This Statement is effective as of December 2018
As the Privacy Shield only applies to personal data transferred from European Economic Area (EEA) and from Switzerland to the United States, this Statement only applies to personal data from the EEA and Switzerland that is hosted in the United States through the Privacy Shield-Certified Cloud Services or for select offerings when the data is hosted outside the United States but the Cloud Service processing is temporarily directed to a United States data center to enable continued availability and resiliency. This Policy does not otherwise apply when clients choose to have their offering content hosted in other countries.
HCMI’s Privacy Shield-Certified Cloud Services process content (which may include the personal data of individual end users) on behalf of enterprise clients. In this scenario, and as provided below, HCMI may direct inquiries from individual end users to the enterprise client that oversees the use of their personal data.
All personal data received from the EEA and Switzerland in connection with Privacy Shield-Certified Cloud Services is subject to the Privacy Shield principles as described in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, respectively, which apply to all HCMI affiliates that process personal data associated with Privacy Shield-Certified Cloud Services.
To learn more about the Privacy Shield Program, or to view the certification applicable to certain HCMI Cloud Services, please visit www.privacyshield.gov.
Personal Data: Types and Purpose for Use
The types of personal data that Privacy Shield-Certified Cloud Services collect will vary based on the type and nature of each offering, and is described in its offering documentation or as otherwise provided by HCMI. HCMI uses such personal data as needed to deliver the Cloud Service, along with additional purposes that may be described in the corresponding TD or Attachment.
Use of Subprocessors
HCMI may use processors and subprocessors (including personnel and resources) in locations worldwide to deliver the Cloud Services. A list of subprocessors is available upon request. If HCMI subcontracts the performance of any of the Cloud Services pursuant to any Attachment or TD, HCMI will be liable to the Client for the acts and omissions of HCMI subcontractors as if they were the acts or omissions of HCMI under the agreement governing the Cloud Services (subject to the limits and exclusions of liability).
Regulatory Authority and Disclosures
HCMI is subject to investigatory and enforcement powers of the Federal Trade Commission in the United States in connection with its Privacy Shield program. HCMI may also be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Additional Information for End Users
If end users have any questions or complaints concerning HCMI’s processing of personal data on behalf of an HCMI enterprise client, they are invited to contact the enterprise client directly, or they may contact HCMI here. End users who wish to access the personal data that HCMI hosts on behalf of an enterprise client, or to make choices concerning their data, are invited to contact the enterprise client directly.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield. In addition, and as described in the Privacy Shield Principles, you may also have the option of invoking binding arbitration after other dispute resolution procedures have been exhausted.
Account data -- i.e. all information about HCMI’s clients or their users provided to or collected by HCMI (including through tracking and other technologies, such as cookies) – is covered by the HCMI Online Privacy Statement.