Data Privacy Framework Policy

Overview

This Data Privacy Framework Policy (the “Policy”) outlines the Data Privacy Principles followed by Alfa Financial Software Inc. (referred to as “Alfa”), a subsidiary of Alfa Financial Software Limited, regarding the transfer and protection of Personal Data received from the European Union (EU), the United Kingdom (UK), and Switzerland in reliance on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework established by the U.S. Department of Commerce (collectively, the “DPF”)

Alfa complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Alfa has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of “Personal Data” (as described below) received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  Alfa has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

This Policy applies to the Personal Data covered by Alfa's DPF certification, encompassing the following categories of Personal Data:

• Personal Data regarding current, former and prospective employees and partners for the purposes of performing human resource administration and maintaining contact with individuals.
• The Personal Data, concerning former and potential clients, as well as their personnel, customers, or other individuals utilising Alfa services.
• Personal Data regarding Alfa suppliers, service providers, and other third parties, and their personnel for the purposes of managing and administering Alfa’s business relationships with such third parties.

The collection and processing of Personal Data under this Policy adhere to the guidelines set forth in the DPF Principles. Individuals are informed about the collection and use of their Personal Data either through this Policy, Alfa’s Privacy Policy, or direct communication channels, such as contracts or agreements. When deemed necessary and appropriate, consent for the collection, use, and/or transfer of Personal Data may also be obtained through these channels, including obtaining opt-in consent for sensitive Personal Data.

Alfa only collects and processes Personal Data to the extent that it is compatible with the purposes for which it was collected or subsequently authorised by the individual. This includes processing Personal Data necessary for the performance of and compliance with employment contracts or other applicable engagement contracts with Alfa, complying with legal or regulatory obligations, and for legitimate interests that are not overridden by the individual's interests or rights. Alfa does not retain Personal Data after it no longer serves the purposes for which it was collected or subsequently authorised. Alfa takes reasonable steps to ensure that Personal Data is accurate, complete, current, and reliable for its intended use.

The Federal Trade Commission has jurisdiction over Alfa’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In compliance with the DPF Principles, Alfa commits to address complaints related to the collection or use of Personal Data in accordance with the DPF Principles. Alfa provides individuals with the opportunity to address complaints or make inquiries directly through contact with our data protection team (information available in our Privacy Policy) or using other methods outlined in the "How to Contact Alfa" section. In cases where disputes cannot be resolved directly with Alfa, the company commits to facilitating access to an independent dispute resolution body dedicated to handling privacy-related complaints from EU, the UK and Swiss individuals.

• For Human Resources Data: In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Alfa commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
• For Non-Human Resources Data: Alfa has established an independent recourse mechanism, the International Centre for Dispute Resolution, the international division of the American Arbitration Association ("ICDR/AAA"). To address issues, individuals can contact the ICDR/AAA for resolution by visiting https://go.adr.org/dpf_irm.html

If a DPF complaint cannot be resolved through the aforementioned channels, individuals may, under certain conditions, have the option to seek binding arbitration for unresolved claims related to the DPF Principles. Further information can be found at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

Alfa commits to periodically reviewing and verifying its compliance with the DPF Principles and addressing any issues stemming from non-compliance. Alfa acknowledges that failure to provide an annual self-certification to the U.S. Department of Commerce will result in its removal from the Department’s list of DPF participants.

Individual rights

Individuals whose Personal Data is covered by this Policy have the right to access the Personal Data that Alfa maintains about them, as specified in the DPF Principles. Individuals may contact Alfa to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the DPF Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated). Individuals may also have the right to limit the use and disclosure of their Personal Data (opt-out) under certain circumstances, such as marketing. Requests to access, correct, amend, delete, or limit the use and disclosure of Personal Data (opt-out) can be made by contacting Alfa at DPO@alfasystems.com.

Accountability for onward Transfers

Alfa may engage with third parties, resulting in the transfer of Personal Data from one jurisdiction to another. This engagement assists in operating and managing Alfa, providing specific professional services as specified within the contractual framework established between Alfa and its clients, or supporting and administering Alfa’s business relationships with partners and suppliers. Alfa maintains written contracts with these third parties, ensuring that they are obligated to provide at least the same level of privacy protection and security as required by the DPF Principles. To the extent provided by the DPF Principles, Alfa remains responsible and liable if a third party engaged to process Personal Data on its behalf does so inconsistently with the DPF Principles. This responsibility persists unless Alfa can demonstrate that it is not accountable for the issue leading to the damage. Additionally, Alfa may disclose Personal Data:

• Where required to meet a legal obligation to which Alfa is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation.
• Where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal claims.

Security

Alfa will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by processing the Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed in accordance with the Data Protection Laws, including as a minimum.

How to contact Alfa

If you have any questions or comments about this Policy, would like to exercise any of your rights under applicable data protection law, or believe that Alfa has not adhered to this Policy please contact Alfa in the U.S. at:

Alfa Financial Software, Inc.
ATTN: Data Protection Officer
124 E Hudson Ave
Royal Oak, MI 48067

Updates

Alfa may update this Policy at any time by publishing an updated version here, however we will not update this Policy in contravention of the DPF Principles.

Last updated: 07 May, 2024