EU-US Privacy Shield and US-Swiss Safe Harbor Privacy Statement
Innodata Inc., including its subsidiaries referenced below, (collectively “Innodata”) participates in the EU/US Privacy Shield program and the US-Swiss Safe Harbor program administered by the United States Department of Commerce. Innodata has self-certified to both programs upon the terms set forth herein and is subject to the investigatory and enforcement powers of the US Federal Trade Commission or any other applicable authorized statutory body. To learn more about the Privacy Shield program, please visit: www.commerce.gov/privacyshield. To learn more about the Safe Harbor program, please visit www.export.gov/safeharbor.
The following definitions apply for purposes of this Privacy Statement:
“Affiliate” means a legal entity that controls, is controlled by, or is under common control with Innodata Inc., but only while that control relationship exists; “control” means the direct or indirect ownership or control of 50% or more of the stock or other equity interest entitled to vote for the election of directors or equivalent governing body.
“Personal Data” means data received by Innodata in any form or medium (i.e., electronic, paper, etc.) that either identifies an individual, or can be used to identify an individual.
“Principles” means the Privacy Shield program principles as well as the US-Swiss Safe Harbor program principles, as may be applicable.
“Sensitive Information” means Personal Data that specifies medical or health conditions, personal sexuality, racial or ethnic origin, political opinions, religious, ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions (which are treated outside pending proceedings).
Please note, except as set forth herein, Innodata generally provides services to entities that involve the processing of data on the entities’ behalf. Accordingly, when Innodata acts in such a capacity, it is acting as an agent and/or on behalf of the customer entity, and the customer entity, rather than Innodata, owns and/or controls the Personal Data. Therefore, to the extent Innodata receives Personal Data from a customer entity in this context, it is relying on the customer entity’s compliance with any applicable law governing the privacy and security of Personal Data with respect to the manner in which the Personal Data has been collected from individuals by the customer entity and the uses or disclosures of the Personal Data that are permitted or required to be made pursuant to law or the contract with the customer entity. Any distinction in this Privacy Statement with respect to the applicability of a standard when Innodata is acting as an agent and/or on behalf of a customer entity is noted below.
Types of Personal Data Collected
Innodata collects Personal Data from individuals who visit our public and customer-facing websites (“EU and Swiss Website Visitors”), and from certain corporate customers, suppliers and business partners in connection with the services we provide (“EU and Swiss Business Contacts”). Innodata also collects from time to time Personal Data available on public websites or directly from other third-parties relevant to products and services offered by Innodata (“EU and Swiss Third-Parties”).
The following types of Personal Data may be collected by Innodata from EU and Swiss Website Visitors, Business Contacts and Third-Parties:
Purposes of Collection and Use
Innodata collects and uses Personal Data of EU and Swiss Website Visitors, Business Contacts and Third-Parties as permitted by law, including for the following purposes:
We reserve the right to transfer and/or sell aggregate data collected as indicated above for lawful purposes.
How We Share Personal Data We Collect
Innodata may share Personal Data collected about individuals or companies in the EU or Switzerland with third-parties only in the ways that are described in this Privacy Statement or as otherwise permitted by applicable law. We may share your Personal Data with our Affiliates, subsidiaries, and contractors. We also sometimes hire other companies to provide certain business related functions (“Service Providers”). These Service Providers have access to Personal Data as necessary to provide their respective services to us.
We also may disclose Personal Data: (a) in response to a lawful request by public authorities, such as to comply with a subpoena, or similar legal process, including to meet national security or law enforcement requirements; (b) under a good faith belief that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud or respond to a government request; (c) in connection with a corporate sale, merger, reorganization, dissolution or similar event (in this case, Personal Data may be a part of assets transferred from our company to the acquiring company); and (d) to any third-party as set forth herein or with your prior consent to do so.
In the event Innodata collects Personal Data directly from individuals in the EU or Switzerland it shall inform the individuals of (i) the purpose for which it collects and uses the Personal Data; (ii) the types of third parties to which Innodata discloses or may disclose the Personal Data; (iii) the choices and means Innodata offers individuals for limiting the use and/or disclosure of the Personal Data; and (iv) how to contact Innodata with any inquiries or complaints concerning the use or disclosure of the Personal Data. Innodata shall provide this notice in clear and conspicuous language when the individuals are first asked to provide the Personal Data to Innodata or as soon thereafter as is practicable, but in any event before Innodata uses such information for a purpose other than that for which it was originally collected.
In the event Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data directly from the individual who is the subject of the information, it will use or disclose such information only to the extent permitted or required by law or the customer entity pursuant to the contract with the customer entity.
Innodata may collect or receive Personal Data from individuals, such as employees of its customers, in the course of providing or prospecting its services to its customers, and Innodata may use and/or disclose such information in furtherance of providing or prospecting its services or for purposes of Innodata’s business operations.
In the event Innodata collects Personal Data directly from individuals in the EU or Switzerland, and unless an exception applies, it shall offer the individuals the opportunity to choose (opt-out) as to whether their Personal Data is (i) to be disclosed to a third-party (see “Onward Transfer” section below); or (ii) to be used for a purpose other than the purpose for which the Personal Data was originally collected or subsequently authorized by the individuals. For Sensitive Information Innodata collects directly from individuals in the EU or Switzerland, and unless an exception applies, Innodata will provide individuals the opportunity to affirmatively or explicitly consent (opt-in) to the disclosure of the Sensitive Information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individuals.
In the event Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data or Sensitive Information directly from the individual who is the subject of the information, it will use or disclose such information only to the extent permitted or required by law or the customer entity pursuant to the contract with the customer entity. Innodata shall treat information as Sensitive Information where it receives the information from a third party and the third-party treats and identifies the information as Sensitive Information.
In the event Innodata collects Personal Data directly from individuals in the EU or Switzerland, in order to disclose such Personal Data to a non-Affiliate third-party, Innodata will apply the “Notice” and “Choice” principles described above. Where Innodata wishes to transfer such Personal Data from the EU or Switzerland to a non-Affiliate third-party, unless an exception applies, it will (i) ensure that the third-party is contractually obligated to process the subject Personal Data only for limited, specific purposes consistent with the consent provided by the individual; and (ii) ensure that the third-party recipient provides at least the same level of privacy protection as is required by the relevant Principles and notify Innodata if it makes a determination that it can no longer meet this obligation. Innodata may potentially be liable if these requirements are not met.
In the event Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Information directly from the individual who is the subject of the information, it will use or disclose such information only to the extent permitted or required by law or the customer entity pursuant to the contract with the customer entity.
Innodata shall take reasonable precautions to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Innodata only processes Personal Information that is relevant to the products and services it provides and only for purposes compatible with those for which the Personal Data was collected, received, or otherwise authorized. To the extent necessary for such purposes, Innodata shall take reasonable steps to do either of the following: (i) where Innodata receives Personal Data directly from an individual, ensure that the Personal Data is accurate, complete and current, and is reliable for its intended use; or (ii) where Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data directly from an individual, notify the customer entity of any potential data integrity concerns known to Innodata.
In the event Innodata collects Personal Data directly from individuals in the EU or Switzerland, Innodata shall allow individuals access to their Personal Data and permit individuals to correct, amend or delete inaccurate information, unless an exception applies, such as where the burden or expense of providing such access would be disproportionate to the risks to the privacy of the individuals in the case in question or where the rights of persons other than the individuals would be violated.
In the event Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data directly from the individual who is the subject of the information, it will cooperate with the customer entity and take any reasonable steps necessary to allow the customer entity to provide any requested access to the individual in accordance with the contract with the customer entity.
Innodata uses a self-assessment approach to assure compliance with this Privacy Statement and periodically verifies that this Privacy Statement is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in adherence to the Principles.
In compliance with the Principles, Innodata is committed to resolve any concerns with respect to your privacy. Individuals with inquiries or complaints regarding this Privacy Statement should first contact Innodata using the contact information provided below, in which case Innodata will investigate and attempt to internally resolve any complaints and disputes regarding the use and disclosure of Personal Information.
If you are an individual in the EU or Switzerland and have utilized Innodata’s internal dispute resolution process, but your complaint or dispute remains unresolved, Innodata is committed to utilizing the independent dispute resolution process of the International Centre for Dispute Resolution/American Arbitration Association (ICRD/AAA) based in the United States with respect to all unresolved privacy complaints (except complaints regarding Human Resources Data) under the EU-US Privacy Shield and the US-Swiss Safe Harbor Frameworks. If you do not receive timely acknowledgement of your complaint, or if your compliant is not satisfactorily addressed, please visit the ICRD/AAA website at https://apps.adr.org/webfile/ for more information on how to file a complaint. Note that in some limited cases with respect to compliance with the EU-US Privacy Shield, you may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the US Department of Commerce and European Commission.
Innodata reserves the right to change this Privacy Statement from time to time consistent with the Privacy Shield Principles and the Safe Harbor Principles as well as applicable law. Innodata will post any revised policy on this website.
Questions, requests, comments or complaints regarding this Privacy Statement can be mailed or emailed to:
Office of General Counsel
3 University Plaza
Hackensack, New Jersey 07601
Innodata Subsidiaries also adhering to this Privacy Statement:
Last Updated: September 20, 2016