Privacy Shield Policy

EU-U.S. PRIVACY SHIELD AND SWISS-U.S. PRIVACY SHIELD POLICY

Our Commitment to Privacy Pursuant to the EU-U.S. and Swiss-U.S. Privacy Shield Framework

Amber Road, Inc. and its affiliates (collectively, “Amber Road”) has chosen to voluntarily participate in the Privacy Shield program, to certify its adherence to, and to comply with, the EU-U.S. and Swiss-U.S. Privacy Shield Framework (“Privacy Shield”) and its Principles, including the Supplemental Principles (collectively, the “Principles”), as set forth by the U.S. Department of Commerce. Amber Road has certified to the Department of Commerce that it adheres to the Principles. This Privacy Shield Policy applies to the processing of Personal Data (as defined below) that Amber Road obtains from customers located in the European Union and Switzerland (i.e., transfer of Personal Data between the United States and the EEA and Switzerland). This Privacy Shield Policy does not cover any information or data collected by Amber Road through its website or for other purposes, such as information collected for marketing purposes. Please refer to the website Privacy Policy for more details. If there is any conflict between the terms of this Privacy Shield Policy and the Principles, the Principles shall govern. Amber Road is eligible to participate in Privacy Shield because it falls under the jurisdiction of the Federal Trade Commission (“FTC”). To learn more about the Privacy Shield program and the Principles, and to view Amber Road’s certification, please visit www.privacyshield.gov.

This Privacy Shield Policy outlines Amber Road’s general policy and practices for implementing the Principles, including: (a) the types of Personal Data Amber Road receives from its customers, end users, partners, suppliers, vendors and employees (applicant, current and former), (b) how that Personal Data is collected, used, disclosed and transferred, and (c) individuals’ choices regarding the accuracy, retention, destruction and use of their Personal Data.  In implementing this Privacy Shield Policy, Amber Road has agreed to subject its compliance to the full breadth of regulatory enforcement of the FTC or any other statutory body empowered to enforce compliance with the Principles. Amber Road will only display its EU-U.S. and Swiss-U.S. Privacy Shield certification marks or make other references to its compliance when it is in compliance with the Principles. Evidence of Amber Road’s participation can be found at: www.privacyshield.gov/list.

Amber Road collects, uses, discloses, transfers and otherwise processes data, including Personal Data, in several ways. Amber Road uses the Personal Data collected for four basic purposes: (a) to operate Amber Road’s business, such as when a customer subscribes to and uses our global trade management products or services and certain data is input and stored in our software applications, (b) to process transactions for the sale and support of Amber Road’s products or services, (c) to provide and support the products and services Amber Road offers and sells, and (d) to send certain communications, including promotional communications.  Amber Road also collects, uses, and processes human resources data in the context of an employment relationship with its current employees, applicants and former employees, as further described herein.

Amber Road shares Personal Data with consent or internally as necessary to complete any transaction or provide any product or service requested or authorized.  We do not transfer Personal Data to any unaffiliated third parties.  

This Privacy Shield Policy supplements, but does not replace, all other policies, practices and procedures at Amber Road, including any confidentiality agreements, privacy notices or other agreements, as well as applicable laws.  Amber Road affirms that while it understands that certification to Privacy Shield is voluntary, effective compliance is compulsory.  The Principles apply to Amber Road immediately upon certification.

Amber Road remains responsible and liable under the Principles if third party agents that it engages to process Personal Data on its behalf do so in a manner inconsistent with the Principles, unless Amber Road proves that it is not responsible for the event giving rise to the damage.

Definitions

“Personal Data” means information that is: (a) within the scope of the EU Data Protection Directive (95/46/EC) or General Data Protection Regulation as applicable, (b) received in the U.S. from the EU, EEA or Switzerland, and (c) recorded in any form. The type of Personal Data Amber Road collects depends on the products, services and features used, and can include the following:

  • first and last name
  • home or mailing address
  • email address
  • telephone number
  • IP address
  • business contact information
  • business title or position with the company
  • professional life data

Personal Data collected may also include data pertaining to a client’s employees, business partners, vendors, suppliers, contact people or authorized users of the Amber Road products or services.

“Sensitive Information” means Personal Data that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or other information about an individual’s health.

Application of the Privacy Shield Principles

Amber Road collects a variety of information, including Personal Data, which Amber Road maintains in accordance with the Principles as described below.

Notice

Amber Road shall provide clear and conspicuous notice to inform individuals of the types of Personal Data it collects, uses and retains, and the types of third parties to which Amber Road may disclose that Personal Data.

Choice

In instances where Amber Road is a data importer, it shall provide the individual with the choice and means for limiting the use and disclosure of their Personal Data.  Subject to the limitations in the Principles and Supplemental Principles, individuals have the right to choose (opt out) whether their Personal Data is: (a) to be disclosed to a third party, or (b) to be used for a purpose materially different than the purpose for which it was originally collected or subsequently authorized.  Individuals may send opt out requests to privacy@amberroad.com.

Onward Transfers

Amber Road does not disclose Personal Data to third parties except in accordance with the Principles, including as required by law, necessary in the operation of its business, required to provide its products or services, compelled by tribunals, courts, or government agencies, or as otherwise required, including to meet national security or law enforcement requirements.

Amber Road shall ensure that any third party to which Personal Data may be disclosed subscribes to the Principles or is subject to law providing the same level of privacy protection as is required by the Principles and agrees in writing to provide an adequate level of privacy protection.

In cases of onward transfer of Personal Data to third parties, Amber Road is potentially liable for the acts or omissions of its third-party processors or sub-processors.

Data Security

Amber Road shall only process Personal Data in a way that is compatible with and relevant for the purpose(s) for which it was collected or authorized. Amber Road shall take reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction.  Amber Road has implemented appropriate physical, electronic and administrative procedures to safeguard and secure Personal Data.  Amber Road employs industry standard encryption for transmitting data, as appropriate; however, Amber Road cannot guarantee the security of information on or transmitted via the Internet.

Purpose Limitation & Data Integrity

Amber Road agrees to process Personal Data consistent with the purposes for which it was collected or authorized by an individual.  To the extent practical, Amber Road will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete and current.  If an individual would like to access or update Personal Data, the individual may contact Amber Road using the contact information below.  Individuals will be required to sufficiently verify their identity.

Access

In instances where Amber Road is a data importer, individuals may access their Personal Data to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual, is required to be unaltered and/or retained for legitimate employment-related purposes, or as otherwise restricted by law.  Individuals may contact Amber Road using the contact information below.

Recourse, Accountability and Enforcement

Amber Road provides mechanisms for assuring its compliance with the Principles.  Amber Road uses a self-assessment approach and, at least once a year, will certify that this Privacy Shield Policy is accurate, comprehensive, prominently displayed, implemented, and in conformity with the Principles.

Amber Road will monitor adherence to the Principles and address questions and concerns regarding its adherence.  Personnel who violate Amber Road’s privacy policies could be subject to a disciplinary process.

Individuals may raise any complaints by contacting Amber Road using the contact information below.  Amber Road will respond to an individual complaint within 45 days.  If an issue cannot be resolved by Amber Road’s internal dispute resolution mechanism, Amber Road has chosen the American Arbitration Association’s international division, the International Centre for Dispute Resolution (“AAA/ICDR”) to be its independent recourse mechanism for Privacy Shield.  Amber Road agrees to be bound by any decision of AAA/ICDR.  To address complaints, individuals may contact:

Jason Cabrera (Amber Road’s International Liaison to AAA/ICDR)

International Centre for Dispute Resolution

A Division of the American Arbitration Association

120 Broadway, 21st Floor

New York, New York 10271

(Tel) +1 212 484 3207

(Fax) +1 646 663 3080

This service is provided at no cost to the individual.  For more information regarding the AAA/ICDR, please see http://info.adr.org/safeharbor/.  In the event that Amber Road or AAA/ICDR determines that Amber Road did not comply with this Privacy Shield Policy, Amber Road will take appropriate steps to address any adverse effects and to promote future compliance.  Under certain circumstances, individuals may invoke binding arbitration before the Privacy Shield Panel for residual claims not otherwise resolved.  In the event Amber Road becomes subject to an order for non-compliance with the Principles, Amber Road shall make public any relevant sanctions or other findings.  Any human resources data complaints can be addressed to the relevant DPA directly.  Amber Road will cooperate with EU data protection authorities (“DPAs”) and comply with any decision of a DPA.  Please contact Amber Road (see contact information below) to be directed to the relevant DPA.

Limitation of the Application of the Principles

Adherence by Amber Road to the Principles (and this Privacy Shield Policy) will be limited as explicitly permitted by the Principles: (a) to the extent necessary to meet national security, public interest or law enforcement requirements, or (b) by statute, government regulation or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, Amber Road’s non-adherence is limited to the extent necessary to meet the overriding legitimate interests.  Where the option is allowable under the Principles and/or U.S. law, Amber Road will opt for the higher protection where reasonably possible.

Adherence to the Supplemental Principles

Amber Road will adhere to the Supplemental Principles:

1.     Sensitive Data.  Amber Road may obtain Sensitive Information such as medical or health information, religious beliefs, or ethnic information.  Certain portions of the Sensitive Information may not require affirmative consent because the processing is necessary: (a) to carry out Amber Road’s employment law obligations, (b) because it is in the vital interest of the individual or another person, (c) for the defense of legal claims, or (d) manifestly made public by the individual.

2.     Journalistic Exceptions.  Amber Road does not engage in journalistic activity.

3.     Secondary Liability.  Amber Road may, as a conduit for or on behalf of others, transmit, route, switch or cache information such that the secondary liability exception applies. 

4.     Performing Due Diligence and Conducting Audits.  Amber Road may conduct due diligence, investigations or audits on its behalf and such activities may require the processing of Personal Data without knowledge of the individual, to the extent required for the legitimate interests of Amber Road.  If Amber Road sells or divests all or part of its business, makes a transfer of assets or otherwise becomes involved in a change of control transaction, or in the unlikely event of bankruptcy, Amber Road may transfer Personal Data covered by this Privacy Shield Policy to one or more third parties as part of the transaction including the due diligence process.

5.     The Role of Data Protection Authorities.  In connection with both human resources and non-human resources Personal Data, Amber Road has committed to adhere to the Principles.  Amber Road shall cooperate with DPAs as the recourse mechanism for complaints related to human resources data.  Amber Road will comply with any advice given by the DPAs in accordance with the Principles.

6.     Self-Certification.  Amber Road will self-certify its Privacy Shield compliance in accordance with the U.S. Department of Commerce’s protocols.

7.     Verification.  Amber Road will verify its Privacy Shield compliance through self-assessment.  Further, Amber Road will audit its compliance with Privacy Shield.  Amber Road will provide training regarding this Privacy Shield Policy to its personnel who may have access to Personal Data.  Amber Road will retain its records on the implementation of Privacy Shield and make them available as required.

8.     Access.  Amber Road understands that the right of access is fundamental to privacy protection. Amber Road provides adequate mechanisms for access as stated herein.  However, the right of access may be restricted in exceptional circumstances where the legitimate rights of a person other than the individual requesting access would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question.

9.     Human Resources Data.  Amber Road collects, uses and processes human resources data in the context of an employment relationship with its current employees, applicants and former employees.  Amber Road will respect the national laws of the EU country where the information was collected or processed prior to transfer and will further respect any conditions for or restrictions pertaining to transfer.

10. Obligatory Contracts for Onward Transfers.  Amber Road shall ensure that a contract is in place between it and any third party entity or agent that participates in an onward transfer of Personal Data.  The contracts will specify that such Personal Data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as stated in the Principles.

11.   Dispute Resolution and Enforcement.  Amber Road meets its obligations for dispute resolution and enforcement by enrolling with AAA/ICDR and by cooperating with the FTC and the U.S. Department of Commerce.

12. Choice – Timing of Opt-Out.  Amber Road will comply with the choice Principle as set forth above.

13. Travel Information.  This Principle does not apply to Amber Road because Amber Road does not transfer travel information.

14. Pharmaceutical and Medical Products.  This Principle does not apply to Amber Road because Amber Road is not engaged in any processing with respect to pharmaceutical or medical products or services.

15. Public Record and Publicly Available Information.  Amber Road will apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability, to Personal Data collected from publicly available sources and public records.

16. Access Requests by Public Authorities.  Amber Road will comply with lawful requests for information from law enforcement and national security agencies.

Amber Road Contact Information

Any questions, inquiries or complaints regarding this Privacy Shield Policy or Amber Road’s participation and compliance with Privacy Shield may be directed to:

Brad Holmstrom, Privacy Officer

Amber Road, Inc.
privacy@amberroad.com

Tel: (201) 935-8588

Complaints about Amber Road’s adherence to the Principles may also be directed to the FTC.

Last Updated: April 12, 2017
