Lifeline Children’s Services Privacy Shield Policy

Effective: January 28, 2019

Lifeline Children’s Services (“we”, “us” or “Lifeline”) has certified to the EU-U.S. Privacy Shield frameworks (“Frameworks”) as set forth by the U.S. Department of Commerce regarding the processing of personal data transferred by Lifeline customers and end users from the European Union (“EU”) to Lifeline in the U.S. (“Personal Data”). (For these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein and Norway). Lifeline has certified that it adheres to the Privacy Shield Principles, which include the Supplemental Principles (collectively, “Privacy Shield Principles”), with respect to Personal Data. If there is any conflict between the policies in this Privacy Shield Policy (“Policy”) and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Frameworks and to view our certification page, please visit https://www.privacyshield.gov.

When Lifeline receives Personal Data from enterprise customers in the EU and processes that Personal Data on the customer’s behalf, Lifeline acts as a processor (“Processor”). When Lifeline collects and uses Personal Data on its own behalf or otherwise makes independent decisions about how the Personal Data will be used, Lifeline acts as a controller (“Controller”). This Policy explains how Lifeline complies with the Privacy Shield Principles as a processor and as a controller.

Types of Personal Data Collected

Personal Data we may collect includes demographic, employment, financial, and health of individuals applying for services through Lifeline Children’s Services. We may collect the following categories of sensitive Personal Data including but not limited to: race, religion, social status medical history, or criminal history. When we collect sensitive Personal Data we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your sensitive Personal Data to third parties, or before we use your sensitive Personal Data for a different purpose than we collected it for or than you later authorized.  Certain exceptions to our obligation to obtain affirmative opt-in consent to process sensitive personal data are where the processing is: (i) in the vital interests of the individual or another person; (ii) necessary for the establishment of legal claims or defenses; (iii) required to provide medical care or diagnosis; (iv) carried out in the course of legitimate activities by certain foundations, associations, or other non-profit bodies; (v) necessary to carry out employment law-related obligations; (vi) related to data made public by the individual.

We may also collect information about use of our Website and Services by visitors and registered users (“Usage Information”), including through cookies and other technologies. Such information may include IP address or any other unique device identifier of the device used to access our Website or Services; the date and time of visits; the pages viewed; links to/from any page; time spent at our Website or Services. We treat this information as Personal Data if it relates to an identified or identifiable individual and is transferred to us by a Lifeline customer or end user in the EU.

Purposes of Data Collection

When we act as a Processor on behalf of an applicant, we process the Personal Data we receive from that customer for the purposes set forth in the applicable adoption contract.

When we act as a Controller, we use Personal Data for the purpose of evaluating the mental, physical, financial, and spiritual readiness for adoption and/or foster care.

Notice and Choice

When we act as a Controller, we provide notice through this Policy of the Personal Data collected and transferred under the Privacy Shield, including its use, and handling, and how you may exercise your Privacy Shield rights. If we intend to (i) disclose your Personal Data to third parties, except to a third party that is acting as an agent to perform tasks on our behalf and under our instructions, or as you have authorized; or (ii) use your Personal Data for a purpose that is materially different from the purpose for which it was originally collected or that you authorized, we will notify you and give you an opportunity to opt out of such disclosures and/or uses where they involve non-sensitive Personal Data or opt in where sensitive Personal Data is concerned.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents or integrated services the account holder has opted to use, or before we use it for a purpose other than which it was originally collected or subsequently authorized.  To request to limit the use and disclosure of your personal information, please submit a written request to privacy@lifelinechild.org.

Accountability for Onward Transfers

When we act as a Processor on behalf of an applicant, we will only disclose the Personal Data supplied by that customer to third parties where permitted or required by the customer, and then in accordance with the Privacy Shield Principles.

When we act as a Controller, we may disclose Personal Data to appropriate government agencies, third-party contractors, service providers and other businesses involved in the normal operations of our business. These parties may access, process or store Personal Data in the course of performing their duties to us.

In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements and applicable law, rule, order, or regulation.

Lifeline’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Lifeline remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Lifeline proves that it is not responsible for the event giving rise to the damage.

Security

We maintain reasonable and appropriate security measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration or destruction, taking into account the nature of the Personal Data and the risks inherent in processing that Personal Data.

Data Integrity and Purpose Limitation

We will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete and current for as long as long as we retain it. We will not use the Personal Data for a purpose that is incompatible with the purposes for which it has been collected or subsequently authorized by you. We will also retain Personal Data about you in a form identifying or making you identifiable only for as long as it serves a purpose of the data processing.

Access

You have certain rights to access, correct, amend, or delete Personal Data where it is inaccurate, or has been processed in violation of the Privacy Shield Principles. Please address your requests to the following email address: privacy@lifelinechild.org. We will make good faith efforts to accommodate these requests within a reasonable time frame.

When we are acting as a Processor on behalf of an applicant, we will assist the customer in responding to individuals exercising their rights under the Privacy Shield Principles.

Recourse, Enforcement, Liability

In compliance with the Privacy Shield Principles, Lifeline commits to resolve complaints about our processing your Personal Data. Individuals in the EU with inquiries or complaints regarding this Policy should first contact Lifeline at: privacy@lifelinechild.org or by mail at: Lifeline Children’s Services, 100 Missionary Ridge, Birmingham, Alabama 35242.

Lifeline has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

We are subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to Personal Data received or transferred pursuant to the Frameworks.

Changes to the Policy

We reserve the right to amend this Policy from time to time consistent with the Privacy Shield’s requirements.