Boxlight also continues to comply with ongoing Privacy Shield obligations with respect to EU Personal Data transferred to us from the EU or European Economic Area (EEA) in reliance on the EU-U.S. Privacy Shield Framework (as set forth by the U.S. Department of Commerce). Despite a July 16, 2020 ruling by the Court of Justice of the European Union invalidating the EU-U.S. Privacy Shield Framework, it continues to be administered by the Department of Commerce. The commitments made by Boxlight in respect of Personal Data remain subject to the enforcement powers of the United States Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce’s Privacy Shield website located at: https://www.privacyshield.gov.
This means that Boxlight certifies that it adheres to the principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability as defined in the Privacy Shield (“Privacy Shield Principles”). If there is any conflict between the terms in the Boxlight Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
For purposes of enforcing compliance with the Privacy Shield, Boxlight is subject to the investigatory and enforcement authority of the US Federal Trade Commission.
In this Privacy Shield Policy:
“EU Personal Data” means any information relating to you that identifies or can be used to identify you, either separately or in combination with other readily available data that is received by Boxlight in the U.S. from the EEA or Switzerland in connection with the Services.
“Sensitive Personal Data” means EU Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.
“Standard Contractual Clauses” means the standard data protection clauses for the transfer of EU Personal Data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
Boxlight commits to comply with the Privacy Shield Principles with respect to the EU Personal Data received from you in connection with your use of the Services. This Privacy Shield Policy does not apply to EU Personal Data transferred under Standard Contractual Clauses or any approved derogation under EU data protection law.
3. Privacy Shield Principles
Boxlight commits to processing EU Personal Data in accordance with the Privacy Shield Principles as follows:
The EU Personal Data that Boxlight collects from you depends on how you use the Services.
Before Boxlight uses EU Personal Data for a purpose that is materially different from the purpose for which Boxlight collected it or that was later authorized, Boxlight will provide you with the opportunity to opt out.
If Boxlight collects Sensitive Personal Data, Boxlight will obtain opt-in consent if Privacy Shield requires, including before Sensitive Personal Data is used for a different purpose than the purpose for which it was collected or later authorized.
3.3. Accountability for Onward Transfer
If Boxlight transfers EU Personal Data covered by this Privacy Shield Policy to a third party, Boxlight takes reasonable and appropriate steps to ensure that each third party transferee processes EU Personal Data transferred in a manner consistent with Boxlight’s obligations under the Privacy Shield Principles. Boxlight will ensure that each transfer is consistent with any privacy notice provided to you. Boxlight requires a written contract with any third party receiving EU Personal Data that ensures that the third party (i) processes the EU Personal Data for limited and specified purposes consistent with any notice provided to you, (ii) provides at least the same level of protection as is required by the Privacy Shield Principles, (iii) notifies Boxlight if it cannot comply with Privacy Shield; and (iv) ceases processing EU Personal Data or takes other reasonable and appropriate steps to remediate.
In the event Boxlight transfers Personal Data covered by this Privacy Shield Policy to a third party acting as a controller, Boxlight will comply with the Notice and Choice Principles. Boxlight will also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify Boxlight if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.
In the event Boxlight transfers Personal Data to a third party acting as an agent, Boxlight will: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with Boxlight’s obligations under the Principles; (iv) require the agent to notify Boxlight if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
Under certain circumstances, Boxlight may be required to disclose EU Personal Data in response to valid requests by public authorities, including for national security or law enforcement requirements.
Boxlight remains liable under the Privacy Shield Principles if an agent processes EU Personal Data covered by this Privacy Shield Policy in a manner inconsistent with the Privacy Shield Principles unless Boxlight is not responsible for the event giving rise to the damage.
Boxlight takes reasonable and appropriate measures to protect EU Personal Data covered by this Privacy Shield Policy from loss, misuse and unauthorized access, disclosure, alteration and destruction. In determining these measures, Boxlight takes into account the risks involved in the processing and the nature of the EU Personal Data.
3.5. Data Integrity and Purpose Limitation
Boxlight takes reasonable steps to ensure that such EU Personal Data is reliable for its intended use, accurate, complete and current. Boxlight adheres to the Privacy Shield Principles for as long as it retains EU Personal Data in identifiable form. Boxlight takes reasonable and appropriate measures to comply with the requirement under the Privacy Shield to retain EU Personal Data in identifiable form only for as long as it serves a purpose of processing.
Boxlight limits the collection of EU Personal Data covered by this Privacy Shield Policy to information that is relevant for the purposes of processing. Boxlight does not process EU Personal Data in a way that is incompatible with the purpose for which it was collected or subsequently authorized by you.
If you are covered by this Privacy Shield Policy you may have the right to access your EU Personal Data and to correct, amend or delete the EU Personal Data if the EU Personal Data is inaccurate or processed in violation of the Privacy Shield Principles. Boxlight is not required to grant the rights to access, correct, amend and delete EU Personal Data if the burden or expense of providing access, correction, amendment or deletion is disproportionate to the risks to your privacy or if the rights of persons other than you are or could be violated.
3.7. Recourse, Enforcement, and Liability
In compliance with the Privacy Shield Principles, Boxlight commits to resolve complaints about your privacy and our collection or use of your EU Personal Data. Please first contact Boxlight with inquiries or complaints regarding this Privacy Shield Policy at firstname.lastname@example.org.
3.7.1. Customer Inquiries. Boxlight has further committed to refer unresolved customer privacy complaints under the Privacy Shield Principles to the International Centre for Dispute Resolution, an independent dispute resolution mechanism operated by the American Arbitration Association. If your complaint is not satisfactorily addressed, please visit http://go.adr.org/privacyshield.html for more information and to file a complaint.
Under certain conditions detailed in the Privacy Shield, you may be able to invoke binding arbitration before the Privacy Shield Panel created by the U.S. Department of Commerce and the European Commission. To learn more, please see Privacy Shield Framework Annex I (Binding Arbitration) at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Boxlight commits to periodically review and verify its compliance with the Privacy Shield Principles and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. Boxlight acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants.
4. Changes to this Privacy Shield Policy
Boxlight may amend this Privacy Shield Policy consistent with the requirements of the Privacy Shield, including notice about any amendment.
5. How to Contact Boxlight
If you have any questions about this Privacy Shield Policy or would like to request access to your EU Personal Data, please contact us as follows:
Phone: (360) 464.2119
Mail: Attention: Boxlight Data Protection Lead
2750 Premiere Parkway, Suite 900
Duluth, GA 30097