European Union User Privacy and Cookie Rights–General Data Protection Regulation and Privacy Shield
Attn: Measurabl Support
707 Broadway Street, Suite 1000
San Diego CA, 92101
Types of Data We Collect. “Personal Data” means data that allows someone to identify or contact you, including, for example, your name, address, telephone number, e-mail address, as well as any other non-public information about you that is associated with or linked to any of the foregoing data. “Anonymous Data” does not, by itself, permit the identification of individual persons. We collect Personal Data and Anonymous Data, as described below. We collect your Personal Data and/or Anonymous Data (collectively “Data”) in order to deliver contracted Services.
Information You Provide to Us.
We may collect Personal Data from you, such as your first and last name, e-mail and mailing addresses, professional title, company name, and password when you create an account to log in to our network (“Account”).
Our mobile homepage lets you store preferences like your location, safe search settings, and favorite widgets. We may associate these choices with your ID or the mobile device, and you can edit these preferences at any time on our mobile homepage.
When connecting to our Services via a service provider that uniquely identifies your mobile device, we may receive this identification and use it to offer extended services and/or functionality.
When you order services on our Sites, we will collect all information necessary to complete the transaction, including your name and billing information. This information may be shared with third party service providers who help process and fulfill your purchases. Specific Services may allow you to enter credit card information; when you submit credit card numbers, that information is encrypted with the most stringent level of certification available in the payments industry.
We retain information on your behalf, such as files and messages that you store using your Account.
If you provide us feedback or contact us via e-mail, we will collect your name and e-mail address, as well as any other content included in the e-mail, in order to send you a reply.
When you post content (text, images, photographs, messages, comments or any other kind of content that is not your e-mail address) on our Sites, the information contained in your posting will be stored in our servers or third party servers.
When you participate in one of our surveys, we may collect additional profile information.
We also collect other types of Personal Data that you provide to us voluntarily, such as your product registration number, and other requested information if you contact us via e-mail regarding support for the Services.
When you link a third party service to your Account (as described below), we collect your login credentials for such third party service.
We may also collect Personal Data, such as at other points in our Sites that state that Personal Data is being collected.
Information Collected via Technology.
Information Collected by Our Servers. To make our Sites and Services more useful to you, our servers (which may be hosted by a third party service provider) collect information from you, including your browser type, operating system, Internet Protocol (“IP”) address (a number that is automatically assigned to your computer when you use the Internet, which may vary from session to session), domain name, and/or a date/time stamp for your visit.
Pixel Tags. In addition, we use “Pixel Tags” (also referred to as clear GIFs, Web beacons, or Web bugs). Pixel Tags are tiny graphic images with a unique identifier, similar in function to Cookies, that are used to track online movements of Web users. In contrast to Cookies, which are stored on a user’s computer hard drive, Pixel Tags are embedded invisibly in Web pages. Pixel Tags also allow us to send e-mail messages in a format users can read, and they tell us whether e-mails have been opened to ensure that we are sending only messages that are of interest to our users. We may use this information to reduce or eliminate messages sent to a user. We do not tie the information gathered by Pixel Tags to our users’ Personal Data.
How We Respond to Do Not Track Signals. We do not currently respond to “do not track” signals or other mechanisms that might enable consumers to opt out of tracking on our Sites.
Gong. We use Gong.io to record phone calls for quality assurance and note-taking automation purposes. For each call that will be recorded, user consent is explicitly requested via a Gong-generated email prior to any recording taking place. The email will clearly state that the call will be recorded if you click on the link and that, by clicking on the link, you thereby consent to the call being recorded. Each user will have the option to opt out of phone recordings if they choose.
HubSpot. We use HubSpot to manage our relationships with customers and prospective buyers of our Services. HubSpot assists with tracking visitors to our website. Cookies are left on visitors’ browsers that help us identify them on future visits.
SmartLook. We use SmartLook to record user interactions with our platform for quality assurance and design use cases.
Information Collected from You About Others. You can invite users (“Authorized Users”) to access your Account by sending each Authorized User a URL. Such Authorized User(s) will then be invited to create a sub-account under your Account (a “Sub-Account”) and we will collect information from such Authorized User(s) necessary for the creation of the Sub-Account, such as his or her first and last name, email address, password, and company name. We rely upon you to obtain whatever consents from the Authorized User(s) may be required by law to allow us to access and upload the names and e-mail addresses of the Authorized User(s) as described above. You or the Authorized User(s) may contact us at firstname.lastname@example.org to request the removal of this information from our database.
Information Collected from Third Party Companies. We may receive Personal and/or Anonymous Data about you from companies that provide our Services by way of a co-branded or private-labeled website or companies that offer their products and/or services on our Sites. These third party companies may supply us with Personal Data. We may add this information to the information we have already collected from you via our Sites in order to improve the Services we provide.
Use of Your Personal Data
General Use. In general, Personal Data you submit to us is used either to respond to requests that you make, or to aid us in serving you better. We use your Personal Data in the following ways:
to operate, maintain, and improve our Sites and Services;
to respond to comments and questions and provide customer service;
to send information including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
to communicate about promotions, upcoming events, and other news about products and services offered by us and our selected partners;
to link or combine user information with other personal information we get from third parties, to help understand your needs and provide you with better service;
to analyze information imported to your Account and compare it against benchmarks;
to create and submit Reports on your behalf;
to provide you with recommendations to improve sustainability;
to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity;
to provide and deliver products and services customers request;
to identify you as a user in our system;
to facilitate the creation of and secure your Account on our network;
to process and deliver orders;
to develop and improve marketing and advertising for the Services;
to send you a welcome e-mail to verify ownership of the e-mail address provided when your Account was created;
to send you administrative e-mail notifications, such as security, or support and maintenance advisories;
to make telephone calls to you, from time to time, as a part of secondary fraud protection or to solicit your feedback; and
to send newsletters, surveys, offers, and other promotional materials related to our Services and for other marketing purposes of Measurabl.
User Testimonials and Feedback. We often receive testimonials and comments from users who have had positive experiences with our Services. We occasionally publish such content. When we publish this content, we may identify our users by their first and last name and may also indicate their home city or place of employment. We obtain the user’s consent prior to posting his or her name along with the testimonial. We may post user feedback on the Sites from time to time. We will share your feedback with your first name and last initial only. If we choose to post your first and last name along with your feedback, we will obtain your consent prior to posting your name with your feedback. If you make any comments on a blog or forum associated with our Sites or with our social media content, you should be aware that any Personal Data you submit there can be read, collected, or used by other users of these forums, and could be used to send you unsolicited messages. We are not responsible for the personally identifiable information you choose to submit in these blogs and forums.
Creation of Anonymous Data. We may create Anonymous Data records from Personal Data by excluding information (such as your name) that makes the data personally identifiable to you. We use this Anonymous Data to analyze request and usage patterns so that we may enhance the content of our Services and improve Site navigation. We reserve the right to use Anonymous Data for any purpose and disclose Anonymous Data to third parties in our sole discretion.
Third Party Service Providers Designated by You. When you use the Services, the Personal Data you provide will be shared with the third party service providers that you designate to receive such information, including other websites, your friends, relatives and business associates. Depending on the type of access you grant to such third parties, they may also be permitted to edit the information you have provided to us and to designate others to access and edit such information. You may change your settings at any time as to who has access to your information by going to your account settings and changing your publishing options.
Third Party Service Providers. We may share your Personal Data with third party service providers to: provide you with the Services that we offer you through our Sites; to conduct quality assurance testing; to facilitate creation of accounts; to provide technical support; and/or to provide other services to Measurabl. These third party service providers are required not to use your Personal Data other than to provide the services requested by Measurabl.
AS A RESULT, WE MAY PROVIDE YOUR PERSONAL DATA TO A THIRD PARTY COMPANY. BECAUSE WE DO NOT CONTROL THE PRIVACY PRACTICES OF THESE THIRD PARTY COMPANIES, YOU SHOULD READ AND UNDERSTAND THEIR PRIVACY POLICIES.
NOTICE TO EUROPEAN UNION RESIDENTS
GENERAL DATA PROTECTION REGULATION (GDPR) RIGHTS
PURPOSES OF PROCESSING
What is personal data?
As used in this Policy, “personal data” has the meaning given to it in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “EU GDPR”) and the EU GDPR as it forms part of UK law (the “UK GDPR”), together with any applicable implementing or supplementary legislation in any applicable member state of the European Economic Area (“EEA”) and/or the UK (including the UK Data Protection Act 2018) (together, the “GDPR”). This includes any information which, either alone or in combination with other information we hold about you, identifies you as an individual, including, for example, your name, postal address, email address, telephone number, as well as certain online identifiers.
Why do we need your personal data?
We will only process your personal data in accordance with applicable data protection and privacy laws. We need certain personal data in order to provide you with access to Sites. This consent to use Measurabl Sites provides us with the legal basis we require under applicable law to process your data. You maintain the right to withdraw such consent at any time. If you do not agree to our use of your personal data in line with this Policy, please do not use our Sites.
COLLECTING YOUR PERSONAL DATA
We collect information about you in the following ways:
Information You Provide to Us.
On our Sites, we allow visitors to request more information and schedule a demo. Name and email address are collected at that time. Providing your contact information will allow us to complete these requests.
If you contact us or provide feedback via e-mail, we will collect your name and e-mail address, as well as any other content included in the e-mail, in order to send you a reply.
Information Collected via Technology.
Log Files. As is true of most websites, we gather certain information automatically and store it in log files. This information includes IP addresses, browser type, Internet service provider (“ISP”), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information to analyze trends, administer the Sites, track users’ movements around the Sites, gather demographic information about our user base as a whole, and better tailor our Services to our users’ needs. For example, some of the information may be collected so that when you visit the Sites or the Services again, it will recognize you and the information could then be used to serve advertisements and other information appropriate to your interests.
Pixel Tags. In addition, we use “Pixel Tags” (also referred to as clear GIFs, Web beacons, or Web bugs). Pixel Tags are tiny graphic images with a unique identifier, similar in function to Cookies, that are used to track online movements of Web users. In contrast to Cookies, which are stored on a user’s computer hard drive, Pixel Tags are embedded invisibly in Web pages. Pixel Tags also allow us to send e-mail messages in a format users can read, and they tell us whether e-mails have been opened to ensure that we are sending only messages that are of interest to our users. We may use this information to reduce or eliminate messages sent to a user.
Automated Decision Making and Profiling.
We do not use your personal data for the purposes of automated decision-making.
We use the following categories of Cookies:
Strictly necessary Cookies are used for user authentication and session maintenance on our Sites.
Performance and analytics Cookies are used to analyze user interaction with our Sites.
You can typically remove or reject Cookies via your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the “settings,” “help,” “tools” or “edit” facility). Many browsers are set to accept Cookies until you change your settings.
For further information about Cookies, including how to see what Cookies have been set on your computer or mobile device and how to manage and delete them, visit www.allaboutcookies.org.
If you disable our Cookies, you may experience some inconvenience in your use of our Sites. For example, we may not be able to recognize your computer or mobile device and you may need to log in every time you visit our Sites.
USING YOUR PERSONAL DATA
We may use your personal data as follows:
General Use. In general, personal data you submit to us is used either to respond to requests that you make, or to aid us in serving you better. We use your personal data in the following ways:
to operate, maintain, and improve our Sites and Services;
with your consent, to send you marketing e-mails about upcoming promotions, and other news, including information about products and services offered by us and our affiliates. You may opt-out of receiving such information at any time: such marketing emails tell you how to “opt-out.” Please note, even if you opt out of receiving marketing emails, we may still send you non-marketing emails.
to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity;
to develop and improve marketing and advertising for the Services; and
to send newsletters, surveys, offers, and other promotional materials related to our Services and for other marketing purposes of Measurabl.
User Testimonials and Feedback. We often receive testimonials and comments from users who have had positive experiences with our Services. We occasionally publish such content. When we publish this content, we may identify our users by their first and last name and may also indicate their home city. We obtain the user’s consent prior to posting his or her name along with the testimonial. We may post user feedback on the Sites from time to time. We will share your feedback with your first name and last initial only. If we choose to post your first and last name along with your feedback, we will obtain your consent prior to posting your name with your feedback.
SHARING YOUR PERSONAL DATA
We may share your personal data as follows:
Other Disclosures. We may share personal data as we believe necessary or appropriate: (a) to comply with applicable laws; (b) to comply with lawful requests and legal process, including to respond to requests from public and government authorities to meet national security or law enforcement requirements; (c) to enforce our Policy; and (d) to protect our rights, privacy, safety or property, and/or that of you or others.
When we use the term “anonymous data,” we are referring to data and information that does not permit you to be identified or identifiable, either alone or when combined with any other information available to a third party.
We may create Anonymous Data records from personal data by excluding information (such as your name) that makes the data personally identifiable to you. We use this Anonymous Data to analyze request and usage patterns so that we may enhance the content of our Services and improve Site navigation. We reserve the right to use Anonymous Data for any purpose and disclose Anonymous Data to third party service providers in our sole discretion.
THIRD PARTY SITES
Our Sites may contain links to third party websites and features. This Policy does not cover the privacy practices of such third parties. These third party service providers have their own privacy policies and we do not accept any responsibility or liability for their websites, features or policies. Please read their privacy policies before you submit any data to them.
INTERNATIONAL DATA TRANSFER
Your information, including personal data that we collect from you, will be transferred to, stored at and processed by us and our affiliates and other third parties outside the EEA and the UK, including, but not limited to, the United States, where data protection and privacy regulations may not offer the same level of protection as in the EEA and the UK. We will take all steps reasonably necessary to ensure that wherever we transfer your personal data outside of the EEA and the UK, it is treated in accordance with this Policy and subject to appropriate safeguards which ensure that an equivalent level of protection is afforded to it. For example:
we may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and/or the UK Government, as applicable; and
where we use service providers outside the EEA and/or UK, we may use specific contracts approved by the European Commission, which give personal data the same protection it has in the EEA and UK.
We use reasonable organizational, technical and administrative measures to protect personal data within our organization. Unfortunately, no transmission or storage system can be guaranteed to be completely secure, and transmission of information via the internet is not completely secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us of the problem by contacting us using the details in Section 14 below.
We will only retain your personal data for as long as reasonably required for you to use the Sites and/or to provide you with the Services requested, whichever is longer, or until you notify us of your desire to have your personal data deleted unless a longer retention period is required or permitted by law (for example for regulatory purposes).
OUR POLICY ON CHILDREN
Our Sites are not directed to children under 16. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us using the details in Section 14 below. We will delete such information from our files as soon as reasonably practicable.
SENSITIVE PERSONAL DATA
Subject to the following paragraph, we ask that you not send us, and you not disclose (orally or otherwise), any sensitive personal data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Sites or otherwise to us.
If you send or disclose any sensitive personal data to us when you submit user generated content to our Sites, we will delete such sensitive personal data from our records. If you do not consent to our processing and use of such sensitive personal data, you must not submit such user generated content to our Sites.
Opt-out. You may contact us anytime to opt-out of direct marketing communications.
Access. You may access the information we hold about you at any time by contacting us directly.
Amend. You can contact us to update or correct any inaccuracies in your personal data.
Erase and forget. In certain situations, for example when the information we hold about you is no longer relevant or is incorrect, you can request that we erase your data.
If you wish to exercise any of these rights, please contact us using the details in Section 14 below. In your request, please make clear: (i) what personal data is concerned; and (ii) which of the above rights you would like to enforce. For your protection, we may only implement requests with respect to the personal data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable and in any event, within one month of your request. Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting any change or deletion.
We are committed to resolving any complaints about our collection or use of your personal data. If you would like to make a complaint regarding this Policy or our practices in relation to your personal data, please contact us at:
Attn: Measurabl Legal
707 Broadway Street, Suite 1000
San Diego CA, 92101
We will reply to your complaint as soon as we can and in any event, within 45 days. We hope to resolve any complaint brought to our attention, however if you feel that your complaint has not been adequately resolved, the GDPR gives you the right to contact your local data protection supervisory authority, which for the UK, is the Information Commissioner’s Office.
We welcome your comments or questions about this Policy. You may contact us in writing at Legal@measurabl.com or at:
Measurabl, Inc. Attn: Measurabl Legal
707 Broadway Street, Suite 1000
San Diego CA, 92101
EU-U.S. PRIVACY SHIELD
Measurabl complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the EU to the United States. We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles. To learn more about the Privacy Shield program, the Privacy Shield Principles and to view our certification, please visit www.privacyshield.gov.
We note that, although we continue to comply with the EU-U.S. Privacy Shield Framework, we no longer rely on this as a mechanism to provide appropriate safeguards in respect of transfers of personal data from the EEA or the UK to the U.S., since its invalidation for this purpose by the Court of Justice of the European Union on 16 July 2020. Where we effect transfers of personal data from the EEA or UK to the U.S., we now rely instead on the mechanisms described in Section 8 above (International Data Transfer).
As described in Measurabl’s Privacy Shield Principles, Measurabl is accountable for personal data that it receives and subsequently transfers to third parties. If third party service providers that process personal data on our behalf do so in a manner that does not comply with the Privacy Shield Principles, we are accountable, unless we prove that we are not responsible for the event giving rise to the damage.
In compliance with the Privacy Shield Principles, Measurabl commits to resolving complaints about our collection or use of your personal data. EU individuals with inquiries or complaints regarding this Policy should first contact us at:
Attn: Measurabl Legal
707 Broadway Street, Suite 1000
San Diego CA, 92101
Measurabl has further committed to refer unresolved Privacy Shield complaints to EU-US Privacy Shield Principles BBB EU PRIVACY SHIELD, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information or to file a complaint. The services of EU-US Privacy Shield Principles BBB EU PRIVACY SHIELD are provided at no cost to you.
As further explained in the Privacy Shield Principles, binding arbitration before a Privacy Shield Panel will also be made available to you in order to address residual complaints not resolved by any other means. Measurabl is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
17. EMPLOYEE PERSONAL DATA
Measurabl commits to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to human resources data transferred from the EU in the context of the employment relationship. Please contact us to be directed to the relevant DPA contacts.
NOTICE TO CALIFORNIA RESIDENTS – YOUR CALIFORNIA PRIVACY RIGHTS
(AS PROVIDED BY CALIFORNIA CIVIL CODE SECTION 1798.83)
A CALIFORNIA RESIDENT WHO HAS PROVIDED PERSONAL DATA TO A BUSINESS WITH WHOM HE/SHE HAS ESTABLISHED A BUSINESS RELATIONSHIP FOR PERSONAL, FAMILY, OR HOUSEHOLD PURPOSES (A “CALIFORNIA CUSTOMER”) MAY REQUEST INFORMATION ABOUT WHETHER THE BUSINESS HAS DISCLOSED PERSONAL INFORMATION TO ANY THIRD PARTIES FOR THE THIRD PARTIES’ DIRECT MARKETING PURPOSES. IN GENERAL, IF THE BUSINESS HAS MADE SUCH A DISCLOSURE OF PERSONAL DATA, UPON RECEIPT OF A REQUEST BY A CALIFORNIA CUSTOMER, THE BUSINESS IS REQUIRED TO PROVIDE A LIST OF ALL THIRD PARTIES TO WHOM PERSONAL DATA WAS DISCLOSED IN THE PRECEDING CALENDAR YEAR, AS WELL AS A LIST OF THE CATEGORIES OF PERSONAL DATA THAT WERE DISCLOSED. CALIFORNIA CUSTOMERS MAY REQUEST FURTHER INFORMATION ABOUT OUR COMPLIANCE WITH THIS LAW BY E-MAILING INFO@MEASURABL.COM. PLEASE NOTE THAT WE ARE REQUIRED TO RESPOND TO ONE REQUEST PER CALIFORNIA CUSTOMER EACH YEAR AND WE ARE NOT REQUIRED TO RESPOND TO REQUESTS MADE BY MEANS OTHER THAN THROUGH THIS E-MAIL ADDRESS.
Public Profile. Certain portions of the information you provide to us may also be displayed in your Profile. As an essential element of the Services, most of the Personal Data you explicitly provide to us when you register or update your Profile is displayed on your Profile. In order for your Profile to be made public, you must go to your profile settings and then to profile visibility. By default, your Profile is not for public viewing. Your photos, posts, friends, and other content you post to the Sites are also meant for public consumption. We may display this content on the Sites, and further distribute it to a wider audience through third party sites and services. Once displayed on publicly viewable web pages, that information can be collected and used by others. We cannot control who reads your posting or what other users may do with the information that you voluntarily post, so it is very important that you do not put Personal Data in your posts. Once you have posted information publicly, while you will still be able to edit and delete it on the Sites, you will not be able to edit or delete such information cached, collected, and stored elsewhere by others (e.g., search engines).
Your Choices Regarding Your Information. You have several choices regarding use of information on our Services:
Cookies. If you decide at any time that you no longer wish to accept Cookies from our Service for any of the purposes described above, then you can instruct your browser, by changing its settings, to stop accepting Cookies or to prompt you before accepting a cookie from the websites you visit. Consult your browser’s technical information. If you do not accept Cookies, however, you may not be able to use all portions of the Service or all functionality of the Service. If you have any questions about how to disable or modify Cookies, please let us know at the contact information provided above.
Changing or Deleting Your Personal Data. All Users may review, update, correct or delete the Personal Information in their User account (including any imported contacts) by contacting us or by editing their profile via the Service. If you completely delete all of your Personal Information, then your User account may become deactivated. We will use commercially reasonable efforts to honor your request. We may retain an archived copy of your records as required by law or for legitimate business purposes. (For more information on how to control your User Content on the Service, including information regarding the use and storage of your User Content, please see the “Sharing Your Content” section in our Terms of Service.)
Security of Your Personal Data. Measurabl is committed to protecting the security of your Personal Data. We use a variety of industry-standard security technologies and procedures to help protect your Personal Data from unauthorized access, use, or disclosure. We also require you to enter a password to access your Account information. Please do not disclose your Account password to unauthorized people. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while Measurabl uses reasonable efforts to protect your Personal Data, Measurabl cannot guarantee its absolute security.
A Note About Children. We do not intentionally gather Personal Data from visitors who are under the age of 16. If a child under 16 submits Personal Data to Measurabl and we learn that the Personal Data is the information of a child under 16, we will attempt to delete the information as soon as possible. If you believe that we might have any Personal Data from a child under 16, please contact us at email@example.com.
Scope: Under the terms of this Policy, an employee includes any applicant undergoing the job application process and any person who is in an employment relationship with Measurabl.
“Personal human resources data” is any information about a specific or definable employee. An employee is considered definable if, for example, a relation to the person can be established by the information from the data combined with supplementary knowledge, even if such knowledge is available only by coincidence.
“Transmission” is any disclosure of personal data to third parties by the data controller.
“The processing of personal data” is any action, carried out with or without the assistance of automated processes, that serves to collect, save, organize, store, change, access, use, pass on, transmit, distribute, combine, or reconcile the data. This also includes destroying, deleting, or blocking data and data storage media.
“The data controller” is the legally independent entity within Measurabl that initiated the data processing measure in question through its business activities.
Scope and Amendments of the Policy – This Policy applies for all of the companies in Measurabl, Inc. and all of its dependent subsidiaries, as well as associated companies and their employees. Under the terms of this Policy, a dependent subsidiary is a company that Measurabl can require either directly or indirectly to adopt the Policy by virtue of a majority voting interest, a majority in the company management, or an agreement.
This Policy applies to all processing of personal HR data. Personal HR data also includes data relating to job applicants. Individual Group companies are not entitled to put in place regulations that deviate from this Policy.
Application of the Law of Individual Nations – This Data Protection Policy comprises the internationally accepted principles of data protection, without replacing the existing national laws. It applies in all cases as far as it is not in conflict with the respective national law; additionally, the national law shall apply if it makes greater demands. National law applies in the case that it entails a mandatory deviation from, or exceeds the scope of, this Policy for data protection. This Policy also applies in countries in which there is no corresponding national legislation in place. For the transborder flow of data originating from the European Union, Switzerland and the United Kingdom or from countries that require an adequate standard of protection for transborder data flows, the party importing the data must comply with the national legislation in force in the country from which the data originated when processing such personal HR data. This does not apply for data flows within the European Union/EEA and United Kingdom or for transborder data flows into non-EU/EEA countries that have been deemed by the European Commission to have an adequate level of data protection. The notification requirements for data processing set out in the laws of individual nations must be met.
V. Principles for Processing of Personal Data
1. Fairness and lawfulness In processing personal HR data, the individual rights of the employees must be protected. Personal HR data must be processed fairly and in accordance with legal provisions.
2. Restriction to a specific purpose Personal HR data may be processed only for the purposes for which they were originally collected. Subsequent changes to the purpose are possible only to a limited extent. Such changes may take place by virtue of a contractual agreement with the employee concerned, collective agreements, consent given by the employee, or national legislation.
3. Transparency Employees must be informed of how their data is being handled. As a matter of principle, personal data must be collected directly from the employee concerned. When collecting the data, the employee must either be aware of or be informed of the following:
• The identity of the data controller
• The purpose for which the data is being processed
• Third parties or categories of third parties to whom the data may potentially be transmitted. National legislation or collective agreements may impose additional or differing requirements regarding the content and scope of this information.
4. Data Economy Before any step is taken to process personal HR data, it must be checked whether and to what extent the processing of personal HR data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows, and where the expense involved is in proportion with the goal being pursued, anonymized or statistical data must be used. This Policy does not apply for statistical analysis or studies based on anonymized data. Personal data may not be collected in advance and stored for potential future purposes unless required by national legislation in force in the country in question. Data that are no longer needed should be deleted in compliance with existing archival requirements.
5. Factual accuracy and timeliness of data Personal HR data must be correct and up to date when stored. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, or supplemented.
6. Personal HR data requiring special protection Personal data requiring special protection may be processed only under certain conditions. Data require special protection if they relate to the racial or ethnic background, political views, religious or philosophical convictions, trade union membership, health, or sexual orientation of the data subject. Further data categories may be classed as requiring special protection, or the content of these data categories may be filled in differently, according to the laws of individual nations. Similarly, data regarding criminal offenses may often be handled only in compliance with special requirements set out in the applicable national laws. The processing of such data must be expressly permitted or required according to the applicable national law. In addition, the processing of such data may be permitted if it is necessary in order for the responsible party to uphold its rights or fulfill its obligations in the domain of employment law. The employee may also give his/her express consent to the data being processed.
7. Need-to-Know Principle In the context of increasingly flexible company organization, it must be ensured that employees have access to personal data on a need-to-know basis only. The need-to-know principle means that employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
8. Automated Individual Decisions Automated processing of personal HR data intended to evaluate certain personal aspects of the employee (e.g. skills profile) must meet special requirements. It must not form the sole basis for decisions that have negative consequences or result in significant detriment to the employee concerned. In order to avoid incorrect decisions, it must be ensured that a test and a plausibility check are carried out by an employee. In addition, the employee concerned must be informed of the fact that an automated individual decision-making procedure is carried out and of its result, and he/she must be given the opportunity to respond. Stricter requirements for automated individual decisions set out in national legislation must be observed.
VI. Data Processing Legitimacy
1. Data collection on the basis of employment relationship For the purpose of the employment relationship, such data may be collected as is necessary for executing the employment contract. Personal data of applicants may be processed for the purpose of initiating an employment relationship. The data of unsuccessful applicants must be deleted in compliance with deadlines set out in the laws of evidence, unless the applicant has given consent for his/her data to be stored for a subsequent selection process. Consent must also be obtained to use the data for further application procedures or to pass them on to other Group companies. If it should be necessary for the application procedure to collect information on an applicant from a third party, the requirements of the respective national law must be observed. In cases of doubt, the consent of the applicant must be obtained.
2. Data processing on the basis of employment relationship Personal HR data may be collected and processed on the basis of an employment contract, for the purposes of executing the employment relationship. The processing of data must always relate to the purpose of the employment contract, if none of the subsequent reasons permitting data processing apply. In particular, requirements deriving from applicable law regarding the handling of personal HR data requiring special protection must be observed. Even within the employment relationship, such data may only be processed and used in accordance with the respective national law. If it should be necessary within the employment relationship to collect information on an employee from a third party, the requirements of the respective national law must be observed. When processing personal HR data that fall within the context of the employment relationship but that are not originally processed for the purpose of executing the employment contract, the legal legitimacy of such data processing must always be demonstrated. Such a legal basis may be a requirement deriving from law, the consent of the employee, or a legitimate interest of the company.
3. Collective agreements on data processing If a data processing activity exceeds the purposes of implementing a contract, it may be permissible if authorized through a collective agreement. Collective agreements are labor agreements or agreements between employers and employee representatives, within the scope allowed under the relevant employment law (e.g. company agreements under United Kingdom law). The agreements must cover the specific purpose of the intended data processing activity, and must be drawn up within the parameters of national data protection legislation.
4. Consent to data processing Processing of personal HR data may take place by virtue of consent obtained from the employee concerned. Similarly, the purpose of the data processing activity may be changed if consent is given by the employee concerned. Declarations of consent must be given voluntarily. Consent given under social pressure is not effective. Before consent is given, the employee must be informed as specified in section V.3. of this Policy. For documentation purposes, declarations of consent must generally be obtained either in written or electronic form. In certain circumstances, consent may be given verbally, in which case it must be documented. Instead of explicit consent, consent can also be given implicitly by voluntarily providing data, e.g. on the Intranet. In such cases, internal organization standards must be observed. Special requirements for statements of consent set out in national legislation must be met.
5. Data processing based on legal authorization The processing of personal HR data is also permitted if requested, required, or permitted under the applicable national law. The type and extent of data processing must be necessary for the legally authorized data processing activity, and must comply with the relevant statutory provisions. If legal provisions allow a certain amount of discretionary freedom, employees’ interests that require protection must be taken into account.
6. Data processing based on legitimate interest The processing of personal HR data may also be carried out if it is necessary in order to realize a legitimate interest held by either the data controller or a third party. Legitimate interests are usually of a legal nature (e.g. asserting, executing, or defending legal claims) or a commercial nature (e.g. carrying out a company evaluation). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the employee merit protection, and that this takes precedence over the interest being pursued through the processing of such data. This must be checked before any data processing is undertaken. Control measures that require processing of employee data may only be performed if a legal obligation exists or a justified cause is given. Even where a justified cause is present, a legitimate interest of the enterprise (e.g., adherence to legal provisions or internal rules) must exist which outweighs any legitimate interests of the employees concerned in not being subject to the measure. The legitimate interest of the enterprise and the possible legitimate interests of the employees must be determined and documented before each measure. The measure must be appropriate in relation to the facts to be examined and the employees to be included in the investigation. If necessary, further requirements under national law (e.g., rights of co-determination of the employee representatives and rights of information of the employees concerned) must be considered.
VII. Transmission of Personal Data For some business processes, it is necessary to pass on personal HR data to third parties. If this does not occur owing to a legal obligation, it must be checked in each instance whether it is in conflict with any interest of the employee concerned that merits protection. When transferring personal data to a party external to Measurabl, the conditions set out in section VI. must be met. If the recipient is located in a third country, the recipient must guarantee an adequate level of data protection in line with this Policy. This does not apply if the data transmission is carried out owing to a statutory obligation, or to any other permissible legal obligation. The recipient must be bound under contract only to use the data for the specified purpose. Data shall be transmitted to government institutions or authorities to the extent required according to the relevant legal provisions in each case. In the case that data is transmitted to Measurabl companies by third parties, it must be ensured that the data have been collected lawfully in accordance with the relevant legal provisions, and that the use of such data for the intended data processing activities is permitted.
VIII. Data Transmission within the Group If a legally independent entity within Measurabl passes on personal data to another Group company, from a legal point of view this constitutes transmitting data to a third party. For a data transmission of this kind, the conditions set out in section VI. must be in place. If personal HR data are transferred from a Group company with its registered office in the European Union/EEA and United Kingdom to a Group company with its registered office in a third country, both the Data Protection Officer and the company importing the data are obliged to cooperate with any inquiries made by the relevant supervisory authority in the country in which the party exporting the data has its registered office, and to comply with any observations made by the supervisory authority with regard to the processing of the transmitted data. In the event that an employee claims that this Policy has been breached by the Group company located in a third country that is importing the data, the Group company located in the European Union/EEA and United Kingdom that is exporting the data undertakes to support the employee concerned, whose data was collected in the European Union/EEA and United Kingdom, in establishing the facts of the matter and also asserting his/her rights in accordance with section XI. of this Policy against the Group company importing the data. In addition, the employee is also entitled to assert his or her rights, as set out in section XI., against the Group company exporting the data.
In the case of personal data being transmitted from a Group company located in the European Union/EEA and United Kingdom to a Group company located in a third country, the data controller transmitting the data shall be held liable for any violations of this Policy committed by the Group company located in a third country with regard to the employee whose data was collected in the European Union/EEA and United Kingdom, as if the violation had been committed by the data controller transmitting the data. The legal venue is the competent court at the location of the registered office of the company exporting the data.
IX. Data Processing on Behalf When data is processed on behalf of the data controller, a service provider is engaged to process the data, without taking on responsibility for the associated business process. In the case that personal HR data is disclosed during data processing on behalf, the controller remains responsible for the data processing activity. Any claims from the employee concerned must be made against the controller. In addition, the following measures must be taken when awarding contracts:
1. When selecting a data processor, it must be ensured that the candidate can guarantee the necessary technical and organizational requirements and security provisions. When making the selection, the criteria established by the Data Protection Officer must be taken into account.
2. The terms and conditions for carrying out data processing on behalf must be set out in a written contract, in which the parties agree on the data protection and information security requirements. In particular, it must be established that the processor may process the data only in accordance with the controller’s instructions.
3. Guidelines from the Data Protection Officer must be taken into account when drawing up the contract. If necessary, the Data Protection Officer will be involved in the process in an advisory capacity.
4. When appointing service providers outside the European Union/EEA and United Kingdom to process personal data from the European Union/EEA and United Kingdom, the service provider must guarantee an adequate level of data protection in line with this Policy if it intends to process the data in a third country. Comparable regulations set out in the data protection laws of other individual nations must also be observed. In addition, when appointing service providers outside of the European Union/EEA and United Kingdom, the requirements set out in section VII. must be met.
X. Telecommunications and Internet Telecommunications equipment and access to the Internet and Intranet are primarily considered work tools. They may be used in compliance with the relevant legal provisions (laws or collective agreements) and company rules in force at global or national level. The use of electronic communication networks and services may be logged for security reasons. Checks on individuals may be carried out where there is justified suspicion of abuse. Checks can be initiated only by departments specified in the company organization. The Data Protection Officer, and, if applicable, an employee representative, must be involved at an early stage. If, under certain circumstances, it is permitted to use the telecommunications equipment at a particular location for private purposes, the relevant national regulations regarding the secrecy of telecommunications must be observed. This also applies for authorized private use of the email system and Internet connection.
XI. Employee Rights Every employee has the following rights. The assertion of these rights is to be processed directly by the responsible department. An employee may not suffer any disadvantage as a consequence of asserting his/her rights.
1. The employee may request information on which personal data relating to him/her have been stored, how the data were collected, and for what purpose.
2. If personal HR data are transmitted to third parties, the employee concerned must also be informed of the recipient’s identity, or of the category of recipients.
3. If the relevant employment legislation provides for further rights of access to employee documents (i.e. employee files), these rights remain unaffected.
4. If personal HR data are incorrect or incomplete, the employee may request for them to be corrected or supplemented.
5. The employee may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing activity has lapsed or ceased to be applicable for other reasons. Existing archival requirements must be observed.
6. The employee generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
XII. Data Secrecy Employees may not collect, process, or use personal data without authorization. Any data processing undertaken by an employee that he/she has not been entrusted to carry out as part of his/her legitimate duties is unauthorized. The confidentiality obligation also applies for data that are legitimately processed. In particular, it is prohibited to use personal data for private or commercial purposes, to disclose them to unauthorized persons, or make them available in any other way. Under the terms of this Policy, unauthorized persons also include work colleagues, unless a specific colleague is authorized to be party to such information owing to a specific task within his/her area of responsibility. The confidentiality obligation continues to apply after the employment relationship has ended.
XIII. Data Processing Security Appropriate technical and organizational measures are implemented in order to guarantee data security. These measures safeguard personal data from unauthorized access and unlawful processing or disclosure, as well as from accidental loss, modification, or destruction. These measures relate to the security of data which merit protection, whether processed electronically or in paper form. These technical and organizational measures form part of an integrated information security management plan, and are constantly revised in accordance with technological developments and organizational changes. For compliance with legal data security requirements, the Information Security Policy is particularly relevant.
XIV. Responsibilities and Sanctions The boards of management and management staff of the Group companies, who in each case bear responsibility for data processing activities, are obliged to ensure that legal data protection requirements and requirements formulated in this Policy for data protection are met. Management staff are responsible for ensuring that organizational, HR, and technical measures are in place so that any data processing undertaken in their department is carried out in accordance with regulations and with due regard for data protection. Compliance with the Data Protection Policies and the applicable Data Protection Laws is verified through regular data protection audits. In many countries, abusive processing of personal data or other violations of data protection laws may lead to criminal proceedings and claims for damages. In principle, contraventions for which individual employees can be held responsible are subject to employment law sanctions in accordance with the applicable national legislation in the country in question (see Guideline on Disciplinary Measures).
XV. The Data Protection Officer, being internally independent of professional instructions, supervises the observance of national and international data protection regulations. He is responsible for the Policies on data protection, and supervises their compliance. He carries out data protection checks and audits. The Data Protection Officer is appointed by the Measurabl board of management. In general, Group companies that are legally obliged to appoint a data protection officer will appoint the Data Protection Officer. Exceptions have to be agreed with the Data Protection Officer. The business management or plant management must indicate to the Data Protection Officer that they have appointed a data protection coordinator. In organizational terms, and with the agreement of the Data Protection Officer, one data protection coordinator may also be appointed to carry out this role for several companies or plants. The data protection coordinators act as on-site advisors for data protection issues. They can carry out checks, and they are responsible for ensuring that employees are familiar with the content of the Data Protection Policy. The management of the company in question is obliged to support the Data Protection Officer and the data protection coordinators in their activities. The business units must inform the data protection coordinators of any new activities involving the processing of personal data.
The data protection coordinators shall promptly inform the Data Protection Officer of any data protection risks. If data processing activities are planned that could entail particular risks to the personal rights of the employees concerned, the Data Protection Officer must be involved in advance of any data processing activity. This applies in particular for personal HR data requiring special protection. The business units ensure that their employees obtain the necessary education on data protection. The Data Protection Officer provides a web-based training tool. In the event of data protection breaches or complaints, the management staff responsible must immediately inform the responsible data protection coordinator or the Data Protection Officer. In addition, any employee may approach the Data Protection Officer, or the relevant data protection coordinator, at any time to raise concerns, ask questions, request information or make complaints relating to data protection or data security issues. If requested, concerns and complaints will be handled confidentially. If the data protection coordinator in question cannot resolve a complaint or remedy a breach of the Policy for data protection, the Data Protection Officer must be brought in immediately. Decisions made by the Data Protection Officer to remedy data protection breaches must be upheld by the management of the company in question.
Motivated and dedicated employees are an important factor for value creation at Measurabl. Treating our employees with the respect they deserve includes safeguarding their personal rights. Measurabl recognizes that its corporate responsibilities include responsible handling of personal HR data. With this Policy, Measurabl is adopting a consistent, globally valid data protection and data security standard for processing employees’ personal data, based on globally accepted principles.
This policy applies to all companies and employees of Measurabl worldwide. It particularly relates to those employees who design processes and collect, process and use personal HR data. In processing personal HR data, the individual rights of the data subjects must be protected. The Policy therefore regulates under which circumstances such data processing is legitimate. This can be the case, for example, for the purpose of initiating or executing an employment relationship or by virtue of consent obtained from the data subject. Please also note the principles on the processing of personal HR data as defined by the Policy, such as fairness and lawfulness, restriction to a specific purpose, transparency and data economy.
Main issues of the policy The boards of management and management staff of the Group companies, who in each case bear responsibility for data processing activities, are obliged to ensure that legal data protection requirements and requirements formulated in this Policy for data protection are met. However, data protection is a task of every employee dealing with personal data and management alike.