This Privacy Shield Policy (the “Policy”) sets forth the privacy principles that Hyland follows when processing Personal Data received from customers or prospective customers located in the European Economic Area (“EEA”), Switzerland, and the United Kingdom while providing services. This Policy does not apply to information collected through onbase.com, lawlogix.com, or other Hyland websites or to information collected during Hyland sponsored sales and marketing activities. This Policy also does not apply to Personal Data collected through Hyland’s recruiting process. For purposes of this Policy, Personal Data means information about an identified or identifiable individual that is received by Hyland in the United States from the EEA, Switzerland, or the United Kingdom and recorded in any form.
Hyland’s Role as a Service Provider to its Customers and Prospective Customers
Hyland is the creator of certain software products, and in connection with these software products, Hyland provides product demonstrations, product development, product enhancements, cloud services, solution engineering services, professional technical services, data migration services, and product technical support services (collectively “Services”) for the benefit of its customers and prospective customers in the EEA, Switzerland, and the United Kingdom through employees who may be located in the U.S. These U.S.-based employees may process Personal Data to provide Services to customers and prospective customers located in the EEA, Switzerland, or the United Kingdom.
Customers using Hyland’s cloud solutions are responsible for managing the data that they store within Hyland’s cloud solutions. Except as stated in the paragraph immediately below, customers determine the categories of Personal Data and other information that are stored by Hyland. Similarly, Hyland's customers and prospective customers who share data with Hyland in connection with any of its Services determine which categories of Personal Data will be shared and for what purposes. Consequently, except as stated in the paragraph immediately below, Hyland does not generally know the categories of Personal Data to be processed or the purpose(s) of the processing unless and until Hyland receives this information from its customers or prospective customers.
Specifically, in regard to Hyland’s Guardian and Edge software products, Hyland may store the following categories of Personal Data to create completed I-9 forms on behalf of customers or to assist customers in the creation, management, and submission of immigration cases: full name, mailing address, email address, phone number, social security number and/or other identification number, date of birth, citizenship or immigration status, employment authorisation information, work history, job-related information, immigration status, and other personally identifiable information as may be required to fulfil a customer’s Form I-9 employment eligibility verification responsibilities or as required by various government agencies responsible for administering immigration benefits.
When Hyland processes Personal Data, Hyland does so only for the purpose of providing Services.
The Customer’s and Prospective Customer’s Responsibilities with Respect to Personal Data
Hyland customers and prospective customers may choose to include Personal Data among the data stored within the Hyland cloud or shared with Hyland in connection with its provision of Services.
Hyland processes only the Personal Data that its customers or prospective customers have chosen to share with Hyland. Hyland has no direct or contractual relationship with the subject of such Personal Data (a "Data Subject"). As a result, when a customer or prospective customer shares Personal Data, the customer or prospective customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws.
Hyland’s Compliance with the Privacy Shield Principles
Hyland employees located in the United States may provide Services for customers and prospective customers located in the EEA, Switzerland, or the United Kingdom. To provide such Services, Hyland may access and use Personal Data. Hyland will apply the following Privacy Shield Principles to Personal Data physically or remotely transferred from the EEA, Switzerland or the United Kingdom to the United States.
Data Subjects have the right to access the Personal Data an organisation holds about them. If such Personal Data is inaccurate or processed in violation of the Privacy Shield Principles, a Data Subject may also request that Personal Data be corrected, amended, or deleted.
When Hyland receives Personal Data, it does so on its customer's or prospective customer's behalf. To request access to, or correction, amendment or deletion of, Personal Data, Data Subjects should contact the Hyland customer or prospective customer that collected their Personal Data. Hyland will cooperate with its customers' and prospective customers' reasonable requests to assist Data Subjects to exercise their rights under the Privacy Shield.
Data Subjects have the right to opt out of (a) disclosures of their Personal Data to third parties not identified at the time of collection or subsequently authorised, and (b) uses of Personal Data for purposes materially different from those disclosed at the time of collection or subsequently authorised. Hyland’s customers and prospective customers are responsible for informing Data Subjects when they have the right to opt out of such uses or disclosures.
Data Subjects who wish to limit the use or disclosure of their Personal Data should submit that request to Hyland’s customer or prospective customer that controls the use and disclosure of their Personal Data. Hyland will cooperate with its customers’ and prospective customers’ instructions regarding Data Subjects’ choices.
Hyland is committed to safeguarding the Personal Data that it receives. While Hyland cannot guarantee the security of Personal Data, Hyland takes reasonable and appropriate measures to protect Personal Data in Hyland’s possession from loss, misuse, unauthorised access, disclosure, alteration and destruction.
Hyland utilises a combination of online and offline security technologies, procedures and organisational measures to help safeguard Personal Data. For example, facility security is designed to prevent unauthorised access to Hyland computers. Electronic security measures — including, for example, network access controls, passwords and access logging — provide protection from hacking and other unauthorised access. Hyland also protects Personal Data through the use of firewalls, role-based restrictions and, where appropriate, encryption technology. Hyland limits access to Personal Data to employees, subcontractors, and third-party agents that have a specific business reason for accessing such Personal Data. Individuals granted access to Personal Data are aware of their responsibilities to protect such information and are provided appropriate training and instruction.
PURPOSE LIMITATION AND DATA INTEGRITY
Hyland's customers and prospective customers are responsible for limiting their collection of Personal Data to that which is necessary to accomplish the purposes disclosed to Data Subjects and compatible purposes. They also are responsible for providing Hyland with instructions or authorisation for the processing of Personal Data consistent with such purposes.
Hyland's customers and prospective customers also are responsible for ensuring that (a) Personal Data they collect is accurate, complete, current and reliable for its intended uses; and (b) Personal Data is retained only for as long as is necessary to accomplish the customer's or prospective customer's legitimate business purposes disclosed to the Data Subject and for compatible purposes. Hyland will cooperate with customers' and prospective customers' reasonable requests for assistance in meeting these obligations.
In the performance of Services, Hyland will request only the minimum amount of information required to perform the applicable Services and will retain such information only for as long as necessary to provide the Services or for compatible purposes, such as to provide additional Services, to comply with legal requirements, or to preserve or defend Hyland’s legal rights.
Hyland will not disclose Personal Data to a third party, except as stated below:
Hyland may disclose Personal Data to subcontractors and third-party agents who assist Hyland in providing Services to its customers and prospective customers. Before disclosing Personal Data to a subcontractor or third-party agent, Hyland will obtain assurances from the recipient that it will: (a) use the Personal Data only to assist Hyland in providing the Services; (b) provide at least the same level of protection for Personal Data as required by the Principles; and (c) notify Hyland if the recipient is no longer able to provide the required protections. Upon notice, Hyland will act promptly to stop and remediate unauthorised processing of Personal Data by a recipient. Hyland will remain liable for onward transfers to its subcontractors and third-party agents.
Hyland may also be required to disclose, and may disclose, Personal Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. To the extent permitted, Hyland will inform its relevant customer or prospective customer before making such disclosure and provide it with a reasonable opportunity to object to such disclosure.
RECOURSE, ENFORCEMENT & LIABILITY
In compliance with the EU-US and Swiss-US Privacy Shield Principles, Hyland commits to resolve complaints about your privacy and Hyland’s collection or use of Personal Data transferred to the United States pursuant to this Policy.
European Union, Swiss, and United Kingdom individuals with Privacy Shield inquiries or complaints should first contact Hyland’s Legal Department by emailing [email protected] or by calling 440-788-5000.
Hyland has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent recourse mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus (“BBB”), which is based in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. This service is provided free of charge.
If your complaint cannot be resolved through the above channels, under certain conditions, Data Subjects may invoke binding arbitration for some residual claims not otherwise resolved by other redress mechanisms. For more information about binding arbitration, visit https://www.privacyshield.gov.
The Federal Trade Commission has jurisdiction over Hyland’s compliance with the Privacy Shield.
For More Information
Data Subjects with questions about how Hyland processes Personal Data should first contact the Hyland customer or prospective customer that collected the Personal Data. Hyland's Legal Department can be contacted by emailing [email protected] or by calling 440-788-5000.
This policy is executed in English and may be translated into other languages. In the event of any conflict or discrepancy between the English language version and a translated version, the English language version of this policy shall control.
Hyland may revise this Policy at any time. If Hyland decides to materially change this Policy, Hyland will post the revised Policy at this location.
Effective Date: September 20, 2016; last revised September 9, 2019.