This Policy outlines the general practices for implementing the requirements of the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield in connection with personal data that is transferred from the EEA and Switzerland to the U.S., including the types of information that are collected and transferred; how it is used; and the choices individuals located in the EEA and Switzerland have regarding the use of, and their ability to correct, that information.
This Policy applies to all Billtrust U.S. operations, divisions and subsidiaries as far as personal information from the EEA and Switzerland is received in any format whatsoever, including electronic, paper or oral transmission. This Policy also applies to Agents (defined below) that handle and process EEA and Switzerland personal data on behalf of Billtrust.
1 The EEA currently includes the following countries: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and United Kingdom.
2 Information about the U.S. Department of Commerce EU-U.S. Privacy Shield certification and the Swiss-U.S. Privacy Shield certification can be found at https://www.privacyshield.gov/.
For purposes of this Policy, the following definitions shall apply:
“Agent” means any third party processor that collects and/or uses personal information provided by Billtrust to perform tasks on behalf of and under the instructions of Billtrust.
“Personal Data” and “Personal Information” are data about an identified or identifiable individual that are within the scope of the Directive 95/46/EC, received by an organization in the United States from the European Union and Switzerland, and recorded in any form. Personal information does not include information that is anonymous (e.g. statistical information not relating to an identifiable person).
“Sensitive Personal Information” means personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual or personal information received from a third party that is identified and treated as sensitive by the third party.
“Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
4. Processing of EEA Personal Data
Billtrust may from time to time process certain EEA and Switzerland Personal Information about current or prospective clients, their customers, business partners, suppliers, vendors, independent contractors and consumers, including information recorded on various media as well as electronic data. Billtrust will process these data in conformity with the EU-U.S. Privacy Shield Principles and Swiss-U.S. Privacy Shield Principles and will continue to apply the Principles to personal data received under the application of the Privacy Shield.
Billtrust will use Personal Information to provide information and services and to help Billtrust personnel better understand the needs and interests of these business partners and/or current and prospective clients and their customers. Specifically, Billtrust uses information to help complete a transaction or order, to facilitate communication, to deliver products/services, to bill for purchased products/services, to provide ongoing service and support, to communicate to individuals about products, services and related issues, to facilitate Billtrust’s internal administrative processes, to book travel, accommodation and event registration, for business continuity and/or disaster recovery, to select service and personnel, to access sales and order portals, for business planning, accounting and reporting, to organize and manage joint projects and joint ventures. Occasionally Billtrust personnel may use Personal Information to contact clients and business partners to complete surveys that are used for marketing and quality assurance purposes.
Billtrust may also share Personal Information with its service providers and suppliers (Agents) for the sole purpose and only to the extent needed to support the clients’ business needs. Service providers and suppliers are required to keep confidential Personal Information received from Billtrust and may not use it for any purpose other than originally intended. In case of data transfers to third parties acting as controllers the affected individuals will be informed about the transfer and the underlying purposes respectively.
5. Privacy Principles
A detailed description of the EU-U.S. Privacy Shield Principles and Swiss-U.S. Privacy Shield Principles can be found on the website of the U.S. Department of Commerce.
Where Billtrust collects Personal Information directly from our clients’ customers in the EEA and Switzerland, it will inform those individuals about the purposes for which it collects and uses Personal Information about them; the types or identity of third parties acting as controllers to which Billtrust discloses that information and the purposes for which it does so; the choices and means Billtrust offers individuals for limiting the use and disclosure of their Personal Information; and the right of individuals to access their personal data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to Billtrust, or as soon as practicable thereafter, and in any event before Billtrust uses the information for a purpose other than that for which it was originally collected or discloses it for the first time to a third party.
5.3 Accountability for Onward Transfer
Billtrust will obtain assurances from its Agents that they will safeguard Personal Information consistent with this Policy and will transfer personal data only for limited and specific purposes. Examples of appropriate assurances that may be provided by Agents include: a contract obligating the Agent to provide at least the same level of protection as is required by the relevant EU-U.S. Privacy Shield Principles and Swiss-U.S. Privacy Shield Principles, being subject to EU Data Protection Directive 95/46/EC or GDPR, EU-U.S. Privacy Shield certification and Swiss-U.S. Privacy Shield certification by the Agent, or being subject to another European Commission adequacy finding. Billtrust recognizes its responsibility and potential liability for onward transfers to Agents. Where Billtrust has knowledge that an Agent is using or disclosing Personal Information in a manner contrary to this Policy and/or the level of protection as required by the EU-U.S. Privacy Shield Principles and Swiss-U.S. Privacy Shield Principles, Billtrust will take reasonable and appropriate steps to prevent, remediate or stop the use or disclosure.
If Billtrust transfers personal information to non-agent third parties acting as a controller, Billtrust will apply the Notice and Choice Principles unless a derogation for specific situations under European data protection law applies and will obtain assurance from these parties that they will provide the same level of protection as is required under the Principles.
Billtrust will take reasonable and appropriate precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
5.5 Data Integrity and Purpose Limitation
Billtrust will use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual (see 5.2.). Billtrust will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current. Billtrust will adhere to the Principles as long as it retains personal information received under its EU-U.S. Privacy Shield certification and Swiss-U.S. Privacy Shield certification. Billtrust will keep Personal Information only as long as necessary for the purpose of processing or for statistical analysis, research or another approved purpose.
Upon request, Billtrust will grant individuals reasonable access to Personal Information that it holds about them. In addition, Billtrust will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete or has been processed in violation of the EU-U.S. Privacy Shield Principles and Swiss-U.S. Privacy Shield Principles. Billtrust may limit an individual’s access to Personal Information where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.
5.7 Recourse, Enforcement and Liability
Any questions or concerns regarding the use or disclosure of personal information should be directed to Billtrust Client Support using the contact information provided below. Billtrust will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy.
Within the scope of this Privacy Shield Policy, if a privacy complaint or dispute cannot be resolved through Billtrust’s internal processes, Billtrust has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/.
In the event that Billtrust or the independent dispute resolution mechanism determines that Billtrust did not comply with this Policy, Billtrust will take appropriate steps to address any adverse effects and to promote future compliance. Billtrust is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory body and enforcement authority under the Privacy Shield.
Where a complaint cannot be resolved by any of the aforementioned recourse mechanisms, individuals have a right to invoke binding arbitration under the Privacy Shield Panel as a recourse mechanism of “last resort”.
Billtrust’s adherence to the EU-U.S. Privacy Shield Principles and Swiss-U.S. Privacy Shield Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, e.g. in the course of lawful requests by public authorities; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.
7. Contact Information
In compliance with the Privacy Shield Principles, Billtrust commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Billtrust at:
ATTN: Client Support
Address: 1009 Lenox Drive, Suite 101, Lawrenceville, New Jersey 08648
Phone: 1 (888) 580-BILL
Fax: 1 (609) 235-1011
E-Mail: [email protected]
Billtrust has further committed to refer unresolved Privacy Shield complaints to VeraSafe, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit www.verasafe.com/about-verasafe/contact-us/ for more information or to file a complaint. The services of VeraSafe are provided at no cost to you. Please use the following addresses:
USA: VeraSafe | P.O. Box 8203 | Essex, VT 05451 | USA
EU: VeraSafe | Zahradníčkova 1220/20A | Prague 15000 | Czech Republic
8. Billtrust’s Data Protection Office (DPO)
VeraSafe has been appointed as Billtrust’s DPO in accordance with Article 38 of the General Data Protection Regulation (GDPR). VeraSafe can be contacted in addition to Billtrust only on matters related to the processing of personal data and to exercise your rights under the GDPR. To make such an inquiry, please contact VeraSafe at:
ATTN: James D. Cormier
Address: 22 Essex Way #8203, Essex, VT 05451 USA
Phone: +1 (888) 376-1079
E-mail: [email protected]
9. Billtrust’s GDPR Article 27 EU Representative
VeraSafe has been appointed as Billtrust’s representative in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. VeraSafe can be contacted in addition to Billtrust only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative. Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road Cork T23AT2P
10. Changes to this Policy
This Policy may be amended from time to time, consistent with the requirements of the EU-U.S. Privacy Shield principles. Appropriate public notice will be given concerning such amendments.
Effective Date: January 1, 2019