EU — US AND SWISS — US PRIVACY SHIELD

EU—US AND SWISS—US PRIVACY SHIELD FRAMEWORKS & THE GENERAL DATA PROTECTION REGULATION

Rosetta Stone Ltd. (the "Company") participates in the EU-US and Swiss-US Privacy Shield Frameworks (the "Frameworks"). Company's participation in the Frameworks applies to personal data received in the United States from the European Union and Switzerland (collectively, "Europe") about employees/contractors/job applicants ("European Human Resources Data"), corporate customer contacts and consumers ("European Customer Data"), and corporate customer's end-users ("European End User Data") (collectively, "European Personal Data"). The Framework has been determined as an “adequate” tool for cross-border transfers by the European Commission, including under the General Data Protection Regulation (“GDPR”), which is effective as of May 25, 2018. We are committed to meeting the requirements of the GDPR and to subjecting such European Personal Data to the Frameworks, including its Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. To learn more about the Frameworks, visit the US Department of Commerce's Privacy Shield here.

European Personal Data Collection, Use, and Disclosure

European Customer Data: The types of European Customer Data that we collect, the purposes for which we collect and use such data, and the types of third parties to which we disclose such data and the purposes of such disclosures, are the same as specified in our Website Privacy Policy

European End User Data: We operate as a processor acting on behalf of our corporate customers regarding the collection, use, and disclosure of European End User Data. If you are an end user of one of our corporate customers, please consult the privacy policies of that entity for information about its privacy practices.

European Human Resources Data: We provide notice to European employees and other covered individuals about the collection, use, and disclosure of their European Human Resources Data through internal company policies.

Rights of European Data Subjects - GDPR

If you are a European data subject, you have the right to obtain confirmation of the existence of certain Personal Data relating to you, to verify its content, origin, and accuracy, as well as the right to access, review, port, delete, or to block or withdraw consent to the processing of certain Personal Data (without affecting the lawfulness of processing based on consent before its withdrawal), subject to certain limitations, such as where the legitimate rights of other persons would be infringed or where the burden or expense, for example, of providing access, would be disproportionate. If you wish to exercise such rights, please contact us as described below. In particular, you have the right to object to our use of Personal Data for direct marketing and in certain other situations at any time. Contact us below for more details. Please note that certain Personal Data may be retained as required or permitted by applicable law.

Please note that if you are an End User receiving access to our services through a Corporate, Governmental, Educational or other Organizational Enterprise Client of Rosetta Stone, and you wish to request access, limit use, limit disclosure or remove your End User Personal Data, please contact the Enterprise Client organization that submitted your personal data to us, and we will support them as needed in responding to your request.

Choices of European Data

You can access or update your personal information by sending an email to the privacy team at privacyofficer@rosettastone.com. If you are a European resident with questions regarding your rights in your European Personal Data under GDPR, please contact the Rosetta Stone Data Protection Officer, Sofia Simoes, by email at DPO@rosettastone.com. Corporate customer contacts and individual consumers have the right to exercise choice (opt-out) from our use of their European Customer Data for direct marketing purposes. To exercise this right, please follow the instructions in any direct marketing message you may have received or contact us at privacyofficer@rosettastone.com. We do not otherwise use or disclose European Customer Data and European End User Data in a manner that is subject to choice requirements under the Frameworks unless noted. We describe the choices for European Human Resources Data through internal company policies.

Recourse, Enforcement, and Liability

Please contact us as specified below if you have any questions, need access to your European Personal Data, or otherwise need assistance. We remain responsible for our collection, use and disclosure of European Personal Data in accordance with the Frameworks. We also are responsible for third party agents that are processing such data on our behalf, unless we prove that we are not responsible for the event giving rise to the damage. In certain situations, we may be required to disclose European Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

If you have an unresolved concern about European Personal Data that we have not addressed satisfactorily, we have committed to cooperate with the panels established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) to serve as our independent dispute resolution bodies for the Frameworks. We are also subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to the Frameworks. In addition, under certain conditions, more fully described on the Privacy website, European residents may invoke binding arbitration for non-monetary issues when other dispute resolution procedures have been exhausted.

Contact Us

Please contact us at privacyofficer@rosettastone.com if you have any questions, wish to exercise your rights of access, or seek other assistance as described above.