FRA Privacy Notice
Forensic Risk Alliance (FRA) recognizes the importance of your privacy. This privacy notice is meant to inform you about the Personal Data we collect, use, share, or otherwise possess in connection with your business relationship with FRA. If you have additional questions about FRA’s data collection practices after reading this notice, please contact us at email@example.com. FRA will not sell, share or otherwise disclose any of the information it collects without your permission unless otherwise permitted or required by law to regulators, enforcement authorities, courts or other third parties or also to (i) vendors who monitor our website and assist in preparing notices on firm updates, industry news and our events and (ii) third parties we work with for the purposes of hosting events. The data gathered also will be shared appropriately with our offices in the United States, Europe and Canada.
Data Privacy Notice
This Privacy Notice explains how FRA collects, uses, shares and otherwise processes your Personal Data in connection with your relationship with us in accordance with applicable data privacy laws and the General Data Protection Regulation (“GDPR”), which is in effect as of 25 May 2018. Should you have any questions about this Privacy Notice, contact us at firstname.lastname@example.org. We may provide supplemental Privacy Notices on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your Personal Data. Those notices should be read together with this Privacy Notice.
The term “Personal Data” as used in this Privacy Notice means any information relating to you such as your name, contact details, bank account details etc. Personal data does not include data from which you can no longer be identified such as anonymized aggregate data.
What information do we collect about you, how do we collect it and what do we use it for?
We may collect personal data about you for various purposes, including:
- Responding to your request for information – it may be necessary as a part of the relationship you have with FRA to contact us (online or offline) in connection with a request for information or in connection with your business relationship with FRA. For example, we will collect your name, contact information such as email or phone number, and details about your inquiry.
- Contacting employees of our clients, prospective clients and vendors – in our relationship with clients, prospective clients and vendors, they also provide us with business contact information (such as name, business contact details, position or title of their employees, contractors, advisors and authorized users) for purposes such as contract management, invoicing and management of the relationship.
- Visitor information – FRA registers individuals visiting our physical sites and locations (name, identification and business contact information) and in some cases uses camera supervision for reasons of security and safety of persons and belongings, as well as for regulatory purposes.
- Marketing and Business Development – most information we collect about you comes from our direct interactions with you or publicly available information. We collect the Personal Data you choose to provide to us if you contact us by letter, telephone, email or any other means of electronic or personal communication such as meeting at an event, and during an event, such as participation in sessions and survey results. We combine the Personal Data we collect to develop aggregate analysis and business intelligence for conducting our business and for marketing purposes. We may share information with third parties we work with for the purposes of hosting events. Outside of hosting events, we will get your express opt-in consent before we share your personal data with any company outside FRA for marketing purposes. You can choose to receive information by email, telephone or postal mail about our services, or sign up for subscriptions. If you wish to opt-out, you can do so via our preference center or by sending an email to email@example.com.
We will process your Personal Data if and to the extent applicable law provides a lawful basis for us to do so. Please note that we may use or disclose Personal Data if we are required by law to do so or if we reasonably believe that use or disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
What we may need from you
We may need to request specific information from you from time to time to help us confirm your identity and ensure your right to access Personal Data (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
What if you do not provide the personal data we request?
It is in your sole discretion to provide Personal Data to us. If you do not provide us with all or some of the Personal Data we request, we may not be able to accept an engagement from you, to provide all or some of our services, to enter into a contract with you or to send you firm updates, industry news and invitations to our events.
We may have to transfer your Personal Data from the European Economic Area (EEA) to an FRA office or a third party outside of the EEA and in a jurisdiction not being subject to an adequacy decision of the European Commission. We will always ensure that there is a legal basis and a relevant safeguard method for such data transfer so that your Personal Data is treated in a manner that is consistent with EU laws and other applicable laws and regulations on data protection. Measures include:
- Where required, FRA implements Standard Contractual Clauses approved by the EU Commission, or similar contractual clauses in other jurisdictions. This includes transfers to suppliers or other third parties.
- FRA certified to the EU-US Privacy Shield Framework. More information can be found below.
Information Security and Accuracy
We intend to protect your Personal Data and to maintain its accuracy. FRA implements reasonable physical, administrative and technical safeguards to help us protect your Personal Data from unauthorized access, use and disclosure. We also require that our suppliers protect such information from unauthorized access, use and disclosure.
Your rights in relation to your information
You have rights you can exercise under certain circumstances in relation to your Personal Data that we hold. You can request access, rectification, erasure and restriction to your Personal Data and request certain information in relation to its processing. If you want to exercise one of these rights please contact us at firstname.lastname@example.org.
Right to withdraw consent
In case you have provided your consent to the processing of your Personal Data, you have the right to fully or partly withdraw your consent. To withdraw your consent, please contact email@example.com or you may change preferences within the website. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there are legitimate grounds for further processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. In case we processed your Personal Data for direct marketing purposes, you have the right to object at any time, in which case we will no longer process your Personal Data for such marketing purposes.
How long will we retain your information?
We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
Upon expiration of the applicable retention period we will securely destroy your Personal Data in accordance with applicable laws and regulations.
Under many circumstances you will not have to pay a fee to exercise any of these rights. However, we may charge a reasonable fee if your request for access is unfounded or excessive – we may also refuse your request in such circumstances.
Changes to this Privacy Notice
We reserve the right to update this Privacy Notice at any time, and we will make an updated copy of such Privacy Notice available on our website.
EU-US and Swiss-US Privacy Shield
In compliance with the Privacy Shield Principles, Forensic Risk Alliance commits to resolve complaints about our collection or use of your Personal Information. EU or Swiss individuals with inquiries or complaints regarding our Privacy Shield Policy should first contact Forensic Risk Alliance at:
Forensic Risk Alliance
c/o Privacy Complaints Department
Kacey Murphy/Gregory Mason
40 Westminster Street
Providence, RI 02903
Forensic Risk Alliance has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to you. Forensic Risk Alliance complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU and Switzerland, including the onward transfer liability provisions. Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Forensic Risk Alliance’s participation in the Privacy Shield applies to Personal Data received from the EU/EEA and Switzerland. Forensic Risk Alliance will comply with the Privacy Shield Principles in respect of such Personal Data. Some types of Personal Information may be subject to additional privacy-related requirements and policies, which are consistent with the Privacy Shield Principles.
Types of data Forensic Risk Alliance can potentially process generally fall into two categories.
1) Personal Information from Client Engagements: Forensic Risk Alliance provides professional consulting services to its clients. Forensic Risk Alliance’s clients may send Personal Information to it for processing on their behalf as part of the consulting services they have purchased. For example, Forensic Risk Alliance may receive Personal Information such as name, email address, employment information or financial data. Forensic Risk Alliance uses any such Personal Information to perform services for its clients and to administer and manage its relationships with its clients. In the event that a client engagement involves a transfer of Personal Information from the EU or Switzerland to the United States, the relevant clients are responsible for providing appropriate notice, where required, to the individuals whose Personal Information may be transferred to Forensic Risk Alliance, including providing individuals with certain choices with respect to the use or disclosure of their Personal Information, and obtaining any requisite consent. Forensic Risk Alliance handles such Personal Information in accordance with its clients’ instructions.
2) Personal Information regarding Forensic Risk Alliance Employees: Forensic Risk Alliance may transfer Personal Information regarding Forensic Risk Alliance personnel. This Personal Information may include, without limitation, business contact information, employee ID, job role and reporting line, demographic information, work history, compensation and performance ratings. Forensic Risk Alliance uses such information to administer and manage its business.
Choice and Accountability for Onward Transfer
Information Security and Data Integrity
Forensic Risk Alliance is ISO 27001 certified and has reasonable security policies and procedures in place to protect Personal Information from unauthorized loss, misuse, alteration, or destruction. Forensic Risk Alliance’s ISO 27001 certification can be found here https://www.forensicrisk.com/expertise/certifications/certification-iso27001/. Despite Forensic Risk Alliance’s best efforts, however, security cannot be absolutely guaranteed against all threats. To the best of Forensic Risk Alliance’s ability, access to your Personal Information is limited to those who have a need to know.
When Forensic Risk Alliance collects Personal Information directly from custodians, we generally offer those custodians the opportunity to choose whether their Personal Information may be (i) disclosed to third party contractors, or (ii) used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorized by the relevant custodian. To the extent required by the Privacy Shield Principles, Forensic Risk Alliance obtains opt-in consent for certain uses and disclosures of Sensitive Data. Consumers may contact Forensic Risk Alliance as indicated below regarding the company’s use or disclosure of their Personal Information. Unless Forensic Risk Alliance offers custodians an appropriate choice, the company uses Personal Information only for purposes that are materially the same as those indicated in this Policy.
Forensic Risk Alliance shares Consumer Personal Information with its affiliates and subsidiaries. Forensic Risk Alliance may disclose Consumer Personal Information without offering an opportunity to opt out, and may be required to disclose the Personal Information, (i) to third-party Processors the company has retained to perform services on its behalf and pursuant to its instructions, (ii) if it is required to do so by law or legal process, or (iii) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. Forensic Risk Alliance also reserves the right to transfer Personal Information in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).
If Forensic Risk Alliance holds your Personal Information, under most circumstances you have the right to reasonable access to that data to correct any inaccuracies. You can also make a request to update or remove information about you by contacting firstname.lastname@example.org, and Forensic Risk Alliance will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards.
Resource, Enforcement and Liability
Forensic Risk Alliance commits to resolve complaints about your privacy and its collection or use of your Personal Information in compliance with the EU-US and Swiss-US Privacy Shield Principles. Please contact Forensic Risk Alliance at: email@example.com should you have a Privacy Shield-related (or general privacy-related) complaint.
If you are a resident of the EU/EEA or Switzerland, and you have a complaint related to this Policy that cannot be resolved with Forensic Risk Alliance directly, you may report your claim to the EU/EEA or Swiss Data Protection Authorities located in your jurisdiction. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means.
Forensic Risk Alliance is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC).
Questions and Comments
Last updated: September 2018