Optimist International : Privacy Policy

July 2018 — Page 1

 

Effective Date

July 1, 2018

Version

1.0

 

 

 

 

 

General

Executive Statement

At Optimist International, we believe privacy is important. That's why we have established a comprehensive privacy program, including a global privacy officer and a data privacy officer, designed to help us respect and protect privacy rights. To protect your privacy, Optimist International will ensure all personal data is handled in a secure way and used only as outlined in the sections below. This privacy policy informs you what personal data we collect, how we use it and the measures we take to keep it safe. This policy is our commitment to privacy and includes provisions on processing of personal data related to clients, consumers, citizens and employees.

This privacy policy applies to all Optimist International Districts and personal data-processing activities under the responsibility of Optimist International.

Accountability

Accountability for Optimist International's compliance with this privacy policy rests with the Executive Director. The Executive Director will delegate an individual to act on his or her behalf, named the Optimist International's data privacy officer (DPO). All Optimist International employees and District Officers are responsible for their own compliance with this policy.

Data Privacy Officer

A data privacy officer (DPO) is appointed who will monitor adherence to this privacy policy. If necessary, the DPO will be supported by local representatives, who are responsible on the DPO's behalf for ensuring privacy in the respective Optimist International entities. They will inform the DPO in case of complaints and coordinate breach response procedures, including representation to relevant authorities.

The local representatives will abide by the findings of the DPO. In their duties under this privacy policy, the DPO and local representatives are independent of directions by the local management. The respective management within Optimist International is obligated to support the DPO and the local representatives in carrying out their duties.

All business stakeholders will collaborate with the DPO or a representative, and will assist business units (for example, legal, internal audit and human resources) on privacy matters.

Scope

This privacy policy applies to all personal data processed by full-time and part-time employees, contractors, volunteers, and partners doing business on behalf of Optimist International, as well as all legal entities, all operating locations in all countries, and all business processes conducted by Optimist International that are subject to comply with the contents of the policy.

The national and local laws of every country and legal jurisdiction in which personal data is collected and processed apply. Any mandatory registration provisions that may exist according to legal requirements must be observed. Every legally independent entity within Optimist International is responsible for assessing whether and to what extent such registration obligations exist toward national and/or regulatory authorities. In case of uncertainty, stakeholders must consult the DPO and/or general counsel.

Collection of personal data by — and the disclosure to — governmental institutions and authorities will be carried out only on the basis of specific legal provisions. In all cases, this privacy policy imposes those restrictions that are necessary to meet the legal requirements of the respective laws.

 

 

 

External (Websites)

Logging Practices

Optimist International's web servers automatically record the Internet Protocol (IP) addresses of visitors. The IP address is a unique number assigned to every computer on the internet. Generally, an IP address changes each time you connect to the internet (it is a "dynamic" address). Note, however, that if you have a broadband connection, depending on your individual circumstance, the IP address that we collect may contain information that could be deemed identifiable. This is because, with some broadband connections, your IP address doesn't change (it is "static") and could be associated with your personal computer.

As well as recording the IP addresses of users, Optimist International may also keep track of sites that users visited immediately prior to visiting Optimist International's website and the search terms they used to find it. The web server keeps track of the pages visited on Optimist International's website, the amount of time spent on those pages and the types of searches done on them. Your searches remain confidential and anonymous. Optimist International uses this information only for statistical purposes, to find out which pages users find most useful and to improve the website.

Optimist International servers also capture and store information that your browser transmits. This includes:

1      Browser type/version

2      Operating system used

3      Media Access Control (MAC) address

4      Screen resolution

5      Date and time of the server request

6      Volume of data transferred

7      Access status ("file transferred," "file not found" and so on)

This data will be used to generate statistics that help us to further optimize our websites to meet your individual needs. We will not deduce personal information from this data.

Web Beacons

Optimist International's websites may use a technology known as "web beacons" — sometimes called "single-pixel GIFs" — that allow the sites to collect website log information. A web beacon is a graphic on a web page or in an email message designed to track pages viewed or messages opened. Website log information is gathered when you visit one of our websites. The web server automatically recognizes information such as the date and time you visited our site, the pages you visited, the website you came from, the type of browser you are using, the type of operating system you are using, and the domain name and address of your internet service provider. We may also include web beacons in promotional email messages to determine whether the messages have been opened.

Do Not Track (DNT)

We do not currently use any tracking software. We reserve the option to do so. If we do, our web servers will honor the DNT setting in all web browsers that currently support it. This means that you opt out of our and third-party tracking services, including behavior advertising.

External Links Disclaimer

Some of Optimist International's websites link to other sites created and maintained by other public- and/or private-sector organizations. Optimist International provides these links solely for your information and convenience. When you transfer to an outside website, you are leaving the Optimist International domain, and Optimist International's information management policies no longer apply. Optimist International encourages you to read the privacy statement of each external website that you visit before you provide any personal data.

Communicating With Us

If you choose to contact Optimist International staff using an email address, a discussion forum, a blog, a text message or other electronic communications method, or if you choose to complete an online form provided on an Optimist International website (for example, a request of information or feedback form), we may ask you to provide your name, email address or other personal data. You will be provided with a notice of collection statement, which includes Optimist International's legal authority for the collection; the principal purposes for which the personal data is intended to be used; and the title, business address and business telephone number of an Optimist International employee who can answer questions about the collection.

The purpose of collecting this information is to allow staff to respond to your inquiry or to evaluate individual web services. Only authorized staff will have access to the information provided, and the information will be used only for the purpose it was intended. Completed surveys are sent to staff anonymously. We will ask you to provide us only with a method of contacting you (email, phone, fax or mailing address) if you wish to be included in future surveys or to have us respond to you.

 

Security

Optimist International implements commercially reasonable technical and organizational security controls to protect your personal data against theft, loss or misuse. Your data will be stored in a secure operating environment that is not accessible without authorization. Optimist International applies mitigation measures following periodic risk assessments to ensure an adequate level of protection of your personal data.

Optimist International has put in place appropriate physical, technical and administrative procedures to safeguard and secure the information from loss, misuse, unauthorized access, disclosure, alteration or destruction. Optimist International cannot guarantee the security of information on or transmitted via the internet.

When you enter sensitive information (such as credit card numbers):

  • We encrypt that information to protect against eavesdropping TLS 1.2.
  • We do not store this sensitive data. Credit card information is all entered on the credit card processor’s site.
  • We may limit use of site features in response to possible signs of abuse, may remove inappropriate content or links to illegal content, and may suspend or disable accounts for violations of our terms and conditions.

Certification

If you have any complaints about our privacy policy or practices, please let us know through our "Contact Us" page.

Optimist International is also implementing controls following the guidelines of NIST CSF V.1.1

Personal Data About Minors and Children

If you are under age 13 please do not provide any personal data about yourself to us. If we learn that we have collected personal data from a child under age 13, we will delete that information as quickly as possible. If you believe that we might have any information from a child under the age of 13, without covering parental or guardian consent, please inform us through the "Contact Us" page.

Parental participation: We strongly recommend that minors 13 years of age or older ask their parents for permission before sending any information about themselves to anyone over the internet, and we encourage parents to teach their children about safe internet use practices.

 

 

Applicable Law

This privacy policy is governed and will be interpreted in accordance with the laws of the United States.

If you use our services and reside outside the U.S., your information will be transferred to the U.S. and will be processed and stored there under U.S. privacy standards. By using our services and providing information to us, you consent to such transfer to the U.S. and processing there.

Collaboration With Authorities

Optimist International has established a set of corporate rules for privacy, which in Europe is known as binding corporate rules (BCRs). This is our global privacy standard for all Optimist International companies. These rules have been approved by data protection authorities in the countries of the European Union in which we operate. The rules are our commitment to protect your personal data and honor our privacy obligations, regardless of where your personal data is collected, stored and processed. Depending on where you reside, BCRs may also provide you some additional privacy rights through your local privacy regulator.

Some of the websites of Optimist International may be governed by separate privacy policies. The policy that applies is always the policy that appears at the bottom of the website or is referenced in the terms and conditions for that service. The privacy practices of our corporate family are consistent with those described in this privacy policy and our BCRs.

What Personal Data We Use

Optimist International has appointed and mandated a privacy officer who represents the regulatory authorities inside the Optimist International organization, and in return represents the Optimist International organization to regulatory authorities.

Optimist International's privacy officer will ensure proper communication with the relevant regulatory authority for privacy. The privacy officer will lead investigative action, complaint handling and data breach notification. The privacy officer will also monitor regulatory changes and consult the regulatory authority where implementation of a regulatory or technological change leads to doubt.

How We Use Personal Data

Optimist International uses the following personal data in line with the use purposes explained below:

-       Your name and contact details

-       Communication details

-       Authentication data

-       Online profile data

-       Online activity/profile usage

-       Purchasing information

-       Payment methods and history

-       Information about the device(s) you use

-       Information about the service usage

-       Support information

-       Cookies

-       Social media profile plug-in information

-       Date of birth

-       Subscription preferences

-       Location information and GPS data

-       Photographs or video submitted or collected at Optimist Events

-       Any other information you upload or provide us with

Personal data is collected solely for the purpose of retaining membership information.

How Long We Use Personal Data

Optimist International uses the information collected to provide a safe, efficient and customized experience. Here are some of the details on how we do that:

·         To manage the service We use the information we collect to provide our services and features to you, to measure and improve those services and features, and to provide you with customer support. We use the information to prevent potentially illegal activities and to enforce our terms and conditions. We also use a variety of technological systems to detect and address anomalous activity and to screen content to prevent abuse, such as spam. These efforts may, on occasion, result in a temporary or permanent suspension or termination of some functions for some users.

·         To contact you We may contact you with service-related announcements from time to time. You may opt out of all communications except for essential updates. Club and District officers may not opt out. Email communication is essential to fulfilling their responsibilities.

·         Advertising We do not advertise nor link to advertisements on our website. There is no personal data transferred to any advertiser.

Who Else May Process Personal Data

Following legal requirements:

·         To manage the service We retain the personal data as indicated for this purpose while you are an active member.

·         To contact you We retain the personal data as indicated for this purpose while you are an active member.

·         To serve personalized advertising to you — We never retain the personal data as indicated for this purpose.

 

Optimist International may share the information collected with third parties to provide a safe, efficient and customized experience. Here are some of the details on how we do that:

·         To provide services: Optimist International may share your personal data with agents, contractors or partners of Optimist International in connection with services that these individuals or entities perform for or with Optimist International. These agents, contractors or partners are restricted from using this data in any way other than to provide services for Optimist International, or for the collaboration in which they and Optimist International are engaged (for example, some of our products are developed and marketed through joint agreements with other companies). We may, for example, provide your information to agents, contractors or partners for hosting our databases, data processing or mailing you information that you requested.

·         To make a payment: When you enter into transactions with others or make payments on Optimist International's website, we will share transaction information with those third parties necessary to complete the transaction. We will require those third parties to respect your privacy, and adequately protect your information.

·         To respond to legal requests and prevent harm: Optimist International reserves the right to share your information to respond to duly authorized information requests of governmental authorities or where required by law. In exceptionally rare circumstances where national, state or company security is at issue (such as terrorist attacks), Optimist International reserves the right to share our entire database of visitors and customers with appropriate governmental authorities.

We never sell your personal data to third parties, such as marketers, without your consent. We do not provide any personal data to "people finder," "public directory" or "white pages" sites.

If our company is involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, your information may be sold or transferred as part of that transaction. The promises in this privacy policy will apply to your information as transferred to the new entity.

Your Right to Access Personal Data

In providing its services, Optimist International makes use of external service providers that may process your personal data on our behalf. Optimist International ensures via contracts and assurance measures that our promise to protect your privacy is extended to apply to the processing of personal data by these third parties, where such processing activities are under the responsibility of Optimist International.

Your Right to Appeal an Access Decision

In addition to the information that is available on Optimist International's website, you have the right to access the personal data that Optimist International holds about you, all subject to the exemptions as contained in applicable laws and regulations. If you request the data, then Optimist International will assist you. Your identity will need to be confirmed before you are provided with access to personal data. Generally, Optimist International does not charge for providing information, but if the request requires significant staff time, Optimist International reserves the right to charge a fee for such requests.

We ask that you put your request in writing. Please include the following:

1      Your full mailing address

2      Your daytime telephone number

3      Names of specific files or types of records to which you request access, including specific dates of those records, where possible

Please provide as much detail as possible.

All formal access requests will be directed to the data privacy officer, who will then review each request to determine whether Optimist International will disclose the requested information. The privacy officer will also receive and address all privacy complaints that Optimist International receives. The privacy officer can be reached at the address listed on the "Contact Us" page.

You will be notified if access to the records you have requested is granted or denied, and which exemptions apply.

Your Right to Correct or Amend Personal Data

Requesters of information can appeal Optimist International's decision about access to FTC To make an appeal, you must complete an appeal form or write a letter to FTC within 10 days of receiving Optimist International's decision. This correspondence must include a description of the circumstances of your case, a copy of Optimist International's decision and, if available, a copy of your original access request to Optimist International. Note there may be a fee payment involved, depending on FTC's instructions.

Once your appeal request has been processed, FTC will send you a written confirmation, explaining how your appeal will be handled or whether it will be dismissed.

Your Right to Take Personal Data With You (Portability)

If you believe there is a mistake in your personal data, you have a right to ask for the information to be corrected. We may ask you to provide documentation to show where Optimist International's files are incorrect. We will amend the erroneous data within 30 days and will notify you once the correction you have requested has been completed. You have the right to request correction of your personal data held by Optimist International if you believe there is an error or omission. You are entitled to attach a statement of disagreement with the information, reflecting any correction you requested, but which was not made by Optimist International.

Your Right to Be Forgotten

You may obtain and reuse the personal data held by Optimist International for your own purposes across different services. Optimist International allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right applies to your personal data held by Optimist International, where the processing was automated and used in the light of our service provision within the contract you have with Optimist International, or where such processing was based on the consent you gave Optimist International for it.

You may either:

-       Follow the instructions at "Your Right to Access the Personal Data" and indicate that you wish to obtain the information for reuse purposes, indicating your desire to take the personal data with you; or

-       Log in to Optimist International's online web portal and download the information provided in the "Export" section of the portal.

Enforcement and Audit

Optimist International does not store personal data without a predefined and documented purpose. We follow laws that require us to delete personal data if the reason for its collection and storage no longer exists. We believe this fulfills the requirements of the privacy principle of "the right to be forgotten."

Where the personal data that Optimist International holds is based on the consent you provided, and you wish to be removed from our systems prior to the retention period indicated in the "How Long We Use Personal Data" section, please contact our privacy officer at Optimist International, 4494 Lindell Blvd., St. Louis, MO 63108.

 

Complaints

Optimist International uses a self-assessment approach to ensure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible, and in conformity with privacy principles.

Automated Decisions

We encourage anyone interested to raise any concerns using the contact information provided in our "Contact Us" page, and we will investigate and attempt to resolve any complaints and disputes regarding the use and disclosure of personal data.

If you would like to address your complaint to a third party, you may consider the following groups <DELETE ALL THAT DO NOT APPLY>:

·         U.S. Federal Trade Commission's Complaint Assistant

·         Privacy Rights Clearinghouse — New Complaints

·         econsumer.gov

·         The European Commission: National Data Protection Authorities

·         TRUSTe Dispute Resolution Program

 

Review and Ratification

Certain countries provide restrictions relating to automated decisions that affect individuals. Such automated decisions that affect individuals are decisions that are the result of the automated processing of personal data and that have a legal effect on the individual, or affect him or her negatively.

Apart from a few specific exceptions (for example, a preselection of job applicants who applied online), Optimist International does not render any automated decisions that affect individuals. In those exceptional cases in which such automated decisions are rendered by Optimist International, the individuals will be notified about the presence of such automated decisions and shall be allowed to comment on the respective decision. In such a case, the decision will be reviewed again.

We may occasionally update or modify this privacy policy. To ensure that the importance of this privacy policy is communicated uniformly throughout the enterprise, all members of Optimist International's board of directors will review, update and ratify this privacy policy at least annually.

For material changes to this privacy policy, we will notify you by placing a prominent notice on the home page of our website or, if legally required, by directly sending you a notification. We encourage you to periodically review this privacy policy to stay informed about how we are helping to protect the personal data we collect. Your continued use of the service constitutes your agreement to this privacy policy and any updates.

Definitions

Complaints and Communication ("Contact Us")

"Personal data" (or "personal information") means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly — in particular, by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

"Special Categories of Personal Data" pertains to personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sex life.

"Sensitive personal data" either indicates "special categories" (see above), or is personal data of which the sensitivity level has been assessed and classified, indicating potential severe impact on an individual when confidentiality of such data is breached.

"Anonymization" is the deletion or changing of personal data in such a way that this personal data can no longer be assigned to a certain or ascertainable individual or only with a disproportionately high effort in terms of time, cost and work.

"Pseudonymization" is the replacement of an individual's name and other identifiable characteristics with a label to prevent identification of the individual by unauthorized parties or to render such identification substantially difficult. Pseudonymization techniques include certain levels of masking, redaction, tokenization and/or encryption of personal data.

"Consent" is any freely given, specific and transparently, well-informed indication of the will of the individual, whereby the individual agrees that his or her personal data may be processed. Particular requirements about consent can arise from the respective national laws. Where possible, consent is obtained in an explicit manner (unambiguously).

Sources and References

Optimist International's website and all its gateways are governed by the policies and principles outlined above. For more information relating to your privacy, contact:

 

Cheryl Brenn

Optimist International

4494 Lindell Blvd.

St. Louis, Missouri 63108

USA

Phone: 1-314-371-6000

Fax: 1-314-371-6006

Email: privacy@optimist.org

 

Revision History

Date

Version

Approver

Summary of Changes

 

 

 

 

 

 

 

 

 

 

 

 

Standards and frameworks:

1      Asia/Pacific Economic Cooperation (APEC) Privacy Framework

2      BS 10012 specification for a personal information management system (PIMS) — U.K.

3      Bundesdatenschutzgesetz (BDSG) — Germany

4      Cloud Privacy Framework ISO/IEC 27018

5      Data Protection Act — U.K.

6      EU Data Protection Directive (95/46/EC)

7      EU E-Privacy Directive (Directives 2002/58/EC and 2009/136/EC) and/or 2017 Regulation (EU) 2016/679

8      EU General Data Protection Regulation (GDPR)

9      EU-U.S. Privacy Shield Agreement

10   Generally Accepted Privacy Principles (GAPP) — U.S. and Canada

11   Health Insurance Portability and Accountability Act (HIPAA) — U.S.

12   Ley Federal de Protección de Datos Personales en Posesión de los Particulares — Mexico

13   Ley Orgánica de Protección de Datos de Carácter Personal (LOPD) — Spain

14   Loi Informatique et Libertés — France

15   Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada

16   Privacy Act 1988 — Australia

17   Privacy Framework ISO/IEC 29100

18   Privacy Management Plan Template (OAIC) — Australia

19   Wet Bescherming Persoonsgegevens 2016 (Wbp) — The Netherlands