Donnelley Financial Solutions, Inc. and its worldwide subsidiaries (DFIN) respect your privacy and know that you care about how we use and share your information. DFIN is a global business with offices in five continents around the globe, including nine offices (and correspondent offices) in Europe. This notice describes how DFIN collects, shares, uses, and protects personal information in accordance with the requirements of privacy laws in the jurisdictions that we operate in, including but not limited to, the EU and UK General Data Protection Regulation (GDPR) and California Privacy Rights Act (CPRA).
By using this website and other websites that we operate (Our Site(s)) and where we post a direct link to this Privacy Notice, you are accepting and consenting to the practices described in this Privacy Notice.
Our Privacy Notice explains:
- Personal Information we collect, and why we collect it.
- How we use your Personal Information.
- How we share your Personal Information.
- Sale or Sharing of Personal Information.
- Data transfers.
- How we protect your Personal Information.
- DFIN Products.
- How we monitor and enforce.
- How long we keep your Personal Information.
- Your Rights and Choices.
- California consumer rights and choices.
- Global Privacy Laws.
- New York SHIELD Act (New York).
- PIPEDA (Canada).
- GDPR (EU and UK).
- Children’s Online Privacy Protection Act (COPPA).
- Cookies and other technologies.
- Third Party Websites.
- Changes to this Privacy Notice.
- How to contact us.
Personal Information We Collect and Why We Collect
This is information about you that you provide to us by filling in forms on our Sites(s), participating at events organized or attended by DFIN, corresponding with us by phone, electronic mail or otherwise, or visiting our offices. It includes information that you provide when you register to use our Site(s), subscribe to our services, engage in social media functions on our Site(s) or other activities commonly carried out on the respective site, as well as when you report a problem with our Site(s).
Personal Information, also known as personally identifiable information (PII) or personal data, for purposes of this Privacy Notice (including other similar terms under applicable privacy laws), means any information that (i) directly and clearly identifies an individual, or (ii) can be used in combination with other information to identify an individual. Personal information does not include such information if it is anonymous or if it has been rendered de-identified by removing personal identifiers. We may automatically collect information such as:
- Technical information including but not limited to the Internet Protocol (IP) address used to connect your computer to the Internet, source domain names, your login information, browser type and version, time zone setting, length of time spent on our Site(s), operating system, and platform.
- Uniform Resource Locators (URL) including but are not limited to, specific web pages, clickstream to, through, and from our Site(s) including date and time, anything you viewed or searched for, page response times, download errors, length of visits to certain pages, and any phone number used to call our customer service number.
DFIN may also collect sensitive personal information (which may include information relating to medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the sex life of the individual, ideological views or activities, social security measures pertaining to an individual, or administrative or criminal proceedings and sanctions) from you where it is appropriate or necessary for conducting business. DFIN limits its collection and use of personal information to the minimum identifiers that are necessary for performing the specific task related to the purpose for which the personal information is collected.
- DFIN may also supplement the personal information we collect from you with information we receive from third parties, including our business partners, contractors, analytics, and other service providers.
Categories of Personal Information Collected by DFIN
Within the last twelve (12) months, we may have collected the following categories of personal information. This collection of data is reasonable and proportionate to the business, commercial, and regulatory activities of DFIN.
A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name and login information, Social Security number, driver's license number, passport number, or other similar identifiers.
Personal information categories listed under applicable laws.
A name, signature, Social Security number, physical characteristics or description, address, telephone number, text messages, email, passport number, driver's license or state identification card number, insurance policy number, education, bank account number, credit card number, debit card number, or any similar information.
Protected classification characteristics under applicable laws.
Age, race, national origin, citizenship, religion, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, pregnancy, childbirth, and related medical conditions), sexual orientation, veteran, or military status.
Information collected as part of the products and services we provide to you.
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other similar network activity.
Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
Professional or employment-related information.
Current or past employment history or performance evaluations.
We obtain the categories of personal information listed above from the following categories of sources:
- Directly from you or our clients. For example, from forms you complete or products and services you purchase.
- Indirectly from you. For example, from observing your actions on our sites.
How We Use Your Personal Information
DFIN uses, stores, and processes the personal information we collect to:
- Where relevant, operate and provide DFIN’s products and services, including creating, maintaining, customizing, and securing your account with us.
- Where relevant, register you as a customer.
- Fulfil our obligations under a contract with you.
- Provide you with information, products, and services which you request from us or similar products or services which you have already requested.
- Process your requests, purchases, transactions, and payments.
- Where appropriate, provide you with marketing communications for DFIN products and services, including personalized offers and content based on your interactions with us and usage of our products.
- Enforce or apply the terms of any of our user agreements.
- Provide testing, research, analysis, and product development, including developing and improving our Site(s), products, and services.
- Provide technical support, respond to inquiries, investigate and address concerns, and monitor and improve our responses.
- Maintain the safety, security, and integrity of our Site(s), rights, property, products and services, databases and other technology assets, and business of DFIN, DFIN’s users, or others.
- Cooperate with law enforcement requests and as required by applicable law, court orders, or governmental regulations.
- Manage our everyday business needs, such as internal account management, client reporting, contract management, site administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and legal compliance.
- As described to you when collecting your personal information or sensitive personal information.
- Any other basis that lawfully entitles us to process your personal information.
DFIN reserves the right to transfer and disclose your information if DFIN becomes involved in a business divestiture, change of control, sale, merger, or acquisition of all or a part of its business.
Certain privacy laws, such as the GDPR, require that we inform you of the legal bases for our processing of your personal information. We process personal information for the following legal bases:
- Consent: where you have given us clear consent for us to process your personal information for a specific purpose.
- Contract: where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
- Legal obligation: where our use of your personal information is necessary for us to comply with the law.
- Vital interests: where our use of your personal information is necessary to protect you or someone else’s life.
- Legitimate interests: where our use of your personal information is necessary for our legitimate interests or the legitimate interests of a third party.
Please note that if you do not provide us with certain personal information, depending on the purposes for which we have collected it, we may not be able to provide the information, products or services you have asked for or process your requests, applications, subscriptions or registrations, and may not be able to perform or discharge applicable legal obligations.
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing notice. DFIN does not use or disclose sensitive personal Information for purposes other than those specified in this Notice or as permitted under applicable laws.
How We Share Your Personal Information
DFIN may have to share your personal information with entities and persons set out below, for the purposes listed herein:
- Our affiliates, subsidiaries, vendors, consultants, and other service providers to perform the services on our behalf and to ensure the efficient operation of our business.
- Where required, with professional advisors or consultants, including lawyers, banks, auditors, accountants, and insurers providing consultancy, legal, banking, audit, accounting, or insurance services to us; any person or entity to whom we are required or requested to make such disclosure by any court of competent jurisdiction or by any governmental, taxation or other regulatory authority, law enforcement agency or similar body.
- Service providers who provide information technology and system administration services to us.
Categories of Personal Information Shared by DFIN
In the preceding twelve (12) months, DFIN has disclosed personal information for a business purpose to the following categories of third parties:
Category of Third-Party Recipients
Business Purpose Disclosures
California Customer Records personal information categories.
Internet or other similar network activity.
Professional or employment related information.
DFIN may also share your personal information in connection with or during negotiations of any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company.
We may also share your personal information with our customers when they need access to such information to fulfil specific transactions related to services you requested. You may opt out of sharing your information with our customers for related services by sending an email to email@example.com. Upon receipt of your request to opt out of this information sharing, we will acknowledge your request and take appropriate measures in response.
We may also share your personal information if we determine that your actions are inconsistent with our user agreements or policies, or if we must protect the rights, property, and safety of DFIN or others in accordance with, or required by, any applicable law, regulation, or legal process.
Sale or Sharing of Personal Information
In the preceding twelve (12) months we have not “sold” personal information for the purposes of the CPRA. DFIN does not sell the personal information of its employees, contractors, customers, third parties, or any other affiliation to others.
We do not have actual knowledge that we sell or share personal information of minors under 16 years of age. DFIN does not conduct business directly with individual consumers. Our business partnerships are business-to-business (B2B).
As a global organization with legal entities and business processes in operation across borders, we cannot always limit the processing of personal information to the country in which an individual is based. In the course of providing our services, DFIN may need to transfer personal information to locations outside the jurisdiction in which our clients are located or where our Site(s) are viewed. We comply with applicable legal requirements to ensure adequate safeguards for the transfer of personal information.
Data transfers between the U.S., EU, UK, and other countries will only be done subject to compliance with applicable law and appropriate technical and organization safeguards. This includes onward transfers to third parties. DFIN requires our third parties to implement the necessary safeguards to protect personal information both in transit and at rest. In the event such onward transfers are not conducted per our terms; we acknowledge that we may be liable for any resulting outcomes. DFIN transfers personal information to third parties only for limited and specified purposes.
DFIN complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and/or Switzerland to the United States in reliance on Privacy Shield. DFIN has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. DFIN commits to respond promptly to any inquiries or requests made by the Department of Commerce relating to the Privacy Shield Framework. If there is any conflict between the terms in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. eBrevia, a wholly subsidiary of DFIN, also adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
- In compliance with the Privacy Shield Principles, DFIN commits to resolving complaints about our collection or use of your personal information at no cost to the individual. EU and Swiss individuals with inquiries or complaints regarding DFIN’s use of their personal information should contact DFIN’s Global Data Privacy department at firstname.lastname@example.org. DFIN will respond to your inquiry within 45 days.
- For complaints submitted to a data protection authority (DPA) in the EU, the Department of Commerce has committed to receive, review, and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days.
In the event of a reported complaint that DFIN does not resolve itself, DFIN commits to cooperate with EU DPAs and the Swiss Federal Data Protection and Information Commissioner (FDPIC). We will comply with the advice given by each respective regulatory body regarding human resource (HR) and non-human resource data transferred from the EU, as well as non-human resource data transferred from Switzerland to DFIN. DFIN does not transfer HR data from Switzerland. In the U.S., DFIN has chosen the EU DPAs to serve as an independent recourse mechanism (IRM) for dispute resolution. We have designated the United States Council for International Business (USCIB) to act as the trusted third party for this purpose.
Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted. DFIN is accordingly subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). In certain circumstances, DFIN may also be subject to the investigatory and enforcement powers of the U.S. Department of Transportation, or any other U.S. authorized statutory body.
DFIN takes appropriate technical and organizational measures to safeguard all personal information against unauthorized or unlawful processing of, or accidental loss, damage, misuse, unauthorized access, unauthorized disclosure, unauthorized alteration, or destruction, and maintains reasonable procedures to help ensure that such information is relevant for its intended use, accurate, complete, current and not excessive and that such information is not retained longer than is reasonably necessary.
With respect to any sharing of business contact information for the purposes of marketing DFIN products and services, DFIN obtains assurances from its affiliates, subsidiaries, and business partners that such entities will use and disclose such business contact information for purposes of marketing DFIN products and services only. In alignment with our Privacy Shield certification, we acknowledge that we may be required by applicable law to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. DFIN will use commercially reasonable efforts to ensure any data is processed lawfully.
How We Protect Your Personal Information
The security of your personal information is important to us. We use reasonable physical, electronic, and procedural safeguards to protect the personal information we collect from loss, theft, misuse, alteration and unauthorized access or destruction. In addition, we maintain appropriate physical, electronic, and procedural safeguards to protect your personal information, including:
- Restricting access to personal information to our employees or service providers on a “need-to-know” basis.
- Enforcing policies and procedures for our employees in their handling of personal information.
- Using technologies designed to safeguard data during its transmission, such as SSL encryption for the information you provide on some parts of our Site(s) and using appropriate security to safeguard the data that we have received.
DFIN also employs industry-standard measures and processes for detecting and responding to inappropriate attempts to breach our systems.
There is, however, no method of transmission over the Internet, or method of electronic storage that can be 100% secure. Therefore, DFIN cannot guarantee the absolute security of your information. The Internet by its nature is a public forum, and DFIN encourages you to use caution when disclosing information online. Often, you are in the best situation to protect yourself online. You are responsible for protecting your username and password from third party access, and for selecting passwords that are secure.
DFIN has a strong corporate commitment to data privacy. We commit to using data privacy principles and strategies to implement Privacy by Design and Default whenever possible within our applications, practices, and organization. DFIN incorporates various technologies into our applications to streamline data-gathering and reporting processes, protect and secure data, enhance user experience, and efficiently improve performance. Depending on the product(s) in scope, these technologies may include but are not limited to: artificial intelligence (AI) powered contract analysis software, automated data extraction, natural language processing technology combined with machine learning, the study of algorithms, tokenized redaction, proprietary pattern matching technology, redaction masking or anonymization to data files, single sign-on (SSO) access, built-in and customized exception and audit reporting, data integration, built-in safeguards to flag non-compliance requirements, streamlined features for safe real-time collaboration and accurate ﬁnancial reporting, AES 256-bit encryption at rest and in transit, multifactor authentication (MFA), robust role-based access control (RBAC), cloud-based workflow tools, in-app automated publishing capabilities, and Straight Through Processing (STP). These and other technologies continuously provide effective, robust, and innovative forward protections over DFIN’s clients, employees, and stakeholders' personal information.
How We Monitor and Enforce
DFIN regularly reviews our compliance with our Privacy Notice. We also adhere to several self-regulatory frameworks in addition to complying with applicable laws. If we receive formal written complaints, we will follow up with the person making the complaint. We work with the appropriate regulatory authorities to resolve any complaints that cannot be resolved directly.
How Long We Keep Your Personal Information
We will keep your personal information while you have an account with us, or we are providing products or services to you. Thereafter, we will keep your personal information for as long as is necessary to:
- Respond to any questions, complaints or claims made by you or on your behalf.
- Keep records required by applicable laws and regulations or DFIN's retention and deletion policies.
We will not retain your personal information for longer than necessary for the purposes set out in this Privacy Notice.
Your Rights and Choices
Under specific global privacy laws, individuals are afforded certain rights related to the handling and processing of their personal information. DFIN respects your rights and your exercising of these rights. DFIN will make reasonable efforts to comply with your requests, unless such requests are prohibited by law, or there is a legitimate business purpose to retain personal information. We reserve the right to verify your identity before complying with such requests.
You may have the right to access (as permitted under applicable law) and review the personal information stored by us to confirm its accuracy. If necessary, you may request that personal information is updated if it is inaccurate. You may also request that certain personal information be deleted from our files. You may be required to log into your account to exercise these rights or contact us at email@example.com.
Please direct any questions about your personal information to DFIN’s Global Data Privacy department at firstname.lastname@example.org.
In accordance with this Privacy Notice, but excluding any transfers of data to third parties performing tasks directly on our behalf and pursuant to our instructions, where we receive personal information directly from an individual to which such personal information relates, where applicable, we will offer the individual the opportunity to choose (opt-out) whether their personal information is (i) disclosed to a third party or (ii) used for a purpose that is materially different from the purpose it was originally collected or subsequently authorized by the individual.
Any individual who wishes to opt out can do so by contacting DFIN at the address provided below under the section of this Privacy Notice entitled “How to Contact Us”.
In situations where we receive personal information pertaining to individuals directly from our clients (and not the individual to whom the personal information relates), we will cooperate with our clients’ reasonable requests to:
- Assist them in informing the impacted individuals about (i) the possibility that we may disclose such individuals’ information to third parties and (ii) the individual’s ability to opt out of such disclosures (except for disclosures to third parties performing tasks directly on our behalf and pursuant to our instructions).
- Reasonably ensure that we process the information for purposes compatible with the purposes for which it was originally collected or subsequently authorized by the impacted individuals. After we have notified our clients, they will then inform us if any individuals have opted out of such disclosures.
In situations where DFIN processes “sensitive personal information”, we will seek informed express consent (opt in) from individuals if such information is to be disclosed to a third-party (except for disclosures to third parties performing tasks directly on our behalf and pursuant to our instructions) or used for purposes that are materially different from the purpose it was originally collected or subsequently authorized by the individual.
California Consumer Rights and Choices
The California Privacy Rights Act of 2020 (CPRA) went into effect on January 1, 2023. CPRA enhances and builds upon what was previously set out with the California Consumer Privacy Act of 2018 (CCPA). CCPA and CPRA provide California residents with specific rights regarding their personal and sensitive personal information. California residents have the right to request that we disclose certain information to you about our collection and use of your personal information over the past twelve (12) months, including the Right to:
- Know which categories of personal information are being collected.
- Know the categories of sources for the personal information being collected.
- Know if personal information is being sold or shared, and to whom.
- Know the business or commercial purpose for collecting, selling, or sharing personal information.
- Object to the sale of personal information.
- Access one's own personal information.
- Equal service and price, even for consumers who exercise their privacy rights.
- Request deletion of personal information that we collected from you, subject to certain exceptions.
- Correct inaccurate personal information.
- Limit the use and disclosure of sensitive personal information.
The CPRA has extended these rights to be afforded to all employees who are residents of California. Under the CPRA, employees are defined as: full or part-time employees, independent contractors, and/or job applicants who are residents of California.
A Right to Know request may only be submitted twice within a 12-month period.
Exercising the Right to Deletion of personal information is subject to certain exceptions under CPRA.
- DFIN is not required to delete personal information if it is still needed in order to complete the transaction for which the information was collected, provide a product or service requested by you (or that we reasonably anticipate based on our relationship with you), perform a contract with you, comply with legal obligations, or accomplish any other objective recognized as an exception to the right to deletion under CPRA.
Exercising Your Rights
DFIN will never charge you or discriminate against you for choosing to exercise your rights. DFIN will make reasonable efforts to comply with all consumer rights requests. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information.
An authorized agent can make a request on a California residents’ behalf by providing a power of attorney valid under California law, or providing: (i) proof that the consumer authorized the agent to do so; (ii) verification of their own identity with respect to a right to know categories, right to know specific pieces of personal information, or requests to delete which are outlined above; and (iii) direct confirmation that the consumer provided the authorized agent permission to submit the request.
You may also make a verifiable consumer request on behalf of your minor child. DFIN reserves the right to verify your identity before any request to know, access, update, correct or delete your personal information is processed by us. The verifiable consumer request must provide sufficient information that allows DFIN to reasonably verify you are the person about whom we collected personal information or an authorized representative, as well as describe your request with sufficient detail that allows DFIN to properly understand, evaluate, and respond to it. We will verify your identity to a reasonable degree of certainty by matching the data points provided by you against information in our systems which are considered reasonably reliable for the purposes of verifying a consumer’s identity.
The CPRA grants businesses 45 days to respond to a consumer rights request. An extension period of up to an additional 90 days is allowed.
All California Consumer Rights requests including deletion requests can be emailed directly to email@example.com.
Individuals who would like to opt-out of correspondence or modify their online communications preferences with DFIN, should go to DFIN’s online Preference Center at: https://info.dfinsolutions.com/preferencecenter.
This section does not address or apply to our handling of:
- Publicly available information from government records.
- Information excluded from the CPRA's scope, such as health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), or the Gramm-Leach-Bliley Act (GLBA).
- De-identified or aggregated consumer information. De-identified information is data that has had all personally identified information removed from it. Aggregated information is numerical or non-numerical information that is compiled into data summaries or summary reports for data statistics or public reporting.
Global Privacy Laws
- New York SHIELD Act (New York). The New York Stop Hacks and Improve Electronic Data (SHIELD) Security Act applies to any person or business that owns or licenses computerized data which includes private information, regardless of corporate structure, revenues or location. DFIN conducts business within New York (NY) state and has realigned its processes and procedures to adhere to the requirements established within the SHIELD Act to support the protection of New York residents’ personal and private information.
- PIPEDA (Canada). DFIN has controls in place to ensure that the privacy of personal information about an “identifiable individual” used in the course of “commercial activity” is protected and managed in such a manner which meets or exceeds the guidelines set out in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation.
- GDPR (EU and UK). DFIN may act as a Controller or a Processor under the EU and United Kingdom (UK) General Data Protection Regulation (GDPR). In respect of business customers located in the U.S., UK, EU, and other locations worldwide, DFIN operates as a data processor. DFIN’s business customers remain the data controllers with respect to any customer data that they provide to DFIN for our provision of services. DFIN therefore acts in accordance with the instructions of such customers regarding the collection, processing, storage, deletion, access, rectification, portability, and transfer of customer data. The handling and safeguarding of personal information concerning EU-based and UK-based citizens is a matter of course for DFIN globally and an integral part of DFIN’s corporate governance.
- Children’s Online Privacy Protection Act (COPPA). DFIN does not sell or offer its services and products to children. As such, our sites are designed for adult user interaction. We do not intentionally collect personally identifiable information from children under the age of 13. If you are a parent or legal guardian of a minor under the age of 13 and believe that the minor has disclosed personal information to us, please contact us by following the “How to Contact Us” below.
When you apply for an employment opportunity at DFIN through our Careers site or through other third-party platforms, we may collect certain personal information from your job application or where applicable from your personal references (provided by you), your educational institute, or any other relevant professional body. This may include name, postal address, email address, phone number, details of your qualifications, job history, curriculum vitae, contact details of your references and any other personal information submitted along with your application.
DFIN processes your personal information as necessary for the purposes of fulfilling certain legal obligations related to recruitment, for example where employment law or other laws require the processing of your personal information. We may process personal information in reliance on our legitimate business interests in the selection, evaluation and appointment of new employees, and the management and administration of recruitment and HR processes. On occasion, legal grounds such as protection of your vital interests may also apply. For example, for health and safety reasons, if you attend an interview at one of our offices or in relation to agreements with employee representation groups, if applicable.
We retain the personal information that we obtain about you during the recruitment process for no longer than is necessary for the purposes for which it is processed. The duration for which we keep your information will depend on whether your application is successful, and whether you become employed by us, the nature of the information concerned, and the purposes for which it is processed.
Cookies and Other Technologies
Third Party Websites
DFIN may post links to third party websites as a service to you. These third-party websites are operated by companies that are outside of our control and your activities at those third-party websites will be governed by the policies and practices of those third parties. We encourage you to review the privacy policies of these third parties before disclosing any information, as we are not responsible for the privacy policies of those websites.
Changes to this Privacy Notice
DFIN reserves the right at its absolute discretion to change this Privacy Notice from time to time. If this Privacy Notice changes, the revised version will be posted at the “Privacy Notice” link on our Site’s home page. In the event the change is significant we will revise the link on the home page to read “Newly Revised Privacy Notice.” Please check the Privacy Notice frequently. Your continued use of our sites constitutes acceptance of such changes in the Privacy Notice, except where further steps are required by applicable law. This Privacy Notice was last updated on January 1, 2023.
How to Contact Us
If you have any questions regarding DFIN’s privacy practices, the use of your personal information, or about this Privacy Notice, please contact us at:
Donnelley Financial Solutions (DFIN
Global Data Privacy
35 West Wacker Drive
Chicago, IL 60601
United States of America
For country specific inquiries, please contact:
Paul Maloney (VP Europe and APAC GIM Ops)
Robin Yeo (DPO)
JungYun Moon (DPO)