EU Safe Harbor
Acxiom pledges to conduct its business according to the EU Safe Harbor Principles and the frequently asked questions (FAQs) issued by the U.S. Department of Commerce on July 21, 2000.
Personal information that is transferred to Acxiom in the United States from the European Union (EU) falls under one of the following two situations:
Processor on Behalf
Acxiom provides customized computer services designed to help companies manage their customer information more effectively, increase profitability of their marketing and reduce the operational costs of processing customer transactions. In this capacity, Acxiom does not own or control any of the information it processes on behalf of Acxiom’s clients. All such information is owned and controlled by Acxiom’s clients. In this capacity Acxiom receives information transferred from the EU to the United States merely as a processor on behalf of our clients.
Acxiom also provides business and consumer information products designed to help companies market more successfully, integrate and improve the accuracy of their customer information and reduce the operational costs of processing customer data. In this function, Acxiom acts as a data controller of the personal information contained in these information products. To the extent required by local law, Acxiom subsidiaries located in the member states act as the data controller with respect to personal data collected, processed and stored.
Acxiom has appointed a corporate leader of fair information practices who is responsible for the internal supervision of Acxiom’s privacy policies. Acxiom has also appointed a corporate leader for data security. Acxiom is committed to educating its customers and associates (employees) in the United States and in the EU about the issues, guidelines and laws surrounding compliance with EU Safe Harbor.
The corporate leader for fair information practices and Acxiom’s internal legal team is available to any associate who has questions concerning Acxiom’s EU Safe Harbor Policy or data security practices.
Since the requirements for compliance with EU Safe Harbor vary depending on whether Acxiom is acting as a processor on behalf of Acxiom’s clients or as a data controller, Acxiom’s policies and manner of compliance are described separately below.
(1) Acxiom as a Processor on Behalf of Clients
When Acxiom acts as a processor on behalf of its clients, the policies outlined below apply to all data processing operations concerning personal information that has been transferred from the EU to the United States.
Before starting any processing on behalf of Acxiom’s clients, Acxiom will enter into a processing contract with the EU data controller responsible for the personal information pursuant to the applicable EU Member State Data Protection law.
The processing contract ensures that the EU data controller will be in compliance with the Member State Data Protection law.
Any data processed by Acxiom will not be further disclosed to third parties except where permitted or required by the processing contract, EU Safe Harbor or the applicable Member State Data Protection law. Any information Acxiom’s client (acting as the EU controller) identifies as sensitive will be treated accordingly.
The processing contract will also specify that the processing will be carried out with appropriate data security measures. Acxiom has in place measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
As a processor on behalf of Acxiom’s clients (who is the EU controller), Acxiom is not required to apply other EU Safe Harbor Principles to the personal information received for processing from a customer.
(2) Acxiom as a Data Controller
When Acxiom acts as a data controller of personal information, the policies outlined below apply to all personal information that has been transferred from the EU to the United States.
Acxiom, in association with its subsidiaries located in the EU, develop and maintain databases containing personal information on data subjects, households and businesses located throughout EU Member States. These databases are developed from public records, publicly available information, information acquired through information providers and information collected directly from data subjects.
Acxiom’s databases contain information that is provided to qualified businesses for marketing and customer data integration purposes. The information contained in these databases may also be used to provide information services, to enhance the understanding a company has about its customers, to aid in accurate integration of a company’s customer information, and be used as lists for direct marketing purposes.
As a data controller, Acxiom is required to comply with all principles of the EU Safe Harbor.
Prior to the transfer of any non-public personal information from the EU to the United States, Acxiom requires contractual confirmation from the EU controller from whom Acxiom acquired the information that the personal data has been provided to Acxiom in accordance with the applicable EU Member State Data Protection law, thereby ensuring the data subjects have been provided with proper notice regarding how their personal data will be used. In addition, when personal data is collected directly from data subjects, Acxiom provides the data subject with notice regarding the manner and circumstances in which the personal data will be used and transferred to third parties.
Prior to the transfer of any non-public personal information from the EU to the United States, Acxiom requires contractual confirmation from the EU controller from whom Acxiom acquired the information that the personal data has been collected in accordance with applicable EU member State Data Protection law, thereby ensuring the data subjects have been provided with the proper choice regarding how their personal data may be used. In addition, when personal data is collected directly from the data subjects, Acxiom provides the data subject with a choice regarding the manner and circumstances in which their personal data may be used and shared with third parties.
In addition to choice regarding the use of information, Acxiom will remove an individual’s name and related information from its direct marketing information products.
Consumers may request an opt-out form by writing Acxiom at the address below, leaving a message on our Consumer Advocate Hotline at 501-342-2722 (toll free 1-877-774-2094) or sending an e-mail to us at email@example.com.
To request an opt-out form by mail, write to:
EU Safe Harbor Opt-Out at Acxiom
P.O. Box 2000
Conway, Arkansas, USA 72033-9928
Acxiom takes reasonable steps to ensure the information transferred from the EU to the United States is reliable, accurate and complete. The steps Acxiom takes to assure data integrity are based on the purposes for which the personal information is used.
Acxiom complies with the notice and choice principles as described above for all data disclosed or transferred to a third party.
However, when Acxiom uses data processors to perform processing tasks on behalf and under the instruction of Acxiom, Acxiom requires that its data processors either:
- Subscribe to the EU Safe Harbor Principles, the EU Data Protection Directive or another adequacy finding; or
- Enter into a written agreement with Acxiom requiring them to provide the same level of protection as Acxiom provides.
Acxiom has in place an information security policy to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction. Acxiom’s security officer is responsible for conducting investigations into any alleged computer or network breaches, incidents or problems and ensuring the proper disciplinary action is taken against those who violate Acxiom’s information security policy.
Any security compromises or potential security compromises and any inquiries concerning security should be reported to the Acxiom consumer advocate. Contact information is provided below.
An individual may request access to the information Acxiom maintains in its information products. The individual has the right to learn whether or not data about him or her is found in Acxiom’s information products and to correct, amend or delete that information when it is inaccurate. This right applies only to personal information about the individual making the request and is subject to other limitations as defined by law.
Individuals can request access by writing or calling:
P.O. Box 2000
Conway, Arkansas USA 72033-9928
Consumer Advocate Hotline: 501-342-2722 (toll free 1-877-774-2094)
Acxiom’s consumer advocate will explain the process for making an access request. In order to confirm the identity of the individual and have the necessary information to retrieve the individual’s information, Acxiom provides a form which the individual fills out, signs and mails to Acxiom. The form must be accompanied by a $10 personal check. Filing a request in English will expedite the process.
Acxiom agrees to process all reasonable requests for access within a reasonable time period, but reserves the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual’s privacy or in the case of an unwarranted or fraudulent request.
Individuals who wish to file a complaint or who take issue with Acxiom’s EU Safe Harbor policies should contact Acxiom’s consumer advocate at the above address. Acxiom’s consumer advocate will explain the process to be followed when filing a complaint. Filing a complaint in English will expedite the process.
Acxiom has registered under the Direct Marketing Association’s safe harbor complaint resolution process. If consumers can’t resolve a complaint after contacting Acxiom’s consumer advocate, they may file a written complaint with the Direct Marketing Association:
Acxiom is also subject to the jurisdiction of the U.S. Federal Trade Commission. Consumers unable to resolve a complaint through The Direct Marketing Association’s Safe Harbor Complaint process may contact the Federal Trade Commission:
Acxiom agrees to participate with local EU regulatory and legal authorities to resolve an Acxiom associate’s dispute concerning human resources data and an alleged breach of the Safe Harbor principles.
Companies who are currently registered with the U.S. Department of Commerce Safe Harbor program can be found by going to https://safeharbor.export.gov/list.aspx. More information about the program can be found at http://export.gov/safeharbor/.