Supplemental Information for Individuals Located in Europe
This supplemental section of Huron's Privacy Statement is directed at and applies to individuals located in the European Union ("EU"), United Kingdom ("UK"), Switzerland, or where applicable EU data protection laws (e.g., the General Data Protection Regulation ("GDPR"), Data Privacy Framework ("DPF") and the UK Data Protection Act 2018) apply.
Table of Contents:
International Transfers of Your Personal Data
As provided in the Privacy Statement and Data Privacy Framework Statement, Huron collects various forms of Personal Data for various purposes.
By using the website or providing Personal Data to Huron, your Personal Data may be transferred to the United States, where Huron is headquartered, or to other Huron locations where we carry out our support activities. Your country's laws governing data collection and use may differ from those in the United States or other Huron locations. Some of the entities with whom we share your Personal Data, as described above in the Privacy Statement, are also located in countries whose laws have not been deemed by the European Commission to provide the same level of protection to your Personal Data. Only a small number of countries have been officially recognized by the European Commission as providing an adequate level of protection (list available here). Transfers to Huron entities and others located in countries outside the European Economic Area ("EEA"), UK, or Switzerland take place on the basis of an adequacy finding by the relevant authority (i.e., European Commission, Swiss Federal Data Protection and Information Commissioner ("FDPIC"), UK Information Commissioner's Office ("ICO") or other competent supervisory authority), EU Standard Contractual Clauses (or other standard contractual clauses approved by a competent supervisory authority), or other appropriate GDPR or applicable law derogations, including the EU-U.S. Data Privacy Framework, Swiss-US Data Privacy Framework, and UK Extension to the EU-U.S. Data Privacy Framework.
Data Privacy Framework Statement
This Data Privacy Framework Statement ("DPF Statement"), and the sections that follow, describe Huron's standards and procedures when handling Personal Data transferred from the European Economic Area ("EEA"), the United Kingdom (and Gibraltar) and Switzerland to the U.S. in accordance with Huron's obligations under the Data Privacy Framework. This statement supplements our Privacy Statement, and the terms in this DPF Statement have the same meaning as in our Privacy Statement. If there is any conflict between the terms in this Privacy Statement and the Data Privacy Framework Principles related to Personal Data transferred in reliance on our Data Privacy Framework certification, the Data Privacy Framework Principles shall govern.
Huron complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Huron has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Huron has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Huron entities and subsidiaries that adhere to the DPF principles:
- Innosight Consulting, LLC
- Huron Transaction Advisory LLC
- Huron Consulting Services LLC
- Huron Managed Services LLC
- Huron Public Finance Advisory LLC
The Federal Trade Commission has jurisdiction over Huron’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
Notice
The foregoing information, in addition to the Privacy Statement, further outlines Huron's commitment to compliance with the DPF Principles and provide you notice of specific information pertinent to you under the Data Privacy Framework.
Choice
You have the opportunity to opt out if your Personal Data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Where use or transfer involves sensitive information, you must opt-in before Huron will use or transfer such information.
Accountability for Onward Transfer for Personal Data
Huron may transfer Personal Data for the purposes described in the Huron Privacy Statement to a third party as a data controller or as an agent. In such an event, Huron will comply with and protect Personal Data as provided for in the Accountability of Onward Transfer Principle of the Data Privacy Framework. Huron remains responsible for the processing of Personal Data received under the Data Privacy Framework and then transferred to a third party acting as an agent if that party processes Personal Data in a manner inconsistent with the Data Privacy Framework and its principles, unless Huron demonstrates that we are not responsible for the event resulting in damage.
Security
Huron takes reasonable and appropriate measures to protect Personal Data and takes into account the risks involved in processing and the nature of the Personal Data it maintains, in order to protect against loss, misuse, and unauthorized access, disclosure, alteration and destruction.
Data Integrity and Purpose Limitation
Any Personal Data Huron collects may be used for the purposes indicated below or in our Privacy Statement or otherwise notified to you. We will not process Personal Data in a way that is incompatible with these purposes unless authorized by you.
The lawful basis for our processing of your Personal Data will depend on the purposes of the processing. For most Personal Data processing activities covered by this Privacy Statement, the lawful basis is that the processing is necessary for our legitimate business interests. Where we process Personal Data in relation to a contract, or a potential contract, with you, the lawful basis is that the processing is necessary for the performance of our contract with you or to take steps at your request prior to entering into a contract. If we are required to share Personal Data with law enforcement agencies or other governmental bodies, we do so on the basis that we are under a legal obligation to do so. We will also use consent as the legal basis where we deem appropriate or to the extent required by applicable law, for example, before we collect precise location data from your electronic device.
Depending on what Personal Data we collect from you and how we collect it, we may also rely on various grounds for processing your Personal Data, including the following reasons:
- Processing on the basis of legitimate business interests. When we process Personal Data on the basis that the processing is necessary for our legitimate business interests, such interests include: (i) providing, improving, and promoting our Services; (ii) communicating with current and potential customers, other business partners, and their individual points of contact; (iii) managing our relationships with our customers and other business partners, and their individual points of contact; (iv) other business development purposes; (v) sharing information within Huron, as well as with service providers and other third parties; and (vi) maintaining the safety and security of our products, Services, and employees, including fraud protection.
- Processing on the basis of performance of a contract. Examples of situations in which we process Personal Data as necessary for performance of a contract include e-commerce transactions in which you purchase a service from us.
- Processing on the basis of consent. Examples of processing activities for which we may use consent as its legal basis include: (i) collecting and processing precise location information from your electronic device; (ii) sending promotional emails when consent is required under applicable law; and (iii) processing Personal Data on Huron Services through cookies and similar technologies when consent is required by applicable law.
- Processing because we are under a legal obligation to do so. Examples of situations in which we must processes Personal Data to comply with our legal obligations include: (i) providing your Personal Data to law enforcement agencies and other governmental bodies when required by applicable laws; (ii) retaining business records required to be retained by applicable laws; and (iii) complying with court orders or other legal process.
If the processing of your Personal Data is based on your consent, the GDPR and Data Protection Act 2018 also allow users the right to access, revoke, or modify your consent at any time. Please see Contact Us, below, to review or modify your consents.
Retention
We will retain your Personal Data for as long as needed for the purposes described in this Privacy Statement. More specifically, the time we maintain your Personal Data depends on the following factors:
Whether we need the Personal Data to provide the Services. We will maintain any data needed to provide you with the Services, such as contact information and payment or transaction information, for as long as needed for us to provide you with the Services, respond to your questions and requests, and/or administer your account (if applicable).
- Whether we need the Personal Data to comply with our legal obligations. We may have legal obligations to maintain your Personal Data where a legal or regulatory body may ask for it in the future, for example in response to a data subject request or complaint. This information may include contact information and location information.
- Whether we need the Personal Data for a legitimate business interest. We may store Personal Data like contact information, cookies, and location information in order to perform analytics, troubleshoot errors, or improve our Services. In any event, we delete the Personal Data when it is no longer needed for our legitimate interest.
Regardless of our reason for retaining your Personal Data, we delete all Personal Data in accordance with our routine record keeping policies.
Access
If you are visiting the website from the EU, UK, or Switzerland or where applicable EU data protection laws so provide, you may exercise the following rights regarding your Personal Data:
Access. You have the right to obtain from us confirmation if your Personal Data is being processed and certain information in this regard.
Rectification. You have the right to request the rectification of inaccurate Personal Data and to have incomplete data completed.
Objection. You have the right, when we process Personal Data on the grounds of legitimate interests, to object to the processing of your Personal Data for compelling and legitimate reasons relating to your particular situation, except in cases where legal provisions expressly provide for that processing. In addition, you have the right to object at any time where your Personal Data is processed for direct marketing purposes.
Portability. You may receive your Personal Data that you have provided to us in a structured, commonly used, and machine-readable format and have the right to transmit them to other data controllers without hindrance. This right only exists if the processing is based on your consent, or a contract and the processing is carried out by automated means.
Restriction. You may request to restrict processing of your Personal Data (i) while we verify your request – if you have contested the accuracy of the Personal Data about you which we hold; (ii) if the processing is unlawful and you oppose the erasure of it and request restriction instead; (iii) if we no longer need it, but you tell us you need it to establish, exercise, or defend a legal claim; or (iv) while we verify your request if you have objected to processing based on public or legitimate interest.
Erasure. You may request to erase your Personal Data if it is no longer necessary for the purposes for which we have collected it, you have withdrawn your consent and no other legal grounds for the processing exists, you objected and no overriding legitimate grounds for the processing exist, the processing is unlawful, or erasure is required to comply with a legal obligation.
Right to lodge a complaint. You also have the right to lodge a complaint with a supervisory authority, in particular in the jurisdiction of your residence, or the location where the issue that is the subject of the complaint occurred.
Right to refuse or withdraw consent. Please note that in case we ask for your consent to certain processing, you are free to refuse to give consent and you can withdraw your consent at any time without any adverse negative consequences. The lawfulness of any processing of your Personal Data that occurred prior to the withdrawal of your consent will not be affected.
You may also revoke your consent for processing of your Personal Data. If you wish to object to the use and processing of your Personal Data, withdraw consent to this Privacy Statement, or exercise any of the above European Privacy Rights you can contact us in the following ways:
Online Form: Exercising Your Privacy Rights
Email: privacy@hcg.com
Call us: 1-866-229-7219 (toll free) and ask for Huron's Chief Privacy Officer
Write us:
Huron Consulting Group Inc.
Attn: Chief Privacy Officer
550 W Van Buren St
Chicago IL 60607
The requests above will be considered and responded to in the time period stated by applicable law. Note, certain Personal Data may be exempt from such requests. We may require additional Personal Data from you to confirm your identity in responding to such requests.
You have the right to lodge a complaint with the supervisory authorities applicable to you and your situation, although we invite you to contact us with any concern as we would be happy to try and resolve it directly. Please contact us at:
Email: privacy@hcg.com
Call us: 1-866-229-7219 (toll free) and ask for Huron's Chief Privacy Officer
Write us:
Huron Consulting Group Inc.
Attn: Chief Privacy Officer
550 W Van Buren St
Chicago IL 60607
Recourse, Enforcement and Liability
In compliance with the Data Privacy Framework, Huron is committed to resolving complaints related to the DPF and our collection or use of Personal Data. If you are in the EU, UK or Switzerland and have a complaint regarding our processing of your Personal Data, please contact us.
Furthermore and in compliance with the Data Privacy Framework, Huron will refer, at no cost, unresolved complaints concerning our handling of Personal Data received to the alternative dispute resolution services offered by JAMS, as our U.S.-based independent recourse mechanism. The website for submitting complaints that have not been resolved directly by Huron can be found here. Individuals covered by the Data Privacy Framework may seek binding arbitration for limited types of claims. For additional information about the Data Privacy Framework arbitration process, please visit the Data Privacy Framework website at Data Privacy Framework Arbitration.
EU Representative
VeraSafe has been appointed as Huron's representative in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. If you are in the European Economic Area, VeraSafe can be contacted in addition to Huron's Chief Privacy Officer (available at privacy@hcg.com), only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland
