This Privacy Shield Policy (“Privacy Shield Policy”) describes how Public Consulting Group, Inc. (“PCG,” “we,” or “us”) collects, uses, and discloses certain personally identifiable information that PCG receives in the United States (“U.S.”) from the European Economic Area (“EEA Personal Data”).
- Introduction. PCG recognizes that the EEA has established strict protections regarding the handling of EEA Personal Data, including, but not limited to, the General Data Protection Regulation (“GDPR”) and other requirements to provide adequate protection for EEA Personal Data transferred outside of the EEA. To provide adequate protection for certain EEA Personal Data about consumers, corporate customers, clients, vendors, business partners, job applicants, and/or employees received in the U.S., PCG has elected to self-certify to the EU-US Privacy Shield Framework administered by the U.S. Department of Commerce (“Privacy Shield”). PCG adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability, which may be viewed at: https://www.privacyshield.gov/EU-US-Framework.
- Privacy Shield Information. For purposes of enforcing compliance with the Privacy Shield, PCG is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission. For more information about the Privacy Shield, please see the U.S. Department of Commerce’s Privacy Shield website located at: https://www.privacyshield.gov. To review PCG’s representation on the Privacy Shield List, please see the U.S. Department of Commerce’s Privacy Shield self-certification list located at: https://www.privacyshield.gov/list.
- Personal Data Collection and Use. In the U.S., PCG may receive EEA Personal Data necessary for financial accounting and human resources purposes, including the following: certain financial transaction detail, vendor / contractor names, client invoices, bank transaction detail, vendor invoices, bank account information, and employee names, demographic, and compensation information. We process EEA Personal Data for the following purposes: maintaining PCG’s financial accounting, and human resources records in the ordinary course of business, which PCG considers to be legitimate interests of the company. PCG will only process EEA Personal Data in ways that are compatible with the purpose for which PCG collected it, or for purposes that the individual later authorizes. Before we use your EEA Personal Data for a purpose that is materially different from the purpose for which we collected it or that you later authorized, we will provide you with the opportunity to opt out. PCG maintains reasonable procedures to help ensure that EEA Personal Data is reliable for its intended use, accurate, complete, and current.
- Sensitive EEA Personal Data. PCG receives certain EEA Personal Data in the U.S. for financial accounting and human resources purposes. However, PCG does not collect or process sensitive EEA Personal Data as defined in Article 9, Section 1 of the GDPR.
- Third-Party Agents or Service Providers. PCG does not sell EEA Personal Data to unaffiliated third parties. Under certain circumstances, PCG may transfer or provide access to EEA Personal Data to third-party agents or service providers that perform functions on PCG’s behalf. The types of third-parties who have access to this kind of data could include:
- Cloud or computer services providers who provide computing or storage services to PCG.
- External professionals who provide services to PCG such as lawyers, accountants, auditors, and HR vendors.
- Government agencies such as tax authorities, as required by law.
- Courts, mediators and litigants if required to do so to protect the rights, property, or safety of PCG, its employees, customers, or others.
We take reasonable and appropriate steps to ensure that third-party agents and service providers process EEA Personal Data in accordance with our Privacy Shield obligations, and to stop and remediate any unauthorized processing. Where required by the Privacy Shield, we enter into written agreements with third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield requires and limiting their use of the data to the specified services provided on our behalf. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of EEA Personal Data that we transfer to them.
- Third-Party Data Controllers. PCG does not transfer EEA Personal Data to unaffiliated third-party data controllers that are not acting as agents or service providers, or performing functions on PCG’s behalf.
- Disclosures for National Security or Law Enforcement. Under certain circumstances, we may be required to disclose your EEA Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
- Security. PCG maintains reasonable and appropriate security measures to protect EEA Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield.
- Access Rights. You may have the right to access the EEA Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, or deletion of your EEA Personal Data, you can submit a written request to the contact information provided below. We may request specific information from you to confirm your identity. In some circumstances, we may charge a reasonable fee for access to your information.
- Questions or Complaints. You can direct any questions or complaints about the use or disclosure of your EEA Personal Data to the PCG Governance, Risk, and Compliance Officer at firstname.lastname@example.org. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your EEA Personal Data within forty-five (45) days of receiving your complaint.
For any unresolved complaints with regard to human resources data, we have agreed to cooperate with the EU data protection authorities (“DPAs”) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship.
For any unresolved complaints with regard to data other than human resources data, we have registered with JAMS, an independent private alternative dispute resolution provider. If you are unsatisfied with PCG’s resolution of your complaint, you may contact JAMS at https://www.jamsadr.com/eu-us-privacy-shield for further information and assistance.
- Binding Arbitration. You also may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your compliant directly with PCG and provided us with the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above in Section 11 of this Agreement; and (3) raised the issue through the relevant data protection authority and allowed the U.S. Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, please see the U.S. Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration) located at: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
- Contact Us.If you have any questions about this Privacy Shield Policy or would like to request access to your EEA Personal Data, please contact us as follows:
PCG Governance, Risk, and Compliance Officer
Public Consulting Group, Inc.
148 State Street, 10th Floor
Boston, MA 02109
Attention: Privacy Shield
For data subjects in the United Kingdom, PCG’s local representative is:
Chief Technology Officer
Public Consulting Group UK Limited
1 Smithy Court, Smithy Brook Road, Wigan WN 6PS
Attention: PCG Privacy Shield
- Changes to This Privacy Shield Policy. We reserve the right to amend this Privacy Shield Policy from time to time consistent with the Privacy Shield’s requirements.