EU-U.S. Data Privacy Framework Policy

Weil Technology North America LLC, hereafter referred to as WE-NA, complies with the EU-U.S. Data Privacy Framework (DPF) as set forth by the U.S. Department of Commerce and the European Commission regarding the collection, use, and retention of Personal Information received from the European Economic Area (EEA) member countries. WE-NA has certified that it adheres to the DPF Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability.

To learn more about the DPF, and to view WE-NA’s certification, please visit https://www.dataprivacyframework.gov/

This DPF Policy describes the collection and use of Personal Information.

WE-NA’s collection, use, and disclosure of Personal Information is managed in a manner consistent with the laws of the countries in which it does business; WE-NA also has a tradition of upholding the highest ethical standards in its business practices. This DPF Policy sets forth the privacy principles that WE-NA follows with respect to the protection and transfers of Personal Information from the European Economic Area (EEA) [which includes the member states of the European Union (EU) plus Iceland, Liechtenstein, and Norway] to the United States.

WE-NA periodically reviews its privacy policies and practices; accordingly they may be subject to change. In order to ensure familiarity with the most current version of this policy, we encourage periodic review by our website users.

The Data Privacy Framework

The DPF was developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for Personal Information transfers to the United States from the European Union / European Economic Area that are consistent with EU law. The DPF is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce. The DPF enables the transfer of EU Personal Information to participating organizations consistent with EU law. Organizations participating in the DPF may receive Personal Information from the EU / EEA if they self-certify to the ITA and publicly commit to comply with the DPF Principles. Consistent with its commitment to protect personal privacy, WE-NA adheres to the principles set forth in the EU-U.S. DPF.

Scope

This DPF Policy applies to all Personal Information received by WE-NA in the United States from the EEA, in any format, including electronic, paper, or verbal. This policy applies to all Personal Information WE-NA handles (except as noted below), including on-line, off-line, and manually processed data.

Definitions

For purposes of this DPF Policy, the following definitions shall apply:

“Data subject” means an individual who is the subject of Personal Information.

“Personal Information” or “Personally Identifiable Information” refers to all personal information concerning an identified or identifiable individual, including all expressions of opinion concerning the individual and all intentions of the data controller, or any person, in respect of the individual. Personal Information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public Personal Information.

“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, views or activities that concern health or sex life, marital status, information about social security benefits, or information on criminal or administrative proceedings and sanctions other than in the context of pending proceedings. In addition, WE-NA will treat as sensitive Personal Information any information received from a third party where that third party treats and identifies the information as sensitive.

“Data controller” means a person or organization who (either alone or jointly or in common with other persons or organizations) determines the purposes for which and the manner in which any Personal Information are, or are to be, processed.

“Data processor” means any third party that collects or uses Personal Information under the instructions of, and solely for, the data controller, or to which Personal Information is being disclosed on behalf of the data controller. With regard to the Personal Information received from the European Economic Area (EEA) member countries, WE-NA acts as data controller and, in particular cases based on further contractual arrangements, also as a data processor.

Privacy Principles

The following privacy principles are based on the DPF Framework.

Notice

If WE-NA collects Personal Information directly from individuals in the EEA, it will inform them about

• the purposes for which it collects and uses Personal Information about them,

• the type or identity of third parties to which WE-NA discloses Personal Information, and the purposes for which it does so,

• the fact that WE-NA is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC),

• the possibility, under certain conditions, for the individual to invoke binding arbitration,

• how to contact WE-NA to make a subject access request.

This notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to WE-NA, or as soon as practicable thereafter, and in any event before WE-NA uses or discloses the information for a purpose other than that for which it was originally collected or discloses information to a third party.

WE-NA may receive Personal Information of employees of Weil Technology GmbH and affiliates residing in the EEA (“EEA Employees”) for human resources purposes such as temporary work contracts, visa applications and other human resources purposes as are generally undertaken by organizations employing individuals. WE-NA will not, without obtaining the EEA Employee’s prior express consent, use such information for any purpose other than human resources purposes unless the EEA Employees have already consented to such use.

WE-NA collects Personal Information on its website which is technically required or is used for monitoring purposes. Beyond that, it collects Personal Information from website visitors on a voluntary basis for the purpose of providing downloads, product information and newsletters. With respect to this category of Personal Information, WE-NA has created a specific Privacy Notice governing the treatment of Personal Information collected through websites that it operates.

Where WE-NA receives Personal Information from its parent organizations, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such Personal Information relates.

Purposes

Personal data that have been provided to WE-NA when establishing a business relationship (for example, contact details on a customer’s business card) will be stored by WE-NA and used for the purpose of developing the business relationship.

WE-NA will process the contact data of its business partners insofar as this is necessary for the fulfilment of a contract to which the business partner is a contracting party or for the implementation of pre-contractual measures that have been taken at your request. If individuals are a contact person of a WE-NA business partner, WE-NA will process the professional contact details for establishing contact and customer communication.

WE-NA uses the telephone numbers of its business partners to contact them by telephone as part of its customer acquisition activities. WE-NA uses the business partners’ address information to send them written information, seasonal mailings (for example, Christmas greetings) or birthday greetings. If WE-NA has obtained the customer’s email address in connection with the sale of goods or services, WE-NA may use it for direct marketing of its own other similar goods or services. Business partners have the right to object to the use of their personal data for these purposes. WE-NA will clearly inform its business partners of their right to object when their e-mail addresses are collected and whenever they are used.

Choice

WE-NA is transparent about the purposes for which it collects and processes Personal Information and gives individuals appropriate privacy notices when collecting their Personal Information. WE-NA will provide data subjects with an easy mechanism to choose:

• whether Personal Information is to be disclosed to a third party,

• whether Personal Information is to be used for a purpose that is incompatible with the purpose or purposes for which it was originally collected,

• how usage and disclosure of Personal Information can be limited.

Data subjects provide their Personal Information on a voluntary basis. Should an individual not consent, or wish to revoke consent, to a particular processing activity, the individual can inform WE-NA’s data protection official at any time, so that WE-NA can specifically exempt that information from processing accordingly. If sensitive Personal Information is involved in the processing, WE-NA will provide explicit choice with respect to this data.

Onward Transfer

In individual cases, WE-NA will pass on contact details to subcontractors in the U.S. if this is necessary for the preparation of cost estimates or the calculation of quotations for externally produced parts of the overall order. WE-NA and the Weil Technology Group have split customer care into sales regions. If one of the regional sales partners or subsidiaries is responsible for answering your enquiry or carrying out pre-contractual or contractual measures, WE-NA will pass on your contact details to the respective regional sales partner.

In order to process your request, it may be necessary to transfer personal data to the parent company and/or sister companies in the European Union.

WE-NA will not disclose an individual’s Personal Information to third parties except when one or more of the following conditions apply:

• The data subject has given his consent to the transfer

• The transfer is necessary for the performance of a contract between the data subject and WE-NA, or for the taking of steps at the request of the data subject with a view to his entering into a contract with WE-NA

• The transfer is necessary for the conclusion of a contract between WE-NA and a person other than the data subject which is entered into at the request of the data subject, or is in the interest of the data subject, or for the performance of such a contract

• The transfer is necessary for reason of substantial public interest.

• The transfer is necessary for the purpose of, or in connection with, any legal proceeding, is necessary for the purpose of obtaining legal advice, or is otherwise necessary for the purpose of establishing, exercising or defending legal rights

• The disclosure is required by means of a court order, if the transfer will assist with the legal or criminal investigations and/or prosecution or if WE-NA is otherwise legally bound to do so.

• The information in question is publicly available.

If Personal Information is disclosed to a third party, WE-NA will apply the choice and notice principles. WE-NA ascertains that third parties who receive such Personal Information (acting as a data processor) adhere to technical and organizational measures that provide for the same level of protection as is available under the EU-U.S. DPF, or are subject to the EU General Data Protection Regulation (EU-GDPR) or another adequacy finding, or enter into a written agreement with WE-NA based on the EU Standard Contractual Clauses. Unless WE-NA proves that it is not responsible for the event giving rise to the damage, it shall remain liable under the Principles if one of the data processors so chosen processes the Personal Information received in a manner which is inconsistent with the Principles.

Security

WE-NA will take reasonable precautions and has put in place technical and organizational measures to protect Personal Information in its possession from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Data Integrity, purpose limitation and retention

WE-NA processes personal information only if it has legitimate grounds for collecting and using the Personal Information and if this is relevant for the purposes of processing. Personal Information will not be used in ways that have unjustified adverse effects on the individual concerned or are incompatible with the purposes for which they have been collected or subsequently authorized by the individual. To the extent necessary for those purposes, WE-NA takes reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current. Personal Information will not be kept for longer than is necessary for the specified purposes.

Access

Data subjects have the right of access to the Personal Information WE-NA holds about them and are entitled to have their information corrected, amended, or deleted where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, where the rights of persons other than the data subject would be involved, or as otherwise permitted by the DPF.

If individuals have questions which have not been covered in this document, or would like to have more detailed information on a particular subject, or would like to make a subject access request concerning their Personal Information (e.g. reasons for storage, origin, recipients, etc.), they may contact WE-NA’s data protection official. The individual will need to provide sufficient identifying information, such as name, address and birth date; WE-NA may request additional identifying information as a security precaution. In some circumstances, WE-NA may charge a reasonable fee, where warranted, for access to the Personal Information owned by the individual requesting access.

Enforcement and recourse

WE-NA utilizes the self-assessment approach to assure its compliance with this privacy policy and will periodically conduct compliance audits of its relevant privacy practices to verify adherence to this policy. WE-NA ensures that this policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the DPF Principles.

Any employee who is in violation of this policy or other company privacy policies will be subject to disciplinary action up to and including termination of employment.

WE-NA encourages anyone who has a complaint, wishes to make a Subject Access Request, or wishes to invoke arbitration, to contact WE-NA.

Subject access request and further information
Your trust is important to us and WE-NA will gladly answer any questions you have concerning the processing of Personal Information. If you have questions which have not been covered in this document, if you would like to have more detailed information on a particular subject, or if you would like to make a Subject Access Request concerning your Personal Information (for example, reasons for storage, origin, recipients, etc.) please do not hesitate to contact our external Group Data Protection Officer (DPO).

Arbitration
WE-NA encourages interested parties to raise any concerns they may have and to contact us. WE-NA will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in this policy. For complaints that cannot be resolved between WE-NA and the complainant, WE-NA has chosen the EU Data Protection Authorities (EU DPAs) to serve as an independent recourse mechanism (IRM) for dispute resolution arising from collection, use, and retention of Personal Information transferred from EU Member States to the United States. The EU DPAs will investigate and resolve each individual’s complaint and dispute by reference to the Principles and will award damages where the applicable law or private sector initiatives so provide.

Before initiating arbitration, we ask the complainant to take the following steps:

(1) Individuals are asked to raise the claimed violation directly with our DPO first. Our DPO will attempt to resolve the issue within 45 days of receiving the complaint.

(2) If the issue cannot be resolved by our DPO, the individual may make use of the IRM provided by the EU DPAs at no cost to the individual.

A list of contact details of the EU DPAs can be found on this website:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

A list of contact details of the German Regional Supervisory Authorities can be found on this website:
https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html

Contact details of the WE-NA external Group Data Protection Officer
Please use these contact details to get in touch with our external DPO:
OBSECOM GmbH
Mr. Florian Wuttke
Königstrasse 40
70173 Stuttgart
Germany
Telephone: +49 711 4605025-42
Fax: +49 711 4605025-49
E-Mail: datenschutz@obsecom.de
E-Mail: datenschutz@weil-technology.com
Website: https://www.obsecom.eu

Limitation on Application of Principles

Adherence by WE-NA to these DPF Principles may be limited

• to the extent required to respond to a legal obligation;

• to the extent necessary to meet national security, public interest or law enforcement obligations; and

• to the extent expressly permitted by an applicable law, rule or regulation.

Internet Privacy

WE-NA sees the Internet and the use of other technologies as valuable tools to communicate and interact with business partners and others. However, WE-NA cannot guarantee the security of information on, or transmitted via the Internet. WE-NA recognizes the importance of maintaining the privacy of information collected online and has created a specific Internet Privacy Policy governing the treatment of Personal Information collected through websites that it operates with respect to Personal Information that is transferred from the European Economic Area to the U.S. The Internet Privacy Policy is subordinate to this DPF Privacy Policy.

Children’s Online Privacy Protection Act

Our Services are not designed to attract children under the age of 13. WE-NA does not knowingly solicit or collect personally identifiable information online from children under the age of 13. If WE-NA learns that a child under the age of 13 has submitted personally identifiable information online, we will take all reasonable measures to delete such information from our databases and to not use such information for any purpose (except where necessary to protect the safety of the child or others as required or allowed by law). If you become aware of any personally identifiable information we have collected from children under 13, please contact our data protection official.