Additional EEA Privacy Disclosures
Last Updated: January 1, 2020
These Additional European Economic Area (EEA) Privacy Disclosures supplement the information contained in the CDW Privacy Notice . These Disclosures apply only to our processing of your personal data where you are based in the EEA or Switzerland. CDW Limited is the data controller responsible for the collection and use of such personal data. Unless otherwise expressly stated, terms in these Disclosures have the same meaning as defined in the Notice.
We rely on the following legal grounds to process Personal Data about you, whether it is obtained from you or a third party:
Category of Personal Data
How We Use the Personal Data
Legal Bases for Processing
You are not required to provide personal data to us, but we do rely on your personal data to provide certain of our services and products. For example, we need your personal data to facilitate and deliver an order that you request. If you choose not to provide us with your personal data, we may not be able to provide you with a service or product you request.
We retain personal data about you for as long as is necessary for the purposes set out in these Disclosures, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights.
The criteria used to determine the period for which personal data about you will be retained varies depending on the legal basis under which we process the personal data:
Where we are processing personal data based on our legitimate interests, we generally will retain such information for a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of data subjects.
Where we are processing personal data based on your consent, we generally will retain the information for the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain of your data erased (please see the Your Privacy Rights section below).
Where we are processing personal data based on a legal obligation, we generally will retain the information for the period of time necessary to fulfill the legal obligation.
We may need to apply a “legal hold” that retains information beyond our typical retention period where we face threat of legal claim. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.
Where we are processing personal data based on contract, we generally will retain the information for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from the contractual relationship.
In all cases, in addition to the purposes and legal bases, we consider the amount, nature and sensitivity of the personal data, as well as the potential risk of harm from unauthorized use or disclosure of your personal data.
International Data Transfers
We may transfer personal data about you among us and to our subsidiaries or affiliates, as well as to the categories of third parties identified in the Our Disclosure of Personal Information section of the Notice. Personal data may be transferred to, stored and processed in a country other than the one in which it was collected, including, but not limited to, the United States. The country to which personal data is transferred may not provide the same level of protection for personal data as the country from which it was transferred.
We may transfer personal data about you outside the EEA and Switzerland and when we do so, we rely on appropriate or suitable safeguards recognized under the GDPR including adequacy decisions, standard contractual clauses and the EU‑U.S. Privacy Shield.
We may transfer personal data about you to countries that the European Commission has deemed to adequately safeguard personal data.
The European Commission has adopted Standard Contractual Clauses, which provide safeguards for personal data transferred outside of the EEA. We may use these Standard Contractual Clauses when transferring personal data from a country in the EEA to a country outside the EEA that has not been deemed to adequately safeguard personal data. You can request a copy of our Standard Contractual Clauses by contacting us as set forth in the How to Contact Us section below.
The EU-U.S. Privacy Shield Framework (Privacy Shield) was designed by the U.S. Department of Commerce and the European Commission to ensure adequate protection for Personal Data transferred to a company certified under Privacy Shield. If we transfer any personal data about you from the EEA to a third party outside the EEA who is certified under Privacy Shield as set forth by the U.S. Department of Commerce, we may rely on such certification to ensure adequate protection for personal data so transferred.
In addition, CDW LLC, CDW Direct LLC, CDW Government LLC, CDW Logistics, Inc., and CDW Technologies LLC are certified under Privacy Shield, and as part of this commitment, protects personal data received about customers in accordance with Privacy Shield Principles. These CDW entities remain responsible for onward transfers of personal data to third parties, unless we prove we are not responsible for the event giving rise to the damage. These CDW entities may also be required to disclose personal data in response to lawful requests by public authorities, including in order to satisfy national security or law enforcement requirements.
These CDW entities commit to resolve complaints about our collection or use of personal data, and are subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to Privacy Shield. If you have questions or complaints regarding our Privacy Shield certification, you should first contact us at firstname.lastname@example.org. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. In addition, under certain conditions, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
To learn more about Privacy Shield and review our self-certification, please visit the Privacy Shield List here.
The right to access and obtain a copy of personal data about you, as well as information relating to its processing.
The right to correct or update any personal data about you that is inaccurate or incomplete.
Restriction of Processing
The right to require us to limit the purposes for which we process your personal data if the continued processing of the personal data in this way is not justified, such as where the accuracy of the personal data is contested by you.
The right to request the deletion or erasure of personal data about you without undue delay if the continued processing of that personal information is not justified.
The right to obtain a copy of personal data about you in an easily accessible format and the right to transmit that personal data to another controller.
You also have the right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal data, and we will assess and inform you if that is the case. You can object to marketing activities for any reason.
Please note that if the exercise of these rights limits our ability to process personal data, we may not be able to provide our products or services to you, or otherwise engage with you going forward.
Where we rely on your consent for processing of your personal data, you also have the right to withdraw your consent to such processing, subject to certain limitations at law.
You may withdraw your consent in the following ways:
- Marketing Communications: Where you have provided your consent to marketing communications, you may withdraw your consent by following the opt-out instructions provided in the Managing Communication Preferences section in our Notice, except that the contact to manage any email or Catalog subscriptions in the UK is email@example.com.
- Contact Us: You may also withdraw your consent by contacting us as set forth in the How to Contact Us section below.
To submit a request, please contact us as set forth in the How to Contact Us section below or by filling out our Rights Request Form. We may need to verify your identity before processing your request, which may require us to obtain additional personal data from you. In certain circumstances, we may decline a request to exercise the rights described above.
If you have any complaints regarding our privacy practices, you have the right to lodge a complaint with your national data protection authority (i.e., supervisory authority). You may also contact our Lead Supervisory Authority, the Information Commissioner’s Office of the United Kingdom, with any questions about our privacy practices.
Changes to these Disclosures
We may update these Disclosures from time to time. When we make changes to these Disclosures, we will change the date at the beginning of these Disclosures to include the "Last Updated" date. If we make material changes to this Notice, we will notify you by email to your registered email address, by prominent posting on our online services, or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided in the notification.
How to Contact Us
If you have any questions or requests in connection with these Disclosures or other privacy-related matters, please contact our data protection officer by sending an email to firstname.lastname@example.org.
Alternatively, inquiries may be addressed to:
Global Compliance & Ethics
3rd Floor, 10 Fleet Place
London, EC4M 7RB