GDPR Addendum

Last modified: March 28, 2025

1. Introduction

This GDPR Privacy Addendum (the “GDPR Privacy Addendum”) supplements the information contained in our PESI, Inc. Privacy Notice (our “Privacy Notice”) and applies solely to the users of our PESI Services who are located in the European Economic Area, the United Kingdom, or Switzerland. We adopt this GDPR Privacy Addendum to comply with the European Union’s General Data Protection Regulation, and any laws implementing the foregoing by any member states of the European Economic Area, the United Kingdom (including the UK Data Protection Act and the UK-GDPR), and or Switzerland (collectively, the “GDPR”). Unless otherwise defined in this GDPR Privacy Addendum, any terms defined in the GDPR or our Privacy Notice have the same meaning when used in this GDPR Privacy Addendum. When this GDPR Privacy Addendum is applicable to you, it takes precedence over anything contradictory in our Privacy Notice.

2. Data Controller

PESI is the data controller of your Personal Data.

3. Information We Collect About You and How We Collect It

The Personal Data we collect and the ways in which we collect it is described in our Privacy Notice.

The Personal Data we collect from you is required to enter into a contract with PESI, for PESI to perform under the contract, and to provide you with our products and services. If you refuse to provide such Personal Data or withdraw your consent to our processing of Personal Data (when appropriate), then in some cases we may not be able to enter into the contract or fulfill our obligations to you under it.

We only place non-essential cookies on your device and use other interaction and/or performance monitoring tools with your affirmative consent. You may withdraw or change your consent at any time by accessing our cookie consent manager through the “Cookies” link on our Websites or in our Applications. You may also set your browser or mobile operating system to refuse all or some browser cookies (which may include essential cookies), or to alert you when cookies are being sent. However, if you do not consent to our use of cookies or select this setting you may be unable to access certain parts of the PESI Services.

4. Lawful Basis for Processing Your Personal Data

The processing of your Personal Data is lawful only if it is permitted under the GDPR. We have a lawful basis for each of our processing activities (except when an exception applies as described below):

• Consent. Sometimes, we will use your Personal Data because you have actively indicated it is okay that we do so. This includes, for example, situations where you have checked a consent box when required to be made available to you under applicable laws;
• Legitimate Interests. We will process your Personal Data as necessary for our legitimate interests. Our legitimate interests are balanced against your interests and rights and freedoms and we do not process your Personal Data if your interests or rights and freedoms outweigh our legitimate interests. Our legitimate interests include to: facilitate communication between PESI and you; detect and correct bugs and to improve our Websites and Applications; safeguard our IT infrastructure and intellectual property; detect and prevent fraud and other crime; promote and market our business; check your credit and perform risk assessments; and develop our product and services;
• To Fulfill Our Obligations to You under our Contract. We process your Personal Data in order to fulfill our obligations to you pursuant to our contract with you to deliver our goods and services to you; and
• As Required by Law. We may also process your Personal Data when we are required or permitted to by law; to comply with government inspections, audits, and other valid requests from government or other public authorities; to respond to legal process such as subpoenas; or as necessary for us to protect our interests or otherwise pursue our legal rights and remedies (for instance, when necessary to prevent or detect fraud, attacks against our network, or other criminal and tortious activities), defend litigation, and manage complaints or claims.

5. Automated Decision Making

PESI does not use your Personal Data with any automated decision making process , including profiling, which may produce a legal effect concerning you or similarly significantly affect you.

6. How We Use Your Information

We use your Personal Data as described in our Privacy Notice.

We may use your Personal Data to contact you about goods and services that may be of interest to you. If you would like to object to the processing of your Personal Data for direct marketing purposes or withdraw your consent to receiving direct marketing, you can contact us through the contact information below.

7. Disclosure of Your Information

We do not share or otherwise disclose your Personal Data for purposes other than to the entities and for the purposes described in our Privacy Notice.

8. Your Rights

The GDPR provides you with certain rights with regards to our processing of your Personal Data. These rights replace the similar rights provided in our Privacy Notice or are supplemental to such rights.

• Right to be Informed. You have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things. We are informing you of how we process your Personal Data with our Privacy Notice and this GDPR Privacy Addendum. We will make every effort to let you know how we use your Personal Data. However, if we did not get your data directly from you, the GDPR does not require us to inform you in these cases: (1) When it is impossible or too costly to provide the information. (2) When the law obliges us to gather or share the data. (3) If the Personal Data must stay confidential because of professional or other secrecy obligations.
• Access. You have the right to (1) get confirmation of whether we process Personal Data about you (2) ask for full details of the Personal Data we hold about you and certain related information; (3) get a copy or access to the Personal Data. You have the right to obtain from us, including confirmation of whether or not we process Personal Data concerning you, and, where that is the case, a copy or access to the Personal Data and certain related information. Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.
• Update. You can review, correct, and change your Personal Data by logging into the Websites and/or Applications and visiting your “Account” page. You may also notify us through the Contact Information below of any changes or errors in any Personal Data we have about you to ensure that it is complete, accurate, and as current as possible. We may not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect.
• Restrictions. You have the right to restrict our processing of your Personal Data under certain circumstances. In particular, you can request we restrict our use of it if you contest its accuracy, if the processing of your Personal Data is determined to be unlawful, or if we no longer need your Personal Data for processing but we have retained it as permitted by law.
• Right to Object. You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data where we rely on legitimate interests. We will no longer process your personal data unless we demonstrate compelling legitimate grounds for processing or for the establishment, exercise or defense of legal claims. You also have the right to object at any time to our use of your personal data for direct marketing purposes.
• Portability. To the extent the Personal Data you provide PESI is processed based on your consent and that we process it through automated means, you have the right to request that we provide you a copy of, or access to, all or part of such Personal Data in structured, commonly used and machine-readable format. You also have the right to request that we transmit this Personal Data to another controller, when technically feasible.
• Withdrawal of Consent. To the extent that our processing of your Personal Data is based on your consent, you may withdraw your consent at any time by closing your account. Withdrawing your consent will not, however, affect the lawfulness of the processing based on your consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing your Personal Data.
• Right to be Forgotten. You have the right to request that we delete all of your Personal Data. We cannot delete your Personal Data except by also deleting your user account, and we will only delete your account when we no longer have a lawful basis for processing your Personal Data or after a final determination that your Personal Data was unlawfully processed. We may not accommodate a request to erase information if we believe the deletion would violate any law or legal requirement or cause the information to be incorrect. In all other cases, we will retain your Personal Data as set forth in this policy. In addition, we cannot completely delete your Personal Data as some data may rest in previous backups. These will be retained for the periods set forth in our disaster recovery policies.
• Complaints. You have the right to lodge a complaint with the applicable supervisory authority in the country you live in, the country you work in, or the country where you believe your rights under applicable data protection laws have been violated. However, before doing so, we request that you contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy.
• How You May Exercise Your Rights. You may exercise any of the above rights by contacting us through any of the methods listed under Contact Information below. If you contact us to exercise any of the foregoing rights, we may ask you for additional information to verify your identity. We reserve the right to limit or deny your request if you have failed to provide sufficient information to verify your identity or to satisfy our legal and business requirements. Please note that if you make unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access your Personal Data, you may be charged a fee subject to a maximum set by applicable law.

9. Processing of Personal Data In Other Countries Outside the European Economic Area or the United Kingdom

In order to provide the PESI Services to you, we may send and store your Personal Data outside of the EEA, Switzerland, or the United Kingdom, including to the United States. Accordingly, your Personal Data may be transferred outside the country where you reside or are located, including to countries that may not or do not provide an equivalent level of protection for your Personal Data. Your information may be processed and stored in the United States and United States federal, state, and local governments, courts, or law enforcement or regulatory agencies may be able to obtain disclosure of your information through the laws of the United States.

When your Personal Data is safeguarded by the GDPR, before sending it to parties outside the European Economic Area (“EEA”), the United Kingdom, or Switzerland, we will do one of two things:

• Seek your consent; or
• Demand privacy and security: We will ensure the third party maintains the same level of privacy and security for your Personal Data as we do.

In some cases, the authorities of a country may have determined that the laws of other countries, territories or sectors within a country provide a level of protection equivalent to domestic law.

We are accountable for the protection of your Personal Data when we transfer it to others. We either send it to a country, territory or sector within a country that is recognized as providing the same level of personal data protection as the country of origin, or use safeguards like the Data Privacy Framework, Binding Corporate Rules or the Standard Contractual Clauses (also known as the “SCCs”) approved by the European Commission under Article 46.2 of the GDPR, with necessary adjustments for transfers from the United Kingdom or Switzerland, or use specific transfer instruments like the United Kingdom International Data Transfer Agreement.

10. Data Retention Periods

PESI will retain your Personal Data for as long as needed for the purpose we collected it and any other permitted linked purpose and in accordance with our data retention policies.

For example, we will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We retain and use your Personal Data as required to meet legal obligations, resolve disputes, and enforce our agreements and policies. If we use your data for multiple purposes, we keep it until the purpose with the longest retention period expires, discontinuing use for shorter periods. Our retention periods align with our business needs and industry standards.

11. Changes to This GDPR Privacy Addendum

We may change this GDPR Privacy Addendum at any time. It is our policy to post any changes we make to our GDPR Privacy Addendum on this page with a notice that the GDPR Privacy Addendum has been updated on the Websites’ or Applications’ home page/screen. If we make material changes to how we treat our users’ Personal Data, we will notify you by email to the email address specified in your account and/or through a notice on the Websites’ and Applications’ home page/screen. The date this GDPR Privacy Addendum was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Websites or Applications and this GDPR Privacy Addendum to check for any changes.

12. Contact Information

If you have any questions, concerns, complaints, or suggestions regarding our Privacy Notice or this GDPR Privacy Addendum, have any requests related to your Personal Data described in the Privacy Notice or this GDPR Privacy Addendum, or otherwise need to contact us, you can do so at the contact information below or through the “Contact” page on our Websites or in our Applications.

To Contact PESI

PESI, Inc.
3839 White Avenue
Eau Claire, WI 54703
USA
(800) 844-8260
dataprotectionteam@pesi.com

European Union Representative

We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +420 228 881 031.

Alternatively, VeraSafe can be contacted at:

VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland

United Kingdom Representative

VeraSafe has been appointed as our representative in the United Kingdom for data protection matters, pursuant to Article 27 of the United Kingdom General Data Protection Regulation. If you are located within the United Kingdom, VeraSafe can be contacted in addition to or instead of us, only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +44 (20) 4532 2003.

Alternatively, VeraSafe can be contacted at:

VeraSafe United Kingdom Ltd.
37 Albert Embankment
London
SE1 7TL
United Kingdom

Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:

VeraSafe LLC
100 M Street S.E., Suite 600
Washington, D.C.
20003
USA
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/

Agreements and Notices

Terms of Use • Events Terms • Privacy Notice • GDPR Privacy Addendum • Cookie Notice