Privacy Policy

The purpose of this privacy policy is to inform our clients, employees, business partners and the general public how we protect and handle private and sensitive information. At Prophet, we are committed to protecting your privacy through stringent privacy practices and adherence to the Privacy Shield Principles of the Privacy Shield Program. As of 2016, The EU-U.S. Privacy Shield Framework replaces the Safe Harbor Framework, and the Swiss-U.S. Privacy Shield Framework replaces the U.S.-Swiss Safe Harbor Framework. Prophet Brand Strategy in the U.S., as well as all of its subsidiaries including Prophet Brand Strategy Limited (GB), Prophet HK Limited (HK), Prophet (Shanghai) Company Limited (CN), Prophet GmbH (CH), and Prophet Germany GmbH (DE), adheres to the Privacy Shield Principles.

Prophet complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Frameworkas set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland, to the United States. Prophet has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

Prophet is a diverse, global consultancy with offices across the United States, and in London, Berlin, Zurich, Hong Kong and Shanghai. Our business practices and processes are shared between our global offices, which means that our client and employee data is shared between our US, European and other international offices. Prophet is fully committed to the proper handling and privacy of the personal information that it collects or uses for all individuals within the European Union and Switzerland. To protect the individual’s information, Prophet complies with both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration.

Prophet is under the jurisdiction of the U.S. Federal Trade Commission for investigations and enforcement related to compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. All of Prophet’s privacy practices comply with the following Privacy Shield Principles, as detailed in the policy section of this document:

• Notice
• Choice
• Accountability for Onward Transfer
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse, Enforcement and Liability

This Privacy Policy applies to all data and information collected by Prophet that allows for identification of an individual (Personal Information [PI] or Personal Identifiable Information[PII]), including all personal data received from the EU and Switzerland. The personal information (for either clients or employees) may include names, email addresses, mailing and/or business addresses, telephone and fax numbers and employee identification information.

Adherence to this policy applies to all employees who work for Prophet, or one of its subsidiary companies in the United States, United Kingdom, Germany, Switzerland and China.

The following sections of the Prophet Privacy Policy comply with the seven Principles and sixteen Supplemental Principles of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.

Prophet collects, handles and processes your personal information only for business purposes with you and/or your company. If your personal information is collected and used, Prophet will notify you, usually at the time of collection or as soon as possible after the information is collected. Prophet may disclose your personal information to comply with any lawful requests from public authorities, law enforcement, or matters of national security.

Prophet does not sell or rent your personally identifiable information to anyone. Prophet may disclose your personal data to third parties for legitimate business purposes. The types of third parties that may be used by Prophet, and the purposes for disclosing personal information, include but are not limited to:

• Vendors that assist with payroll, benefits and HR support for employees
• Vendors that supply Software as a Service (SaaS) for internal communications and sales tracking
• Credit card companies that have employee credit card information
• Travel expense vendors who manage employee travel expense information
• Vendors who provide project support or project management support
• Vendors who provide analytics services for projects
• Vendors who provide backup or storage services for data

In addition to your personal and demographic information, when you visit a Prophet website your web browser software may automatically provide us with information such as the browser name and version, your computer type, operating system and the previous website you visited if you clicked a link to our site from another website. We also automatically determine your internet IP address or your internet service provider’s IP address. Any of this information may be recorded in our system logs or securely collected on our behalf via third-party services. This information will only be used internally in anonymous, aggregate reporting.

You may choose to provide Prophet with additional personal information by completing our online forms. We will inform you of how your personal information will be used at the point of collection, and Prophet will only use your personal information as described in this Privacy Policy.

Certain parts of our website use cookies to provide a more optimal web experience. A cookie is a small piece of data sent to your web browser and saved on your computer. On subsequent visits to our site, your browser will automatically re-transmit the cookie data to our site. We may use cookies to customize the content shown to you, to provide conveniences to your browsing experience or to track aggregate traffic trends on our site. You are not required to accept and store cookies to browse our websites. However, to access any of our protected websites which require a username and password, you will need to accept and store an authentication-related cookie for the duration of your visit.

Our website contains links to other sites. Prophet does not share your personal information with these sites, nor do we have any control over the privacy policies of those sites. We encourage you to learn about the privacy policies of the companies responsible for those sites.

We collect and use employee information only for business purposes, and our employees’ personal information is never sold or rented to third parties. Data may be collected and stored from potential candidates for hire with Prophet, which includes direct employment and contractors. Employee information, including personal identifiable information (PII), performance and disciplinary information, health related information or other sensitive employee information is only accessible by Prophet employees who have legitimate human resource purposes, and/or a business need to know.

European Union and Swiss employees are notified at the time of their employment how their personal information will be used. Prophet will comply with any investigations from EU or Swiss Authorities, as applicable by law.

Prophet will provide you with the opportunity to opt-out of having your personal information (1) disclosed to a third party who is not currently working for Prophet, and (2) used for a purpose that is different from the original use purpose when it was collected or authorized for use by you. The only exception to this choice is the requirement of disclosure of personal information by government or judicial order, or other legal requirements.

You can choose to opt-out of marketing materials from Prophet at any time. To exercise your rights to limit how your data is used as described above, contact us at dpo@prophet.com with instructions on which opt-out options you would like applied to your personal data. Prophet system administrators will manually apply the appropriate control measures to any records that contain your personal information.

In addition, to opting out of how your information is used for marketing purposes, you have the right to request that your data be forgotten (known as the right of erasure), and removed in the following circumstances:

• when your personal data is no longer necessary to achieve the purposes for which it is collected or processed
• when you have withdrawn your consent
• where you object to the processing of your personal data
• where consent is provided by a child who is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet
• where the processing of personal data does not otherwise comply with the GDPR

The right to erasure does not apply where personal data is necessary for compliance with legal or regulatory requirements, legal claims, if the data is required for the good of public health or public interest, or if the data is needed for scientific or historical archival purposes. To exercise your right to be forgotten, contact us at dpo@prophet.com and we will respond to your request as quickly as possible. Prophet system administrators will manually remove your personal data where possible and contact you when the data has been successfully removed. Prophet is required to comply with your request unless the data is impossible to remove or requires a disproportionate cost or effort to remove, in which case Prophet will respond with information concerning where your data could and could not be removed.

Under the Privacy Shield Program, organizations do not have to obtain express consent (opt-in) with respect to sensitive data under the following processing conditions – If the data processing is in the vital interest of the data subject or another person, if it is necessary for the establishment of legal claims or defenses, if it is required to provide medical care or diagnosis, if the data processing is carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects, if it is necessary to carry out an organization’s obligations in the field of employment law, or if it is related to data that has been made public by the individual.

Prophet will not transfer personal information originating in the EU or Switzerland to third parties unless such third parties have entered into an agreement in writing that requires them to provide at least the same level of privacy protection to your personal information as required by the Principles of the EU-US Privacy Shield Framework or the Swiss-US Privacy Shield Framework. Prophet only transfers data to agents or third-party service providers who have a legitimate need to the information in order to provide services on behalf of Prophet. Prophet will be liable for these data transfers to third parties.

Prophet is committed to protecting the personal information that it collects and stores, and we have implemented technical, operational, and administrative security measures to prevent the loss, misuse, disclosure, alteration, theft, or destruction of such information.

Prophet only collects and retains personal information that is relevant to the purposes for which it is collected. Personal information will not be used in a way that is incompatible with such purposes, unless such use as been explicitly authorized by you. Prophet will take reasonable steps to preserve the integrity of your personal information and to ensure that it is reliable for its intended use, accurate, complete, and current. Prophet may contact you to verify that the data we have is accurate and current.

Per Privacy Shield Supplemental Principle 2, personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Privacy Shield Principles.

You have the right to access and correct your personal information data that is used by Prophet. You can correct, amend, or request that information is deleted if it is inaccurate or has been processed in violation of the Privacy Shield Principles. The only exception to an access request for personal information is where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. To confirm that Prophet has personal data relating to you, or to make any other access or correction requests, contact us at dpo@prophet.com or call us at +1 415 677 0909. Prophet Employees may request and review their personal information by emailing employeehr@prophet.com.

If you have any questions or concerns about Prophet’s compliance with our Privacy Policy or the Privacy Shield Principles, please contact us at dpo@prophet.com or call us at +1 415 677 0909. We will investigate your complaint thoroughly and will respond to you within 45 days from the time we were notified.

In compliance with the Privacy Shield Principles, Prophet commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Prophet at: dpo@prophet.com or call us at +1 415 677 0909.

If you are not satisfied with Prophet’s response to your complaint, we will provide an additional recourse mechanism at no cost to you. Prophet cooperates and complies with the EU data protection authorities (DPAs) under the EU-U.S. Privacy Shield Framework, and with the Swiss Federal Data Protection and Information Commissioner (FDPIC) under the Swiss-U.S. Privacy Shield Framework and complies with the advice given by such authorities with regard to human resources and non-human resources data transferred from the EU and Switzerland. Contact information for the EU DPA and the Swiss Federal Data Protection Information Commissioner are as follows:

European Data Protection Supervisor

Rue Wiertz 60
1047 Bruxelles/Brussel
Office: Rue Montoyer 63, 6th floor
Tel. +32 2 283 19 00
Fax +32 2 283 19 50
e-mail: edps@edps.europa.eu
Website: http://www.edps.europa.eu/EDPSWEB/

Swiss Federal Data Protection and Information Commissioner

Verantwortliche Person Adrian Lobsiger

Adresse Feldeggweg 1, 3003 Bern

Telefonnummer +41 (0)58 462 43 95 (Mo. bis Fr., 10.00 bis 12.00 Uhr)

Email-Adresse Kontaktformular

Webseite www.edoeb.admin.ch

Additional lists of more specific DPAs by country, city or region can be found here- http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm and here- https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/links/data-protection—switzerland.html.

Under certain conditions, if you are not satisfied with the recourse mechanisms provide by Prophet or Prophet’s compliance with the Privacy Shield Principles, you may be able to invoke binding arbitration to address your complaint.

Regarding onward transfers of personal data, Prophet is responsible for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Prophet shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless Prophet proves that it is not responsible for the event giving rise to the damage.

Any changes to the EU-U.S. Privacy Shield Framework or the Swiss-U.S. Privacy Shield Framework, or the addition of new or updated applicable laws will result in changes to the Prophet Privacy Policy. Prophet reserves the right to amend this Privacy Policy and its related business procedures at any time.

It is the responsibility of all Prophet employees to read and adhere to this policy, and by signing this policy each employee agrees to abide by its contents. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.