December 1, 2023
(A) This Policy
This Policy is issued by each of the Controller entities listed in Section P below (together, “KLDiscovery”, “we”, “us” or “our”). This Policy is addressed to individuals outside our organisation with whom we interact, including customers, personnel of corporate customers, visitors to our websites (our “Websites”), partners, suppliers, applicants for employment and other users of our Services (together, “you”). Defined terms used in this Policy are explained in Section (R) below. This Policy also applies to our social media presence (see below).
This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in Applicable Privacy Laws. We encourage you to read this Policy carefully, and to regularly check
this page to review any changes we might make in accordance with the terms of this Policy.
KLDiscovery operates under the following brands: KLDiscovery, Ontrack, Ibas and ReadySuite.
(B) Processing your Personal Data
Collection of Personal Data: We collect or obtain Personal Data about you from the following sources:
- Data provided to us: When you contact us via email, telephone or by any other means or when you provide us with your business card, or when you submit a job application.
- Relationship data: In the ordinary course of our relationship with you (e.g., Personal Data we obtain in the course of providing a Service to you, or to your employer).
- Data you make public: Personal Data that you manifestly choose to make public, including via social media.
- Website data: We collect or obtain Personal Data when you visit any of our Websites, register or use any features or resources available on or through a Website.
- Content and advertising information: If you interact with any third-party content or advertising on a Website or third party plugins and cookies) we receive your Personal Data from the relevant third party provider of that content or advertising.
- Third party information. We collect or obtain Personal Data from third parties who provide it to us (e.g., credit reference agencies or law enforcement agencies).
Creation of Personal Data: In providing our Services, we may also create Personal Data about you, such as records of your interactions with us and details of your order history. We may also combine Personal Data
from use of any of our Websites and Services with Personal Data collected from different sources.
Categories of Personal Data: The categories of Personal Data about you that we Process include:
- Personal details: name(s); gender; date of birth / age; nationality; and photograph.
- Contact details: correspondence or shipping address (e.g., for returning original media and/or storage devices); telephone number; email address; and social media profile details.
- Consent records: records of any consents you have given, together with the date and time, means of consent, and any related information (e.g., the subject matter of the consent).
- Payment details: purchase information, pricing, invoice records, billing address; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; and card expiry date.
- Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.
- Application details: all kind of application documents which you may submit (professional history, curriculum vitae, qualifications, certificates, references, etc.)
- Employer details: where you interact with us in your capacity as an employee of a third party; the name, address, telephone number and email address of your employer, to the extent relevant.
- Data relating to our Websites: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a Website; and other technical communications
information (some of which may constitute Personal Data); username; password; security login details; usage data; and aggregate statistical information.
Purposes of Processing and Legal Basis
Provision of Websites and Services: communicating with you in relation to those Websites and Services.
Operating our business: operating and managing our Websites, our Services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our Websites, or our Services; and notifying you of changes to any of our Websites, or our services.
Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under Applicable Privacy Laws; personalising our Websites, and Services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; enabling and recording your choice to opt-out or unsubscribe, where applicable.
Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.
Health and safety: health and safety assessments and record keeping; providing a safe and secure environment at our premises; and compliance with related legal obligations.
Financial management: sales; finance; corporate audit; and vendor management.
Surveys: engaging with you for the purposes of obtaining your views on our Websites, or our Services.
Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).
Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with Applicable Privacy Laws.
Legal compliance: compliance with our legal and regulatory obligations under Applicable Privacy Laws.
The Processing is necessary for compliance with a legal obligation.
Improving our Websites and Services: identifying issues with and planning improvements to our Websites and creating new Websites or Services.
Fraud prevention: Detecting, preventing and investigating fraud.
Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; exercise and defence of legal rights and claims, including formal legal proceedings.
Sensitive Personal Data
We do not seek to collect or otherwise Process Sensitive Personal Data but where we do so, it is on the following basis.
Lawful basis for Processing Sensitive Personal Data: In Processing your Sensitive Personal Data in connection with the purposes set out in this Policy, we may rely on one or more of the following legal bases, depending on the circumstances:
- we have obtained your prior express consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way);
- the Processing is necessary in connection with any contract that you may enter into with us to provide you with Services;
- the Processing is required or permitted by Applicable Privacy Laws; the Processing is necessary for the establishment, exercise or defence of legal claims;
- the Processing is necessary to protect the vital interests of any individual; or
- we have a legitimate interest in carrying out the Processing for the purpose of managing, operating or promoting our business, and that legitimate interest is not overridden by your interests, fundamental rights, or freedoms.
Voluntary provision of Personal Data and consequences of non-provision: The provision of your Personal Data to us is voluntary and will usually be a necessary requirement in order to enter into a contract with us and to enable us to fulfil our contractual obligations towards you. You are under no statutory obligation to provide your Personal Data to us; however, if you decide not to provide us with your Personal Data, we will not be able to conclude a contractual relationship with you and to fulfil our contractual obligations towards you.
Sale of your data: In accordance with Applicable Privacy Laws, we do not sell your data in exchange for compensation or non-monetary consideration.
(C) Disclosure of Personal Data to third parties
We disclose your Personal Data to other entities within the KLDiscovery group, in order to fulfil our contractual obligations towards you or for legitimate business purposes (including providing Services to you and operating our Websites) in accordance with Applicable Privacy Laws. In addition, we disclose your Personal Data to:
- you, and where appropriate, your appointed representatives, or if we are providing Services to your employer, your employer;
- third party Controllers with whom we share Personal Data in order to provide you with our Services;
- legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
- accountants, auditors, consultants, lawyers and other outside professional advisors to KLDiscovery, subject to binding contractual obligations of confidentiality;
- third party Processors (such as payment services providers, channel and retail partners, shipping/courier companies; technology suppliers, customer satisfaction survey providers, operators of “live-chat” services and processors who provide compliance services such as checking government issued prohibited lists, like the US Office for Foreign Asset Control), located anywhere in the world, subject to the requirements noted below in this Section (C);
- any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights, or any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
- any relevant third-party acquirer(s) or successors in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation), but only in accordance with the Applicable Privacy Laws; and
- any relevant third-party provider where our Websites may use third party content, advertising, plugins or content. If you choose to interact with any such content, your Personal Data may be shared with the third-party provider of the relevant third-party
If we engage a third-party Processor to Process your Personal Data, we will conclude a data processing agreement and sufficient guarantees as required by the Applicable Privacy Laws with such third-party Processor so that the Processor will be subject
to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data; together with any additional requirements
under Applicable Privacy Laws. In all cases, KLDiscovery is primarily liable for the acts and omissions of such third parties to whom KLDiscovery has entrusted personal data. KLDiscovery shall ensure that all such third parties maintain security
and data handling measures to standards prescribed by KLDiscovery prior to transferring such personal data to the applicable third party.
We may anonymize Personal Data about the use of the Websites (e.g., by recording such data in an aggregated format) and share such anonymized data with our business partners (including third party business partners).
(D) International transfer of Personal Data
Because of the international nature of our business, we may need to transfer your Personal Data within the KLDiscovery Group, and to third parties as noted in Section (C) above, in connection with the purposes
set out in this Policy. For this reason, we may transfer your Personal Data to other countries that may have lower standards for data protection than the EU due to different laws and data protection compliance requirements to those that apply in the country in which you are located.
Where we transfer your Personal Data to other countries, we do so, where required, on the basis of the applicable European Union Standard Contractual Clauses and, where relevant, the appropriate amendments to incorporate compliance with English and Swiss
law. You may request a copy of our Standard Contractual Clauses using the contact details provided in Section (P) below.
Transfers of Personal Data to the United Kingdom on the basis of the Adequacy Decision dated 28 June 2021
On 28 June 2021, the European Commission determined that the United Kingdom, following its withdrawal from the European Union and becoming a “third country” from December 31, 2020, ensures an adequate level of protection within the meaning of Article 45 of the General Data Protection Regulation 2016/679 (“GDPR”) (the “Adequacy Decision”) and that the United Kingdom benefits from such decision in relation to transfers of Personal Data to the United Kingdom.
Where we transfer your Personal Data from the European Union, Switzerland or another member of the EEA to the United Kingdom in connection with the purposes set out in this Policy, from the date of the Adequacy Decision, we will do so on the basis of the Adequacy Decision.
(E) Accreditation from U.S. Department of Commerce
Pursuant to the Data Privacy Framework Principles, KLDiscovery attests to the following:
- We are subject to the jurisdiction and enforcement authority of the U.S. Federal Trade Commission;
- We remain liable in the onward transfer of Personal Data to agent third parties unless we can prove we were not a party to the event giving rise to the damages;
- We may be required release Personal data in response to lawful requests by public authorities including to meet national security and law enforcement requirements; and
- We acknowledge the right of European Union, United Kingdom and Swiss individuals to access their information that is transferred into the United States and to update, amend or correct inaccurate or outdated information. Furthermore, said individuals can delete Personal Data that has been handled in violation of the DPF Principles.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, KLDiscovery commits to resolve complaints about our collection or use of your Personal Data transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. European Union, United Kingdom and Swiss individuals with inquiries or complaints should first contact KLDiscovery using the contact information set out in Section P.
KLDiscovery has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf.
(F) Data Security & Confidentiality
We have implemented appropriate technical and organizational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised
forms of Processing, in accordance with Applicable Privacy Laws. Further, as required under Applicable Privacy Laws, we only process your Personal Data subject to all contractual requirements of confidentiality, imposing equivalent measures upon employees
and subcontractors with access to such Personal Data.
Because the internet is an open system, the transmission of information via the internet is not completely secure. Although we will implement all reasonable measures to protect your Personal Data, we cannot guarantee the security of your data transmitted to us using the internet – any such transmission is at your own risk, and you are responsible for ensuring that any Personal Data that you send to us are sent securely.
(G) Data Accuracy
We take every reasonable step to ensure that:
- your Personal Data that we Process are accurate and, where necessary, kept up to date; and
- any of your Personal Data that we Process that are inaccurate (having regard to the purposes for which they are Processed) are erased or rectified without delay.
From time to time we may ask you to confirm the accuracy of your Personal Data.
(H) Data Minimisation
We take every reasonable step to ensure that your Personal Data that we Process are limited to the Personal Data reasonably required in connection with the purposes set out in this Policy (including the provision of Services to you).
(I) Data Retention
We take every reasonable step to ensure that your Personal Data is only Processed for the minimum period necessary for the purposes set out in this Policy. We will retain copies of your Personal Data in a form that permits identification only for as long
- we maintain an ongoing relationship with you (e.g., where you are a user of our services, or you are lawfully included in our mailing list and have not unsubscribed);
- your Personal Data are necessary in connection with the lawful purposes set out in this Policy, for which we have a valid legal basis (e.g., where your personal data are included in a contract between us your employer, and we have a legitimate interest in processing those data for the purposes of operating our business and fulfilling our obligations under that contract); or
- we receive your consent to store the data for a longer period of time (e.g., in the case of application documents for a later job offer).
Additionally, we will retain Personal Data for the duration of:
- any applicable limitation period under Applicable Privacy Laws (i.e., any period during which any person could bring a legal claim against us in connection with your Personal Data, or to which your Personal Data may be relevant); and
- an additional two (2) month period following the end of such applicable limitation period (so that, if a person brings a claim at the end of the limitation period, we are still afforded a reasonable amount of time in which to identify any Personal
Data that are relevant to that claim),
In the event any relevant legal claims are brought, we may continue to Process your Personal Data for such additional periods as are necessary in connection with that claim.
During the periods noted above in relation to legal claims, we will restrict our Processing of your Personal Data to storage of, and maintaining the security of, the Personal Data, except to the extent that the Personal Data needs to be reviewed in connection
with any legal claim, or any obligation under applicable law.
Once the periods above, each to the extent applicable, have concluded, we will either: (i) permanently delete or destroy the relevant Personal Data; or (ii) anonymize the relevant Personal Data.
(J) Your legal rights
Subject to Applicable Privacy Laws, you may have a number of rights regarding the Processing of your Personal Data, including:
- the right not to provide your Personal Data to us (however, please note that we will be unable to provide you with the full benefit of our Websites or Services, if you do not provide us with your Personal Data – e.g., we might not be able to process your requests without the necessary details);
- the right to request access to, or copies of, your Personal Data that we Process or control, together with information regarding the source, purpose and nature of processing and disclosure of those Personal Data;
- the right to request rectification of any inaccuracies in your Personal Data that we Process or control;
- the right to request, on legitimate grounds:
- erasure/deletion of your Personal Data that we Process or control; or
- restriction of Processing of your Personal Data that we Process or control;
- the right to object, on legitimate grounds, to the Processing of your Personal Data by us or on our behalf;
- the right to have your Personal Data that we Process or control transferred to another Controller, to the extent applicable and in a structured, commonly used and machine-readable form;
- the right to know the Personal Data held by KLDiscovery and details of the collection of the same, no more than twice in any 12 (twelve) month period;
- the right to withdraw your consent to Processing, where the lawfulness of processing is based on consent (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
- the right to lodge complaints with a Data Protection Authority regarding the Processing of your Personal Data by us or on our behalf. Addresses of Authorities can be found on: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
This does not affect your statutory rights. We do not discriminate against you for any exercise of your rights provided for under Applicable Privacy Laws. We reserve our rights for verification of your identity in the event that you exercise any such rights under Applicable Privacy Laws.
Subject to Applicable Privacy Law, you may also have the following additional rights regarding the Processing of your Personal Data:
- the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR; and
- the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.
To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Policy, or about our Processing of your Personal Data, please use the contact details provided in Section (P) below.
If we are providing you with Services based on orders, such provision of Services is regulated by contractual terms provided to you. In case of discrepancies between such terms and this Policy, this Policy is supplementary.
(K) Cookies and Similar Technologies
(L) Analysis Tools and Tools by Third-Party Providers
There is a possibility that your browsing patterns will be statistically analysed when your visit this website. Such analyses are performed primarily with what we refer to as analysis programs. You can find detailed information about these different analysis programs here: Use of Third-Party Tools.
(M) Use of Social Media
We do not use Social Media plug-ins on our Website. Social Media websites can only be reached via links from our Website. Therefore, no Personal Data is transmitted to any Social Media website when visiting our Website. You can find detailed information about our use of Social Media here: Use of Social Media.
(O) Direct Marketing
Subject to applicable law, where you have provided explicit consent in accordance with the applicable law or where we are sending you advertising and marketing communications relating to our similar products and services, we may Process your Personal
Data to contact you via email, telephone, direct mail or other communication formats to provide you with information or Services that may be of interest to you. If we provide Services to you, we may send information to you regarding our Services,
upcoming promotions and other information that may be of interest to you, using the contact details that you have provided to us and always in compliance with applicable law.
You may unsubscribe from our promotional email list or newsletters at any time by simply clicking on the unsubscribe link included in every email or newsletter we send. After you unsubscribe, we will not send you further emails, but we may continue to contact you to the extent necessary for the purposes of any Services you have requested.
(P) Details of Controllers
The Controllers in respect of whom this policy is issued are as follows:
Registered Address and Contact
KLDiscovery Ontrack Limited
UK Data Privacy Queries, Nexus, 25 Farringdon Street, London, EC4A 4AB
UK Data Privacy Queries, Nexus, 25 Farringdon Street, London, EC4A 4AB
Irish Data Privacy Queries, 25-28 North Wall Quay, Dublin 1, DO1 H104
Ibas Ontrack ApS
Danish Data Privacy Queries, C/O Regus Center Christians Brygge 28, 1559 København V
Ibas Ontrack Oy
Finnish Data Privacy Queries, Mannerheimintie 12 B, 00100 Helsinki
KLDiscovery Ontrack B.V.
Dutch Data Privacy Queries, De Brand 22, 3823 LJ Amersfoort
Ibas Ontrack AB
Swedish Data Privacy Queries, Box 1005, 751 40 Uppsala
Ibas Ontrack AS
Norwegian Data Privacy Queries, Fjellgata 2, 2212 Kongsvinger
KLDiscovery Ontrack GmbH
German Data Privacy Queries, Hanns-Klemm-Str. 5, 71034 Böblingen
KLDiscovery Ontrack Srl
Italian Data Privacy Queries, Gallarte (VA) Via Marsala 34/A CAP 21013
KLDiscovery Ontrack Sp. z o.o
Polish Data Privacy Queries, Katowice (40-082), ul. Jana III Sobieskiego 11
KLDiscovery Ontrack Pte Ltd
Singapore Data Privacy Queries, 10 Collyer Quay 10 - 01, Ocean Financial Centre, 049315
KLDiscovery Ontrack Information Technology Service (Shanghai) Co., Ltd
Chinese Data Privacy Queries, Room 1004, Floor 10, Jing'An Kerry Centre Building 1 (North Building), No. 1515, West Nanjing Road, Jing'an District, Shanghai
KLDiscovery Ontrack K.K.
Japanese Data Privacy Queries, 2-2-3 Uchisaiwaicho Chiyoda-ku, Tokyo 100-0011
KLDiscovery Ontrack (HK) Limited
Hong Kong Data Privacy Queries, Room 1702, 17/F Central Plaza, 18 Harbour Road, Wanchai
KLDiscovery Ontrack SL
Spanish Data Privacy Queries, Paseo de la Castellana, Num 81, Planta 11, 28046, Madrid
KLDiscovery Ontrack Sarl
French Data Privacy Queries, 2, impasse de la Noisette, 91371 Verriéres-le-Buisson Cedex 413
KLDiscovery Ontrack (Switzerland) GmbH
Swiss Data Privacy Queries, Hertistrasse 25, 8304 Wallisellen
KLDiscovery Ontrack Pty Ltd
Australian Data Privacy Queries, 9/28 Donkin St, West End QLD 4101
KLDiscovery Ontrack, LLC
American Data Privacy Queries, Attn: Andy Southam, 9023 Columbine Road, Eden Prairie, MN 55347
American Data Privacy Queries, Attn: Andy Southam, 9023 Columbine Road, Eden Prairie, MN 55347
KLDiscovery Franchising, LLC
American Data Privacy Queries, Attn: Andy Southam, 9023 Columbine Road, Eden Prairie, MN 55347
KLDiscovery Ontrack Canada Co
Canadian Data Privacy Queries, 1871 Hollis Street, Suite 200, Halifax, NS, B3J 0C3
KLDiscovery Ontrack Single Member Private Company
Greek Data Privacy Queries, 15 Theanos Street, 11854 Athens
KLDiscovery India Technology Services Private Limited
India Data Privacy Queries, Door No. 18, RMS Apartments, 3rd Floor No.12, Gopalakrishna Street, Pondy Bazaar, T. Nagar, Chennai – 600 017
Please note that, where a Controller is listed outside the European Union, you may contact the entity in your jurisdiction.
Each of the controllers established outside the EEA and listed in Section (P) above has appointed KLDiscovery Ontrack GmbH, Hanns-Klemm-Str. 5, 71034 Böblingen, Germany to be its representative the purposes of Article 27 of the GDPR.
Each of the controllers established outside the UK and listed in Section (P) above has appointed KLDiscovery Limited, Nexus, 25 Farringdon Street, London, EC4A 4AB to be its representative the purposes of Article 27 of the UK GDPR.
- ‘Applicable Privacy Laws’ means, jointly, the GDPR, UK GDPR, California’s Consumer Privacy Act as subsequently amended by the California Privacy Rights Act (commonly referred to as “CCPA”/ “CPRA”), the Virginia Consumer Data Protection Act (commonly referred to as “VCDPA”), the Colorado Privacy Act (commonly referred to as “CPA”), the Utah Consumer Privacy Act (commonly referred to as “UCPA”), and the Connecticut Data Privacy Act (commonly referred to as “CTDPA”).
- ‘Controller’ means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws.
- ‘Data Protection Authority’ means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.
- ‘EEA’ means the European Economic Area.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- ‘Personal Data’ means information that is about any individual, or from which any individual is directly or indirectly identifiable in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
- ‘Process’, ‘Processing’ or ‘Processed’ means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘Processor’ means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller).
- ’Services' means any services or products provided by KLDiscovery.
- ‘Sensitive Personal Data’ means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that may be deemed to be sensitive under applicable law.
- “Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission.
- ”UK GDPR“ means the GDPR as it forms part of the laws applicable in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as applied and modified by Schedule 2 of the Data Protection, Privacy and
Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) or as modified time to time by other laws applicable in the UK).
December 1, 2023