The Financial Services Information Sharing and Analysis Center (hereinafter “FS-ISAC”, “we”, “us” or similar) is an organization with its main office in the state of Virginia, United States of America. We collect and process several categories of personal data about you from third parties, including publicly available sources such as traditional media, social media, and the Internet. Insofar as European Economic Area data protection law applies, we are a controller with regard to the personal data we process. We take your privacy seriously and this privacy notice describes our practices regarding our collection and use of your personal data.
We collect the following information about you: name, contact information, title, organization, and professional experience. This data is collected by us and we process it for the purpose of providing membership information to you. This processing is based on our legitimate interest to increase membership and provide other valuable services to you.
We will disclose your personal data only for the purposes and to those third-parties as described below. We will take appropriate steps to ensure that your personal data are processed, secured and transferred according to applicable law.
2.1 Disclosure to third-parties
We will share the strictly necessary parts of your personal data, on a need-to-know basis, with the following categories of third-parties:
(a) Companies that provide products and services to us (processors) and are located in the United Kingdom, the United States, or your jurisdiction, such as:
(b) Other parties such as public authorities and institutions, accountants, auditors, lawyers and other outside professional advisors located in the United States, the United Kingdom, and in your jurisdiction, where their activity requires such knowledge or where we are required by law to make such a disclosure.
We will also disclose your personal information to third-parties:
We, as well as some of these recipients, may use your data in countries which are outside of the European Economic Area. Please see Section 3 below for more detail on this aspect.
2.2 Restrictions on use of personal information by recipients
Any third-party processors with whom we choose to share your personal information pursuant to the above are limited (by law and by contract) in their ability to use your personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we choose to share your personal information are subject to privacy and security obligations consistent with this Privacy Notice and applicable laws. However, for the avoidance of doubt this cannot be applicable where the disclosure is not our decision, including where you request it.
Save as expressly detailed above, we will never share, sell or rent any of your personal information to any third party without notifying you and, if applicable, obtaining your consent.
3.1 Transfers of information outside of the European Union
Since we are an organization based in the United States, we process your personal data outside of the European Union.
Where your personal data is transferred to other entities as mentioned in Section 3 above, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Notice. These measures include entering into European Commission approved standard contractual arrangements with them or ensuring they have signed up to the EU-US Privacy Shield (see further https://www.privacyshield.gov/welcome).
Further details on the steps we take to protect your personal information in these cases are available from us on request by contacting our Chief Privacy Officer, firstname.lastname@example.org, at any time.
3.2 Your rights
We are committed to protecting personal information from loss, misuse, disclosure, alteration, unavailability, unauthorized access and destruction and take all reasonable precautions to safeguard the confidentiality of personal information, including through use of appropriate organizational and technical measures. Organizational measures include physical access controls to our premises, staff training and locking physical files in filing cabinets. Technical measures include use of encryption, passwords for access to our systems and use of anti-virus software.
In the course of provision of your personal data to us, your personal information may be transferred over the internet. Although we make every effort to protect the personal information which you provide to us, the transmission of information between you and us over the internet is not completely secure. As such, we cannot guarantee the security of your personal information transmitted to us over the internet, and any such transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to prevent unauthorized access to it.
We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this privacy notice at any time. For this reason, we encourage you to refer to this privacy notice on an ongoing basis. This privacy notice is current as of the date stated in this document. We will treat your personal data in a manner consistent with the privacy notice under which they were collected.
Please direct your questions regarding the subject matter of data protection and any requests in the exercise of your legal rights to our Chief Privacy Officer at email@example.com.
We will investigate and attempt to resolve any request or complaint regarding the use or disclosure of your personal information. If you are not satisfied with our reply and you are from the European Union, you may also make a complaint to the data protection authority in your country.
Effective as of 5 June 2019.