
Personally Identifiable Information

The Disclosure Schedule describes the types of Personally Identifiable Information collected (and the process by which such information is collected) by the Company or any of its Subsidiaries through Internet websites owned, maintained or operated by the Company or any of its Subsidiaries (“Company Sites”), and through any Company Products, including the types of Personally Identifiable Information and the method of its collection from the Employees. For all purposes of this Agreement, “Personally Identifiable Information” means any information that alone or in combination with other information held by the Company or any of its Subsidiaries can be used to specifically identify a Person. The Company and each of its Subsidiaries has complied with all applicable Laws, contractual and fiduciary obligations, and its internal privacy policies relating to (i) the privacy of users of Company Sites and (ii) the collection, storage, transfer and any other processing of any Personally Identifiable Information collected or used by the Company or any of its Subsidiaries in any manner or maintained by third parties having authorized access to such information. Copies of all current and prior privacy policies of the Company or any of its Subsidiaries that apply to the Company Sites, Company Products, and the Employees have been Made Available to Parent and Section 4.14(r) of the Disclosure Schedule identifies, with respect to each privacy policy, the period of time during which such policy was or has been in effect, whether the terms of a later privacy policy apply to the data or information collected under such privacy policy; and, if so, the mechanism (e.g., opt-in, opt-out, notice) used to apply the later privacy policy to such data or information. 
Each such privacy policy and all materials distributed or marketed by the Company or any of its Subsidiaries have at all times made all disclosures to users or customers and the Employees required by applicable Laws, and none of such disclosures made or contained in any such privacy policy or in any such materials has been inaccurate or in violation of any applicable Laws. Neither this Agreement nor the transactions contemplated by this Agreement, nor the transfer to Parent or Parent’s possession or use (as such information has been used by the Company or any of its Subsidiaries) of any Personally Identifiable Information, will result in any violation of any Law or Company privacy policy.


Protection of Personally Identifiable Information. With respect to all Personally Identifiable Information, the Company and each of its Subsidiaries has at all times taken all commercially reasonable steps (including, without limitation, implementing and monitoring compliance with industry standard measures with respect to technical and physical security) to ensure that the Personally Identifiable Information is protected against damage, loss and against unauthorized access, use, modification, disclosure or other misuse. There has been no unauthorized access to or other misuse of that Personally Identifiable Information.

1. Data Privacy Laws:

  • GDPR: The General Data Protection Regulation (EU) sets a high standard for data protection. It requires a lawful basis for every processing activity (consent is one of six such bases, not the only one), grants data subjects rights of access, rectification, erasure and portability, requires security measures appropriate to the risk, and obliges controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.
  • CCPA: The California Consumer Privacy Act (US), as amended by the CPRA, grants consumers the right to know what PII is collected about them, to opt out of its sale or sharing, to request its correction or deletion, and to limit the use of sensitive personal information.
  • Other Laws: Many countries and states have their own data privacy laws, such as the LGPD (Brazil), the PDPA (Singapore) and the UK GDPR; a product sold in several jurisdictions must satisfy each of them, not just the one where the company is incorporated.

2. Financial Regulations:

  • GLBA: The Gramm-Leach-Bliley Act (US) requires financial institutions to protect the security and confidentiality of customer financial information; its Safeguards Rule requires a written information security program with a designated owner, risk assessment, access controls, encryption and incident response.
  • PSD2: The Payment Services Directive 2 (EU) regulates electronic payments and requires strong customer authentication (SCA) for most remote transactions, secure communication between payment service providers, and protection of payment data.
  • Other Regulations: Depending on the specific financial services offered, companies may also need to comply with anti-money laundering (AML), know-your-customer (KYC) and fraud-prevention rules, which themselves require collecting and retaining identity data and so must be reconciled with the data-minimization and retention obligations of the privacy laws above.

3. Data Security Standards:

  • PCI DSS: The Payment Card Industry Data Security Standard applies to any organization that stores, processes or transmits cardholder data; the scope (and therefore the audit burden) is determined by which systems can reach that data, so segmenting or outsourcing card handling to a tokenizing payment processor is the usual way to keep it small.
  • ISO 27001: An international standard for information security management systems (ISMS), certifiable by an accredited auditor; it specifies the management system and control selection process rather than prescribing specific technical controls.
  • NIST Cybersecurity Framework: A voluntary framework of outcomes (Identify, Protect, Detect, Respond, Recover, and, in version 2.0, Govern) that organizations use to structure and measure their cybersecurity risk management.

4. Contractual Obligations:

  • Data Processing Agreements: Companies that share PII with third-party vendors need data processing agreements in place (GDPR Article 28 requires one whenever a processor acts on a controller's behalf) that set out the purpose and duration of processing, security obligations, sub-processor approval, breach notification and deletion or return of the data at the end of the contract.
  • Service Level Agreements: Contracts with customers should include provisions on data protection, security, breach notification timelines and the audit or assurance evidence (for example SOC 2 or ISO 27001 reports) the company will provide.

Examples of Compliance Measures:

  • Data Minimization: Collect only the PII that is necessary for the service, and record the purpose for each field so that later requests to reuse the data can be checked against it.
  • Data Encryption: Encrypt PII in transit (TLS for every client and service-to-service connection) and at rest, and manage the keys separately from the data so that a copy of the database or backup is useless without access to the key store.
  • Access Control: Grant access to PII on a least-privilege, need-to-know basis, require strong authentication for anyone who can reach it, and log every access so that misuse can be detected and investigated.
  • Data Retention: Establish clear retention periods for each category of PII, securely dispose of it when the period expires, and make sure backups and analytics copies follow the same schedule rather than retaining data indefinitely.
  • Incident Response: Have a tested plan to detect, contain and investigate data breaches and to notify affected individuals and regulators within the statutory deadlines (72 hours to the supervisory authority under the GDPR).
  • Employee Training: Train employees on data protection and security policies and procedures, with additional training for the roles that handle PII directly.
  • Regular Audits: Conduct regular audits and access reviews to confirm that the controls above are actually in place and that compliance with applicable laws and regulations is maintained.

Additional Considerations:

  • Cross-Border Data Transfers: If PII is transferred across borders, companies need a valid transfer mechanism. For transfers out of the EU these include adequacy decisions (the EU-US Data Privacy Framework for certified US companies, adopted in 2023), Standard Contractual Clauses and Binding Corporate Rules; the earlier EU-US Privacy Shield was invalidated by the Court of Justice of the EU in 2020 (Schrems II) and can no longer be relied on, and transfers under Standard Contractual Clauses require a transfer impact assessment of the destination country's laws.
  • Emerging Technologies: Companies need to consider the data privacy implications of new technologies, such as artificial intelligence (training models on customer PII, automated decision-making) and blockchain (immutable ledgers conflict with erasure rights).
  • Ongoing Monitoring: The regulatory landscape is constantly evolving, so companies need to track new laws, regulations and court decisions and adapt their compliance programs accordingly.

By implementing these measures, SaaS companies working in FinTech can substantially reduce their legal and security risk around PII, support the kind of representations made in the clause above, and build trust with their customers.