I. PROTECTING OUR EMPLOYEES
Auto Exchange (hereinafter "AX") respects the privacy of our employees. We recognize that the information our employees provide to us for employment-related and health-related purposes belongs to the respective employees and that we must treat it accordingly. In accordance with the Health Insurance Portability and Accountability Act (hereinafter "HIPAA") and the requirements of the Privacy Rule, 45 CFR Parts 160 and 164, AX is providing this notice to describe how we may use and/or disclose individually identifiable health information (hereinafter "employee information") about employees or their accounts. Terms used in this policy regarding employee information are defined in accordance with HIPAA, which is incorporated herein by reference. AX provides Medical, Prescription Drug, Dental, Vision and Flexible Spending Account ("FSA") Programs (hereinafter collectively called the "Health Plan") to all eligible employees. Personally identifiable health information the employee provides to AX relating to the Health Plan is "Protected Health Information" and the Health Plan must maintain the privacy of such information. The Health Plan and/or its insurers, HMOs or third party claim administrators may acquire Protected Health Information about the employee for the purposes of treatment, payment of benefits or provision of health care services, or for the overall health care operations of the Plan. This Protected Health Information will not be disclosed to anyone without the employee's express written authorization, except as permitted by law. Under HIPAA and the Privacy Rule, the Health Plan, Insurers, HMOs and third party claim administrators must provide the employee with notice of their legal duties and privacy practices with respect to that individually identifiable health information. Please contact your Health Plan, Insurer, HMO and/or claim administrator to obtain a copy of this notice.
PROTECTION OF EMPLOYEE INFORMATION THAT IS NOT PROTECTED HEALTH INFORMATION
Employee Information acquired directly by AX or for claims purposes for plans or programs from sources other than the Health Plan is not Protected Health Information. Although HIPAA and the Privacy Rule do not apply to such information, it will be treated the same as Protected Health Information, except that it can be used and disclosed without your authorization or consent for any claim for benefits under any other pension or welfare benefit plan or program sponsored by AX, including short term or long term disability benefits; waiver of premium benefits under a group-term life insurance program; claims under the Dependent Care FSA that may arise because the spouse or child is ill or because the employee's spouse is physically or mentally unable to assist in caring for a dependent child or other family dependent; requests for certification of coverage of the employee or dependent; or other lawful employment-related purposes (e.g., pre-employment drug testing, requests for reasonable accommodations under the ADA, requests for family or medical leave, submission of a worker's compensation claim).
DESIGNATION OF AN AUTHORIZED PERSONAL REPRESENTATIVE
Under the Privacy Rule, employees and their covered dependents may designate a Personal Representative, whether their spouse or other third person, to act on their behalf by executing the Health Plan's authorization form, by executing a similar document, or by obtaining a court order pursuant to applicable state or other law. Generally, any court order designating someone as a guardian or executor or administrator or a duly executed power of attorney or health care proxy may serve as such a designation. You can also retain an attorney to deal with your Protected Health Information or other Employee Information. In most instances, parents are the Personal Representatives of their minor dependent children, unless there is a court order authorizing a third party to make treatment decisions for a minor child or if under the laws of some states the older minor children may obtain their own health care services without the knowledge or consent of their parents.
Designation of Personal Representatives:
AX, with respect to all benefit plans or programs, will accommodate these situations as follows:
- In the absence of any written statement from an employee or spouse to the contrary, AX will regard the employee and his or her spouse to be each other's Personal Representative.
- Any written request delivered to AX or the Plan Administrator by (1) an employee and/or spouse or (2) a parent and/or adult child requesting that the other spouse should not be his or her Personal Representative will be kept on file and will be honored.
- In the absence of a written statement from a parent or adult child to the contrary, AX will not regard the parent or adult child as each other's Personal Representative with respect to Protected Health Information or other individually identifiable health information, except when the Plan Administrator or its delegate determines that the parent or child is incapable of making a decision with respect to his or her treatment, access to health care or payment of benefits.
II. PROTECTING OUR CUSTOMERS
At Auto Exchange (hereinafter "AX"), we respect the privacy of our consumers. We use information our customers provide to us to better serve their needs. We recognize that this information belongs to the customer and that we must treat it accordingly.
THE INFORMATION WE COLLECT
Personal information that can identify a consumer, such as name, address, and/or financial information may only be collected when the customer voluntarily offers it and solely for purposes that are clearly identified. Personal information acquired through such registration must be kept confidential and shall not be disclosed to non-affiliated third parties without the customer's prior consent except as may be required by law. AX employees may not, under any circumstances, seek personal information from children. We may obtain non-public personal information about customers from the following sources:
- Information about the customer provided directly to us by the customer.
- Information provided on applications, orders or other forms or transactions, which may include but is not limited to a customer's name, address, social security number, income information and sources that is not publicly available.
- Information on any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived from using any personally identifiable financial information that is not publicly available.
- Information about a customer's transactions with us, our affiliates, or others, such as balance and payment history.
- Information obtained from the consumer's employer or other employment-related sources to verify financial information.
- Information obtained from consumer reporting agencies, such as one's credit history, credit score, and information that we obtain to verify employment history or that insurance coverage is in place.
- Information obtained through Internet "cookies" in connection with an inquiry about a financial product or service.
THE INFORMATION WE DISCLOSE
Information about our customers may only be disclosed for the business purpose of assisting in the finance, purchase and/or insuring of a motor vehicle or related product(s) upon a customer's request for such service. AX's policy is to limit access to client information to those who need it to serve our client's needs. AX may not share this information with any other parties other than our own affiliates, financial service providers and the manufacturer of your vehicle. If the customer does not request this service, his or her information may not be shared with them. We do not disclose client information to non-affiliated third parties, except as necessary to conduct our business. Non-public personal information may be shared only with the customer's prior consent or as permitted by law. This policy affects former as well as current customers.
CONFIDENTIALITY AND SECURITY
Our employees, agents, administrators and subcontractors who need this information to provide the service and products the customer has requested may obtain and/or use customers' non-public personal and/or financial information solely as described herein. In accordance with the Privacy Act of 1974, the Gramm Leach Bliley Act, the Privacy and Safeguards Rules promulgated by the Federal Trade Commission and New York State Insurance Department Regulations, AX maintains physical, electronic and procedural safeguards that comply with New York State and federal regulations to guard customers' non-public personal information from unlawful disclosure and reasonably foreseeable risks to the security of the information. Any misuse of the customer's nonpublic personal and/or financial information will subject the employee to disciplinary action, up to and including discharge and/or prosecution.
The Internet is not a secure medium and the privacy of communication over the Internet cannot be guaranteed. AX does not assume any responsibility for any harm, loss, or damage a user may experience or incur by sending personal or confidential information over the Internet by or to AX.
AX'S CONFIDENTIAL INFORMATION
AX's confidential information includes all proprietary; intellectual property (trademark or otherwise); trade secret; and, any other non-public information AX expects or would reasonably expect to be kept secret and/or used solely by AX unless otherwise agreed to. AX owns any and all rights to its confidential information worldwide in perpetuity. By accepting to be employed by AX, the employee agrees not to disclose the content of or otherwise use any of AX's Confidential Information outside of the scope of his or her employment without AX's prior written consent.
U.S.-EU Safe Harbor Framework
AX complies with the U.S.-EU Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. AX has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view AX's certification, please visit http://www.export.gov/safeharbor/
James M Black II, Chief Compliance Officer; Vice President and General Counsel, 175 Crossways Park West, Woodbury, NY 11797
AX has further committed to refer unresolved privacy complaints under the US-EU Safe Harbor Principles to an independent dispute resolution mechanism, the BBB EU SAFE HARBOR, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by AX, please visit the BBB EU SAFE HARBOR web site at www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.
If an employee believes that his or her privacy rights have been violated, or that customer or confidential company information has been misused, he or she may complain in writing addressed to AX's Legal Department, 175 Crossways Park West, Woodbury, NY 11797. Complaints relating to personal privacy violations may also be made in writing to the Secretary of the US Department of Health and Human Services, 200 Independence Avenue SW, Washington DC 20201, within 180 days after the employee knows or should have known about the act or omission that is the subject of the complaint. AX will not retaliate against an employee who files such a complaint.
Dated as of __________________, ________
ACKNOWLEDGEMENT OF RECEIPT
ACKNOWLEDGED AND AGREED: