ACA COMPLIANCE GROUP
Effective January 3, 2014
Updated May 26, 2017
NM GRC Holdco, LLC and its U.S. subsidiaries, NM GRC Acquisition, LLC, ACA Compliance Group Holdings, LLC, Adviser Compliance Associates, LLC, Broker-Dealer Compliance Associates, LLC, ACA Performance Services, LLC, ACA Technology, LLC, ACA Risk Strategies, LLC, ACA Corporate Holdings, Inc., ACA Technology Surveillance, Inc., and ACA AML Strategies, Inc. (collectively, “ACA US”) are committed to respecting your privacy.
ACA US, together with ACA Compliance (Europe) Limited and ACA Performance (Europe) Limited, are hereinafter referred to as the “ACA Group.”
Participation in the EU-U.S. and Swiss-U.S. Privacy Shield Programs
ACA US complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. ACA US has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/
Organizations that participate in the EU-U.S. and Swiss-U.S. Privacy Shield Programs must comply with the seven Privacy Shield Principles, which require the following:
- Notice. Organizations must publish online privacy notices containing specific information about their participation in the Privacy Shield (including, where applicable, the entities or subsidiaries of the organization also adhering to the Principles); their practices around collecting, using and sharing personal data with third parties; their privacy practices, including an individual’s rights to access and correct data, and the choices they make available to individuals regarding limiting data collection and use. The thirteen specific items to be addressed in the notice also include (i) any relevant establishment in the EU and Switzerland, respectively, that can respond to inquiries or complaints, (ii) the independent dispute resolution mechanism designated to address complaints, a hyperlink to the complaint submission form of that dispute resolution body, (iii) the possibility, under certain circumstances, for EU and Swiss individuals to invoke additional binding arbitration; (iv) the possibility that the organization may be held liable for unlawful transfer of personal data to third parties; and (v) the organization’s obligation to disclose personal data in response to national security or law enforcement requests.
- Choice. Participants must provide a mechanism for individuals to opt out of having personal information disclosed to a third party or used for a materially different purpose than that for which it was provided. Opt-in consent is required with respect to the sharing of sensitive information with a third party or its use for a new purpose.
- Accountability for Onward Transfer.
  a. To transfer personal information to a third party acting as a data controller, a participant must comply with the Notice and Choice Privacy Shield Principles. It must also enter into a contract with the third party controller limiting the purposes for which the data may be processed and ensuring that the recipient will provide the same level of protection as the Principles.
  b. To transfer personal data to a third party acting as an agent (such as a service provider), an organization has additional obligations. It must: transfer the data for limited and specified purposes; ascertain that the agent is obligated to provide at least the same level of privacy protection as required by the Principles; take reasonable steps to ensure that the agent effectively processes this data in a manner consistent with the Principles; upon notice, take reasonable steps to stop and remediate unauthorized processing; and upon request, provide a summary or copy of privacy provisions of its contract with the agent to the Department of Commerce.
- Security. An organization creating, maintaining, using or disseminating personal data must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into “due account” the risks involved in the processing and the nature of the personal data.
- Data Integrity and Purpose Limitation. An organization must take reasonable steps to limit processing to the purposes for which it was collected, and to ensure that personal data is reliable for its intended use, accurate, complete, and current. It must only retain personal information for as long as needed for the purpose of collection. An organization must adhere to the Privacy Shield Principles for as long as it retains such information.
- Access. An organization must provide a mechanism by which data subjects may request access to personal information the organization holds about them and enable them to correct, amend, or delete information that is either inaccurate or processed in violation of the Principles.
- Recourse, Enforcement and Liability. This Principle addresses three topics: recourse for individuals affected by non-compliance; consequences to organizations for non-compliance; and compliance verification.
User Consent to Policy
By accessing, browsing, or using a Site, each User acknowledges that he or she has read, understands, agrees and consents to the terms and conditions of this Policy. Each User consents to the collection, use, and disclosure of his or her information, including personal information, non-personal information, and anonymous browsing information (“Information”), pursuant to the terms of this Policy. If you do not consent to these terms and conditions, you should not access, browse, or use any Site or provide any Information to ACA US via any Site.
Information Collected by ACA US
A. Personal Information
ACA US may collect the name, title, company name, address, phone and/or fax number, job title, email address, credit card number, and other personal information provided by a User who contacts ACA Group or any of ACA Group’s representatives through a Site, via email or otherwise, submits a request for information, proposals, or to receive periodic updates, subscribes to ACA Insight, attends a webcast, live conference, or other ACA Group-sponsored or hosted event, participates in a discussion forum available through a Site, or engages in any other activity through a Site in which personal information is provided to ACA US.
By submitting Information to ACA US on or through the Site, a User acknowledges that he or she has read this Policy, understands it, agrees to its terms, and authorizes ACA US to collect, use and disclose Information pursuant to the terms of this Policy.
B. Non-Individually Identifying Browsing Information
Users can browse a Site without revealing personal information. In this context, ACA US’s servers may collect certain non-individually identifying (i.e., anonymous) browsing information, such as your Internet Protocol address, your computer’s operating system, the name of the domain you used to access the Internet, the website you came from, and the website you visit next. This information is collected passively through the use of certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, or other technologies, examples of which are explained further in Section C below. Anonymous browsing information is not used, nor is it intended to be used, by ACA US to personally identify an individual.
C. Passive Gathering of Information Electronically
ACA US and any third parties that may advertise or provide other services on a Site may automatically and passively collect certain types of anonymous information whenever you use a Site or certain Site services or click on advertisements on a Site or in ACA Group’s periodicals, such as ACA Insight. If ACA US or such third parties collect this anonymous information, it will be done passively through the use of certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, and similar technologies as explained below.
Web beacons, Pixels and Clear GIFs: ACA US and certain third-party advertising partners may use web beacons, pixels, and clear GIFs. These electronic technologies are transparent image files that, if used, allow ACA US and its advertising partners to track website usage information, such as the number of times a website has been viewed and whether and when you have opened an HTML email, how many times the email was forwarded and which links in the email were clicked. Unlike cookies, these technologies are not placed on your Equipment. If used, this information will help ACA US to improve a Site and ACA US’s advertising materials and will help ACA US’s advertising partners by measuring the effectiveness of such communications to you. These technologies may be used in association with cookies to understand how Users interact with a Site or advertisements.
How ACA US Uses the Information
ACA US uses the Information collected from Users to respond to Users’ questions and/or comments, market or provide products, services or information to Users, process Users’ purchases, or provide related account status to the applicable User. Personal information, non-personal information, and anonymous browsing information may be used to gather broad demographic information used in marketing, promotion, analytics, or similar activities. This information may be aggregated to measure the number of visits, average time spent, page views and other statistics about Users of a Site. ACA US also may use this Information to monitor Site performance and to make a Site easier and more convenient to use. ACA US also may use Information collected from its Users to enforce its agreements with Users, prevent fraud and other prohibited or illegal activities, for other legally permissible purposes and generally to ensure that ACA Group complies with applicable laws.
ACA US Sharing of your Information
ACA US only will share Information that it collects or receives regarding its Users with third parties under the following circumstances:
- Consent: If ACA US has a User’s consent to share any Information, it may do so.
- Agents: ACA US may utilize other companies and individuals to perform functions on its behalf such as marketing new or additional ACA Group products and services, sending postal and electronic mail to Users, processing credit card payments, fulfilling orders, delivering products and services, hosting discussion forums, and providing customer service. These third parties have access to Information needed to perform their functions, but may not use it for other purposes.
- Aggregate Anonymous Information: ACA US may provide to others the aggregate statistics about our Users’ Site activity for purposes of marketing, promotion, analytics, or similar activities. None of these statistics will identify Users personally.
- Protection of ACA Group or Others: ACA US may disclose Information about our Users to others if ACA US has a good faith belief that it is required or permitted to do so by law or legal process to respond to claims, to protect the rights, property or safety of ACA Group or others, or take action regarding illegal activities or suspected fraud, or in response to national security or law enforcement requests.
- Business Transfers: In the event that ACA Group decides to sell all or part of its assets, ACA Group reserves the right to include Information among the assets transferred to the acquiring company.
- Affiliates: ACA US may share Information among its affiliates.
- Conference and Roundtable Attendees: ACA US may provide the names, titles, company names, addresses, phone information, and email addresses of conference or roundtable attendees to current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co-sponsors.
ACA US may be held liable for unlawful transfer of personal data to third parties.
Accessing, Changing or Deleting Your Personal Information
ACA US allows you to correct inaccuracies in or make other changes or delete your Information by contacting ACA US at (301) 495-7850 or sending an email to firstname.lastname@example.org. In addition, you may correct inaccuracies in or make other changes or delete your Information collected through ACA Insight by updating your account in the My Profile section of www.acainsight.com or sending an email to email@example.com.
Users are responsible for the accuracy of the Information they provide to ACA US. ACA US will use reasonable efforts to maintain the accuracy and integrity of Information.
Choices for Use or Sharing of Certain Information
ACA US values your concerns about the privacy of your Information. Therefore, ACA US offers you the opportunity to choose how certain of your Information is used by ACA US.
Any emails sent by ACA US that are subject to the U.S. CAN-SPAM Act will include an option to unsubscribe from further correspondence. Please note that even if you opt out of receiving certain email from ACA US, you will continue to receive transactional and/or relationship messages, such as messages confirming a product purchase or your registration for an event.
As stated above, ACA US may share names, titles, company names, addresses, phone information, and email addresses of conference and roundtable attendees with current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co-sponsors. If you do not wish to receive further communications from these persons, you must contact them directly and make such a request. ACA US is not responsible for how such third parties handle such Information.
Linked Internet Websites
The Site may provide hyperlinks, which are highlighted words or pictures within a hypertext document that, when clicked, take you to another place within the document, to another document altogether, or to other websites not controlled by ACA US. These hyperlinked websites may contain privacy provisions that are different from those provided herein. ACA US is not responsible for the collection, use, or disclosure of information collected through these websites, and ACA US expressly disclaims any and all liability related to such collection, use, or disclosure.
Children’s Privacy Protection
No Site is directed towards children under 13 years of age, and ACA US does not knowingly collect any information from children under 13 years of age through any Site. If you are under 13 years of age, you are not permitted to submit any information to ACA US through any Site.
Each Site has commercially reasonable security measures to protect against the loss, theft, misuse, and alteration of Information that is submitted to ACA US and remains under ACA US’s control. You should be aware, however, that ACA US has no control over the security of other websites that you might visit or use, even when a link to those websites is available on or through the Site. If you share your Equipment or use Equipment that is accessed by the general public, remember to sign off and close your browser when you finish using the Site.
ACA US wants you to feel confident using the Site; however, no system can be completely secure. Therefore, ACA US makes no representations or warranties with regard to the sufficiency of its security measures. ACA US shall not be responsible for any damages, including without limitation consequential damages, resulting from a lapse in compliance with this Policy as a result of a security breach or technical malfunction. Certain information may be transmitted to you by email. Although it is illegal to intercept or disclose such messages under U.S. Federal law, such transmissions are not secure. In addition, Users’ communications through a Site are, in most cases, viewed only by you and anyone to whom you address your message. As the operator of a Site, ACA US may need to review or monitor your electronic mail and other communications through a Site from time to time as may be required by law. Therefore, you should not expect to have a right to privacy in any of your electronic communications through a Site.
In the event of a breach of the confidentiality or security of your personal information, ACA US will notify you if reasonably possible and as reasonably necessary under applicable law so that you can take appropriate protective steps. ACA US may notify you under such circumstances using the email address or addresses that it has on record for you. You should also take care with how you handle and disclose your personal information. Please refer to the U.S. Federal Trade Commission’s website for information about how to protect yourself against identity theft.
ACA US may occasionally update this Policy, as noted by the “updated date” at the beginning of this Policy. If ACA US updates this Policy in a manner that allows it to collect, use, or disclose your personal information in a materially less restrictive manner than under a prior version of this Policy, ACA US will provide you with prior notice of the pending update and seek your consent by posting notice on the Site or by contacting you using the email address or addresses that ACA US has on record for you. ACA US encourages you to periodically review this Policy to stay informed about its collection, use, and disclosure of your Information. Your continued use of a Site constitutes your agreement to this Policy and any updates.
Your California Privacy Rights
California law permits customers of ACA US who are California residents to request certain information regarding our disclosure of their personal information to third parties for direct marketing purposes. At this time, ACA US does not disclose personal information of “customers,” as defined under the California “Shine the Light” Act, to third parties for direct marketing purposes. If ACA US changes this policy, it will update this provision and provide instructions on how you may make a request for details concerning such use of information.
Enforcement and Dispute Resolution
ACA US has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
ACA US is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. There is the possibility, under certain circumstances, for EU and Swiss individuals to invoke additional binding arbitration.
ACA US retains sole and absolute discretion in resolving all questions relating to the administration, interpretation and application of this Policy. This authority includes construing the terms of this Policy, including any disputed or doubtful terms.
No Rights of Third Parties
This Policy does not create rights enforceable by third parties.
How to Contact ACA US
If you have any questions about this Policy, please
Call: (301) 495-7850
Write: Legal Department – Privacy
8401 Colesville Road, Suite 700
Silver Spring, MD 20910
© 2017 NM GRC Holdco, LLC, NM GRC Acquisition, LLC, ACA Compliance Group Holdings, LLC, Adviser Compliance Associates, LLC, Broker-Dealer Compliance Associates, LLC, ACA Performance Services, LLC, ACA Technology, LLC, ACA Risk Strategies, LLC, ACA Corporate Holdings, Inc., ACA Technology Surveillance, Inc., and ACA AML Strategies, Inc. All rights reserved.