Data Privacy Framework – EU/UK/Swiss-US Privacy Policy

project44 January 18, 2024

For purposes of this policy (“EU/UK/Swiss-US Privacy Policy”):

• “Client” means any entity that obtains services from project44.
• “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Information.
• “EU” means the European Union and Iceland, Liechtenstein and Norway.
• “Individual” means any natural person who is located in the EU, UK or Switzerland but excludes any individual acting in his or her capacity as a Worker.
• “Personal Information” means any information, including Sensitive Data, which (i) concerns an identified or identifiable Individual, (ii) is received by project44 in the U.S. from the EU, UK or Switzerland, and (iii) is processed in any form.
• “DPF Principles” means the Principles and Supplemental Principles of the DPF.
• “Processor” means any natural or legal person, public authority, agency or other body that processes Personal Information on behalf of a Controller.
• “project44” means project44, LLC.
• “Sensitive Data” means Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (including trade union-related views or activities), sex life (including personal sexuality).
• “Websites” means project44’s websites, including www.project44.com and www.cloud-v2.p-44.com and any variations or subsites related to these.
• “Worker” means any current, former, or prospective employee of the project44, LLC. or project44, LLC’s subsidiaries, who is located in the EU, UK or Switzerland. For purposes of this EU/UK/Swiss-US Privacy Policy,​“Worker” includes any managing director, temporary worker, intern, other non-permanent employee, contractor, or consultant of project44, LLC. or project44, LLC’s subsidiaries, who is located in the EU , UK or Switzerland.

If you are not an Individual residing in the EU, the United Kingdom or Switzerland, you may refer to project44’s General Website Privacy Policy.

project44’s Data Privacy Framework certification, along with additional information about the DPF Principles, can be found on the official website of the Data Privacy Framework, here.

project44’s privacy practices regarding the processing of Personal Information concerning Individuals comply, as appropriate, with the DPF Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability.

As a Processor, project44 might receive Personal Information about Individuals located in the EU, the United Kingdom and Switzerland from or on behalf of its Clients. For example, in providing visibility, tracking and business intelligence or other services to its Clients, project44 might receive or access Personal Information about its Clients’ or its Clients’ subcontractors’ employees located in EU, the United Kingdom and Switzerland on behalf of such Clients. While the specific information provided to project44 depends on specific Clients and the project44 services such Client obtains, the information typically includes, posi­­tion/lo­­ca­­tion-, sensor- and vehicle data derived from vehicles operating in whole/​part for or subcontracted in the Client, or other information associated with transportation and logistics operations.

When you visit project44’s Websites, you might submit certain types of Personal Information and project44 might collect certain Personal Information through automated means.

In general, Individuals can submit:

1. Contact information (such as name, postal address, telephone number, email address, job title and current employer);
2. Login credentials for the Websites;

• For job applicants, personal information contained in a résumé, C.V., application and/​or our recruitment template, employment history, education history, references, transcripts, and, where legally permissible, ethnicity, race, gender, disability status, and veteran status; and
  

1. Other personal information found in content that you provide (including through surveys).

In addition, project44 may collect certain information by automated means using technologies such as cookies, web server logs, web beacons, and JavaScript.

This might include information such as your device type, operating system type, browser type, domain, and other system settings, as well as the language your system uses, and the country and time zone where your device is located. The web server logs also may record information such as the address of the web page that referred you to our Websites and the IP address of the device you use to connect to the Internet. They also may log information about your interaction with the Websites, such as which pages you visit.

project44 may use third-party web analytics services on our Websites, such as those of Google Analytics. These service providers help us analyze how users and visitors uses the Websites. The information collected for this purpose (including your IP address and other information collected by automated means) will be disclosed to or collected directly by these service providers. To learn more about opting out of these activities, click here.

The Websites might offer third-party plug-ins, such as social sharing tools. Such third-parties may use automated means to collect information regarding your use of the Websites and your interactions with the plug-ins. This information is subject to the privacy policies or notices of the third-party plug-in providers and is not subject to this EU/UK/Swiss-US Privacy Policy. project44 are not responsible for these third-party providers’ information practices.

For further information, please access our General Website Privacy Policy.

When you download project44’s mobile applications, you might submit certain types of Personal Information and project44 might collect certain Personal Information through automated means.

In general, you can submit:

1. Registration information, such as your phone number;

1. Content you upload through the application, such as photos, electronic signatures; and

• Other information you actively provide to project44.

In addition, project44 may collect certain information when you utilize the mobile application, such as location information, information regarding your interactions with the mobile application and information concerning the device on which you have downloaded the mobile application.

For further information, please access our DriverView Privacy Policy.

You may choose to contact and interact with project44 through other means than described above, such as through e-mail, phone or on social medias. To the extent such contact feature Personal Information concerning Individuals, project44 will process any such in accordance with this EU/UK/Swiss-US Privacy Policy.

project44 provides information in this EU/UK/Swiss-US Privacy Policy and the company’s General Website Privacy Policy and DriverView Privacy Policy about its practices in relation to Individuals’ Personal Information, including the types of Personal Information project44 collects, the types of third parties to which project44 discloses the Personal Information and the purposes for doing so, the rights and choices Individuals have for limiting the use and disclosure of their Personal Information, and how to contact project44 about its practices concerning Personal Information.

When project44 acts as a Processor and an Individual’s Personal Information is transferred to project44 in the U.S. on behalf of a Client, the Client and/​or the Client’s subcontractors are responsible for providing appropriate notice to Individuals and obtaining the necessary legal grounds for the processing, such as consent, fulfillment of a contract or a legitimate interest, which supersedes those of the Individual.

Relevant information also may be found in privacy notices pertaining to specific data processing activities.

When project44 collects Personal Information directly from Individuals, the company generally offers those Individuals the opportunity to choose whether their Personal Information may be (i) disclosed to third-party Controllers or (ii) used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorized by the relevant Individuals, if any such disclosure or usage is contingent when the Personal Information is collected.

To the extent required by the DPF Principles, project44 obtains opt-in consent for certain uses and disclosures of Sensitive Data. Individuals may contact project44 as indicated below regarding the company’s use or disclosure of their Personal Information. Unless project44 offers Individuals an appropriate choice, the company uses Personal Information only for purposes that are materially the same as those indicated in this EU/UK/Swiss-US Privacy Policy or the company’s General Website Privacy Policy and DriverView Privacy Policy.

When project44 maintains Personal Information about Individuals with whom project44 does not have a direct relationship because project44 obtained or maintains the Individuals’ data as a Processor, project44’s Clients and/​or Clients’ subcontractors are responsible for providing the relevant Individuals with certain choices with respect to the Clients’ and/​or the Client’s subcontractors use or disclosure of the Individuals’ Personal Information.

project44 might share an Individual’s Personal Information with its affiliates and subsidiaries. project44 may disclose an Individual’s Personal Information without offering an opportunity to opt out, and may be required to disclose the Personal Information, (i) to third-party Processors the company has retained to perform services on its behalf and pursuant to its instructions, (ii) if it is required to do so by law or legal process, or (iii) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. project44 also reserves the right to transfer Personal Information in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).

This EU/UK/Swiss-US Privacy Policy and project44’s General Website Privacy Policy and DriverView Privacy Policy describes project44’s sharing of Individuals’ Personal Information.

To the extent project44 acts as a Controller, except as permitted or required by applicable law, project44 provides Individuals with an opportunity to opt out of sharing their Personal Information with third-party Controllers. project44 requires third-party Controllers to whom it discloses an Individual’s Personal Information to contractually agree to (i) only process the Personal Information for limited and specified purposes consistent with the consent provided by the relevant Individual, to the extent the processing is based on consent, (ii) provide the same level of protection for Personal Information as is required by the DPF Principles, and (iii) notify project44 and cease processing Personal Information (or take other reasonable and appropriate remedial steps) if the third-party Controller determines that it cannot meet its obligation to provide the same level of protection for Personal Information as is required by the DPF Principles.

To the extent project44 acts as a Processor, project44 will only transfer Individuals’ Personal Information as instructed by the Client and/​or the Client’s subcontractors acting as Controller and subject to (i)-(iii) specified above.

With respect to transfers of Individuals’ Personal Information to third-party Processors, project44 (i) enters into a contract with each relevant Processor, (ii) transfers Personal Information to each such Processor only for limited and specified purposes, (iii) ascertains that the Processor is obligated to provide the Personal Information with at least the same level of privacy protection as is required by the DPF Principles, (iv) takes reasonable and appropriate steps to ensure that the Processor effectively processes the Personal Information in a manner consistent with project44’s obligations under the DPF Principles, (v) requires the Processor to notify project44 if the Processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, (vi) upon notice, including under (v) above, takes reasonable and appropriate steps to stop and remediate unauthorized processing of the Personal Information by the Processor, and (vii) provides a summary or representative copy of the relevant privacy provisions of the Processor contract to the Department of Commerce, upon request. project44 remains liable under the DPF Principles if the company’s third-party Processor recipients process relevant Personal Information in a manner inconsistent with the DPF Principles, unless project44 proves that it is not responsible for the event giving rise to the damage.

project44 takes reasonable and appropriate measures to protect Individuals’ Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the Personal Information.

project44 limits the Individuals’ Personal Information it processes to that which is relevant for the purposes of the particular processing. project44 does not process Individuals’ Personal Information in ways which are incompatible with the purposes for which the information was collected or subsequently authorized by the relevant Individual. In addition, to the extent necessary for these purposes and consistent with its role as a Controller or Processor, project44 takes reasonable steps to ensure that the Personal Information the company processes are (i) reliable for its intended use, and (ii) accurate, complete and current. In this regard, project44 relies on Individuals, Clients and Clients’ subcontractors (with respect to Personal Information of Individuals with whom project44 does not have a direct relationship) to update and correct the relevant Personal Information to the extent necessary for the purposes for which the information was collected or subsequently authorized. Individuals (and Clients, as appropriate) may contact project44 as indicated below to request that project44 update or correct relevant Personal Information.

Subject to applicable law, project44 retains Individuals Personal Information in a form that identifies or renders identifiable the relevant Individual only for as long as it serves a purpose that is compatible with the purposes for which the Personal Information was collected or subsequently authorized by the Individual.

Individuals generally have the right to access their Personal Information. Accordingly, to the extent project44 acts as a Controller, where appropriate, project44 provides Individuals with reasonable access to the Personal Information, which project44 maintains about them. project44 will also provide a reasonable opportunity for those Individuals to correct, amend or delete the information where it is inaccurate or has been processed in violation of the DPF Principles, as appropriate.

project44 may limit or deny access to Personal Information where the burden or expense of providing access would be disproportionate to the risks to the Individual’s privacy in the case in question, or where the rights of persons other than the Individual would be violated. Individuals may request access to their Personal Information by contacting project44 as indicated below.

When project44 maintains Personal Information about Individuals with whom project44 does not have a direct relationship because project44 process the Individuals’ Personal information as a Processor for its Clients, project44’s Clients are responsible for providing Individuals with access to the Personal Information and the right to correct, amend or delete the information where it is inaccurate or has been processed in violation of the DPF Principles, as appropriate. In such circumstances, Individuals should direct their questions to the appropriate project44 Client. When an Individual is unable to contact the appropriate Client, or does not obtain a response from the Client, project44 will provide reasonable assistance in forwarding any such the Individual’s request to the Client.

project44 has mechanisms in place designed to help assure compliance with the DPF Principles. project44 conducts an annual self-assessment of Individuals’ Personal Information practices to verify that the attestations and assertions project44 makes about its DPF privacy practices are true and that project44’s privacy practices have been implemented as represented and in accordance with the DPF Principles.

In compliance with the DPF Principles, project44 commits to resolve complaints about our collection or use of Individuals’ Personal Information. EU, the United Kingdom and Swiss Individuals with inquiries or complaints regarding project44 EU/UK/Swiss-US Privacy Policy should first contact project44 at privacy@project44.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, project44 commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit JAMS website for more information or to file a complaint. The services of JAMS are provided at no cost to you. Following the dispute resolution process, the mediator or the Individuals may refer the matter to the U.S. Federal Trade Commission, which has Data Privacy Framework investigatory and enforcement powers over project44.

You may also invoke binding arbitration by delivering notice to project44, if You believe project4 has violated its obligations under the EU-U.S. DPF and the Swiss-U.S. DPF and the violation remains fully or partially unremedied. You may pursue this option by taking the following steps: (1) raise the claimed violation directly with project44 and afford project44 an opportunity to resolve the issue within a reasonable timeframe; (2) make use of the independent recourse mechanism under EU-U.S. DPF, at no cost to you; and (3) raise the issue through your DPA to the Department and afford the Department an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the Department’s International Trade Administration, at no cost to the you. This arbitration option may not be invoked if your same claimed violation of the EU-U.S. DPF (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to which you were a party; or (3) was previously settled by the parties. In addition, this option may not be invoked if a DPA (1) has authority under the EU-U.S. DPF; or (2) has the authority to resolve the claimed violation directly with the organization. A DPA’s authority to resolve the same claim against an EU data controller does not alone preclude invocation of this arbitration option against a different legal entity not bound by the DPA authority. 

project44 has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Data Privacy Framework complaints concerning human resources data transferred from the EU, the United Kingdom and Switzerland in the context of the employment relationship.

When project44 maintains Personal Information about Individuals with whom project44 does not have a direct relationship because project44 maintains the Individuals’ Personal Information as a Processor for its Clients, Individuals may submit complaints concerning the processing of their Personal Data to the relevant Client, in accordance with the Client’s dispute resolution process. project44 will participate in this process at the request of the Client or the Individual.

Under certain circumstances, project44, may be required to disclose information about you in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In such cases, will seek to (i) inform you about such disclosure, unless prohibited by law to do so, and (ii) limit the disclosure to the necessary extent to meet the minimum requirements of the lawful request.

To contact project44 with questions or concerns about this EU/UK/Swiss-US Privacy Policy or project44’s Personal Information practices, Write to:

project44, Inc.

Attn: Legal Department
222 W. Merchandise Mart Plaza, Suite 1744,
Chicago, IL 60654

or

Email: privacy@project44.com.

This EU/UK/Swiss-US Privacy Policy is effective from the January 2024