QCS is committed to managing and protecting personal information in an open and transparent way. It is QCS’s policy to ensure that all personal information that it collects, accesses, processes, stores or transfers is always protected.
This Policy sets out how QCS collects, accesses, processes, stores and/or transfers personal information including sensitive information.
The purpose of this policy is to ensure that consistent privacy practices are implemented and managed across the QCS footprint.
This Policy applies to all personal information and sensitive information processed by, or collected and used by QCS and third-party vendors engaged in supporting the organization’s business.
This Policy applies to all QCS personnel in all business divisions/units of QCS, including full- and part-time employees, as well as independent contractors, temporary workers and other third parties and their staff that are hired by QCS on a temporary basis as non-employees to provide consumer contact services. The Chief Operating Officer and VP of Compliance shall be responsible for adding provisions to third party vendor contracts requiring these parties to take appropriate steps to comply with the provisions of this policy as well as all applicable federal and state laws. Failure to adhere to the requirements of this Policy will result in disciplinary action, up to and including termination.
This Policy is designed to ensure compliance with the European Union’s General Data Privacy Regulation (GDPR), U.S. federal, state and local laws and reflects QCS’s best understanding and interpretation of those rules. However, this Policy only addresses items that pertain to QCS compliance practices and should not be construed in any way as providing legal advice on compliance with regulations to any company not affiliated with QCS.
|Data Subject||An individual about whom QCS collects and maintains personal information, including QCS employees.|
|Data breach||Means the loss, unauthorized access to, or disclosure of, personal information.|
|Data Controller||The organization or entity that controls the data collected from or about consumers. The Controller is a defined term in the GDPR.|
|Data Processor||An organization or entity that processes data on behalf of a Data Controller. The Processor is a defined term in the GDPR.|
|FTC||Federal Trade Commission – a U.S. government agency established to ensure that the nation’s markets are vigorous, efficient and free of restrictions that harm consumers.|
|GDPR||General Data Privacy Regulation enacted in the European Union (EU). Entities outside the EU must also comply with GDPR for any individuals from the EU or traveling within the EU.|
|Personally Identifiable Information (PII)||
Includes any data by which a person can be identified or located,
including but not limited to:
– Name and contact information;
– Social security number or other unique identifiers;
– Date of birth;
– Healthcare records;
– Preferred communication methods;
– Business name, title and business address;
– Financial institution account numbers and transactions;
– Membership information, frequent flyer or travel partner program affiliation;
– Residence and geographic records; and
– Sensitive information also known as Sensitive Personal Information (SPI)
|Privacy||The right of an individual to control the collection and handling of their own personal information and relates to the processes for the management and disclosure of personal information in any form whether oral, electronic or written.|
Personal information specifying medical or health conditions, racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union membership or information that concerns health or sex life.
|Third Party||Individual or organization outside of QCS or QCS legally-affiliated organizations.|
Why we Collect and Process Personal Information
QCS collects personal information for these purposes:
· Employment related activities, recruiting and onboarding new employees, internal human resources files
· Potential clients seeking call center services provide personal information to QCS
· We are a Data Processor acting on behalf of our clients, the Data Controller.
Information We Collect
The information we process or collect may include:
– Name and contact information;
-Social security number or other unique identifiers;
-Date of Birth;
-Preferred communication methods;
-Business name, title and business address;
-Financial institution, frequent flyer or travel program affiliation;
-Membership information, frequent flyer or travel partner program affiliation;
-Residence and geographic records
For the majority of our client programs, QCS is classified as a Data Processor.
Note about International Client Programs:
Due to the strict requirements for compliance with GDPR, it is QCS’s policy to limit the types of data we collect and store for International clients.
Each new international client must undergo a Data Privacy and Security Review prior to the contract being signed.
For Domestic programs we process and if needed, collect information on behalf of our clients, including Personal Information.
Some of the information that QCS collects and processes may be considered sensitive information. QCS only collects sensitive information where it is necessary for the purpose for which it is being collected directly from the individual, unless the collection is required or authorized by law. QCS makes every effort to minimize collecting sensitive personal information.
When We Process Personal Information
When we process personal information, we will process it using the following the privacy principles below:
– All collection and processing will be undertaken in a lawful, fair and transparent manner;
– Any personal information we collect will always be used for specified, legitimate and lawful purposes;
– We will only collect personal information that is adequate, relevant and necessary for the purposes for which we intend to use it. We will review this to ensure the personal information we hold continues to remain adequate, relevant and limited to the minimum information necessary;
– We will establish processes to help confirm the accuracy of, correct and keep up to date any personal information that individuals have provided to us;
– We will only keep personal information for as long as is necessary for the ongoing business purposes for which we use it (or for the period required by law, if longer), and we will only keep client-provided personal information for the period agreed in contracts;
– We will protect personal information against unauthorized or unlawful processing, accidental loss, destruction or damage through appropriate technical and organizational measures; and
– We will be accountable for, and we will take steps to demonstrate our compliance with, data protection laws including the General Data Protection Regulation (GDPR).
How Personal Information Is Retained
Personal information is stored in electronic form in secure databases in the cloud. The QCS network has been reviewed by a 3rd party auditor and received a SOC2 Type 2 Certification report.
QCS does not use or disclose personal information for purposes other than the purpose for which it was collected (the primary purpose) unless:
– the secondary use or disclosure is related to the primary purpose;
– it is otherwise required or authorized by regulation or law; or
– it is necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Any disclosure of personal information for a secondary purpose must be approved by the QCS Chief Operating Officer.
Data Storage and Deletion
QCS will only store personal information needed for a future use and shall only keep such information as long as it is needed or required by contract. Personal information will be kept in a secure manner with limited access to only those who have a need to access and use the information.
When QCS no longer needs to process personal information, and is lawfully able to do so, it will securely destroy such information in accordance with its Data Retention Schedule or contractual obligation. Destruction of data will render the information unreadable and unusable by any means.
It shall be the responsibility of the Chief Operating Officer to regularly review the data storage and deletion practices to ensure the personal information is stored securely and full deleted and rendered unusable and unreadable.
Third Party Vendors
QCS will not disclose personal information to a third party it does not have an agreement with or for purposes for any other purpose than that which it was collected, except with the consent of the individual, when required, or as required by applicable law.
When QCS hires a third-party vendor to process personal information from QCS clients on its behalf it will ensure that the processor complies with all applicable data protection laws. Third party vendors are required to sign a Data Processing Agreement that includes the following minimum elements that requires the vendor to:
– have documented processing procedures that comply with applicable data protection laws;
– include confidentiality obligations on all personnel who process the PII/SPI data;
– have security policies and procedures for processing data;
– include Instructions on obtaining written consent to appoint sub-processors (if applicable);
– implement procedures to assist QCS in complying with its privacy obligations;
– retain or destroy personal data at the end of the relationship except as required by law; and
– report any breach of personal information from QCS clients to QCS immediately.
Each vendor is required to implement appropriate technical and organizational measures to protect QCS Client’s customer and prospect personal information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure of, or access to customer data that is transmitted, or stored by the vendor.
The Chief Operating Officer will ensure that the vendor has implemented appropriate technical and organizational processes to protect QCS’s personal information.
The Chief Operating Officer will ensure that each vendor has signed a privacy agreement, or the applicable privacy language is included in the agreement with vendor.
QCS will use personal information from potential clients only to send information about QCS products and services.
These potential clients have the right at any time to stop QCS from contacting them for marketing purposes. The opt out link is included in each email that is sent out for marketing.
To improve QCS’s services and assist the user, QCS may store information about users of its website to create a digital profile and provide them with information specific to them.
QCS also uses analytics to obtain statistical information about how its website is accessed. These analytics rely upon cookies to gather information for the purpose of providing statistical reports to QCS. The information generated by the cookie about an individual’s use of the QCS website is transmitted to and stored, but it does not include any personally identifying information.
The QCS Chief Operating Officer will regularly review the website cookie processes to ensure they comply with all applicable Cookies laws. The Chief Operating Officer’s review will include, but not limited to, review how cookies are captured, if there is a cookies notice on each applicable website, how cookie information stored, who has access to the information and how it is deleted when no longer needed.
DATA PROTECTION RIGHTS
Every user is entitled to the following:
The right to access – If QCS is the Data Controller, user has the right to request QCS for copies of their personal data.
The right to rectification – If QCS is the Data Controller, user has the right to request that QCS correct any information user believes is inaccurate. User also has the right to request QCS to update information user believes is incomplete.
The right to erasure – If QCS is the Data Controller, user has the right to request that QCS erase their personal data, under certain conditions.
The right to restrict processing – If QCS is the Data Controller, user has the right to request that QCS restrict the processing of their personal data, under certain conditions.
The right to object to processing – If QCS is the Data Controller, user has the right to object to QCS‘s processing of their personal data, under certain conditions.
The right to data portability – If QCS is the Data Controller, user has the right to request that QCS transfer the data that they have collected to another organization, or directly to the user, under certain conditions.
If user makes a request, QCS has one month to respond to them. If user would like to exercise any of these rights, they can contact QCS:
Call QCS at: U.S. at 866-963-2889 or UK at +44 203 807 4422
Or write to us: 102 Grant Street, Aurora, Nebraska 68818
In the event QCS is a Data Processor working on behalf of a Data Controller, QCS will respond to user requests by communicating with the user who they should contact at Data Processor organization with their request.
QCS will ensure appropriate technical and organizational measures are taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal information.
QCS will protect personal information by security safeguards appropriate to the sensitivity of the information. QCS will protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures.
Access to personal information will be limited to business need. Access controls will be utilized so that only those employees of QCS who require access for business reasons, or whose duties reasonably so require, shall be granted access to personal information about client customers and employees.
QCS data security practices include both physical and logical security processes to protect personal information.
In relation to electronic records, when personal information is collected via QCS’s systems including any web-based systems, QCS has implemented security measures to protect the information against loss, misuse, deletion and/or alteration. Where necessary, QCS also uses encryption technology to protect certain information and transactions.
Personal information collected physically, is maintain in a secure manner. Such information is always secured in either locked storage areas such as storage rooms, locked file drawers, files cabinets, and/or by third parties. QCS observes a Clean Desk Policy that prohibits keeping personal information on top of a desk, or the like, unattended.
The VP of Compliance and Administrative Services shall unsure, by audit and review on a regular basis, the QCS systems and processes comply with this policy. Any issues notes during the review will be documented and corrective acts taken to ensure that the issue does not recur.
BREACH AND SECURITY INCIDENTS
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, QCS’s VP of Compliance and Administrative Services will promptly assess the risk to people’s personal information and necessary steps the limit the breach. If required by federal or local law, the VP of Compliance and Administrative Services will report this breach to upper management and make assessment if it required to report the breach to the applicable regulatory authority, news organizations and the data owners as may be required by law.
Where a privacy data breach is known to have occurred (or is suspected) the VP of Compliance and Administrative Services will make an assessment that at a minimum includes the following Information:
– When the breach occurred (time and date);
– Description of the breach (type of personal information involved);
– Cause of the breach (if known) otherwise how it was discovered;
– Which system(s) if any are affected;
– Which location/faculty/vendor is involved;
– Whether corrective action has occurred to remedy the breach (or suspected breach); and
– The number of records impacted.
Consumers and employees may address their concerns about compliance with the QCS privacy policies and how their personal information was processed to the QCS VP of Compliance and Administrative Services and/or his/her designee, or to firstname.lastname@example.org. QCS will investigate all complaints concerning compliance with this policy.
It shall be the responsibility of the VP of Compliance and Administrative Services to thoroughly investigate each such complaint to identify and address all relevant issues and concerns and to provide a written respond to the findings. The VP of Compliance and Administrative Services will document the finds and any corrective actions need to be implemented to ensure that the issue doses not recur as applicable.