CDS GLOBAL DATA PRIVACY FRAMEWORK STATEMENT
CDS GLOBAL DATA PRIVACY FRAMEWORK STATEMENT
Last Updated: October 9, 2023
CDS Global, Inc. (“CDS Global”, “we”, “our” or “us”) complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred to us from the European Union as well as Norway, Liechtenstein and Iceland, the United Kingdom (and Gibraltar) or Switzerland (collectively, the “EEA, UK and Switzerland”) to the United States. CDS Global has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. CDS Global has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Data Privacy Framework Statement and the principles set forth in the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF or Swiss-U.S. DPF (“Data Privacy Framework Principles”), the Data Privacy Framework Principles shall govern. The Federal Trade Commission has jurisdiction over CDS Global’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). To learn more about the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework and to view our certification, please visit https://www.dataprivacyframework.gov
CDS Global obtains personal information about EEA, UK and Swiss consumers as a data processor when providing services on behalf of and as instructed by our clients or our affiliates (collectively, “Clients”). In addition, we obtain as a data controller personal information about EEA, UK and Swiss representatives of Clients, potential Clients, service providers, suppliers and other business partners in association with our business operations and in connection with the operation of the CDS Global website, www.cds-global.com and the country-specific webpages that link to the CDS Global Privacy Notice (collectively, the “Site”). CDS Global also obtains personal information about EEA, UK and Swiss consumers who directly engage with certain CDS Global products directed to consumers (e.g., our digital authentication service (single sign-on)) (collectively, the “Consumer Offerings”), which products may be offered on Clients’ websites or apps.
For the purposes of this Data Privacy Framework Statement, the personal information transferred from the EEA, UK and Switzerland to us, when operating as a data processor or as a data controller, is referred to collectively as “DPF Information.” As our processing activities vary depending on whether we are acting as a processor or controller, we have described our processor and controller policies and compliance practices separately below.
In accordance with the Data Privacy Framework Principles, CDS Global remains liable for any processing of DPF Information by third parties that provide services or handle transactions on our behalf where such processing is inconsistent with the Data Privacy Framework Principles, unless CDS Global was not responsible for the event giving rise to any alleged damage.
CDS Global may be required to disclose DPF Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
DISPUTE RESOLUTION
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we commit to resolve Data Privacy Framework Principles-related complaints about the collection and use of your DPF Information. EEA, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact us at info@cds-global.com.
In addition, in compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we commit to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to the claimant. In certain circumstances, the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework provide the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Data Privacy Framework.
CDS GLOBAL AS A PROCESSOR
CDS Global provides services to Clients pursuant to Client instructions. Such services include order management, fulfillment, customer support, and marketing. As a data processor acting on behalf of our Clients, CDS Global obtains DPF Information about EEA, UK and Swiss consumers. The information obtained varies from Client to Client and is specified by each Client. Typically this includes names, mailing addresses, email addresses, telephone numbers, payment information, demographics and information about interactions with emails or digital platforms.
As a data processor, CDS Global does not have a direct relationship with Clients’ consumers. When processing DPF Information of EEA, UK and Swiss Consumers, CDS Global applies the Data Privacy Framework Principles as follows:
- Before processing on behalf of Clients established in the EEA, UK and Switzerland, CDS Global will enter into processing contracts with such Clients to comply with applicable data protection laws.
- Such processing contracts will contain data privacy and data security requirements.
- CDS Global accesses and discloses DPF Information of EEA, UK and Swiss consumers to third parties only as permitted or required by the relevant processing contracts, Data Privacy Framework Principles, and applicable European data protection laws.
- CDS Global has in place measures to protect DPF Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
EEA, UK and Swiss individuals have rights to access personal information about them and to limit use and disclosure of such information. EEA, UK and Swiss consumers who wish to request access to, limit the use of, or limit disclosures of DPF Information we process on behalf of a Client can contact the relevant Client who is the controller of the DPF Information. CDS Global cooperates with Clients to address EEA, UK and Swiss consumers’ requests in relation to DPF Information and supports Clients as needed to respond to the request.
CDS GLOBAL AS A CONTROLLER
CDS Global receives DPF Information in association with providing its Consumer Offerings and operating the Site, and we receive personal information of EEA, UK and Swiss representatives of current and prospective Clients, vendors, and service providers. CDS Global is a data controller in relation to this type of DPF Information.
The Consumer Offerings: We collect and handle personal information obtained in connection with our Consumer Offerings as described in the Privacy Notice applicable to each Consumer Offering. If in connection with a Consumer Offering information is transferred to us from the EEA, UK and Switzerland, we process the information in accordance with the Data Privacy Framework Principles. The applicable Privacy Notice to each Consumer Offerings provides further information about:
- The types of personal information we collect;
- The purposes for which we collect and use personal information; and
- The types of third parties with which we share personal information.
The Site: We collect and handle personal information in association with the operation of the Site as described in the CDS Global Privacy Notice posted on the Site. When the information is transferred to us from the EEA, UK and Switzerland, we process the information in accordance with the Data Privacy Framework Principles. The CDS Global Privacy Notice provides further information about:
- The types of personal information we collect;
- The purposes for which we collect and use personal information; and
- The types of third parties with which we share personal information.
Business Operations: In the ordinary course of business, CDS Global receives personal information of EEA, UK and Swiss representatives of current and prospective Clients, vendors, and service providers. The information we receive in such contexts typically consists of names, business contact information, job titles, and organizational affiliations. We use and share such information to enter into and fulfill our contracts; for our legitimate business purposes, including in the context of corporate transactions or restructuring; and as needed to comply with applicable laws. Where such information is transferred to us from the EEA, UK and Switzerland, CDS Global handles this information in accordance with the Data Privacy Framework Principles.
EEA, UK and Swiss individuals have the following rights with regard to DPF Information for which CDS Global is a data controller:
- To obtain confirmation of whether CDS Global is processing such information;
- To access such information so that they can verify its accuracy and the lawfulness of processing;
- To limit the use and disclosure of their personal data; and
- To have such information corrected, amended, or deleted where it is inaccurate or processed in violation of the Data Privacy Framework Principles, except where the legitimate rights of persons other than the individual would be violated or the burden or expense of providing these rights would be disproportionate to the risks to the individual’s privacy in the case in question.
EEA, UK and Swiss individuals who wish to discuss or exercise such rights should contact CDS Global using the details provided below.
If CDS Global, as a controller, processes DPF Information for a new purpose that is materially different from that for which the information was originally collected or subsequently authorized, or if such DPF Information is to be disclosed to a non-agent third party, CDS Global will provide an opportunity for EEA, UK and Swiss individuals to choose whether to have their DPF Information so used or disclosed. Requests to opt out of such uses or disclosures of personal information should be sent using the details provided below.
CONTACT US
To contact CDS Global with regard to any issues under this Data Privacy Framework Statement, please write to us at info@cds-global.com.