MFXCHANGE US, INC. SAFE HARBOR PRIVACY STATEMENT
About The Safe Harbor
MFXchange US, Inc. complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. MFXchange US, Inc. has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view MFXchange US, Inc.’s certification, please visit http://export.gov/safeharbor/.
This Statement governs European Personal Data transferred from countries in the EU or Switzerland to the United States on behalf of MFX or its customers. It applies to European Personal Data in electronic and off-line formats.
“European Personal Data” means information that can directly or indirectly lead to the identification of a living person, such as an individual’s name, address, e-mail, telephone number, license number, social security number, medical identification number, photograph, or other identifying characteristic. The identification can occur by reference to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity. European Personal Data does not include information that has been anonymized, encoded or otherwise stripped of its identifiers, or information that is publicly available, unless combined with other non-public personal information.
Safe Harbor Privacy Principles
The following privacy principles apply to the transfer, collection, use or disclosure of European Personal Data from countries in the EU or Switzerland by MFX.
Where MFX collects personal information directly from an individual in the EU or Switzerland, it will inform the individual about the purposes for which it collects and uses personal information about them and the choices and means, if any, MFX offers the individual for limiting the use and disclosure of their personal information.
Where MFX receives personal information from its subsidiaries or affiliates, it will use and disclose such information in accordance with the notices provided by such subsidiaries or affiliates and the choices made by the individuals to whom such personal information relates.
Where MFX collects personal information directly from an individual in the EU or Switzerland, it will offer individuals the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
Purpose of Collection and Use of European Personal Data
MFX may receive European Personal Data from its customers for purposes of providing services to its customers. Where permitted by law or contract, MFX may also disclose such data to its subsidiaries, affiliates, business partners and independent contractors for the same purposes. In such instances, MFX obtains promises from its subsidiaries, affiliates, business partners and independent contractors that such entities will use and disclose the European Personal Data for purposes of MFX services only.
In connection with providing the services, MFX may collect passwords, user names, and other data from customer networks, which may incidentally include European Personal Data, for the exclusive purposes of performing the services on behalf of its customers. MFX will control the European Personal Data it receives from its customers as the European Personal Data is securely transmitted to MFX by its customers’ network assets. The European Personal Data is merely stored and processed by MFX at the request of its customers, and customers are informed that the data may be transmitted outside the EU or Switzerland. Customers are responsible for warranting that they have the full authority to transmit such European Personal Data to MFX for purposes of the services. At all times with respect to European Personal Data collected on behalf of its customers, and not for any other purpose under US federal or state law, MFX acts as a mere “data processor” (as that term is defined under applicable EU or Swiss law or otherwise referred to under the Safe Harbor program as an “agent”).
Security, Data Integrity and Access
MFX takes commercially reasonable precautions to protect European Personal Data from loss, misuse and unauthorized access, disclosure, alteration, and destruction.
MFX has established internal mechanisms to verify its ongoing adherence to this Statement. MFX also encourages individuals covered by this Statement to raise any concerns about its processing of their personal information by contacting MFX’s Data Privacy Officer at the address below. MFX will seek to resolve any concerns. MFX will participate in dispute resolution through the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA).
To the extent necessary or appropriate, and consistent with its role as a data processor, MFX makes commercially reasonable efforts to keep data, including European Personal Data, reliable for its intended use, accurate, current and complete.
As a data processor, MFX has no direct relationship with the individuals whose European Personal Data may be included in the data processed by MFX. Individuals, who may be MFX’s customers’ customers or employees, seeking to correct, amend or delete European Personal Data included in the data should first contact their company’s representative (i.e., MFX’s customer), the data controller, who provided the data to MFX. MFX’s customer will then provide access to the individual as determined under the applicable local data protection law, and MFX will cooperate with its customer per the established contractual arrangements.
MFX will only transfer European Personal Data to third parties where the third party (a) has provided satisfactory assurances to MFX that it will protect the information consistently with this Statement; or (b) is located in the EU or Switzerland, or a country considered “adequate” for privacy by the EU Commission or Swiss Federal Data Protection and Information Commissioner, and therefore is required to comply with the EU or Swiss data protection laws or substantially equivalent privacy laws depending upon where the personal information originated; or (c) the third party has also certified to the Safe Harbor program, and is accordingly independently responsible for complying with the Safe Harbor requirements.
Where MFX has knowledge that a third party to whom it has provided European Personal Data is processing such European Personal Data in a manner contrary to this Statement or the Safe Harbor requirements, MFX will take reasonable steps to prevent or stop the processing. Consistent with the Safe Harbor requirements, MFX may not be in a position to furnish notice in certain limited situations. Specifically, notice is not required where the processing of European Personal Data is necessary to respond to a government inquiry; is required by applicable laws, court orders or government regulations; or is necessary to protect MFX’s legal interests and providing notice would interfere with those interests.
MFX has established procedures for periodically verifying implementation of and compliance with the Safe Harbor principles. We conduct an annual self-assessment of our practices with respect to European Personal Data to verify that representations we make about our European Personal Data privacy practices are true and that related policies have been implemented as represented.
MFX may also disclose European Personal Data as necessary in connection with the sale or transfer of all or part of its business. In situations where MFX discloses European Personal Data to any third parties acting as “agents” on behalf of MFX, MFX will require the recipient to protect the European Personal Data in accordance with the relevant principles of the Safe Harbor program, or otherwise take steps to ensure that the European Personal Data is appropriately protected. MFX may also disclose European Personal Data where required or permitted by law, where MFX believes that such disclosures are appropriate in connection with a law enforcement request or otherwise permitted by the Safe Harbor program, or in order to investigate, prevent, or take action regarding illegal activities or suspected fraud, or enforce, administer or apply MFX’s agreements.
If you have any questions about this Statement, or if you would like to request access to European Personal Data that MFX may maintain about you, please contact MFX at Privacy@mfxfairfax.com or in writing at:
MFXchange US, Inc., Attention: Privacy Officer, 412 Mt Kemble Avenue, Suite 200, Morristown, NJ 07960
Any questions regarding this Statement and MFX’s adherence to the Safe Harbor principles should first be directed to the MFX contact above. If you do not receive acknowledgment of your inquiry or your inquiry has not been satisfactorily addressed, you may then contact the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA).
©2016 MFX all rights reserved.