EU Addendum
Last modified: 09-29-2020
PURPOSE FOR ADDENDUM
This European Union Data Privacy Addendum, including any future modifications (this "Addendum"), is part of the Company's Privacy Policy and applies to any "personal data" (as defined under the GDPR) that we may "process" (as defined under the General Data Protection Regulation; the "GDPR") through your use of the services. While the Company is a United States company subject to United States law, the Company will attempt to give effect to the GDPR for its European users that are entitled to enforce rights under the GDPR if commercially reasonable and if the GDPR's requirements do not conflict with the requirements of United States law. The purpose of this Addendum is to describe: 1) rights under the GDPR and 2) the legal bases that support the Company's processing activities.
RIGHT TO ACCESS BASIC INFORMATION
You have a right to confirmation by the Company as to whether the Company is processing your personal data and, where that is the case, you have a right to access the following information:
- The purpose of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipients to whom your personal data have been or will be disclosed;
- The envisaged period for which your personal data will be stored or the criteria used to determine that period;
- The existence of your right to rectification (discussed below);
- The existence of your right to erasure (discussed below);
- The existence of your right to restrict processing (discussed below);
- The existence of your right to object to processing (discussed below);
- Whether the Company uses your personal data for automated decision-making and, where that is the case, the logic involved and the significance and envisaged consequences to you;
- Where the Company does not collect your personal data directly from you, the existence of your right to information regarding the Company’s source of your personal data; and
- Where the Company intends to transfer your personal data to a third country or international organization, the existence of your right to be informed of the appropriate safeguards used in connection with the transfer.
Your right to access includes the right to obtain a copy of the personal data the Company is processing. In compliance with the GDPR, the Company will provide one such copy for free, but the Company may charge a reasonable fee for any additional copies.
RIGHT TO DATA PORTABILITY
You have the right to transfer your personal data between controllers (e.g., to move account details from one online platform to another). Specifically, you have the right to:
- Receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
- Transfer your personal data from one controller to another;
- Store your personal data for further personal use on a private device; and
- Have your personal data transmitted directly between controllers without hindrance.
Inferred or derived data (data derived through use of analytical processes) do not fall within the right to data portability, because such data are not provided by you. The Company is not obliged to retain personal data for longer than is otherwise necessary simply to service a potential data portability request.
RIGHT TO RECTIFY INFORMATION
You have a right to obtain from the Company the rectification of inaccurate personal data concerning you. Additionally, taking into account the purposes for which the Company is processing your personal data, you have a right to obtain from the Company the completion of incomplete personal data concerning you.
RIGHT TO WITHDRAW CONSENT
Your consent can provide a lawful basis for the Company to process your personal data and/or transfer your data internationally. You have the right to withdraw such consent. The Company will, however, likely have other lawful bases that may apply to the processing or transfer of your data.
RIGHT TO ERASURE
Under the GDPR, in certain circumstances, you may have the right to have the Company erase your personal data, cease further dissemination of the data, and potentially have third parties halt processing your data upon your request. You have the right to erasure of your personal data if:
- The data are no longer needed by the Company for their original purpose (and no new lawful purpose exists);
- The lawful basis for the processing is your consent, you withdraw that consent, and no other lawful ground exists for the Company to process the information;
- You exercise your right to object to processing and the Company has no overriding grounds for continuing the processing;
- The data have been processed unlawfully; or
- Erasure may be necessary to comply with other EU laws or the national law of a relevant EU Member State.
RIGHT TO OBJECT TO PROCESSING PERSONAL DATA FOR PUBLIC OR LEGITIMATE INTERESTS
Where the Company is processing your personal data on the basis of having a "public interest" or "legitimate interests", those bases are not absolute and you may have a right to object to such processing. If you object, the Company must cease such processing unless it either: 1) demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms; or 2) requires the data in order to establish, exercise, or defend legal rights.
RIGHT TO OBJECT TO PROCESSING FOR THE PURPOSES OF DIRECT MARKETING
You have the right to object to the processing of your personal data for the purposes of receiving direct marketing from the Company (including "profiling" activities as detailed further below).
RIGHT TO OBJECT TO PROCESSING FOR SCIENTIFIC, HISTORICAL, OR STATISTICAL PURPOSES
Where your personal data are processed for scientific and historical research purposes or statistical purposes, you have the right to object, unless the processing may be necessary for the performance of a task carried out for reasons of public interest.
RIGHT TO RESTRICT PROCESSING
You may be entitled to limit the purposes for which the Company can process your personal data. Specifically, you have the right to restrict the processing of your personal data if:
- The accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
- The processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
- The Company no longer needs the data for their original purpose, but the data are still required by the Company to establish, exercise, or defend legal rights; or
- Verification of overriding grounds is pending in the context of an erasure request.
RIGHT TO MAKE A COMPLAINT TO THE RELEVANT DPA
Data Protection Authorities ("DPAs") are responsible for monitoring and enforcing data protection laws at a national level and providing guidance on the interpretation of those laws. If you believe your rights have been infringed by the Company, you have the right to ask the Company to remedy the situation. If you believe you have not received an adequate response from the Company, you may file a complaint with the relevant DPA (either the DPA for the EU Member State in which you live or work or the Member State in which the alleged infringement occurred). A list of DPAs may be found at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080 (current as of September 2018).
COMPANY'S LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA
Our legal basis for collecting and using the Information described above will depend on the type of Information and the specific context in which we collect it.
We process Information about you in order to provide our services in accordance with our Terms of Use and where it is in our legitimate interests to do so and not overridden by your rights (for example, in some cases for direct marketing, fraud prevention, network and information systems security, responding to your communications, and improving our services).
In some cases, we may also have a legal obligation to collect Information about you, or may otherwise need the Information to protect your vital interests or those of another person.
INTERNATIONAL DATA TRANSFERS
If you access the Services from the EU, you are voluntarily transmitting your personal data to the United States. Your data may also be processed by certain third-party data processors located in the United States (including the Company's affiliated entities and service providers). The Company will ensure that any transfers made between itself and any data processors are made with appropriate safeguards in place to protect the information from unauthorized uses or disclosures if reasonably possible. For processors that process your personal data on the Company's behalf, and will then transfer data to the United States or another jurisdiction that is not deemed to have adequate safeguards, the Company will ensure that the "Standard Contractual Clauses", approved by the European Commission, are in place between the Company and the processor. The applicable Standard Contractual Clauses may be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010D0087&from=EN