Approved TRG Customer Solutions, Inc. d/b/a IBEX Global Non-HR Data Privacy Policy for Privacy Shield

Privacy & Policy

Data Privacy is Important to Us

Please be assured that your privacy is of utmost importance to us. We comply with all applicable data privacy laws including the General Data Protection Regulation regarding personal data collected and processed concerning residents of the European Union and European Economic Area.

The specific practices outlined in this privacy statement apply to privacy practices and procedures maintained by or on behalf of ibex. and its affiliates. Some of our web pages contain links to web sites outside ibex. Please be aware that when you follow a link to another site, you are then subject to the privacy policies of the new site.

What Personal Data We Collect and Process

The Company collects business contact and financial information from our business customers and vendors. We collect personal contact information, purchase information, and customer experience information from individuals who purchase products and services from our business customers.

How and Why We Process Personal Data

The Company processes personal information for the following purposes:

  • Providing products and services to our business customers The Company collects and processes the business contact information of the individuals working for our business customers so that we can enter into and perform contracts with our business customers to provide our products and services.
  • Working with our vendors. The Company collects and processes the business contact information of the individuals working for our vendors so that we can enter into and perform contracts with our vendors.
  • Generating customers for our business customers. The Company collects and processes the personal contact information and business contact information of individuals through Company created websites, display banners, chat boxes, social media platforms, telephone calls, and interviews. Personal information is also collected through forms completed by individuals to register for events and subscribe to publications. This personal information is shared with our business customers to assist them in their customer acquisition efforts.
  • Enhancing the customer experience for the benefit of our business customers. The Company collects and processes personal contact information and business contact information about individuals who purchase products and services from our business customers as well as their impressions of their purchase experience and experience with the products and service. We collect this personal information through surveys, telephone calls and interviews. This personal information is shared with our business customers to assist them in their customer relations efforts.
  • Making our websites more useful. For each HTTP (which is what your web browser generates when you request a page or part of a page from a web site) request received, the Company automatically collect and store only the following information: the date and time, the originating IP address, the type of browser and operating system used (if provided by the browser), the URL of the referring page (if provided by the browser), and the object requested completion status of the request pages visited. We use the information that we collect to measure the number of visitors to the different areas of our sites, and to help us make our sites more useful to visitors. This includes analyzing these logs periodically to determine the traffic through our servers, the number of pages served, and the level of demand for pages and topics of interest.

Interaction with Children

We do not collect personal data of and our websites do not target or provide content to children under the age of 16.

Cookies

Cookies are small files that web servers place on a user’s hard drive. The Company does not use “persistent cookies” or any other persistent tracking methods to collect personal information about visitors to its websites. Cookies serve several functions:

  • They allow the website to identify you as a previous visitor each time you access a site;
  • They track what information you view at a site (important to commercial sites trying to determine your buying preferences);
  • In more advanced cases, they track your movements through many websites but not the whole Web;
  • Businesses use them for customer convenience to allow them to produce a list of items to buy and pay for them all at one time and to garner information about what individuals are buying at their sites;
  • Advertisers use them to determine the effectiveness of their marketing and offer insights into consumer preferences and tastes by collecting data from many websites.
  • They are used to help a website tailor screens for each customer’s preference.

To protect your privacy, be sure to close your browser completely after you have finished conducting business with a website that does use cookies. If you are concerned about the potential use of the information gathered from your computer or mobile device by cookies, you can set your browser to prompt you before it accepts a cookie. Most Internet browsers have settings that let you identify and/or reject cookies. Before collecting personally identifiable information, we will prominently disclose why we are requesting the information; how it will be used; how long it may be retained; under what conditions, and with whom, it may be shared.

We Also Collect and Use Non-Personal Data

In addition to personal information, we collect and store non-personal (such as search engine queries and anonymous survey responses) to help us better understand and meet the needs of our visitors. We may share non-personal information with others, including the public, in aggregated form (for instance, in a list of our most popular search engine queries), in partial or edited form (such as in a report summarizing responses to a questionnaire), or verbatim (for example, in a complete listing of survey responses).

Data Subject Rights of EU Residents

EU residents have the following rights regarding their personal data:

  • Right of Access: You have the right to obtain confirmation from the Company as to whether or not personal data concerning you is being processed and how, what when, why and for how long your personal data is processed and to whom it is disclosed.
  • Right to Rectification: You have the right to request the Company to correct inaccurate personal data and to complete incomplete personal data.
  • Right to Erasure (Right to be Forgotten): You have the right to request the Company to erase personal data concerning you where your personal data is no longer needed for the purposes for which it was collected or processed or has otherwise been improperly processed.
  • Right to Object: You have the right to object to the processing of your personal data if the processing is based upon the Company’s legitimate interest or for the performance of a task carried out in the public interest, including any profiling based on such processing, or if the processing is for direct marketing.
  • Right to Restrict Processing: You have the right to request the Company to restrict the processing of your personal data while your data subject rights requests are being investigated and answered.
  • Right to Portability: You have the right to receive personal data that you have provided to the Company and transmit such personal data to another entity where the processing of such personal data is based on consent and is processed by automated means. Additionally, you have the right to require the Company to transmit such personal data directly to another entity, where technically feasible.
  • Right not to be Subject to Automated Decision-Making, Including Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you.

To make a subject access request, you should send the request to James Ferrato, Chief Information Officer, jim.ferrato@ibex.co. In some cases, the Company may need to ask for proof of identification before the request can be processed. The Company will inform you if it needs to verify your identity and the documents it requires. The Company normally will respond to a request within a period of one month from the date it is received. In some cases, such as where the Company processes large amounts of an individual's personal data, it may respond within three months of the date the request is received. The Company will write to you within one month of receiving the original request to tell you if this is the case.

International data transfers

The Company has certified that it complies with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred to the U.S. from the EU and Switzerland, respectively. This certification covers the following Company entities:

  • TRG Customer Solutions, Inc. d/b/a IBEX Global
  • Digital Globe Services, Inc.
  • iSKY, Inc.

To learn more about the EU-U.S. and Swiss-U.S. Privacy Shield programs, please visit http://www.privacyshield.gov To view the Company’s certification under Privacy Shield, please visit http://www.privacyshield.gov/list.

In addition to the protections provided under other sections of this Data Privacy Policy, the Company will provide the following protections for personal data transferred from the EU or Switzerland to the U.S.:

Choice

You will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether their personal information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of the Company or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.

Additionally, you will be offered a similar choice mechanism to give affirmative or explicit (opt in) choice whether their sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice. However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of the individual or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or (5) related to personal information that is manifestly made public by the individual.

Transfer of Personal Data from the EU or Switzerland to Processors in the U.S.

The Company’s EU and Swiss entities may transfer personal information to a processor in the United States solely for processing purposes. A “processor” is a third party who processes personal information on behalf of and in accordance with the instructions of the Company’s EU and/or Swiss entities. When personal information is transferred from the EU and/or Switzerland to the United States solely for processing purposes, the Company’s EU and/or Swiss entities will comply with the applicable data protection laws including the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP), respectively and enter into a contract with the processor to ensure that the processor (1) acts only on instructions of the Company’s EU and/or Swiss entities; (2) provides appropriate technical and organizational measures to protect the personal information against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; and understands whether onward transfers are allowed; and (3) assists the Company’s EU and/or Swiss entities in responding to individuals exercising their rights under the Privacy Shield principles, taking into account the nature of the processing.

Onward Transfers to Third Party Agents

After personal information is transferred from the EU and/or Switzerland to Company entities in the United States, the Company may thereafter transfer the personal information to third parties acting as controllers. A “controller” is a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal information. Examples of third party controllers may include banks and healthcare providers, or management personnel in other Company offices outside of the U.S. When the Company makes such onward transfers to third party controllers, the Company will comply with the Privacy Shield notice and choice principles and enter into a contract with the third party controller that provides that (1) such personal information may be processed only for limited and specified purposes consistent with the consent provided by the individual; (2) the third party controller will provide the same level of protections as the Privacy Shield principles; (3) the third party controller will notify the Company if the third party can no longer meet its obligation to provide the same level of protection for the personal information as required by the Privacy Shield principles; and (4) upon such notice by the third party controller, the third party controller will cease processing the personal information and/or take reasonable and appropriate steps to remediate any unauthorized processing.

Onward Transfers for Occasional Employment-Related Operational Needs

After personal information is transferred from the EU and/or Switzerland to Company entities in the United States, the Company may thereafter transfer the personal information of a small number of individuals for occasional employment-related operational needs, if any, such as the booking of a flight, hotel room, or insurance coverage. When the Company makes such onward transfers, it will comply with the Privacy Shield Notice and Choice principles.

Verification

The Company has verified and will verify annually through self-assessment that the attestations and assertions made about its Privacy Shield privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the Privacy Shield principles. This verification has been and will be signed by an officer of the Company or other authorized representative of the Company at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance. The verification includes the following:

  • That the Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible;
  • That the Policy conforms to the Privacy Shield Principles;
  • That individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
  • That it has in place procedures for training employees in the implementation of this Policy and disciplining them for failure to follow it;
  • That it has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Recourse Mechanisms For Personal Data Transferred Under Privacy Shield

Inquiries or complaints regarding transfers of personal data from the EU or Switzerland to the U.S. pursuant to Privacy Shield should be directed to our Director of Security and Compliance by e-mail at security@ibex.co.

If a complaint remains unresolved, EU residents should contact the state or national data protection authority in the jurisdiction where they reside for resolution. A listing of the EU Data Protection Authorities (DPAs) is located at: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm. Individuals in Switzerland should contact the Swiss Federal Data Protection and Information Commissioner (the Commissioner) for resolution. Information regarding the Commissioner is located at: https://www.edoeb.admin.ch/?lang=en.

The Company will cooperate with the DPA’s and/or the Commissioner and comply with the advice of the DPA’s and/or Commissioner. In the event that the DPA’s and/or the Commissioner determines that the Company did not comply with this Policy or Privacy Shield principles, the Company will take appropriate steps to address any adverse effects and to promote future compliance, comply with any advice given by the DPA’s and/or the Commissioner where the DPA’s and/or the Commissioner has determined that the Company needs to take specific remedial or compensatory measures for the benefit of individuals affected by any non-compliance with this Policy or the Privacy Shield principles, and provide the DPA’s and/or the Commissioner with written confirmation that such action has be taken.

Under certain conditions specified by the Privacy Shield Privacy Principles, you may also be able to invoke binding arbitration to resolve your complaints.

Enforcement

The Company is also subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Liability

In the context of an onward transfer of personal information, the Company has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party agent. The Company will remain liable under the Privacy Shield principles if its third party agent processes such personal information in a manner inconsistent with the Privacy Shield principles, unless the Company proves that it is not responsible for the event giving rise to the damage.

Training

All employees who handle personal data transferred from the EU or Switzerland to the U.S. will receive training regarding the data privacy principles and procedures under Privacy Shield Principles and this Policy.

Privacy Rights of California Residents

Pursuant to Californian Civil Code Section 1798.83, California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to our Director of Security and Compliance by e-mail at security@ibex.co.

Data Security

The Company takes the security of personal data seriously. The Company has internal policies and technical measures in place to protect personal data against loss, accidental destruction, misuse or disclosure. Such internal policies and technical measures include:

  • The use of pseudonymization and encryption of personal data where appropriate;
  • Procedures and controls to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • Procedures and controls to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • Procedures for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; and
  • Procedures to ensure that data is not accessed, except by employees in the proper performance of their duties.

For site security purposes and to ensure that this service remains available to all users, this computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage to the information on our websites. Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986.

The Company retains personal information only for the period of time necessary to meet the purposes for which it was collected, to fulfil the legitimate business interests of the Company, and to comply with any data retention laws or legal requirements. For example,

When the Company engages third parties to process personal data on its behalf, such third parties are required by contract to process the personal data based on the Company’s written instructions, are under a duty of confidentiality, and are required to implement appropriate technical and organizational measures to ensure the security of the personal data.

When the Company shares personal information of EU residents with affiliated companies, vendors, and business customers located outside of the EU, such as the U.S., the Company uses appropriate safeguards such as standard contract clauses to protect the personal information.

Changes to Our Privacy Policy

It is our policy to post any changes we make to our privacy policy on this page. If we make material changes to how we handle personal information, we will provide notice of the changes on the website home page.

Questions and Concerns

Any questions or concerns regarding how the Company processes personal information should be directed to our Director of Security and Compliance by e-mail at security@ibex.co. EU residents also have the right to lodge a complaint with the local or national data protection authority in the jurisdiction where they reside. A listing of the EU Data Protection Authorities (“DPAs”) is located at: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm. Dispute resolution: If for some reason you believe this site has not adhered to these principles, please notify James Ferrato, Chief Information Officer, at jim.ferrato@ibex.co. . If our web pages are not fully in compliance with our stated policies, they will be corrected.

34720383.1