EU and Switzerland Safe Harbor Policy
Diamond Resorts International® ("Diamond") acknowledges the EU's standard for personal data protection. Through its relationship with a global customer base, Diamond has access to Personally Identifiable Information (PII) of customers and employees in the EU and Switzerland. This Policy addresses the privacy concerns of European/Swiss customers and employees due to data transfer between Diamond's European/Swiss and U.S. business units.
To affect this Policy, Diamond will adhere to the United States Department of Commerce Safe Harbor Principles and will self-certify to the United States Department of Commerce compliance with the European/Swiss Safe Harbor Principles. This Policy applies to all PII data transmissions from Diamond operations in the EU/Switzerland to the United States. This includes transmission of data over phone lines, computer lines, and hard copy and includes such material as payroll records, telephone records, business information, club membership information, performance evaluations, and any material that identifies a particular individual employee or customer.
The use of EU/Swiss employee or customer PII will include personal telephone numbers, addresses, credit card or bank account information, and any other material that identifies a particular individual employee or customer of Diamond.
In implementing this policy, Diamond will annually self-certify to the Department of Commerce, that it agrees to adhere to the EU/Swiss Safe Harbor Principles.
Diamond acknowledges that its failure to provide an annual self-certification to the Department of Commerce will result in the removal of Diamond from the list of participants.
Questions regarding the transmission of personal data from the EU/Switzerland to the United States or any other non-EU/non-Swiss location, or any further transmission of the personal data once received in the United States, should be referred to Diamond’s Information Security Team at firstname.lastname@example.org.
Alternatively, you can opt-out of our e-mail communications by ticking the opt-out box at the bottom of the email.
Diamond has adopted the seven Safe Harbor principles of notice, choice, onward transfer (transfer to third parties), access, security, data integrity and enforcement with respect to PII and sensitive data to be transferred to the U.S. from Diamond operations in the EU/Switzerland.
Notice – Diamond will notify employees and customers in the EU/Switzerland about the purposes for which personal data will be collected and used. Information will be provided on how employees and customers can contact Diamond with inquiries or complaints regarding personal data. Diamond will give notice to employees and customers regarding third parties to which it discloses the information, and restrictions that limit the information’s use and disclosure. In certain situations, data is “anonymized” so that the names of the data subjects are not known by data processors within Diamond. In these cases, data subjects do not need to be notified.
Choice – Prior to releasing personal data to a third party, Diamond will give an individual employee or customer the opportunity to choose whether their personal data is disclosed to that third party, used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by that individual. For sensitive data, an affirmative choice will be given to the employee or customer if the personal data is to be disclosed to a third party or used for a purpose other than its original purpose or the purposes authorized subsequently by the individual.
Onward transfer – (transfer to third parties) – Prior to disclosing personal data to a third party, Diamond will apply the notice and choice principles, enumerated above. Diamond will commit to ensuring that the third party keeper of personal data also subscribes to the EU/Swiss Safe Harbor Principles or any other EU/Swiss adequacy finding. Diamond will also enter into a written agreement with such third party requiring that the third party provide at least the same level of personal data protection as is maintained by Diamond.
Access – Employees and customers covered under this policy will have access to personal information about them that Diamond holds and will be able to correct, amend or delete information if it is inaccurate (the exception is when the burden or expense of providing access would be disproportionate to the risks of the individual privacy in the case in question or the rights of persons other than the individual would be violated.)
Security – Diamond will take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Access to personally identifiable personal data of EU/Swiss employees and customers will be to a limited number of users on a need to know basis.
Data Integrity – Personal data kept by Diamond will be relevant for the purposes for which it is to be used. Diamond will take reasonable steps to ensure that the data is reliable and that it is applied to its intended use. Diamond will also ensure that the information is accurate, complete and correct.
Enforcement – To ensure compliance with these Safe Harbor Principles, Diamond will:
• Commit to cooperate with the Data Protection Authorities (DPAs) of the EU/Switzerland in the investigation and resolution of complaints and will comply with any advice given by DPAs;
• Employ a procedure for verifying that the commitment the company has made to adhere to the Safe Harbor Principles has been implemented;
• Remedy issues arising out of any failure to comply with the Principles. Diamond acknowledges that its failure to provide an annual self-certification to the Department of Commerce will remove it from its list of participants and the transfers of information will not be allowed unless Diamond otherwise complies with the EU/Swiss Data Protection Directive.
• Diamond will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that Diamond determines is in violation of this policy will be subject to disciplinary action, up to and including termination of employment.
Dispute Resolution– The Diamond Information Security Council (“ISC”) will be the internal mechanism for ensuring compliance with the Safe Harbor Principles and facilitating the independent recourse mechanism referenced in the “Enforcement” section above.
Any questions or concerns regarding the use or disclosure of personal information should be directed to the ISC at the address given below. Diamond will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information by reference to the principles contained in this Policy. For complaints that cannot be resolved between Diamond and the complainant, Diamond has agreed to participate in the following dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to the Safe Harbor Principles:
• For disputes involving employment-related personal information received by Diamond from the EU/Switzerland, Diamond has agreed to cooperate with the data protection authorities in the EU/Switzerland and to participate in the dispute resolution procedures of the panel established by the European/Swiss data protection authorities (“DPAs”);
• For disputes involving all other personal information received by Diamond from the EU/Switzerland, Diamond has agreed to BBB dispute resolution. Individuals who submit a question or concern to Diamond and who do not receive acknowledgment from Diamond of the inquiry, or who think their question or concern has not been satisfactorily addressed, should then contact the BBB Safe Harbor Dispute Resolution Program on the Internet at www.bbb.org/us/safe-harbor-complaints. BBB will act as a liaison to Diamond to resolve these disputes. The BBB dispute resolution process shall be conducted in English.
Limitation of Appliance of Principles
Adherence by Diamond to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.
Questions or comments regarding this Policy should be submitted to the Information Security Council by mail to:
Diamond Resorts International®
10600 W. Charleston Blvd.
Las Vegas, Nevada 89138
or by e-mail to email@example.com
Diamond / Diamond Resorts International® - Means Diamond Resorts Corporation, its predecessors, successors, parents, subsidiaries, divisions, and groups in the United States.
European Union – The European Union ("EU") consists of 27 independent sovereign states: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
Personally Identifiable Information (PII or Personal Data, for the purposes of this policy) - Any personal information relating to an identified or identifiable natural person who is a Diamond employee or customer and who can be identified, directly or indirectly, in particular by a reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Sensitive Data - Sensitive data is data that pertains to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, income records, health, sexual orientation or alleged commission of any offense. This data may not be transferred to a third party unless an individual gives explicit consent.