Last reviewed March 25, 2022
Software Platform Users
EU-U.S. Privacy Shield
PMC is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. PMC complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions
“Personal Data” or “Information” means information relating to an individual residing in the European Union and (1) is recorded in any form; (2) is about, or pertains to a specific individual; and (3) can be linked to that individual.
Scope and Responsibility
This Privacy Shield Policy applies to Personal Data transferred from European Union member countries including Norway, Lichtenstein and Iceland to PMC’s operations in the U.S. in reliance on the respective Privacy Shield framework and does not apply to Personal Data transferred under Standard Contractual Clauses or any approved derogation from the EU Directive.
Some types of Personal Data may be subject to other privacy-related requirements and policies. For example:
All employees of PMC that have access in the U.S. to Personal Data covered by this Privacy Shield Policy are responsible for conducting themselves in accordance with this Privacy Shield Policy. Adherence by PMC to this Privacy Shield Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations, but Personal Data covered by this Privacy Shield Policy shall not be collected, used, or disclosed in a manner contrary to this policy without the prior written permission of PMC’s Chief Operating Officer.
PMC employees responsible for engaging third parties to which Personal Data covered by this Privacy Shield Policy will be transferred are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Privacy Shield Principles, including any applicable contractual assurances required by Privacy Shield.
If you are an employee of a company that is a customer (client entity) of PMC, as part of our Software as a Service (SaaS) or other service offerings, we may collect the following Personal Data from your employer about you such as: First Name, Middle Initial, Last Name, Tax ID, Address, Office Phone, Cell Phone, Fax, Email address, Equity Plan Grants, Securities Holdings, Date of Birth, Hire Date, Retirement Eligibility Date, Annual Compensation, Transfer Agent Account Number, Broker Account Number. PMC collects information submitted by client entities in order to facilitate the management and administration of equity compensation plans and shareholder and securities transactions. Not all of these fields are required and hence they may or may not be stored in our database.
Privacy Shield Principles
The Personal Data PMC receives comes from use of our services and software platform by company administrators on behalf of employees and share plan participants of a client entity, and from use of our software platform by employees or share plan participants of a client entity. In some circumstances, Personal Data may be received from a third party agent authorized by the client entity to provide such data to PMC for the sole purpose of providing the requested services. PMC uses this Personal Data solely to directly contact individuals who express interest in receiving our services or to provide such services. PMC does not sell any Personal Data to any third parties.
PMC informs client entities providing their employees’, shareholders’ and share plan participants’ Personal Data of the purpose for which PMC collects and uses the Personal Data and the types of non-agent third parties to which PMC discloses or may disclose that Information. If the individual is providing his or her Personal Data directly, then PMC shall provide the individual with the choice and means for limiting the use and disclosure of their Personal Data for any purpose other than those necessary for the processing of services for which it was originally collected.
Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to PMC, or as soon as practicable thereafter, and in any event before PMC uses or discloses the Information for a purpose other than for which it was originally collected.
If in connection with providing its services, PMC receives Personal Data indirectly through an administrator employee or client entity authorized third party, and not the individual with respect to which the Personal Data is regarding, then the administrator employee or authorized third party agent has received the express or implied consent of the applicable employee with whose Personal Data is being provided.
If Personal Data covered by this Privacy Shield Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized or is to be disclosed to a non-agent third party, PMC will provide individuals providing their Personal Data directly, and administrator employees, with an opportunity to choose whether to have their Personal Data so used or disclosed.
We will provide an individual opt-out or opt-in choice before we share their data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected subsequently authorized.
To limit the use and disclosure of your personal information, please submit a written request to [email protected]
By using PMC’s services and providing Personal Data to PMC through such use, individuals or administrators on behalf of those individuals, have opted to authorize PMC to use the Personal Data for the purpose it was intended but for no other purpose.
PMC may provide Personal Data to third parties performing services on PMC’s behalf for the benefit of such individuals whose Personal Data is being disclosed (agent third parties) provided that such third parties have agreed in writing with PMC that they will provide at least the same level of privacy protection as is required by the Principles. Such agent third parties may include the following:
Other than as permitted in the prior paragraph, prior to disclosing Personal Data for any other purpose, PMC shall notify the individual or company administrator employee of such disclosure and allow the individual the choice (opt out) of such disclosure. PMC shall ensure that any third party for which Personal Data may be disclosed subscribes to the Principles or are subject to law providing the same level of privacy protection as is required by the Principles and agree in writing to provide an adequate level of privacy protection.
With respect to our agents, we will transfer only the Personal Data covered by this Privacy Shield Policy needed for an agent to deliver to PMC the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with PMC’s obligations under the Privacy Shield Principles; and (iv) require the agent to notify PMC if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, we will take reasonable and appropriate steps to stop and remediate unauthorized processing.
PMC remains liable under the Privacy Shield Principles if an agent processes Personal Data covered by this Privacy Shield Policy in a manner inconsistent with the Principles, except where PMC is not responsible for the event giving rise to the damage.
Cookies and Related Technologies
PMC shall take reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. PMC has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. PMC cannot guarantee the security of Information on or transmitted via the Internet.
PMC limits the collection of Personal Data covered by this Privacy Shield Policy to information that is relevant for the purposes of processing. PMC does not process such Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual or company client administrator on behalf of the individual.
PMC acknowledges the right of EU individuals to access their personal data.
Access for Individuals who are employees or share plan participants of our Clients: PMC has no direct relationship with the individuals whose personal data it processes on behalf of our clients and we are acting in the role of data processor for that information. An individual who seeks access, or who wishes to correct, amend, or delete their personal data should contact the PMC Client Entity, who is the data controller.
Access for Individuals who Place Their Data Directly with PMC: Upon request PMC will provide you with information about whether we hold any of your Personal Data. You may access your Personal Data by logging in to your account, or by contacting your employer or administrator directly. You may correct or request deletion of your Personal Data by contacting your employer or administrator directly, or by contacting us at [email protected]
All requests for data access will be handled within a reasonable timeframe and may be limited where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Recourse, Enforcement, and Liability
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, PMC is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, PMC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Plan Management Corp.
Attn: Elena Thomas, Chief Operating Officer
1001 Conshohocken State Road
Building 1 Suite 600
West Conshohocken, PA 19428
Telephone: (610) 359-5870
Fax: (610) 688-1323
PMC has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint.
Finally, as a last resort and under limited circumstances, EU individuals with residual complaints may invoke a binding arbitration option before the Privacy Shield Panel as described on the Privacy Shield website at https://www.privacyshield.gov