At Digitech we are dedicated to conducting our business in a manner that complies with the EU Safe Harbor Principles published by the US Department of Commerce. The Safe Harbor Principles were developed to aid US businesses in addressing and assessing their privacy policies and practices as they may relate to the European Union’s Directive 95/46/EC on data privacy for “personal data” (including any EU member state’s rules, regulations or laws enabling such Directive, herein the “Directive”). Personal data is information relating to an identified or identifiable natural person. It includes personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships and information concerning the personal activities, undertakings, traits or habits of a particular individual. An identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity. Personal data may be considered transferred outside the EU under the Directive if it falls under one of two situations that are described below. For the Directive to apply, the personal data must be processed, wholly or partly, by automatic means or, if not processed to any extent by automatic means, must form (or be intended to form) part of a filing system.
Processor on Behalf
Digitech provides an electronic content management (ECM) computer-based service known as ImageSilo®, which is designed to help companies manage their company or customer information more efficiently and effectively. Digitech provides this ECM service through a channel of authorized value-added Digitech Resellers (VAR). Digitech does not own or control any of the information stored or processed by any VAR, including by or on behalf of any VAR’s customers. Only the VAR or the VAR’s customer is entitled to process, store, access and retrieve such information. Through careful analyses of specific business requirements, Digitech VARs may recommend that their customers are better served by utilizing Digitech’s ECM service. VARs recommending this ECM service to their customers must clearly explain that the customer’s information that originates in the EU will be stored on Digitech’s server located in the US utilizing Digitech’s ECM service and which is accessible over the Internet only by the VAR or the VAR’s customer. Digitech does not own or control, collect, record, organize, use or otherwise disclose or make available to third parties the data that is stored through use of its ECM service by the VAR or a VAR’s customers, and such data is considered owned or controlled only by that customer or the VAR, including if acting on behalf of the customer. Digitech does not actively process the data stored on its server under the ECM service. As a point of fact, Digitech is not aware of what is actually being stored by a VAR or the VAR’s customer on the Digitech ImageSilo® system under the ECM service and has no general direct access to such information or data, except as expressly authorized by the VAR or the VAR’s customer, as applicable. Furthermore, under no circumstances may Digitech independently cause a VAR’s data or VAR’s customer’s data to be transferred to any third party, such action being limited to either the VAR or the VAR’s customer.
Also, Digitech’s standard operating policy in this case is not to directly cause a transfer of any such data other than to return it to the applicable VAR or VAR customer. In this capacity, Digitech should be considered only as a processor on behalf as to any personal data that may be considered transferred from the EU to the US subject to the requirements of the Directive. As such, either the VAR or, more particularly, the VAR’s customer is the Data Controller as they or one of them have the actual control over the way any personal data is collected and used as well as the determination of the purposes and means of the processing of such data. Digitech is not responsible for the content of the information stored on its server by the VAR or the VAR’s customers nor is Digitech responsible for the way the VAR or the VAR’s customers treat such information.
The Safe Harbor Principles require those who collect and determine the purposes and the means of the processing of personal data to fulfill very specific requirements related to compliance with the Directive. The specific functions of a Data Controller will depend on the specific laws of each EU member state. However, since Digitech is not the collector or in control of any personal data, because it, neither alone nor jointly with others, will determine the purposes and means of collecting and the processing and uses of such data, it should not be considered as acting in the capacity of Data Controller with attendant responsibilities under the Directive or the Safe Harbor Principles. Although Digitech, without its actual knowledge, may be provided data or information subject to the Directive by a VAR or a VAR’s customer by means other than use of the ECM service (e.g., by email) in order to aid in the resolution of a technical issue, it should not be considered a data collector or Data Controller as to such data. Furthermore, Digitech requires that its VARs and the VAR’s customers do not include personal data in such transmittal to it, and it may reject and return such data to the sender if it becomes aware that such data is not in compliance with such requirement.
EU VAR Data Controller Contract
Digitech and the EU VAR will enter into a contract to ensure that each party understands its role in complying with the Directive and the Safe Harbor Principles. Any data considered processed or stored by Digitech on behalf of a VAR or any VAR customer will not be further disclosed to third parties, except as directed or required by the VAR or such VAR customer, each acting only in compliance with the Directive. Any information which the Data Controller identifies as sensitive personal information must be treated accordingly.
The contract with an EU VAR also will specify that the VAR is responsible for implementing and maintaining reasonable security measures relating to the VAR’s or the VAR’s customer’s access to the VAR’s or the VAR’s customer’s data stored on the Digitech server, including assignment and administration of all identification codes and passwords authorizing such access. The VAR or the VAR’s customer, as applicable, is responsible for all security measures relating to such identification codes and passwords. Digitech has in place commercially reasonable measures to protect data on its network from loss, misuse, unauthorized access, disclosure, alteration and destruction. The VAR and the VAR’s customers are responsible for the utilization of any optional tools Digitech provides for data protection, including transmission encryption and encrypting data at rest. The return or destruction of data stored on the Digitech server is principally in the control of the VAR or the VAR’s customer, and Digitech will comply with their instructions on such matters.
As merely a processor on behalf of the VAR or the VAR’s customer (who is considered the EU Data Controller), Digitech is not required to apply other Safe Harbor Principles to personal information subject to the Directive and considered received for processing (i.e., storage) from a VAR or the VAR’s customers.
Digitech requires that the VAR and each VAR customer comply with their respective obligations under the Directive and that the VAR customer confirm to the VAR that all applicable EU member state data protection laws shall be complied with prior to any transfer of any non-public personal data from the EU to the US in connection with Digitech’s ECM service.
Digitech is entirely dependent on the VAR’s and the VAR’s customer’s compliance with the Directive in connection with any authorization for access to such VAR’s or the VAR’s customer’s data on the Digitech ImageSilo® system as well as its nature and the form in which it is transmitted. Digitech has no ability to access data located on its ImageSilo® system other than as expressly permitted or directed by the VAR or the VAR’s customer, and, in no case, will Digitech be involved in the further processing or manipulation of such data other than perhaps the return of data in another form of media, as discussed below. Digitech takes reasonable steps to assure that any data that is considered transferred from the EU to the US is maintained in a reliable, accurate and complete state, subject always to any deficiencies in the state in which it was received that may have been caused by others. The steps Digitech undertakes to assure data integrity are provided to take into consideration the Safe Harbor Principles.
As noted above, the control of access to data stored on the ImageSilo® system under the ECM service is in the direct and primary control of and subject to the security measures undertaken by the VAR and the VAR’s customer. Furthermore, Digitech recommends to its VARs that all data “at rest” and stored on the ImageSilo® system be encrypted to better assure the protection and confidentiality of such data, but the decision as to the use of such encryption is solely in the control of the VAR or the VAR’s customer. Digitech also requires that personal data not be transmitted to it outside the ImageSilo® closed system, since different security measures may be in place with respect to those systems (e.g., email). Digitech has in place information security procedures and commercially reasonable security measures to protect all information stored on its server from loss, misuse, unauthorized access, disclosure, alteration and destruction. The VAR will be notified of any breach of the security measures implemented by Digitech that Digitech becomes aware of, and the VAR is responsible for notifying the VAR’s customers of such breach. Any measures or actions required to be undertaken by the VAR or the VAR’s customers in connection with such breach are solely the responsibility of the VAR or the VAR’s customers, as applicable. If it is required by a VAR or a VAR’s customer to download data stored on the ImageSilo® system by such VAR or the VAR’s customer onto some form of other data archival or compilation media, Digitech will do so only upon receipt of a written request and directions (including by email) therefor from the VAR or the VAR’s customer, as applicable, and such media will be sent via a reliable carrier or courier, as authorized by the VAR or the VAR’s customer. Upon its delivery to such carrier or courier, Digitech shall have no further obligation thereafter for the security or safety of the data included on such media.
Any compromise of security or potential compromise of security and any inquiries concerning security should be reported or directed to Digitech. Contact information is provided below.
Digitech Systems, Inc.
8400 East Crescent Parkway, Suite 500
Greenwood Village, CO 80111
Federal Trade Commission
Attn: Consumer Response Center
600 Pennsylvania Avenue NW
Washington, D.C. 20580
Limitation on Application of the Safe Harbor Principles
Digitech’s adherence to the Safe Harbor Principles may be limited to the extent expressly permitted by applicable law, rule or regulation.