EU-US Data Privacy Framework and the UK Extension to the EU-U.S. DPF Statement

Crawford Communications Group, including its subsidiaries referenced below, (collectively “Crawford Group ”) complies with the EU-US Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the United States Department of Commerce. Crawford Group has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union (EU) in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. The Federal Trade Commission has jurisdiction over Crawford Group’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF. To learn more about the Data Privacy Framework (DPF) program, please visit: https://www.dataprivacyframework.gov/.

Definitions

The following definitions apply for purposes of this Privacy Statement:

“Affiliate” means a legal entity that controls, is controlled by, or is under common control with Crawford Communications Group, but only while that control relationship exists; “control” means the direct or indirect ownership or control of 50% or more of the stock or other equity interest entitled to vote for the election of directors or equivalent governing body.

“Personal Data” means data received by Crawford Group in any form or medium (i.e., electronic, paper, etc.) that either identifies an individual, or can be used to identify an individual.

“Principles” means the EU-U.S. DPF Principles.

“Sensitive Data” means Personal Data that specifies medical or health conditions, personal sexuality, racial or ethnic origin, political opinions, religious, ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions (which are treated outside pending proceedings).

Scope

This Privacy Statement applies only to Personal Data, other than Human Resources Data, transferred pursuant to the Data Privacy Framework (DPF) program. All such Personal Data is subject to the Principles. “Human Resources Data” refers to Personal Data about employees, past or present, collected in the context of the employment relationship. Our privacy policy dealing with Human Resources Data is entitled “Crawford Group Employee Data Privacy Policy” and is available to employees on our organization’s intranet, via email distribution or by such other means as Crawford Group may deem reasonable.

Please note, except as set forth herein, Crawford Group generally provides services to entities that involve the processing of data on the entities’ behalf. Accordingly, when Crawford Group acts in such a capacity, it is acting as an agent and/or on behalf of the customer entity, and the customer entity, rather than Crawford Group, owns and/or controls the Personal Data. Therefore, to the extent Crawford Group receives Personal Data from a customer entity in this context, it is relying on the customer entity’s compliance with any applicable law governing the privacy and security of Personal Data with respect to the manner in which the Personal Data has been collected from individuals by the customer entity and the uses or disclosures of the Personal Data that are permitted or required to be made pursuant to law or the contract with the customer entity. Any distinction in this Privacy Statement with respect to the applicability of a standard when Crawford Group is acting as an agent and/or on behalf of a customer entity is noted below.

Types of personal data collected

Crawford Group collects Personal Data from individuals who visit our public and customer-facing websites (“EU or UK Website Visitors”), and from certain corporate customers, suppliers and business partners in connection with the services we provide (“EU or UK Business Contacts”). Crawford Group also collects from time-to-time Personal Data available on public websites or directly from other third-parties relevant to products and services offered by Crawford Group (“EU or UK Third-Parties”).

The following types of Personal Data may be collected by Crawford Group from EU or UK Website Visitors, Business Contacts and Third-Parties:

  • company information;
  • activities, interactions, preferences, and other computer and connection information (such as IP addresses) relating to the use of our websites and services;
  • cookies and information collected by similar technologies that gather statistical data on how users use our websites;
  • images, photographs and voice recordings
  • names, addresses and usernames in connection with the services we provide;
  • resume and applicant information for those applying to job openings;
  • contact information; and
  • financial and billing information.

 

Purposes of collection and use

Crawford Group collects and uses Personal Data of EU or UK Website Visitors, Business Contacts and Third-Parties as permitted by law, including for the following purposes:

  • to provide products and services as well as support to our customers;
  • to personalize our customers’ experience with Crawford Group;
  • to keep our customers informed of our products and services that may be of interest;
  • to gather demographic data and aggregate such data for trends and statistical purposes;
  • to communicate with corporate suppliers and business partners about business matters; and
  • to invoice, collect and remit payments to EU Business Contacts.

We reserve the right to transfer and/or sell aggregate data collected as indicated above for lawful purposes.

How we share personal data we collect

Crawford Group may share Personal Data collected about individuals or companies in the EU or UK with third parties only in the ways that are described in this Privacy Statement or as otherwise permitted by applicable law. We may share your Personal Data with our Affiliates, subsidiaries, and contractors. We also sometimes hire other companies to provide certain business-related functions (“Service Providers”). These Service Providers have access to Personal Data as necessary to provide their respective services to us.

We also may disclose Personal Data: (a) in response to a lawful request by public authorities, such as to comply with a subpoena, or similar legal process, including to meet national security or law enforcement requirements; (b) under a good faith belief that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud or respond to a government request; (c) in connection with a corporate sale, merger, reorganization, dissolution or similar event (in this case, Personal Data may be a part of assets transferred from our company to the acquiring company); and (d) to any third-party as set forth herein or with your prior consent to do so.

Notice

In the event Crawford Group collects Personal Data directly from individuals in the EU or UK it shall inform the individuals of (i) the purpose for which it collects and uses the Personal Data; (ii) the types of third parties to which Crawford Group discloses or may disclose the Personal Data; (iii) the choices and means Crawford Group offers individuals for limiting the use and/or disclosure of the Personal Data; and (iv) how to contact Crawford Group with any inquiries or complaints concerning the use or disclosure of the Personal Data. Crawford Group shall provide this notice in clear and conspicuous language when the individuals are first asked to provide the Personal Data to Crawford Group or as soon thereafter as is practicable, but in any event before Crawford Group uses such information for a purpose other than that for which it was originally collected.

In the event Crawford Group is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data directly from the individual who is the subject of the information, it will use or disclose such information only to the extent permitted or required by law or the customer entity pursuant to the contract with the customer entity.

Crawford Group may collect or receive Personal Data from individuals, such as employees of its customers, in the course of providing or prospecting its services to its customers, and Crawford Group may use and/or disclose such information in furtherance of providing or prospecting its services or for purposes of Crawford Group’s business operations.

Choice

In the event Crawford Group collects Personal Data directly from individuals in the EU or UK, and unless an exception applies, it shall offer the individuals the opportunity to choose (opt-out) as to whether their Personal Data is (i) to be disclosed to a third-party (see “Onward Transfer” section below); or (ii) to be used for a purpose other than the purpose for which the Personal Data was originally collected or subsequently authorized by the individuals. For Sensitive Data Crawford Group collects directly from individuals in the EU or UK, and unless an exception applies, Crawford Group will provide individuals the opportunity to affirmatively or explicitly consent (opt-in) to the disclosure of the Sensitive Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individuals.

In the event Crawford Group is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data or Sensitive Data directly from the individual who is the subject of the information, it will use or disclose such information only to the extent permitted or required by law or the customer entity pursuant to the contract with the customer entity. Crawford Group shall treat information as Sensitive Data where it receives the information from a third party and the third-party treats and identifies the information as Sensitive Data.

Onward Transfer

In the event Crawford Group collects Personal Data directly from individuals in the EU or UK, in order to disclose such Personal Data to a non-Affiliate third-party, Crawford Group will apply the “Notice” and “Choice” principles described above. Where Crawford Group wishes to transfer such Personal Data from the EU or UK to a non-Affiliate third-party, unless an exception applies, it will (i) ensure that the third-party is contractually obligated to process the subject Personal Data only for limited, specific purposes consistent with the consent provided by the individual; and (ii) ensure that the third-party recipient provides at least the same level of privacy protection as is required by the relevant Principles and notify Crawford Group if it makes a determination that it can no longer meet this obligation. Crawford Group may potentially be liable if these requirements are not met.

In the event Crawford Group is acting as an agent and/or on behalf of a customer entity and does not receive Personal Information directly from the individual who is the subject of the information, it will use or disclose such information only to the extent permitted or required by law or the customer entity pursuant to the contract with the customer entity.

Security

Crawford Group shall take reasonable precautions to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration, and destruction.

Data Integrity

Crawford Group only processes Personal Information that is relevant to the products and services it provides and only for purposes compatible with those for which the Personal Data was collected, received, or otherwise authorized. To the extent necessary for such purposes, Crawford Group shall take reasonable steps to do either of the following: (i) where Crawford Group receives Personal Data directly from an individual, ensure that the Personal Data is accurate, complete and current, and is reliable for its intended use; or (ii) where Crawford Group is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data directly from an individual, notify the customer entity of any potential data integrity concerns known to Crawford Group.

Crawford Group will retain Personal Information for as long as it continues to serve the purposes for which it was collected, received, or otherwise obtained.

Access

In the event Crawford Group collects Personal Data directly from individuals in the EU or UK, Crawford Group shall allow individuals access to their Personal Data and permit individuals to correct, amend or delete inaccurate information, unless an exception applies, such as where the burden or expense of providing such access would be disproportionate to the risks to the privacy of the individuals in the case in question or where the rights of persons other than the individuals would be violated.

In the event Crawford Group is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data directly from the individual who is the subject of the information, it will cooperate with the customer entity and take any reasonable steps necessary to allow the customer entity to provide any requested access to the individual in accordance with the contract with the customer entity.

Recourse

Crawford Group uses a self-assessment approach to assure compliance with this Privacy Statement and periodically verifies that this Privacy Statement is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in adherence to the Principles.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Crawford Group commits to resolve DPF Principles-related concerns about our collection and use of your Personal Data. EU and UK individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Crawford Group using the contact information provided below, in which case Crawford Group will investigate and attempt to internally resolve any complaints and disputes regarding the use and disclosure of Personal Information within forty-five (45) days of an inquiry or complaint.

If you are an individual in the EU or UK and have utilized Crawford Group’s internal dispute resolution process, but your complaint or dispute remains unresolved, Crawford Group is committed to utilizing the independent dispute resolution process of the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA) based in the United States with respect to all unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF (except complaints regarding Human Resources Data). If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please contact the ICDR/AAA (free of charge) at https://www.icdr.org/dpf for more information on how to file a complaint. Note that in some limited cases with respect to compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, you may be able to invoke binding arbitration for complaints regarding EU-U.S. DPF and the UK Extension to the EU-U.S. DPF compliance not resolved by any of the other EU-U.S. DPF or the UK Extension to the EU-U.S. DPF mechanisms. For further information please see https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

 

Amendments

Crawford Group reserves the right to change this Data Privacy Framework Statement from time to time consistent with the Principles as well as applicable law. Crawford Group will post any revised policy on this website.

Contact Information

Questions, requests, comments or complaints regarding this Data Privacy Framework Statement can be mailed or emailed to:

Crawford Communications Group

51 E. Campbell Avenue, Suite 110-G

Campbell, CA. 95008

privacy@crawfordgroup.com

 

Last Updated: May 1, 2024