Introduction to Evolver’s Privacy Shield Policy
Evolver receives and processes information (in paper and electronic form) in accordance with its clients’ instructions for the purpose of providing legal data support services, including legal review, repository holding, data management and forensics. Evolver provides services from forensic collection, to managed hosting and document review. Examples of personal data that may be collected include: full name, address, telephone or mobile number, business and home contact details including e-mail addresses and telephone numbers, health information, medication adherence information, video information including images of a user’s face, audio information, and demographic information. Personal data may further include any information that identifies an individual, but does not include information that has been encoded, encrypted, or otherwise anonymized. This data shared only with the clients’ outside counsel and the client for their review and preparation in response to U.S. litigation. At Evolver, we recognize the importance of privacy to our clients and we strive to safeguard all personal information we may receive and may need to use in support of our clients.
Evolver adheres to the set of data protection principles developed in consultation by the United States Department of Commerce (DOC), in collaboration with the European Commission, producing the U.S.-European Union Privacy Shield Framework Documents.
This Policy applies to all personal information received by Evolver from the EU. In most cases, the data we receive will be in electronic form and relates to our clients and their business activities. It may include personal information about our clients’ employees, business contacts, customers and any other individuals with whom our clients have dealings. When we receive and process personal information provided to us by our clients, we do so as “data processors” acting on the instructions of our clients and/or the court system. Evolver does not actively collect personal information from individuals in the EU. Evolver’s possession and use of personal information is incidental to our primary task of providing electronic discovery services to our clients.
- Collectively, “Information” means “Personal Information” that (1) is transferred from the EU to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual; and/or “Sensitive Personal Information” that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, or that concerns an individual’s health.
- “Agent” is any third party that collects, uses, or stores Information at Evolver’s direction in support of Evolver engagements.
PRIVACY SHIELD PRINCIPLES
Evolver affirms its participation in the Privacy Shield. The practices to which Evolver is committed are based on the seven EU Privacy Shield Principles negotiated between their respective government agencies and the United States Department of Commerce. Adherence by Evolver to these Privacy Shield Principles provides the necessary level of protection required by the EU Directives for the transfer of personal information outside the EU. Evolver’s execution of these principles may be limited in certain circumstances, in particular:
- (a) where there is a conflicting or overriding legal obligation;
- (b) to the extent expressly permitted by any applicable law, rule or regulation; or
- (c) where Evolver receives personal information as a “data processor” acting on the instructions of a client. As Evolver will be receiving personal information from the EU merely for processing, its principle obligations are limited to onward transfer, security, access, and enforcement. Evolver’s client remains responsible for notice, choice, and data integrity.
NOTICE: Evolver receives data to be processed and/or stored, the contents of which may, or may not be Information. Should Evolver be engaged to collect Information from individuals in the EU, it will inform individuals of the purposes for which it collects and uses their Information, the types of third parties (if any) to which Evolver may disclose that Information, and the choices and means, if any, that Evolver offers individuals for limiting the use and disclosure of their Information. Notice will be provided in clear language when individuals are first asked to provide Information to Evolver, or as soon as practicable thereafter, and in any event before Evolver uses such Information for a purpose other than that for which it was originally collected or processed by the transferring organization, or discloses it for the first time to a third party.
CHOICE: Given that Evolver’s services are directed by our clients and frequently by legal proceedings, choice may be limited. Where Evolver is the collector of Information and Choice is permissible, it will offer individuals the opportunity to choose (opt-out) whether their Information is
- (a) to be disclosed to a third party (unless that disclosure is allowed or required by contract), or
- (b) to be used for a purpose that is not consistent with the purpose for which that Information was originally collected, or subsequently authorized by the individual.
Individuals may opt out of providing personal data, upon request. To the extent that personal data has been collected, individuals have the right to review personal data held about them and have certain inaccurate information corrected, unless the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. If you wish to do so, or to notify us of a change in your details, please contact the Ethics and Compliance Officer.
We will provide an individual opt-out or opt-in choice before we share their data with third parties other than our agents or before we use it for a purpose other than which it was originally collected or subsequently authorized.
A formal request from an individual for information that we hold about them must be made in writing. A fee is payable by the data subject for provision of this information. Any member of staff who receives a written request is required to forward the request to the Ethics and Compliance Officer.
To exercise their choice to opt-in or opt-out, and individual may contact us. Upon receipt, Evolver will provide individuals with reasonable mechanisms to exercise their choices.
ONWARD TRANSFERS: In the event Evolver must transfer Information to a document review company, Evolver will obtain assurances from its Agents, prior to such transfer, that they will safeguard the Information in a manner consistent with this Policy. The document review company is engaged by the client, not Evolver. The client shall give written approval to Evolver to allow the document review company selective access based on litigation review requirements. Every Agent utilized enters into a contractual relationship with Evolver, which includes confidentiality and non-disclosure clauses, and provides the same level of commitment to and protections, as required by the Privacy Shield Principles. We also may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Privacy Shield, Evolver may be liable.
SECURITY: Evolver takes reasonable precautions to protect Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. Evolver utilizes a Tier III, ISO 27001:2005 certified data facility which employs an array of security equipment, techniques and procedures to control, monitor and record access to the facility, including individual cages.
DATA INTEGRITY: Evolver will use Information only in ways that are relevant and compatible with the purpose for which that information was collected or provided to Evolver. Evolver will take reasonable steps to ensure that all data collected, processed and/or stored is protected from destruction, corruption, or use in a manner inconsistent with the purpose for which it received the information.
ACCESS: Evolver acknowledges that EU individuals have the right to access the personal Information that we maintain about them. Upon request, and where permissible by law and purpose for which it possesses the Information, Evolver will grant individuals reasonable access to Information that it holds about them. In addition and where permissible, Evolver will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete, except where the burden or expense of providing access would be disproportionate to the risks of the individual’s privacy, or where the rights of another individual may be violated. A reasonable fee may be charged as compensation for our expenses incurred in accessing, changing or deleting the personal information.
ENFORCEMENT: Evolver will conduct compliance audits at least annually of its relevant privacy practices to verify adherence to this Policy and will self-certify with the U.S. Department of Commerce. Further, Evolver will conduct follow up investigations to verify that attestations and assertions regarding practices are true. Evolver maintains an Ethics hotline to which violations and/or complaints may be made and Evolver engages in training to support implementation and compliance. Any employee that Evolver determines is in violation of this Policy will be subject to disciplinary action.
Evolver is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Ethics and Compliance Officer
1943 Isaac Newton Square, Suite 260
Reston, VA 20190
Evolver, Inc. has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
CONTACT INFORMATIONPlease refer all questions or comments regarding this Policy to:
Ethics and Compliance Officer
1943 Isaac Newton Square, Suite 260
Reston, VA 20190
This Privacy Shield Policy is available at www.evolverinc.com
CHANGES TO THIS PRIVACY SHIELD POLICY
This Policy may be amended from time to time to remain consistent with the requirements of the Privacy Shield Principles.
The effective date of this Privacy Shield Policy is: July 2016