
EU-U.S. and the UK Extension to the EU-U.S. and Swiss-U.S. DPF

At Commercial Services Group (CSG), we recognize the importance of securing the private information of our customers, employees, business partners and others. Not only does CSG strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices. This Privacy Policy Statement (the “Policy”) sets forth the privacy principles CSG follows in respect to transfers of personal information to and from the European Union, United Kingdom, and Switzerland. 

CSG may process personal data that encompasses a range of information crucial to our operations. This includes customer/client data such as names, contact details, social security numbers, birthdates, financial histories, death records, employment histories, and credit bureau data. These details are sourced from direct communications with consumers, creditor-provided information, credit bureaus, and public records. 

We adhere strictly to legal and regulatory standards, implementing robust data protection measures like encryption, access controls, and regular audits to ensure confidentiality and prevent unauthorized access or breaches. When necessary, we may disclose relevant personal data to authorized third parties, such as auditors, creditors, credit bureaus, IT service providers, internal databases, legal advisors, and payment processors, in compliance with applicable laws. 

EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles

The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions to enable U.S. companies to satisfy the requirement under European Union law that adequate protection be given to personal information transferred from the EEA to the United States.

PRIVACY PRINCIPLES

Commercial Services Group, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Commercial Services Group, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Commercial Services Group, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Commercial Services Group, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Commercial Services Group, Inc. at:

Commercial Services Group

2001 Newmarket Drive

Louisville, Kentucky 40222

ATTN: Compliance 

Or by email to: [email protected]

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Commercial Services Group, Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to BBB EU DPF, operated by the Council of Better Business Bureaus, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information or to file a complaint. The services of the BBB Data Privacy Framework Services are provided at no cost to you.

Please note that if an EU, UK, or Swiss individual’s complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available. Commercial Services Group, Inc. is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to your organization and following the procedures and subject to conditions set forth in Annex I of the Principles.

The United States Federal Trade Commission (FTC) is the enforcement authority with jurisdiction over this compliance.

NOTICE: Where CSG collects personal information directly from individuals in the EEA, it will inform them about the purposes for which it collects and uses personal information about them, the types of non-agent third parties to which CSG discloses that information, the choices and means, if any, CSG offers individuals for limiting the use and disclosure of personal information about them, and how to contact CSG. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to CSG, or as soon as practicable thereafter, and in any event before CSG uses or discloses the information for a purpose other than that for which it was originally collected.

Where CSG receives personal information from its subsidiaries, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.

CHOICE: We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information, in any way, shape, or form. CSG under no circumstances will release personal information to a third party except where required by law or by court order and personal data will not be used for any purpose other than that for which it was originally collected. But in the event CSG shares individual personal information, we will first contact that individual and give them the choice to opt-out.

ACCOUNTABILITY FOR ONWARD TRANSFER: CSG’s disclosure of personal information to third parties will comply with the Notice and Choice principles, except in certain instances where we may be required by law to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Specific examples of instances when CSG may disclose personal information without notice or choice include when responding to court orders, legal process, or to establish or exercise legal rights or defend against claims. 

CSG will enter into a contract with any Business Partner or Vendor limiting the purposes for which the data may be processed and ensuring that the recipient will provide the same level of protection as the Principles. CSG will take reasonable steps to ensure that the agent effectively processes data in a manner consistent with the Principles; upon notice, take reasonable steps to stop and remediate unauthorized processing; and upon request, provide a summary or copy of privacy provisions of its contract with the agent to the Department of Commerce.

In cases of onward transfer to third parties of data of EU and UK individuals and Swiss individuals received pursuant to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), Commercial Services Group is potentially liable.

SECURITY: CSG will take reasonable precautions to protect personal information in its possession from loss, misuse, and unauthorized access, disclosure, alteration and destruction. All privileged information, whether stored in system or out of system (via information media) will be protected by data protection mechanisms to ensure the highest levels of confidentiality, integrity and availability. Non-privileged information will be protected to ensure the highest levels of integrity and availability.

Only personnel who have previously been authorized are allowed to enter information into an information system. Inputs will be restricted according to granted permissions, though these restrictions may be lifted on a temporary basis based on predefined project responsibilities. In such circumstances, additional authorization is required and must be granted before restrictions are lifted.

Where possible, information systems will check entered information for accuracy, completeness, validity and authenticity. These checks will be performed as close to the point of information entry as possible and will attempt to ensure that data corruption does not occur or that entered information cannot be interpreted as system commands by the information system.

Information systems will be configured such that they prevent unauthorized and unintended information transfer. Further, information systems will protect the integrity and confidentiality of transmitted information using session authentication, session encryption and data encryption where applicable.

Data is not transported off site in any non-secure manner, including, but not limited to, USB device, external hard drive, flash drive, etc. In the event that client data would need to be transferred to removable media, permission would be obtained from the client.

DATA INTEGRITY AND PURPOSE LIMITATION: CSG will use personal data in ways that are compatible with the purpose for which the data was collected or subsequently authorized by the individual or customer/client, as the case may be. CSG will take reasonable steps to ensure personal data is relevant to its intended use, accurate, complete and current. 

We will retain personal information in an identifiable form only for the period necessary to fulfill the purposes of the processing and subject to our legitimate business needs, unless a longer retention period is required or permitted by law or by the Principles.  We will adhere to the Principles for as long as we retain personal information collected under the Principles.

ACCESS: EU and UK individuals and Swiss individuals have the right to access their personal information.  Upon written request, using the Commercial Services Group address below, CSG will grant individuals reasonable access to personal information that it holds about them. In addition, CSG will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. 

RECOURSE, ENFORCEMENT AND LIABILITY: CSG will conduct compliance audits of its relevant privacy practices to verify adherence with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and this Policy. Any employee that CSG determines to be in violation of this policy will be subject to disciplinary action up to and including termination of employment.  CSG is liable for appropriate onward transfers of personal data to third parties.

POLICY CHANGES: CSG reserves the right to change this policy from time to time, consistent with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). In the event that CSG, at some point in the future, were to choose to withdraw from the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), personal information transferred pursuant to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) would continue to be subject to EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) requirements and protections even after withdrawal. 

LIMITATION ON APPLICATION OF PRINCIPLES: Adherence by CSG to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.

INTERNET PRIVACY: CSG sees the Internet and the use of other technology as valuable tools to communicate and interact with consumers, employees, business partners, and others. CSG recognizes the importance of maintaining the privacy of information collected online and has created a specific Privacy Policy (PP) governing the treatment of personal information collected through the web sites that it operates. With respect to personal information that is transferred from the EEA or Switzerland to the U.S. the PP is subordinate to this Policy. However, the PP also reflects additional legal requirements and evolving standards with respect to privacy. 

Questions or comments regarding this Policy should be submitted to the CSG Compliance Office by mail: 

Commercial Services Group

2001 Newmarket Drive

Louisville, Kentucky 40222

ATTN: Compliance

Or by email to: [email protected]