Extreme Reach Privacy Shield Supplemental Policy

Extreme Reach, Inc.; Extreme Reach Talent, Inc; Extreme Reach Services Group, LLC; CMC Crew Services, Inc; and Extreme Reach Payroll Solutions, Inc.; Slate and Extreme Reach UK Limited (collectively “Extreme Reach,” “ER,” “our,” “we” or “us”) are committed to respecting and protecting your privacy.

We have created this Privacy Shield Privacy Policy to help you learn about how we handle Personal Information that is collected in the European Economic Area (the “EEA”) and transferred to the U.S.

ER commits to adhere to the EU-U.S. Privacy Shield Framework by adopting and implementing the EU-U.S. Privacy Shield Principles, which include a set of Supplemental Principles. Our certification can be found at https://www.privacyshield.gov/list.

This Privacy Shield Supplemental Policy supplements Extreme Reach’s application and website specific Privacy Policies. Unless specifically defined in this Supplemental Policy, the terms in this Privacy Shield Supplemental Policy have the same meaning as in our Privacy Policies. In case of conflict between our Privacy Policies and this Privacy Shield Supplemental Policy, this Privacy Shield Supplemental Policy prevails. In case of conflict between this Privacy Shield Supplemental Policy and the Privacy Shield Principles, the Principles will govern.

1. How We Obtain Personal Information

We obtain and process Personal Information in various capacities.

As a data controller or co-controller, we collect and process EEA Personal Information from individuals, either directly from such individuals or via our customer, partner, and vendor relationships.

As a data processor, we process and store EEA Personal Information obtained from our customers when providing them services, such as Talent Payroll Services. In this context, we only process Personal Information on behalf of and at the instructions of our customers, which are the data controllers.

2. Notice

We provide information in our Privacy Policies regarding our privacy practices. Where appropriate (for instance, where we act as a data co-controller for Talent Payroll Services), we also provide notice directly to Data Subjects.

Where Extreme Reach is the data processor and our customers are data controllers,, customers determine the categories of data they upload into our systems and the purposes for which the data is processed. Accordingly, customers are responsible for providing notice to the individuals from whom they have collected Personal Information.

3. Choice and Access

We process Personal Data in a manner consistent with our Privacy Policies, or as otherwise authorized by you. We take reasonable steps to limit the collection and usage of Personal Information to that which is relevant for the intended purposes for which it was collected, and to ensure that such Personal Information is reliable, accurate, complete, and current. We will adhere to the Principles for as long as we retain the Personal Information collected under the Privacy Shield.

When we process Personal Information in the context of our Services, we process, disclose, and retain Personal Information only as necessary to provide our Services, or as required or permitted under applicable law.

Where appropriate, ER provides you with access to the Personal Information that we maintain about you and the ability to correct, amend or delete that information when it is inaccurate or has been processed in violation of the Principles. To obtain this information, send a written request as indicated in “Contact Information” below. We will review your request in accordance with the Principles, and may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles.

If we intend to use your Personal Information for a purpose that is materially different from the purposes listed in this policy or if we intend to disclose it to a third party acting as a controller not previously identified, we will offer you the opportunity to opt-out of such uses and disclosures where it involves non-sensitive information or opt-in where sensitive information is involved.

At times, ER may be required to provide your Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

4. Data Security

We use reasonable and appropriate measures to protect your Personal Information from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information.

5. Recourse, Enforcement, and Liability

ER’s participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework is subject to investigation and enforcement by the Federal Trade Commission.

In compliance with the Privacy Shield Principles, ER commits to resolve complaints about your privacy and our collection or use of your Personal Data. Data Subjects with inquiries or complaints regarding this Privacy Shield Policy should first contact ER at: privacy@extremereach.com; or mail to: Extreme Reach, ATTN: Legal, 75 2nd Avenue, Suite 720, Needham, MA 02494.

ER has further committed to refer unresolved privacy complaints under the EU-U.S. and Privacy Shield Principles to an independent U.S.-based third party dispute resolution provider. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Under certain conditions detailed in the Privacy Shield, Data Subjects may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.

ER agrees to periodically review and verify its compliance with the Privacy Shield Principles, and to remedy any issues arising out of failure to comply with the Privacy Shield Principles. ER acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of Privacy Shield participants.

6. Accountability

ER remains liable under the Privacy Shield Principles if an agent processes Personal Data covered by this Privacy Shield Policy in a manner inconsistent with the Principles, except where ER is not responsible for the event giving rise to the damage.

7. Contact Information

For requests related to rights of erasure, correction, restriction of processing, and portability, EU residents can contact privacy@extremereach.com or mail to: Extreme Reach, ATTN: Legal, 75 2nd Avenue, Suite 720, Needham, MA 02494.

8. Changes to the Privacy Shield Privacy Policy

This Privacy Shield Privacy Policy may be changed from time to time, consistent with the requirements of the Privacy Shield. You can determine when this Privacy Shield Privacy Policy was last revised by referring to the “Last Updated” legend at the bottom of this page. Any changes to this Privacy Shield Privacy Policy will become effective when we post the revised version on our website.

Last updated: July 2020