Last reviewed: October 3, 2022
(Including Statement of Compliance with the Data Privacy Framework Program)
This Policy is the sole authorized statement of Scherzer International Corporation’s practices with respect to its online and offline collection of personally identifiable information (“PII”) and the usage of such information. Any summary of this Policy generated by third-party software or otherwise (for example, in connection with the “Platform for Privacy Preferences” or “P3P”) shall have no legal effect, is in no way binding upon Scherzer International Corporation, shall not be relied upon in substitute for this Policy, and neither supersede nor modify this Policy.
This Policy applies to both our online and offline information-gathering and dissemination practices in the United States, where we operate exclusively. If we have a need to obtain information from sources outside the United States, we access the sources from within the United States, or contract with trusted independent third parties to obtain the information.
SI reviews its privacy practices on a regular basis, and those practices are subject to change. We ask that you periodically review this page to ensure continuing familiarity with the most current version of the Policy. You can determine when this Policy was last revised by checking the “Last Revised” legend at the top. To contact SI about privacy issues, report a violation of the Policy, or raise any other issue, email us at email@example.com.
COMPLIANCE WITH LAWS AND REGULATIONS
SI is a leading provider of comprehensive background reports. Our distinct portfolio includes scalable purpose-specific reports for business transaction due diligence, client acceptance or continuation, employment, corporate governance, and regulatory compliance (collectively, the “Search Services”). A complete description of the Search Services is posted on our website.
SI provides its Search Services domestically and internationally and complies in all material respects with applicable federal, state, and local laws, regulations, and orders and any amendments thereto, including, without limitation, and to the extent applicable, the following:
- Fair Credit Reporting Act (the “FCRA”) (15 U.S.C. § 1681, et seq.)
- California Consumer Credit Reporting Agencies Act (California Civil Code § 1785, et seq.)
- Investigative Consumer Reporting Agencies Act (California Civil Code § 1786, et seq.)
- Gramm-Leach-Bliley Act (15 U.S.C. § 6801, et seq.)
- Driver Protection Privacy Act (18 U.S.C. § 2721, et seq.)
- Health Insurance Portability and Accountability Act (42 U.S.C. § 1320d)
- Fair Information Practice Principles published by the United States Federal Trade Commission
- California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (“CPRA”) (California Civil Code § 1798.100, et seq.)
- European Union General Data Protection Regulation (GDPR)
- United Kingdom General Data Protection Regulation (UK-GDPR) and Data Protection Act of 2018 (DPA)
When the foregoing or other laws and regulations require that we observe privacy restrictions beyond those specifically stated in this Policy, we undertake our activities in compliance with their requirements, and, if the privacy restrictions conflict in any way with these provisions, we abide by the stricter requirements of the relevant laws, rules, and regulations.
PREPARATION AND PROCESSING OF CONSUMER REPORTS AND INVESTIGATIVE CONSUMER REPORTS
SI performs Search Services that constitute consumer reports and investigative consumer reports in accordance with the Fair Credit Reporting Act (the “FCRA”) and analogous state and local laws. In connection with these reports, under the FCRA, SI is defined as a consumer reporting agency (“CRA”). In California, SI is considered an Investigative Consumer Reporting Agency (“ICRA”) and has obligations under the California Investigative Consumer Reporting Agencies Act (the “ICRAA”), which is broader in scope than the federal FCRA. SI maintains policies and procedures designed to limit the purposes for, and circumstances under which, it furnishes such reports. SI requires that prospective users of the information identify themselves, certify the purposes for which the report is sought, and that the information will be used for no other purpose, and in compliance with applicable laws and regulations. We perform due diligence on all prospective users (and audit thereafter) and the purpose certified by such users prior to furnishing a consumer report. We will not furnish a consumer report to anyone if we have reasonable grounds for believing that the report will not be used for a purpose listed in FCRA section 604. You can review the Consumer Financial Protection Bureau’s notice of legal obligations to users of consumer reports here.
SI follows reasonable procedures to ensure the maximum possible accuracy of the report’s information regarding the subject (consumer) and conducts reinvestigations of disputed information at the consumer’s request. SI provides consumers with means, upon proper identification, to request access to information that we have collected about them. Any consumer may exercise their right to inspect any data about themselves and to dispute any information pursuant to the FCRA and applicable state law.
If you wish to dispute information that SI provided in a consumer report, obtain a copy of the report or view your file, please contact AJ Lawler by phone at 800-383-4336, via email at firstname.lastname@example.org or by postal mail at Scherzer International, 21650 Oxnard Street, Suite 300, Woodland Hills, CA 91367.
A summary of your rights under the FCRA can be found here. California Civil Code §1786.22 provides you additional rights, which can be accessed here in English followed by its Spanish translation.
FACT ACT DISCLOSURE
The FACT Act of 2003 that amended the FCRA allows a consumer to obtain a free copy of their consumer file from certain consumer reporting agencies once during a 12-month period. The free annual file disclosure under FCRA § 609(g) is defined as: “…all of the information on [you] recorded and retained by a consumer reporting agency regardless of how the information is stored, at the time of [your] request” and is provided pursuant to the Free Annual File Disclosure Rule, 16 C.F.R. Part 610, as follows:
- Once in a 12-month period from national specialty consumer reporting agencies.
- Within 60 days of receiving an adverse action notification.
- Upon providing written certification that the consumer is unemployed and intends to apply for employment within 60 days.
- Upon providing written certification that the consumer is a recipient of public welfare assistance.
- Upon providing written certification that the consumer has reason to believe that the file contains inaccurate information due to fraud.
SI is not a nationwide consumer reporting agency or a nationwide specialty consumer reporting agency, as defined by §§ 603(p) and 603(w) of the FCRA, 15 U.S.C. 1681a(p) and (w), respectively. SI does not create or maintain commercial databases on consumers.
Even if none of the above situations apply, if we prepared a consumer report on you and you would like to obtain a free copy of your consumer file, contact AJ Lawler by phone at 800-383-4336, via email at email@example.com or by postal mail at: Scherzer International, 21650 Oxnard Street, Suite 300, Woodland Hills, CA 91367. As indicated above, to protect your personal information, we require that you provide certain identification before we release any information.
PERSONAL INFORMATION DISCLOSURE: UNITED STATES OR OVERSEAS
SI is a United States company with no foreign offices or “offshoring” of operations. SI prepares its reports based on information available in the United States. Even if a report requires information from a foreign country, SI will attempt to obtain the information through domestic means and sources. In instances that necessitate an in-country verification or research, SI obtains the information directly from the source or, if applicable, through research by a member of our established network of vetted contractors. Documentation or information such as passport numbers and dates of birth are not sent to anyone overseas other than the actual verification provider (e.g., school registrar) whenever possible and only as necessary to establish positive identification of records with the subject. SI takes reasonable measures to ensure that its handling of personal data on an international basis is safe and secure, which includes requiring its contractors to contractually agree that they will perform SI’s assignments in accordance with applicable laws and regulations and maintain appropriate safeguards with respect to the protection of data privacy and security and the corresponding rights of individuals.
DATA PRIVACY FRAMEWORK PROGRAM
GDPR AND PERSONAL DATA TRANSFERS FROM THE EUROPEAN UNION
The General Data Protection Regulation (GDPR), which became effective May 25, 2018, is designed to harmonize data privacy laws across the European Union (EU) and European Economic Area (EEA) to protect EEA individuals and empower them to control their personal data.
The GDPR applies to any company processing personal data in the EEA and to companies outside the EEA that are processing data of individuals located in the EEA, where the activities relate to the offering of goods or services. (Note: the EU is an economic and political union of 28 countries plus some of their territories. The EU countries are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. Territories following EU law are Aruba, Azores, Balearic Islands, Bonaire, Ceuta, Curacao, French Guiana, Gibraltar, Madeira, Martinique, Mayotte, Reunion, Saba, Sint Eustatius, Sint Maarten, Saint Barthélemy, Saint Helena, Saint Martin, and Saint Pierre & Miquelon. Countries that are EEA members but not a part of the EU are Iceland, Liechtenstein, and Norway. Switzerland is not an EU or EEA member but is part of the single market.)
As part of its formal risk management program, SI has performed an assessment of GDPR’s requirements and made the applicable technical, administrative, and documentation changes to meet its compliance obligations in all material respects. We have also posted a notice on our website (see https://scherzer.com/gdpr-notice/) that provides an overview of rights regarding your personal data if you are an individual located in the EEA.
UK-GDPR, DPA, AND PERSONAL DATA TRANSFERS FROM THE UNITED KINGDOM
The Data Protection Act (DPA) was passed in 2018 to implement the EU’s GDPR into United Kingdom (UK) law. The DPA was amended on January 1, 2021, by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU (commonly referred to as “Brexit”). In anticipation of Brexit, the UK enacted a new domestic data privacy law called the UK-GDPR that took effect on January 31, 2020, which alongside the DPA governs all processing of personal data from individuals located inside the UK. (Note: The UK is made up of England, Scotland, Wales, and Northern Ireland.) The UK-GDPR is heavily derived from the EU’s GDPR, and generally, the terms and core concepts used in the UK-GDPR have the same meaning as they do in the EU’s GDPR.
As part of its formal risk management program, SI has performed an assessment of the DPA and UK-GDPR’s requirements and made the applicable technical, administrative, and documentation changes to meet its compliance obligations in all material respects. We have also posted a Notice on our website (see https://scherzer.com/uk-gdpr-and-dpa-notice/) that provides an overview of rights regarding your personal data if you are an individual located in the UK.
The UK-GDPR also requires a reliable mechanism for personal data transfers from the UK to the US. As noted above regarding EEA data subjects, SI complies with the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data. SI will follow the same framework and principles regarding UK data subjects. For questions regarding the UK-GDPR, DPA, or the Data Privacy Framework Principles, send an email to firstname.lastname@example.org.
NOTICE OF INFORMATION WE COLLECT
SI collects PII (information from which an individual can be identified, such as full name, email address, physical address, Social Security number, and other data) that both individuals and entities choose to provide to us, only as permitted by law and necessary to perform our Search Services.
We collect some of this data through our password-protected, client-access-only portal. All such transactions are strictly between SI and its registered clients, whose legitimate need for the information and permissible purpose has been verified pursuant to section 607(a) of the FCRA, or for other purposes, as applicable.
We also collect information from our clients and others in the course of the Search Services that we provide, and by conducting research using the Internet and other resources.
We do not knowingly collect PII from children (minors younger than 18 years of age).
If Consent cannot be obtained, the Search Service may be performed when a client has a legitimate interest in obtaining the individual’s PII or needs the PII to perform a contract; provided, however, that the client gives notice to the individual of the client’s intention to process the data. Notice can be given in several different ways, including directly to the individual, in an engagement letter or similar document, or by publication on the website. The way the client gives notice is their decision.
SI collects PII in connection with its Search Services only as requested by its clients for a Purpose-specific Background Check such as business transaction due diligence; employment background screening; evaluation of accounting firm engagement acceptance or continuation; corporate governance; and regulatory compliance. Examples of PII collected include identification data; educational and professional licensing credentials; employment information; driving records; criminal records; sex offender registry records; civil litigation; tax lien; judgment; UCC and bankruptcy or insolvency filings; credit history; officer affiliations; public company directorships; securities law violations; industry-specific regulatory and disciplinary actions; various global lists that identify high-risk individuals or politically exposed persons and parties subject to economic sanction programs administered by the Office of Foreign Assets Control; parties excluded from federal procurement and non-procurement programs; and media sources information.
We must disclose PII in response to lawful requests by public authorities and to meet national security or law enforcement requirements.
As provided under the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, in cases where SI discloses public records or publicly available information from the EU without combining that information with non-public information, its general policies regarding Notice, Choice, and Accountability (as noted below) for Onward Transfer may not apply.
USE AND DISCLOSURE OF INFORMATION
We only use the information that we collect for the purposes for which it is provided and to enhance our Search Services, as follows.
- Performance of Search Services
We use information that has been provided to us by the client and/or we have collected concerning entities and individuals, pursuant to their authorizations, if applicable, to research or check their representations on applications / resumes and in other contexts relevant to the particular Search Services. Our collection process includes obtaining information from public or contracted (licensed) databases, court records, and other sources, as permitted by law. We retain reasonably vetted independent contractors or other third parties to obtain certain information for the client-requested Search Services, all of whom are contractually bound or have otherwise certified to us, among other terms, that they will protect all PII and use it only for the purpose for which the information was collected.
- Client Data
We collect information regarding our clients, including business contact information, and retain and use such information in providing our Search Services, or to periodically send informational or promotional emails concerning our Search Services. We do not sell the information to third parties.
- Other Uses of Information
SI does not actively solicit PII. Our Site options allow visitors to send us comments, resumes and other communications. We may keep a record of your contact information and correspondence and use any information in your message to respond to your inquiry. We keep all PII that you voluntarily provide as confidential. Our software development partners also may use such information for purposes of modifying, improving, refining and validating technology in connection with the research and development of our systems. For compliance and emergencies, and subject to applicable laws, we reserve the right to use and release any information that we have collected when we believe in good faith that: the law requires it; that unlawful activity may have taken place; to enforce our other policies or published guidelines; to protect the rights, property, safety or security of SI, our visitors or the public; or to respond to an emergency.
The individual is provided with a choice—no PII is processed without the individual’s Consent. As noted above, we do not use PII for a purpose that is materially different from the purpose for which it was originally collected or authorized by the individual. Sensitive information, such as PII specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual, or information designated by the transferring organization as sensitive, is rarely processed, but in instances that may necessitate the processing of such information, SI will provide individuals the opportunity to affirmatively and explicitly opt-in through reasonable mechanisms.
ACCOUNTABILITY FOR ONWARD TRANSFER
When transferring PII to a controller – defined as a person or organization which, alone or jointly with others, determines the purposes and means of the processing of the PII (the “Controller”) – or to agents acting on our behalf who are typically retained by SI to perform a part of our Search Services, such as manually searching court records (the “Sub-Processors”), the above Notice and Choice principles apply. SI enters into contracts with such Controllers and Sub-Processors, as applicable, to ensure compliance with the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively referred to as “DPF Principles”). For Controllers, the contract terms include provisions that (i) PII may only be processed for limited and specified purposes consistent with the individual’s Consent; (ii) the Controller will provide at least the same level of protection as required by the DPF Principles; and (iii) the Controller will notify us if it makes a determination that it can no longer meet its obligations; and (iv) when such a determination is made, will cease processing or take other reasonable and appropriate remedial measures to cure the deficiency. In connection with a transfer of PII to a Sub-Processor, the contract terms are materially similar to those of a Controller, with the additional provision that the Sub-Processor will take reasonable and appropriate steps to ensure that it effectively processes the PII transferred in a manner consistent with SI’s obligations under the principles.
In the context of an onward transfer, SI has the responsibility for the processing of the PII it receives under DPF Principles and subsequently transfers to a Sub-Processor. SI shall remain liable under the DPF Principles if its Sub-Processor processes such PII in a manner inconsistent with the DPF Principles unless SI proves that it is not responsible for the event giving rise to the damage.
SI holds ISO 27001:2013 certification for its Information Security Management System (ISMS). ISO 27001:2013, an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), underscores our dedication to upholding rigorous information security standards. We have a formal risk management program, which includes reasonable administrative, technical, physical, and managerial procedures and measures to protect PII from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing of and the nature of the PII.
DATA INTEGRITY AND PURPOSE LIMITATION
SI limits the PII it collects to information that is relevant and necessary for the purposes of processing and does not process PII in a way that is incompatible with the purposes for which it has been collected or authorized by the subject. SI takes reasonable steps to ensure that the PII is reliable, accurate, complete, and current. SI will adhere to the DPF Principles for as long as it retains the PII transferred in reliance on the Privacy Framework.
SI takes reasonable and appropriate measures to retain PII only for as long as there is a legitimate legal or business need, which may include needs that reasonably serve compliance and legal considerations, auditing, security, and fraud prevention, preserving or defending SI’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
SI provides access to PII to the individual about whom it has information and will correct, amend, or delete that information where it is inaccurate or has been processed in violation of the DPF Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of persons other than the individual would be violated.
RECOURSE, ENFORCEMENT, AND LIABILITY
In compliance with the DPF Principles, SI commits to resolving complaints about our collection or use of your PD. EU individuals with inquiries or complaints regarding our policy should first contact Joann Gold, Executive Vice President and Chief Compliance Officer at 818-227-2571 or via email at email@example.com or by postal mail at Scherzer International Corporation, 21650 Oxnard Street, Suite 300, Woodland Hills, CA 91367.
SI has further committed to refer unresolved complaints regarding DPF Principles to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive a timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please visit https://www.jamsadr.com/eu-us-privacy-shield. The services of JAMS are provided at no cost to you.
Under certain conditions, binding arbitration for complaints regarding DPF Principles compliance not resolved by any of the other DPF Principles may be invoked. For further information, visit https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
As noted in the onward transfer principle, in the context of such a transfer, SI is responsible for processing PII it receives under the DPF Principles and subsequent transfers to a Sub-Processor. SI shall remain liable under the DPF Principles if its Sub-Processor processes such PII in a manner inconsistent with the DPF Principles unless SI proves that it is not responsible for the event giving rise to the damage.
The Federal Trade Commission (FTC) has jurisdiction over SI’s compliance with the DPF Principles — SI is subject to its investigatory and enforcement powers. If SI should become subject to an FTC or court order based on non-compliance, SI shall make public any relevant DPF Principles-related sections of any compliance or assessment report submitted to the FTC to the extent consistent with confidentiality requirements.
As noted previously, SI has a formal risk management program and shall monitor its compliance with DPF Principles internally.
USE OF DATA BY CLIENTS AND OTHERS
We cannot and do not assume any responsibility for the actions or omissions of third parties, such as clients, service providers or strategic partners, including the manner in which they use information received either from SI or from other independent sources.
The Site may contain links to other Internet websites. Unless expressly stated otherwise, we are not responsible for the privacy practices or the content of these websites, including these sites’ use of any information collected through cookies or other technologies when visitors to our Site click through links to those sites.
You should review the privacy policies associated with these other sites to understand how their operators collect and use information. THIS POLICY DOES NOT ADDRESS THE PRIVACY OR INFORMATION PRACTICES OF ANY THIRD PARTIES.
SI monitors visitor traffic patterns throughout the Site by logging tracking data, which is collected automatically from each Site visitor. Tracking data may include information such as the IP address of the visitor’s computer, its browser type and operating system, the referring site, and which pages of the Site were visited, the order in which they were visited, and which hyperlinks were clicked. SI uses tracking data and other non-personally identifiable information in aggregate form to perform statistical analyses of the collective characteristics and behavior of our visitors, and to measure demographics and interests regarding specific areas of the Site.
We do not use “cookies” (small text files placed on a visitor’s computer hard drive) or other technologies on the Site to determine PII.
“Sensitive data,” for the purposes of our Search Services is defined as data regarding health conditions, racial or ethnic status, political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation and activity, and is generally not collected, used and/or retained by SI.
CERTAIN PUBLIC RECORDS
From time to time, we encounter various forms of certain public records that may or may not be relevant to the searches we perform. For example, while searching for court records, we may find divorce, custody, or probate records. We treat this information on a case-by-case basis. Absent a specific request from a client, it is our general policy not to include these records in our reports because they are either irrelevant to the purpose of our report or ambiguous as to a personal involvement, fault, or culpability. If a client requests the information, then we will deliver it, if we are legally permitted to do so.
SI may occasionally implement special features on the Site and additional privacy information may be posted. That privacy information, to the extent it conflicts with this Policy, will govern that particular feature.
DISPOSAL OF INFORMATION
SI has a formal records retention and disposal policy. The majority of SI’s records are digitized. If SI destroys any documents containing PII during the course of its relevant Search Services, such destruction is accomplished in accordance with the approved document disposal rules formulated by the FTC. Unless legally required otherwise, it is SI’s policy to retain information in connection with our Search Services for a minimum of seven years.
DATA BREACH NOTIFICATION
In the event of a data breach, we will respond in accordance with the particular circumstances that trigger a notice requirement under federal, state and international laws, taking into consideration that different and sometimes conflicting laws may apply to the same data security incident depending on factors such as the industry sector involved and the residency of the affected individuals. If we have an obligation under the GLBA, we will conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If we determine that misuse has occurred or is reasonably possible, we will notify the affected consumer(s) as soon as possible. However, a consumer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides to us a written request for the delay. We then will notify the consumers as soon as notification will no longer interfere with the investigation.
OUR CONTACT INFORMATION
- For policy questions or to obtain a copy of this policy, please contact us by email at firstname.lastname@example.org or by postal mail at:
Scherzer International Corporation
Attn: Privacy Coordinator
21650 Oxnard Street, Suite 300
Woodland Hills, CA 91367
- To dispute information
If you are a consumer who wants to dispute the accuracy or completeness of information contained in a consumer report/investigative consumer report prepared by SI, please contact AJ Lawler at 800-383-4336, via email at email@example.com or by postal mail at the address noted above indicating which part(s) of the report you are contesting, the reasons you believe the information is incorrect or incomplete, and any other information you deem relevant to your dispute. We will promptly investigate your dispute and advise you of the results within 30 days of receipt.
- To obtain a free copy of your consumer report or consumer file
If you know or believe that SI has prepared a consumer report on you, and you would like to receive a free copy of the report or your consumer file from SI, please also contact AJ Lawler at 800-383-4336, via email at firstname.lastname@example.org or by postal mail at the address noted above.
For us to release any information, “proper identification” is required. Proper identification includes documents such as a valid driver’s license, Social Security number, military identification card and credit cards.