Emmes EU-U.S. Data Privacy Framework

The Emmes Company, LLC, Emmes Biopharma Services LLC, OptymEdge, LLC, Essex Management, LLC and Emmes Endpoint Solutions, LLC (collectively “Emmes”) each comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom to the United States. Emmes has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) and the UK Extension to the EU-U.S. DPF with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework, and to view our certification, please visit: https://www.dataprivacyframework.gov/.

This EU-U.S. Data Privacy Framework Policy sets forth Emmes’ practices with respect to personal data it receives in the United States from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF respectively.

To view Emmes’ certification, you can view the Data Privacy Framework List at https://www.dataprivacyframework.gov/s/participant-search.

Definitions

“Personal Data” means data about an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to one or more factors specific to the individual, such as an identification number or a person’s physical, physiological, mental, economic, cultural or social identity.

“Processing” of personal data means any operation or set of operations that is performed on personal data, whether or not by automated means. Processing includes, by way of example, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

Collection and Use of EU and UK Personal Data

Employee Personal Data

We collect personal data from and about contingent workers, employees, former employees, and prospective employees. This can include someone’s name, contact information, social security or government-issued identification number, financial information, education and employment history, information about one’s family (spouse and dependents, for example), and job performance and development.

Our primary purpose in collecting and processing such information is to carry out the employment relationship. This includes but is not limited to payment, compensation planning and related transactions, providing and managing benefits, performance management, career development, training, staffing, considering candidates for open positions, personnel security issues, headcount reporting, and statistical analysis.

Customer and Other Personal Data

Emmes collects personal data in connection with Emmes’ business activities, including offering and managing our products, services, and programs. This information can include name and contact information as well as information on demographics, health and wellness, healthcare or medication, inquiries or feedback about our products and programs, and preferences. We collect and process this information in order to provide requested products, services or programs; to personalize product information or provide additional information about our products and programs; to optimize or improve our products, programs, and operations; to manage customer information across Emmes programs and platforms; to conduct market research; to support research and development, including clinical research; for safety and efficacy monitoring; and for purposes of conducting certain legal, audit and regulatory compliance activities.

Sharing of Personal Data

Emmes may share personal data with applicable customers, affiliates, agents, contractors, or business partners so that they may perform services for us or so Emmes may perform services for them. Emmes remains liable under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF if the third party handles personal data in a manner inconsistent with the Framework, unless Emmes proves that it is not responsible for the third party’s activities.

In addition, we may disclose personal data (i) as required by law or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, (ii) to protect and defend Emmes’ rights, (iii) as incident to a corporate sale, merger, reorganization, dissolution, bankruptcy, or similar event, (iv) under circumstances we believe reasonably necessary to protect the personal safety of users of Emmes’ products, services and programs, or the public, or (v) as is otherwise described in this policy.

Your Rights and Choices

Under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and this policy, you have the right to request access to personal data about yourself and to request limitations on how Emmes uses or discloses personal data about you. You also have the right to correct, amend, or delete the data if any information is inaccurate.

In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we don't have the appropriate rights to do so. Where you gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place at the time. You can also opt out of our use of your information for marketing purposes by contacting us, as provided below. When you make such requests, we may need time to investigate and facilitate your request. If there is a delay or dispute as to whether we have the right to continue using your information, we will restrict any further use of your information until the request is honored or the dispute is resolved.

For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual), Emmes must obtain affirmative, express consent (opt-in) from you if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by you through the exercise of opt-in choice. In addition, Emmes will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

With our EU-U.S. DPF certification, Emmes has committed to respect these rights. To exercise these rights, please contact us as indicated in the “Contact Information” section of this Policy. Emmes will respond to such requests within a reasonable timeframe.

To opt out of having personal information disclosed to a third party or used for a purpose for which it was originally collected, please contact DPO@emmes.com. Additionally, Emmes will obtain your explicit consent if sensitive information will be disclosed to a third party or used for a purpose other than that for which it was originally collected.

EU-U.S. DPF Inquiries or Complaints

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Emmes commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

If you have a complaint as described above, you may also contact, free of charge, the Data Protection Authority (DPA) in your country. The list of DPAs in the European Union is available at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.html.

Emmes commits to cooperate with the panel established by the EU DPA and comply with the advice given by the panel with regard to human resources data and non-human resources data transferred from the EU.

If you have a complaint related to the transfer or processing of UK personal data, you may contact the UK Information Commissioner’s Office at: https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/.

As further explained in the EU-U.S. DPF, a binding arbitration option will also be made available to address complaints not resolved by any other means. Emmes is subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).

Contact Information

DPO@emmes.com

  • The Emmes Company, LLC
    401 North Washington Street, Suite 700
    Rockville, Maryland, U.S.A. 20850
  • Emmes Biopharma Services LLC
    401 North Washington Street, Suite 700
    Rockville, Maryland, U.S.A. 20850
  • OptymEdge, LLC
    401 North Washington Street, Suite 700
    Rockville, Maryland, U.S.A. 20850
  • Emmes Endpoint Solutions, LLC
    401 North Washington Street, Suite 700
    Rockville, Maryland, U.S.A. 20850
  • Essex Management, LLC
    401 North Washington Street, Suite 700
    Rockville, MD 20850