Evolver LLC EU-U.S. Data Privacy Framework
Introduction
Evolver LLC, (“Evolver,” “we,” “us,” or “our”) receives and processes information (in paper and electronic form) in accordance with its clients’ instructions for the purpose of providing legal data support services, including legal review, repository holding, data management and forensics. Evolver provides services from forensic collection, to managed hosting and document review. Examples of personal data that may be collected include: full name, address, telephone or mobile number, business and home contact details including e-mail addresses and telephone numbers, health information, medication adherence information, video information including images of a user’s face, audio information, and demographic information. Personal data may further include any information that identifies an individual, but does not include information that has been encoded, encrypted, or otherwise anonymized. This data shared only with the clients’ outside counsel and the client for their review and preparation in response to U.S. litigation. At Evolver, we recognize the importance of privacy to our clients and we strive to safeguard all personal information we may receive and may need to use in support of our clients.
Evolver adheres to the set of data protection principles developed in consultation by the United States Department of Commerce (DOC), in collaboration with the European Commission, producing the EU-U.S. Data Privacy Framework Documents.
Evolver LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Evolver has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Evolver has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
The Federal Trade Commission has jurisdiction and enforcement authority over Evolver’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
SCOPE
This Policy applies to all personal information received by Evolver from the EU, the UK, Gibraltar and Switzerland. In most cases, the data we receive will be in electronic form and relates to our clients and their business activities. It may include personal information about our clients’ employees, business contacts, customers and any other individuals with whom our clients have
dealings. When we receive and process personal information provided to us by our clients, we do so as “data processors” acting on the instructions of our clients and/or the court system. Evolver does not actively collect personal information from individuals in the EU and Swiss. Evolver’s possession and use of personal information is incidental to our primary task of providing electronic discovery services to our clients.
DEFINITIONS
1. Collectively, “Information” means “Personal Information” that (1) is transferred from the EU, the UK, Gibraltar, and Switzerland to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual; and/or “Sensitive Personal Information” that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, or that concerns an individual’s health.
2. “Agent” is any third party that collects, uses, or stores Information at Evolver’s direction in support of Evolver engagements.
DATA PRIVACY FRAMEWORK PRINCIPLES
Evolver affirms its participation in the EU-US and Swiss-US Data Privacy Frameworks as well as the UK extension. The practices to which Evolver is committed are based on the DPF Principles negotiated between their respective government agencies and the United States Department of Commerce. Adherence by Evolver to these Principles provides the necessary level of protection required by the EU, the UK and Swiss Directives for the transfer of personal information outside the EU, the UK and Switzerland. Evolver’s execution of these principles may be limited in certain circumstances, in particular:
(a) where there is a conflicting or overriding legal obligation;
(b) to the extent expressly permitted by any applicable law, rule or regulation; or
(c) where Evolver receives personal information as a “data processor” acting on the
instructions of a client. As Evolver will be receiving personal information from the EU merely for processing, its principle obligations are limited to onward transfer, security, access, and enforcement. Evolver’s client remains responsible for notice, choice, and data integrity.
Evolver affirms its participation in the EU-US and Swiss-US Data Privacy Frameworks as well as the UK extension. Adherence by Evolver to these Principles provides the necessary level of protection required by the EU, the UK and Swiss Directives for the transfer of personal information outside the EU, the UK, Gibraltar, and Switzerland. Evolver’s execution of these principles may be limited in certain circumstances, in particular:
(a) where there is a conflicting or overriding legal obligation;
(b) to the extent expressly permitted by any applicable law, rule or regulation; or
(c) where Evolver receives personal information as a “data processor” acting on the
instructions of a client. As Evolver will be receiving personal information from the EU, UK, Gibraltar and/or Switzerland merely for processing, its principle obligations are limited to onward transfer, security, access, and enforcement. Evolver’s client remains responsible for notice, choice, and data integrity.
NOTICE: Evolver receives data to be processed and/or stored, the contents of which may, or may not be identifiable Information. Should Evolver be engaged to collect Information from individuals in the EU, the UK, Gibraltar and/or Switzerland, it will inform individuals of the purposes for which it collects and uses their Information, the types of third parties (if any) to which Evolver may disclose that Information, and the choices and means, if any, that Evolver offers individuals for limiting the use and disclosure of their Information. Notice will be provided in clear language when individuals are first asked to provide Information to Evolver, or as soon as practicable thereafter, and in any event before Evolver uses such Information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.
CHOICE: Given that Evolver’s services are directed by our clients and frequently by legal proceedings, choice may be limited. Where Evolver is the collector of Information and Choice is permissible, it will offer individuals the opportunity to choose (opt-out or opt-in) whether their Information is:
(a) to be disclosed to a third party (unless that disclosure is allowed or required by contract), or
(b) to be used for a purpose that is not consistent with the purpose for which that
Information was originally collected, or subsequently authorized by the individual.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to [email protected]
ONWARD TRANSFERS: In the event Evolver must transfer Information to a document review company, Evolver will obtain assurances from its Agents, prior to such transfer, that they will safeguard the Information in a manner consistent with this Policy. The document review company is engaged by the client, not Evolver. The client shall give written approval to Evolver to allow the document review company selective access based on litigation review requirements. Every Agent utilized enters into a contractual relationship with Evolver, which includes confidentiality and non-disclosure clauses, and provides the same level of commitment to and protections, as required by the DPF Principles.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Evolver’s accountability for personal data that it receives in the United States under the DPF and subsequently transfers to a third party acting as its agent is described in the DPF Principles. In particular, Evolver remains responsible and liable under the DPF Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Evolver proves that it is not responsible for the event giving rise to the damage.
SECURITY: Evolver takes reasonable precautions to protect Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. Evolver utilizes a Tier III, ISO 27001:2005 certified data facility which employs an array of security equipment, techniques and procedures to control, monitor and record access to the facility, including individual cages.
DATA INTEGRITY: Evolver will use Information only in ways that are relevant and compatible with the purpose for which that information was collected or provided to Evolver. Evolver will take reasonable steps to ensure that all data collected, processed and/or stored is protected from destruction, corruption, or use in a manner inconsistent with the purpose for which it received the information.
ACCESS: Pursuant to the DPF Principles, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also may correct or amend the personal information we hold about you. You also demand the erasure of data that has been handled in violation of the DPF Principles. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under DPF, should direct their query to [email protected]. If requested to remove data, we will respond within a reasonable timeframe.
ENFORCEMENT: Evolver will conduct compliance audits at least annually of its relevant privacy practices to verify adherence to this Policy and will self-certify with the U.S. Department of Commerce. Further, Evolver will conduct follow up investigations to verify that attestations and assertions regarding practices are true. Evolver maintains an Ethics hotline ([email protected]) to which violations and/or complaints may be made and Evolver engages in training to support implementation and compliance. Any employee that Evolver determines is in violation of this Policy will be subject to disciplinary action.
DISPUTE RESOLUTION AND RECOURSE FOR PRIVACY COMPLAINTS: In compliance with the DPF Principles, Evolver commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union and Swiss individuals with DPF inquiries or complaints should first contact Evolver by email at [email protected] via post at:
Evolver LLC
Ethics and Compliance Officer
11800 Sunrise Valley, Suite 900
Reston, VA 20191
Evolver has further committed to refer unresolved privacy complaints under the EU-US Data Privacy Framework Principles (DPF) to an independent dispute resolution mechanism, the BBB NP Data Privacy Framework Services (formerly BBB EU-US Privacy Shield). If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction
CONTACT INFORMATION
Please refer all questions or comments regarding this Policy to:
Evolver LLC
Ethics and Compliance Officer
11800 Sunrise Valley Drive, Suite 900
Reston, VA 20191
(703) 742-4090
(888) 742-4090
(703) 889-9255 – Hotline [email protected]
This EU-US Data Privacy Framework policy is available at www.evolverinc.com/data-privacy-framework
CHANGES TO THIS EU-US Data Privacy Frameworks
This Policy may be amended from time to time to remain consistent with the requirements of the EU-US Data Privacy Frameworks Principles.
The effective date of this EU-US Data Privacy Frameworks is: July 2024