Privacy Shield Policy
QlikTech Inc. (“Qlik”) is committed to protecting the privacy and security of personal information (as defined below). Due to the global nature of its business, Qlik shares certain personal information across national boundaries. Qlik participates in the EU/UK/Swiss-U.S. Privacy Shield. Privacy Shield Frameworks (collectively, the “Privacy Shield Frameworks”) and commits to be subject to the Privacy Shield principles (as set out in the Privacy Shield Frameworks). This Policy applies to all personal information (as defined below) received by Qlik.
To learn more about the Privacy Shield Frameworks, and to view Qlik’s certification page, please visit https://www.privacyshield.gov.
GDPR as used within this Policy means the EU General Data Protection Regulation as amended from time to time.
“Personal information/data” as used within this Policy means any information or set of information of EU/EEA/UK/Swiss origin which Qlik receives in reliance on the Privacy Shield principles that identifies or could be used by or on behalf of Qlik to identify an individual and as the term “personal data” is defined in the GDPR. This may include, but is not necessarily limited to, personal data received for human resources and marketing activities in the United States from the European Economic Area or the UK, in any form or format with respect to any identified or identifiable person covered by the GDPR.
“Special Categories” of Personal information as used within this Policy means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Qlik develops and sells software and related services to business customers across the world. Qlik receives mostly business-related information from Europe and elsewhere, but also contact information related to individual representatives of customers, potential customers, resellers, vendors and other business partners. The vast majority of such information includes (but is not limited to) names, job titles, work addresses, work phone numbers, and work email addresses. Such personal information is collected and processed to enable Qlik to provide its software and related services, including for marketing campaigns, product news, contacting customers regarding potential orders, liaising with customers regarding current orders, communicating regarding software licenses, delivering software, services and related information, and to support customer queries. Product usage information may also be sent to Qlik, for example to activate a product or to facilitate technical support. Customer and internal employee information may also be collected by Qlik to administer our whistleblowing helpline (and by third parties acting on our behalf). Personal information may also be collected from business partners (e.g. resellers) to administer and develop our relationship with those partners. Such personal information may also be collected and processed to enable Qlik to comply with its legal requirements.
Qlik also receives personal information in connection with the management and administration of its internal human resource functions. This information is used in relation to pre-employment, employment and post-employment matters, including but not limited to recruiting and hiring activities, staff evaluation, implementation and administration of human resource, compensation and benefits functions, payroll, human resources recordkeeping, and compliance with legal requirements and other employment related purposes.
With regard to any Cloud (hosting) service from time to time available by Qlik, Qlik does not control the content of information we may receive or host in such services, nor what steps the relevant third parties using such services (i.e. customers) have taken to ensure that any personal information is reliable for its intended use, accurate, complete, and current. In relation to Cloud offerings, from an EU/EEA/UK/Swiss data protection law perspective, the relevant third party utilizing any Qlik Cloud acts as data controller of the relevant personal information, and not Qlik. Qlik does not directly access its Cloud information except when acting on behalf of the relevant data controller. The customer remains responsible for such personal data that it collects and processes and for compliance with applicable law, including privacy/data requirements, such as accuracy. We will retain such information for the duration stipulated in our relevant agreements with those third parties, or longer as necessary to comply with our legal obligations.
Qlik may be required to disclose personal information in response to lawful requests by public authorities, including the meet national security or law enforcement requirements. Qlik does not use personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.
To the extent required by the Privacy Shield principles, Qlik will offer individuals the opportunity to choose (opt out) when their personal information is (a) to be disclosed to a third party (other than a third party acting as an agent to perform task(s) on behalf of and under the instruction of Qlik as under the “Accountability for Onward Transfer” principles below), or (b) to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. For example, subscribers to Qlik’s marketing materials may at any time unsubscribe by using Qlik’s website http://www.qlik.com/opt-out or by contacting Qlik directly.
Special requirements apply to Special Categories of personal information. For such sensitive personal information, to the extent required by the Privacy Shield principles, Qlik will offer individuals the opportunity to give affirmative express (opt in) choice if the sensitive personal information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of the opt in choice.
Qlik will also treat as sensitive any information received from a third party where the third party identifies and treats it as sensitive. Affirmative express (opt in) choice is not required when necessary for the establishment of legal claims or defenses, when required to provide medical care or diagnosis, in the vital interests of the data subject or another person, related to personal information manifestly made public by the individual and when necessary to carry out the organization’s legal obligations.
ACCOUNTABILITY FOR ONWARD TRANSFER
Qlik may transfer personal information to members of its company group or to authorized third parties acting as data controllers (such as regulatory authorities or partners), third parties acting as agents to perform task(s) on behalf of and under Qlik instructions, such as payroll, employee expenses management, marketing/CRM vendors and/or invoice processing vendors.
When personal information is disclosed to a third party data acting as a data controller, Qlik will enter into a contract with the third party data controller that provides that such personal information may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the third party data controller will provide the same level of protection as the Privacy Shield principles and will notify Qlik if it makes a determination that it can no longer meet this obligation. The contract shall provide that if the third party data controller makes such a determination, the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.
When personal information is disclosed to a third party acting as an agent, Qlik will enter into a written contract with the agent, transfer such personal information only for limited and specified purpose, ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield principles, take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organizations’ obligations under the Privacy Shield principles, require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles, take reasonable and appropriate steps to stop and remediate unauthorized processing upon notice that the agent makes a determination that it can no longer meet its obligations, and provide a summary or representative copy of the relevant privacy provisions of its contract with that agent upon request. Qlik will only share personal information to the extent needed to perform the uses for which the personal information was provided. Qlik does not sell or rent personal information to third parties unless the data subject has given Qlik permission to do so.
Qlik has responsibility for the processing of personal information it receives under the Privacy Shield Frameworks and subsequently transfers to a third party acting as an agent on its behalf. Qlik shall remain liable under the Privacy Shield principles if its agent processes such personal information in a manner inconsistent with the Privacy Shield principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Qlik will employ reasonable and appropriate measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration or destruction, taking into account the risks involved in the processing and the nature of the personal information. Such measures may include the use of password protection and restricting access to personal information to those with a legitimate purpose in receiving the personal information. Employees who have access to such personal information shall be trained regarding this Policy, relevant law (including the GDPR) and the Privacy Shield principles embodied in it, advised that they are responsible for fully complying with the principles articulated in this Policy and instructed that violations of these principles shall result in appropriate disciplinary action, up to and including termination.
DATA INTEGRITY AND PURPOSE LIMITATION
Personal information must be limited to the information that is relevant for the purposes of processing. Personal information shall not be processed in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, reasonable steps will be taken to ensure that the personal information is reliable for its intended use, accurate, complete and current. Reasonable steps shall also be taken to accommodate privacy preferences, such as restricting access to the personal information to those who have a legitimate business need to know the personal information, anonymizing certain personal information, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.
To the extent required by the Privacy Shield principles, Qlik will, in relation to relevant individual’s personal data:
- provide confirmation of whether or not Qlik is processing personal information relating to them;
- communicate data to them so that they can verify its accuracy and the lawfulness of the processing; and
- correct, amend or delete the personal information where it is inaccurate or processed in violation of the Privacy Shield principles except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in question, or where the rights of persons other than the individual would be violated. Access may be restricted when granting such access would prejudice employee security investigations or grievance proceedings or in connection with employee succession planning, corporate re-organizations or confidential information of a customer or potential customer.
To exercise access rights, an individual may contact Qlik as set forth in the Recourse and Enforcement section of this Policy.
VERIFICATION, RECOURSE AND ENFORCEMENT
Qlik has verified and will verify annually that the attestations and assertions made about its Privacy Shield related privacy practices are true and that those privacy practices have been implemented as represented, in accordance with the Privacy Shield principles and, in particular, with regard to cases of non-compliance. This verification has been and will be signed by a corporate officer or other authorized representative of Qlik at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance. The verification includes that:
- Qlik’s published Policy is accurate, comprehensive, prominently displayed, completely implemented and accessible;
- the Policy conforms to the Privacy Shield principles;
- individuals are informed of any in-house arrangements for handling complaints and of the mechanisms through which they may pursue complaints; Qlik has in place procedures for training employees in its implementation and disciplining them for failure to follow it; and
- Qlik has in place internal procedures for periodically conducting objective reviews of compliance with the above.
Recourse and Enforcement
Inquiries or complaints regarding employment data under this Policy should be directed to the local Qlik Culture and Talent representative. Inquiries or complaints regarding external personal data (e.g. customer) under this Policy should be directed to the relevant sales or marketing contact, or firstname.lastname@example.org.
If the inquiry cannot be answered or the complaint resolved, the matter should be directed to Office of the General Counsel, 211 South Gulph Road, Suite 500, King of Prussia, PA 19406 United States; phone: +1 (888) 828-9768; fax: +1 (610) 975-5987; e-mail: email@example.com.
Qlik will investigate and attempt to resolve complaints and disputes regarding the use and disclosure of personal information by reference to the Privacy Shield principles as contained in this Policy. If a complaint remains unresolved, Qlik will cooperate with the European Union /UK/ Swiss data protection authorities in the investigation and resolution of the complaint and comply with the advice of such authorities, including as required by regulations and participation in the dispute resolution procedures of European Union /UK/ Swiss data protection authorities in order to resolve disputes pursuant to the Privacy Shield principles. This recourse mechanism is free of charge to the individual. You can find information on how to file a complaint and/or the complaint forms on the websites of your local data protection authority (e.g., for Sweden, which is where Qlik’s operations in Europe are predominantly based, you can find such information here http://www.datainspektionen.se/om-oss/arbetssatt/klagomal/).
In the event that Qlik or the authorities determine that Qlik did not comply with this Policy, Qlik will take appropriate steps to address any adverse effects and to promote future compliance.
Under certain conditions, individuals have the option to invoke binding arbitration to determine, for residual claims, whether Qlik has violated its obligations under the Privacy Shield principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes.
Qlik is subject to the investigatory and enforcement powers of the Federal Trade Commission.
MODIFICATIONS TO THIS POLICY
This Policy may be amended from time to time in compliance with the requirements of the Privacy Shield principles. Appropriate notice will be given concerning such amendments. To the extent there is any conflict between the Privacy Shield principles and this Policy, the Privacy Shield principles shall take precedence.
Last updated: March 16, 2021