PRGX Global, Inc.
September 20, 2016
PRGX Global, Inc. and its subsidiaries and branches (collectively referred to in this Policy as “PRGX,” “we,” “our,” or “us”) are committed to respecting and protecting the privacy of individuals with whom we come into contact including our employees, our clients, our suppliers and vendors, our investors and those individuals who browse and use our websites. We believe in protecting individual rights with respect to the privacy of their personal information.
EU-U.S. PRIVACY SHIELD
PRGX is committed to and complies with the Principles of the EU-U.S. Privacy Shield program as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information of subjects in European Union member states. PRGX USA, Inc. has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access, Recourse, Enforcement and Liability. If there is any conflict between this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/. PRGX USA, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
U.S.-SWISS SAFE HARBOR FRAMEWORK
PRGX complies with the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and transfer of Personal Information from Switzerland. PRGX USA, Inc. has certified adherence to the U.S.-Swiss Safe Harbor Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. If there is any conflict between this Policy and the Safe Harbor Principles, the Safe Harbor Principles shall govern. To learn more about the U.S.-Swiss Safe Harbor Framework, and to view our certification page, please visit http://www.export.gov/safeharbor/.
Personal Information (“Personal Information”) is information that pertains to or is about any individual, and can be linked to or used to identify that individual. Personal Information does not include information that is encoded or publicly available information that has not been combined with non-public Personal Information. Personal Information does not include information that pertains to or is about a specific individual, but from which that individual could not reasonably be identified. Without prejudice to the foregoing, with respect to information received by PRGX under the EU-U.S. Privacy Shield, “Personal Information” is any information about an identified or identifiable individual, as defined under the Privacy Shield Framework.
Sensitive Personal Information (“Sensitive Personal Information”) means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or specifies sex life. PRGX does not knowingly collect Sensitive Personal Information from our clients, suppliers and vendors, investors, or individuals who browse and use our websites.
INFORMATION WE COLLECT
PRGX is a business-to-business information and professional services firm that collects and processes transactional client data for improving clients’ financial performance by reducing costs, improving business processes and increasing profitability. PRGX’s core business segment is recovery audit services, which is the processing of procurement-to-payment transactional data (i.e. accounts payable data, vendor file information and line item/product data) to identify client overpayments made to their third party suppliers. Other business segments include providing analytics and advisory services to senior financial executives.
We collect data from, or on behalf of, our clients in order to perform the requested services. Personal Information may be received from clients in limited circumstances, such as when a vendor happens to be a sole proprietor. Information on these data subjects is used as instructed by our clients for accounts payable recovery auditing or other requested services in accordance with client contractual requirements.
Personal Information, such as contact information, may also be collected from our suppliers and vendors, our investors, or from individuals who browse and use our websites.
USE OF PERSONAL INFORMATION
When we collect Personal Information, our use of your Personal Information is limited to:
- Purposes as described in this Policy;
- Purposes stated in the applicable notice or consent form, such as a client contract or terms on one of our websites;
- Purposes for which the individual would reasonably expect the information to be processed;
- Customary internal purposes, such as anonymous benchmarking, reporting or quality assurance purposes; and
- Contacting you about products and/or services that may be of interest to you.
DISCLOSURES AND ONWARD TRANSFERS
PRGX may perform services, including the processing of Personal Information, using one or more of its worldwide affiliates (wholly-owned PRGX company group entities) based in the United Kingdom, other European Union member states, the United States, and India, unless otherwise prohibited by client contractual requirements. In such event, PRGX and its affiliate(s) shall take such measures as are necessary to ensure adequate protection for the Personal Information that it or they process in accordance with relevant data protection laws and regulations. PRGX maintains appropriate technical, administrative, and physical controls to protect the security, confidentiality, and integrity of Personal Information in accordance with this Policy.
Personal Information provided to PRGX may be shared with third party service providers, such as agents and contractors, for customary business purposes. We may also, at the request of an individual client, provide client data, including Personal Information, to a third party agent for additional services, as arranged by the client. In all circumstances, we complete a screening process in which we validate that the third party has appropriate technical, administrative, and physical controls in place to protect the security, confidentiality, and integrity of Personal Information. In addition, we ensure that appropriate contracts are reviewed and executed to ensure adequate controls around confidentiality, limited use, proper disposal, and retention of Personal Information. Under the EU-U.S. Privacy Shield, PRGX remains liable if its service provider or agent processes Personal Information received under the Privacy Shield in a manner inconsistent with Privacy Shield Principles, unless PRGX was not responsible for the event giving rise to the damage.
Please note that we may use or disclose any information, including Personal Information, in order to respond to requests by public authorities, including to meet national security or law enforcement requirements, when necessary for public health or safety purposes, when needed to protect our legal rights, or as otherwise required by law. For example, we may disclose information in response to a subpoena or court order. We may also disclose information in connection with the transfer or sale of all or part of our business.
We may also provide aggregate data (not including any Personal Information) to third parties for various purposes, including facilitation of the improvement of services we provide to our clients.
PRGX is committed to protecting the privacy and security of the data that is provided to us, including Personal Information, through a combination of technical, physical and administrative controls, including internal policies, practices and procedures.
PRGX’s privacy and security framework is based on ISO 27001 standards and, as such, we have a strong focus on establishing, maintaining, and continuously improving information security management systems and identifying, analyzing, and addressing information security risks. The ISO 27001 standards cover all aspects of security including physical protection of equipment and people, hiring practices, employee training, network security, and access controls. This framework, combined with regular monitoring and testing of controls, allows us to ensure that appropriate levels of data confidentiality, integrity, and availability are maintained.
What is a cookie?
A cookie is a text file unique to you that is related to your computer or mobile device. It can be picked up by a server, allowing the website to pick up things such as your preferences or what is in your shopping basket, or allowing us to recognize you when you return. This information helps us dynamically generate web content and design web functionality specifically for users of our sites and enables us to provide you with a customized experience each time that you visit.
What types of cookies does PRGX use?
Most common technologies such as cookies, pixel tags, browser analysis tools, server logs and web beacons are used on most websites.
We may also use Flash cookies (also known as Local Stored Objects) and similar technologies to personalize and enhance your online experience. The Adobe Flash Player is an application that allows rapid development of dynamic content, such as video clips and animation. We use Flash cookies for security purposes and to help remember settings and preferences. We do not use Flash cookies or similar technologies for behavioral or interest-based advertising purposes. To manage Flash cookies, you may visit Adobe’s website at http://kb2.adobe.com/cps/526/52697ee8.html or visit www.adobe.com.
Pixel tags and web beacons are tiny graphic images placed on website pages or in emails that allow us to determine whether you have performed a specific action. When you access these pages or open or click on an email, the pixel tags and web beacons generate a notice of that action. These tools allow us to measure response to our communications and improve our web pages and promotions.
How do we collect information using cookies?
We collect many different types of information from cookies and other technologies. For example, we may collect information from the device you use to access our website, your operating system type, browser type, domain, and other system settings, as well as the language your system uses and the country and time zone where your device is located. Our server logs may also record the IP address assigned to the device you are using to connect to the Internet. An IP address is a unique number that devices use to identify and communicate with each other on the Internet. We may also collect information about the website you were visiting before you came to PRGX and the website you visit after you leave our site.
Can cookies be disabled?
CHOICE, ACCESS, AND CORRECTION
With regard to the Personal Information that we collect, we are committed to respecting individual rights of choice, access and correction. Individuals may submit access requests, ask questions or object to our processing of their Personal Information by contacting us at firstname.lastname@example.org. We will use reasonable efforts to respond to all such requests in a timely manner. With regard to Personal Information that PRGX collects from our suppliers and vendors, our investors, or from individuals who browse and use our websites, we will offer the persons concerned a choice to opt out of any uses or disclosures which are materially different from those described in this Policy.
In the exceptional cases where we process Sensitive Personal Information, we collect individuals’ affirmative express consent in case we intend to (i) disclose such information to a third party; or (ii) use it for a purpose other than that for which it was originally collected or authorized by you.
With respect to Personal Information provided to us by, or on behalf of, our clients, we recommend that you contact the client directly to seek access to and to correct, amend, or delete inaccurate data. We assume that our clients have provided any notice required for PRGX to process Personal Information they provide to us, consistent with this Policy, and will provide further notice of any uses or disclosures that are materially different from those described in this Policy. If you need assistance, please contact us and we will request our clients to correct, amend or delete any erroneous information, subject to their own policies and instructions.
EU-U.S. Privacy Shield Principles
In compliance with the EU-U.S. Privacy Shield Principles, PRGX commits to resolve complaints of individuals in the European Union about our processing of their Personal Information. Individuals in the European Union with inquiries or complaints should first contact PRGX at: email@example.com. We will respond to your inquiry or complaint within 45 days.
For unresolved privacy complaints of European Union individuals, PRGX has further committed to cooperate with an independent dispute mechanism established by European Union Data Protection Authorities and to provide this recourse free of charge. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please visit http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm or http://www.uscib.org/privacy-shield/ for further information.
Under certain conditions, European Union individuals may invoke binding arbitration when other dispute resolution procedures have been exhausted. For further information, please see the Privacy Shield website at: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
U.S.-Swiss Safe Harbor
In compliance with the U.S.-Swiss Safe Harbor Principles, PRGX commits to resolve complaints of individuals in Switzerland relating to our processing of their Personal Information. Swiss individuals with inquiries or complaints should contact PRGX at: firstname.lastname@example.org. In connection with its certification under the U.S.-Swiss Safe Harbor Framework, PRGX USA, Inc. is committed to cooperate with the Swiss Federal Data Protection and Information Commissioner on unresolved privacy complaints, and it will do so with respect to Personal Information it has received under U.S.-Swiss Safe Harbor.
INFORMATION ABOUT CHILDREN
We do not knowingly provide products or services to or solicit information from children under the age of 18.
SOCIAL SECURITY NUMBERS
In some cases, PRGX collects Social Security Numbers, mainly in the United States, in the ordinary course of its business, such as from our employees, as well as in certain records we process for our clients. We have implemented reasonable technical, physical and administrative safeguards to protect the Social Security Numbers. All of our employees are required to follow these established procedures. In particular, access to Social Security Numbers is limited to those employees and service providers with an approved business need to access the information to perform tasks for us and our clients.
Social Security Numbers are only disclosed to third parties in accordance with our established policies. We only disclose Social Security Numbers to (i) those service providers, auditors, advisors, and/or successors in interest who are legally or contractually obligated to protect them or (ii) as required or permitted by law.
For Personal Information that PRGX USA, Inc. receives from European Union member states and Switzerland, PRGX USA, Inc. has committed to handling such Personal Information in accordance with, respectively, the EU-U.S. Privacy Shield Principles and the U.S.-Swiss Safe Harbor Principles.
CHANGES TO THIS POLICY
From time to time, we may decide to make changes to this Policy. If we make a material change, we will post the revised Policy and highlight the change in this section of the Policy.
January 20, 2010: As part of the launch of our new PRGX website, the “Cookie” section of this Policy has been updated to reflect new and limited uses of cookies which are used to monitor the traffic and use within our site as well as to enhance web content and functionality. Cookies on our site do not collect Personal Information.
July 1, 2016: Updated the introductory section to reflect the European Court of Justice’s decision on October 6, 2015 whereby Safe Harbor was deemed invalid.
September 20, 2016: Updated Policy to reflect certification under the EU-U.S. Privacy Shield Framework.
This Policy was last updated on September 20, 2016.
Questions about our Policy may be sent by email to: email@example.com or by contacting:
Vice President, Global Privacy and Security