Novus Privacy Shield Policy
Novus Law, LLC (Chicago, USA) and its affiliates (collectively “Novus”) comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States respectively. Novus has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program and to view our certification, please visit https://www.privacyshield.gov/.
Novus is committed to educating its clients and employees about the issues, guidelines, and laws surrounding compliance with Privacy Shield. Novus works as a “processor” on behalf of its clients, and our policies and manner of compliance are appropriate to the nature of our work. As outlined in this policy, the practices Novus follows under the EU-U.S. Privacy Shield also apply to data transferred from Switzerland to the United States in compliance with the Swiss-US Privacy Shield Framework.
Definitions
Data Subject: the individual covered by this Privacy Shield Policy to whom the Personal Data is related.
Personal Data: any information relating to an individual residing in the European Union and Switzerland that can be used to identify that individual on its own or in combination with other readily available data.
Sensitive Personal Data: Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual orientation.
Novus as a Processor on behalf of its Clients
Novus is a legal service provider, and client confidential information (including Personal Data) is made available to Novus to provide its services to corporate legal departments and Law Firms. Novus does not collect this data, and its use is strictly limited to providing services according to executed agreements with its clients. In this capacity, Novus does not own or control any of the information it processes on behalf of its clients. All such information is owned and controlled by its clients. In this capacity, Novus receives information transferred from the EU or Switzerland to the United States merely as a processor on behalf of our clients.
When Novus acts as a processor on behalf of its clients, the policies outlined below apply to all Novus data processing operations accessing personal data that has been transferred from the EU, Switzerland, or the UK to the United States.
Scope and Responsibility
This Privacy Shield Policy applies to Personal Data transferred from European Union member countries and Switzerland to Novus in the US in reliance on the respective Privacy Shield framework and does not apply to Personal Data transferred under Standard Contractual Clauses or any approved derogation from the EU Directive. Some types of Personal Data may be subject to other privacy-related requirements and policies, including but not limited to:
- Novus website privacy policies;
- Personal Data received from a client is subject to a written agreement with that client, as well as additional applicable laws and professional standards;
- Employee Personal Information is subject to human resource policies, including the Employee Data Privacy Notice;
All Novus employees who have access in the US to Personal Data covered by this Privacy Shield Policy are responsible for conducting themselves following this Privacy Shield Policy. Adherence by Novus to this Privacy Shield Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations. Personal Data covered by this Privacy Shield Policy shall not be collected, used, or disclosed in a manner contrary to this policy without prior written permission by the Novus Information Privacy Representative.
Novus commits to adhere to the Privacy Shield Principles for all Personal Data received by Novus in the US from European Union member countries and Switzerland in reliance on the respective Privacy Shield framework.
Processing Agreements
Before starting any processing on behalf of Novus clients, Novus will agree with the EU and Swiss data controller responsible for the personal information according to the applicable EU Member State Data Protection law.
The agreement includes reasonable and appropriate assurances that the EU and the Swiss data controller will comply with the Member State Data Protection law. The agreement will also specify that the processing will be carried out with reasonable and appropriate data security measures. Novus has measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
Any information from a Novus client (acting as the EU and Swiss controllers) identified as sensitive will be treated per the agreement. Further, any data processed by Novus will not be disclosed to third parties except where required by the agreement, EU Privacy Shield, Swiss-US Privacy Shield, or the applicable Member State Data Protection law. Novus will not disclose personally identifiable information to third parties unless expressly agreed to and at the direction of the data controller or when required by law in response to lawful requests by public authorities to meet national security or law enforcement requirements, including subpoenas, court orders, or legal process.
As a processor on behalf of Novus clients (acting as the EU controllers), Novus is not required to apply other EU Privacy Shield Principles to the personal information received for processing from a client.
Notice
Before the transfer of any non-public personal information from the EU and Switzerland to the United States, Novus will take reasonable and appropriate measures to ensure that the EU and Swiss controller (from whom Novus acquired the information) follows the applicable EU and Swiss Member State Data Protection laws including notice regarding any transfer of data. Novus does not receive any personal data directly from data subjects.
Choice
Before the transfer of any non-public personal information from the EU and Switzerland to the United States, Novus will take reasonable and appropriate measures to ensure that the EU and Swiss controller (from whom Novus acquired the information) follows applicable EU and Swiss Member State Data Protection laws, including that data subjects have been provided with the proper choice regarding how their data may be used.
Any Personal Data covered by this Privacy Shield Policy will not be used for a new purpose that is materially different from the one for which the Personal Data was initially received or subsequently authorized and will not be disclosed to a non-agent third party.
Data Integrity
Novus takes reasonable steps to ensure the information transferred from the EU and Switzerland to the United States is reliable, accurate, and complete. The steps Novus takes to assure data integrity are based on the purposes for which the personal information is used.
Disclosures & Accountability for Onward Transfers
Consistent with the Principles, Novus may be required to provide services to clients that include transferring personal information to third parties, including transfers from one country to another. Novus will only disclose an individual’s non-public personal information to third parties under one or more of the following conditions:
- The disclosure is to a third party providing services to Novus in connection with the operation of its business and is consistent with the purpose for which the personal information was collected. Written agreements with these third parties are maintained and require that the third parties provide at least the same level of privacy protection and security as required by the Privacy Shield Principles;
- With the client’s permission to make the disclosure;
- Where required to the extent necessary to meet a legal obligation to which Novus is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation.
- Where reasonably necessary for compliance or regulatory purposes or the establishment of legal claims.
In cases where Novus must transfer non-public personal information to a third party acting as an agent on Novus’ behalf, Novus will remain liable under the Principles unless Novus proves it is not responsible for an event giving rise to the damage.
Access
Individuals whose Personal Data is covered by this Privacy Shield Policy have the right to contact Novus when Personal Data is inaccurate or has been processed in violation of the Privacy Shield Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the individuals would be violated).
Security
Novus takes reasonable and appropriate measures to protect the Personal Data covered by this Privacy Shield Policy from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Data.
Novus has an information security management system (“ISMS”) to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Novus ISMS is certified for ISO/IEC 27001:2013, providing for independent third-party validation that it has controls in place to protect against unauthorized access (both physical and logical).
Novus’ ISMS Team is responsible for conducting investigations into any alleged computer or network breaches, incidents, or problems and ensuring proper disciplinary action is taken against those violating the Novus information security policy.
Any security compromises or potential security compromises and any inquiries concerning security should be reported to the contact identified in this policy.
Data Integrity and Purpose Limitation
Novus limits the collection of Personal Data covered by this Privacy Shield Policy to information that is provided to us by clients and is relevant for processing in association with the provision of services to that client. Novus does not process Personal Data in a way that is incompatible with the purposes for which it has been provided to Novus by a client.
Novus takes reasonable and appropriate measures to ensure that Personal Data is accessed for its intended use and that it is accurate, complete, and current. Novus takes reasonable and appropriate measures to comply with the requirements under the Privacy Shield to retain Personal Data in identifiable form only for as long as it serves a purpose during processing and the provision of services to clients.
Enforcement
The Federal Trade Commission has jurisdiction over Novus’ compliance with the Privacy Shield.
In compliance with the Principles, Novus commits to resolve complaints about Personal Data that has been processed in violation of the Privacy Shield Principles. Individuals with inquiries or complaints regarding Novus’ Privacy Shield Policy should contact the Novus Information Privacy Representative. Novus will respond to individuals within forty-five (45) days of an inquiry or complaint. If an individual has an unresolved complaint or concern that is not addressed satisfactorily, that individual may contact Novus’ U.S.-based third-party dispute resolution provider (free of charge), the International Centre for Dispute Resolution/American Arbitration Association (“ICDR/AAA”). Please contact or visit ICDR/AAA for more information or to file a complaint.
Under certain circumstances, the option of selecting binding arbitration under the Privacy Shield Panel is available. For further information, please see the Privacy Shield website. To learn more about the Privacy Shield Framework and to view Novus’ certification, please visit https://www.privacyshield.gov.
Modifications
Novus may update this policy anytime by publishing an updated version here. We will not update this Privacy Shield Policy in contravention of the Principles.
Contact Us
For any questions regarding the Novus Privacy Shield Policy, please contact our Information Privacy Representative at privacy@novuslaw.com.