Mather Economics LLC’s (“Mather”, “Company”, “we” or “us”) operations are based on weekly processing of client data through pre-built and custom Extract Transform Load (ETL) processes, econometric models, and structured output. Every week, clients transfer their customer information in flat files to Mather’s secure file transfer protocol (SFTP) site with key information for processing and evaluation of customer metrics. Specific engagement terms, deliverables, and customer and Company responsibilities, including those related to security and confidentiality considerations, are outlined in engagement letters that define service commitments and requirements.
This Privacy Shield Policy (“Policy”) describes how Mather collects, uses, and discloses certain personally identifiable information that we receive in the United States (“US”) and from the European Union (“EU Personal Data”) and the United Kingdom ("UK Personal Data").
Mather conducts an annual self-assessment in order to verify that this Policy is published and implemented within Mather and that it continues to conform to the Privacy Shield. In addition, Mather has obtained an outside verification of its security systems in implementing this Policy by virtue of an audit performed by a third-party independent auditor.
For purposes of enforcing compliance with the Privacy Shield, Mather is subject to the investigatory and enforcement authority of the Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce’s Privacy Shield website located at www.privacyshield.gov. To review Mather’s representation on the Privacy Shield list, see the US Department of Commerce’s Privacy Shield self-certification list located at: www.privacyshield.gov/list.
Personal Data Collection and Use
Mather will only process EU and UK Personal Data in ways that are compatible with the purpose that Mather collected it for, or for purposes the individual later authorizes. Before we use your EU, Swiss and UK Personal Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will provide you with the opportunity to opt out. Mather maintains reasonable procedures to help ensure that EU, Swiss and UK Personal Data is reliable for its intended use, accurate, complete and current.
We do not collect the following categories of sensitive EU, Swiss and UK Personal Data: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data concerning health or sex life. In the event we were to collect sensitive EU, Swiss and UK Personal Data, we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your sensitive EU, Swiss and UK Personal Data to third parties, or before we use your sensitive EU, Swiss and UK Personal Data for a different purpose than we collected it for or than you later authorized.
Mather does not collect EU, Swiss and UK Personal Data from any clients, customers or consumers with whom it transacts business. Pursuant to the terms of engagement between Mather and each Mather client, customer or consumer, Mather requires each client, customer or consumer to transmit all information or data in a form whereby any such information or data is aggregated, scrubbed or “made anonymous” so that any personally identifiable information is not known by Mather at any time, whether prior to, during or following the duration of any engagement.
Mather does not collect EU Personal Data from any clients, customers or consumers with whom it transacts business. Pursuant to the terms of engagement between Mather and each Mather client, customer or consumer, Mather requires each client, customer or consumer to transmit all information or data in a form whereby any such information or data is aggregated, scrubbed or “made anonymous” so that any personally identifiable information is not known by Mather at any time, whether prior to, during or following the duration of any engagement.
Human Resource Data Collection and Use
We may receive certain human resource data from our employees in the normal course of their employment with us (“Human Resource Data”) in the US. We utilize Human Resource Data for payroll processing, to meet governmental tax and reporting requirements, for employee benefit plan administration, for employee communication and for emergency contact purposes. Mather will only process Human Resource Data in ways that are compatible with the purpose that Mather collected it for, or for purposes the individual later authorizes. Before we use your Human Resource Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will provide you with the opportunity to opt out. Mather maintains reasonable procedures to help ensure that Human Resource Data is reliable for its intended use, accurate, complete and current.
We may collect sensitive Human Resource Data such as racial or ethnic origin. In the event we were to collect sensitive Human Resource Data, we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your sensitive Human Resource Data to third parties, or before we use your sensitive Human Resource Data for a different purpose than we collected it for or than you later authorized.
Data Transfers to Third Parties
Third-Party Data Controllers. In the future, we may transfer EU, Swiss and UK Personal Data to unaffiliated third-party data controllers. These third parties will not act as agents or service providers and will not be performing functions on our behalf. In the event we make such transfers, we will only provide your EU, Swiss and UK Personal Data to third-party data controllers where you have not opted-out of such disclosures, or in the case of sensitive EU, Swiss and UK Personal Data, where you have opted-in if the Privacy Shield requires consent. We will enter into written contracts with any unaffiliated third-party data controllers requiring them to provide the same level of protection for EU Personal Data the Privacy Shield requires. We will also limit their use of your EU, Swiss and UK Personal Data so that it is consistent with any consent you have provided and with the notices you have received. If we transfer your EU, Swiss and UK Personal Data to one of our affiliated entities within our corporate group, we will take steps to ensure that your EU, Swiss and UK Personal Data is protected with the same level of protection the Privacy Shield requires.
Disclosures for National Security or Law Enforcement. Under certain circumstances, we may be required to disclose your EU, Swiss and UK Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
Mather maintains reasonable and appropriate security measures to protect EU, Swiss and UK Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield. In addition to the policies and procedures contained herein, Mather has instituted various additional internal policies and protocols relating to password and account security, acceptable use of technology, and IT security.
You may have the right to access the EU, Swiss and UK Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, or deletion of your EU, Swiss and UK Personal Data, you can submit a written request to the contact information provided below. We may request specific information from you to confirm your identity. In some circumstances we may charge a reasonable fee for access to your information.
Questions or Complaints
In compliance with the Privacy Shield Principles, Mather Economics commits to resolve complaints about our collection or use of your personal information. EU, Swiss and UK individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Mather Economics at: email@example.com. Mather Economics has further committed to cooperate with the panel established by the EU and UK data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data and non-human resource data transferred from the EU, UK and Switzerland in the context of the employment relationship.
We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your EU, UK and Swiss Personal Data within forty-five (45) days of receiving your complaint. For any unresolved complaints, we have agreed to cooperate with the EU, UK and Swiss data protection authorities (“DPAs”). Mather commits to cooperating with the DPAs in any investigation and resolution of complaints brought under the Privacy Shield and will comply with any advice given by the DPAs where the DPAs take the view that Mather needs to take specific action to comply with the Privacy Shield. Mather will take any remedial or compensatory measures for the benefit of individuals affected by any non-compliance under the Privacy Shield and will provide the DPAs with written confirmation that such action has been taken. Mather’s liability for the onward transfers is defined in our data processing agreements and other agreements with our clients.
If you are unsatisfied with the resolution of your complaint, you may contact the data protection authorities, http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm, for further information and assistance.
You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with Mather and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see US Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration).
“Authorized Persons” means Mather’s employees, agents, and contractors that have a need to know or otherwise access Personal Data to enable Mather to provide the Services.
“Controller” means a data controller as defined under the GDPR.
“Data Protection Laws” means all international, federal, national and state privacy and data protection laws and regulations to the extent applicable to Mather and the Services. The Data Protection Laws include GDPR, to the extent applicable to Mather.
“Data Security Incident” means any accidental, unauthorized or unlawful access, acquisition, theft, destruction, or disclosure of Personal Data that occurs while such Personal Data is in the possession of or under the control of Mather.
“GDPR” means the EU General Data Protection Regulation 2016/679.
“Personal Data” means information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or “Processing” means any operation or set of operations that are performed upon Personal Data, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise used as set out in the applicable Data Protection Laws.
“Processor” means a processor as defined under the GDPR.
“Services” means Mather’s applied economics consulting services.
“Sub-Processor” shall mean an entity engaged by Mather to assist it in Processing Personal Data in fulfillment of its obligations with regard to the Services.
“Third Party” is any person or entity other than Mather and Client.
2. Data Privacy
Compliance with Laws. Mather agrees to comply with all Data Protection Laws that are applicable to Mather and the Services.
Distribution of Personal Data. Client should provide Mather only with Personal Data that is requested by Mather or that is otherwise necessary for Mather to provide the Services. Mather is not responsible for any other Personal Data. Client must obtain consents from any applicable data subjects before sending Personal Data to Mather.
Limitations on Use of Personal Data. Mather will not Process Personal Data other than for the purpose of providing the Services or as otherwise specified by Client. Mather will not Process Personal Data for the benefit of any Third Party unless directed to do so by Client. Mather will access only the Personal Data that it needs to perform the Services (i.e., no more than necessary).
Restrictions. Except with Client's prior, written approval, on a case-by-case basis, Mather will not: (a) use Personal Data other than as necessary for Mather to provide the Services, (b) disclose, sell, assign, lease or otherwise provide Personal Data to Third Parties (other than to its affiliates or Sub-Processors) except to the extent required or permitted by Data Protection Laws, or (c) merge Personal Data with other data, modify or commercially exploit any Personal Data.
Sensitive Personal Data. Client is advised not to provide Mather with Sensitive Personal Data. "Sensitive Personal Data" means (a) information that reveals a natural person's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, (b) information or data concerning a natural person's health or sex life or sexual orientation; or (c) genetic data or biometric data about a natural person.
Mather may engage Sub-Processors in connection with the provision of the Services, provided, however, that Mather will not provide a Sub-Processor with access to Personal Data unless the Sub-Processor has: (i) a business need to know/access the relevant Personal Data, as necessary for the purposes of the Services; (ii) signed a written obligation of confidentiality or is under professional obligations of confidentiality; and (iii) implemented technical, operational, physical, and organizational safeguards to protect Personal Data against accidental or unlawful destruction or alteration and unauthorized disclosure or access.
Data Subject Rights:
Cooperation. Mather will use commercially reasonable efforts to cooperate and assist with a data subject's exercise of his/her rights under applicable Data Protection Laws with respect to Personal Data Processed by Mather, including, without limitation, the right to be forgotten, the right to data portability, and the right to access data under the GDPR.
Return or Destruction of Data:
Upon the written request of a Client or a data subject, Mather will return Personal Data to Client or the data subject or securely delete Personal Data as soon as reasonably practicable. However, if Mather is required by law to retain Personal Data or if Personal Data is stored in a manner such that it cannot readily be returned or destroyed without affecting other data, then Mather will continue to protect such Personal Data in accordance with this Statement and limit any use to the purposes of such retention.
Security Program Requirements. Mather will maintain a security program that contains administrative, technical, and physical safeguards that are reasonable and appropriate to the complexity, nature and scope of its activities. Mather's security program shall be designed to protect the security and confidentiality of Personal Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage or loss of Personal Data. At a minimum, Mather's security program shall include: (a) limiting access of Personal Data to Authorized Persons; (b) implementing network, application, database, and platform security; (c) means for securing information transmission, storage, and disposal within Mather's possession or control; (d) means for encrypting Personal Data stored on media within Mather's possession or control by using modern acceptable cyphers and key lengths, including backup media; (e) means for encrypting Personal Data transmitted by Mather over public or wireless networks by using modern acceptable cyphers and key lengths; and (f) means for keeping firewalls, routers, servers, personal computers, and all other resources current with appropriate security-specific system patches.
Mather will ensure that its security measures are regularly reviewed and revised to address evolving threats and vulnerabilities.
Data Security Incident Procedures:
Notification. Mather shall notify Client as promptly as reasonably feasible, but in any event within forty-eight (48) hours of becoming aware of a Data Security Incident. Mather shall provide Client with a detailed description of the Data Security Incident, the type of data that was the subject of the Data Security Incident and, to the extent known to Mather, the identity of each affected person, as soon as this information can be collected or otherwise becomes available, as well as all other information and cooperation that Client may reasonably request relating to the Data Security Incident.
Mitigation. Mather agrees to take action immediately, at its own expense, to investigate the Data Security Incident and to identify, prevent, and mitigate the effects of the Data Security Incident and, with Client's prior agreement, to carry out any recovery or other action necessary to remedy the Data Security Incident. Mather will inform Client of the steps it is taking to mitigate the effects of the Data Security Incident and to minimize the chances of another Data Security Incident happening again.
Mather will not issue, publish or make available to any third party any press release or other communication concerning the Data Security Incident without Client's prior written approval or request.
Cooperation. Mather shall provide full cooperation and assistance to Client to enable Client to fulfil its obligations to enable Data Subjects affected by the Data Security Incident to exercise their rights under the Data Protection Laws. Mather will notify Client within three (3) business days of all communications Client receives from an affected Data Subject seeking to exercise his/her right in connection with the Data Security Incident.
Location. Except as is otherwise disclosed to Client, Mather's Processing of Personal Data will occur within the United States of America.
Before providing Personal Data of a European citizen to Sub-Processors, Mather will use commercially reasonable efforts to ensure that the Sub-Processors will either be certified under the EU-US Privacy Shield or that the Sub-Processors execute EU-prescribed Standard Contractual Clauses.
Audit Reports. A copy of Mather's Service Organization Control (SOC) 2 report can be provided upon request. Any such audit reports shall be Mather's confidential information.
If you have any questions about this Policy or would like to request access to your EU, Swiss and UK Personal Data, please contact us at firstname.lastname@example.org.
Changes to this Policy. We reserve the right to amend this Policy from time to time consistent with the Privacy Shield’s requirements.
Effective Date: February 6, 2017 | Last Modified: February 10, 2020