EMPTOR, INC. LEGAL COMPLIANCE PRINCIPLES

General Statement of Legal Compliance

Emptor, Inc. is a company incorporated under the laws of the United States, and provides services in Central and South America.  Emptor, Inc.’s markets include, but are not limited to, Mexico, Peru, Colombia, Costa Rica, Ecuador, Chile, and Brazil.  In order to ensure compliance to the greatest extent practicable, Emptor Inc. endeavors to adhere to the strict ISO 27001 standards, and implements many policies regarding safety and practices during the collection and processing of client and data subject information.  

Any acute difference between Emptor Inc.’s policies and practices and data processing and protection laws within the Country in which Emptor, Inc. is providing services are accounted for and reflected in the   contracts between Emptor, Inc. and the client in the aforementioned Country. Furthermore, as an employer and contractor of individuals in each of the markets in which Emptor Inc. operates, we are aware of the legal constraints regarding the rights and responsibilities of workers and employers in each of these jurisdictions.  Emptor Inc. monitors updates regarding worker and data subject rights in these jurisdictions to ensure the safe exchange of information, as well as compliance with any and all applicable laws.

Emptor, Inc. does not engage in any secondary market, accumulating client and data subject information for sale to third parties.  Client data is only used for the explicit purpose of performing a background check or identification verification.  Once client and data subject information is transferred to Emptor for processing, it is returned to the client and data subject and summarily deleted from Emptor, Inc.’s databases using industry best practices either at the termination of the Emptor-Client contractual relationship with a data deletion request or upon client’s request.  

Data Acquisition and Use

Web scraping and information accumulation is the actual service that Emptor performs. The information that we pull is from publicly available sources and is not otherwise confidential. Furthermore, the information is pulled from formal sites run by the respective government of the markets we are serving or other public institutions. The manner in which Emptor accumulates and uses information is more akin to publishing news from public sources than disseminating confidential information. It is the responsibility of the client and potential employer (hereinafter, the “Client”) to receive consent from the data subject to whom the personally identifiable information corresponds (hereinafter, the “Data Subject”) to have this information conveyed by Emptor – the guarantee of which is required in our contracts.  Emptor requires as a contractual condition to engage in business with any client that the client warrants that the data subject has affirmatively consented to giving and using its data, and that the data subject is aware of the purpose for which it’s information will be used.  Furthermore, the client itself is vetted by Emptor to ensure that Emptor’s services are not used for illicit or illegal purposes.

Data Accumulated for the Performance of Emptor Services

The sources used by Emptor for the performance of its services are all from databases made available to the public from government or government backed sources.  Any and all data accumulated by Emptor for the purpose of rendering its services is provisioned for use by the general public, and used in a manner that is compliant with any and all use regulations.

Data Processing

In order to safeguard the fairness and integrity of evaluation and profiling pipelines, we take a number of steps to limit the scope of data processing to those needed to fulfill the profiling’s stated purpose. We carry out processing only to the extent and the purpose indicated by Emptor and the client, and authorized by the initial data subjects. We employ a set of automated and manual means to ensure that an automated decision can be reviewed by a human with expertise on the record and legal context. All automated processes will be reviewed by a human reviewer in cases where profiling may have legal or similarly significant effects. If information that is not personally identifiable is included in the process, Emptor ensures to take reasonable steps to confirm the accuracy and relevance of the information to the extent possible in a legal and data context.

Emptor’s Legal Responsibilities

Under the law of the United States, Emptor is classified as a Consumer Reporting Agency under the Fair Credit Reporting Act (FCRA).  As such, Emptor is a third party service provider that aids clients with services such as background checks that aid in general hires, as well as know-your-client and anti-money laundering.  As a third party service provider of these background checks, Emptor’s independent compliance with federal and state laws will primarily concern client and subject data protection, as well as accuracy and completeness of information.  These responsibilities include, but are not limited to; ensuring client warranties for permissible use purpose from data subjects for the gathering of information and  re-investigating inaccuracies and processing disputes.

Client’s Legal Responsibilities

Ultimately, the parameters of the background checks and hiring decisions are made by the client company, which will be responsible for complying with regulations regarding the conditions of employment.  Clients may not be subject to the FCRA as foreign entities, though similar responsibilities are likely to attach through local regulations.  As such, Emptor provides its services in a manner that is compliant with, but is not responsible for a client’s compliance with, any applicable laws of the Country in which Emptor, Inc. is providing services, unless the client company gives Emptor parameters for background check pass conditions that are in violation of such laws in which case Emptor will refuse to perform background checks in such a manner.  Engaging in Emptor’s services is no guarantee of a client’s compliance with the laws of the jurisdiction in which the client is operating, which is the sole responsibility of the client.  Ultimate decisions of employment, and the legal compliance of the manner in which such decisions are made, are ultimately the responsibility and liability of the hiring company.  This information should not be construed as independent legal advice, and Clients should seek independent legal counsel regarding their obligations under domestic laws.

Mexico Specific Considerations

While Emptor’s operations comply with the laws and regulations of every market in which we operate, within the context of Mexican Law, the relevant laws to which Emptor is subject include but are not limited to; Ley Federal de Protección de Datos Personales en Posesión de los Particulares, Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares, and Lineamientos del Aviso de Privacidad. Despite the fact that the information is taken from public sources, the Data Subject still has a reasonable expectation of privacy to their information. The Data Subject’s information is restricted to limited use, is maintained in secured servers for the duration that the information is processed, and is only exchanged between the client and Emptor with the consent of the Data Subject. Therefore, to the best of our knowledge, the services that Emptor provides are compliant with any and all applicable laws and regulations. 

Under the Mexican Law, in connection with the Data Subject’s rights to access, rectify, cancel or oppose to the treatment of its PII, (hereinafter, the “ARCO Rights”), the Client is classified as a “Data Controller”, and must comply with the legal responsibilities inherent to that categorization. Emptor is legally classified as a “Data Processor”, and as such must comply with the following: 

• To process personal data in accordance with the Data Controller’s instructions; 

• To refrain from processing personal data for purposes other than those permitted by the Data Controller; 

• To implement appropriate security measures to protect personal data; 

• To keep confidentiality in respect of the personal data processed;

• To delete personal data upon the request of the Data Controller or when the relationship with the Data Controller is terminated, and; 

• To refrain from transferring personal data unless the Data Controller has determined otherwise, the communication arises from a subcontract or due to a requirement from a competent authority. 

While Emptor is beholden to the ARCO regulations, Emptor generally does not accumulate and maintain a database of PII in the manner that ARCO considers. Regardless, in the event that Client needs Emptor to provide any Data Subject the rights of access, cancellation, and/or opposition regarding any Data Subject’s PII in Emptor’s possession, Client must submit such request, on Data Subject’s behalf and with the consent of the Data Subject, in writing to privacidad.mx@www.emptor.io. Such request must include: 

• Full name of the Data Subject, a scan or photocopy of official identification, and a notarized letter or power of attorney (in the case of appearing on behalf of a third party) 

• A valid email address to receive a response; 

• The information the Data Subject wishes to access, cancel or oppose, including the file number, court and state to which it refers, if the Data Subject were a party to a trial;

• In the case that there are several files contemplated in the request, all the PII referring to each of the files to which the request refers must be specified; 

• Emptor, for reasons of homonymy, will not assume that someone is the owner of a file that is not specified in the application, even if the name of the Data Subject is the same as one of the parties in a certain trial or report. 

Emptor will respond as soon as is practicable. It should be noted that petitioning any Data Controller or Processor under ARCO rights will only compel rectifying information held by such parties. Emptor cannot rectify information found on public databases, including those from which information is gathered. Therefore, to do so, the Client should instruct the Data Subject to petition whatever public institution or company responsible for maintaining the database that stores the information the Data Subject wishes to amend.