etherFAX GDPR Privacy Notice
The Board of Directors and executive management of etherFAX, LLC. located at 101 Crawfords Corner RD., Holmdel, NJ 07733, which is in the business of facilitating the transfer of documents amongst and between other business and organizations, are committed to preserving the confidentiality and integrity of electronic information assets in compliance withthe European Union’s General Data Protection Regulation (GDPR) while in its custodial care. This Notice explains how GDPR affects you as a user, defines key terms, and answers questions regarding who is covered by GDPR, what GDPR requires, and how etherFAX operates within those requirements.
etherFAX’s Commitment to Data Protection
etherFAX is committed to fulfilling its responsibilities in relation to the collection, retention, use, and communication of personal data within the scope of the customer data definitions as defined by General Data Protection Regulation. In scope personal data will be processed only for lawful and appropriate purposes. etherFAX has implemented measures designed specifically to ensure the security of personal data and to prevent unauthorized or accidental access, erasure, or other misuse of personal data. etherFAX will also enable the exercising of data subject rights in an effective and transparent manner.
|The European Union’s (EU) General Data Protection Regulation (EU 2016/679)|
|A legal entity (excluding etherFAX or its affiliates) that has contracted with etherFAX to provide Services|
Customer Data Subject
|An identified or identifiable individual authorized by an etherFAX Customer to use the Services or to interact with etherFAX on behalf of the etherFAX Customer|
|An entity that determines the purposes and means of the Processing of Personal Data|
|Any information relating to an identified or identifiable natural person|
|Any operation(s) performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction|
|The products and services provided by etherFAX under a contractual agreement between etherFAX and the etherFAX Customer|
Special Categories of Personal Data
|Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Processing of Personal Data relating to criminal convictions and offenses may also have additional safeguards under Member State law.|
|Communicating Parties are an etherFAX Customer and at least an originator or recipient who establish communication through the Services, any of which may be a Customer Data Subject|
This GDPR Privacy Notice applies when:
- A Customer Data Subject instantiates Personal Data through the use of etherFAX’s Services within the European Union (EU) or the European Economic Area (EEA) in connection to an etherFAX Customer
- etherFAX otherwise Processes Personal Data of a Customer Data Subject who is in an EU or EEA country in connection to an etherFAX Customer
- Services provided by etherFAX are within the scope of GDPR
- etherFAX functions as a Data Controller when Processing the Personal Data of a Customer Data Subject.
Categories of Customer Data Subjects Personal Data Processed
etherFAX generally Processes the following categories of data, which may include Personal Data of Customer Data Subjects:
- Contact Information: General contact information for administration purposes, which may include, but not limited to name, address, phone number, and email address
- Device Identification Information: Attributes that identifies a device from which (or to which) electronic communications are sent (or received); may include, but not limited to a network identifier (Internet Protocol IP address, phone number, etc.), serial number, capabilities, etc.
- Electronic Communications Metadata: Data processed in an electronic communications network for the purposes of transmitting, distributing, or exchanging electronic communications content (but not including electronic communications content); includes data used to trace and identify the source and destination of a communication, the date, time, duration, and type of communication.
- Authentication Data: Username, password, authorization tokens, and similar data to authenticate users or devices in connection with use of the Services or access to information related to the Services.
- Document Content Information: Document Content Information is the information contain within a document that is being transferred between all communicating parties
Reasons etherFAX Process’s Customer Data Subjects Personal Data
etherFAX Processes Personal Data when a Customer Data Subject uses the Services or when an etherFAX Customer provides the Personal Data to etherFAX. During etherFAX Customer provisioning, etherFAX will generally Process Personal Data of Customer Data Subjects for the purposes of:
- Providing the Services to the etherFAX customer
- Performing the obligations and exercising the rights with respect to the Services
- Complying with legal obligations
- Evaluating, supporting, and enhancing the performance, efficiency, and security of the Services.
etherFAX Processes Personal Data of Customer Data Subjects only pursuant to appropriate lawful bases for Processing as necessary for:
- Performing Services to which the Customer Data Subject is a party;
- Complying with a legal obligation(s) to which etherFAX is subject; and/or
- Legitimate interests pursued by etherFAX, such as performing its contract obligations to, or exercising its legal or contract rights with the etherFAX Customer, or for improving services and network operations.
In limited circumstances, etherFAX may Process Personal Data as necessary for:
- Protecting the vital interests of the Customer Data Subject or another natural person; and/or
- Performing a task carried out in the public interest.
Customer Data Subjects acknowledge that the Document Content Information being transfer through the Services is under the sole discretion and control of the Communicating Parties. etherFAX acknowledge that the Document Content Information may contain “Special Categories” of Personal Data. etherFAX does not Process Customer Data Subject’s Document Content Information, whether it contains “Special Categories” of Personal Data or not, for any business purpose other than to facilitate the transfer of the Document Content Information between the Communicating Parties, unless specifically authorized by law, for example where the Customer Data Subject has given explicit consent; as necessary for carrying out obligations and exercising specific rights in the field of employment, social security, or social protection law; if compelled to do so by a court of law or lawfully requested to do so by a relevant governmental authority; and/or as necessary for the establishment, exercise, or defense of legal claims.
Access to Customer Data Subjects Personal Data
Personal Data about Customer Data Subjects will be disclosed, to the extent required for Service delivery, to appropriate and authorized recipients. Recipients may include: etherFAX personnel; third party service providers and subcontractors performing services for etherFAX in the delivery of the Services. Personal Data may also be provided to the etherFAX Customer and their agents.
etherFAX may disclose Personal Data if compelled to do so by a court of law or lawfully requested to do so by a relevant governmental authority using the appropriate means of request. etherFAX may disclose Personal Data if etherFAX determines it is necessary or appropriate to comply with the law or to protect or defend etherFAX’s rights, property or employees.
Location Where Customer Data Subjects Personal Data is Processed
etherFAX business activities are centralized within the United States of America. This centralization may result in the transfer of Personal Data to countries outside of the EEA. For example, a Customer Data Subject’s may be transferring information with an etherFAX Customer within the United States. A Customer Data Subject may request to review the safeguards etherFAX uses for cross border transfers.
etherFAX may additionally rely on other approved mechanisms for export of Personal Data from the EEA, such as a determination by the European Commission that the recipient country offers adequate protection of Personal Data or pursuant to established derogations for specific situations. Wherever Personal Data is Processed, etherFAX uses appropriate security measures consistent with GDPR requirements.
Deletion of Customer Data Subjects Personal Data
First and foremost, etherFAX maintains a zero data retention policy for all Document Content Information communicated through the Services, whether it belongs to a Customer Data Subject or not. Upon completion of a transfer of the Document Content Information between the Communicating Parties, etherFAX purges the Document Content Information from its system. Certain Personal Data will be retained as needed for business administration, tax, or legal purposes and as consistent with applicable law, including GDPR, such as Electronic Communications Metadata and Device Identification Information. While Personal Data is retained, etherFAX implements appropriate technical and organizational measures designed to make the Personal Data collected secure. Such measures include:
- Maintaining and protecting the security of computer storage and network equipment and using security procedures that require usernames and passwords to access sensitive data;
- Applying encryption, deidentification, or other appropriate security controls to protect Personal Data when stored or transmitted; and
- Limiting access to Personal Data to only those with jobs requiring such access.
Customer Data Subject Rights regarding Processing of Personal Data
GDPR grants the Customer Data Subject certain rights regarding Processing of Personal Data. etherFAX is committed to honoring these rights and has established effective and transparent policies and procedures to do so. A Customer Data Subject’s rights with respect to his or her own Personal Data include:
- Right to Notice. This Notice detailing how Personal Data is Processed.
- Right of Access. Customer Data Subject’s may obtain confirmation of whether Personal Data is being Processed and, if it is, request the Personal Data and additional information about the Processing of that data.
- Right to Rectification. Customer Data Subjects may have inaccurate Personal Data corrected and have incomplete Personal Data made complete.
- Right to Erasure. Customer Data Subjects may have Personal Data erased, in certain circumstances.
- Right to Restriction of Processing. Customer Data Subjects may have additional Processing of Personal Data temporarily prohibited while the accuracy or Processing of Personal Data is contested.
- Right to Data Portability. Customer Data Subjects may be able to receive Personal Data for the purpose of providing that Personal Data to another Controller.
- Right to Object. A Customer Data Subject may object to Processing of Personal Data at any time and on grounds relating to his or her particular situation.
- Right to Information Regarding Automated Individual Decision-Making. etherFAX Processing of Personal Data generally does not include automated decision-making that produces legal effects concerning the Customer Data Subject or similarly significantly affects the Customer Data Subject. In the event etherFAX implements such automated decision making, etherFAX will provide meaningful information about the logic involved and the significance and the envisaged consequences of such Processing for the Customer Data Subject.
Whether and how a right applies will depend upon the lawful basis pursuant to which the data is Processed, the nature of the Personal Data, and etherFAX’s ability to determine that it holds Personal Data of interest. As the Personal Data is processed as part of etherFAX’s contract obligations to the etherFAX Customer, for authentication purposes etherFAX will coordinate responses to requests of Customer Data Subjects with the etherFAX Customer. etherFAX therefore recommends the Customer Data Subject directly contact the etherFAX Customer to initiate a rights request. etherFAX will work with the etherFAX Customer to determine the appropriate response to a request. Provision of Personal Data in response to a Customer Data Subject’s request shall not adversely affect the rights and freedoms of others.
A Customer Data Subject may choose to file a complaint with the relevant data protection regulator. Questions on this Notice may be sent to etherFAX’s Data Protection Officer at firstname.lastname@example.org. Please include “customer data subject question” in the email’s subject line.