This supplemental section of Huron’s Privacy Statement is directed at and applies to individuals located in the European Union (“EU”), United Kingdom (“UK”), Switzerland, or where applicable EU data protection laws (e.g., the General Data Protection Regulation (“GDPR”)) applies.
International Transfers of Your Personal Data
By using the website or providing Personal Data to Huron, your Personal Data may be transferred to the United States, where Huron is headquartered, or to other Huron locations where we carry out our support activities. Your country’s laws governing data collection and use may differ from those in the United States or other Huron locations. For example, the data protection laws of the United States, India, and most other countries have not been found by the European Commission to provide the same level of protection as EU data protection law. Some of the entities with whom we share your Personal Data are also located in countries whose laws have not been deemed by the European Commission to provide the same level of protection to your Personal Data. Only a small number of countries have been officially recognized by the European Commission as providing an adequate level of protection (list available here). Transfers to Huron entities and others located in countries outside the European Economic Area (“EEA”), UK, or Switzerland take place on the basis of an adequacy finding by the relevant authority (i.e., European Commission, Swiss Federal Data Protection and Information Commissioner (“FDPIC”), UK Information Commissioner’s Office (“ICO”) or other competent supervisory authority), EU Standard Contractual Clauses (or other standard contractual clauses approved by a competent supervisory authority), or other appropriate GDPR or applicable law derogations. Please contact privacy@huronconsultinggroup.com if you want to receive further information.
EU-U.S. and Swiss-U.S. Privacy Shield
Special 2020 Privacy Shield Notice: Please note that with respect to Personal Data received from the EEA, UK, and Switzerland in reliance on Huron’s Privacy Shield certification prior to July 2020, and received from Switzerland prior to September 2020, Huron continues to process such Personal Data (previously transferred) in accordance with the Privacy Shield Principles, as the Privacy Shield framework requires. However, the European Commission’s EU-U.S. Privacy Shield adequacy decision was invalidated by the Court of Justice of the European Union in July 2020, and the Swiss-U.S. adequacy decision was revoked by the Swiss FDPIC in September 2020; and as such, Huron no longer relies on its Privacy Shield certification for current and future transfers of Personal Data from the EEA, UK, and Switzerland to the U.S. As noted above, we rely on other appropriate GDPR Art. 46 and 49, UK Data Protection Act Ch. 5, or Swiss Federal Data Protection Act Art. 6 provisions to validate transfers of Personal Data from the EEA, UK, and Switzerland to third countries.
Huron complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the EEA, UK, and Switzerland to the United States prior to July 2020 with regard to the EEA and UK, and September 2020 with regard to Switzerland. Huron has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. Our Privacy Shield certification applies to all U.S. entities and subsidiaries covered in our Privacy Shield certification record, accessible here. Huron and its controlled U.S. subsidiaries subject to the Privacy Shield Principles hold and process all Personal Data previously received from the EEA, UK, and Switzerland, in reliance on our Privacy Shield certification, to Privacy Shield Principles. If there is any conflict between the terms in this Privacy Statement and the Privacy Shield Principles related to Personal Data transferred in reliance on our Privacy Shield certification, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. Huron is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
When we receive written complaints submitted as instructed herein, we will follow up with the person who made the claim. If you have a complaint or concern, please contact us and we will attempt to resolve it. If we are unable to do so, we have designated JAMS, a worldwide provider of alternative dispute resolution services, as our independent recourse mechanism to address complaints and provide appropriate recourse free of charge to individuals covered by the Privacy Shield. The website for submitting complaints which have not been resolved directly by Huron can be found here. Individuals covered by the Privacy Shield may seek binding arbitration for limited types of claims. For additional information about the Privacy Shield arbitration process, please visit the Privacy Shield website at Privacy Shield Arbitration. If a service provider providing services to Huron processes Personal Data from the EEA, UK, or Switzerland that is subject to the Privacy Shield in a manner inconsistent with the Privacy Shield Principles, Huron will be liable unless we can prove we are not responsible for the event giving rise to the damages.
Your European Privacy Rights
If you are visiting the website from the EU, UK, or Switzerland or where applicable EU data protection laws so provide, you may exercise the following rights regarding your Personal Data:
Access. You have the right to obtain from us confirmation if your Personal Data is being processed and certain information in this regard.
Rectification. You have the right to request the rectification of inaccurate Personal Data and to have incomplete data completed.
Objection. You have the right, when we process Personal Data on the grounds of legitimate interests, to object to the processing of your Personal Data for compelling and legitimate reasons relating to your particular situation, except in cases where legal provisions expressly provide for that processing. In addition, you have the right to object at any time where your Personal Data is processed for direct marketing purposes.
Portability. You may receive your Personal Data that you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit them to other data controllers without hindrance. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.
Restriction. You may request to restrict processing of your Personal Data (i) while we verify your request – if you have contested the accuracy of the Personal Data about you which we hold; (ii) if the processing is unlawful and you oppose the erasure of it and request restriction instead; (iii) if we no longer need it, but you tell us you need it to establish, exercise or defend a legal claim; or (iv) while we verify your request if you have objected to processing based on public or legitimate interest.
Erasure. You may request to erase your Personal Data if it is no longer necessary for the purposes for which we have collected it, you have withdrawn your consent and no other legal grounds for the processing exists, you objected and no overriding legitimate grounds for the processing exist, the processing is unlawful, or erasure is required to comply with a legal obligation.
Right to lodge a complaint. You also have the right to lodge a complaint with a supervisory authority, in particular in the jurisdiction of your residence, or the location where the issue that is the subject of the complaint occurred.
Right to refuse or withdraw consent.Please note that in case we ask for your consent to certain processing, you are free to refuse to give consent and you can withdraw your consent at any time without any adverse negative consequences. The lawfulness of any processing of your Personal Data that occurred prior to the withdrawal of your consent will not be affected.
If you have questions about exercising any of those rights or their applicability to any of our particular processing activities or have questions about any data transfer mechanism or want a copy thereof, you may contact us at privacy@huronconsultinggroup.com or at the address provided below.
EU Representative
VeraSafe has been appointed as Huron’s representative in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. If you are in the European Economic Area, VeraSafe can be contacted in addition to Huron’s Chief Privacy Officer (available at privacy@huronconsultinggroup.com), only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland