隱私政策

最后修订日期 2023 年 12 月 1 日

(A)  本政策

本政策由下文第 P 節所列各管理者實體（統稱「KLDiscovery」、「我們」或「我方」）頒佈。本政策適用對象：與我們有交涉的我方組織以外的個體，包括顧客、企業顧客人員、我方網站（我方「網站」）訪客、合夥人、供應商、求職者和我方服務的其他使用者（統稱「您」）。本政策所用術語的定義參見下文第 (R) 節。本政策也適用於我方社群媒體（參見下文）。

本政策可能不時修訂或更新，以便顯示事關個人資料處理的操作變更或者適用隱私權法變更。我們鼓勵您仔細閱讀本政策，定期檢查本頁面，以便查看我們根據本政策條款作出的任何變更。

KLDiscovery 在以下品牌下營運：KLDiscovery、Ontrack、Ibas 和 ReadySuite。

(B)  處理您的個人資料

個人資料收集：我們經由以下來源收集或獲取您的個人資料：

• 提供給我們的資料：當您透過電郵、電話或任何其他管道聯繫我們或者當您向我們提供您的名片或者當您提交求職履歷表時。
• 關係資料：我們與您建立關係的正常過程中（例如我們為您或您的雇主提供服務過程中所獲取的個人資料）。
• 您公開的資料：您明確選擇公開的個人資料，包括經社群媒體公開的資料。
• 網站資料：當您訪問任何我方網站以及註冊或使用網站或經由網站提供的任何功能或資源，我們所收集或獲取的個人資料。
• 內容和廣告資訊：如果您與某網站的任何第三方內容或廣告或者第三方外掛程式和網路 cookie 有交涉，則我們會接收到您提供該內容或廣告相關第三方的個人資料。
• 第三方資訊。我們收集或獲取的個人資料來自向我們提供這些內容的第三方（例如徵信機構或執法機構）。

創建個人資料：我們也可能在提供服務的過程中創建您的個人資料，例如您我雙方的交涉記錄和訂單歷史詳情。我們還可能結合以下內容：利用任何我方網站和服務所獲取的個人資料以及經由不同來源收集的個人資料。  

個人資料類別：我們處理的個人資料類別包括：

• 個人詳情： 姓名；性別；出生日期/年齡；國籍；和照片。
• 聯繫詳情：通訊或送貨位址（例如用於退回原媒體和/或儲存裝置）；電話號碼；電郵地址；社群媒體資料詳情。
• 同意記錄：徵得您任何同意的記錄以及同意日期、時間、手段和任何相關資訊（例如同意標的物）。
• 付款詳情：購買資訊、定價、發票記錄、帳單位址；銀行帳號或信用卡號；持卡人或開戶人姓名；卡片或帳戶安全詳情；卡片‘生效’日期；卡片到期日。
• 看法和意見：您選擇發送給我們的任何看法和意見，或者在社群媒體平臺上公開發佈的關於我們的任何看法和意見。
• 申請詳情：您可能提交的所有類型的申請文件（職業經歷、簡歷、資格、證書、推薦信等）
• 雇主詳情：您以第三方雇員身份與我們交涉的情況下；您雇主的相關姓名、地址、電話號碼和電郵地址。
• 我方網站相關資料：裝置型號；作業系統；瀏覽器類型；瀏覽器設定；IP 地址；語言設定；聯網日期和時間；其他技術通訊資訊（其中一些可能構成個人資料）；用戶名；密碼；安全登錄詳情；使用資料；綜合統計資訊。

處理目的和法律基礎

Sensitive Personal Data

We do not seek to collect or otherwise Process Sensitive Personal Data but where we do so, it is on the following basis.

Lawful basis for Processing Sensitive Personal Data: In Processing your Sensitive Personal Data in connection with the purposes set out in this Policy, we may rely on one or more of the following legal bases, depending on the circumstances:

• we have obtained your prior express consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way);
• the Processing is necessary in connection with any contract that you may enter into with us to provide you with Services;
• the Processing is required or permitted by Applicable Privacy Laws; the Processing is necessary for the establishment, exercise or defence of legal claims;
• the Processing is necessary to protect the vital interests of any individual; or
• we have a legitimate interest in carrying out the Processing for the purpose of managing, operating or promoting our business, and that legitimate interest is not overridden by your interests, fundamental rights, or freedoms.

Voluntary provision of Personal Data and consequences of non-provision: The provision of your Personal Data to us is voluntary and will usually be a necessary requirement in order to enter into a contract with us and to enable us to fulfil our contractual obligations towards you. You are under no statutory obligation to provide your Personal Data to us; however, if you decide not to provide us with your Personal Data, we will not be able to conclude a contractual relationship with you and to fulfil our contractual obligations towards you.

Sale of your data: In accordance with Applicable Privacy Laws, we do not sell your data in exchange for compensation or non-monetary consideration.

(C) Disclosure of Personal Data to third parties

We disclose your Personal Data to other entities within the KLDiscovery group, in order to fulfil our contractual obligations towards you or for legitimate business purposes (including providing Services to you and operating our Websites) in accordance with Applicable Privacy Laws. In addition, we disclose your Personal Data to:

• you, and where appropriate, your appointed representatives, or if we are providing Services to your employer, your employer;
• third party Controllers with whom we share Personal Data in order to provide you with our Services;
• legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
• accountants, auditors, consultants, lawyers and other outside professional advisors to KLDiscovery, subject to binding contractual obligations of confidentiality;
• third party Processors (such as payment services providers, channel and retail partners, shipping/courier companies; technology suppliers, customer satisfaction survey providers, operators of “live-chat” services and processors who provide compliance services such as checking government issued prohibited lists, like the US Office for Foreign Asset Control), located anywhere in the world, subject to the requirements noted below in this Section (C);
• any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights, or any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
• any relevant third-party acquirer(s) or successors in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation), but only in accordance with the Applicable Privacy Laws; and
• any relevant third-party provider where our Websites may use third party content, advertising, plugins or content. If you choose to interact with any such content, your Personal Data may be shared with the third-party provider of the relevant third-party provider. We recommend that you review that third party’s privacy policy before interacting with its content.

If we engage a third-party Processor to Process your Personal Data, we will conclude a data processing agreement and sufficient guarantees as required by the Applicable Privacy Laws with such third-party Processor so that the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data; together with any additional requirements under Applicable Privacy Laws.  In all cases, KLDiscovery is primarily liable for the acts and omissions of such third parties to whom KLDiscovery has entrusted personal data. KLDiscovery shall ensure that all such third parties maintain security and data handling measures to standards prescribed by KLDiscovery prior to transferring such personal data to the applicable third party.

We may anonymize Personal Data about the use of the Websites (e.g., by recording such data in an aggregated format) and share such anonymized data with our business partners (including third party business partners).

(D) International transfer of Personal Data

Because of the international nature of our business, we may need to transfer your Personal Data within the KLDiscovery Group, and to third parties as noted in Section (C) above, in connection with the purposes set out in this Policy. For this reason, we may transfer your Personal Data to other countries that may have lower standards for data protection than the EU due to different laws and data protection compliance requirements to those that apply in the country in which you are located.

Where we transfer your Personal Data to other countries, we do so, where required, on the basis of the applicable European Union Standard Contractual Clauses and, where relevant, the appropriate amendments to incorporate compliance with English and Swiss law. You may request a copy of our Standard Contractual Clauses using the contact details provided in Section (P) below.

Transfers of Personal Data to the United Kingdom on the basis of the Adequacy Decision dated 28 June 2021

On 28 June 2021, the European Commission determined that the United Kingdom, following its withdrawal from the European Union and becoming a “third country” from December 31, 2020, ensures an adequate level of protection within the meaning of Article 45 of the General Data Protection Regulation 2016/679 (“GDPR”) (the “Adequacy Decision”) and that the United Kingdom benefits from such decision in relation to transfers of Personal Data to the United Kingdom. 

Where we transfer your Personal Data from the European Union, Switzerland or another member of the EEA to the United Kingdom in connection with the purposes set out in this Policy, from the date of the Adequacy Decision, we will do so on the basis of the Adequacy Decision.

(E) Accreditation from U.S. Department of Commerce

KLDiscovery complies with the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (the “Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. KLDiscovery has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (the “EU-U.S. DPF Principles”) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. KLDiscovery has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (the “Swiss-U.S. DPF Principles”) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Pursuant to the Data Privacy Framework Principles, KLDiscovery attests to the following:

• We are subject to the jurisdiction and enforcement authority of the U.S. Federal Trade Commission;
• We remain liable in the onward transfer of Personal Data to agent third parties unless we can prove we were not a party to the event giving rise to the damages;
• We may be required release Personal data in response to lawful requests by public authorities including to meet national security and law enforcement requirements; and
• We acknowledge the right of European Union, United Kingdom and Swiss individuals to access their information that is transferred into the United States and to update, amend or correct inaccurate or outdated information.  Furthermore, said individuals can delete Personal Data that has been handled in violation of the DPF Principles.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, KLDiscovery commits to resolve complaints about our collection or use of your Personal Data transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. European Union, United Kingdom and Swiss individuals with inquiries or complaints should first contact KLDiscovery using the contact information set out in Section P.   

KLDiscovery has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf

(F) Data Security & Confidentiality

We have implemented appropriate technical and organizational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of Processing, in accordance with Applicable Privacy Laws. Further, as required under Applicable Privacy Laws, we only process your Personal Data subject to all contractual requirements of confidentiality, imposing equivalent measures upon employees and subcontractors with access to such Personal Data.

Because the internet is an open system, the transmission of information via the internet is not completely secure. Although we will implement all reasonable measures to protect your Personal Data, we cannot guarantee the security of your data transmitted to us using the internet – any such transmission is at your own risk, and you are responsible for ensuring that any Personal Data that you send to us are sent securely.

(G) Data Accuracy

We take every reasonable step to ensure that:

• your Personal Data that we Process are accurate and, where necessary, kept up to date; and
• any of your Personal Data that we Process that are inaccurate (having regard to the purposes for which they are Processed) are erased or rectified without delay.

From time to time we may ask you to confirm the accuracy of your Personal Data.

(H) Data Minimisation

We take every reasonable step to ensure that your Personal Data that we Process are limited to the Personal Data reasonably required in connection with the purposes set out in this Policy (including the provision of Services to you).

(I) Data Retention

We take every reasonable step to ensure that your Personal Data is only Processed for the minimum period necessary for the purposes set out in this Policy. We will retain copies of your Personal Data in a form that permits identification only for as long as:

• we maintain an ongoing relationship with you (e.g., where you are a user of our services, or you are lawfully included in our mailing list and have not unsubscribed);
• your Personal Data are necessary in connection with the lawful purposes set out in this Policy, for which we have a valid legal basis (e.g., where your personal data are included in a contract between us your employer, and we have a legitimate interest in processing those data for the purposes of operating our business and fulfilling our obligations under that contract); or
• we receive your consent to store the data for a longer period of time (e.g., in the case of application documents for a later job offer).

Additionally, we will retain Personal Data for the duration of:

• any applicable limitation period under Applicable Privacy Laws (i.e., any period during which any person could bring a legal claim against us in connection with your Personal Data, or to which your Personal Data may be relevant); and
• an additional two (2) month period following the end of such applicable limitation period (so that, if a person brings a claim at the end of the limitation period, we are still afforded a reasonable amount of time in which to identify any Personal Data that are relevant to that claim),

In the event any relevant legal claims are brought, we may continue to Process your Personal Data for such additional periods as are necessary in connection with that claim.

During the periods noted above in relation to legal claims, we will restrict our Processing of your Personal Data to storage of, and maintaining the security of, the Personal Data, except to the extent that the Personal Data needs to be reviewed in connection with any legal claim, or any obligation under applicable law.

Once the periods above, each to the extent applicable, have concluded, we will either: (i) permanently delete or destroy the relevant Personal Data; or (ii) anonymize the relevant Personal Data.

(J) Your legal rights

Subject to Applicable Privacy Laws, you may have a number of rights regarding the Processing of your Personal Data, including:

• the right not to provide your Personal Data to us (however, please note that we will be unable to provide you with the full benefit of our Websites or Services, if you do not provide us with your Personal Data – e.g., we might not be able to process your requests without the necessary details);
• the right to request access to, or copies of, your Personal Data that we Process or control, together with information regarding the source, purpose and nature of processing and disclosure of those Personal Data;
• the right to request rectification of any inaccuracies in your Personal Data that we Process or control;
• the right to request, on legitimate grounds:
  • erasure/deletion of your Personal Data that we Process or control; or
  • restriction of Processing of your Personal Data that we Process or control;
• the right to object, on legitimate grounds, to the Processing of your Personal Data by us or on our behalf;
• the right to have your Personal Data that we Process or control transferred to another Controller, to the extent applicable and in a structured, commonly used and machine-readable form;
• the right to know the Personal Data held by KLDiscovery and details of the collection of the same, no more than twice in any 12 (twelve) month period;
• the right to withdraw your consent to Processing, where the lawfulness of processing is based on consent (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
• the right to lodge complaints with a Data Protection Authority regarding the Processing of your Personal Data by us or on our behalf. Addresses of Authorities can be found on: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

This does not affect your statutory rights. We do not discriminate against you for any exercise of your rights provided for under Applicable Privacy Laws. We reserve our rights for verification of your identity in the event that you exercise any such rights under Applicable Privacy Laws.

IMPORTANT NOTICE

Subject to Applicable Privacy Law, you may also have the following additional rights regarding the Processing of your Personal Data:

• the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR; and
• the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Policy, or about our Processing of your Personal Data, please use the contact details provided in Section (P) below.

If we are providing you with Services based on orders, such provision of Services is regulated by contractual terms provided to you. In case of discrepancies between such terms and this Policy, this Policy is supplementary.

(K) Cookies and Similar Technologies

A cookie is a small file that is placed on your device when you visit a website (including our Websites). It records information about your device, your browser and, in some cases, your preferences and browsing habits. We may Process your Personal Data through cookie technology, in accordance with our Cookie Policy, which also describes how our Cookie Consent Tool works.  Using our Cookie Consent Tool, you are able to approve or reject the setting of cookies that are not strictly necessary.      

(L) Analysis Tools and Tools by Third-Party Providers

There is a possibility that your browsing patterns will be statistically analysed when your visit this website. Such analyses are performed primarily with what we refer to as analysis programs. You can find detailed information about these different analysis programs here: Use of Third-Party Tools.

(M) Use of Social Media

We do not use Social Media plug-ins on our Website. Social Media websites can only be reached via links from our Website. Therefore, no Personal Data is transmitted to any Social Media website when visiting our Website.  You can find detailed information about our use of Social Media here: Use of Social Media.

(N) Terms of Use

All use of our Websites is subject to our Terms of Use. We recommend that you review our Terms of Use regularly, in order to review any changes we might make from time to time.

(O) Direct Marketing

Subject to applicable law, where you have provided explicit consent in accordance with the applicable law or where we are sending you advertising and marketing communications relating to our similar products and services, we may Process your Personal Data to contact you via email, telephone, direct mail or other communication formats to provide you with information or Services that may be of interest to you. If we provide Services to you, we may send information to you regarding our Services, upcoming promotions and other information that may be of interest to you, using the contact details that you have provided to us and always in compliance with applicable law.

You may unsubscribe from our promotional email list or newsletters at any time by simply clicking on the unsubscribe link included in every email or newsletter we send. After you unsubscribe, we will not send you further emails, but we may continue to contact you to the extent necessary for the purposes of any Services you have requested.

(P) Details of Controllers

The Controllers in respect of whom this policy is issued are as follows:

Please note that, where a Controller is listed outside the European Union, you may contact the entity in your jurisdiction.

(Q) Representatives

Each of the controllers established outside the EEA and listed in Section (P) above has appointed KLDiscovery Ontrack GmbH, Hanns-Klemm-Str. 5, 71034 Böblingen, Germany to be its representative the purposes of Article 27 of the GDPR. 

Each of the controllers established outside the UK and listed in Section (P) above has appointed KLDiscovery Limited, Nexus, 25 Farringdon Street, London, EC4A 4AB to be its representative the purposes of Article 27 of the UK GDPR.

(R) Definitions

• ‘Applicable Privacy Laws’ means, jointly, the GDPR, UK GDPR, California’s Consumer Privacy Act as subsequently amended by the California Privacy Rights Act (commonly referred to as “CCPA”/ “CPRA”), the Virginia Consumer Data Protection Act (commonly referred to as “VCDPA”), the Colorado Privacy Act (commonly referred to as “CPA”), the Utah Consumer Privacy Act (commonly referred to as “UCPA”), and the Connecticut Data Privacy Act (commonly referred to as “CTDPA”).
• ‘Controller’ means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws.
• ‘Data Protection Authority’ means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.
• ‘EEA’ means the European Economic Area.
• “GDPR” means the General Data Protection Regulation (EU) 2016/679.
• ‘Personal Data’ means information that is about any individual, or from which any individual is directly or indirectly identifiable in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
• ‘Process’, ‘Processing’ or ‘Processed’ means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• ‘Processor’ means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller).
• ’Services' means any services or products provided by KLDiscovery.
• ‘Sensitive Personal Data’ means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that may be deemed to be sensitive under applicable law.
• “Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission.
• ”UK GDPR“ means the GDPR as it forms part of the laws applicable in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as applied and modified by Schedule 2 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) or as modified time to time by other laws applicable in the UK).

December 1, 2023