CCPA PRIVACY NOTICE
CALIFORNIA CONSUMER PRIVACY ACT PERSONAL INFORMATION POLICY
Effective: January 1, 2020
1. Purpose and Scope
This CCPA Personal Information Policy (“Policy”) provides guidance to Club Champion LLC (“Club Champion,” “our,” “we” or “us”); its subsidiaries, and all of their respective staff members, employees, consultants, contractors, distributors, temporary workers, suppliers, agents, representatives, partners, and all personnel affiliated with such third parties (“Covered Persons”) on the management of Personal Information (as defined below) Processed (as defined below) by or on behalf of Club Champion, in accordance with the California Consumer Privacy Act (the “CCPA”). This Policy describes how Personal Information must be collected, handled, and stored to meet Club Champion’s data protection standards, and to comply with the CCPA. The purpose of this Policy is to ensure fair and transparent Processing of Personal Information.
Club Champion’s policy is to respect and protect Personal Information collected or maintained by or on behalf of Club Champion. All Personal Information must be Processed in a lawful, fair, and transparent manner and it is Club Champion’s duty to ensure the security and confidentiality of such Personal Information at all times. This Policy covers all Personal Information obtained from Club Champion’s customers and other California Residents (defined below) for which Club Champion collects Personal Information.
Covered Persons can contact the Club Champion Marketing Department at
2. DEFINITIONS
Capitalized terms used but not defined in this Section 2 have the meanings given elsewhere in this Policy. In this Policy, unless stated otherwise:
“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018.
“California Resident” means a natural person who is a California resident, as defined in section 1798.140(g) of the CCPA.
“Verifiable Personal Information Request” means a California Resident request that a business disclose or delete Personal Information that it has about the California Resident pursuant to CCPA sections 1798.100, 1798.105, 1798.110, or 1798.115.
“Data Incident” means a breach of Club Champion’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information on systems managed by or otherwise controlled by Club Champion. “Data Incidents” does not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial‐of‐service attacks, and other network attacks on firewalls or networked systems.
“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California Resident or household. (See Appendix A for examples of Personal Information.)
“Information Security Policy” means Club Champion’s internal information security policy.
“Process” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
“Service Provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that Processes information on behalf of a business and to which the business discloses a California Resident’s Personal Information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the Personal Information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the services specified in the contract with the business.
3. RESPONSIBILITIES
(a) Club Champion Marketing Team Responsibilities
- The Club Champion Marketing Team is responsible for approving any data protection statements attached to documentation and communications provided to employees as well as documentation and communications sent to customers of Club Champion, such as emails and letters or information notices displayed on Club Champion’s websites.
- The Club Champion Marketing Team is responsible for addressing any data protection queries from California Residents, journalists, or media outlets like newspapers.
- The Club Champion Marketing Team will ensure that all Covered Persons are trained about their data protection responsibilities as part of the induction Process and at regular intervals thereafter.
Covered Persons whose roles require regular access to Personal Information, or who are responsible for implementing this Policy or responding to Verifiable Personal Information Requests under this Policy, will receive additional training to help them understand their duties and how to comply with them.
- Each business unit and their respective departments are responsible for working with the Club Champion Marketing Team, and Operations Department to implement appropriate compliance controls specific to their operations (including but not limited to business practices, other guidance, and training of Covered Persons), in particular the vetting of any potential or current Service Provider to which Personal Information may be transferred or disclosed, as part of their business relationship with Club Champion. Covered Persons are required to follow the applicable business practices and other guidance, and to take the training required by their business units and/or departments.
(b) Covered Person Responsibilities
Covered Persons may have access to the Personal Information of other Covered Persons and of our customers in the course of their employment, contract, volunteer period, internship or apprenticeship. Where this is the case, Club Champion relies on Covered Persons to help meet its data protection obligations.
Covered Persons who have access to Personal Information are required:
- to access only Personal Information that they have authority to access and only for authorized purposes;
- not to disclose Personal Information except to Covered Persons (whether inside or outside Club Champion) who have appropriate authorization;
- to keep Personal Information secure (for example, by complying with rules on access to premises, computer and mobile access, password protection, and secure file storage and destruction);
- not to remove Personal Information, or devices that can be used to access Personal Information, from Club Champion’s premises without implementing appropriate security measures (such as encryption, password protection, and lockable cases) to secure the data and the device;
- where documents are password protected, passwords must be transmitted separately and not via email;
- to ensure any documents (including emails) which contain Personal Information are:
(A) kept in an orderly fashion;
(B) filed on registered electronic or paper files as soon as practicable if they are to be retained;
(C) erased or securely destroyed (e.g., shredded) when they are no longer required (in accordance with Club Champion’s data retention policy);
- not to keep random collections of odd papers or old emails. If they need to be retained, they should be properly filed, as mentioned above;
- to observe Club Champion’s clear desk policy;
- to ensure that, if required, they could retrieve Personal Information for which they are responsible to answer an inquiry from a California Resident; and
- notify the Club Champion Marketing Team immediately, in the event of a data breach.
Failing to observe these requirements may amount to a disciplinary offense, which will be dealt with under Club Champion’s disciplinary procedure. Significant or deliberate breaches of this Policy, such as accessing employee or customer data without authorization or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
(c) Operations Department Responsibilities
The Operations Department is responsible for:
- ensuring all systems, services, and equipment used for storing Personal Information meet acceptable security standards and comply with Club Champion’s Information Security Policy;
- performing regular checks and scans to ensure security hardware and software is functioning properly; and
- evaluating any potential Service Provider Club Champion is considering using to store or Process data (for instance, cloud computing services).
4. NOTICE OF PRIVACY PRACTICES
All Personal Information should be Processed by lawful and fair means, in a transparent fashion. It is important to ensure that at or before Club Champion collects Personal Information, Club Champion provides California Residents with an appropriate notice (“Privacy Notice”) and information as to the categories, use and disclosure of the Personal Information Club Champion collects and Processes. Club Champion should only collect categories of Personal Information that have been appropriately disclosed to California Residents in a Privacy Notice. Covered Persons should limit Personal Information Processing to the minimum amount necessary to accomplish the purpose for which such Personal Information is collected, pursuant to Club Champion’s policies and procedures. Under no circumstances should Club Champion or Covered Persons sell Personal Information.
5. CALIFORNIA RESIDENT RIGHTS AND REQUESTS
(a) California Resident Rights. California Residents have a number of rights in relation to their Personal Information. California Residents can:
- request that Club Champion disclose to the California Resident the categories and specific pieces of Personal Information Club Champion has collected about them (“Request to Know”);
- request that Club Champion delete any Personal Information about the California Resident that Club Champion has collected about them (“Request to Delete”); and
- request to receive a copy of their Personal Information in a readily usable format that allows the California Resident to transmit the Personal Information from one entity to another without hindrance.
(b) Verifiable Personal Information Requests. Verifiable Personal Information Requests may be made in writing or via phone. If you receive a Verifiable Personal Information Request, please notify the Club Champion Marketing Team immediately. It is Club Champion’s duty to confirm receipt of a request by a California Resident within 10 days and provide information about how Club Champion will Process the request.
The Club Champion Marketing Team will be responsible for sending the California Resident the appropriate Verifiable Personal Information Request form to verify the identity of the California Resident. (See Appendix B for sample email responses to common Verifiable Personal Information Requests and Appendix C for common Verifiable Personal Information Request forms.) Club Champion must receive the completed Consumer Right Request form prior to addressing the California Resident’s request.
Club Champion has a duty to respond to verified Requests to Know and Requests to Delete within 45 days from the date the request was received.
California Residents may exercise their rights by contacting the Club Champion Marketing Team at
6. REQUIREMENTS FOR SERVICE PROVIDER ENGAGEMENT
(a) Verifiable Personal Information Requests.
If a Service Provider Processes Personal Information on behalf of Club Champion, Club Champion must have in place a written contract:
- prohibiting the Service Provider from (a) selling the Personal Information, (b) retaining, using or disclosing the Personal Information for any purpose other than to the extent required to perform the obligations subcontracted to it, and (c) retaining, using or disclosing the Personal Information outside of its relationship with Club Champion.
- that includes a written certification from the Service Provider that it understands and will comply with the above restrictions.
(b) All business units and departments shall work with Operations Department and the Club Champion Marketing Team to:
- require Service Providers to inform the California Resident to submit Verifiable Personal Information Requests regarding Personal Information that such Service Provider collects or maintains on Club Champion’s behalf directly to Club Champion and provide the California Resident with information about Club Champion’s submission methods;
- require Service Providers to explain the basis for any denial of a Verifiable Personal Information Request by the Service Provider regarding a Request to Know or delete from a California Resident regarding Personal Information that the Service Provider collects or maintains on Club Champion’s behalf;
- take reasonable steps to select and retain approved suppliers that can maintain appropriate security measures to protect Personal Information in a manner consistent with this Policy and any applicable laws;
- require Service Providers by contract to implement and maintain appropriate technical and organizational security measures for Personal Information and to protect Personal Information from unauthorized access, destruction, use, modification, or disclosure;
- require Service Providers to report information security incidents and breaches to Club Champion without delay following discovery of such breach (ideally between 24 / 48 hours) and provide evidence relating to such breach context and extent; and
- monitor suppliers for compliance with their data protection obligations and, in case of any doubt, mandate an audit of such supplier data protection practices, in compliance with the agreement entered with Club Champion.
7. CHANGES TO THIS POLICY
Club Champion may amend this Policy consistent with the requirements of the CCPA, including notice about any amendment.
8. EFFECTIVE DATE
This Policy is effective as of January 1, 2020.