Effective January 3, 2014
Updated May 29, 2019
As it is used in this Policy, the term “ACA US” shall mean, collectively, the following U.S.-based ACA entities:
- SIH ACA Topco, L.P.;
- ACA Intermediate Co 1, LLC;
- ACA Intermediate Co 2, LLC;
- ACA Intermediate Co 3, LLC;
- NM GRC Holdco, LLC;
- ACA Corporate Holdings, Inc.;
- ACA Compliance Group Holdings, LLC;
- Adviser Compliance Associates, LLC;
- ACA Performance Services, LLC; and
- ACA AML Strategies, LLC.
EU GDPR Privacy Notice
ACA also has developed an EU GDPR Privacy Notice (the “GDPR Notice”), available at https://www.acacompliancegroup.com/GDPRNotice. The GDPR Notice contains additional information about ACA’s processing of personal information that is subject to the European Union’s General Data Protection Regulation (“GDPR”) and other applicable EU data protection laws. Personal information of Users may be subject to the GDPR Notice.
Participation in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
ACA US complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. ACA US has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
Organizations that participate in the EU-U.S. and Swiss-U.S. Privacy Shield Programs must comply with the Privacy Shield Principles, which require the following:
- Notice. Organizations must publish online privacy notices containing specific information about their participation in the Privacy Shield (including, where applicable, the entities or subsidiaries of the organization also adhering to the Principles); their practices around collecting, using and sharing personal data with third parties; their privacy practices, including an individual’s rights to access and correct data, and the choices they make available to individuals regarding limiting data collection and use. The thirteen specific items to be addressed in the notice also include (i) any relevant establishment in the EU and Switzerland, respectively, that can respond to inquiries or complaints, (ii) the independent dispute resolution mechanism designated to address complaints, a hyperlink to the complaint submission form of that dispute resolution body, (iii) the possibility, under certain circumstances, for EU and Swiss individuals to invoke additional binding arbitration; (iv) the possibility that the organization may be held liable for unlawful transfer of personal data to third parties; and (v) the organization’s obligation to disclose personal data in response to national security or law enforcement requests.
- Choice. Participants must provide a mechanism for individuals to opt out of having personal information disclosed to a third party or used for a materially different purpose than that for which it was provided. Opt-in consent is required with respect to the sharing of sensitive information with a third party or its use for a new purpose.
- Accountability for Onward Transfer. a. To transfer personal information to a third party acting as a data controller, a participant must comply with the Notice and Choice Privacy Shield Principles. It must also enter into a contract with the third-party controller limiting the purposes for which the data may be processed and ensuring that the recipient will provide the same level of protection as the Principles. b. To transfer personal data to a third party acting as an agent (such as a service provider), an organization has additional obligations. It must: transfer the data for limited and specified purposes; ascertain that the agent is obligated to provide at least the same level of privacy protection as required by the Principles; take reasonable steps to ensure that the agent effectively processes this data in a manner consistent with Principles; upon notice, take reasonable steps to stop and remediate unauthorized processing; and upon request, provide a summary or copy of privacy provisions of its contract with the agent to the Department of Commerce.
- Security. An organization creating, maintaining, using or disseminating personal data must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into “due account” the risks involved in the processing and the nature of the personal data.
- Data Integrity and Purpose Limitation. An organization must take reasonable steps to limit processing to the purposes for which it was collected, and to ensure that personal data is reliable for its intended use, accurate, complete, and current. It must only retain personal information for as long as needed for the purpose of collection. An organization must adhere to the Privacy Shield Principles for as long as it retains such information.
- Access. An organization must provide a mechanism by which data subjects may request access to personal information the organization holds about them and enable them to correct, amend, or delete information that is either inaccurate or processed in violation of the Principles.
- Recourse, Enforcement and Liability. This Principle addresses three topics: recourse for individuals affected by non-compliance; consequences to organizations for non-compliance, and compliance verification.
User Consent to Policy
By accessing, browsing, or using a Site, or following links through the Site to apply for employment with ACA, each User acknowledges that he or she has read, understands, agrees and consents to the terms and conditions of this Policy. Each User consents to the collection, use, and disclosure of his or her information, including personal information, non-personal information, and anonymous browsing information (“Information”), pursuant to the terms of this Policy. If you do not consent to these terms and conditions, you should not access, browse, or use any Site or provide any Information to ACA via any Site.
Information Collected by ACA
- Personal Information
ACA may collect the name, title, company name, address, phone and/or fax number, job title, email address, credit card number, and other personal information provided by a User who contacts ACA or any of ACA’s representatives through a Site, via email or otherwise, submits a request for information, proposals, or to receive periodic updates, subscribes to ACA Insight, accesses ACA’s web-based training, attends a webcast, live conference, or other ACA-sponsored or hosted event, participates in a discussion forum available through a Site, follows a link through the Site to apply for employment with ACA, or engages in any other activity through a Site in which personal information is provided to ACA.
By submitting Information to ACA on or through the Site, a User acknowledges that he or she has read this Policy, understands it, agrees to its terms, and authorizes ACA to collect, use and disclose Information pursuant to the terms of this Policy.
- Non-Individually Identifying Browsing Information
Users can browse a Site without revealing personal information. In this context, ACA’s servers may collect certain non-individually identifying (i.e., anonymous) browsing information, such as your Internet Protocol address, your computer’s operating system, the name of the domain you used to access the Internet, the website you came from, and the website you visit next. This information is collected passively by using certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, or other technologies, examples of which are explained further in Section C below. Anonymous browsing information is not used, nor is it intended to be used, by ACA to personally identify an individual.
- Passive Gathering of Information Electronically
ACA and any third parties that may advertise or provide other services on a Site may automatically and passively collect certain types of anonymous information whenever you use a Site or certain Site services or click on advertisements on a Site or in ACA’s periodicals, such as ACA Insight. If ACA or such third parties collect this anonymous information, it will be done passively by using certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, and similar technologies as explained below.
Web beacons, Pixels and Clear GIFs: ACA and certain third-party advertising partners may use web beacons, pixels, and clear GIFs. These electronic technologies are transparent image files that, if used, allow ACA and its advertising partners to track website usage information, such as the number of times a website has been viewed and whether and when you have opened a HTML email, how many times the email was forwarded and which links in the email were clicked. Unlike cookies, these technologies are not placed on your Equipment. If used, this information will help ACA to improve a Site and ACA’s advertising materials and will help ACA’s advertising partners by measuring the effectiveness of such communications to you. These technologies may be used in association with cookies to understand how Users interact with a Site or advertisements.
How ACA Uses the Information
ACA uses Information collected from Users to respond to Users’ questions and/or comments, market or provide products, services or information to Users, process Users’ purchases, evaluate applications for employment with ACA, or provide related account status to the applicable User. Personal information, non-personal information, and anonymous browsing information may be used to gather broad demographic information used in marketing, promotion, analytics, or similar activities. This information may be aggregated to measure the number of visits, average time spent, page views and other statistics about Users of a Site. ACA also may use this Information to monitor Site performance and to make a Site easier and more convenient to use. ACA also may use Information collected from its Users to enforce its agreements with Users, prevent fraud and other prohibited or illegal activities, for other legally permissible purposes and generally to ensure that ACA complies with applicable laws.
ACA Sharing of Your Information
ACA only will share Information that it collects or receives regarding its Users with third parties under the following circumstances:
- Consent: If ACA has a User’s consent to share any Information, it may do so.
- Agents: ACA may utilize other companies and individuals to perform functions on its behalf such as marketing new or additional ACA products and services, sending postal and electronic mail to Users, processing credit card payments, fulfilling orders, delivering products and services, hosting discussion forums, and providing customer service. Such third parties have access to Information needed to perform their functions but may not use it for other purposes.
- Aggregate Anonymous Information: ACA may provide to others the aggregate statistics about our Users’ Site activity for purposes of marketing, promotion, analytics, or similar activities. None of these statistics will identify Users personally.
- Protection of ACA or Others: ACA may disclose Information about our Users to others if ACA has a good faith belief that it is required or permitted to do so by law or legal process to respond to claims, to protect the rights, property or safety of ACA or others, or take action regarding illegal activities or suspected fraud, or in response to national security or law enforcement requests.
- Business Transfers: If ACA decides to sell all or part or its assets, ACA reserves the right to include Information among the assets transferred to the acquiring company.
- Affiliates: ACA may share Information among its affiliates.
- Conference and Roundtable Attendees. ACA may provide the names, titles, company names, addresses, phone information, and email addresses of conference or roundtable attendees to current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co-sponsors.
ACA may be held liable for unlawful transfer of personal data to third parties. In particular, ACA US remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless ACA US proves that it is not responsible for the event giving rise to the damage.
Accessing, Changing or Deleting Your Personal Information
ACA allows you to make a request to correct inaccuracies in or make other changes or delete your Information by contacting ACA at (301) 495-7850 or sending an email to firstname.lastname@example.org. In addition, you may correct inaccuracies in or make other changes or delete your Information collected through ACA Insight by updating your account in the My Profile section of www.acainsight.com or sending an email to email@example.com. ACA will use commercially reasonable efforts to promptly accommodate such requests.
Users are responsible for the accuracy of the Information they provide to ACA. ACA will use reasonable efforts to maintain the accuracy and integrity of Information based on the input received from Users.
Choices for Use or Sharing of Certain Information
ACA values your concerns about the privacy of your Information. Therefore, ACA offers you the opportunity to choose how certain of your Information is used by ACA.
Any emails sent by ACA that are subject to the U.S. CAN-SPAM Act will include an option to unsubscribe from further correspondence. Please note that even if you opt-out from receiving certain emails from ACA, you will continue to receive transactional and/or relationship messages, such as messages confirming a product purchase or your registration for an event.
As stated above, ACA may share names, titles, company names, addresses, phone information, and email addresses of conference and roundtable attendees with current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co-sponsors. If you do not wish to receive further communications from these persons, you must contact them directly and make such a request. ACA is not responsible for how such third parties handle such Information.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to firstname.lastname@example.org.
Linked Internet Websites
Each Site may provide hyperlinks, which are highlighted words or pictures within a hypertext document that, when clicked, take you to another place within the document, to another document altogether, or to other websites not controlled by ACA. These hyperlinked websites may contain privacy provisions that are different from those provided herein. ACA is not responsible for the collection, use, or disclosure of information collected through these websites, and ACA expressly disclaims any and all liability related to such collection, use, or disclosure.
Children’s Privacy Protection
No Site is directed towards children under 13 years of age, and ACA does not knowingly collect any Information from children under 13 years of age through any Site. If you are under 13 years of age, you are not permitted to submit any Information to ACA through any Site. If ACA becomes aware that it has collected Information from children under 13 years of age, ACA will take commercially reasonable efforts to promptly purge such Information from its systems.
Each Site has commercially reasonable security measures to protect against the loss, theft, misuse, and alteration of Information that is submitted to ACA and remains under ACA’s control. You should be aware, however, that ACA has no control over the security of other websites that you might visit or use, even when a link to those websites is available on or through any Site. If you share your Equipment or use Equipment that is accessed by the general public, remember to sign off and close your browser when you finish using any Site.
ACA wants you to feel confident using each Site; however, no system can be completely secure. Therefore, ACA makes no representations or warranties regarding the sufficiency of any Site’s security measures. ACA shall not be responsible for any damages, including without limitation consequential damages, resulting from a lapse in compliance with this Policy as a result of a security breach or technical malfunction. Certain information may be transmitted to you by email. Although it is illegal to intercept or disclose such messages under U.S. Federal law, such transmissions are not secure. In addition, Users’ communications through each Site are, in most cases, viewed only by you and anyone to whom you address your message. As the operator of each Site, ACA may need to review or monitor your electronic mail and other communications through each Site from time to time as may be required by law. Therefore, you should not expect to have a right to privacy in any of your electronic communications through any Site.
In the event of a breach of the confidentiality or security of your personal information, ACA will notify you if reasonably possible and as reasonably necessary under applicable law so that you can take appropriate protective steps. ACA may notify you under such circumstances using the email address or addresses that it has on record for you. You should also take care with how you handle and disclose your personal information. Please refer to the U.S. Federal Trade Commission’s website for information about how to protect yourself against identity theft.
ACA may occasionally update this Policy, as noted by the “updated date” at the beginning of this Policy. If ACA updates this Policy in a manner that allows it to collect, use, or disclose your personal information in a materially less restrictive manner than under a prior version of this Policy, ACA will provide you with prior notice of the pending update and seek your consent by posting notice on www.acacompliancegroup.com or by contacting you using the email address or addresses that ACA has on record for you. ACA encourages you to periodically review this Policy to stay informed about its collection, use, and disclosure of your Information. Your continued use of any Site constitutes your agreement to this Policy and any updates.
Your California Privacy Rights
California law permits customers of ACA who are California residents to request certain information regarding our disclosure of their personal information to third parties for direct marketing purposes. At this time, ACA does not disclose personal information of “customers,” as defined under the California “Shine the Light” Act, to third parties for direct marketing purposes. If ACA changes this policy, it will update this Policy and provide instructions on how you may make a request for details concerning such use of information.
Enforcement and Dispute Resolution
If you have any questions, complaints, or disputes regarding how ACA handles or protects your Information, please bring it to ACA’s attention (see “How to Contact ACA” below). In compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Principles, ACA commits to resolve complaints about your privacy and our collection or use of personal information from EU or Swiss residents. European Union or Swiss individuals with inquiries or complaints regarding this Policy should first contact ACA (see “How to Contact ACA” below).
ACA has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
There is the possibility, under certain circumstances, for EU and Swiss individuals to invoke additional binding arbitration for some residual claims not resolved by other redress mechanisms as described in Privacy Shield Annex 1.
If your complaint involves human resources data transferred to the United States from the EU and/or Switzerland in the context of the employment relationship, and ACA does not address it satisfactorily, ACA commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable and to comply with the advice given by the DPA panel and/or Commissioner, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.
ACA is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
ACA retains sole and absolute discretion in resolving all questions relating to the administration, interpretation and application of this Policy, except as required by law or the Privacy Shield Frameworks. This authority includes construing the terms of this Policy, including any disputed or doubtful terms.
No Rights of Third Parties
This Policy does not create rights enforceable by third parties.
How to Contact ACA
If you have any questions about this Policy, please
Call: (301) 495-7850
Write: ACA Compliance Group
Legal Department – Privacy
8401 Colesville Road, Suite 700
Silver Spring, MD 20910
© 2014-2019 SIH ACA Topco, L.P. All rights reserved.