CoSo Cloud, LLC (CoSo) aims to protect Personal Data transferred from the European Union (EU)/European Economic Area (EEA) to CoSo’s operations in the United States (U.S.). This Privacy Statement sets forth the standards under which CoSo will treat such Personal Data.
CoSo complies with the EU-U.S. Privacy Shield framework regarding the processing of European Personal Data in the United States and commits to applying the Privacy Shield Principles to all Personal Data received in the United States from the EU/EEA in reliance on the Privacy Shield. CoSo has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.
CoSo’s participation in Privacy Shield is subject to investigation and enforcement by the Federal Trade Commission.
DEFINITIONS
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Subject” means an identified or identifiable natural person to whom any given Personal Data covered by this Privacy Statement refers. An identified or identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
“Personal Data” means information relating to a Data Subject.
“Processor” means a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of a Controller.
“Sensitive Personal Data” means Personal Data regarding any of the following:
“Third Party” is any natural or legal person, public authority, agency, or any other body other than the Data Subject, the Controller, the Processor, and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data.
SCOPE AND RESPONSIBILITY
This Privacy Statement applies to the collection, use, and disclosure in the U.S. of Personal Data of employees (current and former), dependents, beneficiaries, applicants, consultants, and contract workers transferred from countries in the EU/EEA to CoSo’s operations in the U.S.
All employees of CoSo that have access to such Personal Data in the U.S. are responsible for conducting themselves in accordance with this Privacy Statement. CoSo employees responsible for engaging third parties to handle Personal Data covered by this Policy on behalf of CoSo (e.g., temporary staff, independent contractors, sub-contractors, business partners, or vendors) are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Privacy Statement, including any applicable contractual assurances required by the Privacy Shield Principles.
Failure of a CoSo employee to comply with this Privacy Statement may result in disciplinary action up to and including termination.
PRIVACY PRINCIPLES
CoSo complies with the following principles with respect to the Personal Data described in the “Scope and Responsibility” section of this Privacy Statement that is transferred from countries in the EU/EEA to CoSo’s operations in the U.S.
Notice
CoSo collects, uses, discloses, and disposes of Data Subjects’ Personal Data for human resource management and other business purposes, including:
Candidates for Employment with Clients. CoSo provides a wide variety of services and solutions to its business clients (“Clients”) that facilitate the selection, hiring, and internal mobility of individual candidates (“Candidates”) for specific employment. In some instances, CoSo may obtain access to Personal Data about such Candidates while providing the services and solutions. In other specific instances, CoSo may also obtain access to data about our Clients’ existing employees or end users (“End Users”) while providing support services to the Clients. Such data may include contact details, work history, educational history, work preferences, and other information, depending on the Client and application at issue. Wherever we obtain access to Personal Data about Candidates or End Users, we are acting as a Processor on behalf of our Clients, and we therefore conduct such activities strictly in accordance with their instructions and pursuant to our contractual arrangements with them. If you are a Candidate for employment with one of our Clients, or an End User with an existing relationship with one of our Clients, you should refer to the Client’s website or human resources manager to understand the privacy practices that apply to Personal Data that we may maintain about you. Moreover, if you would like to access and review your Personal Data, you should contact our Client (your potential or existing employer) with any such requests. We will cooperate as appropriate with requests from our Clients to assist with such responses.
CoSo may disclose Data Subjects’ Personal Data to third parties acting as its agent such as consultants, accountants, auditors, lawyers, benefit vendors, and financial services vendors for the purposes described above.
Access
Data Subjects have the right to access Personal Data about them that CoSo holds and will be able to correct, amend, or delete such Personal Data if they can demonstrate it is inaccurate (except when the burden or expense of providing access would be disproportionate to the risks to their privacy, or where the rights of persons other than Data Subjects would be violated). To request access to, correct, amend or delete Personal Data, please contact CoSo at: CoSo Privacy Office (privacy@CoSo.com).
Choice
CoSo will notify Data Subjects before (a) disclosing their Personal Data to any Third-Party Controller or (b) using their Personal Data for a purpose that is materially different from the purpose(s) for which the Personal Data was originally collected or subsequently authorized by the Data Subject. That notice will provide Data Subjects with instructions on how they can opt out of such disclosure or use. You may exercise your choice to opt out by contacting CoSo at: CoSo Privacy Office (privacy@CoSo.com).
If CoSo collects Sensitive Personal Data, CoSo will not (a) disclose that information to a Third Party or (b) use that information for a purpose other than that for which the information originally was collected or subsequently authorized by the Data Subject, unless the Data Subject provides prior, explicit consent.
A Data Subject’s decision to opt out of, or refusal to consent to, a particular use or disclosure does not mean that Personal Data already collected will be erased or deleted or that CoSo cannot continue to use or disclose the information already collected for the purpose(s) for which it originally was collected or subsequently authorized by the Data Subject or, with respect to non-Sensitive Personal Data, for compatible purposes.
Accountability for Onward Transfer
Except as otherwise explained in this Privacy Statement, CoSo will transfer Personal Data only to (a) an entity that a Data Subject has specifically authorized to receive the data (and its designated representatives), or (b) Third Parties acting as CoSo’s agents (e.g., service providers that help host or support CoSo’s web site, or that otherwise provide technical assistance). Furthermore, CoSo will transfer Personal Data to such Third Parties only if the transfer is for limited and specified purposes and the Third Party will provide at least the same level of privacy protection as is required by this Privacy Statement and as applicable, the Privacy Shield Principles.
With respect to transfer to its agents, CoSo will transfer only the Personal Data needed for an agent to deliver to CoSo the requested product or service. The agent will be prohibited from using such Personal Data for any other purpose and will be required to maintain commercially reasonable security measures to protect the confidentiality and security of that Personal Data. CoSo remains responsible under the Privacy Shield Principles if an agent processes Personal Data in a manner inconsistent with the Principles, except where CoSo is not responsible for the event giving rise to the damage. Nothing in this Privacy Statement shall be construed as a waiver of any claims or defenses CoSo may have as a result of the agent’s improper use of Personal Data.
In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Privacy Shield, CoSo is potentially liable, subject to any claims and defenses CoSo may assert.
CoSo may also be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Security
CoSo takes reasonable physical, technical, and organizational measures to protect the security of Data Subjects’ Personal Data. Such Personal Data is subject to restricted access in our offices. Only employees who need the information to perform a specific job are granted access to Personal Data. Furthermore, all employees are regularly informed about our security and privacy practices. When new policies are added, our employees are notified and/or reminded about the importance we place on privacy, and what they can do to protect our users’ and customers’ Personal Data. Finally, we maintain reasonable physical, technical, and organizational measures to make sure that the servers on which we store Personal Data are kept in an access-restricted, physically secure, and monitored environment.
Data Integrity and Purpose Limitation
CoSo collects only Personal Data that is necessary for the purposes described above and, with respect to non-Sensitive Personal Data, for compatible purposes. CoSo takes reasonable steps to ensure that the Personal Data it collects is accurate, complete, current, and reliable for its intended use.
Recourse, Enforcement and Liability
CoSo is subject to the investigatory and enforcement powers of the Federal Trade Commission.
CoSo will periodically review and verify its compliance with the Privacy Shield Principles and remedy issues arising out of any failure to comply with those Principles.
In compliance with the EU-US Privacy Shield Principles, CoSo commits to resolve complaints about your privacy and our collection or use of your personal information. Data Subjects with inquiries or complaints regarding CoSo’s collection, use, disclosure, or transfer of their Personal Data should first contact CoSo at: Donald Creston, General Dynamics Information Technology, Inc., 3150 Fairview Park Drive, Falls Church, Virginia 22042; Email: privacy@gdit.com; Telephone: 703-995-1982.
CoSo has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY Shield, located in the United States and operated by BBB National Programs. If your inquiry or complaint does not involve human resource data and you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. This service is provided free of charge to you.
Should your complaint remain fully or partially unresolved after a review by CoSo, BBB EU Privacy Shield and the relevant DPA, you may be able to, under certain conditions, seek arbitration before the Privacy Shield Panel. For more information, please visit https://www.privacyshield.gov.
Human Resources Data
If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by CoSo, and your inquiry or complaint involves human resource data, you may have your complaint considered by an independent recourse mechanism: for EU/EEA Data Subjects, a panel established by the EU data protection authorities (“DPA Panel”). To do so, you should contact the state or national data protection or labor authority in the jurisdiction where you work. CoSo agrees to cooperate and comply with the decisions of the DPA Panel.
LEGAL DISCLAIMER
We may disclose Personal Data when required by law or in the good faith belief that such action is necessary to conform to the edicts of the law, comply with legal mandates, enforce the terms of use of our websites, or to protect the rights, property, or personal safety of CoSo, its users and the public. This may include disclosure in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
QUESTIONS
If you have any questions about this Privacy Statement, or if you would like to request access to Personal Data that we may maintain about you, please contact: CoSo Privacy Office (Security@CoSoCloud.com).
Effective Date: May 16, 2022
FLETC Case Study
General Motors Case Study 
Learning Tree Case Study 
