General Data Protection Regulation (GDPR)
Global Cross-Border Privacy Rules (CBPR) Framework
Overview
Dakota Performance Solutions recognizes and respects the importance of protecting personal information as it flows across international borders. As a business process outsourcing and federal services organization that may handle data originating from or transmitted to jurisdictions outside the United States, DPS is committed to upholding the principles of the Global Cross-Border Privacy Rules (CBPR) Framework, administered through the Global CBPR Forum.
The Global CBPR Framework is an internationally recognized data privacy certification system that establishes baseline standards for the protection of personal information transferred between participating economies. It was developed from the Asia-Pacific Economic Cooperation (APEC) CBPR System and expanded into a global framework open to all economies committed to interoperable privacy protections.
Scope of Application
This section applies to all personal information that Dakota Performance Solutions collects, processes, stores, transfers, or otherwise handles on behalf of clients, partners, or individuals located outside the United States, including but not limited to:
  • Personal data processed under federal contracts involving international counterparts or allied nation programs
  • Client data originating from organizations headquartered or operating in CBPR-participating economies
  • Employee or subcontractor data involving cross-border transfers in the performance of outsourced business processes
  • Data flows to and from third-party service providers located outside the United States
Core CBPR Principles We Uphold
Dakota Performance Solutions aligns its data handling practices with the nine foundational principles of the Global CBPR Framework:
1. Preventing Harm DPS takes reasonable steps to identify foreseeable harms that could result from the collection, use, or transfer of personal information and implements safeguards proportionate to the likelihood and severity of such harm.
2. Notice Individuals whose personal data is collected are provided with clear, accessible, and timely notice regarding the purposes of collection, the types of information collected, and how that information will be used, shared, and protected — including when data is transferred internationally.
3. Collection Limitation DPS collects only the personal information that is necessary, relevant, and proportionate to the identified purpose. We do not collect personal data through unlawful or unfair means.
4. Uses of Personal Information Personal information is used only for the purposes disclosed at the time of collection or for purposes that are compatible with and not materially different from those disclosed, unless additional consent is obtained or legal authority permits otherwise.
5. Choice Where practicable and required by applicable law or the CBPR Framework, individuals are offered meaningful choices regarding the collection, use, and disclosure of their personal information — including opt-out mechanisms for non-essential uses and opt-in consent for sensitive data.
6. Integrity of Personal Information DPS maintains reasonable practices and procedures to ensure that personal information is accurate, complete, and current for the purposes for which it is to be used, and takes reasonable steps to correct inaccurate or outdated information upon request.
7. Security Safeguards Dakota Performance Solutions implements physical, technical, and administrative security safeguards appropriate to the sensitivity of the personal information held and the risks of unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction.
8. Access and Correction Individuals have the right to request access to their personal information held by DPS and to request correction of inaccurate or incomplete data, subject to applicable legal limitations. Requests may be submitted to privacy@dakotaperformance.com.
9. Accountability Dakota Performance Solutions takes responsibility for all personal information under its control, including data transferred to third-party agents or service providers. We require all recipients of personal data acting on our behalf to provide equivalent levels of protection consistent with these principles.
International Data Transfers
When personal information is transferred across borders, Dakota Performance Solutions employs one or more of the following safeguards to ensure continued protection:
  • Contractual obligations requiring the receiving party to maintain privacy protections consistent with applicable law and CBPR principles
  • Vendor due diligence and data processing agreements with third-party processors
  • Transfer impact assessments where required by applicable law or contract
  • Compliance with applicable bilateral or multilateral data sharing frameworks, including those governing U.S. federal agency data sharing with allied nations
DPS does not transfer personal information to countries or recipients that cannot provide an adequate level of protection without first implementing appropriate contractual, technical, or organizational safeguards.
Sensitive Personal Information
Dakota Performance Solutions treats the following categories of information as sensitive and applies heightened protection and, where required, explicit consent prior to collection or cross-border transfer:
  • Government-issued identification numbers
  • Financial account information
  • Health or medical information
  • Biometric data
  • Information relating to national security clearances or federal employment
  • Racial or ethnic origin, political opinions, or religious beliefs, where applicable under the laws of the originating jurisdiction
Your Rights Under This Framework
Individuals whose personal data is subject to the Global CBPR Framework may have the following rights, subject to applicable law and any overriding federal contract requirements:
  • The right to know what personal information DPS holds about you
  • The right to access and receive a copy of your personal information
  • The right to request correction of inaccurate or incomplete information
  • The right to request deletion or restriction of processing, where permitted
  • The right to object to the transfer of your data to third parties
  • The right to lodge a complaint with an applicable privacy enforcement authority
To exercise any of these rights, please contact us at privacy@dakotaperformance.com. We will respond within 30 days of receiving a verifiable request.
Accountability Agent & Dispute Resolution
Dakota Performance Solutions is committed to resolving privacy-related complaints in a timely and transparent manner. If you believe your personal information has been handled in a manner inconsistent with this section or the Global CBPR Framework principles, you may:
  • Submit a written complaint to our mailing address listed in Section 11
  • Contact the relevant privacy enforcement authority in your jurisdiction
We will acknowledge complaints within 5 business days and provide a substantive response within 30 days. Where a complaint cannot be resolved internally, DPS will cooperate with applicable regulatory authorities or accountability agents designated under the Global CBPR Framework.
Relationship to Other Privacy Laws
This section supplements and does not replace DPS's obligations under other applicable privacy laws, including but not limited to:
  • The Privacy Act of 1974 (for federal data)
  • The California Consumer Privacy Act (CCPA), as applicable
  • The EU-U.S. Data Privacy Framework, where relevant
  • State-level privacy laws applicable to DPS operations
  • Agency-specific data handling requirements under federal contracts
In the event of a conflict between this section and a stricter applicable legal requirement, the stricter requirement shall control.
Updates to This Section
Dakota Performance Solutions reviews and updates this Cross-Border Privacy disclosure periodically to reflect changes in applicable law, business operations, and evolving global privacy standards. Material changes will be posted to this page with an updated effective date.
For questions specific to cross-border data transfers or to submit a data subject request, contact: privacy@dakotaperformance.com
Reminder — fill in before publishing:
  • Confirm whether DPS is pursuing or holds formal CBPR certification (if so, include your certification seal/number)
  • Add the name of any accountability agent or third-party dispute resolution provider if enrolled
  • Confirm whether EU-U.S. Data Privacy Framework applies to your operations and add that section if needed
  • Have a licensed attorney review before publishing
12. Global Cross-Border Privacy Rules (CBPR) Framework & International Data Privacy
Overview
Dakota Performance Solutions recognizes and respects the importance of protecting personal information as it flows across international borders. As a business process outsourcing and federal services organization that may handle data originating from or transmitted to jurisdictions outside the United States, DPS is committed to upholding the principles of the Global Cross-Border Privacy Rules (CBPR) Framework, administered through the Global CBPR Forum, as well as all other applicable international privacy regulations — including the General Data Protection Regulation (GDPR).
The Global CBPR Framework is an internationally recognized data privacy certification system that establishes baseline standards for the protection of personal information transferred between participating economies. It was developed from the Asia-Pacific Economic Cooperation (APEC) CBPR System and expanded into a global framework open to all economies committed to interoperable privacy protections.
Scope of Application
This section applies to all personal information that Dakota Performance Solutions collects, processes, stores, transfers, or otherwise handles on behalf of clients, partners, or individuals located outside the United States, including but not limited to:
  • Personal data processed under federal contracts involving international counterparts or allied nation programs
  • Client data originating from organizations headquartered or operating in CBPR-participating economies
  • Personal data originating from individuals located in the European Union, European Economic Area, or United Kingdom, which is subject to the GDPR and UK GDPR respectively
  • Employee or subcontractor data involving cross-border transfers in the performance of outsourced business processes
  • Data flows to and from third-party service providers located outside the United States
Core CBPR Principles We Uphold
Dakota Performance Solutions aligns its data handling practices with the nine foundational principles of the Global CBPR Framework:
1. Preventing Harm DPS takes reasonable steps to identify foreseeable harms that could result from the collection, use, or transfer of personal information and implements safeguards proportionate to the likelihood and severity of such harm.
2. Notice Individuals whose personal data is collected are provided with clear, accessible, and timely notice regarding the purposes of collection, the types of information collected, and how that information will be used, shared, and protected — including when data is transferred internationally.
3. Collection Limitation DPS collects only the personal information that is necessary, relevant, and proportionate to the identified purpose. We do not collect personal data through unlawful or unfair means.
4. Uses of Personal Information Personal information is used only for the purposes disclosed at the time of collection or for purposes that are compatible with and not materially different from those disclosed, unless additional consent is obtained or legal authority permits otherwise.
5. Choice Where practicable and required by applicable law or the CBPR Framework, individuals are offered meaningful choices regarding the collection, use, and disclosure of their personal information — including opt-out mechanisms for non-essential uses and opt-in consent for sensitive data.
6. Integrity of Personal Information DPS maintains reasonable practices and procedures to ensure that personal information is accurate, complete, and current for the purposes for which it is to be used, and takes reasonable steps to correct inaccurate or outdated information upon request.
7. Security Safeguards Dakota Performance Solutions implements physical, technical, and administrative security safeguards appropriate to the sensitivity of the personal information held and the risks of unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction.
8. Access and Correction Individuals have the right to request access to their personal information held by DPS and to request correction of inaccurate or incomplete data, subject to applicable legal limitations. Requests may be submitted to privacy@dakotaperformance.com.
9. Accountability Dakota Performance Solutions takes responsibility for all personal information under its control, including data transferred to third-party agents or service providers. We require all recipients of personal data acting on our behalf to provide equivalent levels of protection consistent with these principles.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is the European Union's comprehensive data protection law, effective May 25, 2018. It governs the collection, processing, storage, and transfer of personal data belonging to individuals located in the European Union and European Economic Area (EEA), regardless of where the processing organization is located. The United Kingdom maintains a parallel framework known as the UK GDPR following its departure from the EU.
To the extent that Dakota Performance Solutions processes personal data of individuals located in the EU, EEA, or United Kingdom — whether directly or on behalf of a client under a data processing agreement — DPS is committed to meeting its obligations under the GDPR and UK GDPR.
Lawful Basis for Processing
Under the GDPR, all processing of personal data must be based on a valid lawful basis. Dakota Performance Solutions relies on one or more of the following lawful bases depending on the nature of the processing activity:
  • Consent: The individual has freely given, specific, informed, and unambiguous consent to the processing of their personal data for one or more specific purposes.
  • Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is party, or to take pre-contractual steps at their request.
  • Legal Obligation: Processing is necessary for compliance with a legal obligation to which DPS is subject.
  • Legitimate Interests: Processing is necessary for the legitimate interests pursued by DPS or a third party, provided those interests are not overridden by the fundamental rights and freedoms of the data subject.
  • Vital Interests: Processing is necessary to protect the vital interests of the data subject or another person.
  • Public Task: Processing is necessary for the performance of a task carried out in the public interest, including in connection with federal and government contract obligations.
Data Subject Rights Under the GDPR
Individuals located in the EU, EEA, or United Kingdom whose personal data is processed by Dakota Performance Solutions have the following rights under the GDPR, subject to applicable exemptions and limitations:
  • Right of Access (Article 15): You have the right to obtain confirmation of whether DPS processes your personal data and, if so, to receive a copy of that data along with information about how it is used.
  • Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data without undue delay.
  • Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where processing is unlawful, among other grounds.
  • Right to Restriction of Processing (Article 18): You have the right to request that DPS restrict the processing of your personal data in certain circumstances, such as while the accuracy of the data is being contested.
  • Right to Data Portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to Object (Article 21): You have the right to object at any time to processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, DPS will cease processing immediately.
  • Rights Related to Automated Decision-Making and Profiling (Article 22): You have the right not to be subject to decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects, unless such processing is necessary for a contract, authorized by law, or based on explicit consent.
To exercise any of the above rights, please submit a written request to privacy@dakotaperformance.com. We will respond within 30 days of receipt of a verifiable request. Where requests are complex or numerous, we may extend this period by an additional two months, with notice provided to you within the initial 30-day window.
Data Protection Officer (DPO)
Where required by the GDPR, Dakota Performance Solutions designates a Data Protection Officer responsible for overseeing compliance with data protection law and serving as the point of contact for data subjects and supervisory authorities. DPO inquiries may be directed to: privacy@dakotaperformance.com.
International Transfers of EU/EEA Personal Data
Transfers of personal data from the EU, EEA, or United Kingdom to the United States or other third countries are conducted only where an adequate level of protection is ensured through one or more of the following mechanisms:
  • EU-U.S. Data Privacy Framework (DPF): Where applicable, DPS relies on the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, or the UK Extension to the EU-U.S. DPF as the legal basis for transatlantic data transfers.
  • Standard Contractual Clauses (SCCs): DPS incorporates the European Commission's approved Standard Contractual Clauses into data processing agreements with third-party recipients of EU personal data.
  • Adequacy Decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection are permitted without additional safeguards.
  • Binding Corporate Rules (BCRs): Where applicable within a corporate group, BCRs approved by a competent supervisory authority may serve as the transfer mechanism.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Dakota Performance Solutions will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to individuals, affected data subjects will be notified without undue delay in accordance with Article 34.
Retention of EU Personal Data
Personal data of EU, EEA, and UK individuals is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law or contract. Upon expiration of the applicable retention period, data is securely deleted, anonymized, or returned to the data controller in accordance with the terms of any applicable data processing agreement.
Supervisory Authority
If you are located in the EU or EEA and believe that DPS has not handled your personal data in compliance with the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state of residence or place of work. A list of EU supervisory authorities is available at: edpb.europa.eu/about-edpb/about-edpb/members_en. If you are located in the United Kingdom, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.
International Data Transfers — General
When personal information is transferred across borders, Dakota Performance Solutions employs one or more of the following safeguards to ensure continued protection:
  • Contractual obligations requiring the receiving party to maintain privacy protections consistent with applicable law and CBPR principles
  • Vendor due diligence and data processing agreements with all third-party processors
  • Transfer impact assessments where required by applicable law or contract
  • Compliance with applicable bilateral or multilateral data sharing frameworks, including those governing U.S. federal agency data sharing with allied nations
  • Standard Contractual Clauses for transfers involving EU/EEA/UK personal data
DPS does not transfer personal information to countries or recipients that cannot provide an adequate level of protection without first implementing appropriate contractual, technical, or organizational safeguards.
Sensitive Personal Information
Dakota Performance Solutions treats the following categories of information as sensitive and applies heightened protection and, where required, explicit consent prior to collection or cross-border transfer:
  • Government-issued identification numbers
  • Financial account information
  • Health or medical information
  • Biometric data
  • Information relating to national security clearances or federal employment
  • Racial or ethnic origin, political opinions, religious beliefs, or trade union membership
  • Genetic data or data concerning a person's sex life or sexual orientation
  • Criminal convictions and offenses, where applicable under the laws of the originating jurisdiction
Your Rights Under This Framework
Individuals whose personal data is subject to the Global CBPR Framework, the GDPR, or other applicable international privacy law may have the following rights, subject to applicable legal requirements and any overriding federal contract obligations:
  • The right to know what personal information DPS holds about you
  • The right to access and receive a copy of your personal information
  • The right to request correction of inaccurate or incomplete information
  • The right to request deletion or restriction of processing, where permitted
  • The right to object to the transfer of your data to third parties
  • The right to data portability, where processing is automated and consent or contract-based
  • The right to lodge a complaint with an applicable privacy enforcement or supervisory authority
To exercise any of these rights, please contact us at privacy@dakotaperformance.com. We will respond within 30 days of receiving a verifiable request.
Accountability Agent & Dispute Resolution
Dakota Performance Solutions is committed to resolving privacy-related complaints in a timely and transparent manner. If you believe your personal information has been handled in a manner inconsistent with this section, the Global CBPR Framework, or the GDPR, you may:
  • Submit a written complaint to our mailing address listed in Section 11
  • Contact the relevant privacy enforcement authority or supervisory authority in your jurisdiction
We will acknowledge complaints within 5 business days and provide a substantive response within 30 days. Where a complaint cannot be resolved internally, DPS will cooperate with applicable regulatory authorities or accountability agents designated under the Global CBPR Framework or GDPR.
Relationship to Other Privacy Laws
This section supplements and does not replace DPS's obligations under other applicable privacy laws, including but not limited to:
  • The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679
  • The UK General Data Protection Regulation (UK GDPR)
  • The Privacy Act of 1974 (for federal data)
  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), as applicable
  • The EU-U.S. Data Privacy Framework
  • State-level privacy laws applicable to DPS operations
  • Agency-specific data handling requirements under federal contracts
In the event of a conflict between this section and a stricter applicable legal requirement, the stricter requirement shall control.
Updates to This Section
Dakota Performance Solutions reviews and updates this Cross-Border Privacy and GDPR disclosure periodically to reflect changes in applicable law, business operations, and evolving global privacy standards. Material changes will be posted to this page with an updated effective date.
For questions specific to cross-border data transfers, GDPR rights requests, or to submit a data subject access request, contact: privacy@dakotaperformance.com