Alfa's Data Privacy Framework Policy

Overview

This Data Privacy Framework Policy (the “Policy”) outlines the Data Privacy Principles followed by Alfa Financial Software Inc. (referred to as “Alfa”), a subsidiary of Alfa Financial Software Limited, regarding the transfer and protection of “Personal Data” received from the European Union (E.U.) and Switzerland in reliance on the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework established by the U.S. Department of Commerce (collectively, the “DPF”)

Alfa has certified to the U.S. Department of Commerce, demonstrating its commitment to the DPF Principles concerning the “Personal Data” (as described below) transferred from the European Union and its Member States, the European Economic Area and/or Switzerland to the United States. To view Alfa’s certification, please visit https://www.dataprivacyframework.gov/list.

This Policy applies to the Personal Data covered by Alfa's DPF certification, encompassing the following categories of Personal Data:

  • Personal Data regarding current, former and prospective employees and partners for the purposes of performing human resource administration and maintaining contact with individuals.
  • The Personal Data, concerning former and potential clients, as well as their personnel, customers, or other individuals utilising Alfa services.
  • Personal Data regarding Alfa suppliers, service providers, and other third parties, and their personnel for the purposes of managing and administering Alfa’s business relationships with such third parties.

The collection and processing of Personal Data under this Policy adhere to the guidelines set forth in the DPF Principles. Individuals are informed about the collection and use of their Personal Data either through this Policy, Alfa’s Privacy Policy, or direct communication channels, such as contracts or agreements. When deemed necessary and appropriate, consent for the collection, use, and/or transfer of Personal Data may also be obtained through these channels, including obtaining opt-in consent for sensitive Personal Data.

Alfa only collects and processes Personal Data to the extent that it is compatible with the purposes for which it was collected or subsequently authorised by the individual. This includes processing Personal Data necessary for the performance of and compliance with employment contracts or other applicable engagement contracts with Alfa, complying with legal or regulatory obligations, and for legitimate interests that are not overridden by the individual's interests or rights. Alfa does not retain Personal Data after it no longer serves the purposes for which it was collected or subsequently authorised. Alfa takes reasonable steps to ensure that Personal Data is accurate, complete, current, and reliable for its intended use.

Alfa provides individuals with the opportunity to address complaints or make inquiries directly through contact with our data protection team (information available in our Privacy Policy) or using other methods outlined in the "How to Contact Alfa" section. In cases where disputes cannot be resolved directly with Alfa, the company commits to facilitating access to an independent dispute resolution body dedicated to handling privacy-related complaints from EU and Swiss individuals. Alfa is also subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

  • For Human Resources Data: Alfa will collaborate with EU Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner (collectively referred to as "Data Protection Authority") to investigate and resolve unresolved complaints related to its reliance on the DPF. This includes compliance with advice provided by Data Protection Authorities as outlined in the Data Privacy Framework Principles. Individuals can directly contact their Data Protection Authority to resolve disputes.
  • For Non-Human Resources Data: Alfa has established an independent recourse mechanism, the International Centre for Dispute Resolution, the international division of the American Arbitration Association ("ICDR/AAA"). To address issues, individuals can contact the ICDR/AAA for resolution by visiting https://go.adr.org/dpf_irm.html

Under specific circumstances, more fully described on the Data Privacy Framework website, individuals may have the option to choose binding arbitration through the EU-U.S. Data Privacy Framework Panel for complaint resolution.

Individual rights

Individuals whose Personal Data is covered by this Policy have the right to access the Personal Data that Alfa maintains about them, as specified in the DPF Principles. Individuals may contact Alfa to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the DPF Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated). Individuals may also have the right to limit the use and disclosure of their Personal Data (opt-out) under certain circumstances, such as marketing. Requests to access, correct, amend, delete, or limit the use and disclosure of Personal Data (opt-out) can be made by contacting Alfa at DPO@alfasystems.com.

Accountability for onward transfers

Alfa may engage with third parties, resulting in the transfer of Personal Data from one jurisdiction to another. This engagement assists in operating and managing Alfa, providing specific professional services as specified within the contractual framework established between Alfa and its clients, or supporting and administering Alfa’s business relationships with partners and suppliers. Alfa maintains written contracts with these third parties, ensuring that they are obligated to provide at least the same level of privacy protection and security as required by the DPF Principles. To the extent provided by the DPF Principles, Alfa remains responsible and liable if a third party engaged to process Personal Data on its behalf does so inconsistently with the DPF Principles. This responsibility persists unless Alfa can demonstrate that it is not accountable for the issue leading to the damage.

Additionally, Alfa may disclose Personal Data:

  • Where required to meet a legal obligation to which Alfa is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation.
  • Where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal claims.

Security

Alfa will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by processing the Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed in accordance with the Data Protection Laws, including as a minimum.

How to contact Alfa

If you have any questions or comments about this Policy, would like to exercise any of your rights under applicable data protection law, or believe that Alfa has not adhered to this Policy please contact Alfa in the U.S. at:

Alfa Financial Software, Inc.
ATTN: Data Protection Officer
124 E Hudson Ave
Royal Oak, MI 48067

Updates

Alfa may update this Policy at any time by publishing an updated version here, however we will not update this Policy in contravention of the DPF Principles.

Last updated: 23 February, 2024