[Last updated: December 16, 2019]
Zander Sterling, LLC (“Zander Sterling,” “we,” or “us”) is concerned about privacy issues and wants to ensure that our clients, their employees, and any affected data subjects (“you”) are informed about the security and use of the personal information that we receive and process on your behalf.
As a CPA firm, we have been and continue to be bound by professional standards of confidentiality that are, in many respects, more stringent than those required by law. However, such standards don’t always require the level of detailed public disclosures that are necessary to satisfy the mandates of privacy-related regulations.
Accordingly, we have undertaken the steps required to comply with the EU General Data Protection Regulation (“GDPR”), where applicable, as well as the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively.
In many instances, we are engaged directly by corporations or businesses, which results in the processing of employee information at their request. Where we refer to “employer” below, it is in these circumstances where corporations or other business groups have engaged us to act. You may at any time, if you prefer, address any concerns directly to your employer, where applicable.
PERSONAL INFORMATION WE COLLECT & HOW WE USE IT
Zander Sterling collects certain personal information about you and, if required, your family members and employer for the purposes of providing tax consulting, compliance and ancillary services. We will not be able to provide the services requested if we are not provided with all relevant personal information. Below are set forth the purposes for which personal information is used, examples of the types of information that may be required, and the lawful bases for processing that information. If, through the course of providing our services, you and/or your employer request additional services, such as payroll advice, representation on tax authority notices or audits, tax equalization calculations, and Totalization Agreement applications, we may be required to collect additional types of personal information to provide the requested services.
For purposes of providing the client services you and/or your employer request, Zander Sterling collects and processes personal information such as name, gender, physical address, e-mail address, telephone number, date of birth, marital status, passport number, visa number, employment history, employee number, job title and function, and resident status. Where required for the services, Zander Sterling collects certain personal documents such as passport copies, educational documents, medical records, visa copies, birth certificates, and other documents.
We obtain the personal information from a number of sources, such as through our online portals, our website or applications, online questionnaires and forms you complete, and other information you provide directly to us, including by email or in conversation with our consultants and staff. In addition, we may obtain personal information from third-party sources, such as other tax services providers, financial services companies, relocation companies, and your current or prospective employer. We use this information to provide tax compliance and consulting services, including analyzing, completing and processing personal income tax returns and related filings and submissions to relevant government agencies, FinCEN and FATCA regulatory filings, ITIN applications, payroll forms, providing tax consultative advice and minimization strategies, and assisting with relocation and other global mobility issues.
In many instances, such as responding to tax authority notices and audits, the services we provide require follow-up services. If such follow-up is required, the information we have collected previously is used to provide the additional related services for which we have been engaged.
We also use your personal information in other instances in connection with the services we provide. This use occurs only when there is a legitimate interest to do so that is not overridden by your data protection rights as required by law, such as assisting in the management and administration of our clients’ global mobility programs (e.g., tax services eligibility tracking, annual tax compliance status reporting, Totalization certificate of coverage expiration tracking, etc.), providing access to online case-management tools, where applicable, and the invoicing of our services. Where we are engaged by your employer, we process your personal information because it is in our legitimate interests to do so in order to fulfill our contract with your employer for client services.
In addition to providing you or your employer with our services, we process personal information to comply with our legal and regulatory obligations including record-keeping requirements.
The lawful bases for the types of processing described above—all of which involve the provision of client services to you or your employer—include one or more of the following: (i) you have provided clear consent for the processing, (ii) the processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract, (iii) the processing is necessary for compliance with a legal obligation to which we are subject; and/or (iv) the processing is necessary for the purposes of our legitimate interests, including but not limited to providing services to you or your employer.
If you request information about our services directly, you may choose to provide personal information such as your name, address, email address and telephone number. We use your information to respond to your request.
OTHER USES OF INFORMATION
Where it is in our legitimate interests and not outweighed by your data protection rights, we use personal information we collect and process for client and Zander Sterling administration, compliance audits, compliance with Zander Sterling policies and procedures, ensuring the security and integrity of our services and in ensuring that our IT systems function effectively.
In addition, we process your personal information with your consent, such as when we use your contact details to respond to a request or question by you, or where required by law.
SENSITIVE PERSONAL INFORMATION
Governments worldwide require the collection and processing of a wide variety of personal information in order to properly determine and process income, social, payroll and other taxes. Certain categories of personal information may be considered “sensitive” and are subject to a higher level of data protection. These categories may include race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, physical or mental health or condition, data relating to offenses and/or criminal convictions, and biometric data, such as fingerprints, when used to uniquely identify you.
In the context of the services we provide, Zander Sterling collects sensitive personal information when the submission of such data is necessary to comply with legal obligations in a country. In addition, Zander Sterling may need to inquire about certain sensitive information in order to provide relevant tax or consultative advice. In some instances, the laws of EU member states require that we process sensitive personal information for these purposes as permitted by the terms of the EU General Data Protection Regulation (GDPR). On other occasions, we will ask for your explicit consent before processing any such data.
INFORMATION WE COLLECT BY AUTOMATED MEANS
Most browsers will tell you how to stop accepting new cookies, how to be notified when you receive a new cookie, and how to disable existing cookies. Please note, however, that without cookies, you may not be able to take advantage of all our website features.
Log Files, Usage Data and IP Addresses
Log files are web server files (containing information such as domain name or IP address, URL, http response code, or the date and duration of your visit) that are automatically created when an Internet user visits a website. An IP address is an identifier that certain electronic devices use to identify and communicate with each other on the Internet. When you visit our website, our servers log your IP address. In combination with other data, this information helps us understand which features are of interest to our visitors and the regions of the world where these visitors are located. In addition, log files help detect disruptions that may interfere with the provision of our website.
INFORMATION WE SHARE
We will not sell, share, transfer, rent, use, or distribute your information for purposes other than those disclosed here unless required by law or as authorized by you.
We share the information you provide among our employees, as appropriate or necessary in connection with the services, or to protect the interests of any person, where permitted by applicable law.
Where our services are retained by your employer on your behalf, we may share your personal information as instructed by your employer, for tax purposes, for immigration services, to facilitate coordination of services delivered by a relocation management firm selected by your employer, and for any other purpose required to provide the services as permitted by applicable law.
In addition, we will disclose information about you: (1) if we are required to do so by law or legal process, (2) to law enforcement authorities or other government officials, (3) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss in connection with an investigation of suspected or actual illegal activity; or (4) if necessary to protect the vital interests of any person.
HOW WE PROTECT PERSONAL INFORMATION
We seek to ensure that any personal information that we hold about you is accurate, complete, current and otherwise reliable based on data you or an employer provide in order to provide the tax consulting, compliance and ancillary services. We seek to collect only that personal information that is adequate, relevant and not excessive for these purposes.
We maintain appropriate administrative, technical, organizational, and physical safeguards to protect against loss, misuse or unauthorized access, disclosure, alteration, or destruction of personal information.
We educate our employees and strive to maintain appropriate standards of conduct with regard to the protection of personal information.
We take steps to require that third parties who assist in our provision of services abide by all applicable privacy and data protection laws and prohibit them from using your information other than in connection with the services they have been engaged to provide.
We retain personal information for only as long as we need it to provide the services you or your employer has requested, to comply with professional standards, for our own administration and internal purposes, and for any periods that are mandated by law or otherwise agreed to with our clients, after which, we take steps to delete or anonymize the information.
INFORMATION WE TRANSFER
Transfers Required For The Services
Transfers To Other Service Providers
YOUR CHOICES AND RIGHTS
As set out above, Zander Sterling may collect certain information about you in conjunction with providing tax consulting, compliance and ancillary services. We will respect your decision if subsequently either your employer informs us or you directly inform us that you wish to opt out of personal information. If sensitive personal information is involved for the delivery of a new purpose, we will only use your information if you actively communicate your consent to this processing to your employer or us, as applicable, when it is necessary to deliver requested service, or in accordance with the requirements of applicable laws. We will follow the identical procedure if we disclose personal information to third parties that are expected to process the personal information for their own independent purposes.
We also will assist our clients to provide you, or provide you directly, where appropriate, with access to your personal information and, as applicable, with the ability to review and correct inaccuracies, delete unnecessary personal information, and receive a copy of your personal information in a structured machine-readable format. We may, where applicable, use reasonable efforts to assist your employer in responding to a request to access, correct, delete or restrict processing of your personal information or, where required by law, to respond directly to such a request within a reasonable period of time. In the event that either you or your employer informs us in writing that you wish to opt out of future processing of personal information, we will respect your request.
To help protect your privacy and the security of your information, Zander Sterling takes reasonable steps to verify your identity before granting access to information. Where we rely solely on your consent, you may withdraw it at any time. You may also object to processing that is based on our legitimate interests alone. In such instances, our business interests must be found to be compelling and to not jeopardize your individual rights before further processing may continue.
For users from the European Economic Area (the “EEA”) or as required by applicable law, users have the following rights:
- To access the personal information we maintain about you;
- To be provided with information about how we process your personal information;
- To correct your personal information;
- To have your personal information erased;
- To object to or restrict how we process your personal information; and
- To request your personal information to be transferred to a third party.
To exercise the above rights, please contact us at the information provided below. We will consider and process your request within a reasonable period of time. Please be aware that under certain circumstances, the GDPR may limit your exercise of these rights.
You may also contact us using the contact information provided below to be directed to the appropriate DPA contact(s).
HOW TO CONTACT US
Zander Sterling, LLC
Attn: Christopher Cornelius
201 N. Illinois Street
Indianapolis, IN 46204
HOW TO WITHDRAW CONSENT
At any time, users from the EEA (or other users to the extent required by applicable law) may withdraw consent you have provided to us for using, disclosing, or otherwise processing your personal information. You may withdraw your consent by contacting us at the information above and following the instructions in our communication to you.
Please note that your withdrawal of consent to process certain personal information about you (1) may limit our ability to deliver services to you and (2) does not affect the lawfulness of our processing activities based on your consent before its withdrawal.
USE OF WEBSITE BY MINORS
Our website is directed only to individuals who are permitted to share their personal information without parental consent and we request that all other individuals, including individuals under the age of 18, not provide personal information through the site.
We notify individuals about the personal information we collect from them, how we use it, and how to contact us with privacy concerns. We obtain personal information only as permitted by the Privacy Shield Principles or with the consent of the affected individual. Consent for personal information to be collected, used, and/or disclosed in certain ways may be required in order for an individual to obtain or use our services.
To the extent permitted under the Privacy Shield Principles, Zander Sterling reserves the right to process your personal information in a manner consistent with the purposes for which the information was collected and without your knowledge.
When required by the Privacy Shield Principles, we offer individuals the opportunity to opt out of disclosures of personal information to a third party or the use of personal information for a purpose that is different from the purpose(s) for which it was originally collected or subsequently authorized by the individual.
We will comply with the Privacy Shield Principles with respect to disclosures of sensitive personal information, including, when applicable, obtaining the explicit consent (i.e., opt-in consent) of the individual prior to disclosing sensitive personal information to a third party or using sensitive personal information for purposes other than those for which it was originally collected or subsequently authorized by the individual.
Accountability for Onward Transfers
Zander Sterling is potentially accountable in cases of onward transfers of personal information to third parties, such as when third parties acting as agents on our behalf process personal information in a manner inconsistent with the Privacy Shield Principles. We will ensure that any third party to which we disclose personal information provides the same level of privacy protection as is required by the Privacy Shield Principles and agrees in writing to provide an adequate level of privacy protection.
We may transfer personal information to third-party agents, or service providers, who perform functions on our behalf, such as tax software vendors or other third parties who facilitate the provision of our services to you such as email, website and managed IT service providers. We enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield requires and limiting their use of the personal information to the specified services provided on our behalf.
Under some circumstances, we may be required to disclose personal information when necessary to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Data Security and Integrity
We apply administrative, technical, and physical safeguards designed to provide the personal information in our possession with reasonable protection against loss, misuse, unauthorized access, disclosure, alteration, or destruction. However, we cannot guarantee the security of personal information accessible on or transmitted via the Internet.
We process personal information in ways compatible with the purpose for which the personal information was collected, or as otherwise authorized by the individual. To the extent necessary for such purposes, we take reasonable steps to make sure that personal information is accurate, complete, current, and otherwise reliable with respect to its intended use.
As a customer, you have the right to obtain our confirmation of whether Zander Sterling maintains personal information relating to you. Further, we will provide you access to the personal information Zander Sterling maintains about you upon your request and within a reasonable time period. If you become aware that personal information we maintain about you is inaccurate, or if you would like to update, delete, or review your personal information, you may contact us using the contact information above. In addition, we may limit or deny access to personal information where providing such access would be unreasonably burdensome or expensive in the circumstances, or as otherwise permitted by the Privacy Shield Principles. If we determine that your access should be restricted in a particular instance, we will provide you with an explanation of our determination and respond to any inquiries you may have. In some circumstances, we may charge a reasonable fee, where warranted, for access to personal information.
Recourse, Enforcement, and Liability
In compliance with Privacy Shield Principles, Zander Sterling commits to resolve complaints about our collection or use of your personal information.
European Union and/or Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact their employer or Zander Sterling as appropriate.
Zander Sterling has further committed to refer unresolved Privacy Shield complaints to JAMS Mediation, Arbitration, ADR Services (JAMS). If you do not receive timely acknowledgement of your complaint from us, or if we have not resolved your complaint, please contact or visit JAMS at https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a formal complaint. The services of JAMS are provided at no cost to individuals.
Under certain circumstances, it is possible for individuals to invoke binding arbitration regarding Privacy Shield compliance issues unresolved by us. Arbitration, if any, will be conducted in accordance with JAMS’s arbitration rules then in effect. The services of JAMS are provided at no cost to individuals.