Novus Data Privacy Framework Policy
Novus Law, LLC (Chicago, USA) and its US affiliate, Novus Lex, LLC (collectively “Novus”), comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Novus certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Novus has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the UK Extension, or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Novus is committed to educating its clients and employees about the issues, guidelines, and laws surrounding compliance with the DPF. Novus works as a “processor” on behalf of its clients, and its policies and manner of compliance are appropriate to the nature of its work. As outlined in this policy, the practices Novus follows under the EU-U.S. DPF also apply to data transferred from Switzerland to the United States in compliance with the Swiss-US DPF and the UK in compliance with the UK Extension to the EU-U.S. DPF.
Definitions
Data Subject: Individuals covered by this Data Privacy Framework Policy to whom the Personal Data is related.
Personal Data: Information that is specific to an individual, or in combination with other information relating to an individual, residing in the European Union, the UK, or Switzerland that can be used to identify that individual.
Sensitive Personal Data: Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual orientation.
Novus as a Processor on behalf of its Clients
Novus is a legal service provider, and client confidential information (including Personal Data) is made available to Novus to provide its services to corporate legal departments and law firms. Novus does not collect this data, and its use is strictly limited to providing services according to executed agreements with its clients. In this capacity, Novus does not own or control any of the information it processes on behalf of its clients. All such information is owned and controlled by its clients. In this capacity, Novus receives information transferred from the EU, UK, or Switzerland to the United States merely as a processor on behalf of its clients.
When Novus acts as a processor on behalf of its clients, the policies outlined below apply to all Novus data processing operations accessing personal data in the US that has been transferred from the EU, UK or Switzerland to the United States.
Scope and Responsibility
This DPF Policy applies to Personal Data transferred from European Union member countries, the UK, and Switzerland to Novus in the US in reliance on the respective DPF and does not apply to Personal Data transferred under Standard Contractual Clauses or any approved derogation from the EU Directive. Some types of Personal Data may be subject to other privacy-related requirements and policies, including but not limited to:
- Novus website privacy policies
- Personal Data received from a client is subject to a written agreement with that client, as well as additional applicable laws and professional standards
- Employee Personal Information is subject to human resource policies, including the Employee Data Privacy Notice
- All Novus employees who have access to Personal Data covered by this Policy are responsible for conducting themselves following the principles of this policy. Adherence by Novus to this Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations. Personal Data covered by this DPF Policy shall not be collected, used, or disclosed in a manner contrary to this policy without prior written permission by the Novus Information Privacy Representative.
Data Privacy Framework Principles
Novus commits to adhere to the DPF Principles for all Personal Data received by Novus in the US from EU member countries, the UK, and Switzerland in reliance on the respective DPF.
Processing Agreements
Before starting any processing on behalf of Novus clients, Novus will agree with the EU, UK, and Swiss data controller responsible for the personal information according to the applicable EU, UK and Swiss Member State Data Protection laws.
The agreement includes reasonable and appropriate assurances that the EU, UK, and Swiss data controller will comply with the applicable Member State Data Protection laws. The agreement will also specify that the processing will be carried out with reasonable and appropriate data security measures. Novus has measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
Any information from a Novus client (acting as EU, UK, or Swiss controllers) identified as sensitive will be treated per the agreement. Further, any data processed by Novus will not be disclosed to third parties except where required by the agreement, EU – U.S. DPF, UK Extension to the EU-U.S. DPF, or Swiss-US DPF, or the applicable Member State Data Protection laws. Novus will not disclose personally identifiable information to third parties unless expressly agreed to and at the direction of the data controller or when required by law in response to lawful requests by public authorities to meet national security or law enforcement requirements, including subpoenas, court orders, or legal process.
As a processor on behalf of Novus clients (acting as the EU, UK or Swiss controllers), Novus is not required to apply other EU DPF, UK Extension DPF, or Swiss DPF principles to the personal information received for processing from a client.
Notice
Before the transfer of any non-public personal information from the EU, UK, and Switzerland to the US, Novus will take reasonable and appropriate measures to ensure that the EU, UK, and Swiss controllers (from whom Novus acquired the information) follow the applicable EU, UK, and Swiss Member State Data Protection laws including notice regarding any transfer of data. Novus does not receive any personal data directly from data subjects.
Choice
Before the transfer of any non-public personal information from the EU, UK, or Switzerland to the US, Novus will take reasonable and appropriate measures to ensure that the EU, UK, and Swiss controllers (from whom Novus acquired the information) follow the applicable EU, UK, and Swiss Member State Data Protection laws, including that data subjects have been provided with the proper choice regarding how their data may be used.
Any Personal Data covered by this DPF Policy will not be used for a new purpose that is materially different from the one for which the Personal Data was initially received or subsequently authorized and will not be disclosed to a non-agent third-party.
Data Integrity
Novus takes reasonable steps to ensure the information transferred from the EU, UK, and Switzerland to the US is reliable, accurate, and complete. The steps Novus takes to assure data integrity are based on the purposes for which the personal information is used.
Disclosures & Accountability for Onward Transfers
Consistent with the DPF Principles, Novus may be required to provide services to clients that include transferring personal information to third-parties, including transfers from one country to another. Novus will only disclose an individual’s non-public personal information to third-parties under one or more of the following conditions:
- The disclosure is to a third-party providing services to Novus in connection with the operation of its business and is consistent with the purpose for which the personal information was collected. Written agreements with these third parties are maintained and require that the third-parties provide at least the same level of privacy protection and security as required by the DPF Principles
- With the client’s permission to make the disclosure
- Where required to the extent necessary to meet a legal obligation to which Novus is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation
- Where reasonably necessary for compliance or regulatory purposes or the establishment of legal claims
In cases where Novus must transfer non-public personal information to a third-party acting as an agent on Novus’ behalf, Novus will remain liable under the principles unless Novus proves it is not responsible for an event giving rise to the damage.
Access
Individuals whose Personal Data is covered by this DPF Policy have the right to contact Novus when Personal Data is inaccurate or has been processed in violation of the DPF Principles except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the individuals would be violated.
Security
Novus takes reasonable and appropriate measures to protect the Personal Data covered by this DPF Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, considering the risks involved in the processing and the nature of the Personal Data.
Novus has an information security management system (“ISMS”) to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Novus ISMS is certified for ISO/IEC 27001:2013, providing for independent third-party validation that it has controls in place to protect against unauthorized access (both physical and logical).
Novus’ ISMS Team is responsible for conducting investigations into any alleged computer or network breaches, incidents, or problems and ensuring proper disciplinary action is taken against those violating the Novus information security policy.
Any security compromises or potential security compromises and any inquiries concerning security should be reported to the contact identified in this policy.
Data Integrity and Purpose Limitation
Novus limits the collection of Personal Data covered by this DPF Policy to information provided to us by clients and that is relevant for processing in association with the provision of services to that client. Novus does not process Personal Data in a way that is incompatible with the purposes for which it has been provided to Novus by a client.
Novus takes reasonable and appropriate measures to ensure that Personal Data is accessed for its intended use and that it is accurate, complete, and current. Novus takes reasonable and appropriate measures to comply with the requirements under the DPF to retain Personal Data in identifiable form only for as long as it serves a purpose during processing and the provision of services to clients.
Enforcement
The Federal Trade Commission has jurisdiction over Novus’ compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Novus commits to refer unresolved complaints concerning its handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution/American Arbitration Association (“ICDR/AAA”), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit the ICDR/AAA website https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR/AAA are provided at no cost to you.
Under certain circumstances, the option of selecting binding arbitration under the DPF Panel is available. To learn more about the DPF or to view Novus’ certification, please visit https://www.dataprivacyframework.gov.
Modifications
Novus may update this policy anytime by publishing an updated version here. This policy will not be updated in contravention of the DPF Principles.
Contact Us
For any questions regarding the Novus DPF Policy, please contact our Information Privacy Representative at privacy@novuslaw.com