Policy Last Updated 1/3/2020
CDP’s Data Privacy Policy
Objective
This comprehensive Data Privacy Policy (“Policy”) discloses the privacy practices for CDP (hereinafter “CDP,” “we,” “our,” or “us”). This Policy applies to information Collected by this website and information Collected from our Clients.
Because CDP understands the importance of protecting the confidentiality of sensitive data, including our clients’ member, prospect and donor data, CDP safeguards and stewards all non-publicly available data in a controlled manner following guidelines based on CDP’s data classification system, in addition to what is mandated by applicable laws and regulations.
The purposes of this Policy are:
1. To identify the categories of Personal Data that CDP Collects and/or Processes
2. To describe what we do with the Personal Data we Collect
3. To describe individual’s rights in relation to their Personal Data pursuant to applicable Data Privacy Laws
4. To describe the security measures CDP has in place to protect Personal Data
What Personal Data We Collect and How We Use it
CDP Collects and Processes Personal Data in the course of its business activities, including in connection with some Client services. CDP’s Processing includes, but is not limited to, using the information/data received for predictive analysis, research, and performance analysis and report preparation. The findings from these efforts will be shared back with the originating station. Station-specific performance data will not be shared with other public broadcasting stations except in instances where top-performers are identified in each category that is being analyzed. In addition, summarized, aggregated, non-donor-specific data will be shared at industry meetings, webinars and also on password protected sections of the CDP website. Access to this website will only be allowed for stations participating in CDP. Furthermore, we may share aggregated data and statistical trend information with outside parties, but we will not share station-identifiable information. CDP will use the aggregated data and trend information in white papers, studies, and industry presentations. We also Collect and Process Personal Data on certain areas of our Website.
CDP will not intentionally disclose, transfer, or sell your Personal Data to third-parties without your consent or as otherwise permitted by law, whether for such third-parties’ own marketing purposes or otherwise, except as follows. CDP may share your Personal Data with contracted third-party service providers engaged by CDP to provide services related to CDP’s business activities and the activities of CDP’s client member stations, including providing customer support, fundraising, gift processing and related services. We maintain processes designed to ensure that any Processing of Personal Data by third-party service providers is consistent with this Privacy Policy and protects the confidentiality, availability, and integrity of your Personal Data.
Information that has been de-identified is not Personal Data. CDP may de-identify Personal Data only if it:
· Has implemented technical safeguards that prohibit reidentification of the Data Subject to whom the information may pertain;
· Has implemented business processes that specifically prohibit reidentification of the information;
· Has implemented business processes to prevent inadvertent release of deidentified information; and
· Makes no attempt to reidentify the information.
Personal Data Collected from Visitors to Our Website
CDP may Collect Personal Data from visitors to our website. CDP respects the privacy of visitors to our website. You can visit our website without telling us anything about yourself. If you contact us and choose to provide your Personal Data, we will collect and use this Personal Data for the purposes for which you submitted it to us, namely to respond to your inquiry, to provide you with information that you have requested, to bill you for products and services you have requested, to market products and services which we think are of interest to you, or to communicate with you for other purposes which are evident from the circumstances or about which we inform you when we collect Personal Data from you. CDP may Collect and/or Process the following categories of Personal Data from visitors to our website:
· Identifiers, including postal addresses, email addresses, and phone numbers
· Information protected against security breaches, including real names, usernames and passwords
Personal Data Collected in the Course of Business Activities
CDP may Collect Personal Data about you from third-parties, such as our Clients, in the course of its business activities including in connection with some Client services. We will always seek to confirm that the third-party and/or Client has informed you in advance about its use of this data. CDP will Process Personal Data Collected from our Clients solely for the purposes of providing our services and fulfilling our obligations to a Client as described in the Agreement, on a Client’s behalf, and for no other purposes, unless required to do otherwise by law.
CDP may Collect and/or Process the following categories of Personal Data in relation to our Client Services:
· Identifiers, including postal addresses, email addresses, and phone numbers
· Information protected against security breaches, including real names, financial account information, usernames and passwords
· Commercial information
· Internet/electronic activity, including information regarding a consumer’s interaction with our Internet website
· Professional or employment related information
· Geolocation
Individual Rights
Any Data Subject whose Personal Data has been Collected by the CDP retains the following rights:
· The right to request that CDP disclose to you the following:
o The categories of Personal Data we have Collected about you
o The specific pieces of Personal Data we have Collected about you
o The categories of sources from which the Personal Data is Collected
o The business or commercial purpose for Collecting Personal Data
o The categories of third-parties with whom we share Personal Data
· The right to request that your Personal Data be deleted or transferred, to the extent that such deletion or portability is technically possible or permitted by applicable Data Privacy Laws
· The right to have any inaccurate Personal Data rectified
· The right to restrict the Processing of your Personal Data under certain circumstances as outlined by applicable Data Privacy Laws.
Any such requests shall be responded to in a timely manner and in a format complaint with applicable Data Privacy Laws.
CDP will not sell your Personal Data.
CDP will not discriminate against you for exercising your privacy rights.
If you wish to contact us to receive further information regarding our use of your Personal Data, or if you wish to access your Personal Data (e.g., make a verifiable consumer request), please email us at cdp@cdpcommunity.org or call us at (617) 300-2526. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
· Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, and
· Describe your request with sufficient detail that allows us to understand, evaluate and respond to it.
Data Security
We take precautions including administrative, physical and technical safeguards to protect Personal Data that are no less rigorous than accepted industry practices and shall ensure that all such safeguards, including the manner in which Personal Data is collected, accessed, used, stored, processed, disposed of and disclosed, comply with applicable Data Privacy Laws, as well as the terms and conditions of our Agreements with our Clients.
Employee Training
We believe that the best defense for data security is responsible and proactive employees. All permanent CDP employees have passed criminal background checks and past employment and education verifications. All employees are required to comply with the provisions of this Policy and are strictly prohibited from using Personal Data in any nonconforming manner during or after employment with CDP. All CDP employees must review and acknowledge CDP’s Confidential Information Policy and must complete Security Awareness training, in addition to annual refresher courses, and any other ongoing supplemental training as deemed appropriate based on current threats, regulatory changes or changes with the tools utilized by CDP and within the technology landscape.
Third-Party Vendor Agreements
We may disclose Personal Data to Third-Party Vendors insofar as reasonably necessary in providing our services and for the fulfillment of contractual obligations and in the course of conducting our business. CDP exercises appropriate diligence in selecting service providers capable of maintaining appropriate safeguards to sensitive information provided to, accessed, or maintained by them on CDP’s behalf. All new vendors wishing to enter into an agreement with CDP, or existing vendors wishing to renew an agreement, are subject to CDP’s Vendor Security Protocol, which includes guidelines and requirements for handling Personal Data that are compliant with all applicable Data Privacy Laws as well as this Policy.
Data Retention
Personal Data will be retained by CDP for the intended purposes in accordance with applicable Data Privacy Laws and company policies. Once Personal Data is no longer needed, it will be promptly deleted or anonymized in accordance with applicable Data Privacy Laws.
Reporting Attempted or Actual Breaches of Security
CDP will promptly notify its Clients of any Security Breach consistent with contractual commitments and applicable Data Privacy Laws and will follow an established Incident Response Plan. CDP will comply with any Security Breach-related obligations directly applicable to it under Data Privacy Laws, will provide reasonable assistance to Client in Client’s compliance with its Security Breach-related obligations.
Internal Enforcement
Any employee who willfully, or through gross negligence, accesses, discloses, misuses, alters, destroys or otherwise compromises Personal Data without authorization, or fails to comply with this Policy in any other respect will be subject to disciplinary action, including termination.
Children
Our website is not directed at children. We do not knowingly collect Personal Data from children under the age of 16. If you are a parent or guardian and believe your child has provided us with Personal Data without your consent, please contact us at cdp@cdpcommunity.org or call us at (617) 300-2526 and we will take steps to delete such Personal Data from our systems.
Updates to this Policy
CDP may, at any time, revise this privacy Policy by updating this posting. If we revise this Policy, we will update the date at the top of this Policy. The most recent Policy will apply to any Personal Data that we Collect and/or Process.
Definitions
Client
“Client” means any public media organization participating in CDP’s services.
Collect
“Collect” means buying, renting, gathering, obtaining, receiving, or accessing any Personal Data by any means, either actively or passively, or through observation of an individual’s behavior.
Data Custodian
“Data Custodian” means that person responsible for maintaining the technology infrastructure that supports access to the data, safe custody, transport and storage of the data and provide technical support for its use.
Data Privacy Laws
“Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”). For the avoidance of doubt, if CDP’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Policy.
Data Subject
“Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
Payment Gateway
“Payment Gateway” means any merchant service provided by an e-commerce application service provider that authorizes credit card or direct payments Processing for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar.
Personal Data
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
Process
“Process” and its cognates mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as Collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Security Breach
“Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.