EU-U.S. AND SWISS-U.S. PRIVACY SHIELD POLICY

Last revised: April 7, 2023

Scherzer International Corporation (SI) subscribes to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively “Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data (“PD”) of a natural person transferred from the European Union (EU), the United Kingdom, and Switzerland to the United States, respectively. SI adheres to the Privacy Shield principles, including any supplemental principles (collectively the “Privacy Shield Principles”) issued by the Department of Commerce, and has certified to the department that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program and to view our certification, please visit https://www.privacyshield.gov/.

Notice

SI includes a link to this privacy policy (or to our general privacy policy, which includes a link to this privacy policy) when individuals are first asked to provide PD to SI or as soon after that as is practicable, but in any event, before SI discloses it for the first time to a third party. Disclosure of PD is made only as necessary in connection with performing our background search services which include searching public records either manually or through contracted databases, internet searches, and contacting sources provided by the subject (collectively “Search Services). SI may disclose PD to our reasonably vetted agents, who, for example, may conduct court record searches at our direction or to an educational institution, professional licensing body, or other entities acting as record keepers. SI does not use PD for a purpose that is materially different from the purpose for which it was initially collected or authorized by the individual.

In most situations, SI clients provide a written disclosure and authorization (collectively the “Consent”) to individuals subject to the Search Services for a Purpose-Specific Background Check (as defined below). (Clients are responsible for providing all legally required notices, obtaining all legally required authorizations, and ensuring that the notices and authorizations are consistent with the client’s policies and comply with applicable laws.) By reviewing and completing the Consent, individuals expressly agree to the use of their PD and consent to SI’s use of that information under this privacy policy. If the individual opts out or revokes the Consent, the PD will be deleted unless its retention is required by law or sound business judgment.

If Consent cannot be obtained, the Search Service may be performed when a client has a legitimate interest in obtaining the individual’s PD or needs the PD to perform a contract; provided, however, that the client gives notice to the individual of the client’s intention to process the data. Notice can be given in several different ways, including directly to the individual, in an engagement letter or similar document, or by publication on the website. The way the client gives notice is their decision.

SI collects PD in connection with its Search Services only as requested by its clients for a Purpose-specific Background Check such as business transaction due diligence; employment background screening; evaluation of accounting firm engagement acceptance or continuation; corporate governance; and regulatory compliance. Examples of PD collected include identification data; educational and professional licensing credentials; employment information; driving records; criminal records; sex offender registry records; civil litigation; tax lien; judgment; UCC and bankruptcy or insolvency filings; credit history; officer affiliations; public company directorships; securities law violations; industry-specific regulatory and disciplinary actions; various global lists that identify high-risk individuals or politically exposed persons and parties subject to economic sanction programs administered by the Office of Foreign Assets Control; parties excluded from federal procurement and non-procurement programs; and media sources information.

We must disclose PD in response to lawful requests by public authorities and to meet national security or law enforcement requirements.

As provided under the Privacy Shield, in cases where SI discloses public records or publicly available information from the EU without combining that information with non-public information, its general policies regarding Notice, Choice, and Accountability (as noted below) for Onward Transfer may not apply.

Choice

The individual is provided with a choice—no PD is processed without the individual’s Consent. As noted above, we do not use PD for a purpose that is materially different from the purpose for which it was originally collected or authorized by the individual. Sensitive information, such as PD specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual, or information designated by the transferring organization as sensitive, is rarely processed, but in instances that may necessitate the processing of such information, SI will provide individuals the opportunity to affirmatively and explicitly opt-in through reasonable mechanisms.

Accountability for Onward Transfer

When transferring PD to a controller – defined as a person or organization which, alone or jointly with others, determines the purposes and means of the processing of the PD (the “Controller”) – or to agents acting on our behalf who are typically retained by SI to perform a part of our Search Services, such as manually searching court records (the “Sub-Processors”), the above Notice and Choice principles apply. SI enters into contracts with such Controllers and Sub-Processors, as applicable, to ensure compliance with the Privacy Shield. For Controllers, the contract terms include provisions that (i) PD may only be processed for limited and specified purposes consistent with the individual’s Consent; (ii) the Controller will provide at least the same level of protection as required by the Privacy Shield Principles; and (iii) the Controller will notify us if it makes a determination that it can no longer meet its obligations; and (iv) when such a determination is made, will cease processing or take other reasonable and appropriate remedial measures to cure the deficiency. In connection with a transfer of PD to a Sub-Processor, the contract terms are materially similar to those of a Controller, with the additional provision that the Sub-Processor will take reasonable and appropriate steps to ensure that it effectively processes the PD transferred in a manner consistent with SI’s obligations under the principles.

In the context of an onward transfer, SI has the responsibility for the processing of the PD it receives under the Privacy Shield and subsequently transfers to a Sub-processor. SI shall remain liable under the Privacy Shield Principles if its Sub-Processor processes such PD in a manner inconsistent with the Privacy Shield principles unless SI proves that it is not responsible for the event giving rise to the damage.

Security

SI has a formal risk management program, which includes reasonable administrative, technical, physical, and managerial procedures and measures to protect PD from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing of and the nature of the PD.

Data Integrity and Purpose Limitation

SI limits the PD it collects to information that is relevant and necessary for the purposes of processing and does not process PD in a way that is incompatible with the purposes for which it has been collected or authorized by the subject. SI takes reasonable steps to ensure that the PD is reliable, accurate, complete, and current. SI will adhere to the Privacy Shield principles for as long as it retains the PD transferred in reliance on the Privacy Shield.

SI takes reasonable and appropriate measures to retain PD only for as long as there is a legitimate legal or business need, which may include needs that reasonably serve compliance and legal considerations, auditing, security, and fraud prevention, preserving or defending SI’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.

Access

SI provides access to PD to the individual about whom it has information and will correct, amend, or delete that information where it is inaccurate or has been processed in violation of the Privacy Shield Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of persons other than the individual would be violated.

Recourse, Enforcement, and Liability

In compliance with the Privacy Shield principles, SI commits to resolving complaints about our collection or use of your PD. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Joann Gold, Executive Vice President and Chief Compliance Officer at 818-227-2571 or via email at jgold@scherzer.com or by postal mail at Scherzer International Corporation, 21650 Oxnard Street, Suite 300, Woodland Hills, CA 91367.

SI has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive a timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please visit https://www.jamsadr.com/eu-us-privacy-shield. The services of JAMS are provided at no cost to you.

Under certain conditions, binding arbitration for complaints regarding SI’s Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms may be invoked. For further information, visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

As noted in the onward transfer principle, in the context of such a transfer, SI is responsible for processing PD it receives under the Privacy Shield and subsequently transfers to a Sub-Processor. SI shall remain liable under the principle if its Sub-Processor processes such PD in a manner inconsistent with the Privacy Shield Principles unless SI proves that it is not responsible for the event giving rise to the damage.

The Federal Trade Commission (FTC) has jurisdiction over SI’s compliance with the Privacy Shield—SI is subject to its investigatory and enforcement powers. If SI should become subject to an FTC or court order based on non-compliance, SI shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC to the extent consistent with confidentiality requirements.

As noted previously, SI has a formal risk management program and shall monitor its compliance with this Privacy Shield policy internally.