May 2021 (v8)
With the July 2020 invalidation of the U.S. Privacy Shield framework by the EU Court of Justice in the Schrems II decision, and while the European Commission and the U.S. Department of Commerce continue to negotiate a new data privacy regime between the EU and the U.S., Syntrio continues to work with the EU Standard Contractual Clauses in all agreements with customers that are subject to EU GDPR compliance and that make this request. This approach is reaffirmed as valid in the March 25, 2021, joint statement by the European Commission and the U.S. Department of Commerce.
Meanwhile, Syntrio remains a signatory and complies with the U.S. Privacy Shield.
This Policy relates to Personal Information (i.e., Information that identifies a specific individual) and related data that Syntrio, Inc. (“Syntrio”) collects or otherwise receives, through its website, directly from customers, and through other means. It does not include Syntrio Human Resources information.
Syntrio collects and otherwise receives the following types of Personal Information and related data:
- Customer Service: Syntrio receives Personal Information from business customers related to their employees and third parties through its learning management system (LMS) and online courses. This data may include name, email, employee number, department, function, and other non-sensitive Personally Identifiable Information (PII) about an employee’s demographic characteristics. In addition, Syntrio records certain educational Information such as employee course completion, course bookmark, course quiz score, course review, and other data, enabling the customer to understand their employees’ performance and help Syntrio improve its course quality.
- The Lighthouse Services division of Syntrio receives and processes anonymous hotline reports. Anonymous hotline report information can contain a name, email, employee information, and complainant details regarding the reported incident. The information contained in an anonymous hotline report may include PII.
- Customers may input PII, including Sensitive PII, into the Case Management System at their discretion. The Lighthouse Services division does not collect this Information on behalf of the customer. Lighthouse division staff may access this Information for technical maintenance purposes only. This staff has signed confidentiality agreements concerning the protection and non-disclosure of this Information.
- Marketing: Syntrio subscribes to various services that provide individuals’ names, titles, business email addresses, and other contact information of prospective and current customers for marketing purposes. Syntrio gathers customer and prospect names, telephone numbers, email addresses, and contact information at trade shows and other events. Syntrio collects the contact information from visitors to our website when these individuals provide this data to us directly.
An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. The following link provides additional information regarding binding arbitration:
Onward Transfers of Data
Syntrio provides Personal Information to the following types of third parties for the identified purposes:
Business partners serve as sub-processors to assist us in delivering our products and services to customers. This data is not accessible by the third party under contract.
In transferring Personal Information to these parties as sub-processors, we:
- Only provide data for limited and specific purposes related to delivering our products and services or other Company operations;
- Ascertain that the sub-processors’ policies maintain commensurate compliance regarding this data;
- Take reasonable steps to ensure the sub-processor effectively processes this data in a manner consistent with our duties under the Principles;
- Require the sub-processor to notify us if it decides that it can no longer meet obligations commensurate with the Principles; upon such notice, we take reasonable steps to stop and remediate unauthorized processing;
- Provide a summary or a representative copy of relevant privacy provisions of our contract with that agent to the U.S. Department of Commerce upon request.
In addition, Syntrio provides Personal Information to:
Business partners for co-marketing purposes (where we market to their customers and they market to our customers).
In transferring Personal Information to these parties as data controllers, we seek to:
- Only transfer data for limited and specified purposes;
- Determine that the organization is obligated to provide at least the same level of privacy protection as is required of Syntrio;
- Take reasonable steps to ensure the organization effectively processes Personal Information in a manner consistent with Syntrio’s data privacy duties;
- Expect the organization to notify us if it decides that it can no longer meet its data protection obligation; upon notice, take reasonable steps to stop and remediate unauthorized processing;
- Provide a summary or a representative copy of relevant privacy provisions of our contract with that organization or our third-party partners’ policies to the U.S. Department of Commerce upon request.
Syntrio does not provide its third-party Processors with Personal Information. However, Syntrio remains liable under the Privacy Shield Principles if Syntrio’s third-party Processor onward transfer recipients process relevant Personal Data in a manner inconsistent with the Privacy Shield Principles unless Syntrio proves that it is not responsible for the event giving rise to the damage.
Individuals from whom Syntrio collects and for whom it maintains Personal Information may limit the use and disclosure of this Personal Information through the following:
- To be disclosed to a third party other than as an agent, or
- To be used for a purpose that is materially different from the purpose(s) for which it was initially collected or subsequently authorized by the individuals.
Syntrio provides opt-out mechanisms in related communications that allow individuals to remove themselves from future or unrelated communications. Specifically, we offer an opt-out mechanism where we intend to share an email address with a third party for a purpose other than that for which the Personal Information was collected. Individuals can always contact us directly to exercise their choice regarding these communications.
Note that Syntrio must process certain Personal Information to provide its products and services to its customers. For example, Syntrio may need to provide product/service update information to fulfill the terms of its service. No opt-out mechanism exists in such situations other than canceling the product or service.
For Sensitive Personal Information: If Syntrio collects Sensitive Personal Information, such as personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or Information identifying the sex life of the individual, we will provide an opt-in mechanism before using it or sharing it with third parties if such use would be for a purpose other than what it was intended for when initially collected.
Lighthouse Services Division
The Lighthouse Services division collects Information from clients’ employees and related parties to report ethics and compliance violations. Data can be submitted to LIGHTHOUSE via web form, facsimile, mail, email, text message, and telephonically. Lighthouse Services may collect Information from users automatically when they contact us, which may include the name of the domain and host from which the users access the Internet; the Internet Protocol (IP) address of their computer; the type of browser and software operating system being used; weblog data, including the date and time of access to our website; the Internet address of the website from which the user linked to our site; and the phone number from which the user called.
For most communications with Lighthouse Services, we do not require PII. There are opportunities where the user will be given the option to provide PII. The Information the user may provide may include name, email address, telephone number, and address. Other Information may be collected depending on the request and other circumstances. It is at the user’s discretion and determination whether to provide such Information.
Lighthouse Services may disclose aggregated data and statistics to describe the use of our services to our prospective and existing clients, partners, and other third parties and for other lawful purposes. Lighthouse Services may disclose part or all of a user’s PII when Lighthouse Services believes, in good faith, that the law requires such disclosure. Additionally, Lighthouse Services must disclose PII in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
Lighthouse Services does not share any specific user information outside of Syntrio.
Anonymous Website Data
Syntrio uses tracking technologies to provide visitors with certain features, better understand how visitors use our website, and advertise to visitors, sometimes through relationships with third parties, such as Google or Yahoo. Visitors can control certain tracking technologies through the browsers they use to visit our website.
Syntrio’s website may provide links to other organizations’ websites. Syntrio is not responsible for these organizations’ privacy practices or website content.
Syntrio takes reasonable and appropriate measures to protect the Personal Information that it creates, maintains, uses, or disseminates from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.
Data Integrity and Purpose Limitation
Personal Information is limited to the Information relevant to the processing.
Syntrio strives not to process Personal Information in a way incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, Syntrio takes reasonable steps to ensure that Personal Information is reliable for its intended use, accurate, complete, and current. Syntrio adheres to the Principles for as long as it retains such Information.
Syntrio retains Personal Information in a form identifying or making identifiable the individual only for as long as it serves the purpose of processing. Syntrio takes reasonable and appropriate measures to comply with this provision.
Syntrio seeks to maintain its support’s accuracy, completeness, and relevance. It provides individuals subject to this data with an opportunity to review their Personal Information upon request to ensure that it is accurate, complete, current, timely, and reliable for its intended use. The Company will work with these individuals to provide Personal Information that meets these objectives.
Syntrio provides individuals whose Personal Information the Company maintains with an opportunity to review their Personal Information upon request to ensure that it is accurate, complete, current, timely, and reliable for its intended use, and to make corrections, as warranted. The Company may charge a fee for this service in certain instances, provided the cost is not high.
Individuals can also raise any complaints regarding the Company’s data privacy practices. The Company will respond within a reasonable time to any request or complaint, not to exceed 45 days.
Syntrio may change this Policy to remain consistent with governing law and other sound data privacy protection practices. When changes are made to this Policy, the Company will communicate these changes to all employees, update it on the Company’s website and maintain a copy of the previous privacy policies. The Company will also notify customers of any material changes to this Policy to allow them to choose how we will use their Personal Information.
Recourse, Enforcement, and Liability
Syntrio uses Judicial Arbitration and Mediation Services, Inc. as its independent dispute resolution organization that individuals can contact for any disputes with Syntrio regarding their Personal Information. You can contact this organization at:
Syntrio may be required to disclose Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Syntrio has further committed to refer unresolved privacy complaints to the independent dispute resolution mechanism provided above.
If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the independent dispute resolution service listed above for more information and to file a complaint.
Syntrio will assess its adherence to its privacy policies annually. This assessment will include the following:
- A review of Syntrio privacy policies for ongoing conformance with applicable law.
- A review of the Personal Data that Syntrio collects and the means of collecting this data.
- Inclusion of mechanisms, and related communications, so individuals can review their Personal Data, correct it, ask questions, or file a complaint.
- Training for Syntrio employees based on their involvement with Personal Data.
If Syntrio undergoes a business transfer, such as a merger, acquisition, divestiture, or other such action, that will likely lead to Personal Information being transferred to a new entity, the Company will provide notice on our website of any change in ownership or uses of this Personal Information and any choices related parties may have regarding this Personal Information.