Effective: March 31, 2006
Last updated: March 5, 2020
The Debt Exchange, Inc. (“DebtX” or the “Company”) voluntarily complies with the Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (EU) member countries to the United States. DebtX has certified to the Department of Commerce that it adheres to the Privacy Shield Principles (“Principles”) of Notice, Choice, Accountability of Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. For more information about the Privacy Shield Framework, please visit the U.S. Department of Commerce’s Website at https://www.privacyshield.gov/welcome. This statement outlines our general policy and practices for implementing the Principles, including the types of information DebtX is in contact with, how we use it, and the choices affected individuals have regarding our use of, and their ability to correct, that information. If there is any conflict between the policies in this statement and the Principles, the Principles will govern.
The Principles apply to information that pertains to an identifiable individual residing in the European Union (“EU Personal Data”) which DebtX receives either directly from such individuals or pursuant to its performance of services for its clients situated in the European Union (“EU Clients”). The Principles do not apply to: (a) data collected and used by DebtX which is not EU Personal Data; or (b) the subsidiaries of DebtX who do not receive EU Personal Data.
Methods of Data Acquisition
DebtX acquires EU Personal Data in the following ways:
- Directly from individuals at institutions that are interested in registering as sellers of assets on the DebtX platform (“Sellers”);
- Directly from individuals at institutions that are interested in buying assets via the DebtX platform (“Buyers”); and
- Through debt-related data, which may contain EU Personal Data, sent to DebtX for processing directly from EU Clients or from their agents (“Client Data”).
Notice and Choice
With regard to Client Data, DebtX is acting in accordance with instructions from its EU Clients as set out in its agreements with such clients. Under these agreements, the EU Client is responsible for providing any required notice to its customers as to what data will be collected and for what purpose the data will be used. The EU Client is also responsible for receiving consent, if required, based on such notice. Where DebtX is a processor of Client Data, the EU Client is also responsible for conveying any choices of the owner of such Client Data and DebtX will comply with such choice.
DebtX uses Seller and Buyer data for the following purposes:
- Buyers – to identify institutions that may be interested in reviewing specified assets.
- Sellers – to allow individuals access to the platform to review their own data.
With regard to Client Data, DebtX uses this data to perform its obligations under its EU Client agreements:
- The negotiation of the sale of debt assets to qualified buyers.
- The processing of due diligence material related to asset sales.
Disclosure to Third Parties
To provide the above services, DebtX will disclose Client Data to Buyers, but only if authorized to do so in the EU Client agreement and only where Buyers are within the scope of the agreement with the EU Client. Before disclosing Client Data to a Buyer, DebtX assures itself that the Buyer is: (a) an active participant in the EU-U.S. Privacy Shield Framework; (b) situated in the EU, or a jurisdiction which is recognized by an adequacy finding of the EU data protection authorities; or (c) bound by a written agreement with DebtX regarding data privacy protection with contractual assurances that it will (i) process the Client Data for limited and specified purposes consistent with any consent provided by the Data Subjects; (ii) provide at least the same level of protection as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Client Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If DebtX has knowledge that a third party acting as a controller is processing Client Data covered by this Privacy Shield Policy in a way that is contrary to the Privacy Shield Principles, DebtX will take reasonable steps to prevent or stop such processing.
Legal Requirement to Disclose
As a result of legal requirements, DebtX may be required to provide personally identifiable information to authorized organizations in order to comply with legally mandated reporting or process requirements. Please be aware that DebtX may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Data Integrity and Information Security
DebtX is committed to ensuring that EU Personal Data received from its EU Buyers, EU Sellers, and EU Clients is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction while it is under the control of DebtX, its affiliates or agents.
DebtX’s processing technologies and operations employ a wide range of security measures including: physical, electronic, and procedural safeguards; sophisticated security monitoring tools; documented security policies; use of encryption and/or private leased lines for transmissions of EU Personal Data to and from EU Clients; restricted access of personally identifiable information only to those of its employees that need to know the information; and periodic security audits by an internal audit group and third-party security experts.
Access to Personal Data
Buyers and Sellers can contact DebtX to view and correct their data either on-line, by phone or in writing.
An individual whose data is included in Client Data, and who wishes to access any of his or her EU Personal Data that is in DebtX’s possession may contact the EU Client to which he or she submitted the data and request access. On receipt of an access request from the EU Client, DebtX will provide access except where the burden or expense of providing the access would be disproportionate to the risks to the individual’s privacy or where the rights of a person other than the individual would be violated by such access.
If the EU Client advises DebtX that the information pertaining to an individual is found to be inaccurate, DebtX will correct, amend or delete it as directed by the EU Client.
U.S. Federal Trade Commission Jurisdiction
DebtX’s commitments under the Principles are subject to the jurisdiction and enforcement and investigatory authority of the United States Federal Trade Commission.
Compliance, Enforcement and Liability
DebtX has an internal audit group which audits the Company’s compliance with this policy and its EU-U.S. Privacy Shield Framework commitment.
An individual whose data is included in Client Data, and who has a complaint or dispute should contact the EU Client who provided the data to DebtX. If after contacting the EU Client, the individual’s complaint or dispute has not been resolved, s/he can contact JAMS. To contact JAMS and/or learn more about the company’s dispute resolution services, including instructions for submitting a complaint, please visit: https://www.jamsadr.com/eu-us-privacy-shield. This organization will provide independent dispute resolution and, should it determine it appropriate, it can also assess sanctions, including damages, for violation of the Principles.
A Buyer or Seller who has a complaint or dispute should contact DebtX. If after contacting DebtX, the individual’s complaint or dispute has not been resolved, s/he can contact JAMS. To contact JAMS and/or learn more about the company’s dispute resolution services, including instructions for submitting a complaint, please visit: https://www.jamsadr.com/eu-us-privacy-shield. This organization will provide independent dispute resolution and, should it determine it appropriate, it can also assess sanctions, including damages, for violation of the Principles.
Under certain conditions detailed in the Privacy Shield, individuals in the EU may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.
In accordance with the Privacy Shield Principles, DebtX is liable for any processing of personal data by a third party acting as an agent on its behalf that is inconsistent with the Privacy Shield Principles unless DebtX was not responsible for the event giving rise to any alleged damage.
If you have any questions about the Principles or the Privacy Shield Framework practices of DebtX, please contact us at +1-617-531-3400, or write to:
The Debt Exchange, Inc.
Attention: General Counsel
100 Summer, Suite 1900
Boston, MA 02110