Last reviewed July 31, 2023
Software Platform Users
Data Protection Legislation
PMC complies with the EU/UK Data Protection Law and California Consumer Privacy Act regarding the collection, use, and retention of Personal Data, and with regard to the EU/UK Data Protection Law, data transferred from the European Union or United Kingdom to the United States.
PMC is responsible for the processing of personal data it receives, under these data protection legislation frameworks, and subsequently transfers to a third party acting as an agent on its behalf.
EU-U.S. Data Privacy Framework (EU-U.S. DPF)
PMC is responsible for the processing of personal data it receives, under the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. In addition to compliance with current Data Protection Legislation, PMC complies with the EU-U.S. DPF Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
“Data Protection Legislation” means, as applicable to a party and its Processing of Personal Data: (i) CCPA and any national data protection laws made under the CCPA, and (ii) EU/UK Data Protection Law;
“EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR“); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR“); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
“Personal Data” means any information that (i) is protected as “personal data”, “personal information” or “personally identifiable information” under Data Protection Legislation
Scope and Responsibility
Some types of Personal Data may be subject to other privacy-related requirements and policies. For example:
- Personal Data regarding and/or received from a client is also subject to any specific agreement with, or notice to, the client, as well as additional applicable laws and professional standards.
If you are an employee of a company that is a customer (client entity) of PMC, as part of our Software as a Service (SaaS) or other service offerings, we may collect the following Personal Data from your employer about you such as: First Name, Middle Initial, Last Name, Tax ID, Address, Office Phone, Cell Phone, Fax, Email address, Equity Plan Grants, Securities Holdings, Date of Birth, Hire Date, Retirement Eligibility Date, Annual Compensation, Transfer Agent Account Number, Financial Account Number, or Broker Account Number. PMC collects information submitted by client entities in order to facilitate the management and administration of equity compensation plans and shareholder and securities transactions. Not all of these fields are required and hence they may or may not be stored in our database.
Data Privacy Principles
The Personal Data PMC receives comes from use of our services and software platform by company administrators on behalf of employees and share plan participants of a client entity, and from use of our software platform by employees or share plan participants of a client entity. In some circumstances, Personal Data may be received from a third party agent authorized by the client entity to provide such data to PMC for the sole purpose of providing the requested services. PMC uses this Personal Data solely to directly contact individuals who express interest in receiving our services or to provide such services. PMC does not sell any Personal Data to any third parties.
PMC informs client entities providing their employees’, shareholders’ and share plan participants’ Personal Data of the purpose for which PMC collects and uses the Personal Data and the types of non-agent third parties to which PMC discloses or may disclose that Information. If the individual is providing his or her Personal Data directly, then PMC shall provide the individual with the choice and means for limiting the use and disclosure of their Personal Data for any purpose other than those necessary for the processing of services for which it was originally collected.
Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to PMC, or as soon as practicable thereafter, and in any event before PMC uses or discloses the Information for a purpose other than for which it was originally collected.
If in connection with providing its services, PMC receives Personal Data indirectly through an administrator employee or client entity authorized third party, and not the individual with respect to which the Personal Data is regarding, then the administrator employee or authorized third party agent has received the express or implied consent of the applicable employee with whose Personal Data is being provided.
We will provide an individual opt-out or opt-in choice before we share their data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected subsequently authorized.
To limit the use and disclosure of your personal information, please submit a written request to [email protected]
By using PMC’s services and providing Personal Data to PMC through such use, individuals or administrators on behalf of those individuals, have opted to authorize PMC to use the Personal Data for the purpose it was intended but for no other purpose.
PMC may provide Personal Data to third parties performing services on PMC’s behalf for the benefit of such individuals whose Personal Data is being disclosed (agent third parties) provided that such third parties have agreed in writing with PMC that they will provide at least the same level of privacy protection as is required by the Principles. Such agent third parties may include the following:
- Web hosting service providers that host PMC software and servers,
- Financial brokers where the client entity or individual has a brokerage account and authorized PMC to share data for equity transaction execution,
- Client entity transfer agent/ share registrars providing share settlement and delivery services
- Client entity payroll/ HR system providers,
- Client entity accounting system or service providers,
- Data exchange service providers where the client entity has requested system integration and a data exchange service provider is used to format, configure, or exchange the data as requested
Other than as permitted in the prior paragraph, prior to disclosing Personal Data for any other purpose, PMC shall notify the individual or company administrator employee of such disclosure and allow the individual the choice (opt out) of such disclosure. PMC shall ensure that any third party for which Personal Data may be disclosed subscribes to the Data Protection Legislation or are subject to law providing the same level of privacy protection as is required by the Data Protection Legislation and agree in writing to provide an adequate level of privacy protection.
Cookies and Related Technologies
PMC shall take reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. PMC has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. PMC cannot guarantee the security of Information on or transmitted via the Internet.
PMC acknowledges the right of EU individuals to access their personal data.
Access for Individuals who are employees or share plan participants of our Clients: PMC has no direct relationship with the individuals whose personal data it processes on behalf of our clients and we are acting in the role of data processor for that information. An individual who seeks access, or who wishes to correct, amend, or delete their personal data should contact the PMC Client Entity, who is the data controller.
Access for Individuals who Place Their Data Directly with PMC: Upon request PMC will provide you with information about whether we hold any of your Personal Data. You may access your Personal Data by logging in to your account, or by contacting your employer or administrator directly. You may correct or request deletion of your Personal Data by contacting your employer or administrator directly, or by contacting us at [email protected].
All requests for data access will be handled within a reasonable timeframe and may be limited where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Recourse, Enforcement, and Liability
With respect to personal data received or transferred pursuant to the EU-U.S. DPF or the UK Extension to the EU-U.S. DPF, PMC is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. With respect to personal data received or transferred pursuant to the EU-U.S. DPF or the EU/UK Data Protection framework, in certain situations, PMC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. Data Privacy Framework program Principles, PMC commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, United Kingdom individuals with DPF inquiries or complaints should first contact PMC at:
Plan Management Corp.
Attn: Elena Thomas, Chief Operating Officer
1001 Conshohocken State Road
Building 1, Suite 205
West Conshohocken, PA 19428
Telephone: (610) 359-5870
Fax: (610) 688-1323
PMC has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
Finally, as a last resort and under limited circumstances, if your DPF complaint cannot be resolved through the above channels, EU and UK individuals may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2
PMC uses a self-assessment approach to assure compliance with this DPF and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles. If a complaint or dispute cannot be resolved through our internal process, we agree to dispute resolution using (an independent resource mechanism) as a third-party resolution provider as outlined above.