HOW DO WE PROTECT COLLECTED PERSONAL INFORMATION?
Our Data Security Program
We will take all reasonable security precautions to protect your personal information provided to our online and mobile resources. We have adopted, implemented and maintain an enterprise-wide corporate information security program that includes technical, organizational, administrative, and other security measures designed to protect, in a manner consistent with accepted industry standards and applicable law, against anticipated or actual threats to the security of personal information (the “Security Program”).
We cannot, however, guarantee that your information, whether during transmission or while stored on our systems or otherwise in our care, will be free from unauthorized access or that loss, misuse, destruction, or alteration will not occur.
Except for our duty to maintain the Security Program under applicable law, we disclaim any other liability for any such theft or loss of, unauthorized access or damage to, or interception of any data or communications including personal information. We have every reason to believe our Security Program is reasonable and appropriate for our business and the nature of foreseeable risks to the personal information we collect.
We further periodically review and update our Security Program, including as required by applicable law.
Our Incident Response and Management Plan
Despite the significant investment we’ve made in, and our commitment to, the Security Program including enforcement of our third-party oversight procedures, we cannot guarantee that your personal information, whether during transmission or while stored on our systems, otherwise in our care or the care of our vendors and business partners, will be free from either failed or successful attempts at unauthorized access or that loss or accidental destruction will never occur. Except for our duty under applicable law to maintain the Security Program, we necessarily disclaim, to the maximum extent the law allows, any other liability for any such theft or loss of, unauthorized access or damage to, or interception of any data or communications including personal information.
All that said, as part of our Security Program, we have specific incident response and management procedures that are activated whenever we become aware that your personal information was likely to have been compromised. Those procedures include mechanisms to provide, when circumstances and/or our legal obligations warrant, notice to all affected data subjects within the timeframes required by law, as well as to give them such other mitigation and protection services (such as credit monitoring and ID theft insurance) as may be required by applicable law. We further require, as part of our vendor and business partner oversight procedures, that such parties notify us immediately if they have any reason to believe that an incident adversely affecting the personal information we provided to them has occurred.
THE CALIFORNIA CONSUMER PRIVACY ACT
When we collect personal information from California residents we become subject to, and those residents have rights under, the California Consumer Privacy Act or “CCPA”. This section of our statement is used to allow us to fulfill our CCPA obligations and explain your CCPA rights. For purposes of this section, the words “you” and “your” mean only such California residents.
What did we collect from California Residents?
We collected the following categories of personal information within the last 12 months:
identifiers such as name, address, IP address, and other similar identifiers
the personal information described in subdivision (e) of Section 1798.80 (California customer records statute) such as a name, address, telephone number, credit card number
commercial information such as products or services purchased
internet/electronic activity such as browsing history and search history
geolocation data including geographic coordinates/physical location
audio, video, electronic or other similar information
We may have disclosed this information for one or more business purposes permitted by the CCPA. Please re-review this part of this privacy statement to understand the scope of purposes and the sources from which we collect it. Similarly, we urge you to re-read this part of this statement where we describe the categories of third parties with which we may share your personal information and why. We do not sell, and within the last 12 months have not sold, personal information to third parties.
Rights of California Residents
You have the following rights under the CCPA. It’s important to us that you know that if you exercise these rights, we will not “discriminate” against you by treating you differently from other California residents who use our sites and mobile resources or purchase our services but did not exercise their rights.
Disclosure – the right to request that we disclose to you, specifically beyond the general statement immediately above, the categories and specific elements of personal information collected including the source of the information, our use of it and, if the information was disclosed or sold to third parties, the categories so disclosed or sold as well as the categories of the third party who received or purchased it.
Access – the right to receive a copy of the categories and specific elements of personal information we collected about you in the preceding 12 months.
Delete – the right to request that we delete the personal information we collected about you under certain circumstances.
You can exercise these rights up to two different times every 12 months. To do so, just contact us at email@example.com or 310.736.7173. We may ask you to fill out a request form. The CCPA only allows us to act on your request if we can verify your identity or your authority to make the request, so you will also need to follow our instructions for identity verification.
If you make a verifiable request per the above, we will confirm our receipt and respond in the time frames prescribed by the CCPA.
THE EU GENERAL DATA PROTECTION REGULATION
We do collect or otherwise obtain personal information from data subjects located in the GDPR Jurisdictions. When we do so, we become subject to, and those data subjects have rights under, the GDPR. We fulfill our GDPR obligations with respect to our workforce/job applicants, our customers (and their own end-clients), and our vendors and business partners through a series of separate notices, contracts or other terms provided to them at the time, and in the manner and form, GDPR and local law within each GDPR Jurisdiction require.
We describe, in the immediately following section of this statement, how we comply with the GDPR for personal information collected from visitors to and users of our online and mobile resources while they were in a GDPR Jurisdiction. Thus for purposes of that section, the words “you” and “your” mean only such GDPR Jurisdiction-based visitors and users.
What do we collect from you in the GDPR Jurisdictions and how do we use it?
We collect from you the categories of personal information already described here. The lawful basis on which we rely for such collection, later use and disclosure is what the GDPR refers to as legitimate interest. We urge you to re-read this part of our statement where we describe how we use your personal information and our legitimate interests as described in that part of our statement, as well as for fraud prevention and similar security-related activities. We urge you to also re-read this part where we describe the categories of third parties with whom we may have shared it. As stated elsewhere in this statement, we do not sell any of your personal information to third parties, nor do we use it for automated decision making.
Cross-border Data Transfers and Third Party Processors
If we transfer personal information from the GDPR Jurisdictions to a location that has not been deemed by the European Commission to have adequate privacy protections, we do so in the manner the GDPR permits under Article 45 as we have self-certified to the EU-US and Swiss-US Privacy Shield.
Rights of Data Subjects in the GDPR Jurisdictions
While we attempt to allow all visitors and users of our online and mobile resources to exercise a degree of control over their personal information, under the GDPR we have a legal obligation to do so for you. More specifically, with respect to personal information collected from you while you were in a GDPR Jurisdiction, you have the below-listed rights:
Transparency – you have the right to ask us to explain the contents of this statement and the notices it provides. You also have the right to ask us whether we have collected any personal information about you. If we have, you then have these additional rights:
Access – you have the right to access the personal information we’ve collected about you.
Correction and Deletion – you have the right, under certain circumstances, to request that we correct inaccuracies, remedy incompleteness, and/or delete the personal information we collected about you.
Portability – you have the right, under certain circumstances, to request a copy of the personal information we have and receive that copy in a GDPR-prescribed form that permits portability either for yourself or by asking us to send it to another controller.
Who, What, Why and Where – you have the right to request that we tell you, specifically, beyond the general statement immediately above:
what categories of personal information we have about you and whether it was collected directly or via another source
why we collected it and use it including whether we use it for automated decision making
who we disclose or transfer it to
where they are located, if outside the GDPR Jurisdictions, and
how long we plan to store it and how we decide whether to delete it
Restriction and Objection – you have the right, under certain circumstances, to restrict us from engaging in some types of further processing of your personal information, as well as to object, at any time, to profiling, direct marketing or other uses of your personal information if we have stated our right to undertake those uses is based on “public interest” or legitimate business interests.
If you would like to exercise any of these rights, please contact firstname.lastname@example.org. Your ability to exercise these rights is subject to certain conditions and exemptions that you can read about in Articles 12 through 23 of the GDPR. Among those conditions is our right to decline part or all of a request if we cannot satisfy our reasonable doubts and concerns about your identity in a manner that helps us minimize the risk that unauthorized persons might use a GDPR right to access your personal information. We will respond to all requests without undue delay, and in accordance with the time frames, if any, prescribed by the GDPR. If you are not satisfied with how we use your personal information or respond to your requests, you have the right to complain to your data protection regulator. Contact information for the EU data protection regulators can be found here.
de la Peña, LLC is fully committed to complying with the US-EU Privacy Shield Framework and Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from EEA member nations, the United Kingdom and/or Switzerland to the United States. de la Peña, LLC has certified to the Department of Commerce that it adheres to both the US-EU and Swiss-US Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability (the “Principles”). The United States Federal Trade Commission (“FTC”) has jurisdiction over our compliance with the Privacy Shield and we are subject to the FTC’s investigatory and enforcement powers. Information regarding the Privacy Shield program and evidence of our certification can be found by visiting https://www.privacyshield.gov/.
Our adherence to the Privacy Shield may be limited to the extent required to satisfy legal obligations including national security or law enforcement requirements. If there is any conflict between the policies in this privacy statement and the Principles, the Principles shall govern with respect to personal information collected from data subjects in the GDPR Jurisdictions.
In compliance with the EU-US and Swiss-US Privacy Shield Principles, de la Peña, LLC commits to resolve complaints about your privacy and our collection or use of your personal information. Inquiries or complaints regarding our Privacy Shield compliance can be directed to us at the email or physical address/phone number. Directing such inquiry/complaint to the specific attention of “Privacy Shield Inquiries and Complaints” will facilitate a more prompt response.
de la Peña, LLC has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
We remain responsible and liable under the Privacy Shield Principles if third-party agents that we engage to process your personal information on our behalf do so in a manner inconsistent with the Principles unless we can prove that we are not responsible for the event giving rise to any harm you may incur.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel for European Union individuals.
CHANGES TO THIS PRIVACY STATEMENT
We reserve the right to change or update this statement from time to time. Please check our online and mobile resources periodically for such changes since all information collected is subject to the statement in place at that time. Typically, we will indicate the effective/amendment date at the beginning of this statement. If we feel it is appropriate, or if the law requires, we’ll also provide a summary of changes we’ve made near the end of the new statement.
If you have questions about our privacy statement or privacy practices, please contact us at:
de la Peña, LLC
Attn: Russell de la Peña
412 N Main St Suite 100
Buffalo, Wyoming 82834