On July 16, 2020, the European Court of Justice invalidated Privacy Shield as a Transfer Mechanism for data between EU and US companies. Acxiom intends to utilize the alternate transfer mechanism of Standard Contractual Clauses going forward for data transfers. Even though Privacy Shield was invalidated, Acxiom will continue to honor its commitments with respect to EU personal data transferred pursuant to Privacy Shield before July 16, 2020.
Acxiom LLC (referred to herein as “Acxiom,” “we,” “us,” or “our” as applicable), has created this Privacy Shield Privacy Notice to help you understand how we are subject to and comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. These frameworks are established by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (“EU”), the United Kingdom (“UK”), and Switzerland to the United States. Acxiom has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
Acxiom is committed to educating individuals, our clients, and employees in the United States and in the EU, the UK, and Switzerland about the issues, guidelines and laws surrounding compliance with Privacy Shield. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/list.
We provide customized computer services designed to help companies manage their customer information more effectively, increase marketing profitability and reduce the operational costs of processing customer transactions.
The type of Personal Data transferred to Acxiom from the EU, the UK and Switzerland pursuant to Privacy Shield consists of Personal Data from clients in the EU, the UK and Switzerland that Acxiom processes on behalf of its clients, such as end-user name, address, email and transaction information. Since the requirements for compliance with Privacy Shield vary depending on whether we are acting as a Processor on behalf of our clients or as a Controller, our policies and manner of compliance are described separately below.
The practices we employ under the EU-U.S. Privacy Shield, as outlined also apply to data transferred from Switzerland to the United States in compliance with the Swiss-US Privacy Shield Framework. Acxiom will adhere to the Privacy Shield Principles with respect to data transferred pursuant to the Privacy Shield Principles for as long as it retains such data.
Purposes of Data Processing
Acxiom acts as a data processor with respect to Personal Data we receive from our clients and process such information only under the instruction of our clients and are controlled by our clients in the EU, the UK and/or Switzerland. In this capacity, we do not own or control any of the information we process on behalf of our clients. All such information is owned and controlled by our clients. In this capacity, we receive information transferred from the EU, the UK and Switzerland to the United States merely as a Processor on behalf of our clients.
Before starting any processing on behalf of our clients, we enter into a processing contract with the Controller that ensures the Controller is in compliance with the General Data Protection Regulations (“GDPR”) or Member State Data Protection law that may apply. The processing contract will also specify that the processing will be carried out with appropriate data security measures. We have measures in place designed to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction.
Any data processed by us will not be further disclosed to third parties except where permitted or required by the processing contract, Privacy Shield, GDPR, or the applicable Member State Data Protection law. Any information our client (acting as the Controller) identifies as sensitive, will be treated accordingly.
When Acxiom provides business and consumer information products, we act as a Controller of the Personal Data contained in the information products. As a Controller, we share Personal Data with third parties that fall into various categories: clients, vendors and partners. Our clients include financial, retail, insurance, and automotive companies (for a complete list of the categories our clients fall into, click here). Our vendors include data suppliers and service providers. We also share Personal Data with partners such as other data resellers for marketing purposes. When we act as a Controller of Personal Data, the policies outlined apply to all Personal Data that has been transferred from the EU, the UK or Switzerland to the United States.
Acxiom and its affiliates located in the EU, the UK or Switzerland, develop and maintain Personal Data on data subjects, households, and businesses located throughout EU Member States, the UK or Switzerland. This information is obtained from public records, publicly available information, information acquired through information providers, and information collected directly from data subjects.
This information is provided to qualified businesses for marketing, customer data integration, and connectivity purposes. This information may also be used to provide information services, enhance the understanding a company has about its customers, aid in accurate integration of a company’s customer information, and be used as lists for direct marketing purposes.
We may be required to disclose Personal Data in response to lawful requests by public authorities, including requests to meet national security or law enforcement requirements. Prior to the transfer of Personal Data from the EU, the UK or Switzerland to the United States, we require contractual confirmation from the Controller from whom we acquired the information that the Personal Data has been provided to us in accordance with GDPR, Privacy Shield, or the applicable EU Member State Data Protection law, thereby ensuring the data subjects have been provided with proper notice regarding how their Personal Data will be used. In addition, when Personal Data is collected directly from data subjects, we provide the data subject with notice regarding the manner and circumstances in which the Personal Data will be used and transferred to third parties.
We provide choices and means for individuals to limit the use of their Personal Data. In addition to providing individuals with choices regarding our use of their information, we will remove an individual’s name and related information from our direct marketing information products if they request it. Consumers may request an opt-out form by writing Acxiom at the address below, leaving a message on our Consumer Advocate Hotline at 877-774–2094, or sending an e-mail to us at email@example.com.
To request an opt-out form by mail, write to:
EU-US Privacy Shield Opt-Out
P.O. Box 2000
Conway, Arkansas, USA 72033-9928
Since we share Personal Data with third parties as referenced above, we comply with the notice and choice principles as described above for all data disclosed or transferred to a third party. We take reasonable and appropriate steps designed to ensure that the third party effectively processes the Personal Data transferred in a manner consistent with our obligations under the Principles.
When we use data processors to perform processing tasks on our behalf and at our direction and instruction, we require our data processors either:
- Subscribe to the Privacy Shield (in the case of US-based processors), comply with the General Data Protection Regulations (in the case of EU, UK or Switzerland -based processors), or another adequacy finding (in the case of processors in countries outside the US, EU, UK, or Switzerland); or
- Enter into a written agreement with us requiring the data processor(s) to process the data only for limited and specified purposes and to provide the same level of protection as Acxiom
In cases of onward transfer to third parties, we may be liable for the acts of the third party that are in violation of the Privacy Shield Principles.
We have an information security policy in place designed to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Our Chief Information Security Officer is primarily responsible for conducting investigations into any alleged computer or network breaches, incidents or problems and ensuring that proper disciplinary action is taken against those who violate our Information Security Policy.
We take reasonable steps designed to ensure the information transferred from the EU, the UK or Switzerland to the United States is reliable, accurate, and complete. The steps we take to assure data integrity are based on the purposes for which the Personal Data is used.
An individual may request access to the Personal Data processed pursuant to the Privacy Shield we maintain in our information products. Individuals have the right to learn whether data about him or her is found in our information products and to correct, amend or delete that information when it is inaccurate. This right applies only to Personal Data about the individual making the request and is subject to other limitations as defined by law. Individuals can request access by completing a request located at https://isapps.acxiom.com/optout/optout.aspx, by writing or calling the Acxiom Consumer Advocate as described below, or by sending an email request to firstname.lastname@example.org.
P.O. Box 2000
Conway, Arkansas USA 72033-9928
Consumer Advocate Hotline: 877-774-2094
Acxiom’s Consumer Advocate will explain the process for making an access request. In order to confirm the identity of the individual and the necessary information to retrieve the individual’s information, Acxiom’s Consumer Advocate will provide a form for the individual to fill out, sign, and return to Acxiom.
We agree to process all reasonable requests for access within a reasonable time period but reserve the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual’s privacy or when the request is manifestly unfounded or excessive.
Recourse, Enforcement and Liability
We have Annual Security Awareness and Global Data Ethics Training and Certification requirements for each of our employees. This training includes our Privacy Shield compliance program implementation. Our employee policies contain clear statements that training and annual refresher courses in our privacy practices, including our participation in the Privacy Shield Frameworks, are required and failure to complete such training and annual refresher courses may result in discipline up to and including termination. Part of this program includes a certification log which provides an objective review of employee compliance with our Privacy Shield certification training.
Individuals who wish to make inquiries, file a complaint, or who take issue with our Privacy Shield practices or policies as described herein should contact Acxiom’s Consumer Advocate at 877-774-2094 or email@example.com.
Acxiom’s Consumer Advocate will explain the process to be followed when filing a complaint.
We are a participant in the Association of National Advertiser’s Privacy Shield dispute resolution programs. If a consumer cannot resolve a complaint after contacting Acxiom’s Consumer Advocate, they may pursue recourse with the ANA, free of charge:
Association of National Advertisers
Attn: Privacy Shield Program
225 Reinekers Lane, Suite 325
Alexandria, VA 22314
Under certain conditions, an individual may invoke binding arbitration to resolve residual claims. We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. In addition, we agree to cooperate with local EU Data Protection Authorities or the Swiss Federal Data Protection and Information Commissioner to resolve a dispute concerning an alleged breach of the Privacy Shield Principles.
Effective: March 15, 2022. Click here for previous version.