Donnelley Financial Solutions, Inc. and its worldwide subsidiaries (DFIN) respect your privacy and know that you care about how we use and share your information. This notice describes how DFIN collects, shares, uses and protects personal information. By using this website and other websites that we operate and where we post a direct link to this Privacy Notice (Our Site), you are accepting and consenting to the practices described in this Privacy Notice.
Our Privacy Notice explains:
- Personal information we collect, and why we collect it.
- DFIN products.
- Cookies and other technologies.
- How we use your personal information.
- How we share your personal information.
- Third Party Websites.
- How we protect your personal information.
- How long we keep your personal information.
- Your rights and choices.
- Data transfers.
- How we monitor and enforce.
- California Consumer Privacy Act (California).
- New York SHIELD Act (New York).
- PIPEDA (Canada).
- GDPR (EU).
- Children’s Online Privacy Protection Act (COPPA).
- Changes to this privacy notice.
- How to contact us.
Personal Information We Collect and Why We Collect
Information you give us. This is information about you that you provide to us by filling in forms on our site DFINsolutions.com, participating at events organized or attended by DFIN, corresponding with us by phone, electronic mail or otherwise or visiting our offices. It includes information that you provide when you register to use our site, subscribe to our service, engage in social media functions on our site or other activities commonly carried out on the site, as well as when you report a problem with our site.
Personal information, also known as personally identifiable information (PII) or personal data, for purposes of this Privacy Notice, means any information that (i) directly and clearly identifies an individual, or (ii) can be used in combination with other information to identify an individual. Personal information does not include such information if it is anonymous or if it has been rendered de-identified by removing personal identifiers.
The information you provide may include basic personal information such as your name, address, e-mail address, phone number, title and company. DFIN may collect more sensitive information from you such as financial and credit card information, social security and other government identification numbers where it is appropriate or necessary for conducting business. DFIN limits its collection and use of personal information to the minimum identifiers that are necessary for performing the specific task related to the purpose for which the personal information is collected.
Information we collect about you. With regard to each of your visits to our site, we may automatically collect information such as:
- Technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, source domain names, your login information, browser type and version, time zone setting, length of time spent on our site and operating system and platform.
- Information about your visit even if you have not created an account or logged in, including the full Uniform Resource Locators (URL), specific web pages, clickstream to, through and from our site including date and time, products and services you viewed or searched for, page response times, download errors, length of visits to certain pages and any phone number used to call our customer service number.
DFIN may also supplement the personal information we collect from you with information we receive from third parties, including our business partners, contractors, analytics and other service providers.
We process personal information for certain legitimate reasons as well as to help us improve the overall accuracy of the information and its completeness, better tailor our interactions with you and to identify and prevent fraud. The personal information we collect and process may include both HR and non-HR data depending on your engagement with DFIN.
The information assists in enhancing the security of our information systems and assessing the effectiveness of our promotional and advertising campaigns. The information is also used to aggregate statistical data, facilitate system administration and improve our site.
DFIN has a strong corporate commitment to data privacy. We commit to using data privacy principles and strategies to implement Privacy by Design and Default whenever possible within our applications, practices, and organization. DFIN incorporates various technologies into our applications to streamline data-gathering and reporting processes, protect and secure data, enhance user experience, and efficiently improve performance. Depending on the product(s) in scope, these technologies may include but are not limited to: artificial intelligence (AI) powered contract analysis software, automated data extraction, natural language processing technology combined with machine learning, study of algorithms, tokenized redaction, proprietary pattern matching technology, redaction masking or anonymization to data files, single sign-on (SSO) access, built-in and customized exception and audit reporting, data integration, built-in safeguards to flag non-compliance requirements, streamlined features for safe real-time collaboration and accurate ﬁnancial reporting, AES 256-bit encryption at rest and in transit, multifactor authentication (MFA), robust role-based access control (RBAC), cloud-based workflow tools, in-app automated publishing capabilities, and Straight Through Processing (STP). These and other technologies continuously provide effective, robust, and innovation forward protections over DFIN’s clients, employees, and stakeholders personal information.
When you apply for an employment opportunity at DFIN, we may collect certain personal information from your job application through our Careers site or when you apply through an agent or other third-party platforms. Such personal information may include name, postal address, email address, phone number, details of your qualifications, job history, curriculum vitae, contact details of your references and any other personal information submitted along with your application.
We may also collect this information from, where applicable, your personal references (provided by you), your educational institute, or any other relevant professional body.
DFIN processes your personal information as necessary for the purposes of fulfilling certain legal obligations related to recruitment, for example where employment law or other laws require the processing of your personal information. We may process personal information due to reliance on our legitimate business interests in the selection, evaluation and appointment of new employees, and the management and administration of recruitment and HR processes. On occasion, legal grounds such as protection of your vital interests may also apply. For example, for health and safety reasons, if you attend an interview at one of our offices or in relation to agreements with employee representation groups, if applicable.
We retain the personal information that we obtain about you during the recruitment process for no longer than is necessary for the purposes for which it is processed. The duration for which we keep your information will depend on whether your application is successful and you become employed by us, the nature of the information concerned, and the purposes for which it is processed. The personal information collected for recruitment and employment purposes may include both HR and non-HR data.
Cookies and Other Technologies
When you visit our site, we may automatically collect information such as your IP address, browser type and language, operating system, location, date and time using cookies. A cookie is a small amount of data that is sent to your browser from a web server and stored on your device such as a phone or computer. The cookies are then sent back to the originating website on each subsequent visit to that website. As an example, a cookie may allow us to recognize your browser, whereas another cookie may store your preferences. This helps us to provide you with a good experience when you browse our site and allows us to improve our site. Cookies are a technology that can be used to help personalize your use of our site.
How We Use Your Personal Information
DFIN uses, stores and processes the personal information we collect to:
- Where relevant, operate and provide DFIN’s products and services.
- Where relevant, register you as a customer.
- Perform our obligations under a contract with you.
- Provide you with information, products and services which you request from us or similar products or services which you have already requested.
- Where appropriate, provide you with marketing communications for products and services from DFIN, including personalized offers and content based on your interactions with us and usage of our products.
- Enforce or apply the terms of any of our user agreements.
- Improve our existing services and the content of our site.
- Help solve any issues that you might be facing.
- Protect the rights, property or safety of DFIN, DFIN’s users, or others.
- Manage our everyday business needs, such as for our internal account management, client reporting, contract management, website administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and legal compliance.
DFIN reserves the right to transfer and disclose your information if DFIN becomes involved in a business divestiture, change of control, sale, merger, or acquisition of all or a part of its business.
When we use your personal information for the purposes specified above, we do so on the basis of:
- Consent: where you have given us clear consent for us to process your personal information for a specific purpose.
- Contract: where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
- Legal obligation: where our use of your personal information is necessary for us to comply with the law.
- Vital interests: where our use of your personal information is necessary to protect you or someone else’s life.
- Legitimate interests: where our use of your personal information is necessary for our legitimate interests or the legitimate interests of a third party.
Please note that if you do not provide us with certain personal information, depending on the purposes for which we have collected it, we may not be able to provide the information, products or services you have asked for or process your requests, applications, subscriptions or registrations, and may not be able to perform or discharge applicable legal obligations.
How We Share Your Personal Information
DFIN may have to share your personal information with entities and persons set out below, for the purposes listed herein. We may share your personal information we collect about you with:
- Our affiliates, subsidiaries, vendors, consultants and other service providers to perform the services on our behalf and to ensure the efficient operation of our business.
- Where required, with professional advisors or consultants, including lawyers, banks, auditors, accountants and insurers providing consultancy, legal, banking, audit, accounting or insurance services to us; any person or entity to whom we are required or requested to make such disclosure by any court of competent jurisdiction or by any governmental, taxation or other regulatory authority, law enforcement agency or similar body.
- Service providers who provide information technology and system administration services to us.
DFIN may share your information in response to a request for information, if upon review we determine that disclosure is in accordance with, or required by, any applicable law, regulation or legal process.
DFIN may share your personal information in connection with or during negotiations of any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company.
We may also share your personal information with our customers when they need access to such information to fulfil specific transactions related to services you requested such as promotional campaigns. You may opt out of sharing your information with our customers for related services by sending an email to email@example.com. Upon receipt of your request to opt out of this information sharing, we will acknowledge your request and take appropriate measures in response.
We may also share your personal information if we determine that your actions are inconsistent with our user agreements or policies, or if we must protect the rights, property and safety of DFIN or others in accordance with, or required by, any applicable law, regulation or legal process.
Third Party Websites
DFIN may post links to third party websites as a service to you. These third-party websites are operated by companies that are outside of our control, and your activities at those third-party websites will be governed by the policies and practices of those third parties. We encourage you to review the privacy policies of these third parties before disclosing any information, as we are not responsible for the privacy policies of those websites.
How We Protect Your Personal Information
The security of your personal information is important to us. We use reasonable physical, electronic and procedural safeguards to protect the personal information we collect from loss, theft, misuse, alteration and unauthorized access or destruction. In addition, we maintain appropriate physical, electronic, and procedural safeguards to protect your personal information, including:
- Restricting access to personal information to our employees or service providers on a “need-to-know” basis.
- Enforcing policies and procedures for our employees in their handling of personal information.
- Using technologies designed to safeguard data during its transmission, such as SSL encryption for the information you provide on some parts of our site and using appropriate security to safeguard the data that we have received.
DFIN also employs industry-standard measures and processes for detecting and responding to inappropriate attempts to breach our systems.
There is, however, no method of transmission over the Internet, or method of electronic storage that can be 100% secure. Therefore, DFIN cannot guarantee the absolute security of your information. The Internet by its nature is a public forum, and DFIN encourages you to use caution when disclosing information online. Often, you are in the best situation to protect yourself online. You are responsible for protecting your username and password from third party access, and for selecting passwords that are secure.
How Long We Keep Your Personal Information
We will keep your personal information while you have an account with us or we are providing products services to you. Thereafter, we will keep your personal information for as long as is necessary to:
- Respond to any questions, complaints or claims made by you or on your behalf.
- Keep records required by applicable laws and regulations or DFIN's retention and deletion processes.
We will not retain your personal information for longer than necessary for the purposes set out in this privacy notice.
Your Rights and Choices
You may have the right to access and review the personal information stored by us to confirm its accuracy, and if necessary you may request that personal information is updated if it is inaccurate. You may also request that certain personal information be deleted from our files. You may be required to log into your account to exercise these rights, or contact us at firstname.lastname@example.org.
DFIN will make reasonable efforts to comply with such requests, unless such requests are prohibited by law, or there is a legitimate business purpose to retain personal information. We reserve the right to verify your identity before any request to update or delete your personal information is processed by us. Please direct any questions about your personal information to DFIN’s Global Privacy department at email@example.com.
In accordance with this Privacy Notice, but excluding any transfers of data to third parties performing tasks directly on our behalf and pursuant to our instructions, where we receive personal information directly from an individual to which such personal information relates, where applicable, we will offer the individual the opportunity to choose (opt out) whether his or her personal information is (1) disclosed to a third party; or (2) used for a purpose that is materially different than the purpose it was originally collected or subsequently authorized by the individual.
Any individual who wishes to opt out can do so by contacting DFIN at the address provided below under the section of this Privacy Notice entitled “HOW TO CONTACT US”.
In situations where we receive personal information pertaining to individuals directly from our clients (and not the individual to whom the personal information relates), we will cooperate with our clients’ reasonable requests to:
- Assist them in informing the impacted individuals about (a) the possibility that we may disclose such individuals’ information to third parties and (b) the individual’s ability to opt out of such disclosures (except for disclosures to third parties performing tasks directly on our behalf and pursuant to our instructions).
- Reasonably ensure that we process the information for purposes compatible with the purposes for which it was originally collected or subsequently authorized by the impacted individuals. After we have notified our clients, they will then inform us if any individuals have opted out of such disclosures.
In situations where DFIN processes “sensitive personal information” (which may include personal information relating to medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the sex life of the individual, ideological views or activities, social security measures pertaining to an individual, or administrative or criminal proceedings and sanctions), we will seek informed express consent (opt in) from individuals if such information is to be disclosed to a third-party (except for disclosures to third parties performing tasks directly on our behalf and pursuant to our instructions) or used for purposes that are materially different from the purpose it was originally collected or subsequently authorized by the individual.
DFIN is a global organization with legal entities and business processes in operation across borders and cannot always limit the processing of personal information to the country in which an individual is based. In the course of providing you services, DFIN may need to transfer personal information to locations outside the jurisdiction in which it is provided or where our site is viewed. We comply with applicable legal requirements providing adequate safeguards for the transfer of personal information to countries other than the country where you are located.
Data transfers between the U.S., EU, and other countries will only be done subject to compliance with applicable law and appropriate technical and organization safeguards of such data. This includes onward transfers to third parties. DFIN requires our third parties to implement the necessary safeguards to best protect personal information both in transit and at rest. In the event that such onward transfers are not conducted per our terms, we acknowledge that we may be liable for any resulting outcomes. DFIN transfers personal information to third parties only for limited and specified purposes.
- In compliance with the Privacy Shield Principles, DFIN commits to resolve complaints about our collection or use of your personal information at no cost to the individual. EU and Swiss individuals with inquiries or complaints regarding DFIN’s use of their personal information should contact our Global Privacy department at firstname.lastname@example.org. DFIN will respond to your inquiry within 45 days.
- For complaints submitted to a data protection authority (DPA) in the EU, the Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days.
In the event of a reported complaint that DFIN does not resolve itself, DFIN commits to cooperate with EU DPAs and the Swiss Federal Data Protection and Information Commissioner (FDPIC). We will comply with the advice given by each respective regulatory body with regard to human resource (HR) and non-human resource data transferred from the EU. As well as non-human resource data transferred from Switzerland to DFIN. DFIN does not transfer HR data from Switzerland. In the U.S., DFIN has chosen the EU DPAs to serve as an independent recourse mechanism (IRM) for dispute resolution. We have designated the United States Council for International Business (USCIB) to act as the trusted third party for this purpose.
Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted. DFIN is accordingly subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). In certain circumstances, DFIN may also be subject to the investigatory and enforcement powers of the U.S. Department of Transportation or any other U.S. authorized statutory body.
DFIN takes appropriate technical and organizational measures to safeguard all personal information against unauthorized or unlawful processing of, or accidental loss, damage, misuse, unauthorized access, unauthorized disclosure, unauthorized alteration, or destruction, and maintains reasonable procedures to help ensure that such information is relevant for its intended use, accurate, complete, current and not excessive and that such information is not retained longer than is reasonably necessary.
With respect to any sharing of business contact information for the purposes of marketing DFIN products and services, DFIN obtains assurances from its affiliates, subsidiaries and business partners that such entities will use and disclose such business contact information for purposes of marketing DFIN products and services only. In alignment with our Privacy Shield certification, we acknowledge that we may be required by applicable law to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. DFIN agrees to work effectively with these parties to support their initiatives and ensure any data is processed lawfully.
How We Monitor and Enforce
DFIN regularly reviews our compliance with our Privacy Notice. We also adhere to several self-regulatory frameworks in addition to complying with applicable laws. If we receive formal written complaints, we will follow up with the person making the complaint. We work with the appropriate regulatory authorities to resolve any complaints that cannot be resolved directly.
California Consumer Privacy Act (California)
The California Consumer Privacy Act of 2018 (CCPA) went into effect on January 1, 2020. CCPA provides California residents with specific rights regarding their personal information. Please refer to DFIN’s CCPA Notice for more information.
New York SHIELD Act (New York)
The New York Stop Hacks and Improve Electronic Data (SHIELD) Security Act went fully into effect on March 21,2020. The SHIELD Act applies to any person or business that owns or licenses computerized data which includes private information, regardless of corporate structure, revenues or location. DFIN conducts business within New York (NY) state and has realigned its processes and procedures to adhere to the requirements established within the SHIELD Act to support the protection of New York residents’ personal and private information.
Under the SHIELD Act, businesses are required to have an established security program and provide proper notice in the event of a data breach involving any New York resident’s private information. DFIN has a strong and robust security program that works diligently to protect the personal information of all individuals. Proper controls and safeguards are in place that align with the requirements under the SHIELD Act. These controls and safeguards provide essential protection over New York residents’ private information. A breach notification process has also been established to address reporting requirements under the SHIELD Act.
DFIN recognizes and has controls in place to ensure that the privacy of personal information about an “identifiable individual” used in the course of “commercial activity” is protected and managed in such a manner which meets or exceeds the guidelines set out in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation.
GDPR (EU and UK)
DFIN may act as a Controller or a Processor under the EU and United Kingdom (UK) General Data Protection Regulation (GDPR). In respect of business customers located in the U.S., UK and EU and other locations worldwide, DFIN operates as a data processor. DFIN’s business customers remain the data controllers with respect to any customer data that they provide to DFIN for our provision of services. DFIN therefore acts in accordance with the instructions of such customers regarding the collection, processing, storage, deletion, access, rectification, portability and transfer of customer data.
DFIN is a global entity with offices in five continents around the globe, including nine offices (and correspondent offices) in Europe. The handling and safeguarding of personal data concerning EU-based and UK-based citizens is a matter of course for the business globally and an integral part of DFIN’s corporate governance.
Children’s Online Privacy Protection Act – COPPA
DFIN does not sell or offer its services and products to children. As such, our sites are designed for adult user interaction. We do not intentionally collect personally identifiable information from children under the age of 13. If you are a parent or legal guardian of a minor under the age of 13 and believe that the minor has disclosed personal information to us, please contact us by following the “How to Contact Us” below.
Changes to this Privacy Notice
DFIN reserves the right at its absolute discretion to change this Privacy Notice from time to time. If this Privacy Notice changes, the revised version will be posted at the “Privacy Notice” link on our site’s home page. In the event that the change is significant or material, we will notify you of such a change by revising the link on the home page to read “Newly Revised Privacy Notice.” Please check the Privacy Notice frequently. Your continued use of our sites constitutes acceptance of such changes in the Privacy Notice, except where further steps are required by applicable law. This Privacy Notice was last updated on April 29, 2022.
How to Contact Us
If you have any questions regarding DFIN’s privacy practices, the use of your personal information, or about this Privacy Notice, please contact us at:
Donnelley Financial Solutions (DFIN)
Global Data Privacy
35 West Wacker Drive
Chicago, IL 60601
United States of America
For country specific inquiries, please contact:
Paul Maloney (VP Europe and APAC GIM Ops)
Robin Yeo (DPO)
JungYun Moon (DPO)