer to third parties) – Prior to disclosing PII/sensitive information to a third party, Varolii will apply the notice and choice principles, enumerated above. Varolii will ensure third parties also subscribe to the Safe Harbor Principles or any other EU adequacy finding. Varolii will enter into a written agreement with such third party requiring that the third party provide at least the same level of personal data protection as is maintained by Varolii.
- Access – Employees covered under this policy will have access to personnel information about them that Varolii holds and will be able to correct, amend or delete information if it is inaccurate (the exception is when the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question or the rights of persons other than the individual would be violated). Varolii relies on its Clients to afford access to their employees and customers to meet the Principle of Access.
- Security – Varolii’s security and privacy program subscribes to industry standards to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Data Integrity – PII kept by Varolii will be relevant for the purposes for which it is to be used as defined in Client contracts and service descriptions, or in the case of Varolii employees, as enumerated at the time of collection. Varolii will take reasonable steps to ensure that the data is reliable and that it is applied to its intended use. Varolii relies on Clients to ensure data provided is accurate, complete and correct. Specific to Varolii employees, Varolii will also ensure that the information is accurate, complete and correct.
- Enforcement – To ensure compliance with these Safe Harbor Principles, Varolii will:
  - cooperate with the Data Protection Authorities (DPAs) of the EU countries in the investigation and resolution of complaints and will comply with any advice given by DPAs;
  - employ a procedure for verifying that the commitment the company has made to adhere to the Safe Harbor Principles has been implemented;
  - remedy issues arising out of any failure to comply with the Principles.

  Varolii acknowledges that its failure to provide an annual self-certification to the Department of Commerce will remove it from its list of participants and the transfers of information will not be allowed unless Varolii otherwise complies with the EU Data Protection Directive.
Responsibilities
The Chief Security Officer and the General Counsel are the internal mechanism for ensuring compliance with the Safe Harbor Principles and facilitating the independent recourse mechanism referenced in Principle 7 above.
Questions regarding the transmission of PII from the European Union (EU) to the United States or any other non-EU location, or any further transmission of the personnel data once received in the United States, should be referred to the Varolii Chief Security Officer. That individual is responsible for the Varolii Privacy program as well as the maintenance of this document.
The Chief Security Officer is also responsible for certifying annually, in writing, to the Department of Commerce that Varolii agrees to adhere to the Safe Harbor Principles.
Varolii employees receive annual training on this Policy, the Privacy Principles, and the accompanying grievance procedures.
Definitions
Client – businesses contracting with Varolii for services.
Customer – an individual that provides personal information to a Client, who in turn transfers that same information to Varolii.
Employee – refers to an individual who is employed by either Varolii or a Client and whose personal information may be disclosed during the provision of the services.
European Union – The European Union (“EU”) consists of 27 member countries: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, France, Finland, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.
Personally Identifiable Information (PII) – per the EU Privacy Directive: “shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
Sensitive Data – information pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, income records, health, sexual orientation or alleged commission of any offense. This data may not be transferred unless an individual gives explicit consent.