Effective January 3, 2014
Updated January 1, 2021
This Policy also explains how we comply with applicable privacy statutes, rules, and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among others. This Policy sets forth how we handle personal information we collect (i) through a Site, (ii) when individuals engage with us or use our products or services (our “Services”), (iii) in connection with providing Services to our clients, and (iv) from applicants for employment opportunities with us. For the purposes of this Notice, “personal information” means information relating to an identified or identifiable person.
As used in this Policy, the term “ACA U.S.” shall mean, collectively, the following U.S.-based ACA entities:
SIH ACA Topco, L.P.;
ACA Intermediate Co 1, LLC;
ACA Intermediate Co 2, LLC;
ACA Intermediate Co 3, LLC;
NM GRC Holdco, LLC;
ACA Corporate Holdings, Inc.;
ACA Compliance Group Holdings, LLC; and
Adviser Compliance Associates, LLC.
User Consent to Policy
By accessing, browsing, or using a Site, or following links through a Site to apply for employment with ACA, each User acknowledges that he or she has read, understands, agrees, and consents to the terms and conditions of this Policy. Each User consents to the collection, use, and disclosure of his or her information, including personal information, non-personal information, and anonymous browsing information (“Information”), pursuant to the terms of this Policy. If you do not consent to these terms and conditions, you should not access, browse, or use any Site or provide any Information to ACA via any Site.
Information Collected by ACA
A. Personal Information
We may collect personal information directly from you, including through your use of a Site, when you contact us or request information from us, when you apply for an employment opportunity with us, when you engage us for Services, or as a result of your attendance at one of our conferences or digital marketing events. With respect to personal information collected directly by ACA, including through a Site, we are the independent data controller responsible for your personal information. The information we collect directly from you typically consists of your contact information, including your name, address, business affiliation, business title, email address, and telephone number.
We only use, disclose, or otherwise process personal information when we have a lawful basis for doing so under applicable law, including fulfilling our contractual obligations, complying with legal obligations, protecting the vital interests of a person, furthering our legitimate interests as a company and employer, and otherwise for reasons you have consented to such processing.
For example, we use the personal information you provide directly to us to provide you with the information you requested (such as ACA blog posts or other informational materials) or to evaluate your application for employment. To the extent required by law, by providing personal information to us, you consent to our use of such personal information as explained herein.
We also may obtain personal information indirectly from or on behalf of our clients. We typically are retained by corporate entities, primarily in the financial services industry. In connection with providing Services pursuant to contracts with our corporate clients, we often obtain personal information of our clients’ customers, employees and/or agents. This personal information varies based on the Services provided, but may include names, contact information, account numbers, and other similar financial data. With respect to personal information that we receive from or on behalf of our clients in connection with providing Services, our client remains the independent data controller and ACA acts as a processor of such personal information.
B. Non-Individually Identifying Browsing Information
Users can browse a Site without revealing personal information. In this context, ACA’s servers may collect certain non-individually identifying (i.e., anonymous) browsing information, such as your Internet Protocol address, device screen size, device type (unique device identifiers), browser information, geographic location (country only), the preferred language used to display our website, your computer’s operating system, the name of the domain you used to access the Internet, the website you came from, and the website you visit next. This information is collected passively by using certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, or other technologies, examples of which are explained further in Section C below. Anonymous browsing information is not used, nor is it intended to be used, by ACA to personally identify an individual.
C. Passive Gathering of Information Electronically
ACA and any third parties that may advertise or provide other services on a Site may automatically and passively collect certain types of anonymous information whenever you use a Site or certain Site services or click on advertisements on a Site or in ACA’s periodicals, such as ACA Insight. If ACA or such third parties collect this anonymous information, it will be done passively by using certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, and similar technologies as explained below.
Web beacons, Pixels and Clear GIFs: ACA and certain third-party advertising partners may use web beacons, pixels, and clear GIFs. These electronic technologies are transparent image files that, if used, allow ACA and its advertising partners to track website usage information, such as the number of times a website has been viewed and whether and when you have opened a HTML email, how many times the email was forwarded and which links in the email were clicked. Unlike cookies, these technologies are not placed on your Equipment. If used, this information will help ACA to improve a Site and ACA’s advertising materials and will help ACA’s advertising partners by measuring the effectiveness of such communications to you. These technologies may be used in association with cookies to understand how Users interact with a Site or advertisements.
How ACA Uses the Information
ACA uses Information collected from Users to respond to Users’ questions and/or comments, market, develop, or provide products, services or information to Users, process Users’ purchases, evaluate applications for employment with ACA, or provide related account status to the applicable User. Personal information, non-personal information, and anonymous browsing information may be used to gather broad demographic information used in marketing, promotion, analytics, or similar activities. This information may be aggregated to measure the number of visits, average time spent, page views and other statistics about Users of a Site. ACA also may use this Information to monitor Site performance and to make a Site easier and more convenient to use. ACA also may use Information collected from its Users to enforce its agreements with Users, prevent fraud and other prohibited or illegal activities, for other legally permissible purposes and generally to ensure that ACA complies with applicable law.
ACA Sharing of Your Information
ACA only will share Information, including personal information, that it collects or receives with third parties under the following circumstances:
- Lawful basis: If ACA has a lawful basis to share Information, it may do so.
- Agents: ACA may utilize other companies and individuals to assist with ACA’s business, and such third parties have access to Information needed to perform their functions but may not use it for other purposes. Such third parties may include the following:
- Sub-contractors we have engaged in connection with providing Services to our clients.
- Our professional advisers, including our attorneys and accountants.
- Our insurers and insurance brokers.
- Third parties to which we outsource certain services to assist with operating our business, such as document shredding services, software providers, information storage providers and other related service providers.
- Third parties to which our clients have directed us to share information in connection with our Services, such as our clients’ attorneys and accountants.
- Third-party service providers that assist us with client data analytics.
- Third-party postal or courier providers that assist us with delivering marketing and other documents to you.
- Aggregate Anonymous Information: ACA may provide to others the aggregate statistics about our Users’ Site activity for purposes of marketing, promotion, analytics, or similar activities. None of these statistics will identify Users personally.
- Protection of ACA or Others: ACA may disclose Information about our Users to others if ACA has a good faith belief that it is required or permitted to do so by law or legal process to respond to claims, to protect the rights, property or safety of ACA or others, or take action regarding illegal activities or suspected fraud, or in response to national security or law enforcement requests.
- Business Transfers: If ACA decides to sell all or part or its assets, ACA reserves the right to include Information among the assets transferred to the acquiring company.
- Affiliates: ACA may share Information among its affiliates.
- Conference and Digital Marketing Event Attendees. ACA may provide the names, titles, company names, addresses, phone information, and email addresses of conference, roundtable, and digital marketing event attendees to current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co-sponsors.
We do not share or sell personal information with unaffiliated third parties, other than for the reasons stated herein.
As described above, we may provide certain third parties (“Sub-Processors”) with your personal information. Our Sub-Processors process personal information for us at our direction. We conduct reasonably appropriate due diligence on our Sub-Processors and include in our contracts with our Sub-Processors provisions requiring them to keep the personal information confidential, to process the personal information in accordance with our instructions, and to maintain reasonably appropriate information security systems. We may be liable for any unauthorized processing of personal information by our Sub-Processors.
We may appoint new Sub-Processors to assist us with providing Services and/or conducting our business. By using our services and products, you consent to our use of Sub-Processors, a current list of which can be viewed at www.acaglobal.com/GDPRSub-processors. We will provide notice to you of the addition of new Sub-Processors by updating this list.
Where We Transfer Personal Information
ACA is primarily located in the United States and the United Kingdom. Your personal information could be stored in either or both jurisdictions. ACA also maintains an office in Malta, and your personal information could be shared with ACA employees in Malta if required to perform Services.
For transfers of personal information from the European Economic Area (EEA) to the United States (U.S.) or United Kingdom (UK), and for transfers from the UK to the U.S., we rely on the Standard Contractual Clauses (SCCs) issued by the European Commission, a copy of which can be viewed at [link]. These SCCs are included as part of all service and product agreements where GDPR is applicable. If GDPR does not apply to your ACA service or product agreement, then the SCCs will not apply.
Period of Retention
ACA retains personal information in compliance with our obligations under applicable law. We may destroy personal information without notice or liability.
Confidentiality and Information Security
ACA is committed to keeping your personal information secure. We have taken reasonably designed steps to protect personal information from unauthorized access, use or disclosure. We also require our vendors to maintain reasonably appropriate information security policies and procedures and to maintain personal information confidentially.
Participation in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
Notwithstanding its reliance on the SCCs with respect to the transfer of personal data subject to GDPR, ACA U.S. also complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU, the UK, and Switzerland to the U.S., respectively. ACA U.S. has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
Organizations that participate in the EU-U.S. and Swiss-U.S. Privacy Shield Programs must comply with the Privacy Shield Principles, which require the following:
- Notice. Organizations must publish online privacy notices containing specific information about their participation in the Privacy Shield (including, where applicable, the entities or subsidiaries of the organization also adhering to the Principles); their practices around collecting, using and sharing personal data with third parties; their privacy practices, including an individual’s rights to access and correct data, and the choices they make available to individuals regarding limiting data collection and use. The thirteen specific items to be addressed in the notice also include (i) any relevant establishment in the EU, UK, and Switzerland, respectively, that can respond to inquiries or complaints, (ii) the independent dispute resolution mechanism designated to address complaints, a hyperlink to the complaint submission form of that dispute resolution body, (iii) the possibility, under certain circumstances, for EU, UK, and Swiss individuals to invoke additional binding arbitration; (iv) the possibility that the organization may be held liable for unlawful transfer of personal data to third parties; and (v) the organization’s obligation to disclose personal data in response to national security or law enforcement requests.
- Choice. Participants must provide a mechanism for individuals to opt out of having personal information disclosed to a third party or used for a materially different purpose than that for which it was provided. Opt-in consent is required with respect to the sharing of sensitive information with a third party or its use for a new purpose.
- Accountability for Onward Transfer. (a) To transfer personal information to a third party acting as a data controller, a participant must comply with the Notice and Choice Privacy Shield Principles. It must also enter into a contract with the third-party controller limiting the purposes for which the data may be processed and ensuring that the recipient will provide the same level of protection as the Principles. (b) To transfer personal data to a third party acting as an agent (such as a service provider), an organization has additional obligations. It must: transfer the data for limited and specified purposes; ascertain that the agent is obligated to provide at least the same level of privacy protection as required by the Principles; take reasonable steps to ensure that the agent effectively processes this data in a manner consistent with Principles; upon notice, take reasonable steps to stop and remediate unauthorized processing; and upon request, provide a summary or copy of privacy provisions of its contract with the agent to the U.S. Department of Commerce.
- Security. An organization creating, maintaining, using or disseminating personal data must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into “due account” the risks involved in the processing and the nature of the personal data.
- Data Integrity and Purpose Limitation. An organization must take reasonable steps to limit processing to the purposes for which it was collected, and to ensure that personal data is reliable for its intended use, accurate, complete, and current. It must only retain personal information for as long as needed for the purpose of collection. An organization must adhere to the Privacy Shield Principles for as long as it retains such information.
- Access. An organization must provide a mechanism by which data subjects may request access to personal information the organization holds about them and enable them to correct, amend, or delete information that is either inaccurate or processed in violation of the Principles.
- Recourse, Enforcement and Liability. This Principle addresses three topics: recourse for individuals affected by non-compliance, consequences to organizations for non-compliance, and compliance verification.
Accessing, Changing or Deleting Your Personal Information
ACA allows you to make a request to correct inaccuracies in or make other changes or delete your Information by contacting ACA at (301) 495-7850 or sending an email to [email protected]. ACA will use commercially reasonable efforts to promptly accommodate such requests.
Users are responsible for the accuracy of the Information they provide to ACA. ACA will use reasonable efforts to maintain the accuracy and integrity of such Information based on the input received from Users.
Choices for Use or Sharing of Certain Information
ACA values your concerns about the privacy of your Information. Therefore, ACA offers you the opportunity to choose how certain of your Information is used by ACA.
Any emails sent by ACA that are subject to the U.S. CAN-SPAM Act will include an option to unsubscribe from further correspondence. Please note that even if you opt-out from receiving certain emails from ACA, you will continue to receive transactional and/or relationship messages, such as messages confirming a product purchase or your registration for an event.
As stated above, ACA may share names, titles, company names, addresses, phone information, and email addresses of conference and roundtable attendees with current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co-sponsors. If you do not wish to receive further communications from these persons, you must contact them directly and make such a request. ACA is not responsible for how such third parties handle such Information.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to [email protected].
Linked Internet Websites
Each Site may provide hyperlinks, which are highlighted words or pictures within a hypertext document that, when clicked, take you to another place within the document, to another document altogether, or to other websites not controlled by ACA. These hyperlinked websites may contain privacy provisions that are different from those provided herein. ACA is not responsible for the collection, use, or disclosure of information collected through these websites, and ACA expressly disclaims any and all liability related to such collection, use, or disclosure.
Children’s Privacy Protection
No Site is directed towards children under 13 years of age, and ACA does not knowingly collect any Information from children under 13 years of age through any Site. If you are under 13 years of age, you are not permitted to submit any Information to ACA through any Site. If ACA becomes aware that it has collected Information from children under 13 years of age, ACA will take commercially reasonable efforts to promptly purge such Information from its systems.
Each Site has commercially reasonable security measures to protect against the loss, theft, misuse, and alteration of Information that is submitted to ACA and remains under ACA’s control. You should be aware, however, that ACA has no control over the security of other websites that you might visit or use, even when a link to those websites is available on or through any Site. If you share your Equipment or use Equipment that is accessed by the general public, remember to sign off and close your browser when you finish using any Site.
ACA wants you to feel confident using each Site; however, no system can be completely secure. Therefore, ACA makes no representations or warranties regarding the sufficiency of any Site’s security measures. ACA shall not be responsible for any damages, including without limitation consequential damages, resulting from a lapse in compliance with this Policy as a result of a security breach or technical malfunction. Certain information may be transmitted to you by email. Although it is illegal to intercept or disclose such messages under U.S. Federal law, such transmissions are not secure. In addition, Users’ communications through each Site are, in most cases, viewed only by you and anyone to whom you address your message. As the operator of each Site, ACA may need to review or monitor your electronic mail and other communications through each Site from time to time as may be required by law. Therefore, you should not expect to have a right to privacy in any of your electronic communications through any Site.
In the event of a breach of the confidentiality or security of your personal information, ACA will notify you if reasonably possible and as reasonably necessary under applicable law so that you can take appropriate protective steps. ACA may notify you under such circumstances using the email address or addresses that it has on record for you. You should also take care with how you handle and disclose your personal information. Please refer to the U.S. Federal Trade Commission’s website for information about how to protect yourself against identity theft.
ACA may occasionally update this Policy, as noted by the “updated date” at the beginning of this Policy. If ACA updates this Policy in a manner that allows it to collect, use, or disclose your personal information in a materially less restrictive manner than under a prior version of this Policy, ACA will provide you with prior notice of the pending update and seek your consent by posting notice on www.acaglobal.com or by contacting you using the email address or addresses that ACA has on record for you. ACA encourages you to periodically review this Policy to stay informed about its collection, use, and disclosure of your Information. Your continued use of any Site constitutes your agreement to this Policy and any updates.
Enforcement and Dispute Resolution
If you have any questions, complaints, or disputes regarding how ACA handles or protects your Information, please bring it to ACA’s attention (see “How to Contact ACA” below). In compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Principles, ACA commits to resolve complaints about your privacy and our collection or use of personal information from EU, UK, or Swiss residents. EU, UK, or Swiss individuals with inquiries or complaints regarding this Policy should first contact ACA (see “How to Contact ACA” below).
ACA has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/bbb-privacy-shield/file-a-complaint for more information and to file a complaint.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
If your complaint involves human resources data transferred to the U.S. from the EU, UK, and/or Switzerland in the context of the employment relationship, and ACA does not address it satisfactorily, ACA commits to cooperate with the panel established by the EU or UK data protection authorities (DPA Panel) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable and to comply with the advice given by the DPA panel and/or Commissioner, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.
ACA is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
ACA retains sole and absolute discretion in resolving all questions relating to the administration, interpretation and application of this Policy, except as required by law or the Privacy Shield Frameworks. This authority includes construing the terms of this Policy, including any disputed or doubtful terms.
No Rights of Third Parties
This Policy does not create rights enforceable by third parties.
How to Contact ACA
If you have any questions about this Policy, please
Call: +1 301 495.7850
CCPA toll-free number: +1 833 741.0222
Email: [email protected]
Write: ACA Compliance Group
Legal Department – Privacy
8401 Colesville Road, Suite 700
Silver Spring, MD 20910
© 2014-2020 SIH ACA Topco, L.P. All rights reserved.