VITAL4DATA PRIVACY POLICY
Introduction
VITAL4DATA, LLC (VITAL4DATA) regards the lawful and proper treatment of Personal Identifiable Information (PII) and individual’s data critical to a robust and successful operation. It is our policy to maintain the confidentiality and privacy of any personal data submitted voluntarily to us in writing, electronically, through our service system, or while visiting our website. This Privacy Policy statement outlines how we collect, use and transfer personal data for operation, privacy in the performance of our services, and the rights of individuals and our clients for whom we may maintain personal information on their behalf.
What We Collect
VITAL4DATA collects highly sensitive PII regarding data subjects including, but not limited to, full name, previous/alternative names, national identity numbers, date of birth, telephone, email addresses, residential address history, credit information, employment history, education history, and criminal record history.
In addition to the data submitted to us by our clients, we may collect data from our partners, sub-processors, and sources as needed (such as credit agencies, employers, academic institutions, public information sources, law enforcement agencies, city, state, country, and federal courts, and military services). Prior employers, references, or business affiliates may be contacted, and the report may include information obtained through personal interviews regarding the data subject’s character, general reputation, personal characteristics, or mode of living. Information is collected as needed to process requested academic, residential, achievement, job performance, attendance, litigation, personal history, credit reports, driving records, criminal history records, and other lawful checks.
We may also collect email correspondence from visitors to this site who request information about the services that we provide. We do not collect or process any PII of data subjects that are under the age of 16 years.
Cookies
When you visit our website, it may place a text file, called a cookie, in the browser directory of the individual’s computer hard drive. A cookie is a small piece of information that a website can store on the individual’s web browser and later retrieve. The information that cookies may collect includes the date and time of the visit, registration information, and navigational activity. Cookies cannot be used to run programs or deliver viruses to an individual’s computer. Cookies are uniquely assigned to individual users and can only be read by a web server in the domain that issued the cookie. Most browsers allow you to decline cookies, but if elect to do so, these pages may not display correctly. An individual is free to delete cookies after their session, and the browser should contain instructions on how to do this.
Why We Collect
Our clients provide us with your PII to procure a background report (may be referred to by several different names including Consumer Report, Background Check Report, Background Screening Report, Background Report Search). Information is collected as needed to process requested academic, residential, achievement, job performance, attendance, litigation, personal history, credit reports, driving records, criminal history records, and other lawful regulatory compliance checks. We only provide services to businesses only with a legitimate and permissible purpose with your authorization and consent.
We collect only minimal personal information that is necessary to the requested search. Consistent with privacy principles, our use of your information is limited to the information that is relevant for processing. We do not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by you. We adhere to the privacy principles for as long as we retain such information.
To the extent necessary for those purposes, VITAL4DATA has policies and procedures in place and takes reasonable steps to ensure that your data is consistent with its intended use. We assure your data is accurate, complete, and current. Because we create, maintain, use or disseminate your information, we take reasonable and appropriate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Taking into due account the risks involved in the processing and the nature of your data, we adopt and follow reasonable and appropriate measures in complying with this provision.
Sharing
To provide our services, such as background reports, to our clients who request the results of the background search on you, we may use sub-contracted third-party partners or sub-processors to perform searches on our behalf. We only provide the minimum required PII data to perform the background check carried out in the country that is requested. We do not share any data about you for any other purpose than what is required to perform the background check in that country. Once the details of the background search are conducted, we share that information with our client who requested the background search on your behalf. All such entities are contractually obligated to use and maintain the confidentiality of your information in a manner consistent with this Privacy Policy, which includes not sharing any such information with any other third parties. Except as described in this Privacy Policy, or required by law, we do not use or otherwise disclose any of your information provided or collected from our partners, sub-processors, or other sources.
Keeping your Information Secure
When PII is transmitted to us, it is protected through the use of a robust 256-bit Secure Sockets Layer (SSL) protocol. Email communications also utilize secure encryption technology such as TLS, Escrow, PGP, or S/MIME and meet or exceed HIPPA and other communication security regulations and policy standards. Our servers securely store personal data. Access is strictly limited to authorized personnel who are trained to protect against the loss, misuse, unauthorized access, disclosure, alteration, or destruction of your data under our control.
We utilize a risk-based approach when it to comes protecting your data. We are a proactive, not reactive company when securing your information. Security and privacy are looked at as default setting and is embedded into the design of the processes. We implement appropriate technical and organizational measures to protect your information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, regardless of how it is collected, recorded, and used- whether on paper, computer, or recorded on other material. We implement technical and organizational policies and procedures to ensure proper data security measures are in place. We implement privacy protection that offers end-to-end security in all our processes and procedures. Our safeguards exceed the ethical expectations and statutory regulation worldwide.
Onward Transfers and International Transfers
VITAL4DATA provides international background screening services and may sub-contract other third-party agents and partners to perform background searches outside the United States on our behalf. Your data may be transferred internationally to a third-party agent or partner to complete the requested international background service. We transfer only the minimum required personal data that is needed for our third-party agents or partners to perform the requested background service.
Accountability for Onward Transfers of EU and the UK and Swiss PII Pursuant to the Privacy Shield Frameworks
Taking into account that data will be transferred internationally, in the context of onward transfers, we are responsible for the processing of personal information we receive under the EU and the UK/US and Swiss/US Privacy Shield Frameworks and subsequently transfer to our partners and third-party agents acting as an agent on its behalf. We remain liable under the Privacy Shield Principles if its agent processes such PII in a matter inconsistent with the Principles unless we prove we are not responsible for the event given rise to the damage.
To transfer personal information to a third party acting as a controller, we comply with the Notice and Choice Principles of the Privacy Shield Frameworks. We will also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by you and that the recipient will provide the same level of protection as the Principles and will notify us if it makes a determination that it can no longer meet this obligation. The contract provides that when such a decision is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.
To transfer personal data to a third party acting as an agent, we: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under vi), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vii) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
Under the Privacy Shield, we apply the principles of Notice and Choice of EU and the UK-PII and Swiss-PII that are transferred to third parties. The EU and the UK-PII and Swiss-PII are only to provide to third parties for purposes described in the Notice section or otherwise disclosed to you, and will not be disseminated to a third party where you have “opted-out” or, in the case of “sensitive” information, failed to “opt-in.”
EU, the UK, and Swiss individuals have the right to access their personal data pursuant to the Privacy Shield. You may contact us, as set out at the end of this Privacy Policy, at any time to determine if we hold any personal information about you.
We use EU and the UK-PII human resources-related data transferred from the EU, the UK, and Switzerland and commit to cooperating with the DPAs concerning such data. Where an organization in the EU, the UK, and Switzerland transfers personal information about its employees (past or present) collected in the context of the employment relationship to us, the transfer enjoys the benefits of the EU and the UK-US or Swiss-US Privacy Shield.
We commit to cooperate with EU Data Protection Authorities (DPA’s), The UK Information Commissioner’s Office (ICO), and Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and the UK in the context of the employment relationship. EU and the UK individuals wishing to file a complaint with the appropriate DPA may go to http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm. Swiss individuals wishing to file a complaint with the appropriate FDPIC office should go to https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/links/data-protection—switzerland.html.
VITAL4DATA complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and Switzerland to the United States in reliance on Privacy Shield. VITAL4DATA has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
Note that pursuant to the Privacy Shield we are obliged to inform EU, the UK, and Swiss individuals that we may be required to share personal data in response to lawful requests from public authorities including to meet national security and law enforcement requirements.
We are liable for the onward transfer of EU, the UK, and Swiss personal data to third parties unless we can prove we were not a party to the actions giving rise to the damages.
We acknowledge the right of EU, the UK, and Swiss individuals to access the personal data we hold about them pursuant to the Privacy Shield. Individuals wishing to access their personal data may do so by contacting us at the address and/or email below.
We commit to handle all EU, the UK, and Swiss personal data under the Privacy Shield in keeping with the original purpose for which it was supplied or subsequently authorized. If this practice should change in the future, we will update this policy accordingly and allow individuals to opt-out (in the case of personal data) or opt-in (in the case of sensitive personal data) choice as is applicable.
In compliance with the EU and the UK-US and Swiss-US Privacy Shield Principles, we commit to resolving complaints about your privacy and our collection or use of your personal information. European Union, the United Kingdom, and Swiss data subjects with inquiries or complaints regarding their personal data handled under the Privacy Shield should first contact us at:
Dawn Marchand
3901 Mary Eliza Trace NW, Suite 203
Marietta, GA 30064
770-763-8931
compliance@VITAL4.net
VITAL4DATA has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.
Finally, as a last resort and in limited circumstances EU, the UK, and Swiss data subjects with residual complaints may invoke a binding arbitration option before a Privacy Shield Panel.
An individual may invoke binding arbitration as the method for dispute resolution in accordance with the requirements and procedures set forth in Annex 1 of the Privacy Shield Framework. As set forth in Annex I, we recognize that an arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles as to that data subject, and whether any such violation remains fully or partially un-remedied. Annex I provides the terms under which Privacy Shield organizations are obligated to arbitrate claims, pursuant to the Recourse, Enforcement, and Liability Principle. This option is available only for these purposes. It can be found in its entirety at the Privacy Choice website URL: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
We are subjected to the investigatory and enforcement powers of the Federal Trade Commission (FTC). If we should ever become subject to an FTC or court order based on non-compliance, we will make public any relevant Privacy Shield related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
Compliance Cooperation with Regulators
We support the enforcement and accountability of information industry standards and practices. We verify the adherence to this Privacy Policy through in-house verification and internal policies and procedures implemented by the senior management of the company. We periodically review policies and procedures of our objectives for compliance to ensure it meets the laws and regulations of the industry.
We endorse entirely and comply with all applicable United States and international laws governing the privacy and protection of personal data that is collected, processed, transferred/exported, organized, altered, recorded, used, disclosed, combined, destroyed, or being held throughout the globe, including but not limited to the following:
- California Consumer Privacy Act (CCPA)
- Fair Credit Reporting Act (FCRA)
- EU and the UK-GDPR
- EU and the UK-US Privacy Shield Principles
- Swiss-U.S. Privacy Shield Principles
- Foreign Corruption Practices Act (FCPA)
- EU Employment Practices Data Protection Code
- Internationally accepted Fair Information Handling Practices
- APEC Privacy Framework
- OECD Privacy Guidelines
- PIPEDA
Data Subject Rights
We respect your rights as data subjects for whose personal information we hold. We have policies and procedures in place to ensure data subjects’ rights are upheld and easily exercised.
Our clients further attest that they will collect consent or authorization from you before requesting a background report. If you wish not to have your information made available to us, you have the choice to “opt-out” or not authorize our clients to procure a background report. By filling out, signing, and therefore giving your explicit consent to the procurement of a background report, and submitting information to our clients, you agree (“opt-in”) to allow us to disclose information about you to our clients and to share your information with our partners and sub-processors in accordance with this Privacy Policy.
FCRA
We offer services in the name of background reports (“Consumer Reports”), as the term is defined under the federal Fair Credit Reporting Act (“FCRA”). When providing background reports to our clients, we act as a Consumer Reporting Agency (“CRA”) as the term is defined under the FCRA, operating under the requirements of the FCRA. We adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner that is fair and equitable to the consumer, concerning the confidentiality, accuracy, relevancy, and proper utilization of such information following the requirements of the FCRA.
We obtain and process information on you only upon the request of a client who has a “permissible purpose” under the FCRA to request information on you for us to provide background checks (“Consumer Reports).” The FCRA requires our client to certify to us that it has a “permissible purpose” for the report and has obtained your written consent to request information before we process the requested information. All clients must certify that they have a “permissible purpose” to request a report, such as for pre-and post-employment screening. Our clients agree to keep your information confidential and secure.
Under the FCRA, our clients have attested to us that they will provide a disclosure notice to you (the “consumer”) that a background search will be performed in accordance with this Privacy Policy and that your data is collected for completing the background checks (“Consumer Report),” as further described within this Privacy Policy.
We allow you the opportunity under FCRA to correct, amend (rectify), or request a copy of your information, or delete information that you feel is inaccurate or incomplete. We also give you the right for you to restrict your data from being processed (restriction).
For dispute resolution or questions regarding your rights under FCRA, please contact:
Dawn Marchand
3901 Mary Eliza Trace NW, Suite 203
Marietta, GA 30064
770-763-8931
compliance@VITAL4.net
To learn more about the federal FCRA, please visit https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/fair-credit-reporting-act.
EU and the UK GDPR (General Data Protection Regulation)
All EU, UK, and Swiss citizens have the right of access to any reports we produce and maintain on you, except where the burden or expense of providing access would be disproportionate to the risks to your privacy, or where the rights of persons other than you would be violated. Pursuant to GDPR, EU, the UK, and Swiss individuals may request that we make your data portable for your use as well.
We allow you the opportunity to correct, amend (rectify), or request us to delete information that you feel is inaccurate or incomplete. We also give you the right for you to restrict your data from being processed (restriction).
Before disclosing information, under regulatory laws and for your protection, we will require proof of identity, including proper verification and confirmation that you are the data subject who is entitled to request access. We will notify you if, for a good reason, we are unable to provide access to your data or to correct data. If the data subject is an EU, the UK, and Swiss data subject or any other non-US data subject, please contact our DPO. A copy of your report will be received within 30 days, at no charge (as mandated by the GDPR).
EU, UK, and Swiss individuals have the right, pursuant to GDPR, to file a complaint regarding the handling of their personal data directly with the appropriate Data Protection Authority (DPA). For more information on how to locate DPA’s please go to http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
EU and the UK GDPR (General Data Protection Regulation)
All EU, UK and Swiss citizens have the right of access to any reports we produce and maintain on you, except where the burden or expense of providing access would be disproportionate to the risks to your privacy, or where the rights of persons other than you would be violated. Pursuant to GDPR, EU, the UK and Swiss individuals may request that we make your data portable for your use as well.
We allow you the opportunity to correct, amend (rectify), or request us to delete information that you feel is inaccurate or incomplete. We also give the right for you to restrict your data from being processed (restriction).
Before disclosing information, under regulatory laws and for your protection, we will require proof of identity, including proper verification and confirmation that you are the data subject who is entitled to request access. We will notify you if, for a good reason, we are unable to provide access to your data or to correct data. If the data subject is an EU, the UK and Swiss data subjects or any other non-US data subject, please contact our DPO. A copy of your report will be received within 30 days, at no charge (as mandated by the GDPR).
EU, UK and Swiss individuals have the right, pursuant to GDPR, to file a complaint regarding the handling of their personal data directly with the appropriate Data Protection Authority (DPA). For more information on how to locate DPA’s please go to http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
Data Protection Officer
We are required under The European Union’s General Data Protection Regulation (GDPR) to appoint a dedicated Data Protection Officer (DPO). Our DPO and contact information is detailed below:
Dawn Marchand
Director of Compliance
United States
1-770-763-8931
compliance@vital4.net
Updates
This Privacy Policy may be amended to reflect new products and services, or as necessary to reflect a new business practice. We will post any revised policy on the website.
Our Commitment
We commit to resolving complaints about your privacy and our collection or use of your personal information. Inquiries or complaints regarding this privacy policy should first contact us at:
Dawn Marchand
3901 Mary Eliza Trace NW, Suite 203
Marietta, GA 30064
770-763-8931
compliance@VITAL4.net