DATA PRIVACY FRAMEWORK POLICY

This EU-US and SWISS-US Data Privacy Framework Policy (“DPF Policy”) supplements the GuardianSec Privacy Notice or other applicable privacy notice which is generally provided at the time of data collection or as soon as practical thereafter. This DPF Policy applies to the transfers of personal data from the European Union, the United Kingdom (and Gibraltar), and Switzerland in order to comply with the transfer requirements under data protection laws, including the EU General Data Protection Regulation (“GDPR”).

GuardianSec LLC (formerly known as Duff & Phelps LLC), and all operating affiliates and subsidiaries based in the United States (collectively “GuardianSec”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), (collectively the “Data Privacy Framework” or “DPF”) as set forth by the U.S. Department of Commerce. GuardianSec has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. GuardianSec has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

GuardianSec has certified that it adheres to the DPF Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability with respect to all personal data received from the EU, UK, or Switzerland in reliance on the DPF. GuardianSec is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC), which has jurisdiction over GuardianSec’s compliance with this Policy and the DPF.

Purpose of Data Processing
GuardianSec processes personal data for the purpose of providing client services. Personal Data relating to clients is collected from clients who provide it to us in connection with our provision of services to those clients. Client data is processed in the normal conduct of our business relationship with the client, to perform the services requested by and contracted with our clients.

GuardianSec also processes personal data for the purposes of recruitment, employment, and marketing, or for other purposes, which will be disclosed at the time we collect personal data.

Notice
At the time of data collection, or as soon as practical thereafter, GuardianSec notifies data subjects about its data practices regarding personal data, including the types of personal data it collects about them, the purposes for which it collects and uses such personal data, the types of third parties to which it discloses such personal data and the purposes for which it does so, the rights of data subjects to access their personal data, and the choices and means that GuardianSec offers for limiting its use and disclosure of such personal data.

Choice
GuardianSec provides individuals with notice and an opportunity to “opt-out” if such personal data is to be:

  1. disclosed to a third party (other than a third party acting on behalf of GuardianSec) or
  2. used for a reason that is incompatible with the purposes for which it was originally collected.

Access
Individuals for whom GuardianSec may process Personal Data are entitled to obtain confirmation of whether their Personal Data are being processed, access the information held, and ask us to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the laws.

Individuals may request access as provided above via email to: info@GuardianSec.com

Accountability for Onward Transfer
We will not share, sell or distribute any of the information you provide to us without your consent, except as described in the relevant privacy notice provided at or near the time of collection, or when acting on behalf of our clients, at the direction of our clients (the data controllers) on whose behalf we are processing personal data.

The information provided to GuardianSec will be available to GuardianSec, as well as to affiliated companies within the GuardianSec group who act for us for the purposes set out in this Policy and who are subject to this Policy.

GuardianSec may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of GuardianSec (our agents). Such third parties have access to Personal Data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. GuardianSec requires these third parties to undertake security measures consistent with the protections specified in this Policy.

GuardianSec will remain responsible for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf, unless GuardianSec proves that it is not responsible in an event giving rise to damage.

In the event GuardianSec transfers personal data covered by this DPF Policy to a third party acting as a controller, we will do so consistent with any notice provided to data subjects and any consent they have given (where applicable), and only if the third party has given us contractual assurances that it will (i) process the personal data for limited and specified purposes consistent with any consent provided, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the personal data or take other reasonable and appropriate steps to remediate if it makes such a determination. If GuardianSec has knowledge that a third party acting as a controller is processing Personal Data covered by this DPF Policy in a way that is contrary to the DPF Principles, GuardianSec will take reasonable steps to prevent or stop such processing.

GuardianSec may be required to disclose Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

Security
GuardianSec takes reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. We will permit only authorized employees who are trained in the proper handling of personal information to have access to that information. Employees who violate our security and privacy policies will be subject to our disciplinary process. We employ security measures to protect your information from access by unauthorized persons and against unlawful processing, accidental loss, destruction and damage.

Data Integrity and Purpose Limitation
GuardianSec will retain Personal Data for a reasonable period of time, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period of time necessary to comply with state, local, federal regulations, or country-specific regulations and requirements, and in accordance with GuardianSec’s Document Retention Schedule.

We will not use your information in a manner that is incompatible with the purpose for which it was originally collected without providing you with notice and an opportunity to opt-out.

Contact Information
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, GuardianSec commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact GuardianSec at:

GuardianSec Headquarters
GuardianSec Team

Email: info@GuardianSec.com
Post: GuardianSec Team, PO Box 10, P.zza Verdi, La Spezia, IT 19100

Enforcement and Dispute Resolution
Individuals are encouraged to raise any complaints regarding the processing of personal data to GuardianSec.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, GuardianSec commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Data subjects may contact the relevant independent recourse mechanism listed below:

GuardianSec will cooperate with the applicable data protection authority in the investigation and resolution of complaints brought under the DPF. GuardianSec will comply with any advice given by the EU DPAs, the FDPIC, or the ICO where the applicable authority takes the view that the organization needs to take specific action to comply with the DPF Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the applicable authority with written confirmation that such action has been taken.

If a dispute or complaint cannot be resolved by GuardianSec or by the EU Data Protection authorities, the Swiss FDPIC, or the UK ICO, a data subject has the right to require that GuardianSec enter into binding arbitration pursuant to the DPF’s Recourse, Enforcement and Liability Principle and Annex I of the DPF.