Privacy Policy

CSC TCI, Inc. (“CSC TCI”) recognizes the importance of maintaining privacy of information. This CSC TCI Privacy Policy (“Policy”) addresses how CSC TCI collects, uses processes and protects data and other information (“Data”). Data includes, but is not limited to personal information governed by the privacy principles under the EU-US Privacy Shield Framework (“Framework”), agreed to between the European Commission and the US Department of Commerce regarding the collection, use and retention of personal information from European Union (“EU”) member countries. As set forth with further detail below, where applicable CSC TCI complies with the EU-US Privacy Shield Framework. CSC TCI has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/.

I. Definitions

In addition to other terms defined herein, the following definitions shall apply to this Policy:
“PI” means personal Data about an identified or identifiable individual, such as names and addresses.
“Processing” or “Processes” are operations involving PI.
“EU Person” is an individual in an EU member state.
“EUPI” is PI that is within the scope of the Framework, received by CSC TCI from an EU Person located in an EU
member state, and recorded in any form.

II. Collection, Use and Disclosure

CSC TCI only collects, obtains access to, Processes and uses Data as necessary for and/or relevant to its proper business purposes of: offering and providing tax related software, support and services, backing up Data for business continuity, disaster recovery and archival purposes; maintaining security of services, systems, networks, and Data, and complying with laws, regulations, professional standards, contract terms, court orders, administrative or judicial processes, subpoenas and search warrants (“Purposes”). When appropriate, CSC TCI provides clients and personnel with access to their Data to correct, amend or delete such Data. Unless restricted by law, regulation, professional standards or contract, CSC TCI may disclose certain Data to its personnel or to third-parties: for Purposes; with regard to a merger, sale, assignment or other transfer of CSC TCI, Inc.; to protect CSC TCI’s legal interests; in connection with internal business practices; with consent by the Data owner; and when necessary to respond to an emergency that may threaten risk of harm to or destruction of person, property or Data. Except as part of a merger, sale or other significant entity change, CSC TCI will not sell, rent or lease PI. CSC TCI requires most personnel to execute confidentiality agreements, and assesses all third-party agents and subcontractors for suitability and reliability, given the nature of the Processing activity and Data involved. Third-party contracts typically address confidentiality, privacy and security obligations, as well as notification of known or suspected security breaches, misappropriation, or unauthorized disclosure and use of Data.

III. Framework Principles

With regard to collection, use, retention and Processing of EUPI, CSC TCI adheres to the Privacy Shield Principles set forth in the Framework.

1. Notice

If CSC TCI obtains EUPI directly from any EU Person, it will notify such EU Person of: the purposes for which it collects and uses their EUPI; how the individual can contact CSC TCI with inquiries or complaints about such use; the types of third parties (if any) to which CSC TCI discloses such EUPI; and the choices and means that CSC TCI offers for limiting the use and disclosure of their EUPI. Choices and means of limiting use and disclosure of PI may include use of encryption technology, limiting support options, providing separate backup mechanisms, and/or ceasing provision of certain products and services. Notice will be provided in clear and conspicuous language when CSC TCI first asks any EU Person to provide PI to CSC TCI, or as soon as practicable thereafter, and in any event before CSC TCI Processes such information for a purpose other than that which it was originally collected, or discloses it for the first time to a third party. If EUPI is provided to CSC TCI by its entity clients, notice will not be provided to the relevant EU Person by CSC TCI, however CSC TCI will use and disclose such EUPI in accordance with the purpose for which it was originally collected by the client and with consents made, so long as the client makes CSC TCI aware of such purpose and consents. CSC TCI clients are responsible for providing notice to all EU Persons who are the subject of Data
and PI provided by such client to CSC TCI.

2. Choice

CSC TCI will offer EU Persons providing EUPI directly to CSC TCI, the opportunity to choose (opt-out) whether their PI will (a) be disclosed to a third party (unless that disclosure is required or allowed by contract),or (b) be used for a purpose that is incompatible with the purpose for which that information was originally collected or subsequently authorized by the EU Person. CSC TCI will provide EU Persons with clear and conspicuous, readily available and affordable mechanisms to exercise their choices. For sensitive EUPI (which specifies medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or regarding gender and sexuality), CSC TCI will give EU Persons the explicit choice to consent (opt-in) to disclosure to a third party, or use for a purpose other than that for which that information was originally collected or subsequently authorized by the EU Person via exercise of the opt in choice. If any EUPI is provided to CSC TCI by its clients, choice will not be provided to the EU Person by CSC TCI, however CSC TCI will use and disclose such EUPI in accordance with the purpose for which it was originally collected by the entity client and with consents made, so long as the client makes CSC TCI aware of such purpose and consents. CSC TCI clients are responsible for obtaining consent from and providing choice to all EU Persons who are the subject of Data and PI provided by such client to CSC TCI.

3. Accountability for Onward Transfer

CSC TCI will apply the notice and choice principles in providing EUPI collected directly from a EU Person and thereafter provided to a third party. CSC TCI is potentially liable in cases of onward transfers of EUPI to third parties. Accordingly, CSC TCI will obtain assurances that its agents and subcontractors subscribe to the EU-US Privacy Shield Privacy Principles or otherwise use safeguards consistent with this Policy.

4. Security

CSC TCI will take reasonable precautions to protect EUPI in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. CSC TCI follows industry standard security measures, which include physical, administrative and technical safeguards and controls designed to protect EUPI and other Data from loss, misuse, unauthorized access, disclosure, alteration or destruction. CSC TCI takes precautions in its efforts to ensure that access to EUPI is available only to those who are authorized. No protocol, encryption, or other precaution can provide complete security for electronic Data, so CSC TCI does not provide a guarantee of total security. Moreover, the privacy of information regarding the employees, customers and business associates of CSC TCI’s clients are the responsibility of such clients; CSC TCI clients have the only direct relationship with these Data subjects. CSC TCI follows commercially reasonable measures for retention and destruction of Data, including EUPI. Where appropriate, Data is deleted and/or disposed of effectively and securely. Even if destruction is requested by a client, personnel or EU Person, it may still be necessary for CSC TCI to retain certain Data pursuant to law, contract terms or to comply with internal retention and destruction policies.

5. Data Integrity and Purpose Limitation

CSC TCI will use EUPI only in ways that are relevant for the Purposes for which it was collected or authorized by the relevant EU Person. CSC TCI will take reasonable steps designed so that EUPI Processing is performed as intended, and in an accurate, complete and current manner.

6. Access

Upon request, CSC TCI will grant EU Persons reasonable access to their EUPI held by CSC TCI, and will take reasonable steps to permit corrections, amendments, or deletions of inaccurate or incomplete EUPI, except where the burden or expense of providing access would be disproportionate to the risks to the EU Person’s privacy in the case in question, or whether the rights of other persons would be violated.

7. Recourse, Enforcement and Liability

8. Self-Assessment Verification

To ensure compliance with Framework Privacy Principles set forth in Section III of this Policy, CSC TCI will conduct an annual independent audit of its practices, which shall include confirming (a) the Policy and posting revised versions of the Policy in a conspicuous place on CSC TCI’s website where employees and clients can see them; (b) the Policy is accurate, comprehensive and conforms to the Framework’s principles; (c) annual renewal of EU-US Privacy Shield self-certification with the US Department of Commerce; (d) inclusion of CSC TCI’s name on the US Department of Commerce’s EU-US Privacy Shield list of compliant companies; (e) appropriate employee training and internal procedures exist for periodic reviews of CSC TCI’s compliance with the Policy. Any employee that CSC TCI determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment.

9. Dispute Resolution

In compliance with the EU-US Privacy Shield Principles, CSC TCI commits to resolve complaints about privacy and the collection or use of EUPI free of charge. EU Persons with inquiries or complaints regarding this Policy may first contact Corptax, Attention Ivy Jacobson, Associate General Counsel, either by mail at Corptax, Inc., 2100 E. Lake Cook Road, Buffalo Grove, IL 60089, and/or by phone at 917.353.9643. CSC TCI has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. In addition, the Federal Trade Commission has jurisdiction to hear any claims of unfair or deceptive practices or violations of laws or regulations governing privacy. Under certain limited conditions, EU Persons may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.

9.1 Limitations

CSC TCI’s adherence to the Framework principles may be limited and CSC TCI may be required to disclose EUPI in response to a lawful request by public authorities; to meet national security or law enforcement requirements; where there is a conflicting or overriding legal obligation; to the extent expressly permitted by any applicable law, rule or regulation; or where CSC TCI receives EUPI as a Processor acting on the instructions of a client, in which case CSC TCI will receive such EUPI merely for Processing in accordance with Purposes. CSC TCI clients will remain responsible for compliance with applicable laws and the Framework Privacy Shield Principles with regard to all PI provided by such clients to CSC TCI. CSC TCI client contracts contain strict restrictions that prohibit clients from accessing or reviewing other clients’ Data.

IV. Application and Exceptions

This Privacy Policy applies to CSC TCI’s internal business matters, website, hosting, and provision of products and services. Except with regard to Section III, Framework Principles: (a) CSC TCI may modify or discontinue this Policy at any time, as it deems appropriate, without prior notice or consent, and new versions will become effective immediately, and (b) CSC TCI’s compliance with this Policy may be limited in certain circumstances, such as when the burden or expense of providing access to or disclosure of Data is disproportionate to the privacy risks; when the rights of individuals would be violated; when necessary to protect CSC TCI’s legal interests, or abide by laws, regulations, professional standards or contract terms; and when necessary to respond to a court order, administrative or judicial process, subpoena or search warrant. Employment with CSC TCI or use of CSC TCI’s website, hosting or other products and services is voluntary and signifies agreement and acceptance of the terms herein. Any person or entity that disagrees with this Policy should not provide CSC TCI with access to any Data.

V. Questions

Questions and concerns regarding this Policy and its terms or regarding suspected misuse of Data should be directed to Ivy Jacobson, CSC TCI Associate General Counsel, 917.353.9643. CSC TCI will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Data in accordance with the principles contained in this Policy. The effective date of this Policy is: August 1, 2016.