This policy statement was created to demonstrate our commitment to privacy. It discloses our information gathering and dissemination practices. By using our web site, you consent to the collection and use of this information by Cathedral Corporation. We reserve the right to change our privacy policy as deemed appropriate, and we will update any changes on this page so that you are always aware of what information we collect and how we use such information.
General. This site does not collect personal identifying information about individuals except when specifically and knowingly provided by such individuals. The site may collect personal identifying information in several ways including through e-newsletter lists, mailing lists, online request forms, contests, feedback forms, surveys, or personal interest forms. Cathedral Corporation does not sell this information to third parties. This site does not collect or store any personal information about children under the age of 13 in accordance with the Children's Online Privacy Protection Act.
Cookies. A cookie is a small data file that a web site transfers to a user's hard drive when a user visits the web site. The only personal information a cookie can contain is that which a user supplies. A cookie cannot read data off a hard disk or read cookie files created by other sites. We use cookies to calculate the number of people visiting our site (or a certain page of our site) to allow us to provide you better services in the future. The information we collect is used to improve the content of our web site, used to notify our customers about updates to our web site and used by us to contact customers and potential customers for marketing purposes.
Usage tracking. Cathedral Corporation tracks usage patterns on our sites and breaks down overall usage statistics according to a user's domain name, browser type, and MIME type by reading this information from the browser string (information contained in every user's browser). However, we do not match this information with users' personally identifiable information.
Cathedral Corporation may contain links to other Internet sites maintained by third parties for your convenience only. Please note that when you click on one of these links, you may enter another web site for which Cathedral Corporation has no responsibility. We encourage you to read the privacy statements of all such sites as their policies may be materially different from this privacy statement.
This Privacy Shield Policy ("Policy") describes how Cathedral Corporation, hereinafter “Cathedral”, collects, uses, processes and discloses certain personally identifiable information that we receive in the US from the European Union/European Economic Area (hereinafter "EU/EEA Personal Data" or “Personal Data”). This Policy applies to all of Cathedral’s business locations. This Policy supplements, and is to be incorporated in, our Website Privacy Policy located at wwww.cathedralcorporation.com, and unless specifically defined in this Policy, the terms in this Policy have the same meaning as the Website Privacy Policy. Cathedral recognizes that the EU/EEA has established strict protections regarding the handling of Personal Data, including requirements to provide adequate protection for EU/EEA Personal Data transferred outside of the EU/EEA. To provide adequate protection for certain Personal Data about consumers/corporate customers, their employees, members, clients and/or service recipients received in the US, Cathedral has elected to self-certify to the EU-US Privacy Shield Framework as administered and set forth by the US Department of Commerce ("Privacy Shield"). Cathedral adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. For purposes of enforcing compliance with the Privacy Shield, Cathedral is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce's Privacy Shield website located at: www.privacyshield.gov. To review Cathedral's representation on the Privacy Shield list, see the US Department of Commerce's Privacy Shield self-certification list located at: www.privacyshield.gov/.
Our Website Privacy Policy located at www.cathedralcorporation.com describes the categories of EU/EEA Personal Data that we may receive in the US as well as the purposes for which we use that EU/EEA Personal Data. Cathedral functions as a “Processor” of “Personal Data” received from “Controllers”. We may receive the following categories of Personal Data in the US from businesses you have an established relationship with (such as, your employer, financial institutions, insurance companies, service and health providers) including: your name, identification or account number, Tax identification numbers, non-us tax identification numbers, social insurance numbers, contact data, address, email address, employer name, business name, health provider name, insurer names, lending institution names, as well as physical, physiological, mental, economic, insurance, financial, and other personal data information about you received from such businesses. We process Personal Data for the following purposes: to provide print and mail services, and/or electronic presentment services to you as a member, employee, customer or service recipient of our business customers. Cathedral will only process EU/EEA Personal Data in ways that are compatible with the purpose that Cathedral collected it for, or for purposes the individual later authorizes. Before we use your EU/EEA Personal Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will provide you with the opportunity to opt out. Cathedral maintains reasonable procedures to help ensure that EU/EEA Personal Data is reliable for its intended use, accurate, complete, and current. We may collect the following categories of Sensitive EU/EEA Personal Data: Health. We process sensitive EU/EEA Personal Data for the following purposes: to provide print and mail services, and/or electronic presentment services to you as a member, employee, customer or service recipient of our business customers, including but not limited to statements, invoices, remittance advice, and other health service related documents. When we collect Sensitive EU/EEA Personal Data, or nonpublic personal information(NPI), protected personal information (PPI), personally identifiable information (PII)and/or protected health information(PHI) we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your Sensitive EU/EEA Personal Data, NPI,PPI,PII,PHI to third parties, or before we use such Sensitive Personal Data or Information for a different purpose than we collected it for or than you later authorized.
Third-Party Agents or Service Providers. We may transfer EU/EEA Personal Data to our third-party agents or service providers who perform functions on our behalf including: managed hosted services, outsourced production operations of folding, and/or finishing, and/or incidental contact by production equipment service technicians. Where required by the Privacy Shield, we enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process EU/EEA Personal Data in accordance with our Privacy Shield obligations and to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of EU/EEA Personal Data that we transfer to them.
Under certain circumstances, we may be required to disclose your EU/EEA Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
Cathedral maintains reasonable and appropriate security measures to protect EU/EEA Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield.
You may have the right to access the EU/EEA Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield. Typically, we do not hold or retain your Personal Data unless required by Statute, Regulation, Directive or Contract. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, or deletion of your EU/EEA Personal Data, you can submit a written request to the contact information provided below. We may request specific information from you to confirm your identity. In some circumstances we may charge a reasonable fee for access to your information.
You can direct any questions or complaints about the use or disclosure of your EU/EEA Personal Data to us at: Cathedral Corporation, Attention: Compliance Officer, 632 Ellsworth Road, Rome, NY 13441 USA
We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your Personal Data within 45 days of receiving your complaint.
For any unresolved complaints, we have agreed to refer such matters to a non-profit dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment or satisfactory resolution of your claim you contact such dispute resolution provider at: www.bbb.org/EU-privacy-shield/for-eu-consumers for further information and assistance.
You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your compliant directly with Cathedral and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see US Department of Commerce's Privacy Shield Framework: Annex I (Binding Arbitration). - www.privacyshield.gov/article?id=ANNEX-I-introduction
Privacy Shield Principles: the principles contained within the EU-US Privacy Shield
Personal data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Rec.26; Art.4(1)
Sensitive Personal Data: specific to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Rec.10, 34, 35, 51; Art.9(1)
Processing: any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Art.4(2)
Controller: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws. Art.4(7)
Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. Art.4(8)
Consent: "The consent of the data subject" means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Rec.32; Art.4(11)
Nonpublic Personal Information (NPI): The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. Its provisions limit when a "financial institution" may disclose a consumer's "nonpublic personal information" to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain "financial activities." The Privacy Rule protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."
Protected Personal Information (PPI): Per U. S. 32 CFR § 701.101, Protected personal information (PPI) is any information or characteristics that may be used to distinguish or trace an individual's identity, such as their name, SSN, or biometric records.
Personally Identifiable Information (PII): NIST Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
Protected Health Information (PHI): The U.S. Department of Health and Human Services (“HHS”) issued the “Privacy Rule” to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." “Individually identifiable health information” is information, including demographic data, that relates to:
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
We reserve the right to amend this Policy from time to time consistent with the Privacy Shield's requirements.
Effective Date: 10/20/2017
Last modified: 10/20/2017
If you have any questions about this Policy or would like to request access to your EU/EEA Personal Data, please contact us as follows:
Cathedral Corporation
Attention: Compliance Officer
632 Ellsworth Road
Rome, NY 13441 USA
Cathedral Corporation | All Rights Reserved