Effective Date: 02/01/19
 

1. Purpose

Skyline Technologies, Inc., (“Skyline”) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. These frameworks govern the processing of Personal Data that Skyline collects and/or accesses from clients or prospective clients located in the European Economic Area (“EEA”) and Switzerland.  Skyline commits to abide by all Privacy Shield Framework Principles when handling Personal Data received from clients or prospective clients located in the EEA or Switzerland.  To learn more about the Privacy Shield Framework see Privacy Shield.  To review the list of certified firms, including Skyline, see Privacy Shield List.
 

2. Definitions

Associates – Individuals employed by Skyline (whether full-time, part-time, or limited-term).

Data Subject – An identified or identifiable natural person to whom the Personal Data relates. 

European Economic Area (EEA) – A free-trade zone composed of the states of the European Union together with Iceland, Norway, and Liechtenstein.

Personal Data – For purposes of this Policy, Personal Data means information about an identified or identifiable individual that is received by Skyline in the U.S. from the EEA or Switzerland and recorded in any form. 

Sensitive Personal Data – Personal Data that requires much stronger security and privacy controls.  This data includes Personal Data collected from a minor as well as any person’s:
 
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Sexual orientation or sex life
  • Medical or Health information
  • Genetic data
  • Biometric data (e.g., facial recognition or fingerprints logins)
 
Skyline Users – Skyline Users, which are defined as associates (whether full-time, part-time, or limited-term), independent contractors, consultants, or any other third-party agent having authorized access to, and use of Skyline’s computers, electronic communications resources, and data.
 

3. Scope

This Privacy Shield Privacy Policy (the “Policy”) sets forth the privacy principles that Skyline follows when processing Personal Data received from clients or prospective clients located in the EEA and Switzerland, while providing services.  This policy does not apply to Personal Data collected through Skyline’s recruiting process.
 

4. What Information do we Collect and How is it Used?

Skyline may handle both Skyline Controlled and Client Controlled Personal Data.
 

4.1 Skyline Controlled Personal Data

Skyline Controlled Personal Data (SCPD) is personal data collected by Skyline from clients or prospective clients.  Skyline determines the purpose and means of processing SCPD.  SCPD may be collected through email, social media, mobile applications, Skyline’s website, marketing events and activities, business calls, meetings, etc. As a general matter, Skyline collects the following types of SCPD:
 
  • Contact Information – This includes a contact person's name, work email address, work mailing address, work telephone number, title, and company name.  This information is used to conduct business.
  • Information about your Business – This includes demographic information such as industry, Skyline services that are of interest, corporate events of interest, and any other details a client or potential client may provide.
  • Automatically Collected Information – Skyline automatically collects information, such as IP addresses, when visitors access its website. Skyline may also track user activity (e.g. pages visited) and use cookies and other tracking technologies on the website. Cookies are small text files that web servers place on a visitor’s device; they are designed to store basic information and to help websites and applications recognize a browser. Cookies help Skyline track and target the interests of visitors to enhance their experience with our website. We use IP address to derive a visitor’s approximate location. We work with analytics providers such as Google Analytics, which use cookies and similar technologies to collect and analyze information about use of the Services and report on activities, trends, and demographics. Visitors can learn about Google’s practices by going to http://www.google.com/policies/privacy/partners/, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at http://tools.google.com/dlpage/gaoptout.
  • Voluntarily Provided Information – Skyline also collects information that is voluntarily submitted during meetings, via webforms, through email, Facebook, Twitter, etc. For example, Skyline’s website allows users to provide information when downloading case studies and presentations, or when signing up for Skyline’s newsletter. The visitor decides whether they provide Skyline this information.
Skyline does not generally seek to collect sensitive personal data through its website or mobile applications. Should Skyline seek to collect such data, it will ask a Data Subject to consent to the proposed uses of that data.
 

4.2 Client Controlled Personal Data

Client Controlled Personal Data (CCPD) is collected and managed by Skyline’s client, or prospective client, and then accessed, processed, stored and/or transmitted by Skyline to facilitate the delivery of Skyline services.  Skyline may be provided a copy of CCPD (e.g., a database, spreadsheet, XML file, etc.) or may be provided access to CCPD in a client’s, or prospective client’s, production or development environments to facilitate the delivery of the following Skyline services. 
 
  • Testing – Test applications and/or systems that create, read, update, delete, or analyze Personal Data to ensure that these applications and/or systems function as designed.  
  • Performance Evaluation – Test the performance of an application and/or system (e.g., page load times, simulation or optimization times, database access times, etc.) that processes and/or stores Personal Data.
  • Assessments – Analyze a given application and/or system that processes and/or stores Personal Data to ensure compliance with development, performance, security, privacy, best practices.
  • Model Construction – Construct models, based upon the analysis of data that is linked to Personal Data.  These models are then built into our software solutions (e.g., models related to data warehouses, data analytics, machine learning, image processing algorithms, etc.).
  • Data Analysis – Perform data analysis designed to generate business insights for a client.  This data is often linked to Personal Data.
  • Support – Maintain or support a production application and/or system hosted in a public cloud (e.g., Microsoft Azure (Azure), Amazon Web Services (AWS), etc.) or on-premises at a client or prospective client facility.  Duties may include debugging and/or correcting production issues or outages, improving performance, improving scalability, etc.

Skyline will process only CCPD that its clients or prospective clients have chosen to share with Skyline.  Skyline has no direct or contractual relationship with the subject of such CCPD (a Data Subject).  As a result, when a client or prospective client shares CCPD, the client or prospective client is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws.  Skyline will, however, cooperate with its clients’ and prospective clients’ reasonable requests to assist Data Subjects to exercise their rights under the Privacy Shield.
 

4.3 Children Under the Age of 13

Skyline does not conduct business with and will not knowingly collect personal information from children under the age of 13. Data Subjects under 13 should not provide to Skyline any information about themselves including their name, address, telephone number, e-mail address or any screen name or username they may use. If Skyline learns it has collected or received Personal Data for a child under the age of 13, Skyline will delete that information. If you believe Skyline might have any information from or about a child under 13, contact Skyline’s Security Office by emailing Security@SkylineTechnologies.com.
 

5. Data Subject Consent

Skyline will, at times, gather SCPD from Data Subjects in the normal course of business, through its website, marketing efforts, etc. as described above.  Prior to the direct collection of Personal Data Skyline will obtain consent from the Data Subject in a manner appropriate to the context. Most of the time, consent is implied from the circumstances. For example, if a client provides Personal Data when engaging Skyline to deliver a service, they expect that the data they provide be used in the provisioning of that service.  They would not, however, expect the data to be sold to a third party for marketing or some other purpose.

When SCPD is used in ways that are not reasonably implied from the apparent circumstances, Data Subjects will be given the ability to opt-out or opt-in as described below. 
 
  • Data Subjects have the right to opt-out of (a) disclosures of their Personal Data to third parties not identified at the time of collection or subsequently authorized, and (b) uses of the Personal Data for purposes materially different from those disclosed at the time of collection or subsequently authorized. 
  • Data Subjects have the right to opt-in to the (a) disclosure of their Sensitive Personal Data to third parties not identified at the time of collection or subsequently authorized, and (b) use of their Sensitive Personal Data for purposes materially different from those disclosed at the time of collection or subsequently authorized.

CCPD is collected by Skyline’s client, or prospective client, and then used by Skyline in the delivery of its services.  As such, it is the client’s or prospective client’s responsibility to ensure that the CCPD it collects can be legally collected in the country of origin.  The client or prospective client is also responsible for providing to the Data Subject any notices required by applicable law and for responding appropriately to the Data Subject's request to exercise his or her rights with respect to the CCPD.  In addition, the client or prospective client is responsible for ensuring that its use of Skyline’s services is consistent with any privacy policy the client or prospective client has established and any notices it has provided to Data Subjects.  Skyline will, however, cooperate with its clients’ and prospective clients’ reasonable requests to assist Data Subjects to exercise their rights under the Privacy Shield. 

Skyline is not responsible for its clients’ or prospective clients’ privacy policies or practices nor for the clients’ or prospective clients’ compliance with such policies or practices. Skyline does not review, comment upon, nor monitor its clients’ or prospective clients’ privacy policies or their compliance with such policies.  Skyline also does not review instructions or authorizations provided to Skyline to determine whether the instructions or authorizations comply with  the terms of a client’s or prospective client’s published privacy policy or with any notice provided to Data Subjects.  Clients and prospective clients are responsible for providing instructions and authorizations that comply with their policies, notices, and applicable laws.

Skyline will not access or take possession of CCPD without explicit, documented permission from the client or prospective client.  Moreover, Skyline will not disclose CCPD to non-affiliated third parties without the express permission of Skyline’s client or prospective client.
 

6. Data Subject Access to Personal Data

The right to access one’s own Personal Data is fundamental to privacy protection.  Data Subjects have the right to obtain confirmation from Skyline regarding whether it is, or is not, processing, storing and/or transmitting Personal Data relating to them. 

Data Subjects also have the right to request access to their Personal Data and receive that data in a format that will allow them to verify its accuracy and determine if it is processed in violation of the Privacy Shield Principles.  Finally, when Personal Data is inaccurate or processed in violation of the Privacy Shield Principles, Data Subjects have the right to request that their Personal Data be corrected, amended, or deleted.

Skyline will make a good faith effort to respond to and grant all access requests in a reasonable time period.  A Data Subject can contact Skyline’s Security Office by emailing Security@SkylineTechnologies.com.

When Skyline receives CCPD, it does so on its client’s or prospective client’s behalf.  To request access to, or correction, amendment or deletion of, CCPD, Data Subjects should contact the Skyline client or prospective client that collected their Personal Data.  Skyline will cooperate with its clients’ and prospective clients’ reasonable requests to assist Data Subjects to exercise their rights under the Privacy Shield. 
 

7. Security

Skyline’s Information Security Program was created in late 2013 to govern Skyline’s security and privacy efforts.  The program was approved by Skyline’s Executive Team and is managed, on a day-to-day basis, by Skyline’s Director of Security (DoS).  The director reports to and works closely with Skyline’s Chief Financial Officer who is a member of the Executive Team. 

Skyline is committed to safeguarding the SCPD and CCPD that it receives directly, or indirectly, from the EEA and Switzerland.  While Skyline cannot fully guarantee the security of Personal Data, Skyline takes reasonable and appropriate measures to protect Personal Data in Skyline’s possession from loss, misuse, unauthorized access, disclosure, alteration and destruction. 

When handling SCPD or CCPD, Skyline will provide a level of security and privacy commensurate with the sensitivity of the Personal Data being handled.  Skyline uses a combination of online and offline security technologies, procedures and organizational measures.  For example, facility security is designed to prevent unauthorized access to Skyline computers.  Electronic security measures — including, for example, network access controls, strong passwords and access logging — provide protection from hacking and other unauthorized access.  Skyline also protects Personal Data using firewalls, role-based restrictions, antivirus/antimalware software and, where appropriate, encryption technology.   

Skyline may use secure, client-owned, operational environments built in Microsoft Azure (Azure) consisting of IaaS, PaaS, and SaaS solutions along with other secure Microsoft services and tools in the delivery of Skyline services.  Azure is a world-class public cloud that is compliant with many recognized privacy and security certifications and attestations such as ISO/IEC 27001 and ISO/IEC 27002 (See Microsoft Trust Center).  Skyline policies and procedures guide the construction and use of Azure resources.

Prior to taking possession of CCPD, Skyline will conduct a risk assessment and formulate a CCPD protection plan as outlined in Skyline’s High Security Client Program Policy (contact Skyline’s Security Office by emailing Security@SkylineTechnologies.com for more details).

Skyline prefers that its client or prospective client anonymize all CCPD prior to Skyline receiving access or taking receipt.  If this is not possible, Skyline prefers that Skyline Users receive access or take receipt of CCPD using digital resources provided by our clients or prospective clients, that are compliant with all client or prospective client privacy and security policies.  If this is not possible, Skyline will process, store, and/or transmit CCPD using digital resources agreed to in the CCPD protection plan.  For example, Skyline may use a secure, client-owned Azure operational environment to facilitate the processing and/or storage of CCPD.  Users would access the environment using Skyline provided, secure laptops, and would conduct all work using only virtual digital resources located within the environment.   Skyline Users would never remove CCPD from this environment. 

Regardless of the level of sensitivity, Skyline limits SCPD and CCPD access to Skyline Users that have a specific business reason for accessing such Personal Data.  Skyline Users granted access to SCPD and CCPD are aware of their responsibilities to protect such information and are provided appropriate training and instruction.
 

8. Purpose Limitation and Data Integrity

Skyline will limit its collection of SCPD to that which is necessary to accomplish the purposes disclosed to Data Subjects, upon collection, and to compatible purposes.

Skyline is also responsible for ensuring (a) that the SCPD collected is accurate, complete, current and reliable for its intended uses; and (b) that the SCPD is retained only for as long as is necessary to accomplish the client’s or prospective client’s legitimate business purposes disclosed to the Data Subject and for compatible purposes.

Skyline’s clients and prospective clients are responsible for limiting their collection of CCPD to that which is necessary to accomplish the purposes disclosed to Data Subjects and compatible purposes. They also are responsible for providing Skyline with instructions for the processing of Personal Data consistent with such purposes.  Skyline will process Personal Data only in accordance with the client’s or prospective client’s instructions.

Skyline's clients and prospective clients also are responsible for ensuring that (a) CCPD they collect is accurate, complete, current and reliable for its intended uses; and (b) CCPD is retained only for as long as is necessary to accomplish the client’s or prospective client’s legitimate business purposes disclosed to the Data Subject and for compatible purposes. Skyline will cooperate with clients’ and prospective clients’ reasonable requests for assistance in meeting these obligations.

When delivering services, Skyline will not modify or change production CCPD.  If Skyline should need to make changes to CCPD (e.g., while testing, in the construction of a model, etc.), Skyline will only make these changes to a copy of the CCPD.  In this case, integrity is preserved as changes to the copied CCPD will not be reflected in the production CCPD.  If access to a client’s or prospective client’s production systems is required to deliver services, Skyline Users are taught, through mandatory privacy training, not to add, modify, or delete production CCPD.

Skyline will request only the minimum amount of CCPD required to perform the applicable Services and will retain such information only for as long as necessary to provide the Services or for compatible purposes, such as to provide additional Services, to comply with legal requirements, or to preserve or defend Skyline’s legal rights.
 

9. Onward Transfer

Skyline will not sell, lease, or rent any SCPD or CCPD and will not disclose Personal Data to a third party, except as stated below:

Skyline may disclose Personal Data for limited and specific purposes to independent contractors, consultants, and third-party agents who assist Skyline in providing Services to its clients and prospective clients. Before disclosing CCPD to an independent contractor, consultant, or third-party agent, Skyline will obtain permission from its client or prospective client.  Before disclosing CCPD or SCPD to an independent contractor, consultant, or third-party agent Skyline will obtain assurances from the recipient that it will: (a) use the Personal Data only to assist Skyline in providing the Services; (b) provide at least the same level of protection for Personal Data as required by this Privacy Shield Policy; and (c) notify Skyline if the recipient is no longer able to provide the required protections.  Upon notice, Skyline will act promptly to stop and remediate unauthorized processing of Personal Data by a recipient. 

Skyline will remain liable for onward transfers to its independent contractors, consultants, and third-party agents.

Skyline may also be required to disclose, and may disclose, Personal Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. To the extent permitted, Skyline will inform its relevant client or prospective client before making such disclosure and provide it with a reasonable opportunity to object to such disclosure.
 

10. Dispute Resolution

In compliance with the EU-US and Swiss-US Privacy Shield Principles, Skyline commits to resolve complaints concerning its processing of Personal Data in accordance with the Privacy Shield Principles.

Any Data Subject who has a complaint about Skyline’s processing of his/her SCPD should first contact Skyline’s Security Office by emailing Security@SkylineTechnologies.com.

Skyline has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles and Swiss-US Privacy Shield Principles to the VeraSafe Privacy Shield Dispute Resolution Procedure.  See the section below entitled, “VeraSafe Dispute Resolution,” for instructions and further details.

In addition to the above dispute resolution mechanisms, Data Subjects may invoke binding arbitration if their complaint is not resolved by Skyline, VeraSafe, or by the Department of Commerce after referral from the relevant data protection authority in the EEA or Switzerland. For more information about binding arbitration, visit https://www.privacyshield.gov.

Skyline is subject to the investigatory and enforcement powers of the Federal Trade Commission.
 

VeraSafe Dispute Resolution

Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through Skyline Technologies, Inc.’s internal processes, Skyline Technologies, Inc. has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information to VeraSafe here:  https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/.
 

11. Policy Enforcement

Skyline will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Adherence to this policy as well as other policies, procedures, and guidelines laid out in Skyline’s information security program is a condition of continued employment at Skyline. Violations of the policy may, at Skyline’s sole discretion, result in disciplinary action up to and including separation from employment.
 

12. For More Information

Data Subjects with questions about how Skyline processes SCPD should contact Skyline’s Security Office by emailing Security@SkylineTechnologies.com.

Data Subjects with questions about how Skyline’s clients or prospective clients process CCPD should first contact the Skyline client or prospective client that collected the CCPD. Skyline’s Security Office can be contacted by emailing Security@SkylineTechnologies.com.
 

13.Changes to this Privacy Policy

Skyline may revise this Policy at any time.  If Skyline decides to materially change this Policy, Skyline will post the revised Policy at this location.