FRA Privacy Notice
Forensic Risk Alliance (FRA) recognizes the importance of your privacy. This privacy notice is meant to inform you about the Personal Data we collect, use, share, or otherwise process in connection with your business relationship with FRA. If you have additional questions about FRA’s data collection practices after reading this notice, please contact us at firstname.lastname@example.org.
This privacy notice is provided in a layered format so you can click through to the specific areas set out below. Alternatively, you can download a pdf version of the notice here. Please also use the Glossary at the end of this document to understand the meaning of some of the terms used in this privacy notice.
1. IMPORTANT INFORMATION AND WHO WE ARE
2. WHAT PERSONAL DATA WE COLLECT?
3. HOW DO WE COLLECT YOUR PERSONAL DATA?
4. FOR WHAT PURPOSES DO WE COLLECT, HOLD, AND USE YOUR PERSONAL DATA?
5. TO WHOM DO WE DISCLOSE YOUR PERSONAL DATA?
6. INTERNATIONAL TRANSFERS
7. INFORMATION SECURITY AND ACCURACY
8. HOW LONG WILL WE RETAIN YOUR INFORMATION?
9. YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
Purpose of this Privacy Notice
This Privacy Notice explains how FRA collects, uses, shares and otherwise processes your Personal Data in connection with your relationship with us in accordance with applicable data privacy laws, including, without limitation, the General Data Protection Regulation (“GDPR”), which has been in effect since 25 May 2018. We may provide supplemental privacy notices on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your Personal Data.
Please note that this notice covers the processing that we carry out as a “data controller” of your Personal Data. FRA is made up of different legal entities which make up the FRA Group, details of which can be found here. This privacy notice is issued on behalf of the FRA Group so when we mention “FRA”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in the FRA Group responsible for processing your data. The EU representative of the FRA Group is Forensic Risk Alliance Limited. Forensic Risk Alliance, Inc. is responsible for this website.
FRA may process your Personal Data where we provide services to our clients. On certain client engagements, we are required to process your data on our client’s behalf and per their instructions and, in such circumstances, we are acting as a “processor”. In such a situation, the data controller of your Personal Data is the company or other business entity which is our client and which instructs us to process your data in connection with using our services. This notice does not cover the processing of your personal data that we carry out as a “processor”.
We have centralized all responsibilities for data protection matters at the FRA Group by appointing a global data privacy manager who is responsible for overseeing all questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your privacy rights, please contact us by email at email@example.com. If you are based in the European Union (EU) you also have the right to make a complaint at any time to your national data protection supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the regulator so please contact us in the first instance.
The term “Personal Data” as used in this privacy notice means any information relating to you from which you can be identified, such as your name, contact details, bank account details etc. Personal Data does not include data from which you can no longer be identified such as anonymized aggregate data.
We may collect different types of Personal Data about you which we have grouped together as follows: Identity Data, Contact Data, Employment Data, Financial Data, Transaction Data, Technical Data, Usage Data and Marketing and Communications Data.
We use different methods to collect Personal Data from and about you including through:
Where you use third-party social networking sites, the third-party social networking site controls the information it collects from you. For information about how they may use and disclose your information, including any information you make public, please consult their respective privacy policies. FRA is not responsible for the content or privacy practices of those other third-party websites.
We collect Personal Data about you for various purposes including so that we can perform our business activities and functions, comply with our legal, regulatory and contractual obligations, and to provide our services to you.
Most commonly, we will use your Personal Data:
Click here to find out more about the types of lawful bases that we will rely on to process your Personal Data.
We have set out below, in a table format, a description of the ways we plan to use your Personal Data, and information on which of the legal bases we rely on to do so. Where we rely on legitimate interests as the legal basis, we have also identified what our legitimate interests are, where appropriate.
Please note that we may use or disclose Personal Data if we are required by law to do so or if we reasonably believe that use or disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
What we may need from you
We may need to request specific information from you from time to time to help us confirm your identity and ensure your right to access Personal Data (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
What if you do not provide the personal data we request?
It is in your sole discretion to provide Personal Data to us. If you do not provide us with all or some of the Personal Data we request, we may not be able to provide all or some of our services, to enter into a contract with you or to send you company updates, industry news and invitations to our events.
Marketing and Business Development
We collect or generate information about you for the purposes of client relationship management, including marketing, business development and event management. Specifically, this includes information regarding email and/or mailing preferences, event and meeting attendance, areas of business interest, records of correspondence with you and individuals connected to your business via post, telephone, email or online. Most information we collect about you comes from our direct interactions with you or publicly available information.
We may send you marketing communications if you have asked to receive such communications, if you are a client or if you are a business contact on the basis of legitimate interests and if you have not opted out of receiving that marketing.
We may share your Personal Data with third parties we work with for the purposes of hosting events.
We provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising. You can view and make certain decisions about the use of your Personal Data at our preference center.
You can ask us to stop sending you marketing messages at any time by unchecking relevant boxes to adjust your marketing preferences through our preference center, by following the opt-out links on any marketing message sent to you, or by contacting us at any time by sending us an email at firstname.lastname@example.org.
Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided to us as a result of service purchase, service experience or other transactions.
We may share your Personal Data with the parties set out below for the purposes for which we will use your Personal Data as set out in Section 4.
We may have to transfer your Personal Data from the European Economic Area (EEA) to an FRA office or a third party outside of the European Economic Area. When we do, we will always ensure that there is a legal basis and a relevant safeguard method for such data transfer so that your Personal Data is treated in a manner that is consistent with EU laws and other applicable laws and regulations on data protection. Measures include:
Please contact us at email@example.com if you want further information on the specific mechanism used by us when transferring your Personal Data out of the EEA.
We have implemented appropriate physical, administrative and technical safeguards to help us protect your Personal Data from unauthorized access, use and disclosure. We also require that our suppliers protect such information from unauthorized access, use and disclosure. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
Upon expiration of the applicable retention period we will securely destroy your Personal Data in accordance with applicable laws and regulations.
We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
You have rights you can exercise under certain circumstances in relation to your Personal Data that we hold, such as:
You may have additional rights applicable to you under local law. If you wish to exercise any of the rights set out above, please contact us by email at firstname.lastname@example.org.
Changes to this Privacy Notice
We reserve the right to update this privacy notice at any time, and we will make an updated copy of such privacy notice available on our website.
The date of last revision will be updated so that you will always be able to understand what data we collect, how we use your data, and under what circumstances we may share your data with others.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed by sending us an email at email@example.com if your Personal Data changes during your relationship with us.
Types of Personal Data:
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your information where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your Personal Data where it is necessary for compliance with a legal obligation that we are subject to.
EU-US and Swiss-US Privacy Shield
In compliance with the Privacy Shield Principles, Forensic Risk Alliance commits to resolve complaints about our collection or use of your Personal Information. EU or Swiss individuals with inquiries or complaints regarding our Privacy Shield Policy should first contact Forensic Risk Alliance at:
Forensic Risk Alliance
c/o Privacy Complaints Department
Kacey Murphy / Gregory Mason
40 Westminster Street
Providence, RI 02903
Forensic Risk Alliance has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to you.
Forensic Risk Alliance complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU and Switzerland, including the onward transfer liability provisions. Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Forensic Risk Alliance’s participation in the Privacy Shield applies to Personal Data received from the EU / EEA and Switzerland. Forensic Risk Alliance will comply with the Privacy Shield Principles in respect of such Personal Data. Some types of Personal Information may be subject to additional privacy-related requirements and policies, which are consistent with the Privacy Shield Principles.
The types of data Forensic Risk Alliance can potentially process generally fall into two categories.
Choice and Accountability for Onward Transfer
Information Security and Data Integrity
Forensic Risk Alliance is ISO 27001 certified and has reasonable security policies and procedures in place to protect Personal Information from unauthorized loss, misuse, alteration, or destruction. Forensic Risk Alliance’s ISO 27001 certification can be found here: https://www.forensicrisk.com/certification-iso27001/. Despite Forensic Risk Alliance’s best efforts, however, security cannot be absolutely guaranteed against all threats. To the best of Forensic Risk Alliance’s ability, access to your Personal Information is limited to those who have a need to know.
When Forensic Risk Alliance collects Personal Information directly from custodians, we generally offer those custodians the opportunity to choose whether their Personal Information may be (i) disclosed to third party contractors, or (ii) used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorized by the relevant custodian. To the extent required by the Privacy Shield Principles, Forensic Risk Alliance obtains opt-in consent for certain uses and disclosures of Sensitive Data. Consumers may contact Forensic Risk Alliance as indicated below regarding the company’s use or disclosure of their Personal Information. Unless Forensic Risk Alliance offers custodians an appropriate choice, the company uses Personal Information only for purposes that are materially the same as those indicated in this Policy.
Forensic Risk Alliance shares Consumer Personal Information with its affiliates and subsidiaries. Forensic Risk Alliance may disclose Consumer Personal Information without offering an opportunity to opt out, and may be required to disclose the Personal Information, (i) to third-party Processors the company has retained to perform services on its behalf and pursuant to its instructions, (ii) if it is required to do so by law or legal process, or (iii) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. Forensic Risk Alliance also reserves the right to transfer Personal Information in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).
If Forensic Risk Alliance holds your Personal Information, under most circumstances you have the right to reasonable access to that data to correct any inaccuracies. You can also make a request to update or remove information about you by contacting firstname.lastname@example.org, and Forensic Risk Alliance will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards.
Recourse, Enforcement and Liability
Forensic Risk Alliance commits to resolve complaints about your privacy and its collection or use of your Personal Information in compliance with the EU-US and Swiss-US Privacy Shield Principles. Please contact Forensic Risk Alliance at: email@example.com should you have a Privacy Shield-related (or general privacy-related) complaint.
If you are a resident of the EU/EEA or Switzerland, and you have a complaint related to this Policy that cannot be resolved with Forensic Risk Alliance directly, you may report your claim to the EU/EEA or Swiss Data Protection Authorities located in your jurisdiction. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means.
Forensic Risk Alliance is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC).
Questions and Comments