The Asian American Store Owners Association of South Carolina Inc., henceforth referred to as “AASOA”, strives to comply with applicable laws and regulations related to personal data protection in countries where the association operates. This policy sets forth the basic principles by which the association processes the personal data of visitors, sponsors, members and preferred vendors, and indicates the responsibilities of the association while processing personal data. The policy reflects AASOA’s commitment to protect personal information and handle it responsibly to meet association, legal and regulatory requirements related to personal data.

Notice

AASOA shall notify individuals about the purposes for which it collects, processes, stores and/or discloses information about them. Notice should be communicated in a clear and easy-to-understand manner before AASOA uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization, or discloses it for the first time to a third party.

a) At a minimum, the Notice statement should contain (unless it is evident from the context):

  • Its participation in Privacy Shield and provide a link to, or the web address for, the Privacy Shield list.
  • The type of personal data that is collected; and the entities and the subsidiaries of the organization adhering to the Principles.
  • The purpose for which the personal information is collected and used for;
  • If there is a legal requirement to collect the personal information, a statement of this fact;
  • How the personal information will be used or processed;
  • If the information will be collected by or disclosed to third parties, a statement of this fact and the purposes for doing so along with the type and identity of that third party.
  • AASOA’s liability in cases of onward transfer of information to the third parties
  • The right of individuals to access the personal data,
  • How individuals can access their information and correct or delete it if it is inaccurate; and
  • How to contact AASOA with questions, corrections, complaints, and disputes
  • Where feasible, AASOA shall provide the Notice to an individual at or before the time of the collection of Personal Information.
  • The choices and means AASOA offers the individuals for limiting the use and disclosure of their personal data
  • The requirement to disclose personal information in response to lawful requests by public authorities including to meet national security or law enforcement requirements.
  • Under the Privacy Shield, the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual
  • The possibility, under certain conditions, for the individual to invoke binding arbitration

Choice and Consent

AASOA shall obtain consent from individuals when required or appropriate. AASOA should also clearly communicate any choices available when personal data is collected or used by a third party, or disclosed by AASOA to such parties.

Specifically, when consent is required or appropriate, AASOA shall:

  • Request the consent of the individual using the type of consent (opt-out or opt-in) that is required or appropriate;
  • Ensure that the choices provided to an individual are complete and clear (e.g., how to “opt-out”);
  • Inform individuals of the consequences for failing to consent or to provide their information;
  • Verify that AASOA’s use of individual personal data is consistent with consent obtained; and
  • Obtain new consent if personal data will be used for a purpose other than originally disclosed to the individual.
  • Inform the individual about the provision to withdraw the consent if required

Collection

AASOA should collect or obtain personal data only in a fair and lawful manner. Specifically, AASOA shall:

  • Collect only as much personal data as is required by law or needed for the purposes about which the individual has been informed;
  • Collect personal data in a fair and non-deceptive manner;
  • Clearly indicate to individuals which personal data is required and which is optional at the time of collection;
  • Collect personal data from individuals consistent with local country and jurisdictional laws;
  • Collect personal data directly from the individual, when possible; and
  • Verify that personal data collected from third parties is reliable and legally obtained.

Use and Retention

AASOA shall use, process, store, and/or retain personal data only for legitimate business purposes or as authorized by the individual.

Specifically, AASOA will use, store, and/or process personal data consistent with:

  • Stated purposes for which it was collected;
  • Consent obtained from the individual; and
  • Contractual, regulatory, and local country laws and requirements.

AASOA shall retain personal data in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing within the meaning of 5a. This obligation does not prevent organizations from processing personal information for longer periods for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific and historical research, and statistical analysis. In these cases, such processing shall be subject to the other principles and provisions of the Framework, and the personal information shall be destroyed according to applicable AASOA data retention policies and procedures.

Purposes of Use

Managing Personnel:

  • To manage member and preferred member matters
  • To set up a member or preferred vendor profile
  • To maintain an internal member and preferred vendor directory for purposes of identification
  • To facilitate communication, interaction and collaboration among AASOA, members and preferred vendors
  • To promote the AASOA organization
  • To arrange and manage events and public service activities

Monitoring, Security, And Compliance:

  • To monitor use of AASOA information systems and other electronic resources

Monitoring, Security, And Compliance:

  • For communications with prospective, current, and former members and preferred vendors
  • To promote the association
  • To provide a directory and contact information for members and preferred vendors
  • To facilitate administrative functions and for legal reasons and association transactions.

Access & Correction

AASOA shall provide individuals about whom it processes personal data an opportunity to access and correct their information. Specifically, AASOA shall provide a:

  • Response to the request for access to personal data in a timely manner, in a format convenient for both AASOA and the individual; and
  • Chance to review the personal data, challenge its accuracy, and have it corrected, amended or deleted.

AASOA shall authenticate individuals before allowing access to or providing personal data. Access to personal data may be denied if an unreasonable request is made (e.g., requests that do not follow the procedure outlined in the privacy notice or requests which would provide personal data about others besides the requesting individual). However, in cases in which access is denied, AASOA shall provide a reason to the individual and a point of contact for further inquiry.

Disclosure and Onward Transfer

AASOA may share an individual’s personal data, acting as a controller, with Third Parties as required for normal association operations while complying with the notice and choice Principles. When disclosing information AASOA shall:

  • Only disclose personal data to Third Parties for the purposes identified in the notice provided to individuals;
  • Verify that AASOA’s actions align with the consent provided by the individual, in addition to any legal and/or regulatory requirements;
  • Require Third Parties, through contractual clauses and/or written agreements, to adhere to a baseline of privacy and information security controls, as approved by the respective legal team;
  • Require Third Parties to process personal data in accordance with the individuals’ choices and consent;
  • Take reasonable and appropriate steps to stop and remediate unauthorized processing by such third party.
  • Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

Security

AASOA shall take reasonable precautions, including administrative, technical and organizational, personnel, and physical measures, to safeguard personal data against loss, misuse and unauthorized access, disclosure, alteration, destruction, and theft, taking into account the risks involved in the processing and the nature of the personal data.

  • AASOA shall take reasonable technical and organizational precautions to prevent the loss, misuse or alteration of your personal information.
  • AASOA shall store all the personal information you provide on our secure (password- and firewall-protected) servers.

Data Integrity, Data Quality, Data Security & Purpose Limitation

AASOA shall employ reasonable processes to keep personal data accurate, complete, and up-to-date and, in the event that personal data changes, must update the change immediately. AASOA shall limit processing to the purposes for which the data was collected and shall not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. AASOA undertakes to protect Personal Data using commercially reasonable organizational, technical and administrative procedures to protect against unauthorized or unlawful access, processing, disclosure, alteration, destruction or accidental loss of your personal data.

These precautions include password protections for online information systems and restricted access to Personal Data.

AASOA shall:

  • Implement procedures to keep personal data as accurate, complete and up-to-date as needed; and
  • To the extent feasible, allow and encourage individuals to keep their personal data accurate, complete and up-to-date.
  • AASOA may assign different types of data different security levels, with appropriate corresponding security precautions. AASOA also restricts access to Personal Data to those Personnel that have a legitimate business need for such access.

Monitoring, Recourse, Enforcement & Liability

AASOA is committed to monitoring and enforcing ongoing compliance with this policy and with applicable privacy laws, regulations and obligations.

AASOA’s effective privacy protection includes robust mechanisms for assuring compliance with the Principles, monitoring the dataflow, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms shall include:

  • readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide;
  • follow-up procedures for verifying that the attestations and assertions about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and
  • obligations to remedy problems arising out of failure to comply with the Principles by AASOA announcing their adherence to them and consequences in case of non-adherence.

Data Security Incident Notification

Where required by applicable law, AASOA shall follow applicable procedures to notify individuals, in a timely manner, when a data security incident has occurred, and has resulted or could result in unauthorized access or acquisition of personal information. Colleagues who suspect such an incident should immediately contact the privacy office.

Data Breach Management

The Privacy Team will work with the AASOA Board to minimize the impact of data loss, and jointly work out a communication plan. Depending on the classification of the data breach, e.g. whether sensitive data was lost or not, incident information will be shared with the data subject, preferred vendors, members and sponsors as appropriate.

Exceptions

Under certain limited or exceptional circumstances, AASOA may, as permitted or required by applicable laws and obligations, process personal data without providing notice or seeking consent.

In addition, AASOA may, as permitted or required by applicable law and obligations, process personal data without providing access, such as in the circumstances described above; when the privacy interests of others would be jeopardized; or where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy.

Sensitive Data

AASOA is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is:

  • in the vital interests of the data subject or another person;
  • necessary for the establishment of legal claims or defenses;
  • carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects;
  • necessary to carry out AASOA’s obligations in the field of employment law; or
  • related to data that are manifestly made public by the individual.

Limitation to Access

An organization may set reasonable limits on the number of times within a given period that access requests from a particular individual will be met. In setting such limitations, an organization should consider such factors as the frequency with which information is updated, the purpose for which the data are used, and the nature of the information.