Global Privacy Statement
Revised January 2, 2020
In the regular course of business, Khepra acquires Personal Information by interaction and communication with current, former and prospective employees, clients and other third parties. Khepra takes seriously its obligations to protect such Personal Information. As evidence of its commitment to privacy, Khepra’s management has established this Global Privacy Statement (the “Statement”) to articulate the privacy and data protection principles that guide Khepra’s practices around the world.
This Statement reflects consideration of the principles of various privacy frameworks, including the Organization for Economic Cooperation and Development (“OECD”) Fair Information Practices Principles (“FIPPs”) and the American Institute of CPAs (“AICPA”) Generally Accepted Privacy Principles (“GAPP”).
This Statement and related Khepra policies are designed to accomplish the following specific objectives:
• Increase awareness of regulatory, legal, and corporate requirements for handling and protecting Personal Information
• Set forth minimum guidelines for the collection, use, sharing, protection, and other Processing of Personal Information
• Enable Khepra to meet business, legal, and regulatory responsibilities relating to Personal Information
Under no circumstances does this Statement create any legal rights for any employee or any third party, nor is it a contract.
If you do not provide us with the required Personal Information, we may not be able to provide the requested service to you.
2.0 Scope and Applicability
This Statement applies to all Khepra businesses, functions, regions, and subsidiary companies (referred to collectively in this Statement as “Khepra”).
This Statement establishes minimum worldwide guidelines for Khepra for collecting, using, sharing, protecting, and otherwise Processing Personal Information. It applies to any Personal Information that is collected, stored, transferred, or otherwise Processed, whether in electronic or paper form, by or on behalf of Khepra. This includes Personal Information that pertains to Khepra’s customers, vendors, contractors, or other third parties.
All Personal Information must be handled and protected according to the requirements set forth in this Statement, subject to the circumstances described under the Exceptions (Section D.12) of this Statement. Additional policies and specific practices may be tailored to meet the legal, regulatory, and cultural requirements of the countries and regions where Khepra operates (e.g., through geography-specific data privacy policies).
Khepra uses the following definitions:
• “Data Privacy” means the legal rights and expectations of individuals to control how their Personal Information is collected and used.
• “Personal Information” means any information relating to an identified or identifiable natural person. For purposes of the Khepra Information Classification Standards and Controls, most Personal Information shall be deemed Highly Restricted Information.
• “Processing” means any operation or set of operations that is performed upon Personal Information.
• “Sensitive Personal Information” has definitions that vary from country to country. For example, European data protection laws treat certain categories of Personal Information as especially sensitive, e.g., biometric, information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying medical or health conditions, or sex life.
4.1 Global Fundamentals
The principles that guide Khepra’s practices for handling Personal Information include notice, choice and consent, collection and classification, use and retention, data access, disclosure and onward transfer, data security, and data integrity and data quality.
It is Khepra’s policy to abide by the privacy and data protection laws in the countries in which we do business.
Where required, Khepra provides individuals appropriate notice about the purposes for which it collects, stores, discloses, and/or otherwise Processes Personal Information about them. Depending upon applicable legal requirements, notice to individuals may include some or all of the following information:
• Khepra’s participation in privacy frameworks, such as the EU-U.S. Privacy Shield (“Privacy Shield”), and its commitment to subject to the Privacy Shield Principles all Personal Information received from the EU in reliance on the Privacy Shield;
• The type of Personal Information that is collected;
• The purpose(s) for which the Personal Information is collected;
• If there is a legal requirement to collect the Personal Information, a statement of this fact;
• How the Personal Information will be used or processed;
• If the Personal Information will be collected by or disclosed to third parties, a statement of this fact, the types or identities of third party recipients, and the purpose(s) for doing so;
• If applicable, how individuals can access their Personal Information and correct or delete it if it is inaccurate or processed in violation of the Privacy Shield;
• The choices and means Khepra offers individuals to limit the use and disclosure of their Personal Information;
• If applicable, information appropriate with respect to cross-border data transfers;
• If applicable, any relevant establishment in the EU that can respond to inquiries or complaints under the Privacy Shield;
• How to contact Khepra with questions, corrections, complaints, and disputes;
• The independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge under the Privacy Shield.
• That individuals may be able to invoke binding arbitration in certain circumstances under the Privacy Shield.
• That Khepra is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
• That Khepra may be liable for violations under the Privacy Shield if Khepra transfers Personal Information to certain third parties.
• That Khepra is required to disclose Personal Information in response to lawful requests from public authorities, including to meet national security or law enforcement requirements.
Where feasible, Khepra provides notice to an individual at or before the time of the collection of Personal Information or as soon thereafter as is practicable, but in any event before Khepra uses the Personal Information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.
4.3 Choice and Consent
Khepra obtains consent from or provides other choices to individuals regarding the Processing of their Personal Information when required by applicable law. Khepra also appropriately communicates any choices available to individuals with respect to Khepra’s sharing of their Personal Information with third parties or access to their Personal Information by third parties.
Specifically, when consent or choice is required or otherwise determined to be appropriate, Khepra:
• Requests the consent of the individual using a type of consent (opt-out or opt-in, informed or explicit) or other choice mechanism that is appropriate in light of applicable requirements. In some jurisdictions, there may be local legal requirements relating to consent or choice that apply to a category(ies) of Sensitive Personal Information. With respect to data transferred from the EU in reliance on the Privacy Shield, Khepra obtains opt-in consent before disclosing Sensitive Personal Information to a third party or using it for a purpose other than those for which it was originally collected or subsequently authorized by the individual via opt-in consent.
• As appropriate, informs individuals of the consequences for failing to consent or to provide their information.
• As appropriate, informs individuals regarding how they can change their consent decisions or choices.
• Processes an individual’s Personal Information in a manner that is consistent with consent or other choices exercised by the individual.
Consent shall be obtained in accordance with local country laws and regulations. Additional safeguards may be required depending on jurisdiction and the type of information at issue.
4.4 Collection and Classification
Khepra adheres to the following guidelines to ensure that its collection of Personal Information is fair and lawful. Specifically, Khepra:
• Collects only as much Personal Information as is required by law or needed for reasonable and legitimate business purposes.
• Collects Personal Information in a non-deceptive manner.
• Where appropriate, informs individuals which Personal Information is required and which is optional at the time of collection.
• Collects Personal Information from individuals consistent with local legal requirements.
4.5 Legal Basis for Processing Personal Information
Our legal basis for processing Personal Information is prescribed by applicable data protection laws and regulations and is dependent on the purpose of the processing and our relationship with you. Generally, Khepra relies on its legitimate interests, legal obligation or consent for processing Personal Information.
4.6 Use and Retention
Khepra uses, stores, retains and otherwise Processes Personal Information only for reasonable business purposes or as authorized by the individual. Khepra does not disclose Personal Information to third parties for direct marketing purposes, nor does it sell Personal Information. Processing of Personal Information will comply with contractual, regulatory, and local legal requirements.
Personal Information is retained and destroyed in accordance with applicable Khepra data retention policies and procedures and only retained for as long as it serves a purpose of processing for which it was collected or subsequently authorized.
4.7 Data Privacy Rights
Where permitted or required by applicable law, Khepra extends certain data privacy rights to individuals for whom we have collected or processed Personal Information, as described below. Note that we may be unable to provide the individual access to their Personal Information in instances where we have destroyed, erased, or anonymized the data, or if it would reveal personal data about another person. We may also refuse any request if applicable law allows or requires us to do so. We will inform the data subject of the reasons for refusal, if applicable.
Individuals can submit a request to exercise data privacy rights to the Khepra Privacy Office at firstname.lastname@example.org. California residents may also call 805-914-5800.
1. If the individual requests access to their Personal Information, Khepra may request specific information from the individual to help confirm their identity and their right to access.
2. Khepra relies on the individual to ensure the information Khepra maintains about them is accurate, complete and current. If any Personal Information is inaccurate or incomplete, the individual may request that their Personal Information be corrected or completed. Khepra will correct or delete Personal Information as required by applicable law. Individuals may also request to correct, amend, or delete Personal Information that has been processed in violation of the EU-U.S. Privacy Shield Principles or applicable data protection law.
3. Where the individual has provided consent to the collection, processing, or transfer of Personal Information, the individual may have the legal right to withdraw consent. Where we have processed the individual’s Personal Information with consent, the individual can withdraw that consent at any time. Note that withdrawing consent will not affect the lawfulness of any processing we conducted prior to withdrawal, nor will it affect the processing of the Personal Information conducted in reliance on a lawful basis other than consent.
4. The individual may have the right to receive their Personal Information provided by them to Khepra and have the right to send the data to another organization (or ask us to do so if technically feasible) where our lawful basis for processing the Personal Information is consent or necessity for the performance of our contract with you and the processing is carried out by automated means.
5. Individuals may have the right to request to delete, object or restrict processing of their Personal Information.
6. Individuals can opt-out of email marketing communications at any time by selecting the email’s “Opt-out” or “Unsubscribe” link, or following the instructions included in each email subscription communication.
7. If the individual considers that their rights have not been adequately addressed, they have the right to submit a complaint to the Khepra Privacy Office or with the supervisory authority in their country of residence.
Khepra will not discriminate against individuals for exercising any of their privacy rights allowed or required by applicable data protection law or regulation.
4.8 Disclosure and Onward Transfer
Khepra may share an individual’s Personal Information with third parties as required for reasonable business purposes, including providing services and products to clients and administration of employee benefits and provision of other services to employees, and otherwise in accordance with applicable legal requirements.
With respect to third parties that Process Personal Information on behalf of Khepra, Khepra will seek to put in place appropriate controls to ensure that such third parties afford the applicable Personal Information an appropriate level of protection.
As a global company operating in many locations around the world, Khepra may use data centers and other data processors located outside of the country where the data is collected to store Personal Information. Khepra will abide by any local laws applicable to collection and transfer of Personal Information.
For Personal Information collected or transferred in reliance on the Privacy Shield, Khepra will abide by the requirements of the Accountability for Onward Transfer Principle, including contracts with third-party data controller recipients that adhere to Privacy Shield requirements.
4.9 Data Security
Khepra has adopted and maintains reasonable and appropriate information security policies, processes and/or procedures to safeguard Personal Information from loss, misuse, unauthorized access, disclosure, alteration, destruction, and other Processing.
Khepra’s information security processes provide for the classification of information and the assignment of protection requirements and information security controls based on the classification of information. The safeguards used to protect Personal Information should be commensurate with the type of Personal Information being Processed and the risks involved.
4.10 Data Integrity and Data Quality
Consistent with the goal of protecting the accuracy, completeness and relevance of Personal Information that it maintains, Khepra collects Personal Information directly from the applicable individual or will seek to put in place measures to verify that Personal Information collected from third parties is reliable and legally obtained. Khepra takes other steps that may be appropriate to comply with applicable legal obligations that relate to the accuracy, completeness, and relevance of Personal Information it maintains.
4.11 EU-U.S. Privacy Shield
Khepra complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union to the United States. Khepra has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.
Khepra’s participation in the Privacy Shield applies to all Personal Information that is transferred from the European Union and European Economic Area and Switzerland to the United States. Khepra will comply with the Privacy Shield Principles in respect of such Personal Information.
Khepra’s accountability for Personal Information that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Khepra remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to Process the Personal Information on its behalf do so in a manner inconsistent with the Privacy Shield Principles, unless Khepra proves that it is not responsible for the event giving rise to the damage. Khepra may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have a Privacy Shield-related (or general privacy-related) question, we encourage you to contact us at email@example.com. Khepra has designated JAMS, an alternative dispute resolution provider, to address complaints and provide appropriate recourse free of charge to individuals with respect to the Privacy Shield. Individuals may contact JAMS at https://www.jamsadr.com/eu-us-privacy-shield. As explained in the Privacy Shield Principles, a binding arbitration option will be made available to you in order to address residual complaints not resolved by any other means. Khepra is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
4.12 Local Standards
Khepra complies with applicable privacy and data protection laws in the locations in which Khepra operates.
In some countries, local laws or regulations may provide stricter requirements than set forth in this Statement. Khepra adopts country-specific privacy policies where it does business reflecting the principles and requirements of this Statement to the extent possible.
Under certain limited or exceptional circumstances, Khepra may, as permitted or required by applicable laws and regulations or the Privacy Shield if applicable, process Personal Information without providing notice, access or seeking consent. Examples of such circumstances may include investigation of specific allegations of wrongdoing, violation of company policy or criminal activity; protecting employees, the public, or Khepra from harm or wrongdoing; cooperating with law enforcement agencies; auditing financial results or compliance activities; responding to court orders, subpoenas or other legally required disclosures; meeting legal or insurance requirements or defending legal claims or interests; satisfying labor laws or agreements or other legal obligations; collecting debts; protecting Khepra’s information assets, intellectual property and trade secrets; in emergency situations, when vital interests of the individual, such as life or health, are at stake; with respect to access requests, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or the privacy interests of others would be jeopardized; and in cases of business necessity.
5.0 Complaints and Questions
Khepra addresses complaints regarding the Processing of Personal Information.
If you have any questions about this statement or our handling of personal information, please contact the Privacy Office by e-mail at firstname.lastname@example.org.