1.2 Company provides data management services including but not limited to: data restoration, data migration, data remediation, litigation support, and information governance support (hereinafter, referred to as ‘Services’). Company’s UK subsidiary is certified for the provision of Services with the ISO/IEC 27001 standard for information security management systems; the rest of Company follows those practices as well. Moreover, Company adheres to the Electronic Discovery Reference Model (EDRM) that outlines the standards for gathering and assimilating electronic data during legal processes, including criminal evidence discovery.
Types of Data
2.1 Visitors’ Data
2.1.1 The Website allows Visitors to contact Company by filling out the Contact Us form. If Visitors want to download information from the Website, they do so by filling out the Downloads form available on the Website (hereinafter, the Contact Us form and the Downloads form are collectively referred to as the ‘Forms’). When Visitors fill out the Forms, Company collects the following personal data from them:
- full name;
- email address; and
- any other information that Visitors may decide to provide to Company through the Forms.
2.1.2 If Visitors sign up for Company’s newsletter by using the ‘Sign up for newsletter’ functionality available on the Website, Company will collect their email address.
2.1.3 When Visitors visit the Website, Company collects their IP address.
2.2 Customers’ Data
2.2.1 Company may collect the following Customers’ Data:
- full name;
- company information;
- work phone number;
- job title;
- email address; and
- any other information that the Customers may decide to provide to the Company in writing or orally.
2.2.2 Please note that Company does not collect Customers’ sensitive data such as health records, political and philosophic beliefs, racial and ethnic origin, and data of minors.
2.3 Project-related Data
2.3.1 The provision of Services by Company is governed by a contract concluded between Company and Customers (hereinafter referred to as the ‘Contract’). Upon provision of Services as set forth in the Contract, Company may restore and process certain types of personal and non-personal Project-related Data extracted from the following:
- email files;
- file shares;
- network shares;
- electronic files;
- computer images;
- voice recordings; and
- any other sources that Customers may decide to provide to Company.
2.3.2 Please note that, depending on the nature of the requested Services, Company may also be exposed to certain types of Customers’ sensitive data. Please note that such sensitive data will be processed in accordance with the Contract and after receiving Customers’ prior written consent. The sensitive data may include the following:
- health data;
- racial and ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- sexual life;
- data of minors;
- biometric data;
- genetic data; and
- any other data that Customers may decide to provide to Company.
2.5 Non-personal Data
2.5.1 Company may collect non-personal data, such as browser types, operating systems, and the URL addresses of websites clicked to and from the Website.
2.5.2 Company collects the non-personal data mentioned in Section 2.5.1 to analyze what kind of users visit the Website, how they find it, how long they stay, from which other websites they come to the Website, what pages they look at, and to which other websites they go from the Website.
The Purposes of Collection of Personal Data
3.1 Visitors’ Data are used by the Company only for the following:
- the purposes for which the data are provided;
- verifying Visitors’ contact details;
- customizing Website’s content based on Visitors’ location;
- providing the Visitors with advertisements of products and services which may be of interest to them;
- delivering Company’s newsletter to Visitors;
- sending notifications to Visitors about updates to the Website;
- sending information about promotions and/or events that may be of interest to Visitors; and
- audit and security purposes.
3.2 Customers’ Data are collected and processed solely for internal customer relationship management, financial management, and project management purposes, including the following:
- managing leads;
- managing sales processes;
- managing marketing processes;
- managing accounts receivable;
- managing accounts payable;
- managing post-sales projects; and
- delivering Services.
3.3 Project-related Data are collected and processed solely for the purposes of completing Services requested by Customers in accordance with the Contract. Please note that Company keeps Project-related Data in strict confidentiality and neither sells nor transfers such data to third parties. The employees of Company are subject to strict contractual confidentiality obligations and have restricted access to Project-related Data.
Data Protection and Liability
4.1 Company employs information security tools complying with ISO/IEC 27001 requirements to protect Visitors’ Data and Customers’ Data from loss, misuse, unauthorized access, alteration, and destruction. Such information security tools include, but are not limited to, secured networks, encryption, firewalls, antivirus protection, access control, physical security of buildings, camera monitoring, and regular background checks of Company’s employees.
4.2 Company employs extensive physical and information security measures to protect the Project-related Data from loss, misuse, unauthorized access, alteration, and destruction. Such measures include, but are not limited to, isolated data processing systems complying with ISO/IEC 27001 requirements, disconnection from the Internet, and limited access to sensitive data. Project-related Data may be stored with the prior consent of Customers in off-site, vaulted, and secured data centers managed by Company.
4.4 Due to the inherent risks of using the Internet, Company cannot be liable for any destruction, loss, leakage, and falsification of Customers’ Data and Visitors’ Data caused by circumstances beyond Company’s reasonable control.
Third Party Access and Data Transfer
5.1 Company may store Visitors’ Data using Constant Contact, which is a trading name of Constant Contact, Inc., an email marketing provider, having its principal place of business at Reservoir Place, 1601 Trapelo Road, Waltham, Massachusetts, 02451, United States, to provide Visitors with the requested newsletter, and to support the activities listed in Section 3.1. Constant Contact’s privacy statement is available at https://www.constantcontact.com/legal/privacy-statement. By signing up for Company’s newsletter or filling out the Forms on the Website, Visitors consent to the transfer of their personal data outside the European Union.
5.2 Customers’ Data may be used by Company for internal customer relationship management, financial management, and project management purposes. Customers’ Data may also be stored and used by the system mentioned in Section 5.1, strictly only with Customers’ prior written or oral permission and consent.
5.3 Company may transfer Customers’ Data and Visitors’ Data amongst its subsidiaries and affiliates. By providing their personal data to Company, Visitors and Customers consent to the transfer of their personal data between the European Union and the United States. The transfer of personal data between the U.S. and the EU is conducted in strict compliance with the Privacy Shield Framework (https://www.privacyshield.gov) as set forth by the U.S. Department of Commerce regarding the collection, use, protection, and retention of personal information between the Member States of the EU and the U.S.
5.4 Company does not provide third parties with access to Project-related Data, unless Company is legally bound to do so.
5.5 Company uses customer relationship management, financial management, and project management software provided by: (1) FutureSimple, Inc., a company having its principal place of business at 850, Shoreline Blvd, Mountain View, California, 94043, United States; (2) Vtiger Systems (India) Private Limited, a company having its principal place of business at No. 95, 12th Main, 3rd Block, Rajajinagar, Bangalore – 560 010, India; (3) The Sage Group plc, a company having its principal place of business at North Park, Newcastle Upon Tyne, NE13 9AA, United Kingdom; and (4) Intuit Inc., a company having its principal place of business at 2632 Marine Way, MS2675, Mountain View, California, 94043, United States. Company may store Visitors’ Data and Customers’ Data in these systems strictly for internal customer relationship management, financial management, and project management purposes.
5.6 The third parties indicated in Sections 5.1 and 5.5, except for Vtiger Systems (India) Private Limited and The Sage Group plc, comply with the EU-U.S. Privacy Shield Framework. They have certified that they adhere to the Privacy Shield principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. If Visitors and Customers would like to read more information on the EU-U.S. Privacy Shield Framework, they can visit https://www.privacyshield.gov.
5.7 The data stored in the software from Vtiger Systems (India) Private Limited, The Sage Group plc, and Intuit Inc. are entirely maintained on Company’s internal servers and internal network, and protected as described in Section 4.
5.8 Company will respond to lawful requests from U.S. public authorities to disclose information about Visitors and Customers to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.
5.9 With the exception of the cases in Sections 5.1, 5.2, and 5.5, Company does not transfer Visitors’ Data and Customers’ Data to third parties, unless Company is legally bound to do so.
Commitment to Privacy Shield
6.1 Company commits to apply the EU-U.S. Privacy Shield principles regarding notice, choice, onward transfer, security, data integrity, access, and enforcement to all Visitors’ Data and Customers’ Data transferred between the U.S. and the EU. For more information on the EU-U.S. Privacy Shield Framework, please visit https://www.privacyshield.gov.
6.2 Visitors and Customers can easily check the Privacy Shield status of Company by visiting the website of the U.S. Department of Commerce: https://www.privacyshield.gov/list.
6.3 Company only transfers Visitors’ Data and Customers’ Data for limited and specified purposes, consistent with any notice provided to it and consent given.
6.5 If the recipient can no longer provide the level of protection as required by the Privacy Shield principles, Company requires the recipient to notify it as soon as such a failure occurs. Company will take reasonable steps to stop and remediate unauthorized processing of Visitors’ Data and Customers’ Data.
6.6 The government agency in the U.S. that is responsible for investigation and enforcement of Company’s obligations under the Privacy Shield Framework is the U.S. Department of Commerce (https://www.commerce.gov).
6.7 In compliance with the Privacy Shield Principles, Company commits to resolve complaints about its collection or use of Visitors’ and Customers’ personal information. EU individuals with inquiries or complaints regarding Company’s Privacy Shield policy should first contact Company using the information in Section 14.1.
6.8 Company has further committed to cooperate with EU data protection authorities (DPAs) regarding unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship. If a Visitor or Customer does not receive timely acknowledgment of their complaint from Company, or if Company has not addressed a complaint to a Visitor’s or Customer’s satisfaction, please contact the EU DPAs for more information or to file a complaint. The services of EU DPAs are provided at no cost to the complainant.
6.9 In the event of a third party’s violation of the Privacy Shield Principles related to an onward transfer of Visitors’ Data or Customers’ Data, Company may be held liable to the complainant for its vendor’s violation of the Principles unless Company proves that it is not responsible for the event giving rise to the damage.
Accessing and Correcting Personal Data; Opting Out
7.1 Visitors and Customers have the right to: (1) have their data communicated; (2) get information about the purpose for which their data are processed; (3) learn about the categories of personal data concerned; and (4) get information about the recipients to whom the data are disclosed.
7.3 Customers and Visitors have the right to opt out from collection and processing of their personal data by contacting Company as set forth in Section 7.2.
7.4 Project-related Data can be accessed, corrected, and deleted by contacting Company as set forth in Section 7.2.
7.5 Company will answer any requests made under Section 7 within a reasonable time frame but no later than within two weeks.
7.6 Please note that Company may limit Visitors’ and Customers’ access rights in specific situations such as when providing access would undermine confidentiality, breach professional privilege, or conflict with legal obligations.
7.7 Unsubscribing from the newsletter service can be done through clicking on the ‘unsubscribe’ or ‘opt-out’ link contained in any of Company’s newsletters or mass emails.
Complaints and Disputes
8.1 Customers and Visitors have the right to lodge a complaint free of cost regarding the use of their personal data. The complaint should first be submitted to Company using the contact information set forth in Section 14.1.
8.2 If the dispute between (1) Customers or Visitors and (2) Company fails to be resolved within a reasonable time frame, Visitors and Customers have the right to invoke binding arbitration with an independent recourse mechanism at no charge to the complainant.
8.3 Company is registered with JAMS (Judicial Arbitration and Mediation Services, https://www.jamsadr.com) as its alternative dispute resolution provider.
9.1 Visitors’ Data and Customers’ Data will be kept for as long as it is necessary to provide the requested Services. For instance, if personal data is collected to deliver the newsletter, the personal data will be kept until the Visitors or the Customers unsubscribe from the newsletter service.
9.2 When Visitors’ Data and Customers’ Data are no longer necessary to deliver the requested Services, the Company will immediately delete such data.
9.3 Please note that the Project-related Data are deleted immediately after the Contract is executed. Upon explicit written request of the Customers, the Company may store the Project-related Data for a longer period. The retention period for Project-related Data is bound by the Contract signed between the Company and the Customers. The Project-related Data will be stored and/or disposed for the time period specified in the Contract.
10.3 Collecting and processing of Project-related Data will be carried out only after concluding the Contract and obtaining Customers’ prior consent (i.e., opt-in).
11.1 The Website may contain links to other websites. Company is not responsible for the privacy practices of those websites.
12.2 There are two types of cookies, namely, persistent cookies and session cookies. Persistent cookies remain valid until their expiration date, unless deleted before that date. Session cookies are stored on a web browser and will remain valid until the moment when the browser is closed.
12.3 Cookies do not typically contain personal data. However, personal data stored by Company may be linked to the information stored in and obtained from cookies.
12.5 Company uses Google Analytics to analyze Visitors’ activity on the Website. Google Analytics generates statistical and other information about the Website by means of cookies. The information generated by Google Analytics in relation to the Website is used to create reports about the use of the Website. Company uses the following Google Analytics advertising features: (1) Remarketing with Google Analytics; (2) Google Display Network Impression Reporting; (3) Google Analytics Demographics and Interest Reporting; and (4) integrated services that require Google Analytics to collect data via advertising cookies and identifiers.
12.6 If Visitors want to opt out from Google Analytics advertising features, they can do so through Ads Settings, Ad Settings for mobile apps, or any other available means (for example, the NAI’s consumer opt-out). Visitors can also install a Google Analytics opt-out browser add-on available at https://tools.google.com/dlpage/gaoptout?hl=en.
13.1 The Website provides Visitors with the possibility to comment on the articles published on the blog of the Website (hereinafter, referred to as ‘User-Generated Content’). Visitors agree not to submit any User-Generated Content on the Website that violates the applicable privacy and other laws.
13.2 Company shall not be liable for any direct or indirect damages caused by publication of unlawful content by Visitors.
13.3 Any User-Generated Content submitted by Visitors to Company may become public.
eMag Solutions, Ltd.
2A Oaktree Court, Mulberry Drive
Cardiff Gate Business Park
Cardiff, Wales, CF238RS, United Kingdom
Phone: +44 (0) 220 739940
Fax: +44 (0) 2920 739948