Data Processing Standards
Data Processing Standards
Last Updated May 2018
Letters for customers of Altisource S.à r.l.
May 11, 2018
RE: NOTICE OF DATA PROCESSING STANDARDS
I write on behalf of Altisource S.à r.l. (“Altisource”) in regards to a new regulation that may have a positive impact over the services provided by Altisource to your company.
As you may know, on May 25, 2018 a new landmark privacy law called the General Data Protection Regulation (“GDPR”) takes effect in the European Union (“EU”). Among other things, the GDPR expands the privacy rights granted to individuals and places new obligations on certain organizations that handle Personal Data (as defined below).
Due to our corporate structure, which includes an establishment in Luxembourg, some of our processing operations may be subject to the GDPR. We have analyzed the requirements of the GDPR and send this letter to describe our commitments and confirm that we do not believe the new regulation will require substantial modifications to our current practices.
Definition of Personal Data
- “Personal Data” as used in this letter, means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- To the extent the services provided by Altisource to you (the “Services”) involve processing of Personal Data under the GDPR, then Altisource, where acting as the data processor, will comply in all material respects with its obligations as a data processor under the GDPR.
- Altisource will process the Personal Data only: (i) in accordance with the terms of the agreements in place with you, or in accordance with your instructions; (ii) as needed to provide the Services; or (iii) as needed to comply with applicable law.
- Altisource has implemented and will maintain appropriate technical and organizational security measures to protect Personal Data against: (i) unauthorized or unlawful processing; (ii) accidental or unlawful destruction; (iii) accidental loss or alteration; and (iv) unauthorized disclosure or access. Upon your written request Altisource will provide you with general information on the security measures used by Altisource.
- Altisource employees or representatives with access to the Personal Data will be subject to statutory or contractual obligations to protect such Personal Data and keep it confidential.
- If authorized or provided in the applicable agreements under which Altisource provides Services, Altisource may appoint affiliated or third-party contractors and vendors (“Subprocessors”) to deliver the Services. Altisource will provide the list of current Subprocessors upon your written request, such list may be updated by Altisource from time to time. You may object to the use of specific Subprocessors on reasonable grounds.
- Altisource may transfer Personal Data to the United States and to other countries where Subprocessors are established (currently India, the Philippines and Uruguay). Altisource may also transfer the Personal Data based on your instructions or as necessary to deliver the Services. By using our Services, you authorize such transfers. Altisource will secure such transfers through contractual data transfer instruments aligned on model clauses validated by the European Commission or through other lawful means. Upon your written request Altisource will provide additional information around international data transfers.
- Upon termination or expiration of the applicable agreement(s), at your written request, Altisource will delete or return the Personal Data to you. Such actions will not affect the back-up copies kept by Altisource for archival, back-up and compliance purposes. Altisource will provide you with reasonable access to documentation in the event of an audit required by a government regulator. Additionally, you may exercise your audit rights under the GDPR.
Should you have any questions or wish to discuss this matter further, please contact Shaun Sethna (email: Shaun.Sethna@altisource.com).
Very truly yours,
Gregory J. Ritts
[A signed version of this letter is available to customers of Altisource S.à r.l. upon request]