CSI Leasing, Inc. EU-U.S. and Swiss Data Privacy Framework Policy
Effective: December 14, 2023.
CSI Leasing, Inc., and its subsidiaries are committed to complying with the laws and regulations enacted to protect the privacy of our customers, employees, agents, and contractors everywhere we do business. This E.U.-U.S. and Swiss-U.S. Data Privacy Framework Policy (“Policy”) sets forth the principles that CSI Leasing, Inc., and its wholly-owned US subsidiary, Executive Personal Computers, Inc., (collectively, “CSI”) agree to follow with respect to the collection, use, preservation and transfer of Personal Information from the European Union member countries (the “EU”) the United Kingdom (“UK”) and Switzerland to the United States.
CSI complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and Swiss-U.S. Data Privacy Framework set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from persons in the EU member countries, the UK, and Switzerland. CSI has certified that it adheres to the Data Privacy Framework Principles (“DPF Principles”) of notice, choice, accountability for onward transfer, security, data integrity, limitation of purpose, access, and recourse, enforcement and liability. If there is any conflict between this Policy and the DPF Principles, the DPF Principles shall govern.
The Federal Trade Commission has jurisdiction over CSI’s compliance with the EU-U.S. DPF and Swiss-U.S. DPF.
All CSI employees who handle Personal Information from any EU member country, the UK, or Switzerland are required to comply with the DPF Principles stated in this Policy.
To learn more about the EU-U.S. DPF and Swiss-U.S. DPF and view CSI’s certification, please visit https://www.privacyframework.gov.
Definitions
Capitalized terms in this Policy have the following meanings:
Personal Information. The term “Personal Information” means data or information that personally identifies or may be used to personally identify an individual, including an individual’s name, date and place of birth, address, phone number, marital status, education, terms of employment, and salary information.
Sensitive Personal Information. The term “Sensitive Personal Information” means any Personal Information that reveals the race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information that concerns the health, sex life, or sexual orientation of the Individual.
Notice to Individuals
CSI notifies Individuals of its adherence to the DPF Principles through its publicly available website at www.csileasing.com/dpf. CSI will strive to ensure that its collection and use of Personal Information remains transparent to the relevant individuals. CSI will take reasonable steps to notify individuals about (i) the purposes for which CSI collects and uses the Personal Information, (ii) how to contact CSI if the individual has any issues or concerns about CSI’s use of the Personal Information, (iii) the types of third parties with whom CSI’s shares the Personal Information (including international transfers of the Personal Information and disclosures within CSI), and (iv) the choice and means CSI offers individuals for limiting the use and disclosure of the Personal Information, unless furnishing notice would be impracticable or impossible under the circumstances.
Notices will be provided in plain language, and be furnished to individuals before their Personal Information is first collected or, if that is not possible, as soon as practicable thereafter.
Individual Choice
CSI believes individuals should be able to decide how CSI collects and uses their Personal Information to the greatest extent possible. Whenever possible or required by law, CSI should obtain the consent of an individual before collecting or processing their Personal Information and, where an individual withholds or later withdraws their consent, CSI will respect their indicated wishes. CSI will strive in particular to obtain the consent of individuals where CSI collects and processes Sensitive Personal Information, while recognizing it may in some instances be necessary to process such Information to protect adequately CSI’s legal rights and interests. When seeking an individual’s consent, CSI should provide the individual with sufficient information to allow the individual to make an informed decision, allow the individual to later withdraw their consent, and refrain from penalizing the individual for withholding their consent.
Onward Transfer of Personal Information
CSI will notify individuals when their Personal Information may be disclosed to third parties, if practicable. CSI will not disclose Personal Information to third parties except when required by law or when the individual has given his or her consent for such disclosure, or when reasonable assurances are given that the Personal Information will be legitimately processed and appropriately protected in accordance with the DPF Principles.
Prior to the international transfer of Personal Information, CSI should implement any additional measures that are required under any applicable laws regulating such transfer and only transfer Personal Information in furtherance of CSI’s own legitimate business needs. CSI commits to cooperate and comply with the advice given by EU or UK data protection authorities with regard to human resources data transferred from the EU or the UK in the context of the employment relationship.
Security
CSI has implemented reasonable administrative, technical, and organizational measures to safeguard the Personal Information under its control or in its possession against loss, theft, misuse, unauthorized access, modification, disclosure, or destruction.
Data Integrity
CSI will only use Personal Information in accordance with any notices furnished to or consents obtained from individuals. CSI shall not process Personal Information for any additional, incompatible purposes unless it has re-notified the individual where required or as expressly permitted by law. CSI shall only collect Personal Information that is relevant to the business purposes for which is was lawfully obtained, and shall endeavor to keep the Personal Information accurate, complete, up-to-date and reliable.
Limited Purpose
CSI shall only collect, use, or disclose Personal Information by lawful and fair means, in accordance with applicable laws, and fully observing the legal rights of individuals. CSI shall only obtain or use Personal Information in order to fulfill CSI’s legitimate business purposes, such as (but not limited to) maintaining CSI’s customer accounts, maintaining regular communications with CSI customers, furnishing services to customers, complying with applicable legal and regulatory requirements, evaluating prospective applicants for positions at CSI, making hiring decisions, administering payroll and benefits to our employees, and protecting CSI’s legal rights and interests. CSI prohibits any unauthorized use of Personal Information by CSI personnel or its agents.
Access and Correction
CSI allows individuals to review the Personal Information that CSI holds relating to them unless such access would be inappropriate or unnecessary. Instances where access may legitimately be denied include where such access would materially prejudice CSI’s legitimate business interests or legal rights, adversely affect the privacy rights of third parties, or impose a disproportionate burden upon CSI given the attendant privacy risks to the individual. Where access is refused, CSI will, to the extent possible, inform individuals as to the reasons for the denial. If an individual establishes to CSI’s satisfaction that their Personal Information is inaccurate or incorrect, CSI should promptly correct or amend the relevant Personal Information.
Compliance
CSI maintains an active privacy and data protection compliance program. The Chief Compliance Officer is responsible for implementing and overseeing the administration of this Policy. All CSI personnel are required to adhere to this Policy and any associated or supporting policies. Failure to do so may be grounds for disciplinary action up to and including termination.
Enforcement & Complaint Resolution
CSI routinely assesses its compliance with this Policy and has procedures to verify that it has implemented the Policy in conformity with the DPF Principles. CSI is committed to assisting individuals in protecting their privacy and in providing opportunities to raise concerns about the processing of their Personal Information. Any questions, concerns, or complaints regarding the use or disclosure of personal information should be directed to the EU-U.S. Data Privacy Framework Officer (“DPF Officer”) as set forth below or to his designee located in the country in which you reside. CSI will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy.
For complaints that cannot be resolved between CSI and the complainant not involving EU or UK human resources information, there is an independent recourse mechanism. CSI has agreed to participate in the dispute resolution procedures of JAMS pursuant to the DPF Principles. Under certain conditions, an individual may invoke binding arbitration and CSI may be found liable for wrongful onward transfers of Personal Information to third parties. JAMS may be contacted at https://www.jamsadr.com/dpf-dispute-resolution
CSI has designated its Chief Compliance officer as its DPF Officer. Questions, comments or complaints regarding this Policy or data collection and processing practices can be mailed or emailed to:
CSI LEASING, INC.
Attn: Chief Compliance Officer
9990 Old Olive Street Road, Ste. 101
St. Louis, Missouri 63141
Tel: 800‐955‐0960 or +1 (314) 997-7010
Amendments
This Policy may be amended from time to time consistent with the requirements of the EU-U.S. or Swiss-U.S. Data Privacy Framework. Amendments to the Policy will be made public on this website as soon as reasonably practicable after they are adopted.