CONSENT AND TERMS FOR COLLECTION AND PROCESSING OF PERSONAL DATA

 

Definitions

 

The following are definitions of the various terms used throughout this notice and terms of consent.

 

  1. “Data Protection laws” means any relevant and applicable Data Protection Laws within the jurisdictions relevant to the presence, transfer, or processing of data per the terms of the Agreement.

  2. “Data Transfer” means:

    1. A transfer of Client Personal Data from the Client to Company or Contracted Processor, or;

    2. An onward transfer of Client Personal Data from a Contracted Processor to any other Subprocessor;

  3. “Services” means the SaaS services provided in accordance with the Agreement provided by Emptor.

  4. “Subprocessor” means any person or company appointed as a third party by or on behalf of Processor or subsequently by Controller to process Personal Data on behalf of the Controller in connection with the Agreement.  This is whomever Emptor may hire in order to complete or supplement its services.

  5. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.  This is Emptor.

  6. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of such processing are determined by the purposes and means of such processing.  This is Emptor’s Client.

  7. “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physician, physiological, genetic, mental, economic, cultural or social identity of that natural person.  This is you.

  8. “Personal Data” means any information relating to an identified or identifiable natural person (see “Data Subject”)(also may be referred to as “Personal Identifying Information”, or “PII).

  9. “Personal Data Breach” means a breach of security legend to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

  10. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  11. “Supervisory Authority” means an independent public authority which is established as the relevant, recognized, and competent authority for the creation, administration and application of Data Protection Laws and related matters within the jurisdictions relevant to the provisioning of services under the Agreement.

 

For any questions, inquiries, or exercise of rights defined by law or articulated herein, please contact info@emptor.io, or through our web portal at www.emptor.io.

 

 

 

Data Subject Consent to the Collection and Processing of Personal Data

 

By entering and submitting their information into Emptor’s dashboard, you as the Data Subject understand and consents to all of the following.

 

In recognition that Emptor must obtain explicit, affirmative, and informed consent before it may collect or process any personal data for a lawful basis, including employment, the Data Subject does, by entering and submitting my information, I give such consent.  “Personal Data” means any information relating to an identified or identifiable natural person (which may otherwise be known or referred to as a “Data Subject”).  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors attributable to such an identifiable natural person.

 

The accumulation and use of personal data, and the transfer of personal data from the jurisdiction of the Data Subject to Emptor to be processed abroad.  The Data Subject acknowledges and understands that the information gathered and processed is for the purpose of Emptor’s Client making potential decisions regarding the Data Subject’s suitability for employment or for some other lawful purpose by Emptor’s Client.  The Data Subject is not Emptor’s Client.  As such, the Data Subject further acknowledges and agrees that Emptor may accumulate and use information for this purpose.

 

Use of the information given will include processing the personal data as required to execute contractual obligations in connection with the parameters of these terms, and compliance with any and all applicable laws and safety standards, to execute the obligations concerning the processing of the Data Subject’s information.  The Data Subject, by entering and submitting their information onto Emptor’s dashboard, authorizes disclosure and use of personal information to Emptor, the use of which is limited explicitly for the purpose listed herein.  The Data Subject further acknowledges the following notices:

 

  1. Notwithstanding anything to the contrary herein, Emptor may process personal data without the data subject’s consent under certain other lawful bases, including when processing is necessary for the performance of the function for which Data Subject has given its information; when processing is necessary for compliance with a legal obligation; or when processing is necessary to protect a vital interest, such as the life of the Data Subject.

  2. Data Subject information may be subject to use in Quality Control and Assurance testing.  This means that Data Subject information can be pulled to form a random sampling through which Emptor engages subprocessors to process the information for the same purposes articulated herein.  Data Subject information may be subject to being used for these purposes.

  3. Personal data will be handled and processed only by the parties responsible for the necessary purposes listed herein, and personal information of the Data Subject may be transmitted internationally for processing.

  4. That refusal of consent may make it impossible to carry out necessary activities for which the Data Subject is consenting to the processing of their personal data.

  5. That the Data Subject has the right to withdraw consent to the collection and processing of personal data.  If the Data Subject would like to withdraw consent, they may contact Emptor.

  6. Data Subject acknowledges that they have a right to access, rectify, cancel, or oppose any personal information that Emptor has accumulated during the course of the background check by contacting Emptor at the email address listed below.

  7. Emptor is committed to ensuring the security of any and all personal data.  As such, Emptor has reasonable physical, technical, and administrative safeguards designed to prevent unauthorized access to the personal information of the Data Subject.

 

International Transfer of Personal Identifying Information and Use for Processing

 

Information that is collected by Emptor, both PII and the information gathered during processing, is transferred internationally to the United States for processing.  The information, once processed, is then remitted to Emptor’s Client in their jurisdiction (which is usually, but not always, the same jurisdiction as the home country of the Data Subject).  The United States may not have the same legal protections regarding PII.  However, Emptor is committed to the protection of personal data and employs state of the art security, including state of the art encryption when data is transferred and stored, to ensure that any data gathered, processed, and remitted to Emptor’s Client and/or the Data Subject, is protected.

 

Emptor provides security solutions to its Clients by processing PII for the purpose of Background Checks, Identification Verification, Vehicle Verification, Know Your Client, and Anti-Money Laundering.  The background check and identification verification may contain information about the Data Subject concerning character, general reputation, personal characteristics, and criminal records.  The types of information that may be ordered include but are not limited to, national identification number verification, criminal, public, educational, and as appropriate, driving records checks, verification of prior employment, reference, licensing and certification checks, credit reports, and drug testing results.

 

The Data Subject authorizes Emptor, as well as any necessary third party identification verification and background check service provider, to order and undertake the compilation of a background report.  The Data Subject further authorizes the following agencies and entities to disclose to Emptor, and its agents and third party service providers, all information about or concerning the Data Subject, including but not limited to, the Data Subject’s past or present employers; learning institutions (including colleges or universities); any and all relevant law enforcement and other federal, state and local agencies; any and all relevant federal, state, and local courts; the military; credit bureaus; testing facilities; motor vehicle records agencies; all other private and public sector repositories of information; and any other person, organization, or agency with any relevant information about or concerning the fitness of the Data Subject for the position which Data Subject has applied.  Information that can be disclosed to Emptor may also include, but is not limited to, information concerning the employment history, earnings history, education, credit history, motor vehicle history, criminal history, military service, professional credentials, as well as any licenses, or substance abuse testing of the Data Subject.  

 

 

 

Emptor Data Processing Commitment to Data Security

 

  1. Processing of Personal Data

    1. Emptor shall comply with all applicable Data Protection Laws in the Processing of Client Data.  Furthermore, Emptor shall not Process Client Data other than on the relevant Controller’s documented instructions.  The Controller shall instruct the Processor to process its Data.

  2. Emptor Personnel

    1. Emptor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Client or Data Subject Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Data, as strictly necessary for the purposes for which the Data is given, and to comply with Applicable Laws in the context of that individual’s duties to Emptor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  3. Security

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Emptor shall, in relation to the Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.  This includes, as appropriate:

      1. The pseudonymisation and encryption of personal data;

      2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

      3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

      4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

    2. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

  4. Subprocessing

    1. For Quality Control and testing purposes, Emptor from time to time engages subprocessors in order to measure performance and ensure the quality of services.  At all times during this testing and engagement of subprocessors, Emptor ensures the security of the information being used.

  5. Data Subject Rights

    1. Taking into account the nature of the Processing, Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller obligations, as reasonable understood by the Controller, to respond to requests to exercise Data Subject Rights under the relevant Data Protection Laws.

    2. Processor shall:

      1. Promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data, and;

      2. Ensure that it does not respond to that request except on the documented instructions of Controller, or as required by the relevant applicable laws to which Processor is subject, in which case Processor shall to the extent permitted by the relevant applicable laws inform Controller of that legal requirement before any Contracted Processor responds to the request.

    3. Client acknowledges and agrees that Data Subject has various rights with respect to how their information is processed.  These rights include, but are not limited to, rights of access, rectification, cancellation, and opposition.  For any inquiries regarding the exercise of such rights or information regarding the processing of the Subject’s data, Client, as point of contact, shall forward to Company the Data Subject’s inquiries.  Such inquiries shall be submitted to info@emptor.io.   These rights are defined as follows:

      1. Right to Access – The Data Subject has the right to access, free of charge, their personal data that is being handled by Emptor, as well  as the source of the data.

      2. Right to Rectification – The Data Subject has the right to request and obtain free of charge the rectification of inaccurate or incomplete personal data handled by Emptor.  It should be noted that this is only the data in Emptor’s possession or use.  If the problematic information is held elsewhere (e.g. a public database from which the information was gathered), rectification will need to be requested through the manager of the external database or information registry.

      3. Right to Cancellation – The Data Subject has the right to request and obtain, free of charge, the cancellation of the processing of their personal data at any time and for any reason.

      4. Right to Opposition –  The Data Subject has the right to inform Emptor that their personal data not be subject to a specific treatment.

  6. Personal Data Breach

    1. Emptor must notify Controller without undue delay upon Emptor becoming aware of a Personal Data Breach affecting Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under any and all relevant and applicable Data Protection Laws.

    2. Emptor shall cooperate with the Controller and take reasonable commercial steps as directed by Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

  7. Data Protection Impact Assessment and Prior Consultation

    1. Emptor engages in, and shall provide reasonable assistance to the Controller with, any data protection impact assessments and prior consultations with Supervising Authorities or other competent data privacy authorities, which is  required or considered reasonably necessary by any relevant and applicable Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

  8. Deletion or return of Client Personal Data

    1. Subject to this section 8, Emptor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Client Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of Personal Data.

    2. Emptor provides written certification to Controller that it has fully complied with this Section 8 within 10 business days of the “Cessation Date”.

  9. Data Transfer

    1. Emptor may not transfer or authorize the transfer of Data to countries or territories not otherwise required for the Processing of its data without the prior written consent of the Controller.  Both Emptor and the Controller are required by contract to commit to ensure that personal data is adequately protected in any given transfer, using industry best practices.

  10. Confidentiality

    1. All personal data collected and processed by Emptor maintains the utmost confidentiality.  It is not shared with anyone who is not legally bound by confidentiality and is not transferred to anyone, internally or externally, who is not essential to the provision of Emptor’s services. (See item (2) of this section).

 

 

 

Use of Emptor’s Dashboard or Services by Data Subject

 

Data Subject, by consenting to Emptor’s use of their information, also commits to the lawful use of Emptor’s dashboard.  Any authorized access to or use of Emptor’s dashboard or website by Data Subject will be subject to legal ramifications.