GIAC, LLC is a subsidiary of The Escal Institute of Advanced Technologies, Inc. d/b/a the SANS Institute (GIAC, LLC and the SANS Institute are collectively referred throughout as “GIAC”).GIAC is a US based company that provides cyber security certifications through its Global Information Assurance Certification programs. SANS Institute also operates its academic programs offered through the SANS Technical Institute (“STI”).
This Policy addresses how GIAC, as a data controller, collects, uses, and otherwise processes personal information relating to individuals who participate in the programs offered through GIAC and who visit the GIAC websites that link to this Policy (collectively, the “Websites”).
Identity of the Data Controller
GIAC is the data controller - the entity that collects and processes personal data or arranges for such actions taken on its behalf by its agents. As such, we are responsible for deciding the purposes for which personal information is used and processed, and how such processing is done. Thus, it is GIAC's responsibility to inform you in advance concerning the processing of your personal information. You may contact GIAC concerning your rights under this Policy by writing to: firstname.lastname@example.org or email@example.com.
Legitimate Bases for Collecting/Using Your Personal Information
The principal basis on which we collect and use your information is when you give us your affirmative consent. However, when you register for the GIAC program, or make a purchase of testing and/or related services from us, GIAC has a legitimate basis beyond consent to collect your personal information in order to provide you with the goods or services that you expect us to deliver, which depends upon us having and using your personal information. In the process of registering for testing services, you will be asked to sign a Candidate Agreement, from which a legitimate basis is created for us to collect and use your personal information. Once you have a formal relationship with us, GIAC also has a legitimate interest in providing you with timely information about upcoming events and/or products in which you may have an interest; so, to better serve you, we will market or promote those events/products to you. Thus, depending on the precise situation, GIAC may rely on one of these legitimate bases in collecting your personal information.
How We Collect and Use Personal Information
To save you time and make our web services easy to use, you may create a dashboard account using your personal information. You may do this by visiting https://www.sans.org/account/. The account dashboard system saves your information and references it to your email address and password. The next time you visit the GIAC website, you can simply enter your email address and password. If you purchase a certification or service from us, we request certain personally identifiable information from you on our order form. You must provide contact information (such as name, email, and shipping address) and financial information (such as credit card number, expiration date). We use this information for billing purposes and to fill your orders. If we have trouble processing an order, we will use this information to contact you. We also use the mailing address to send you GIAC brochures and other items of interest.
When you register online for a certification, we collect the information you provide us, including your name, contact information, affiliation, and the name of the certification. We use this information to ensure you are properly registered for the certification you have selected, and to notify you about other certifications that may be of interest to you. We also use this information while fulfilling our obligations to provide the certification to you, including providing you materials, if opted for a certification renewal, and contacting you with respect to the certification itself.
Many employers have purchasing arrangements with GIAC that may be used by their employees to pay for GIAC products. GIAC candidate data, including contact information and exam-related data may be shared with the purchasing organization's designated contact. As such, GIAC may share your certification status, and/or the results of GIAC certification attempts with the entity that GIAC determines, using commercially reasonable practices, directly or ultimately paid for your certification exam or other related GIAC product or service. GIAC may release to such organization only appropriately limited information, including your progress, exam appointment date, exam deadline, and the results of the test, subject to the commitment by that entity to keep GIAC data confidential and not to further disclose it to any third party without your express written consent.
GIAC may occasionally provide you the opportunity to participate in contests or surveys on our site. If you participate, we may request certain personally identifiable information from you. Participation in these surveys or contests is completely voluntary and you therefore have a choice whether to disclose this information. The requested information typically includes contact and demographic information such as name and address. We may share aggregated demographic information about our user base with our partners and advertisers. When this information is shared, it is anonymous (i.e.., does not identify individual users).
When you contact GIAC, we may keep a record of your communication to help resolve any issues you might be facing. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements.
GIAC may use Twitter, Facebook or other social media outlets to market and promote its offerings and services. Any communications you make with GIAC using these media may be used by GIAC in accordance with this policy.
Access to Your Personal Information
You always have access to the information we have about you. To review and update your personal contact information, simply click https://www.sans.org/account/login and log in with your email address and password, then click Update Your Account. We encourage you to review your preferences regularly to keep the information current. You may also write firstname.lastname@example.org to have the information changed or removed, or to withdraw your consent.
How Long We Retain Your Personal Information
We will retain your personal information for as long as is needed to offer you services or comply with our legal obligations. For personal information that we process on behalf of a business partner or your employer, we will retain such personal information in accordance with the terms of our agreement with them.
Disclosure of Your Information
In general, we will only share or disclose your information with those individuals and/or entities whom you authorize or designate, for example, with your existing or prospective employer, with a governmental body that has authority to issue a credential or other certification, or with another certifying body.
We may share personal information with companies, organizations, or individuals outside of GIAC if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
- meet any applicable law, regulation, legal process, or enforceable governmental request.
- detect, prevent, investigate, or otherwise address fraud, security or technical issues.
- protect against harm to the rights, property, or safety of GIAC, our users or the public as required or permitted by law.
When the certification body is required by law to release confidential information, the person concerned shall, unless prohibited by law, be notified as to what information will be provided.
We may share aggregated and non-personal information we collect under any of the circumstances set forth in this Policy.When we de-identify personal information, we have implemented reasonable measures as required by law to ensure that the de-identified data cannot be associated with any individual or customer.We will only maintain and use such data in a de-identified manner and do not attempt to re-identify the data, except as permitted by law.
In general, we may disclose the following categories of personal information in support of our business purposes identified above:
- Name, contact information, and other identifiers
- Customer records
- Protected classifications
- Commercial Information
- Usage data
- Audio, video, and other electronic data
- Education information
- Profiles and inferences
We have disclosed the categories of personal information listed above to the following categories of third parties in the preceding twelve months: data analytics providers, service providers, and sponsors of SANS events, programs, and papers.
Categories of Personal Information Sold or Shared
The California Consumer Privacy Act (“CCPA”) defines a “sale” as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration, and it defines “share” in pertinent part as disclosing personal information to a third party for cross-context behavioral advertising.
As defined by the CCPA, the categories of personal information that we may “sell” include:
- Name, contact information and other identifiers
As defined by the CCPA, the categories of personal information that we may “share” include:
- Name, contact information, and other identifiers
The categories of third parties to whom we sell or share the data, as defined by the CCPA, may include:
- Data analytics providers
- Service providers who are assisting us in fulfilling our contracts and carrying out our business
- Sponsors of SANS events, programs and papers
The business purpose for which we sell or share the data, as defined by the CCPA, may include:
- Lead generation, business prospecting, and similar activities
- To gain insights into online activities through analytics
- To provide leads to sponsors of SANS events, programs and papers
We have “sold” and “shared” the categories of personal information listed above to data analytics providers in the preceding twelve months.
Merger, Acquisition, Sale or Forced Sale
GIAC Certified Professional Information
GIAC Certified Professionals are listed on the GIAC website which is public information. Published data includes Analyst Number, Certificate Holder's Name, Gold Paper Title (if applicable) and Certification Expiration Date. No personal contact information is published.
As is true of most Web sites, we gather certain information automatically and store it in log files. This information may include IP addresses, browser type, referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information to analyze trends, to administer the site, to track how visitors interact with the site.
When you visit the GIAC website, we may assign your computer or device one or more cookies to facilitate access to our site and to personalize your online experience. Some of these cookies are necessary for the website to function, and others provide enhanced functionality and personalization. Other cookies help us measure and improve the performance of our Websites, and some of the cookies are used to build a profile of your interests and show you relevant content and advertisements on other websites. Through the use of a cookie, we also may automatically collect information about your online activity on our site, such as the web pages you visit, the links you click, and the searches you conduct on our site. Most browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies. If you choose to decline cookies, please note that you may not be able to sign in or use some of the interactive features offered on the website. A cookie is a small text file that is stored on a user’s computer or device for record keeping purposes. Cookies can be either session cookies or persistent cookies. A session cookie expires when you close your browser and is used to make it easier for you to navigate our website. A persistent cookie remains on your computer or device for an extended period of time. For example, when you sign in to the GIAC website, we will record your user or member ID, which is your email address, and the name on your user or member account in the cookie file on your computer or device. We store your unique member ID in a cookie for automatic sign-in. This cookie is removed when you sign-out. For security purposes, we will encrypt the unique member ID and any other user or member account-related data that we store in such cookies. In the case of sites and services that do not use a user or member ID, the cookie will contain a unique identifier. We may allow our authorized service providers to serve cookies from Websites to allow them to assist us in various activities, such as doing analysis and research on the effectiveness of our site, content and advertising.
For more about the cookies used on our Websites, please see our Cookie Notice.
You may delete or decline cookies by changing your browser settings (click “Help” in the toolbar of most browsers for instructions). If you do so, some of the features and services of our Websites may not function properly. You also may manage your cookie preferences on our Websites by visiting our Cookie Notice and choosing “Cookie Settings.”
Other technologies.We may use standard internet technology, such as web beacons, session replay scripts, and other similar technologies, to track your use of our Websites. We also may include web beacons in promotional email messages or newsletters.Web beacons are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, pixel tags are embedded invisibly on web pages. We may use these, in connection with our Websites to, among other things, track the activities users of our services, improve ads, personalize and manage content, and gather usage information about our Websites. We may also use these in HTML emails to, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded. Session replay software scripts capture information concerning a user’s interaction with the Websites, including keystrokes, mouse movements and clicks, movements within a webpage and through the Websites, interactions with menus, banners, and forms, and form field entries.We may use third-party software embedded in the script of the Websites to monitor your interaction with the Websites and/or for our compliance verification purposes, which may mean that the third-party software provider also collects this information.By using our Websites, you consent to this collection and disclosure of information.
Transfer of Your Information
Details of Your Rights
Your rights in relation to your personal information are to: (1) be informed about its use; (2) have access to your information; (3) correct your personal information; (4) have your personal information deleted; and (5) restrict how we use your personal information. You also have the right to have your personal information ported to others; however, as explained in more detail in the Candidate Agreement, because GIAC's use of your personal information is specific to its uses (e.g., for testing and marketing activities related to our services), it is usually not technically feasible for us to honor such requests because we are not able to exchange that information with another entity with which we have no direct interface or any reason to exchange data. You are also entitled to know if GIAC is using any automated decision-making (including profiling); we do not use any such automated technologies in the processing of your personal information.
You have the right to withdraw your consent at any time during use of this website or by emailing GIAC at email@example.com. However, as described in more detail in the Candidate Agreement, any data processing performed in whole or in part by GIAC prior to your withdrawal of consent cannot be undone.
You also have the right to object to GIAC's collection and/or use of your personal information, or request access to your information as well as request that we correct any information we have or to remove you from our records. If your personal information changes (e.g., postal code, phone, email, or postal address), you can change online, physical contact, and other information by contacting GIAC as shown above. If you wish to correct/update/delete information or no longer desire to receive information from GIAC, you can notify us by using any of the information in the Contact section of this Policy. We will respond to your request to access within 30 days.
You have the right to file a complaint with GIAC by emailing us at firstname.lastname@example.org and we will respond without undue delay, within at least 30 days unless we inform you that additional time will be required. In addition, you have the right to file a complaint with your relevant Supervisory Authority (i.e., Data Protection Authority).
How We Protect Your Personal Information
GIAC safeguards the security of the data you send us with physical, electronic, and managerial procedures. Likewise, we urge you to take every precaution to protect your personal data when you are on the Internet. These precautions include changing your password often, using a combination of letters, numbers, and symbols, and using a secure browser.
The GIAC website uses SSL v3 and TLS v1 encryption on all web pages where personal information is submitted. This protects the confidentiality of your information as it is transmitted over the Internet.
GIAC does not store credit card numbers on our servers. Credit card numbers are submitted to a credit card authorization service. This service provides GIAC with credit card validation information only. We do not have access to your personal financial data.
GIAC may employ independent contractors to help manage data services, and such contractors may have access to data, like the access we give our employees. Also, GIAC may store sales account data, including personally identifiable information, with a third-party application service provider.
Newsletters And Promotional Email
If you no longer wish to receive our newsletters and promotional communications from GIAC, you may withdraw your previous consent and stop receiving them by following the instructions included in each newsletter or communication or by accessing your preferences by logging into https://www.sans.org/account/login as described in the previous paragraph.
Links To Other Sites
The GIAC website contains links to other sites that are not owned or controlled by GIAC. Please be aware that GIAC is not responsible for the privacy practices of such other sites. We encourage you to be aware when you leave our site and to read the privacy statements of each website that collects personally identifiable information.
Information Obtained from Third Parties
GIAC does not sell or trade your personal information. Nonetheless, we may at times receive contact lists from other organizations. We may send mailings such as brochures to these addresses. Typically, these are one-time mailings, and the data is not entered into our database. If you want to remove yourself from the third party's database, you must contact them directly. These mailings have a brochure code printed on the mailing label. By providing this code, we will be able to tell you from what provider we received your contact info.
Changes to This Privacy Statement
Statement Regarding Privacy Shield
GIAC, as a covered entity of The ESCAL Institute of Advanced Technologies, Inc., complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and Switzerland to the United States.
You may be aware that a 2020 Court of Justice of the European Union decision invalidated the EU-US Privacy Shield program. While GIAC is waiting for detailed guidance from the relevant Regulators, GIAC will continue to participate in the existing Privacy Shield program administered by U.S. Department of Commerce’s International Trade Administration.
GIAC data is processed within the EU, the United Kingdom and other relevant jurisdictions. Data is also securely stored on servers within the United States of America. GIAC remains confident that its processing activity is secure and complies with the protections provided within the General Data Protection Regulation 2016. We have taken steps to ensure that all sub processors that we engage have provided us with appropriate assurances in the form of 'standard contractual clauses'. GIAC itself also abides by all the principal requirements of these legal protections. We would however bring to your attention the current issues in relation to Privacy Shield.
By using GIAC services and products you are consenting to the processing of your data in the United States of America. You can find further information on Privacy Shield via this link, https://www.privacyshield.gov/program-overview
GIAC has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to the EU Data Protection Authorities (DPAs), or where applicable instead, to the Swiss Federal Data Protection and Information Commissioner. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the following web site for more information and to file a complaint with the EU DPAs: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
If you have exhausted all other means to resolve your complaint, you may be able to engage in binding arbitration.
GIAC's commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
For Residents of California
If you are a California resident, you may have the following rights:
- Right to Know: You have the right to request that a business that collects personal information about you disclose the following: (1) the categories of personal information it has collected about you; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about you.
- Right to Correct: You have the right to request a business that maintains inaccurate personal information about you to correct that information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
- Right to Delete: You have the right to request that a business delete any personal information about you which the business has collected from you.
- Right to Opt Out of Selling and Sharing:You have the right to request that a business not sell your personal information to a third party or share your personal information with a third party for purposes of cross-context behavioral email@example.com or firstname.lastname@example.org.
- Right to Non-Discrimination: You have the right to not be discriminated against because you exercised any of your CCPA rights.
California residents may make a Request to Know up to twice every 12 months.
If you are a California resident, you may specifically instruct us not sell your Personal Information. GIAC does not sell personal data of its customers. If you are a California resident and would like to make a request to exercise your rights under the CCPA, please contact email@example.com. We will respond to verifiable requests received from California residents as required by law. For more information about our privacy practices, you may contact us as set forth in the Section below entitled “Contact Us.”
We will use the following process to verify Requests to Know, Requests to Delete, and Requests to Correct:We will acknowledge receipt of your Consumer Request, verify it using processes required by law, then process and respond to your request as required by law.To verify such requests, we may ask you to provide the following information:
- For a Request to Know categories of personal information which we collect, we will verify your identity to a reasonable degree of certainty by matching at least two data points provided by you against information in our systems which are considered reasonably reliable for the purposes of verifying a consumer’s identity.
- For a Request to Know specific pieces of personal information, Requests to Delete, Requests to Correct, we will verify your identity to a high degree of certainty by matching at least three pieces of personal information provided by you to personal information maintained in our systems and also by obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.
An authorized agent can make a request on a California resident’s behalf by providing a power of attorney valid under California law, or providing: (1) proof that the consumer authorized the agent to do so; (2) verification of their own identity with respect to a right to know categories, right to know specific pieces of personal information, or requests to delete which are outlined above; and (3) direct confirmation that the consumer provided the authorized agent permission to submit the request.
For Residents of Virginia
If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) may grant you the following rights:
- Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.
- Right to Correction: You have the right to request that a business correct inaccuracy in your personal information, taking into account the nature of the personal information and our purpose for processing the personal information.
- Right to Delete: You have the right to request that a business delete your personal information that was collected about you.
- Right to Opt Out of Certain Types of Processing. You have the right to opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.
- Right to Non-Discrimination: You have the right not to be discriminated against by a business for exercising your rights listed above.
Submitting Requests:Right to Access Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Data Portability Requests may be submitted by contacting us at firstname.lastname@example.org or at email@example.com.
We will use the following process to verify Right to Access Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Data Portability Requests:We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law.To authenticate such requests, we may ask you to provide additional information as reasonably necessary.
For Residents of Nevada
If you are a Nevada resident, the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) may grant you the right to request that a business not sell certain kinds of personal information that the business has collected or will collect about you.A “sale” under the NPICICA is the exchange of personal information for monetary consideration by the business to a third party to license or sell the personal information to third parties, with certain exceptions.If you are a Nevada resident and wish to obtain information about GIAC’s compliance with Nevada law, please contact us at firstname.lastname@example.org or at email@example.com.
Our services are not directed to children under the age of 13. We do not knowingly collect personal information from children under the age of 13, nor do we knowingly distribute such information to third parties. If we become aware that we received personal information from someone under the age of 13, we will take steps to delete such information from our records. If you believe we have personal information from someone under 13, please contact us at firstname.lastname@example.org or email@example.com.