PRIVACY POLICY and NOTICE
EU-U.S. DATA PRIVACY FRAMEWORK (DPF)
SWISS-U.S. DATA PRIVACY FRAMEWORK
UK EXTENSION TO THE EU-U.S. DPF
COMMITMENT TO COMPLY WITH THE EU-U.S. Data Privacy Framework (DPF), THE UK EXTENSION TO THE EU-U.S. DPF, AND THE SWISS-U.S. DPF
Saturn Corporation complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, Switzerland, and the United Kingdom. Saturn Corporation has certified that it adheres to the Data Privacy Framework principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the EU-U.S. DPF Framework and to view Saturn Corporation’s certification, please visit the U.S. Department of Commerce at: https://www.dataprivacyframework.gov.
COMMITMENT TO COMPLY WITH GDPR
The General Data Protection Regulation (GDPR) in the EU, UK and Switzerland applies to controllers and processors. The controller says how and why personal data is processed and the processor acts on the controller’s behalf. The processor is Saturn Corporation.
INFORMATION COLLECTION & DATA SUBJECT’S CHOICE
The Saturn Corporation, as a data processor and a SaaS provider, collects and maintains data on behalf of its clients for the purpose of maintaining the clients’ database for fundraising and membership applications. Data subjects have the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. See mechanism for data privacy complaints.
DATA SUBJECTS ACCESS
Saturn Corporation, as a processor on behalf of its clients, will provide access to personal information about them that an organization holds and, specifically with the organization’s permission, will be able to correct, amend or delete that information where it is inaccurate or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of persons other than the individual would be violated.
AUDITS AND INSPECTIONS
The Saturn Corporation will submit to audits and inspections and provide its clients with whatever information they need to ensure that both Saturn and our client meet their Article 28 obligations. Saturn Corporation will communicate with our client immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
THIRD-PARTY DATA SOURCES
The Saturn Corporation does not share this information with anyone without the consent of the client for whom the service is provided. On limited occasions, the Saturn Corporation may transfer data to third parties to deliver the services they have been contracted to perform, and they are prohibited from using the data for any other purpose. In the case of onward transfers to third parties, the Saturn Corporation is potentially liable.
INFORMATION SECURITY
The Saturn Corporation has implemented responsible industry-standard security policies, standards, and practices designed to protect information from internal and external threats by using state of the art firewall and virus protections and password secure access.
WEBSITE PRIVACY
Saturn Corporation website is available to the public and is used for advertising its products and services to give prospective business clients the opportunity to communicate with us if they desire. Saturn Corporation may collect contact details if provided by the prospect if they are interested in our services. This information is shared with our business development and sales teams who will respond to their inquiries. Saturn Corporation does not share this information with third party outsiders. Saturn Corporation does not use cookies on its website.
ONWARD TRANSFERS
The Saturn Corporation acts as a processor on behalf of its clients, with appropriate contracts with its clients in the European Union, Switzerland and the United Kingdom. In the case of onward transfers to third parties, the Saturn Corporation is potentially liable.
DATA SECURITY
The Saturn Corporation will not disclose to third parties personal data processed in this capacity, except as permitted or required by the processing agreement with its clients, Data Privacy Principles, applicable Member State data protection law, or as otherwise required by law. The Saturn Corporation has reasonable security measures in place to help protect the data. See Data Management Manual for further information.
INDEPENDENT RECOURSE MECHANISM FOR PRIVACY COMPLAINTS
In compliance with the Data Privacy Principles, the Saturn Corporation commits to resolve complaints about our collection or use of your personal information. EU, Swiss and the United Kingdom individuals with inquiries or complaints regarding our Data Privacy policy should first contact the Saturn Corporation at:
Email: fielding@saturncorp.com
Mail:
Saturn Corporation
9701 Apollo Drive
Suite 237
Largo, MD 20774
Telephone: 301-772-4510
The Saturn Corporation has further committed to refer unresolved complaints to the ASSOCIATION OF NATIONAL ADVERTISERS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit the ASSOCIATION OF NATIONAL ADVERTISERS for more information or to file a complaint. The services of the ASSOCIATION OF NATIONAL ADVERTISERS are provided at no cost to you for personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction.
Online complaint form: https://ana.net/dpf-consumers
Mail:
ANA DPF Dispute Resolution
Association of National Advertisers
2020 K Street, NW- Suite 660
Washington, DC 20006
Web: https://www.ana.net/dpf-consumers
In the event complaints to Saturn Corporation and the ASSOCIATION OF NATIONAL ADVERTISERS do not result in a satisfactory resolution, a consumer may seek binding arbitration. Additionally, if the consumer has a national security concern, the consumer can contact the Ombudsperson at the Department of State at https://www.state.gov/s/ombudsman/
ENFORCEMENT
Saturn Corporation is subject to the investigatory and enforcement power of the Federal Trade Commission. We are required to disclose personal information in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
CONTACT INFORMATION
For questions or comments related to the Saturn Corporation’s Privacy Policy, please contact the following:
Fielding W. Yost
Saturn Corporation
9701 Apollo Drive
Suite 237
Largo, MD 20774
301-772-4510
fielding@saturncorp.com
Saturn Corporation provides cloud-based SaaS enterprise-class CRM technology solutions. ©2018. All Rights Reserved.
Saturn collects no information on consumers who browse our Web page. Saturn does not share information with other organizations for commercial purposes. If Saturn is supplied by a client with a postal address on-line, the client will only receive the information for which the client provided us the address.
Saturn complies with the EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework and the United Kingdom Extension to the EU-U.S. Data Privacy Framework set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, United Kingdom and Switzerland. Saturn has certified that it adheres to the Data Privacy Framework principles of notice, choice, onward transfer, security, data integrity, access and enforcement.
The General Data Protection Regulation (GDPR) in the EU, UK and Switzerland applies to “controllers” and “processors”. The controller says how and why personal data is processed and the processor acts on the controller’s behalf.
Saturn, as a data processor and a SaaS provider, collects and maintains data on behalf of our clients for the purpose of maintaining the client’s database for fundraising and the recording of supporter engagement. Data subjects have the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. See mechanism for privacy complaints.
Saturn, as a processor on behalf of our clients and their data subjects, will provide access to personal information about them that the client holds and, specifically with the organization’s permission, will be able to correct, amend or delete that information where it is inaccurate or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of the persons other than the individual would be violated.
Saturn does not share this information with anyone without the consent of our clients for whom the service is provided. Saturn has implemented responsible industry-standard security policies, standards and practices designed to protect information from internal and external threats by using state of the art firewall and virus protections and password secure access. See Data Management manual.
Saturn acts as a processor on behalf of our clients with appropriate contracts with its clients and in the case of onward transfers to third parties will not disclose personal data processed except as permitted or required by the processing agreement. See Data Management Manual for information.
Saturn Corporation will submit to audits and inspections, provide the controller with whatever information it needs to ensure that both are meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
In compliance with the Data Privacy Framework Principles, the Saturn Corporation commits to resolve complaints about our collection or use of the personal information of the client’s data subjects.
See the Saturn website for the independent recourse mechanism for Data Privacy Framework Principles complaints. www.saturncorp.com.
EU REPRESENTATIVE
In compliance with Article 27 of the General Data Protection Regulation, which applies to companies that are not established in the EU, United Kingdom and Switzerland but that monitor or process the personal data of people within the EU, United Kingdom and Switzerland, Saturn has appointed an EU-based representative to act as its Europe-facing point of contact for individuals and local data protection authorities. The temporary representative is:
Belinda Meacher-Davies
+447788253327
bmeacher@saturncorp.com
Associations:
PCI DSS
Association of National Advertisers
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. This landmark law secures new privacy rights for California consumers, including:
Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.
Frequently Asked Questions (FAQs)
These FAQs provide general consumer information about the CCPA and how you can exercise your rights under the CCPA. They are not legal advice, regulatory guidance, or an opinion of the Attorney General. We will update this information periodically.
A. GENERAL INFORMATION ABOUT THE CCPA
If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information and not to sell your personal information. You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.
Only California residents have rights under the CCPA. A California resident is a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state.
Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.
Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records.
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
No. The CCPA does not apply to nonprofit organizations or government agencies.
You cannot sue businesses for most CCPA violations. You can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances. You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. If you want to sue for statutory damages, you must give the business written notice of which CCPA sections it violated and give it 30 days to give you a written statement that it has cured the violations in your notice and that no further violations will occur. You cannot sue for statutory damages for a CCPA violation if the business is able to cure the violation and gives you its written statement that it has done so, unless the business continues to violate the CCPA contrary to its statement.
For all other violations of the CCPA, only the Attorney General can file an action against businesses. The Attorney General does not represent individual California consumers. Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California. If you believe a business has violated the CCPA, you may file a consumer complaint with the Office of the Attorney General. If you choose to file a complaint with our office, explain exactly how the business violated the CCPA, and describe when and how the violation occurred. Please note that the Attorney General cannot represent you or give you legal advice on how to resolve your individual complaint.
You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following:
- Your social security number
- Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
- Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
- Your medical or health insurance information
- Your fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)
This personal information must have been stolen in nonencrypted and nonredacted form.
B. REQUESTS NOT TO SELL PERSONAL INFORMATION
(RIGHT TO OPT-OUT OF SALE)
You may request that businesses stop selling your personal information (“opt-out”). With some exceptions, businesses cannot sell your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale of your personal information.
Businesses can only sell the personal information of a child that they know to be under the age of 16 if they get affirmative authorization (“opt-in”) for the sale of the child’s personal information. For children under the age of 13, that opt-in must come from the child’s parent or guardian. For children who are at least 13 years old but under the age of 16, the opt-in can come from the child.
Businesses that sell personal information are subject to the CCPA’s requirement to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request.
Make sure you submit your opt-out request through the “Do Not Sell My Personal Information” link or through another method that the business designates for opt-out requests, which may be different from its normal customer service contact information. If you can’t find a business’s “Do Not Sell” link, review its privacy policy, which must include that link.
If a business’s “Do Not Sell” link or other designated method of submitting opt-out requests is not working, notify the business in writing and consider submitting your request through another designated method if possible.
While businesses are not required to verify that the person submitting an opt-out request is really the consumer for whom the business has personal information, they may need to ask you for additional information to make sure they stop selling the right person’s personal information. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.
There are some exceptions to the opt-out right. Common reasons why businesses may refuse to stop selling your personal information include:
- If a sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
- If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA
See Civil Code section 1798.145 for more exceptions.
If you do not know why a business denied your opt-out request, follow up with the business to ask it for its reasons.
Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.
The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to opt-out to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.
If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.
C. REQUESTS TO KNOW PERSONAL INFORMATION
(RIGHT TO KNOW)
You may request that businesses disclose to you what personal information they have collected, used, shared, or sold about you, and why they collected, used, shared, or sold that information. Specifically, you may request that businesses disclose:
- The categories of personal information collected
- Specific pieces of personal information collected
- The categories of sources from which the business collected personal information
- The purposes for which the business uses the personal information
- The categories of third parties with whom the business shares the personal information
- The categories of information that the business sells or discloses to third parties
Businesses must provide you this information for the 12-month period preceding your request. They must provide this information to you free of charge.
Businesses must designate at least two methods for you to submit your request—for example, an email address, website form, or hard copy form. One of those methods has to be a toll-free phone number and, if the business has a website, one of those methods has to be through its website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests to know.
Businesses cannot make you create an account just to submit a request to know, but if you already have an account with the business, it may require you to submit your request through that account.
Make sure you submit your request to know through one of the business’s designated methods, which may be different from its normal customer service contact information. If you can’t find a business’s designated methods, review its privacy policy, which must include instructions on how you can submit your request.
If a business’s designated method of submitting requests to know is not working, notify the business in writing and consider submitting your request through another designated method if possible.
Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.
If you submitted a request to know and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.
Businesses must verify that the person making a request to know is the consumer about whom the business has personal information. Businesses may need to ask you for additional information for verification purposes. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.
There are some exceptions to the right to know. Common reasons why businesses may refuse to disclose your personal information include:
- The business cannot verify your request
- The request is manifestly unfounded or excessive, or the business has already provided personal information to you more than twice in a 12-month period
- Businesses cannot disclose certain sensitive information, such as your social security number, financial account number, or account passwords, but they must tell you if they’re collecting that type of information
- Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims
- If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA
See Civil Code section 1798.145 for more exceptions.
If you do not know why a business denied your request to know, follow up with the business to ask it for its reasons.
Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.
The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to know to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.
If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.
D. REQUIRED NOTICES
The CCPA requires businesses to give consumers certain information in a “notice at collection.” A notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information. (To find out how you can learn what specific information a business has collected about you, see the Right to Know section.) If the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell link. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.
This notice must be provided at or before the point at which the business collects your personal information. For example, you might find a link to the notice at collection on a website’s homepage and on a webpage where you place an order or enter your personal information for another reason. On a mobile app, you might find a link to the notice in the settings menu. In a retail store, you might find the notice on a printed form used to collect your personal information.
A business’s privacy policy is a written statement that gives a broad picture of its online and offline practices for the collection, use, sharing, and sale of consumers’ personal information. The CCPA requires business privacy policies to include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination.
Most businesses post their privacy policy on their websites. A link to it can usually be found at the bottom of the homepage and other webpages. The link’s title may include “Privacy” or “California Privacy Rights.” In a mobile app, the privacy policy may be linked on the download page for the app or in the app’s settings menu.
E. REQUESTS TO DELETE PERSONAL INFORMATION
(RIGHT TO DELETE)
You may request that businesses delete personal information they collected from you and to tell their service providers to do the same. However, there are many exceptions that allow businesses to keep your personal information.
Businesses must designate at least two methods for you to submit your request—for example, a toll-free number, email address, website form, or hard copy form. Businesses do not have to provide an online form for requesting deletion.
Businesses cannot make you create an account just to submit a deletion request, but if you already have an account with the business, it may require you to submit your request through that account.
Make sure you submit your deletion request through one of the business’s designated methods, which may be different from its normal customer service contact information. If you can’t find a business’s designated methods, review its privacy policy, which must include instructions on how you can submit your request.
If a business’s designated method of submitting requests to delete is not working, notify the business in writing and consider submitting your request through another designated method if possible.
Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.
If you submitted a request to delete and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.
Businesses must verify that the person making a request to delete is the consumer about whom the business has personal information. Businesses may need to ask you for additional information for verification purposes. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.
There are exceptions to the right to delete. Common reasons why businesses may keep your personal information include:
- The business cannot verify your request
- To complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes
- For certain business security practices
- For certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided
- To comply with legal obligations, exercise legal claims or rights, or defend legal claims
- If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA
See Civil Code sections 1798.105(d) and 1798.145 for more exceptions.
If you do not know why a business denied your request to delete, follow up with the business to ask it for its reasons.
Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.
The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to delete to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.
If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.
Creditors, collection agencies, and other debt collectors can still try to collect debts that you owe even if you asked them to delete your personal information. Learn more about debt collectors—including what they can and can’t do—here.
Credit reporting agencies like Equifax, Experian, and TransUnion can still collect and disclose your credit information, subject to regulation under the Fair Credit Reporting Act. Learn more about your rights under the Fair Credit Reporting Act here. Learn more about how to check and fix your credit report here.
F. RIGHT TO NON-DISCRIMINATION
Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.
However, if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction.
Businesses can also offer you promotions, discounts and other deals in exchange for collecting, keeping, or selling your personal information. But they can only do this if the financial incentive offered is reasonably related to the value of your personal information. If you ask a business to delete or stop selling your personal information, you may not be able to continue participating in the special deals they offer in exchange for personal information. If you are not sure how your request may affect your participation in a special offer, ask the business.
G. DATA BROKERS AND THE CCPA
Another California law, Civil Code section 1798.99.80, defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This law exempts certain businesses that are regulated by other laws from this definition. Exempted businesses include consumer reporting agencies (commonly known as credit bureaus) and certain financial institutions and insurance companies.
Data brokers collect information about consumers from many sources including websites, other businesses, and public records. The data broker analyzes and packages the data for sale to other businesses.
The California law on data brokers requires data brokers covered by the law to register with the Attorney General and to provide certain information on their practices. The Data Broker Registry can be found on the Attorney General’s website at https://oag.ca.gov/data-brokers.
Data brokers are subject to the CCPA. On the Data Broker Registry website, you will find contact information and a website link for each registered data broker, as well as additional information to help you exercise your CCPA rights.