Privacy & GDPR Policy

1.  Introduction
The Association of Professional Social Compliance Auditors (“APSCA” “us”, “we”), is a non-profit corporation incorporated in the District of Columbia, the United States of America.

APSCA exists to enhance the professionalism, consistency and credibility of the individuals and organizations performing independent social compliance audits.

Our website is located at www.theapsca.org (the “Website”).

We are committed to protecting your privacy and will only use the information that we collect about you lawfully. This policy is intended to give you an understanding of how and why we use the information you provide to us both online and otherwise.

As described in this policy, APSCA, as a member organization, stores and maintains personal information on our members, as well as those who interact with us via the Website or other methods of contact. This data is kept secure and confidential and is used in the normal day to day duties of APSCA, as further detailed in this policy, the APSCA Data Security Policy and APSCA Data Collection Fact Sheet, which are incorporated herein by reference.

Please read this policy carefully to understand how we will collect, use and store your data. We may update this policy from time to time without notice to you, so please check it regularly.

2. What information do we collect about you?
We collect personal information about you for a number of reasons, including communicating with you, responding to requests for information, and to administer our member services. We also collect information about the use of our website using cookies (see the Cookies Statement).

The personal data we collect can include:
(a) Your full name;
(b) postal address;
(c) telephone number(s);
(d) email address;
(e) employer and role;
(f) photos of your participation at our events;
(g) records of your correspondence with us;
(h) records of your membership;
(i) information you may enter onto the Website; and
(j) information you share with us.

We will never collect sensitive personal data (such as health information) without your explicit consent.

There is also information about your computer hardware and software that is automatically collected by the Website. This information can include: your IP address (the network address assigned to your device or internet connection), the browser you use (for example Internet Explorer (IE), Firefox, etc.), domain names, access times and referring website addresses. This information is used by us for the operation of the service, to maintain the quality of the service, and to provide general statistics regarding use of the Website.

Membership fees paid by credit card are processed through authorize.net, an approved merchant services provider through Bank of America. Credit card details provided for payments are not collected or stored by APSCA; they are entered directly on the authorize.net website. APSCA simply provides the link to that payment site.

3. How will we use the information about you?
We will process your data for the following reasons:
(a) to maintain the membership profile of our members;
(b) to deliver services and/or other materials and information you have requested from us;
(c) unless you tell us otherwise, to send you information that we think you may be interested in, including updates on APSCA's work and events. We will also send this information by e-mail, where you have provided consent (if required);
(d) for our own internal administrative purposes and to keep a record of your relationship with us;
(e) to manage your communication preferences;
(f) to conduct research, for example, via surveys about our pilot program;
(g) to carry out research to find out more about our members' backgrounds and interests; and
(h) to comply with applicable laws and regulations, and with requests from statutory agencies.
We may also analyze your personal information and create a profile of your interests and preferences. This allows us to ensure that communications are relevant and timely and to provide an improved experience for our members.

4. Our legal basis for processing personal data
Under the European General Data Protection Regulation (GDPR), organizations that operate in the EU need a lawful basis to collect and use personal data. The law provides six lawful bases for processing personal data (and additional conditions for sensitive personal data). Four of these are relevant to the types of processing that APSCA carries out. This includes information that is processed on the basis of:
(a) A person’s consent (for example to send you direct marketing by e-mail);
(b) Processing necessary for the performance of a contract with you (for example, your membership);
(c) Processing that is necessary for compliance with a legal obligation (for example, any reporting obligations to governmental bodies);
(d) Our legitimate interests (please see below for more information).
Personal data may be legally collected and used if it is necessary for a legitimate interest of the organization using the data, as long as that interest is not overridden by the privacy rights of the individual whose data is being used. APSCA's legitimate interests include:
(a) Governance, including delivery of our exempt purposes, statutory and financial reporting, and other regulatory compliance purposes;
(b) Administration and operational management, including responding to queries (regarding examinations, working/consultation groups, how to find an audit firm, registering to receive the newsletter, and complaints);
(c) Member services, including information about how to join APSCA, information about our membership services, the development of new services, and processing the payment of fees.
If you would like to change our use of your personal data in this manner, please get in touch with us using the details in the "How to contact us" section below.

5. Will we share this information with others?
We do not share, sell or rent your information to third parties for marketing purposes. Because of the nature of our organization, we do share information with members (and vice versa). However, this sharing is always done within the framework of our membership services and in accordance with the APSCA Data Security Policy. If you have any questions about this sharing, please contact us through the contact details below. We may allow our staff, consultants and/or external providers acting on our behalf to access and use your information for the purposes for which you provided it to us (e.g. to deliver mailings, to analyze data and to process payments). We only provide them with the information they need to deliver the relevant service under contract, and we make sure your information is treated with the same level of care as if we were handling it directly.

6. How do we protect the security of personal data?
We aim to ensure that there are appropriate physical, technical and managerial controls in place to protect your personal details. Any payment transactions will be encrypted in transit using TLS (the successor to SSL, and still commonly referred to by that name).

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

We encourage you to review the privacy statements of websites you choose to link to from the Website so that you can understand how those sites collect, use and share your information. We are not responsible for the privacy statements or other content on sites outside of the Website.

7. How long do we keep your data for?
We will keep your personal data for no longer than is necessary for the purposes for which it is processed, in accordance with our internal policies.

The length of time that data will be kept may depend on the reasons for which we are processing the data and on the laws or regulations that the information falls under, such as financial regulations, statutory limitation periods, or any contractual obligation we might have.
Subject to the above, we will typically store data relating to members for 7 years after their last payment or interaction with us.
Once the retention period has expired, the information will be confidentially disposed of, permanently deleted, or in some cases archived.
If you request to receive no further contact from us, we will keep some basic information about you on our suppression list in order to avoid sending you unwanted materials in the future.

8. Your rights
Under the European General Data Protection Regulation (GDPR) European residents have the following rights:

(a) Right of access
You have the right to know what information we hold about you and to ask, in writing, to see your records.
We will supply any information you ask for that we hold about you as soon as possible, but this may take up to 21 days. We will not charge you for this. You will be asked for proof of identity, as the person dealing with your request may not be the staff member you have met before. We need to be sure we are only releasing your personal data to you.
This is called a data subject access request and can be made by writing to us using the "How to contact us" details.

(b) Right to be informed
You have the right to be informed how your personal data will be used. This policy as well as any additional information or notice that is provided to you either at the time you provided your details, or otherwise, is intended to provide you with this information.
(c) Right to withdraw consent
Where we process your data on the basis of your consent (for example, to send you marketing e-mails) you can withdraw that consent at any time. To do this, or to discuss this right further with us, please contact us using the details in the “How to contact us” section below.

(d) Right to object
You also have a right to object to us processing data where we are relying on it being within our legitimate interests to do so (for example, to send you direct marketing by post). To do this, or to discuss this right further with us, please contact us using the details in the “How to contact us” section below.
(e) Right to restrict processing
In certain situations you have the right to ask for the processing of your personal data to be restricted, for example because there is some disagreement about its accuracy or the legitimacy of its use.

(f) Right of erasure
In some cases, you have the right to be forgotten (i.e. to have your personal data deleted from our database). Where you have requested that we do not send you marketing materials we will need to keep some limited information in order to ensure that you are not contacted in the future.
(g) Right of rectification
If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. To update your records please get in touch with us using the details in the “How to contact us” section below.

(h) Right to data portability
Where we are processing your personal data because you have given us your consent to do so, you have the right to request that the data is transferred from one service provider to another.

If you would like to exercise any of these rights please get in touch with us using the details in the “How to contact us” section below.
If you are resident outside the European Union and have concerns or questions about your personal information, please do get in touch, as we are committed to protecting your privacy as well.

9. What if you have questions or need to make corrections to your information?
We want to make sure that your personal information is accurate and up to date. Please let us know if your details change. We may also use publicly available sources to keep your records up to date (e.g. checking against deceased records). You may also ask us to correct or remove information you think is inaccurate.

You can also opt-out of receiving all or some of our marketing communications or request that we stop processing data about you for certain purposes (e.g. profiling) at any time by contacting us using the details below.

If you are unhappy with the way in which we have handled your personal data please contact us using the details below. You also may be entitled to make a complaint to the applicable regulatory body in the jurisdiction in which you are located.

If you believe that the information we hold may have been mishandled or that a breach of confidentiality has occurred, please contact APSCA's appointed Data Privacy Officer, Jonathan Ivelaw-Chapman, at data.privacy@theapsca.org, who will investigate and escalate to APSCA's Executive Board Chair as necessary.

10. Governing Law
This policy and the privacy practices of APSCA will be subject exclusively to the laws of the District of Columbia within the United States of America. You agree to submit any dispute arising out of your use of the Website to the exclusive jurisdiction of the courts in the District of Columbia. APSCA makes no representation that this policy and such practices comply with the laws of any other state or country. If you reside outside of the United States, by using the Website you consent to the transfer and use of your information outside your country. This data transfer is necessary to provide the membership services to you.

11. How will we let you know of changes to our privacy policy?
We may update this policy from time to time without notice to you, so please check it regularly. The privacy policy was last updated on 2 July 2018.

12. How to contact us
Please contact us if you have any questions about our privacy policy or information we hold about you:
By phone: +1 630 418 8548
By email: data.administrator@theapsca.org
Or write to us at: 1747 Pennsylvania Ave, Suite 1000, Washington DC 20006 USA