Simplica considers individual privacy paramount, and we take great care in keeping personal data private and secure.
This policy applies to
- Personal Data processed by Simplica in its role as processor
- Personal Data processed by Simplica in its role as business associate
- Personal Data collected by Simplica as Controller, usually as part of its contractual relationship with customer
- Personal Data of visitors to Simplica’s website which may be collected by Simplica as Controller
- Personal Data of Simplica employees and contractors
Related policies
- Information Security Policy
- Human Resources Policy
Simplica as Data Processor
For purposes of this policy, personal data is defined as any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified by referencing an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
A controller is an entity that determines the purposes and means of processing personal data while a processor is an entity that has the responsibility of processing the personal data only on behalf of a controller.
Simplica provides its customers with hosting infrastructure, has limited knowledge of customer data within that infrastructure, and only processes hosted data in accordance with the customer’s instructions. As such, Simplica is a processor and its customer is the controller of hosted data. Customers are responsible for adhering to legal and regulatory requirements for the data which they collect and process as a controller.
Simplica ensures that any subcontractor it engages for carrying out specific processing activities on behalf of the customer will be subject to the same data protection obligations as Simplica.
Simplica as Business Associate
Simplica’s customers who have direct access to personal medical information such as protected health information (PHI) are both controllers and covered entities under the Health Insurance Portability and Accountability Act (HIPAA). A covered entity is a health plan, health care clearinghouse, or health care provider who electronically transmits any health information in connection with transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards.
With regard to these customers, Simplica is both processor and business associate which HIPAA defines as a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. The relationship between covered entity/customer and Simplica is governed by a business associate agreement or addendum.
Simplica as Data Controller
Simplica collects and maintains personal data (1) for the offer and maintenance of Simplica services for customer use and for the related communications, (2) for the maintenance of the Simplica.com website, and (3) for internal human resources (HR) purposes. In such cases, Simplica is a controller.
The collection and processing of a customer’s personal data for direct use and administration of our services is based on contractual obligation, necessary to provide the customer with access and use of the services.
Personal Data We Collect
1. Information a customer gives us so that we can carry out our contractual obligations to that customer;
2. Information we receive from third parties in order to fulfill our contractual obligations to a customer;
3. Information we collect when an individual visits the Simplica.com website such as IP addresses;
4. Information collected through the use of forms on the Simplica.com website, such as name, email address, and demographic information such as city, state and zip code; and
5. Information necessary for HR administration.
How We Use Personal Data
1. To provide a requested service to customer, we use data for
- customer support
- account notifications
- security and safety
- providing our services
2. When an individual visits the Simplica.com website, we use
- IP addresses to help diagnose problems with our server, and to administer our Website and to gather broad demographic information;
- cookies so that we operate the site and provide an acceptable use experience;
- forms which request contact information used to contact you when necessary.
3. For HR purposes, we use information such as
- name and contact information
- work and education history
- work qualification information (e.g. citizenship or visa status)
- compensation and payroll information
- other information necessary to comply with our legal obligations
Reasons We Share Personal Data
This section describes how Simplica may share and disclose personal data. Simplica may share personal data with customer’s consent or as necessary to complete a transaction or to provide a service customer has requested or authorized. For example:
1. If a customer elects to use connected third-party applications, we may share personal data with companies who provide those applications. In those cases, we encourage customers to review and understand the terms and conditions and privacy policies of those third parties over whom we have no control.
2. We may use third-party service providers to help us operate or administer our services. For example, companies we’ve hired to assist in protecting and securing our services and systems may need access to personal data to complete those functions. In such cases, these companies must abide by our data privacy and security requirements and are not permitted to use personal data they receive from us for any other purpose.
3. As we believe to be necessary or appropriate, we may disclose personal data: (a) under applicable laws; (b) to comply with a subpoena or other legal process; (c) to respond to requests from public and government authorities; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our customers or affiliates; and (f) to allow us to pursue available remedies or limit the damages that we may sustain.
Simplica does not share personal data with third parties for marketing purposes. Similarly, personal data collected through the use of the Simplica.com website is not shared. Personal data collected for HR administration is shared only to fulfill an HR purpose.
How Long We Keep Personal Data
We keep personal data to enable your continued use of Simplica services, for as long as it is required in order to fulfill the relevant purposes described in this Privacy Statement, as may be required by law (including for tax and accounting purposes), or as otherwise communicated to you. How long we retain specific personal data varies depending on the purpose for its use.
Access and Control of Personal Data
Access and control of personal data is managed by the Simplica Privacy Officer. Requests regarding access and control of personal data, whether related to Simplica as processor or controller, should be directed to firstname.lastname@example.org.
General Data Protection Regulation (GDPR)
If an employee, contractor, customer, or visitor to the Simplica.com website is located in the European Union (EU), those individuals have rights to access personal data about them and to limit use and disclosure of their personal data. Those rights include
1. the right to object to processing,
2. the right to be informed,
3. the right of access,
4. the right to rectification,
5. the right to erasure,
6. the right to restrict processing,
7. the right to data portability,
8. the right to lodge a complaint with your local Supervisory Authority, and
9. the right to withdraw consent.
Because Simplica, as processor, has limited ability to access data our customers submit to our services, if you wish to request access, to limit use, or to limit disclosure, please provide the name of the Simplica customer who submitted your data to our services. We will refer your request to that customer, and will support them as needed in responding to your request.
Standard Contractual Clauses & EU/UK-U.S. Privacy Shield Framework
Simplica uses the Standard Contractual Clauses (SCCs), found in Simplica’s Data Processing Addendum (DPA) as the mechanism for the transfer of customer data from EU member countries and the United Kingdom (UK) to the United States.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Simplica is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.
Pursuant to the Privacy Shield Frameworks, EU and UK individuals have the right to obtain our confirmation of whether we maintain personal information relating to them in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield should direct their query to email@example.com. If requested to remove data, we will respond within a reasonable timeframe.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Simplica’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Simplica remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Simplica proves that it is not responsible for the event giving rise to the damage.
In compliance with the Privacy Shield Principles, Simplica commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. EU and UK individuals with Privacy Shield inquiries or complaints should first contact Simplica by email at firstname.lastname@example.org.
Simplica has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your complaint involves human resources data transferred to the United States from the EU in the context of the employment relationship, and Simplica does not address it satisfactorily, Simplica commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) and to comply with the advice given by the DPA Panel, as applicable, with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.