Effective Date: 08/25/2020
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield
In light of the July 17, 2020, "Schrems II" decisions, the European Court of Justice has decided that the EU-US Privacy Shield is no longer a valid international transfer option. We plan to maintain our Privacy Shield certification as good practice, although we no longer rely upon it as a basis for transfer and are discussing proposed alternative solutions with any partner still relying on it for EU-US transfers. The problem is a political difference between the US and the EU view on Mass Surveillance vs Individual Privacy, and therefore we are monitoring the situation in the hope that a new political and practical solution will be reached between them.
The option remaining open to us for data transfers from the EU to the US is Standard Contract Clauses; however, we appreciate that these do not fully alleviate all concerns raised in “Schrems II,” and are therefore engaging with our partners to:
1) review all of our data transfers globally to identify areas which require change.
2) switch Privacy Shield transfers to EU approved Standard Contract Clauses (SCCs) as a default.
3) where such data transfers under SCCs enter countries where we have reason to believe the laws could place our customer data at risk of mass surveillance or capture by authorities without appropriate redress, we will aim to introduce additional contractual, organizational and technical safeguards* to further protect your information.
*Safeguards could include but are not limited to: contractual indemnity clauses with our partners; data minimization of transfer; anonymization to reduce identifiability; data localization in the EU/UK; data encryption to render data transferred unintelligible; and as applicable, contractual terms that require processes, including notice to the controlling company, of any governmental request or seizure as allowed by law; internal policies pertaining to governmental requests, focused on limiting data, approvals and process, and notices; risk assessments against all data transfers, regardless of whether BCRs, derogations, or SCCs are used as the adequacy mechanism.
By default, we keep all data at rest encrypted in datacenters and devices, and by default our standard is to ensure data is encrypted in transit for customers.
Further, we are aware of the UK's exit from the European Union in March 2020, and the end of the current transition period on December 31, 2020. We are aware that the UK Government hopes for a positive adequacy decision from the EU by then to allow data transfers to continue, but we will continue to monitor the situation in case alternative transfer mechanisms from EU to UK or UK to US become available or necessary. We will continue to rely on legal derogations for case by case transfers where appropriate and will identify where this is the case.
CORT Business Services Corporation participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List. https://www.privacyshield.gov
CORT Business Services Corporation is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. CORT Business Services Corporation complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, CORT Business Services Corporation is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
1. Categories of Personal Information We Collect
We collect and maintain different types of personal information that you and/or your employer provide to us on a voluntary basis. This may include:
- Personal information such as given name(s), preferred name(s), gender, marital status;
- family information such as names and contact details of spouses and dependents;
- contact information such as address, telephone/mobile number, email address;
- employment information such as role/title, name of current employer, work address, work telephone, work email address, fax number;
- product and service related information concerning the products and services that we provide to you or programs that we offer;
- for parties with whom we do business, credit and financial information such as your payment methods and preferences, and billing and credit history, where applicable; and
- business relationship information, including information related to your agreements, preferences, advisors and decision-makers, feedback and information requested by or provided to you.
If you email us a question or request, we may use your email address to process your request and respond to your question.
If you reach out to us through our call center, we may record the call for internal purposes only, and will collect your name, email address, phone number, and any information necessary to provide customer service, potentially including your employer and/or payment information.
2. How We Collect Personal Information
In order to provide relocation services, CORT receives information about you from your employer, and collects information directly from you for that purpose. In addition to this direct contact with you and your employer in writing or by phone, as described above, CORT also collects information through the following methods:
Throughout our websites, we have provided Site visitors various forms from which they can request additional information about CORT products and services, or from which they can request to speak with a CORT customer service representative. On these forms, visitors are prompted to provide their names, contact information and, in some cases, other personally identifiable information pertinent to the request.
We also collect information about the nature of your use of the Site. We collect this information and use it in the aggregate to monitor the Site, to improve Site offerings and for targeted promotional or marketing initiatives. Aggregated data are compiled into statistical and demographic information that we use, and may share with others, to show preferences of Site users in the aggregate, but not the preferences of any individual users. If we share this kind of aggregated data with third parties, it will not include a level of detail that would permit a third party to associate an individual user with the user's usage or preferences. We may combine autonomous information with personally identifiable information to identify a user in order to enforce the Website Terms & Conditions.
We collect your location-based information for the purpose of locating a place that you may be searching for in your area. We will only share this information with our mapping provider for the sole purpose of providing you this service. You may opt out of location-based services at any time by emailing us at email@example.com.
We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. This helps us to update, expand and analyze our records, identify new customers, and provide products and services that may be of interest to you. If you provide us personal information about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. If you believe that one of your contacts has provided us with your personal information and you would like to request that it be removed from our database, please contact us at PrivacyQA@cort.com and include the CORT domain at issue.
Examples of the types of personal information that may be obtained from public sources or purchased from third parties and combined with information we already have about you, may include: Company, Occupation, Job Title, Mailing Address.
3. How We Use the Information We Collect
We use the personally identifiable information we collect on the Site to ensure compliance with the website Terms & Conditions, to offer and render our services and to respond to our users' queries. We also use personal information from you to enable us to manage, maintain, and develop our business and operations, including:
- to establish, maintain and manage our relationship with you so that we can provide the programs, products and services that have been requested;
- to be able to review the products and services that we provide to you so that we may understand your requirements for our programs, products and services and so that we may work to improve our products and services;
- to be able to provide the needed support and customer care;
- to administer or otherwise carry out our obligations in relation to any agreement you or your employer have with us;
- to protect us against error, breach of contract, negligence, fraud, theft, illegal activity and damage to our goods and property;
- to alert you to updated information and other new products and services from us, or third-parties, or to forward promotional materials to you, where you have consented to receive such information;
- to complete a transaction or service requested by you or your employer;
- to respond to inquiries or requests submitted by you or your employer;
- to ensure the Sites are relevant to your needs;
- to help us create and publish content most relevant to you;
- to enable us to comply with applicable law or regulatory requirements; and
- any other reasonable purpose to which you consent.
Personally identifiable information is accessible by our employees, contractors and agents to the extent reasonably necessary for these purposes. In addition, we also use this information to generate a list of email addresses to which we send correspondence from CORT Business Services. Such correspondence may include occasional updates about our products and services, invitations to attend CORT events and to visit our booths at relevant trade shows and information relevant to any business that you may choose to do with CORT. By submitting information to us through the provided forms, you consent to our placing your email address on this "opt-in" list.
As is true of most websites, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.
4. How We Share the Personal Information We Collect & Categories of Companies We Share Personal Information With
We may share your information with third-party business partners, for instance, for the purpose of enhancing our products and services. If you do not want us to share your personal information with these companies, contact us at PrivacyQA@cort.com and include the CORT domain at issue.
We may share your information with third parties who provide services on our behalf to help with our business activities. These companies are authorized to use your personal information only as necessary to provide these services to us and use measures to protect the confidentiality and security of your personal information.
These services may include:
- Providing our relocation services, fulfilling orders and delivering packages
- Payment processing
- Providing customer service
- Sending marketing communications
- Conducting research and analysis
We may share your geo-location data with third parties for the purpose of them serving you ads for places (such as restaurants) in your area. If you do not wish to allow us to share your information in this manner, please opt out by contacting us at firstname.lastname@example.org and including the CORT domain at issue.
We have the right to disclose and transfer user lists and related personally identifiable information in connection with any merger, sale or contemplated sale of all or part of our business related to the Site and to treat such information as a business asset in the event of bankruptcy or liquidation. You will be notified via email and/or a prominent notice on our website, of any change in ownership, uses of your personal information, and choices you may have regarding your personal information.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose personally identifiable information to a third party if disclosure is required to comply with a subpoena, court order and/or other legal instrument, legal proceeding or relevant law; or if there is an immediate, imminent threat to the safety of any person, CORT or the Site.
We may also disclose your personal information to any other third party with your prior consent.
5. Removal from CORT's "Opt-in" Email List.
Should you wish to stop receiving emails from CORT Business Services, you may remove yourself from the "Opt-in" email list by sending an email to email@example.com and including the CORT domain at issue.
You may also contact us in the following ways:
- Phone: 800.962.CORT (2678)
- Fax: 703.968.8502
15000 Conference Center Drive
Chantilly, VA 20151
We use industry-standard security methods such as firewalls, encryption and system access controls. However, as no computer or network-based product exists that can provide "perfect security," we cannot guarantee that the steps we have taken to secure your information will prevent our systems from being compromised and your information from being disclosed. If you have any questions about the security of your personal information, you can contact us at PrivacyQA@cort.com.
7. Modifying Information.
Upon request, CORT Business Services Corporation will provide you with information about whether we hold any of your personal information. You may add, access, correct, or request deletion of your personal information by clicking this link PrivacyQA@cort.com and including the CORT domain at issue. We will respond to your request within a reasonable timeframe.
In certain circumstances we may be required by law to retain your personal information or may need to retain your personal information in order to continue providing a service.
8. Links to Other Websites.
The Site may contain links to websites that are not affiliated with CORT and that may or may not have similar practices in place to protect the privacy of information that you supply. We encourage you to review the privacy statements of each of the sites that are linked to or accessed from the Site so that you will be aware of how each visited site collects, uses and distributes such information.
9. GDPR Individual Rights Policies
Please note: To protect your privacy, we may ask for additional information to verify your identity in order for us to respond to your request.
Users in the European Union only:
Under EU Regulation 2016/679 of the European Parliament and the Council, the General Data Protection Regulation (“GDPR”), you have a number of rights when it comes to your personal information. Further information and advice about your rights can be obtained from the data protection regulator in your country of residence within the EU. You can exercise any of these rights by contacting us through our email or mailing address in Section 11 – “Contact Us” below.
The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this Policy.
The right to rectification. You are entitled to have your information corrected if it is inaccurate or incomplete.
The right to erasure. This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.
The right to restrict processing. You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
The right to data portability. You have rights to obtain and reuse your personal data for your own purposes across different services. For example, if you decide to switch to a new provider, this enables you to move, copy or transfer your information easily between our IT systems and theirs safely and securely, without affecting its usability. This is not a general right however and there are exceptions.
The right to object to processing. You have the right to object to certain types of processing, including processing for direct marketing (i.e. receiving emails from us notifying you about other services we provide which we think may be of interest to you or being contacted with varying potential opportunities). You may change your preferences regarding email or newsletters as described above.
The right to lodge a complaint. You have the right to lodge a complaint about the way we handle or process your personal data with your national data protection regulator.
The right to withdraw consent. If you have given your consent to anything we do with your personal data (i.e. we rely on consent as a legal basis for processing your personal information), you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). You can withdraw your consent to the processing of your personal information at any time.
10. Your California Privacy Rights
The California Consumer Privacy Act (“CCPA”) affords the Californian consumer specific rights regarding personal information. These rights have been described in this policy overall and are further highlighted in this section. If you have a specific question or concern about your rights, or questions about our policy in support of your rights as a Californian consumer, please contact us at the address, website or phone number below.
What is Personal Information under the CCPA?
“Personal information” is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Your Rights with regard to your Personal Information:
You have the right as a Californian consumer to expect disclosures as to how we collect, use and care for personal data and whether we, for our benefit or on behalf of another company, share or sell the personal information we collect or process for commercial gain. We have provided these disclosures in the above sections of our Privacy Notice.
You can continue to expect us to disclose how we collect personal information and the sources from which we may obtain that information, and the specific personal information or categories of information that we have collected. You have a right to the disclosure of the business or commercial purposes we have for collecting or selling personal information, the legal basis on which we do so, disclosure of the categories of personal information that have been sold, transferred, shared or disclosed in the preceding 12-month period for commercial purposes, and the categories of recipients to which that personal information has been disclosed, shared, transferred or sold. The CCPA requires opt in consent to data use for minors under the age of 16 and verified parental consent for children under the age of 13. If notified that children have provided data without appropriate process and consent, it will be deleted as immediately as practicable on advisement. Lastly, you have the right to ask what information we have about you specifically.
You may exercise these rights without concern. You cannot be denied benefits or services or charged differently for doing so. We, or our partners, on verification of your identity and legitimate standing to make the request, and if not an undue or unreasonable hardship for the company, shall act on your request, or at a very minimum, advise you as to why we cannot. There are specific reasons under the law which prevent accommodation of some requests, but if denied, we will advise as to why, to whom you may submit a complaint, and your options for challenge, redress or escalation.
You may make a verifiable request to exercise the following rights, free of charge to you, twice in a 12-month period, and we are obligated to respond within a period of 45 days.
You can exercise any of these rights by contacting us through our email or mailing address in Section 11 – “Contact Us” below.
Please note: To protect your privacy, we may ask for additional information to verify your identity in order for us to respond to your request.
Access: You have the right to request disclosure of the personal information we hold, and to receive additional details regarding the personal information the business collects and its use purposes, including any third parties with which it shares information. Much of this information is presented in the above sections of the Privacy Notice, as well.
Delete: You have the right to request that we erase your personal information and for us to direct the same of any third-party service providers processing your data on our behalf.
Portability: Request that any information electronically held be returned in a format permitting its transfer to another service.
WE DO NOT SELL, DISCLOSE, SHARE OR TRANSFER DATA FOR THE COMMERCIAL BENEFIT OF ANY PARTY. PERSONAL DATA OR THE BENEFIT OF ITS USE IS NEVER PROVIDED IN COMPENSATION FOR SERVICES.
That does not mean that we do not share your data with other parties; but, as described in the above sections of the Privacy Notice, any disclosure of data is solely performed for the operation of the site and provision of services.
If you would like to submit a complaint about our use of your personal information or our response or handling of your requests regarding your personal information, you may contact us as described above.
For more information on the California Consumer Privacy Act please visit https://www.oag.ca.gov/privacy/ccpa
11. Contact Us.
CORT Business Services Corporation
15000 Conference Center Drive
Chantilly, VA 20151
Phone: 800.962.CORT (2678)
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Websites owned and operated by CORT Business Services Corporation: