With the July 2020 invalidation of the U.S. Privacy Shield framework by the EU Court of Justice in the Schrems II decision, and while the European Commission and the US Department of Commerce continue to negotiate a new data privacy regime between the EU and the US, Syntrio continues to work with the EU Standard Contractual Clauses in all agreements with its customers subject to EU GDPR compliance and that make this request. This approach is reaffirmed as valid in the March 25, 2021 joint statement by the European Commission and the US Department of Commerce.
Meanwhile, Syntrio continues to remain a signatory to and comply with the US Privacy Shield.
This Policy relates to Personal Information (i.e., information that identifies a specific individual) and related data that Syntrio, Inc. (“Syntrio”) collects or otherwise receives, through its website, directly from customers and through other means. It does not include Syntrio Human Resources information.
Syntrio collects and otherwise receives the following types of Personal Information and related data:
- Customer Service: Syntrio receives directly from business customers Personal Information related to their employees and third parties through its learning management system (LMS) and online courses. This data may include: name, email, employee number, department, function, and other non-sensitive Personally Identifiable Information (PII) pertaining to an employee’s demographic characteristics. In addition, Syntrio records certain education information such as employee course completion, course bookmark, course quiz score, course review, and other data that enables the customer to understand their employees’ performance and to help Syntrio improve its course quality.
- The Lighthouse Services division of Syntrio receives and processes anonymous hotline reports. The information contained on an anonymous hotline report may contain PPI. Anonymous hotline report information can contain name, email, employee information, and complainant details regarding the incident being reported.
- Customers may directly input PII, including Sensitive PII, into the Case Management System at their own discretion. The Lighthouse Services division does not collect this information on behalf of the customer. Lighthouse division staff may access this information for technical maintenance purposes only. This staff have signed confidentiality agreements with respect to protection and non-disclosure of this information.
- Marketing: Syntrio subscribes to various services that provide individuals’ names, titles, business email addresses and other contact information of prospective and current customers for marketing purposes. Syntrio gathers customer and prospect names, telephone numbers, email addresses and related contact information at trade shows and other events. Syntrio gathers the above contact information from visitors to our website when these individuals provide this data to us directly.
An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. The following link provides additional information regarding binding arbitration:
Onward Transfers of Data
Syntrio provides Personal Information to the following types of third parties for the identified purposes to:
Business partners, serving as sub-processors, to assist us in delivering our products and services to customers. This data is not accessible by the third party under contract.
In transferring Personal Information to these parties as sub-processors, we:
- Only provide data for limited and specific purposes related to delivering our products and services or other Company operations;
- Ascertain that the sub-processor’s policies maintain a commensurate level of compliance regarding this data.
- Take reasonable steps to ensure the sub-processor effectively processes this data in a manner consistent with our duties under the Principles;
- Require the sub-processor to notify us if it makes a determination that it can no longer meet obligation commensurate with the Principles; upon such notice, we take reasonable steps to stop and remediate unauthorized processing;
- Will provide a summary or a representative copy of relevant privacy provisions of our contract with that agent to the U.S. Department of Commerce upon request.
In addition, Syntrio provides Personal Information to:
Business partners for co-marketing purposes (where we market to their customers and they market to our customers).
In transferring Personal Information to these parties as data controllers, we seek to:
- Only transfer data for limited and specified purpose;
- Determine that the organization is obligated to provide at least the same level of privacy protection as is required of Syntrio;
- Take reasonable steps to ensure the organization effectively processes Personal Information in a manner consistent with Syntrio’s data privacy duties;
- Expect the organization to notify us if it makes a determination that it can no longer meet its data protection obligation; upon notice, take reasonable steps to stop and remediate unauthorized processing;
- Provide a summary or a representative copy of relevant privacy provisions of our contract with that organization or our third-party partners’ policies to the U.S. Department of Commerce upon request.
Syntrio does not provide its third-party Processors with personal information. However, Syntrio remains liable under the Privacy Shield Principles if Syntrio’s third-party Processor onward transfer recipients process relevant Personal Data in a manner inconsistent with the Privacy Shield Principles, unless Syntrio proves that it is not responsible for the event giving rise to the damage.
Individuals from whom Syntrio collects and for whom it maintains Personal Information may limit use and disclosure of this Personal Information through the following:
- To be disclosed to a third party, other than as an agent, or
- To be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.
Syntrio provides opt-out mechanisms in related communications that allows individuals to remove themselves from future or unrelated communications. Individuals can always contact us directly to exercise their choice regarding these communications. Specifically, we provide an opt-out mechanism where we intend to share an email address with a third-party for a purpose other than that for which the Personal Information was collected.
Note that Syntrio must process certain Personal Information to provide its products and services to its customers. For example, Syntrio may need to provide product/service update information to fulfill the terms of its service. In such situations, no opt-out mechanism is available, other than cancelling the product or service.
For Sensitive Personal Information: If Syntrio collects Sensitive Personal Information, such as personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual, we will provide an opt-in mechanism before using it or sharing it with third parties if such use would be for a purpose other than what it was intended for when initially collected.
Lighthouse Services Division
The Lighthouse Services division collects information from clients’ employees and other related parties to report ethics and compliance violations. Information can be submitted to LIGHTHOUSE via web form, facsimile, mail, email, text message and telephonically. Lighthouse Services may collect information from users automatically when they contact us, which may include the name of the domain and host from which the users accesses the Internet; the Internet protocol (IP) address of their computer; the type of browser and software operating system being used; web log data, including the date and time of access to our website; the Internet address of the website from which the user linked to our site; and the phone number which the user called from.
For most communications with Lighthouse Services, we do not require PII. There are opportunities where the user will be given the option to provide PII. The information that may be provided by the user may include name, email address, telephone number and address. Depending on the request and other circumstances, other information may also be collected. It is the user’s discretion and determination whether to provide such information.
Lighthouse Services may disclose aggregated data and statistics in order to describe the use of our services to our prospective and existing clients, partners, and other third parties, and for other lawful purposes. Lighthouse Services may disclose part or all of a user’s PII when Lighthouse Services believes, in good faith, that the law requires such disclosure. Additionally, Lighthouse Services is required to disclose PII in response to lawful requests by public authorities, including to meet national security or law enforcement requirements..
Lighthouse Services does not share any specific user information outside of Syntrio.
Anonymous Website Data
Syntrio uses tracking technologies on its website to provide our visitors with certain features, to better understand how visitors use our website, and to advertise to visitors, sometimes through relationships with third parties, such as Google or Yahoo. Our website visitors are able to control certain tracking technologies through their own browsers they use to visit our website.
Syntrio’s website may provide links to other organizations’ websites. Syntrio is not responsible for these organizations’ privacy practices or their website content.
Syntrio takes reasonable and appropriate measures to protect Personal Information that it creates, maintains, uses or disseminates from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
Data Integrity and Purpose Limitation
Personal Information is limited to the information that is relevant for the purposes of processing.
Syntrio strives not to process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, Syntrio takes reasonable steps to ensure that Personal Information is reliable for its intended use, accurate, complete, and current. Syntrio adheres to the Principles for as long as it retains such information.
Syntrio retains Personal Information in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing. Syntrio takes reasonable and appropriate measures in complying with this provision.
Syntrio seeks to maintain the accuracy, completeness and relevance of Personal Information it maintains. It provides individuals subject to this data with an opportunity to review their Personal Information, upon request, to ensure that it is accurate, complete, current, timely and reliable for its intended use. The Company will work with these individuals to ensure Personal Information meets these objectives.
Syntrio provides individuals with Personal Information that the Company maintains with an opportunity to review their Personal Information, upon request, to ensure that it is accurate, complete, current, timely and reliable for its intended use, and make corrections, as warranted. In certain instances, the Company may charge a fee for this service, provided that the fee is not excessive.
Individuals also can raise any complaints regarding the Company’s data privacy practices as follows. The Company will respond within a reasonable time to any request or complaint, not to exceed 45 days. Individuals can contact the following regarding any questions or complaints regarding their Personal Information:
Syntrio may change this policy to remain consistent with governing law and other good practices of data privacy protection. When changes are made to this Policy, the company will communicate these changes to all employees, update it on the Company’s website and maintain a copy of the previous privacy policies. The Company will also notify customers of any materials changes to this policy to allow them to make any choices of how we will use their Personal Information going forward.
Recourse, Enforcement and Liability
Syntrio uses Judicial Arbitration and Mediation Services, Inc. as its independent dispute resolution organization that individuals can contact for any disputes regarding with Syntrio their Personal Information. You can contact this organization at:
Syntrio may be required to disclose Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Syntrio has further committed to refer unresolved privacy complaints to an independent dispute resolution mechanism provided above.
If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the independent dispute resolution service provide listed above for more information and to file a complaint.
Syntrio will assess its adherence to its privacy policies annually. This assessment will include the following:
- A review of Syntrio privacy policies for ongoing conformance with applicable law.
- Review of the Personal Data that Syntrio collects and means of collecting this data.
- Inclusion of mechanisms, and related communications, that individuals can review their Personal Data, correct it, ask questions or file a complaint.
- Training for Syntrio employees, based on their degree of involvement with Personal Data.
If Syntrio should undergo a business transfer, such as a merger, acquisition, divestiture, or other such action, that will likely lead to Personal Information being transferred to a new entity, the Company will provide a notification on our website of any change in ownership or uses of this Personal Information, as well as any choices related parties may have regarding this Personal Information.