SSPC: THE SOCIETY FOR PROTECTIVE COATINGS
Effective Date: May 25, 2018 (Revised: January 9, 2019)
1. Data Controller and Data Protection Officer
For purposes of the European Union General Data Protection Regulation (the “GDPR”), SSPC: The Society for Protective Coatings is the data controller (the “Data Controller”) for the processing of Personal Data as set forth herein.
You may contact us as follows:
Data Privacy Officer
SSPC: The Society for Protective Coatings
800 Trumbull Drive
Pittsburgh, PA 15205
United States of America
You may contact our Data Protection Officer as follows:
Schneider Downs & Co., Inc.
1 PPG Plaza, Suite 1700
Pittsburgh, PA 15222
2. Personal Data & Special Categories of Data
For the purpose of performing SSPC’s information and related services with respect to surface preparation, coating selection, coating application, environmental regulations, and health and safety issues that affect the protective coatings industry (as further detailed below, the “Services”), we collect the types of personal information described below (“Personal Data”).
- Personal Information – We collect personal details about you, including without limitation legal name, place of residence, phone numbers, email addresses, birthdate, age, employment-related information (including without limitation employer, position, time of service etc.), education-related information (including without limitation high school and college transcripts, majors, etc.), banking information (including without limitation credit card and checking information) and other certification-related information.
- Special Categories of Data (Consent) – We may ask our members and customers if they are members of any trade unions and such information shall be processed solely as described in Section 4(c) below. Additionally, we may collect the first name of the spouse of each of our Board Members as further detailed below. To the extent such spousal information reveals information about your sexual orientation, such Personal Data may constitute a special category of data under the GDPR.
3. How We Obtain Personal Data
We collect Personal Data in a variety of ways including, without limitation: via phone call, our website (including without limitation when you sign up for courses, apply for certification or a scholarship, purchase a product or service, register for a conference or event, register for training or other educational course, submit your name for a committee or board position or for other employment with us, etc.), information submitted via email, physical mail, online or physical questionnaires or forms, business cards collected by SSPC and/or our affiliates or service providers while at events, conferences, or otherwise, orally, or otherwise collected by us during our provision of services in the ordinary course of business. We may also collect Personal Data from third-party sources, with the understanding that we take steps to obtain assurances from such sources that you gave your consent to the sharing of such information when you provided such information to such third party.
4. Personal Data Processing and Data Retention – Subject always to your rights as set forth in Section 9 below:
- SSPC Services – “SSPC Services” hereunder include: SSPC membership services for individuals and entities who have registered and paid for SSPC membership, audits and certifications of contractors against specified standards, setting up, and operating, conferences and events for people in our industry under the SSPC banner, or for others, industry certifications for individuals and entities (including publishing a searchable, public directories of certified individuals and entities), and selling and offering industry-related online courses . We use Personal Data that we collect hereunder as necessary to provide the SSPC Services as requested by you, including without limitation processing applications and registrations to participate in SSPC Services (membership, certification, classes, conferences, etc.) communicating with you about the SSPC Services, , and providing you with the benefits of SSPC Services.
- Directories – Certain aspects of SSPC Services will involve the publication of Personal Data in a directory format. In many cases, we view such publication as a necessary and integral part of providing you with the benefits of the SSPC Service you have requested. For example, one of the benefits of successfully completing a SSPC certification program, is that we will declare your certification publicly by adding your Personal Data (name, contact information, gender, company affiliation, position, educational experience and other certifications) to a public, searchable online directory so that individuals and companies seeking to engage the services of certified individuals and contractors can contact you. Similarly, when you become an SSPC member, we will include all of your relevant Personal Data for contacts in a restricted access membership directory (e.g., name, title, company affiliation, mailing address, email address and phone number) which can only be accessed through our website by other members. Also, when you register to participate as an exhibitor at one of our conferences or events, we will include you in a directory of exhibitors that may be published/made available through our website, other promotional materials promoting the conference or event and/or distributed or made available to attendees. In other instances, we may identify you by name, title, company affiliation, and/or mailing address when you join our Board, our Advisory Council or one of our SME Committees. In addition, Advisory Council directory publications may also include the email address and country information for Council members. In some cases we are required by applicable law to identify you (e.g., certain tax filings require listing of Board members) and in other cases we will do so when there is a legitimate interest that is addressed by such identification that is not overridden by your data protection rights as required by applicable law (e.g., publication of basic identifying information for participation in SME Committees to satisfy legitimate interests to establish credibility, accountability, transparency, etc.). In other cases, when required, we will ask for your express consent to our inclusion of your Personal Data in directories (for example, when required we will ask for you consent to include specified Personal Data in an attendee directory provided to interested exhibitors when you register to attend one of our conferences or other events).
- Union Membership (Consent) – We may collect information about you regarding your union membership status or affiliation. We process this information solely for purposes of determining union status so that we may offer you special union-member discounts, to verify your eligibility to participate in union-specific programming that we may offer, and to send you invitations and other marketing materials and communications in connection with the foregoing. We will only process such information for such purposes with your express consent.
- Accounting and Billing – We may use Personal Data for our own administrative, accounting, and business needs including billing, invoicing, internal accounting and record-keeping requirements as well as other related administrative and business purposes. Certain processing is undertaken as necessary to complete a contract for services (collecting payments, making payments for authorized transactions such as membership fees, registration fees, payment for services rendered, etc.). In other instances our processing of Personal Data as described in this paragraph is required for us to fulfill legal obligations to which we are subject (e.g., record keeping mandated by applicable law).
- Scholarships – We may offer, from time to time, scholarships to pre-college, college and/or post-college students (“Scholarships”). We use Personal Data that we collect hereunder as necessary for purposes of our Scholarships as requested by you including without limitation, processing your application, contacting you regarding the Scholarship and otherwise as necessary in connection with the Scholarships. You acknowledge and agree that only SSPC members (or their children or grand-children) are eligible for our Scholarships. Therefore, if you are applying for a Scholarship, you agree that you will either have satisfied the membership requirement before you apply for a Scholarship or, if not, then for your convenience and with your express consent, when we process your application for a Scholarship, we will use Personal Data that you provide as part of your application to enroll you in a free student membership with SSPC. We will ask for your express consent before using your Personal Data to enroll you in a free student membership as described above, and you are free to grant, or withhold, such consent. In the event that you withhold, refuse or withdraw your consent with respect to the foregoing, your scholarship application will still be processed and reviewed, but you must still meet all of the eligibility criteria to be considered.
- SSPC Service Roles – As part of the Services, we hire and/or locate instructors, teachers and speakers, seek and obtain candidates for our board, seek and obtain members for certain “subject matter expert” committees and advisory councils related to our industry, and grant certain people the right to our courses on our website for their own purposes (collectively, the “SSPC Service Roles”). We use Personal Data that we collect hereunder as necessary in connection with the SSPC Service Roles as may be requested by you from time to time, including without limitation communicating with you about the SSPC Service Roles, sharing your name and other Personal Data to identify you as a candidate for Board Membership on ballots, completing and processing applications for board, committee and/or council positions, paying you (if applicable) in connection with the SSPC Service Roles, and otherwise as necessary in connection with the SSPC Service Roles.
- Legitimate Interests - We may also use Personal Data collected hereunder in circumstances other than as expressly described above in connection with the services we provide and/or our own operations; provided, however that any such additional processing may only occur when there is a legitimate interest to do so that is not overridden by your data protection rights as required by applicable law. The types of processing/uses contemplated hereunder may include, without limitation, for our own administrative and business needs, audits and self-assessments for compliance with applicable laws, regulations, court order, and applicable firm or Employer policies, for information technology purposes including without limitation trouble shooting, business continuity, disaster recover, data backup and recovery.
- Personal Data Retention – We generally retain Personal Data in accordance with and for the time periods required by our document retention/filing polices and applicable retention requirements imposed on us by applicable law, rule, regulation or court order, unless there is reasonable basis for retaining such data for a longer period (including, without limitation, in connection with the establishment, exercise or defense of legal claims).
5. Optional Data Processing. In addition to processing Personal Data in the ways set forth above, you may also choose to allow us to use certain Personal Data at your direction and/or with your express consent, as detailed below. The types of data processing described in this Section 5 are not necessary or integral to the performance of SSPC Services and we will not use Personal Data for such optional purposes except as expressly set forth in this Section 5;
- Information Requested – If you request information about us or our products and/or services, you may elect to provide Personal Data. We will use such Personal Data to respond to your request.
- Marketing (Consent) – From time to time we may offer you the option of signing up, or having us sign you up, for various mailing lists, emailing list or other directory-related list used to send communications from us for purposes of keeping our members and prospective members updated with respect to developments in our Services, our industry, conferences that we or our service providers operate, or otherwise (“Marketing Updates”). In order to register you on such lists, we will ask for your Personal Data. We will specifically ask for your consent to use such Personal Data on an opt-in basis and contact you with such Marketing Updates from time to time.
- Information Provided by Non-Members – From time to time customers of our services or products and visitors to our websites, conferences and other programs (in each case who are not members of ours), may provide us with Personal Data, and we may keep such Personal Data and use it to market and communicate with such persons about our products and services; provided that we will ask for your express consent to use such Personal Data for such purposes.
- Performance of Services – In order for us to perform Services we disclose Personal Data hereunder to third parties as we may be directed in the course of providing Services.
- Advisory Committees (Consent) –We may provide Personal Data to our international Advisory Committees for the purpose of allowing such committees to communicate with our members and customers about committee activities, participation and potential participation on Advisory Committees. We process Personal Data in this manner only with your express consent.
- International Licensees and Resellers (Consent) –We may provide Personal Data to our international resellers and licensees so that such resellers and licenses may market their respective products and services with respect to SSPC course content to you. We process Personal Data in this manner only with your express consent.
- Exigent Circumstances – In addition to the disclosures set forth above, we will disclose Personal Data about you: (1) if we are required to do so by law or legal process, (2) to law enforcement authorities or other government officials, (3) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss in connection with an investigation of suspected or actual illegal activity; or (4) if necessary to protect the vital interests of any person.
7. Transfer of Personal Data Outside of the EEA.
- SSPC is Headquartered In the United States - SSPC processes Personal Data as described above in our home country, the United States of America. The United States of America is a country outside of the EEA (a “third-country”) that is not the subject to a European Commission finding of adequacy (the European Commission has not found that U.S. laws ensure an adequate level of protection for personal data with reference to the GDPR). When applicable, we process Personal Data in the U.S. on the basis of our participation in the EU-US Privacy Shield. Otherwise, we process Personal Data in the U.S. on the basis of your consent.
8. Tracking and Traffic Data
In addition to Personal Data that we collect hereunder, we may, through our website, collect data generated automatically by traffic our website (“Traffic Data”). Traffic Data may include, without limitation, internet protocol address(es), operating system(s) and browser specifics of your device, device characteristics, geographic (geo-location) information, user ID(s), clickstream data, and specifics regarding your interactions with (i.e., the path you take through) the website. Traffic Data may also include your mobile device information (e.g., device model, operating system version, device date and time, unique device identifiers, mobile network information) and how you use the website. These types of information do not generally identify or relate to you as an individual; however we may associate these types of information with you as an individual.
Our website may require you to accept session “cookies” to provide customer experience and efficiencies such as enabling you to login, personalizing your experience, and/or automatically filling in standard information on return visits. "Cookies" are small pieces of information that are stored locally on your device by your browser and passed back to the server whenever a request for a new page on the site is made. The session cookie is never saved or written to disk. It is discarded when the browser exits, when you log out of the website, or when you have not visited a page on the website for a given period of time, for example 60 minutes. Most web browsers automatically accept session cookies, but most browsers also allow you to configure your web browser to refuse them or to notify you before a cookie is set. You also can manually view (and delete) any cookies stored on your computer. If you do not allow session cookies to be set, you may not be able to use our website, access the full content otherwise available through our website and/or use the full features and functionality of our website.
Our website may use Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies" to help the website analyze how users use and view the website. Any information generated by the cookie about your use of our website (including your IP address, and particulars about your browser and configuration as reported by your browser) may be transmitted to and stored by Google on servers in the United States. Please note any information collected by Google Analytics cookies do not include personalized identification information (such as names, e-mail addresses, and payment information). Google may use the information collected for the purpose of enabling us to evaluate your use of our website, certain aspects of your user experience thereon, compiling reports on activity for us and providing other services relating to our website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. More information on the Google Analytics cookies are available from Google at https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage.
9. Your Rights and Options –
- Generally – If you have any questions or concerns about our privacy practices or the Personal Data we store and process about you, please contact us as outlined herein.
- If you are based in the European Economic Area (“EEA”) – You have rights under the GDPR to: (i) access your Personal Data by asking us in writing for a copy of your Personal Data; (ii) to review and correct inaccuracies in your Personal Data; (iii) delete Personal Data that is no longer necessary or relevant; (iv) restrict processing of your Personal Data; and (v) to receive a copy of your Personal Data in a structured machine-readable format. Additionally, you can object to the continued processing of your Personal Data hereunder in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement). Likewise, where we rely solely on your consent as our grounds for processing your Personal Data above, you may withdraw your consent at any time; subject to the limitations and disclosures set forth above regard the effect such demands or withdrawals may have on our ability to continue providing the products and/or services in the manner originally requested.
- Privacy Shield Complaints, Concerns, Recourse - If you have unresolved concerns about the processing of your Personal Data, you may have the right to complain to a data protection authority where you reside, where you work or where you believe there has been an infringement of data protection laws, all in accordance with, and subject to, applicable local law.
- SSPC has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.
- Under certain, specific conditions, individuals have the possible additional recourse of invoking binding arbitration before a Privacy Shield Panel (arbitral body), created by the US Department of Commerce and the European Commission.
You may also object to processing that is described above as being based on our legitimate interests alone. In such instances, our business interests must be found to be compelling and to not jeopardize your individual rights before further processing may continue.
Your rights above are subject to certain limitations under the GDPR.
In order to meet our obligations under applicable law, we may take reasonable steps to verify your identity before responding to demands as set forth in this Section 9.
If you have unresolved concerns about the processing of your Personal Data, you may have the right to complain to a data protection authority where you reside, where you work or where you believe there has been an infringement of data protection laws, all in accordance with, and subject to, applicable local law.
10. Verification – SSPC has engaged Schneider Downs & Co. , Inc. as our third party for the assessment and verification of SSPC’s compliance with Privacy Shield requirements on an ongoing basis.
HOW TO CONTACT US