Privacy

GDPR Privacy Statement

Effective May 25, 2018

Opus Solutions, LLC dba Opus Agency, and its wholly owned subsidiaries (“Opus”) is active worldwide as a corporate events marketing agency. Opus may be obliged to comply with the European Union General Data Protection Regulation (Regulation 2016/679/EU, “GDPR”) when Opus acts as a data processor for clients in Europe; when Opus contracts with sub-processor vendors in Europe; or when Opus processes personal data of natural persons in the EU as a data controller or processor.

Opus is aware of these obligations and respects the right of any individual to protect their personal data and to decide on the use and processing of their personal data. This GDPR Privacy Statement provides information regarding the personal data Opus is collecting; the way these data are used; and the legal basis for doing so. It also provides information regarding the measures Opus is taking to protect personal data from unauthorized access.

The principles outlined in this statement are valid for any processing of personal data by Opus that falls under the scope of GDPR. Thus, Opus guarantees a standard of data protection and data security that is designed to comply with the GDPR.

 

1. Opus’ Data Protection: General Principles    

 Processing of personal data by Opus

Opus processes personal data in different functions and contexts. Opus may process personal data as controller or as processor for third parties. As processor, Opus installs and operates registration web sites for events. Opus collects personal data via these web sites and processes the data further to realize the event and to execute payment transactions.

 

Principles governing Opus’ data protection activities

Opus shall process personal data according to the principles stated below. All employees are responsible for proceeding accordingly in their respective areas of responsibility.

  1. Opus shall proceed lawfully, fairly and in a transparent manner when processing personal data.
  2. Opus shall collect personal data only for specified, explicit and legitimate purposes. Opus shall not further process data in a manner that is incompatible with these purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is legitimate.
  3. Opus shall collect or process only personal data that is adequate, relevant and limited to what is necessary in relation for the relevant purpose.
  4. Opus shall make sure that personal data is accurate and up to date. Inaccurate data shall be erased or rectified without delay.
  5. Opus shall keep personal data that permits the identification of data subjects no longer than is necessary for the relevant purposes.
  6. Opus shall ensure appropriate technical and organizational safety measures when processing personal data. This includes protection against unauthorized or unlawful processing, accidental loss, destruction or damage.

Data storage / Erasure of Data

Personal data collected and/or processed by Opus will be stored on Opus’ servers in the USA, and only US-based cloud environments are used. Data will be stored only as long as necessary for the relevant purpose and/or as requested by the relevant legal provisions and will be erased afterwards. The data will be erased at latest after 10 years, unless different legal retention periods apply.

 

Personal data / special categories of personal data

  1. Personal data means any information that identifies, relates to, describes, or is capable of being associated with a particular individual.
  2. In some cases, Opus may also process so-called “special categories” of personal data within the meaning of Art. 9 GDPR. These are particularly sensitive data such as data relating to racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or genetic or biometric data, health data or data concerning a natural person’s sex life or sexual orientation as well as data relating to criminal convictions or offenses which are specially protected by GDPR. They shall only be processed under the strict conditions of Art. 9 and Art. 10 GDPR. In principle, Opus shall only collect and/or process such data if the data subject has given explicit consent or where necessary for the establishment, exercise or defense of legal claims or before court. In exceptional cases, Opus may process such data on other legal grounds of Art. 9 Par. 2 GDPR. Whenever Opus is processing special categories of personal data, special technical and organisational measures shall apply.

 

Data Protection Officer (‘DPO’)

  1. Opus has appointed a data protection officer (“DPO”) as responsible contact for all data protection issues relating to GDPR. This DPO can be reached as follows:

security@opusteam.com

+1 (971) 223-0777

The DPO will fulfill the tasks as specified in the GDPR and will be involved in all data protection-relevant processes from an early stage. They will interact closely with the corporate management. In their area of responsibility, the DPO shall act independently and free from directives and external influences.

  1. The DPO informs and advises the management as well as the employees regarding their data protection obligations. The DPO oversees compliance with data protection provisions.

 

Contact information of Opus and of Opus’ designated representative

All concerns regarding Opus’s data processing activities can be addressed to:

Mail:              Opus Agency

c/o Legal Department

9000 SW Nimbus Avenue

Beaverton, OR 97008

Email:           legal@opusteam.com

Phone:          +1 (973) 221-0777

According to Art. 27 (1) GDPR, Opus has appointed a representative in the EU. This designated representative serves as additional contact in the EU for Data Subjects and the data protection supervisory authorities and thus supports enforcement of the GDPR. The designation of the representative shall be without any prejudice to legal actions that can be taken against Opus as a controller or processor.

The representative of Opus can be reached as follows:

Kleiner Rechstanwalte

Buro Dusseldorf

Breite Strasse 27

40213 Dusseldorf

Tel: +49 (0) 211 30 20 66-12

Fax: +49 (0) 211 30 20 66-11

 

Record of processing

  • Opus maintains a record of its processing activities and shall make the record available to supervisory authorities on request. Where Opus is responsible as a controller for the personal data processed (see Section 2 below), the record shall comprise the information enumerated in Art. 30 (1) GDPR, such as:
    • the name and contact details of the controller and joint controller, the controller’s representative and the data protection officer (DPO);
    • the Purpose of the processing;
    • a description of the categories of data subjects and of the categories of personal data Opus is processing;
    • the categories of recipients of the personal data;
    • where applicable, transfers of personal data to a third country or international organization, documentation of suitable safeguards;
    • where possible, the envisaged time limits for erasure of the different categories of data.
  • If Opus is acting as a processor (see Section 3 below), the information as stated in Art. 30 (2) GDPR will be recorded, such as:
    • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting; the processor’s representative and the data protection officer;
    • the categories of processing carried out on behalf of each controller;
    • where applicable, transfers of personal data to a third country or an international organization, documentation of suitable safeguards;
    • where possible, a general description of the technical and organizational security measures according to Art. 32 (1) GDPR,

 

Data transfers within the US and to third countries

Being based in the United States (US) and operating servers located in the US, Opus observes the relevant GDPR provisions on data transfer where personal data are transferred from the EU to the US to be processed by Opus as well as where Opus engages sub-processors in non-EU-countries.

  1. Data transfers to Opus will be based on appropriate safeguards as Opus is using the standard data protection clauses in its contracts with the controllers.
  2. Opus will transfer personal data to non-EU-countries only insofar as there is a legal basis for the transfer. If other processors outside the EU in countries for which the European commission has not acknowledged an adequate level of data protection are engaged, and these processors do not commit to the EU-US-Privacy Shield, Opus shall ensure that appropriate safeguards are in place, such as the standard data protection clauses published by the EU Commission. In individual cases where such safeguards cannot be provided, data transfers can be based on individual consent.

 

Co-operation with supervisory authorities / Support regarding the consultation with supervisory bodies

Opus will co-operate with and support supervisory authorities as required by the GDPR.

2. Opus as Controller

Legal grounds

“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

If Opus is acting as a controller, Opus shall be responsible for compliance with the principles relating to processing of personal data resulting from GDPR. In general, these are: lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data. As a controller, Opus shall ensure that all processing can be based on a legal ground under GDPR.

As a controller, Opus shall implement appropriate technical and organizational measures to ensure that processing is performed in accordance with the GDPR (see Section 4 below). Those measures are reviewed on a regular basis and updated where necessary.

Consent

If the collection, processing and/or use of personal data cannot be based on a legal authorization, it will only be performed if the data subject has validly consented to the processing. Consent shall be obtained from the data subject at the latest when the data is collected. Opus will inform the data subject in a transparent and comprehensive manner about the purpose, type and scope of the intended use of the data before obtaining consent. Opus will ensure that the information in connection with the submission of declarations of consent is available to the data subject in an understandable form.

Opus shall thus ensure that such consent is:

– voluntarily given

– specific

– informed

– unambiguous and

– explicit.

Data subjects are informed that consent can be withdrawn at any time with effect for the future.

Opus will document the declaration of consent, or, if it was given verbally or by an affirmative act due to particular circumstances, Opus will document the relevant circumstances. Opus will also record the withdrawal of consent in this way.

If the consent of a person under the age of 16 is required, the data will only be processed if the consent of the parents or legal guardians is available.

Opus further takes care that processes are in place to promptly implement any withdrawals of consent and guarantees that affected processing operations are stopped accordingly.

Information obligations

  1. Personal data that is collected, processed and stored by Opus is used for different purposes. Opus shall inform the data subject of the individual purpose of the use of its personal data. This information is provided at the time of the data collection. If data is not collected from the data subject, information is provided within a reasonable time after obtaining the data, but within one month at latest.
  2. Opus will inform the data subject in particular of:
  • the identity and the contact details of the controller (Opus) and its representative;
  • the contact details of the data protection officer;
  • the purposes of the processing and the legal basis for the processing;
  • if processing is based on legitimate interest, the legitimate interests pursued by the controller or a third party;
  • any recipients or categories of recipients of the personal data;
  • where applicable, the intention to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission and/or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them;
  • the period for which the personal data will be stored or the criteria used to determine this period;
  • the right to request access to and rectification or erasure of personal data or restriction of processing and the right to data portability;
  • where the processing is based on consent, the right to withdraw consent at any time;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement or a requirement to enter into a contract; possible consequences if the data subject does not provide the requested data;
  • the existence of automated decision-making and, if relevant, of the logic involved as well as the significance and the envisaged consequences of such processing for the data subject;
  1. Opus will inform the data subject of the right to object to the processing of personal data. If the data subject objects, Opus will not use the personal data, unless there are compelling reasons for the processing that are outweighing the data subject’s interests, rights and freedom.

 

  1. If personal data are to be further processed for a purpose other than that for which they were collected, Opus will provide the data subject with information about that other purpose and any other relevant information about the processing prior to further processing.

 

  1. If personal data are not collected from the data subject, Opus will also inform the data subject about the categories of personal data it processes, where the data came from and, if applicable, whether they originate from publicly available sources.

 

  1. Opus may abstain from providing the information where the data subject is already informed or the information is impossible or would require disproportionate effort.

 

Rights of the Data Subjects

  1. Data subjects may contact Opus’ Data Protection Officer at any time with questions, requests or complaints or to make use of their rights Opus will address such concerns and provide the requested information without undue delay.
  2. Opus shall ensure that the following rights of the data subjects as granted by GDPR are protected:
Right to information:

Data Subjects may request information about the purpose of the processing, the data categories concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the envisaged period of storage or the criteria for determining the duration, the right to rectification, erasure or restricted processing of personal data or to object to such processing, the right to lodge complaint with a supervisory authority, the source of information that has not been provided by the data subject or the existence of automated decision making and, if applicable, the logic involved and the envisaged consequences for the data subject.

Right to rectification:

If the Data Subject’s data turns out to be incorrect, Opus will rectify the personal data without undue delay. Incomplete personal data shall be completed.

Right to erasure:

If a review reveals that the purpose of data processing has lapsed due to time or other reasons, Opus will erase such data. Any legal storage obligations remain unaffected.

Opus shall further erase data,

•  if the data subject withdraws the consent on which the processing is based and no other legal basis for the processing is available;

•  if personal data have been processed unlawfully; or

•  if an obligation to erase arises under EU law or the law of a Member State to which Opus is subject; or

•  upon request of the data subject, if the data was collected in relation to information society services offered under Art. 8 para. 1 GDPR and based on consent of a minor.

Rights of objection:

The Data Subject has the right to object to the use of his/her personal data for purposes of direct advertising or market and opinion research. Upon such objection, Opus will lock/encrypt the data in an appropriate manner to avoid such usage.

The Data Subject further has a right to object to the processing of his or her personal data if the processing is based on the public interest, the exercise of public authority or to protect the legitimate interests of the controller or a third party. In this case, the data may only be processed further if Opus, as data controller, can prove compelling grounds for processing worthy of protection. These grounds must outweigh the interests, rights and freedoms of the data subject. The processing also remains legitimate if it serves to assert, exercise or defend legal claims. In the event that an examination reveals that a legitimate interest of the Data Subject outweighs the legitimate interest of Opus (because of his or her particular personal situation), Opus will delete or lock the data concerned.

Right to restriction of processing:

Opus will restrict processing of personal data in the following cases:

•  where accuracy of the personal data is contested by the Data Subject;

•  the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

•  the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims; or

•  the Data Subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

This means that data shall be stored but shall not be processed otherwise, unless with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

Right to data portability:

Opus shall upon request provide personal data of a Data Subject that has been processed based on consent or in the context of a contract with the Data Subject in electronic format to the Data Subject in question or to another Controller.

Notification obligations:

Opus shall communicate any rectification or erasure of personal data or restriction of processing as set out above to each recipient to whom the personal data have been disclosed. This notification may be omitted if this proves impossible or involves disproportionate effort. Opus shall inform the Data Subject about those recipients if the Data Subject requests it.

  1. Data Subjects may contact the responsible data protection authorities to make use of these rights.

 

Engagement of subcontractors

If another company provides services to Opus as a subcontractor and personal data is collected, processed and/or used in this context, Opus ensures that the subcontractor is carefully selected and that the selection is based in particular on the aspect of the protection of personal data. Subcontractors need to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.

Prior to each assignment, Opus will inform its Data Protection Officer and carry out an audit of the contractor with regard to the technical and organizational measures taken by him with regard to data protection and data security. Opus will oblige the contractor to comply with the legal requirements for the protection of personal data and, in particular, to prove upon request that the employees who work for Opus as part of the provision of services have been bound to data secrecy. Opus will issue written instructions to the contractor regarding the type, purpose and scope of the processing of personal data and, if necessary, ensure compliance with the specifications by means of controls.

If the subcontractor is located outside the EU, Opus will make sure that data shall be transferred only if an adequacy decision is in place, appropriate safeguards apply or the Data Subject has explicitly consented to the data transfer in question.

 

Data Protection Impact Assessment

Opus may carry out Data Protection Impact Assessments (DPIA) as prescribed by GDPR if a type of data processing controlled by Opus is likely to result in a high risk to the rights and freedoms of natural persons. A determination regardig the necessity of a DPIA will take into account the nature, scope, context and purposes of the processing as well as the possible use of new technologies.

In particular, a DPIA will be made if:

  • a systematic and extensive evaluation of personal aspects relating to natural persons is performed based on automated processing
  • data of special categories is processed on a large scale, or
  • a systematic monitoring of a publicly accessible area on a large scale is at issue (Art. 35 para. 3 GDPR).

 

Obligation to notify authorities and data subjects in case of data protection violations

Opus shall notify authorities about data protection violations promptly and without undue delay. It will inform the authorities about the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. It will describe the likely consequences of the data breach and the measures taken respectively proposed. Where feasible, such information will be delivered within 72 hours after becoming aware of the incident.

Opus shall also notify data subjects of such data protection breaches. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, this will be done without undue delay. The data subjects will be informed transparently and in clear language of the nature of the personal data breach and its possible consequences as well as of the measures taken respectively, as long as risks are likely to materialize and the effort is not disproportionate.

 

3. Opus as Processor

 Activity as processor

Where Opus is processing data on the instructions of a client (the controller), e.g. organizes events and activities for its clients, Opus is acting as a processor. ‘Processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

As a processor, Opus shall only act on instruction of its client. Opus shall co-operate closely with its client and, in particular, support the client in complying with data protection requirements. If Opus has doubts as to the legality of the instructions, Opus will inform the client immediately.

Opus shall ensure that appropriate technical and organisational measures are in place to ensure that processing will meet the requirements of the GDPR and the protection of the rights of the data subject.

Upon completion of its activities as a processor, Opus will delete or return all personal data in connection with the relevant order, provided that there is no obligation to store it in accordance with the law of the EU or a member state.

Where necessary, Opus will cooperate with the supervisory authorities.

Contractual basis

Data Processing on behalf of a controller will only be performed on the basis of a written agreement between Opus and its client.

Essential contract content

Such agreements will include detailed descriptions of the processing agreements between the parties and, in particular, stipulate that Opus:

  1. Shall process data only on documented instruction of the controller, unless obliged to do so under relevant EU or EU Member state law; in the latter case Opus will inform the controller of these obligations before actually processing the data;
  2. Shall state in detail the processes to be performed by Opus and the technical and Shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. shall have adequate information security in place;
  4. shall engage subprocessors only where the controller has declared consent and shall ensure that these subprocessors are obliged to comply with the same data protection requirements as Opus
  5. shall assist the controller by appropriate technical and organizational measures
  6. shall cooperate with the relevant Data Protection Authorities in the event of an inquiry;
  7. shall report data breaches to the controller without delay;
  8. has appointed a Data Protection Officer;
  9. shall keep records of all processing activities;
  10. shall comply with EU trans-border data transfer rules;
  11. shall help the controller to comply with Data Subjects‘ rights;
  12. shall assist the controller in managing the consequences of data breaches;
  13. shall delete or return all personal data at the end of the contract at the choice of the controller;
  14. shall inform of organizational measures in place for the protection of personal data; and
  15. shall inform the controller if it finds that the processing instructions infringe the GDPR.

 

Engagement of Subcontractors

Where engaging other companies as subcontractors, which will be processing personal data on behalf of Opus, Opus ensures that the subcontractor is carefully selected and that the selection is largely oriented towards the protection of personal data. Opus shall only work with companies that can guarantee appropriate technical and organizational measures to ensure that processing is in compliance with GDPR.

If Opus itself provides services through subcontractors, prior approval will be obtained from the client. If approval has already been granted or contractual provisions exist which show that Opus is entitled to establish subcontracting relationships, Opus will inform the client of the planned involvement of a new subcontractor and grant the client a right of objection.

Prior to each assignment, Opus will inform its Data Protection Officer and carry out an audit of the contractor with regard to the technical and organizational measures taken by the contractor with regard to data protection and data security. Opus will ensure that the same data protection obligations as set out in the contract between its client and Opus shall be imposed on that other (sub-)processor by way of a contract or other legal act. In particular, Opus will make sure that sufficient guarantees to implement appropriate technical and organizational measures are included. The security policies by which Opus’ subcontractors are expected to operate are included in its Contractor Security Policy.

If the subcontractor is located outside the EU, data transfers may only occur based on documented instructions of the client. Opus will make sure that data shall be transferred only if an adequacy decision is in place, appropriate safeguards apply, or the data subject has explicitly consented to the data transfer in question.

Notification of security breaches

Opus as a processor is required to protect the personal data it is processing. In doing so, we are obliged to and will immediately report security breaches to the controller.

Support with Data Protection Impact Assessments (DPIAs)

Opus will support the respective controller with its DPIAs. This may also involve consultation with the supervisory authority

 

4. Protection of the Integrity of personal data, technical and organisational measures

a. General

 

1. Internal policies

Opus has internal policies in place to ensure data security. These policies are the Contractor Security Policy for independent contractors and the Employee Security Policy for employees of Opus, both last updated January 1, 2018. For the processing of personal data under this Statement, the herewith self-imposed duties of Opus shall prevail if any conflicts with those policies should occur.

2. Data protection / data security standards

If acting as controller or processor, Opus ensures that the technical and organizational measures that are in place to protect the integrity of personal data comply with the level of protection under GDPR. Increased standards are applied where special categories of data according to Art. 9 GDPR are processed.

If Opus is acting as processor, the controller can contractually opt for increased security measures even outside the scope of Art. 9 GDPR. The relevant level of protection and the specific technical and organisational measures agreed upon are included in the controller-processor agreement under Art. 28 GDPR.

3. Confidentiality

Personal data will only be collected, processed or used by employees that have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. These confidentiality obligations continue to apply even after termination of the employment relationship.

 

b. Technical and organizational measures

Opus ensures that the technical and organizational measures taken to protect personal data processed always reflect the state of the art.

1. Access to technical installations

Access to Opus’ servers is strictly limited and controlled. Access is limited to and managed by IT and Facilities personnel. Server rooms can only be entered after authorization, are secured, and are protected by alarm systems. All entrances to the server rooms are monitored by video. Cloud facilities are vetted for best-practice physical controls.

2. Access to data

IT systems as well as individual accounts are protected by individual and encrypted passwords; password entry is logged. Administrative guidelines for the use of administrative passwords are in place and employees are required to use complex passwords. These passwords are saved using hash functions and need to be changed regularly. Re-use of passwords is excluded.

Opus ensures that the persons authorized to use our data processing systems can only access the data subject to their access authorization. Furthermore, we ensure that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage. Our authorizations are always granted according to the need-to-know principle. This means that only those persons are granted access rights to databases or applications that maintain these applications or databases or which are necessary for the development process. All other persons are only granted access rights to the required extent. The reading access to data is only possible via non-public, encrypted connections. The data on this encrypted connection is also transported using 128-bit SSL/TLS. All data access is logged.

3. Use of IT systems

Hardware and software is procured centrally and in consideration of data protection concerns. The principles privacy by design and privacy by default are respected. Opus restricts the use of corporate accounts or e-mail addresses in public and the use of additional software on Opus workstations or laptops. For the use of mobile devices, special directions are included in the employee security policy. All employees are regularly trained regarding the secure processing of personal data.

4. Pseudonymisation

As a controller, Opus shall pseudonymise data where personal identification is not needed to fulfil the purposes the data has been collected for.

As a processor, Opus will pseudonymise data on instruction of the controller as agreed on in the contract with the controller.

5. Encryption

Opus as a controller will protect the security of personal data by using encryption where possible for the relevant purposes. Special categories of data (sensitive data) as well as payment data will only be stored encrypted. The data backup is also encrypted.

As a processor, the use of encryption will be agreed on in the contract between Opus and the controller in detail. Opus shall use encryption for special categories of data and payment data as standard. Further use of encryption can be agreed with the customer.

6. Separation requirement

Opus takes measures to ensure that data collected for different purposes shall be processed separately. The applications offered by Opus are multi-client capable. The data is stored in various logical data memories. These data stores are separated from each other by separate database users. They can only be accessed by the respective project team and the employees belonging to this project. The backup of these memories is also logically separated.

7. Protection against disclosure

Opus takes measures to ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or during transport or storage on data carriers. Data is only transmitted via secure and/or encrypted connections. Access to the systems in the data center  or cloud environments is available only via TLS or VPN tunnel connections.

8. Input Control

Opus ensures that it can be subsequently verified and established whether and by whom personal data has been entered, modified or removed from data processing systems. All read, write and change accesses are logged.

9. Availability / Capacity

Opus takes measures to ensure that personal data is protected against accidental destruction or loss. The availability of the data is achieved through various security measures. The data is always stored on mirrored data carriers and is backed up daily. High availability is achieved by redundantly designed systems.

 

c. Privacy by design / Privacy by default

Opus takes into account data protection principles and appropriate safeguards already when planning and designing processing activities. When developing processes, appropriate safeguards are addressed and implemented.

Opus takes into account that personal data is only collected to the extent necessary for the successful execution of any project. Opus’ products are designed accordingly and also the default settings reflect this principle.

d. Regular review, assessment, evaluation of data Protection measures

1. Review

These provisions regarding appropriate safeguards are regularly evaluated and adapted with regard to their effectiveness. In particular, Opus will make sure that data protection incidents are recognized by all employees and reported immediately to the data protection officer. The DPO will investigate the incident immediately. As far as data are concerned, which are processed on behalf of a client, the respective client will be informed immediately about type and extent of the incident.

2. Further development of the principles

Opus will review these principles on a case-by-case basis or at regular intervals with regard to its need for adaptation and further development. The Data Protection Officer will coordinate and prepare this task. In particular, an adjustment may be necessary if the relevant legal provisions and/or new business processes change or develop.


OPUS AGENCY PRIVACY POLICY

Opus Agency (“Opus”) respects the privacy of individuals who may choose to provide their personal information to us. We recognize the need for appropriate protections and management of personal information that you provide to us. This Privacy Statement will assist you in understanding what types of information we may collect, how that information may be used, and with whom the information may be shared.

This Privacy Statement applies to information collected by Opus through websites that display or link to this statement.

PURPOSE

Opus collects and uses personal information to provide our clients with the services they have contracted us to execute, and to provide you with the ability to take part in said services. Specifically, we use your information to help you complete a transaction or order, to deliver products and services to you, to bill you for products or services you purchased, and to provide ongoing service and support. Occasionally we may use your information to contact you in the case of an issue with your use of our services.

PERSONAL INFORMATION

“Personal Information” means any information that is entered into the Opus database and that identifies, relates to, describes, or is capable of being associated with, a particular individual. The types of Personal Information that Opus collects include but are not limited to:

  • Identification information, such as name, address, telephone number, passport number, driver’s license number, or state ID number.
  • Financial information, such as your credit card number or debit card number.
  • Employment information, such as where you are currently employed.

CHOICE AND CONSENT

Your decision to provide personal information through our websites is voluntary. If you do not provide the personal information requested, however, you may not be able to proceed with the activity or receive the benefit for which the personal information is being requested. You can always unsubscribe or choose not to receive communications from us by following the specific instructions in the email you receive or by notifying us as provided below. If information that was previously collected is to be used for purposes not previously identified in the privacy notice, or if new information is collected, the new purpose will be documented, you will be notified and your consent for this use of information will be sought. If you submit any personal information relating to another person to us or to our service providers in connection with our websites, you represent that you have the authority to do so and permit us to use the information in accordance with this Privacy Policy.

COLLECTION

Opus gathers two types of information from its site users: Data that users provide through voluntary registration on our sites, and non-personally identifiable and anonymous “aggregate Information” which we gather through existing web technologies. Such data may include IP address, browser type and version, operating system, and domain name. This data is used to tally page views as well as to gather demographic information about users of our sites.

COOKIES

Opus also uses cookies on its websites. Cookies are identifiers that can be sent from a website via your browser to be placed on your computer’s hard drive. Thereafter as you navigate the website, a message is sent back to the web server by the browser accessing the website.

  • Session Cookies: Some cookies operate from the time you visit a website to the end of that particular web-browsing session. These cookies expire and are automatically deleted when you close your internet browser. These cookies are called “session” cookies. Opus uses only session cookies on its registration websites.
  • Persistent cookies: Some cookies will stay on your device between browsing sessions – they do not expire when you close your browser. These cookies are called “persistent” cookies. The length of time a persistent cookie stays on your device varies from cookie to cookie. Opus uses persistent cookies on Agenda Builder and the ERC to be able to allow visitors to automatically log into those applications.
  • Right to reject cookies: You may elect not to accept cookies by changing the designated settings on your web browser. However, not utilizing cookies may prevent you from using certain functions and features of websites.

USE AND RETENTION

Opus will retain your personal information only for as long as it is needed to provide you services. If you wish to request that we no longer use your personal information to provide you services, contact us as provided below. We will retain, use and disclose your information as necessary to comply with our legal, ethical or document retention obligations, resolve disputes, and enforce our agreements, and any request to delete personal information is subject to these obligations.

Personal information of our clients’ customers Opus may share personal information with our clients or suppliers to the extent needed to deliver a product or service otherwise enable a business transaction. Opus may also process personal information about our clients’ customers on their behalf when providing services to our clients. In these situations it is our clients rather than we who decide the reasons for which the original information will be processed. For details of how this information will be used and protected, please refer to the privacy policy of the Opus client on whose behalf you submitted your personal information. A link to this policy will be provided where pertinent.

DISCLOSURE TO THIRD PARTIES

Third party service providers and suppliers receiving personal information are expected to apply privacy and security protection that is consistent with this Privacy Statement. These companies are authorized to use your personal information only for the purpose it was originally intended or as required or permitted by law. Unless otherwise dictated by law or agreement, Opus is not responsible for any improper use by such parties; however, Opus will take remedial action in response to misuse of personal information by a third party to whom such information has been transferred.

Opus may also disclose personal information and the content of communications in order to: (a) comply with the law or respond to lawful requests or legal process; or (b) act in good faith to protect the rights or property of our business, employees, suppliers or customers.

SECURITY

Opus is committed to taking reasonable efforts to secure the personal information you choose to provide us. To protect the privacy of any personal information you may have provided, Opus employs Internet firewalls, intrusion detection, anti-virus protection, and network monitoring, and, where appropriate and required by applicable law, Secure Socket Layer (SSL) or similar network encryption. If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential.

QUALITY AND ACCESS

Opus strives to keep your personal information accurate. We have implemented technology, management processes and policies to maintain data integrity. However, though we have implemented these steps, you are responsible for ensuring the accuracy of your personal information when you provide it to us.

We will provide you with access to your information when reasonable, or in accordance with relevant laws, including making reasonable effort to provide you with online access and the opportunity to change your information. To protect your privacy and security, we will take steps to verify your identity before granting access or making changes to your personal information. To access and/or correct information, you can do so online or notify us as provided below.

LINKS TO NON-OPUS WEBSITES

Opus websites may provide links to third-party websites for your convenience and information. If you access those links, you will leave the Opus website. Opus does not control those sites or their privacy practices, which may differ from ours. We do not endorse or make any representations about third-party websites. The personal information you choose to give to unrelated third parties is not covered by this Privacy Statement. We encourage you to review the privacy policy of any company before submitting your personal information.

MONITORING AND ENFORCEMENT

Adherence to this privacy policy is overseen by the Information Security team at Opus Agency, which enforces the policies enumerated above with regard to any qualifying data.

COMMUNICATION TO INDIVIDUALS

If you have questions regarding our compliance with this Privacy Statement you should contact us as provided below.

As we provide more services on our websites and as privacy laws and regulations evolve, it may be necessary to revise or update our Privacy Policy without notice. You can determine if this Privacy Policy has been revised since your last visit by referring to the last updated legend at the bottom of this page. You are encouraged to refer back to this page regularly and also prior to providing any personal information via our websites.

CONCERNS OR COMPLAINTS

Email: web-help@opusteam.com
Phone: 971-223-0777
Mailing address: 9000 SW Nimbus Ave. Beaverton, OR 97008 USA
Last updated January 5, 2015