First Orion EU-US Privacy Shield Policy (effective February 1, 2017)

Privacy Shield Certification with Department of Commerce Pending

First Orion Corporation, doing business as PrivacyStar™, and its subsidiaries (collectively “First Orion”) provide technology and data to give individuals tools to recognize and manage calls they receive and to help businesses reach the right people. Various features of our Apps are available online, through various PrivacyStar™ applications, through customized privately branded applications, and through customized in-network solutions. These Apps include features to identify unknown callers, block unwanted callers, automatically block known scammers, do reverse telephone number lookups, block all private or unknown callers, and report call violations to the proper authority.

Commitment to Privacy Shield

First Orion commits to conducting its business according to the EU-US Privacy Shield and to applying the Principles to all personal data received from the EU. First Orion and other companies that are registered with the U.S. Department of Commerce Privacy Shield program can be found at https://www.privacyshield.gov.

First Orion has appointed a Chief Privacy Officer (“CPO”) and a Chief Security Officer (“CSO”) who are collectively responsible for internal oversight of First Orion’s privacy and security policies and practices, including EU-US Privacy Shield.  First Orion’s CPO and CSO are available to individuals and employees who have questions concerning its compliance with Privacy Shield or security related matters.

Collection and Use of Personal Data

Personal information received by First Orion from the EU includes both calling and called telephone numbers, identifying information about the owner of the number, call activity including date, time, how long the call lasted, and the type of equipment used to make the call and called.  It also includes complaint information provided by the called party.   First Orion also receives human resource data about UK and EU employees. In some instances First Orion acts as a data controller and in other instances as a processor on behalf of our clients.  First Orion’s policies and compliance practices for each are described below.

First Orion as a Data Controller

When First Orion provides its call management products and services directly to individuals through Apps the individual has downloaded, it is acting as a data controller over the personal data the individual provides through the App, data about calls received and calls made that the App collects in the normal course of operation, and complaints filed by the called party.  This data will be used to deliver, monitor and improve First Orion’s call management services.

When personal data is collected directly from the data subject or through a First Orion App, First Orion provides the data subject with notice and choice in the App, as required by law and by Privacy Shield, regarding the manner and circumstances in which the personal data will be used and transferred to third parties.

First Orion also acts as a data controller when it collects and maintains human resources data on employees, including applications for employment on EU individuals and personnel files on EU employees. Any personal data provided by First Orion employees in the EU during the course of their employment will be handled and transferred in compliance with the requirements of the law of the Member State. Such personal employee data, including sensitive data, will be collected, held, processed and disclosed by First Orion to third party subcontractors, or any other person as may be reasonably necessary, as required by law.

First Orion as a Processor on Behalf of Clients

When First Orion provides its call management products and services through its clients, either through customized privately branded applications, or through customized in-network solutions, it is acting as a processor on behalf of our client. The data First Orion receives will be used to deliver, monitor and improve First Orion’s call management services.

Before starting any processing on behalf of a First Orion client, First Orion will enter into an agreement with the client, an EU controller, that ensures the client is in compliance with all laws applicable to the personal data collected and processed. Furthermore, First Orion agrees to process the data received from the EU controller in accordance with the agreement.  This includes, but is not limited to:

  • not disclosing the data to a third party except where permitted or required by the processing agreement, Privacy Shield, or the applicable local laws,
  • appropriate treatment for any information identified by First Orion’s client as sensitive,
  • appropriate security measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction, and
  • confirmation that data subjects have been provided proper notice and choice about how their data will be used.

Disclosures and Onward Transfers

First Orion may disclose complaint information provided by individuals to the calling party so they may understand the perspective of the called party about their calling practices.

First Orion complies with all obligations in Privacy Shield regarding disclosure or transfer of personal information to a third party.  First Orion takes reasonable steps to ensure that the third party effectively processes the personal information in a manner consistent with First Orion’s obligations under the Principles.

When First Orion uses data processors to perform certain processing tasks on behalf of and under the instruction of First Orion, it requires such processors to either certify under Privacy Shield or another adequacy finding, or enter into a written agreement requiring they process the data only for limited and specified purposes and to provide the same level of protection that First Orion provides. In cases of onward transfer to third parties, First Orion is generally liable for the acts of the third party that are in violation of the Privacy Shield Principles.

First Orion may be required to disclose personal information in response to a lawful request by public authorities, including requests to meet national security or law enforcement requirements.

Education

First Orion commits to educating its clients and employees in the U.S. and in the EU about the issues, guidelines and laws related to compliance with Privacy Shield.

Data Integrity and Security

First Orion takes reasonable steps to ensure the information transferred from the EU to the U.S. is reliable, accurate and complete based on the purposes for which the personal information is used.

First Orion has an information security policy in place to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.  First Orion’s CSO is responsible for conducting investigations into any alleged breach, incident or problem, and ensuring that proper disciplinary action is taken against those who violate First Orion’s information security policy.

Right to Access, Change or Delete Personal Data

Data subjects and employees may contact First Orion with inquiries or complaints about its compliance with Privacy Shield. In addition to access and choice rights provided to data subjects in First Orion applications or through customized privately branded applications, and customized in-network solutions, a data subject or an employee has the right to learn whether First Orion has personal data about him or her, and to correct, amend or delete that personal information when it is inaccurate, subject to other limitations as defined by law. To exercise these rights, a data subject may contact First Orion by using the following link http://firstorion.com/contact/ or by writing to:

First Orion Corp.
Attention: Privacy Officer
500 President Clinton Avenue, Suite 215
Little Rock AR 72201 USA

An employee may exercise these rights by emailing jglasgow@firstorion.com or by writing to the above address.

Enforcement and Disputes

First Orion commits to resolve complaints about the privacy of data subjects and employees and our collection or use of personal information. First Orion will contact the individual and explain the process for filing a complaint.

First Orion is a participant in the U.S. DMA’s Privacy Shield dispute resolution program.  If a data subject cannot resolve a complaint after contacting First Orion, they may pursue recourse by contacting the DMA as follows, free of charge:

Direct & Marketing Association (DMA)

Online complaint form: https://thedma.org/shield-complaint-form/

Mail: Privacy Shield Line
1615 L Street, NW, Suite 1100
Washington DC 20036
FAX: 202-955-0085

Under certain conditions, a data subject or employee may invoke binding arbitration to resolve residual claims.  In addition, First Orion agrees to cooperate with local EU Data Protection Authorities to resolve an EU First Orion employee’s dispute concerning human resources data or an alleged breach of Privacy Shield Principles.

First Orion is subject to the investigatory powers of the Federal Trade Commission (“FTC”).

© 2016 First Orion Corp. All rights reserved.
First Orion Corp., 500 President Clinton Avenue, Suite 215, Little Rock, Arkansas 72001, USA.