CARCO Group, Inc., including its subsidiary CARCO Driver IQ LLC, (collectively "CARCO") participates in the EU/US Privacy Shield program administered by the United States Department of Commerce ("Privacy Shield") and has certified to the Department of Commerce that CARCO adheres to the Privacy Shield Principles. As part of our participation in the Privacy Shield, CARCO has committed to processing all personal data CARCO receives from EU member states and other participating countries in reliance on the Privacy Shield ("from the EU") in accordance with its Privacy Shield commitments. This privacy statement applies only to personal data transferred pursuant to the Privacy Shield. To learn more about the Privacy Shield program, and to view CARCO Group, Inc.'s certification, please visit: https://www.privacyshield.gov/list.
CARCO also complies, where applicable, with U.S. laws, particularly the Fair Credit Reporting Act ("FCRA" 15 U.S.C. §§ 1681 et seq.) and its state counterparts, which provide privacy protections for consumer personal data contained in "consumer reports." In the event of a conflict between this Privacy Shield Privacy Statement and the FCRA or other applicable laws, CARCO will comply with its obligations under the FCRA or other applicable US law. CARCO's Privacy Shield Privacy Statement is organized around the following principles:
1. NOTICE
At CARCO, we notify individuals about the purposes for which we collect and use information about them, choices they have regarding certain uses and disclosures of their personal data, and how to contact us with inquiries or complaints. We provide this notice either directly, such as through this privacy statement, or through our customers.
CARCO collects personal data for the purpose of providing a variety of information products and services to employers and other CARCO customers. For example, CARCO may collect identification information and information such as information about an individual's employment history, educational qualifications, credit history, or criminal history for the purpose of preparing and providing employment screening services to our customers. CARCO may collect employment application information on behalf of our customers, such as through a customer-branded applicant portal. We also may collect similar information for investigative or due diligence purposes and other non-employment purposes.
2. CHOICE
In many cases, the reports that we prepare are prepared with the express consent of the individual. For example, the subject of a consumer report issued for employment purposes must provide express authorization ("opt-in"), typically through the employer or prospective employer, before CARCO may furnish the report. In other cases, CARCO offers individuals the opportunity to choose (opt out) whether their personal data is (i) to be disclosed to a third party (other than our service providers performing tasks on CARCO's behalf pursuant to a contract or a customer on whose behalf we are processing it) or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.
For sensitive information (i.e., personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual or information designated by the transferring organization as sensitive), CARCO obtains (directly or through a third party, such as our customer) affirmative express consent (opt-in) from individuals, with certain exceptions permitted by the Privacy Shield program, if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.
We are committed to providing individuals with clear, conspicuous, and readily available mechanisms to exercise choice. Therefore, in addition to any other mechanisms that may be provided in particular cases, individuals may opt-out by contacting CARCO using the points of contact in the "Contact Us" section below.
3. ACCOUNTABILITY FOR ONWARD TRANSFER
CARCO discloses personal data that it collects to its customers for employment screening, due diligence, or similar purposes. CARCO may disclose personal data to its service providers. CARCO also may be required to disclose personal data in response to lawful requests by public authorities, including disclosures to meet national security or law enforcement requirements. CARCO's disclosure of personal data to third parties is governed by the Notice and Choice Principles described above, and, for the purpose of providing consumer reports to third parties, CARCO complies with FCRA requirements.
When transferring personal data to our customers or other third-party controllers (i.e., entities that will control how personal data is processed), we comply with the Notice and Choice Principles as described above. Consistent with Privacy Shield timing requirements for onward transfer compliance, CARCO will enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made, the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.
As noted above, CARCO also may transfer personal data to service providers acting on its behalf. In such cases, consistent with Privacy Shield timing requirements for onward transfer compliance, CARCO will
- transfer such data only for limited and specified purposes;
- ascertain that the service provider is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield Principles;
- take reasonable and appropriate steps to ensure that the service provider effectively processes the personal data transferred in a manner consistent with CARCO's obligations under the Principles;
- require the service provider to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
- upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- provide a summary or a representative copy of the relevant privacy provisions of its contract with that service provider to the Department of Commerce upon request.
4. SECURITY
CARCO takes reasonable and appropriate measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alternation, and destruction, taking into account the risks involved in the processing and nature of the personal data.
5. DATA INTEGRITY AND PURPOSE LIMITATION
CARCO limits the personal data it collects to information that is relevant for the purposes of processing. CARCO does not process personal data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, CARCO takes reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. In the case of consumer reports, CARCO meets this obligation by complying with FCRA requirements, including a requirement that consumer reporting agencies follow reasonable procedures to ensure maximum possible accuracy.
CARCO takes reasonable and appropriate measures to retain personal data only for as long as CARCO has a legitimate legal or business need to do so, such as customer service, compliance with legal or contractual retention obligations, retention for audit purposes, security and fraud prevention, preservation of legal rights or other reasonable purposes consistent with the purpose of the collection of the information. CARCO will adhere to the Principles for as long as it retains personal data transferred in reliance upon the Privacy Shield.
6. ACCESS
It is CARCO's policy to provide individuals with access to personal data about them that CARCO holds about them and provides them with a means to request the correction, amendment, or deletion of that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
Many CARCO products are governed by the FCRA. Where applicable, CARCO provides access and correction rights in accordance with FCRA requirements. The FCRA specifies the rights of consumers to obtain a disclosure of the contents of the consumer reporting file that CARCO maintains about them, if any. The FCRA also provides consumers with rights to dispute the contents of their file and, if warranted, to have the contents corrected or deleted.
Of course, whether the consumer personal data is covered by the FCRA or by our Privacy Shield Principles, CARCO requires that an individual provide reasonable verification of their identity before we provide access to personal data. To access your CARCO file and obtain any of the remedies discussed in this section please contact CARCO using the points of contact in the "Contact Us" section below.
7. RECOURSE, ENFORCEMENT AND LIABILITY
CARCO internally monitors and assesses our compliance with our Privacy Shield Privacy statement and our Privacy Shield obligations. Under the Privacy Shield Principles, CARCO may be liable in the event that a service provider to whom CARCO transfers personal data such personal data in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. An individual with an inquiry or complaint may contact us using the mailing or email address below.
In the case of human resources data CARCO has agreed to cooperate with a panel of European Data Protection Authorities created for that purpose.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/reques
Individuals also may be able to invoke binding arbitration, under certain circumstances where permitted by the Privacy Shield program, if the individual believes there has been a violation of Privacy Shield requirements that has not been appropriately addressed by CARCO.
CARCO's compliance with its Privacy Shield obligations also is subject to investigation and enforcement by the U.S. Federal Trade Commission. CARCO also is required by the Privacy Shield program to respond promptly to inquiries and requests for information from the U.S. Department of Commerce.
8. PUBLIC RECORD AND PUBLICLY AVAILABLE INFORMATION
In accordance with Privacy Shield, in cases where CARCO discloses public records or publicly available information from the EU without combining that information with non-public information, our general policies on Notice, Choice, and Accountability for Onward Transfer may not apply.
9. CONTACT US
If you have any inquiries or complaints regarding this policy or our privacy practices, contact us at 5000 Corporate Court, Suite 203, Holtsville, NY, 11742 or privacypolicy@carcogroup.com.
10. POLICY CHANGES
CARCO reserves the right to change their policy from time to time, consistent with the Privacy Shield Principles.
Effective 09/01/2016