We have received SOC 2 Statement of Controls certification, ensuring that data security and confidentiality controls are suitably designed to meet the AICPA Trust Services criteria.
Mather Economics LLC’s (“Mather”, “Company”, “we” or “us”) operations are based on weekly processing of client data through pre-built and custom Extract Transform Load (ETL) processes, econometric models, and structured output. Every week, clients transfer their customer information in flat files to Mather’s secure file transfer protocol (SFTP) site with key information for processing and evaluation of customer metrics. Specific engagement terms, deliverables, and customer and Company responsibilities, including those related to security and confidentiality considerations are outlined in engagement letters that define service commitments and requirements.
This Privacy Shield Policy (“Policy”) describes how Mather collects, uses, and discloses certain personally identifiable information that we receive in the United States (“US”) from the European Union (“EU Personal Data”).
Mather recognizes that the EU has established strict prohibitions regarding the handling of EU Personal Data, including requirements to provide adequate protection for EU Personal Data transferred outside of the EU. To provide adequate protection for certain EU Personal Data about corporate customers, clients, business partners, job applicants and employees received in the US, Mather has elected to self-certify to the EU-US Privacy Shield Framework administered by the US Department of Commerce (“Privacy Shield”). Mather adheres to the Privacy Shield Principles (the “Principles”) of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement, and Liability.
Mather conducts an annual self-assessment in order to verify that this Policy is published and implemented within Mather and that it continues to conform to the Privacy Shield. In addition, Mather has obtained an outside verification of its security systems in implementing this Policy by virtue of an audit performed by a third-party independent auditor.
For purposes of enforcing compliance with the Privacy Shield, Mather is subject to the investigatory and enforcement authority of the Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce’s Privacy Shield website located at www.privacyshield.gov. To review Mather’s representation on the Privacy Shield list, see the US Department of Commerce’s Privacy Shield self-certification list located at: www.privacyshield.gov/list.
Personal Data Collection and Use
Mather will only process EU Personal Data in ways that are compatible with the purpose that Mather collected it for, or for purposes the individual later authorizes. Before we use your EU Personal Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will provide you with the opportunity to opt out. Mather maintains reasonable procedures to help ensure that EU Personal Data is reliable for its intended use, accurate, complete and current.
We do not collect the following categories of sensitive EU Personal Data: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data concerning health or sex life. In the event we were to collect sensitive EU Personal Data, we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your sensitive EU Personal Data to third parties, or before we use your sensitive EU Personal Data for a different purpose than we collected it for or than you later authorized.
Mather does not collect EU Personal Data from any clients, customers or consumers with whom it transacts business. Pursuant to the terms of engagement between Mather and each Mather client, customer or consumer, Mather requires each client, customer or consumer to transmit all information or data in a form whereby any such information or data is aggregated, scrubbed or “made anonymous” so that any personally identifiable information is not known by Mather at any time, whether prior to, during or following the duration of any engagement.
Human Resource Data Collection and Use
We may receive certain human resource data from our employees in the normal course of their employment with us (“Human Resource Data”) in the US. We utilize Human Resource Data for payroll processing, to meet governmental tax and reporting requirements, for employee benefit plan administration, for employee communication and for emergency contact purposes. Mather will only process Human Resource Data in ways that are compatible with the purpose that Mather collected it for, or for purposes the individual later authorizes. Before we use your Human Resource Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will provide you with the opportunity to opt out. Mather maintains reasonable procedures to help ensure that Human Resource Data is reliable for its intended use, accurate, complete and current.
We may collect sensitive Human Resource Data such as racial or ethnic origin. In the event we were to collect sensitive Human Resource Data, we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your sensitive Human Resource Data to third parties, or before we use your sensitive Human Resource Data for a different purpose than we collected it for or than you later authorized.
Data Transfers to Third Parties
Third-Party Agents or Service Providers. We may transfer EU Personal Data to our third-party agents or service providers who perform functions on our behalf. Where required by the Privacy Shield, we enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process EU Personal Data in accordance with our Privacy Shield obligations and to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of EU Personal Data that we transfer to them.
Third-Party Data Controllers. In the future we may transfer EU Personal Data to unaffiliated third-party data controllers. These third parties will not act as agents or service providers and will not be performing functions on our behalf. In the event we make such transfers, we will only provide your EU Personal Data to third-party data controllers where you have not opted-out of such disclosures, or in the case of sensitive EU Personal Data, where you have opted-in if the Privacy Shield requires consent. We will enter into written contracts with any unaffiliated third-party data controllers requiring them to provide the same level of protection for EU Personal Data the Privacy Shield requires. We will also limit their use of your EU Personal Data so that it is consistent with any consent you have provided and with the notices you have received. If we transfer your EU Personal Data to one of our affiliated entities within our corporate group, we will take steps to ensure that your EU Personal Data is protected with the same level of protection the Privacy Shield requires.
Disclosures for National Security or Law Enforcement. Under certain circumstances, we may be required to disclose your EU Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
Mather maintains reasonable and appropriate security measures to protect EU Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield. In addition to the policies and procedures contained herein, Mather has instituted various additional internal policies and protocols relating to password and account security, acceptable use of technology, and IT security.
You may have the right to access the EU Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, or deletion of your EU Personal Data, you can submit a written request to the contact information provided below. We may request specific information from you to confirm your identity. In some circumstances we may charge a reasonable fee for access to your information.
Questions or Complaints
You can direct any questions or complaints about the use or disclosure of your EU Personal Data to us at email@example.com. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your EU Personal Data within forty-five (45) days of receiving your complaint. For any unresolved complaints, we have agreed to cooperate with the EU data protection authorities (“DPAs”). Mather commits to cooperating with the DPAs in any investigation and resolution of complaints brought under the Privacy Shield and will comply with any advice given by the DPAs where the DPAs take the view that Mather needs to take specific action to comply with the Privacy Shield. Mather will take any remedial or compensatory measures for the benefit of individuals affected by any non-compliance under the Privacy Shield and will provide the DPAs with written confirmation that such action has been taken. If you are unsatisfied with the resolution of your complaint, you may contact the data protection authorities, http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm, for further information and assistance.
You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with Mather and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see the US Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration).
If you have any questions about this Policy or would like to request access to your EU Personal Data, please contact us as follows: Director of Finance and HR at firstname.lastname@example.org.
Changes to this Policy
We reserve the right to amend this Policy from time to time consistent with the Privacy Shield’s requirements.
Effective Date: February 6, 2017
Last Modified: February 2017