|
Introduction and Policy Statement
infoUSA Inc. ("infoUSA") respects individual privacy and strives to collect, use and disclose Personal Data in a manner consistent with the laws of the countries in which it does business, and prides itself on upholding the highest ethical standards in its business practices. infoUSA, founded in 1972 by Chairman and CEO Vinod Gupta with an initial investment of $100, is the leading compiler of several proprietary databases. These databases capture detailed information on the majority of businesses and consumer households in the United States and Canada. All of the above databases are compiled under one roof in Papillion, Nebraska. infoUSA employs over 600 full time employees to compile and update the databases from thousands of public sources such as yellow page directories, white page directories, newspapers, incorporation records, real estate deed transfers and various other sources. In addition, infoUSA provides data processing and analytic services for its customers. This Safe Harbor Privacy Policy (the "Policy") sets forth the privacy principles that infoUSA follows with respect to Personal Data transferred from the European Union (EU) to the United States. Accordingly, infoUSA will adhere to the Safe Harbor Principles and Frequently Asked Questions published by the U.S. Department of Commerce (collectively referred to as the "Principles") at http://export.gov/safeharbor/ with respect to all such data, and will self-certify to the U.S. Department of Commerce compliance with the Principles.
If there is any conflict between the policies in this statement and the Principles, the Principles will govern. This statement outlines the general policy and practices for implementing the Principles, including the types of information infoUSA gathers, how the information is used, and the choices affected individuals have regarding infoUSA's use of, and their ability to correct, that information.
Background
The EU adopted the Directive on Data Protection ("EU Directive"), which requires EU member states to adopt laws protecting Personal Data collected within their borders. These laws must, among other provisions, restrict the transfer of Personal Data only to countries that have data protection laws deemed "adequate" under standards established in the EU Directive. The U.S. Department of Commerce and the European Commission have agreed on the Principles to enable U.S. Companies to satisfy the requirement under EU law that adequate protection be given to Personal Data transferred from the EU to the U.S.
Definitions
"infoUSA" - means infoUSA Inc., a Delaware corporation, and its domestic and foreign subsidiaries, divisions, groups, and affiliates.
"Identifiable Person" - means a natural person that is or can be identified, directly or indirectly, as a particular person by reference to an identification number or to one or more aspects of the person's physical, physiological, mental, economic, cultural or social identity. Identifiable Persons may include any employee, applicant, former employee, or retiree of infoUSA, its operating divisions, or subsidiaries in the EU.
"Personal Data" - is any information about an Identifiable Person that
- is within the scope of the EU Directive;
- is received by infoUSA in the U.S. from the EU;
- is recorded in any form;
- is about, or pertains to, a specific individual; and
- can be linked to that individual.
Personal Data does not include information that is encoded, anonymized, or publicly available information that has not been combined with non-public Personal Data.
"Processing" - means any online, offline or manual processing and includes such activities as copying, filing, and inputting Personal Data into a database.
"Sensitive Data" - is data that pertains to medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation or any other data that is identified as "sensitive" by the Identifiable Person.
Publication
This Privacy Policy will be published on the web at http://infousa.com
Guidelines
1. Notice
Where infoUSA collects Personal Data directly from Identifiable Persons in the EU, it will inform them about the type of Personal Data collected, the purposes for which it collects and uses the Personal Data, the types of non-agent third parties to which infoUSA discloses or may disclose that information, and the choices and means, if any, infoUSA offers individuals for limiting the use and disclosure of their Personal Data. Notice will be provided in a clear and conspicuous language when individuals are first asked to provide Personal Data to infoUSA, or as soon as practicable thereafter, and in any event before infoUSA uses or discloses the information for a purpose other than that for which it was originally collected.
Where infoUSA receives Personal Data from their subsidiaries or operating divisions in the EU, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to which the Personal Data relates.
To the extent practical and appropriate, infoUSA collects Personal Data directly from the Identifiable Person. In those cases where infoUSA collects Personal Data from other persons, it takes measures to respect the privacy preferences of the Identifiable Persons. Examples of when infoUSA may seek information from others include, without limitation, evaluating employees, recruiting, benefit administration and succession planning.
2. Choice
Opt-Out Rights. infoUSA will offer Identifiable Person(s) the opportunity to choose (opt-out) whether their Personal Data is (a) to be disclosed to a non-agent third party or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. In addition, where consent of Identifiable Persons or their representatives is required by law, contract or agreement for the collection, use, or disclosure of Personal Data, infoUSA will request such consent and respect the Identifiable Person's choice in such matters.
In certain limited or exceptional circumstances, in accordance with the Safe Harbor Principles, infoUSA may disclose Personal Data without notice or the consent of the Identifiable Person. For example, this may occur when infoUSA is required to disclose information by law or legal process or in the vital interests of the Identifiable Person, such as when life or health are at stake.
Opt-In Requirement. Except as provided by the Safe Harbor Principles or applicable law, an Identifiable Person must give affirmative permission (opt in consent) before infoUSA will disclose Sensitive Data to a third party or use Sensitive Data for a purpose other than those for which it was originally collected or subsequently authorized by the Identifiable Person. infoUSA will provide Identifiable Persons with reasonable mechanisms to exercise their choices.
3. Onward Transfer
infoUSA may transfer Personal Data across state and country borders. infoUSA will comply with the provisions of this Privacy Policy in any such transfer.
4. Security
infoUSA takes commercially reasonable precautions to protect Personal Data against loss, misuse and unauthorized access, disclosure, alteration, destruction and theft.
These precautions include password protections for online information systems and restricted access to Personal Data. Employees are responsible for assisting to maintain security through safeguarding Personal Data, e.g., by protecting passwords used to access infoUSA computer systems, by keeping paper records under lock and key when not in use, and by disposing of files and reports no longer needed in a secure manner.
5. Data Integrity
infoUSA takes reasonable steps to keep Personal Data accurate, complete, and up-to-date. Each Identifiable Person is responsible for informing infoUSA or its EU subsidiaries of any changes in Personal Data so that the information that infoUSA possesses about him or her is accurate, complete and up-to-date. infoUSA retains Personal Data only as long as necessary to meet the purposes for which it was collected or as required by law, contractual agreement or the Safe Harbor Principles. infoUSA uses reasonable procedures, following retention guidelines, to ensure that it archives or destroys Personal Data no longer required for the purposes for which it was originally collected, unless otherwise agreed to by the Identifiable Person.
6. Access
infoUSA provides Identifiable Persons with a reasonable opportunity to examine their Personal Data, to challenge its accuracy and to have it corrected, amended or deleted as appropriate, subject to certain exceptions. Upon request, Identifiable Persons will be given reasonable access to the Personal Data infoUSA possesses about them. Reasonable access means that requests for access are made during normal business hours, following infoUSA standard procedures, and that the frequency of access requests is not excessive. If an Identifiable Person is denied access to Personal Data, infoUSA will provide such Identifiable Person with the reason(s) for denying access and a contact point for further inquiries.
If the Identifiable Person notifies infoUSA that the Personal Data on file is incorrect and provides infoUSA with appropriate supporting documentation, infoUSA will either correct the Personal Data or direct the Identifiable Person to the source of the information for correction. If, upon review, infoUSA believes that the existing Personal Data is correct, infoUSA will inform the Identifiable Person. If the Identifiable Person continues to dispute the accuracy of the Personal Data, infoUSA will note that dispute in the record of the Identifiable Person contained in the infoUSA database upon written request.
The Safe Harbor Principles provides for some exceptions to the obligation to provide access to Personal Data. Access to confidential or proprietary information, such as business reorganization or succession plans, or where granting access has to be balanced against the privacy interests of others, may be restricted. In addition, access may be denied
- when the information requested relates to an ongoing investigation, litigation or potential litigation,
- where the burden or expense of providing access would be disproportionate to the risks to the privacy of the Identifiable Person or
- when the rights of persons other than the Identifiable Person would be violated.
7. Enforcement and Dispute Resolution
Identifiable Persons may contact the Legal Department at infoUSA's Corporate Headquarters in Omaha, Nebraska, U.S.A. to submit data access requests, register complaints or address any other relevant issues under the Safe Harbor Principles. It is the responsibility of all employees to act in accordance with the Privacy Policy and obligations with respect to Personal Data. Failure to do so may result in disciplinary action, if warranted, up to and including termination of employment. infoUSA is committed to assisting Identifiable Persons in protecting their privacy and in exercising their rights under this Privacy Policy and applicable laws. Identifiable Persons making complaints or reporting potential violations of the Privacy Policy shall not be subject to any form of retaliation. In addition, report of potential violations may be made on an anonymous basis. For complaints that cannot be resolved between infoUSA and the complainant, infoUSA commits to cooperate with the Data Protection Authorities (DPAs) of the EU countries in the investigation and resolution of complaints and will comply with any advice given by DPAs.
8. Verification
infoUSA's privacy practices are self-certified annually to the U.S. Department of Commerce. The Chief Administrative Officer is responsible for:
- Ensuring that the privacy guidelines, programs, procedures, training and other measures necessary to implement the Privacy Policy are developed and put into practice;
- Overseeing responses to inquiries and resolutions of complaints relating to the privacy of Identifiable Persons;
- Working with infoUSA's legal department to ensure infoUSA's ongoing compliance with applicable privacy laws and agreements, as well as any obligations infoUSA may enter into voluntarily, such as the Safe Harbor Principles; and
- Overseeing annual assessments of infoUSA internal practices to ensure that they conform to the Privacy Policy and related company obligations.
Changes to this Safe Harbor Privacy Policy
This policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. A notice will be posted on infoUSA's web page www.infousa.com
EFFECTIVE DATE: April 1, 2006
|
