Digital Bedrock EU-U.S. and UK Extension Data Privacy Framework Notice

Date: 2024-07-11

Digital Bedrock complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  Digital Bedrock has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

This Privacy Notice is for residents of the European Economic Area (EEA), the European Union (EU), and the United Kingdom (UK). It supplements the information in our general Privacy Notice (https://www.digitalbedrock.com/privacy), in which we describe how we collect and use your personal data, what we do with the collected data, with whom we share the data, and how you can exercise your privacy rights. In this supplemental notice, we provide additional information that is required under European and UK data protection laws.

Digital Bedrock is a "Data Controller," a legal term which means we make decisions regarding how and why we collect and use your Personal Information. As the "Data Controller," we are responsible for ensuring that your Personal Information is only used for the purposes for which it was originally collected and in compliance with all applicable data protection laws.

Digital Bedrock is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. We will follow the guidelines from the Federal Trade Commission should there be any data breach: https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business

While Digital Bedrock is careful to keep personal data confidential and inaccessible to third parties, we could be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have any concerns with how Digital Bedrock collects or uses your personal information, or want to request your information be deleted, please contact:

Linda Tadic, CEO

Email: Ltadic@digitalbedrock.com

Tel. (888) 938-7386 x700

Mailing address:

PO Box 86311

Los Angeles, CA 90086-0311

We will respond within 45 days to your request.

Purpose of Data Collection

We collect two types of information: contractual information, and personal information used to send occasional marketing emails.

Marketing lists. We collect personal data for marketing through users entering their information on our website to download brochures or ask questions, and through attendee lists at conferences and trade shows where attendees have opted in to share their contact information with vendors.

Information collected through our website consists of name and email address.  

Information provided from conferences and trade shows is usually name, email address, and sometimes organization.

We do not use cookies for tracking purposes on our website.

We use Mailchimp to manage our marketing mailing lists for occasional e-blasts with announcements on our services or attendance at conferences. When we sponsor a conference, we are sometimes given the names and email addresses of attendees who opt in to give their information to sponsors. Visitors to our booth at conferences may also provide their names and emails. People can opt out of receiving these emails by clicking to unsubscribe.

We do not sell, trade, or otherwise transfer to outside parties any personally identifiable information.

We do not include or offer third-party products or services on our website.

Contractual information. Names and contact information for persons related to client contracts are kept strictly confidential. Client contact information is kept in password-protected files on Box.

Our General Privacy Policy is available on our website: https://www.digitalbedrock.com/privacy

Choice

We do not transfer personal data to third parties. If this policy changes in the future, we will provide individuals with an opt-out or opt-in choice before sharing their data with third parties or using it for purposes other than those for which it was originally collected.

Individuals can opt out of being on our marketing mailing lists. They can click on “Unsubscribe” when they receive a marketing email from us, or notify us through email or in writing.

Unsubscribing means the individual is removed from Mailchimp, the email marketing service where our marketing lists are stored and managed. Their name and email address are blocked and cannot be re-added. (See “Accountability for Onward Transfer” for more information on our relationship with Mailchimp.)

We do not collect sensitive information.

Accountability for Onward Transfer

Digital Bedrock has contracts with Mailchimp and Box, the two agents that store personal information for our business purposes.

Digital Bedrock uses Mailchimp to store and manage its mailing lists and marketing emails/campaigns. The data security and privacy policies of Mailchimp can be reviewed at https://mailchimp.com/about/security/ (information on Mailchimp and European Data Transfers: https://eepurl.com/dyikdv). Mailchimp has a Data Processing Addendum that describes how it conforms to European Data Protection Laws.

Digital Bedrock uses Box to store its company files, including customer contracts. Box is not used to process customer data, only to store our files. Box has certified to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF (https://www.box.com/gdpr). Digital Bedrock has signed the Box Data Processing Addendum.

Security

Digital Bedrock password-protects the individual files that can contain personal data (both marketing and contractual). File access is on a “need-to-know” basis; only staff who need access to those files can access them.

Customer information is not stored on any staff member’s personal computer.

Data Integrity and Purpose Limitation

Personal data is strictly limited to its intended purpose. If a customer’s designated contractual contacts leave their company, then the former person’s name and information are removed and replaced with the new person’s.

Legacy personal data for people no longer with a company could be retained in original contracts, since the original contracts are retained for legal purposes.

Access

Individuals can request to see their personal information at any time. Since that data is not publicly available, they must contact Digital Bedrock by email, phone, or letter. They can request to have their data changed or removed.

Recourse, Enforcement and Liability

Digital Bedrock will adhere to the mechanisms enforced by the U.S. Federal Trade Commission. We will follow the guidelines from the Federal Trade Commission should there be any data breach: https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Digital Bedrock commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. To learn more about the Data Privacy Framework (DPF) program, please visit https://www.dataprivacyframework.gov/

Digital Bedrock will respond promptly to inquiries and requests by the Department of Commerce for information relating to the EU-U.S. DPF. We will respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department.

An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. For more information and details on when an individual can invoke binding arbitration, see Paragraph C of the DPF Annex I: https://www.dataprivacyframework.gov/framework-article/C%E2%80%93Pre-Arbitration-Requirements

Under the Onward Transfer Principle, Digital Bedrock has responsibility for the processing of personal information it receives under the EU-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf.  See the above sections on Choice and Accountability for Onward Transfer for information on third parties where Digital Bedrock stores personal information. Digital Bedrock does not authorize its current agents Mailchimp or Box to transfer data to fourth parties.  If in the future Digital Bedrock does transfer personal information to a third party acting as an agent on its behalf and authorizes the agent to transfer data, Digital Bedrock shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless Digital Bedrock proves that it is not responsible for the event giving rise to the damage.

The Federal Trade Commission has jurisdiction over Digital Bedrock’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.