PART A: PRIVACY OF YOUR OWN PERSONAL DATA (COVERAGEBOOK.COM AS DATA CONTROLLER)
If you need any help or assistance in relation to the use of our Site, please contact firstname.lastname@example.org and we will do our best to get back to you promptly.
INFORMATION WE MAY COLLECT FROM YOU
We may collect and process the following Information about you:
- Information that you provide or input when you subscribe and use the Services, when you fill out forms on our Site and otherwise by corresponding with us or interacting with us via or in connection with our Site or Services.
- Contact details that you provide to us.
- Any documents, content, communications and electronic files that you upload or import to or transmit through our Site.
- Information that you permit us to access and import from third party websites or storage locations.
- If you contact us or we contact you, by email, telephone, web forms or otherwise, we may keep a record of that correspondence.
- We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details of your visits to our Site including, but not limited to, traffic data, location data, weblogs, and other communication data, and the resources that you access.
- When you access our Site from a computer, mobile phone, or other device, we may collect information from that device about your browser type, location, and IP address etc.
- Searches that you perform via the Site and Services (therefore, be aware of this if you include any personally identifiable information in your searches).
IP ADDRESSES, COOKIES AND ANALYTICS
Our servers may collect your Information including data about your computer or device, including where available your IP address, operating system and browser type, to assist us in the provision of the Site and Services, for system administration and to report aggregate anonymised information to our associates and Third Party API Providers.
For the same reason, we may obtain your Information about Site usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our Site and to deliver a better and more personalised service. They enable us:
- To make our Site and Services more useful to you.
- To estimate our audience size and usage patterns.
- To store your Information about preferences, and so allow us to customise and develop our Site and Services.
- To speed up your searches and usage of the Site and Services.
- To recognise you when you return to our Site.
- We may also collect or allow third parties to collect information about how you use and interact with our Site and Services. For example, we may use Google Analytics or similar services.
HOW WE USE YOUR INFORMATION
We use your Information in the following ways:
- As reasonably required in order to provide our Site and Services to you and to carry out our obligations arising from our Site and Services.
- To help identify you as a user on our systems.
- For customer services purposes.
- To help us develop the Site and Services and to make them more useful to you.
- To allow you to participate in interactive features of our Site and Services.
- To provide you with news and information about our Services, third party sites and other information that we think may be relevant to you.
- To assist Third Party API Providers to monitor end user usage of their third party services provided via the Services.
- To ensure that content from our Site and Services is presented in the most effective manner for you and for your computer.
- Where directed to by you through our Site, to export your Information in order to update or delete your Information and/or add to or amend your Information held on a third party website or to carry out any other similar function.
- To notify you about changes to our Services.
- As required in order to facilitate your use of any new Services, applications or uses for any of your Information via our Site.
LEGAL BASIS OF PROCESSING
We shall only be entitled to process your Information as above to the extent that at least one of the following applies:
- You have given consent to the processing of your Information for one or more specific purposes;
- Processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which we are subject;
- Processing is necessary in order to protect your vital interests or those of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests of your fundamental rights and freedoms which require protection of personal data. Our legitimate interests may include:
- The proper administration of our Site and Services;
- The performance of our contractual obligations;
- Monitoring and improving our Site and Services;
- Taking steps at your request;
- Communicating with users of our Site and Services;
- The protection and assertion of legal rights;
- The protection of our business against risks.
DISCLOSURE OF YOUR INFORMATION
When we subcontract the running of our Site or any part of it to a third party (including but not limited to Third Party API Providers) or where the Site interacts with a third party service provider, provided that all subcontractors are bound by reasonable privacy policies.
In the event that we sell or buy any business or assets, in which case we may disclose your Information in confidence to the prospective seller or buyer of such business or assets.
If we or substantially all of our assets are transferred to or acquired by a third party, in which case all of your Information will be one of the transferred assets on the equivalent terms and conditions as herein.
If we are under a duty to disclose or share your Information in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions and other agreements; or to protect the rights, property, or safety of us, our customers, or others. This includes exchanging Information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
RETENTION OF YOUR INFORMATION
We will endeavour not to keep your Information for longer than necessary in order to facilitate your use of our Site and Services. If you wish to delete your content or your account, we will delete the content we hold in relation to you on request, except that some prior content may remain in backup or cached copies for a reasonable time (but we will not make it available again to third parties). In addition, content that you have submitted to our Third Party API Providers may still be in use and so there may be some ongoing use of your Information. We may also retain certain information to prevent identity theft, legal disputes and misconduct, even if deletion has been requested.
THIRD PARTY PROVIDERS
All of your Information that you provide to us is stored on our servers, which may be hosted by third parties. Any payment transactions (if any) will be encrypted and may be processed by third party payment providers. In addition, as a condition of providing certain third party services to you, we may need to provide your Information to our Third Party API Providers to enable them to monitor the usage by you of their services, which use may be subject to the privacy policies of our Third Party API Providers.
THIRD PARTY WEBSITES
WHERE WE STORE AND PROCESS YOUR INFORMATION
Your Information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by third parties and staff operating outside the EEA who work for us or for one of our suppliers as necessary for operating the Site and Services. If any processing of your Information is to take place outside of the EEA in a third country or international organisation which does not ensure an adequate level of data protection, we may only transfer your Information if appropriate safeguards have been implemented and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. The safeguards may be by way of EU Model Contract Clauses, binding corporate rules, approved code of conduct or approved certification mechanism. If you require any further information in this regard, please contact email@example.com.
We may create anonymous records from your Information by excluding all data from which you may be identified or contacted. We may use such anonymised data for our reasonable business purposes (including but not limited to researching and developing our Site and Services and our business).
You have a number of rights as a data subject as summarised below:
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to access your Information and details of how we process it, as long as this does not adversely affect the rights and freedoms of others. You may request a copy of Information undergoing processing, subject to evidence of your identity (normally a certified copy of your passport plus an original copy of a utility bill showing your current address). The first copy shall be provided without charge, but reasonable administration fees shall be charged for additional or subsequent copies.
We will rectify any errors in the Information we hold on request.
You may erase your Information from our systems in the following situations:
- The Information is no longer necessary in relation to the purpose for which it was collected;
- You withdraw your consent on which the processing is based and where there is no other legal ground for the processing;
- You object to the processing and there are no overriding legitimate grounds for the processing;
- The Information has been unlawfully processed;
- The Information has to be erased for compliance with a legal obligation to which we are subject.
RIGHT TO RESTRICTION OF PROCESSING
You have the right to restrict our processing on specified grounds.
Where you have asked us to rectify, erase or restrict processing of your information, we shall communicate the same to each recipient to whom your Information has been disclosed, unless this proves impossible or involves disproportionate effort, in which case we shall let you know.
You have the right in specific circumstances where processing is based on consent to receive your Information in a structured, commonly used and machine-readable format and have the right to transmit the Information to another controller without hindrance, provided that our processing is carried out by automated means.
RIGHT TO OBJECT
In certain circumstances you have the right to object to our processing of your Information, including in relation to profiling, direct marketing or scientific or historical research purposes.
AUTOMATED INDIVIDUAL DECISION MAKING
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you unless this is necessary for our contract, is authorised under applicable law or is based on your explicit consent.
You can exercise these rights by contacting us at firstname.lastname@example.org and/or by following our online account procedures. We shall respond to your requests without undue delay and in any event within one month unless we need to extend such period by up to two further months in specific circumstances. Please note that if you delete or restrict your account or required Information, this may prevent you from making full use of our Services.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone, including people who work for us.
The transmission of your Information via the internet is not completely secure. Although we will do our best to protect your Information, we cannot guarantee the security of your Information transmitted to or from our Site; any transmission is at your own risk. Once we have received your Information, we will use strict procedures and security features to try to prevent unauthorised access.
PART B: PRIVACY OF THIRD PARTY PERSONAL DATA PROCESSED ON YOUR BEHALF (COVERAGEBOOK.COM AS YOUR DATA PROCESSOR)
Processing of Subscriber Personal Data
Where processing of personal data relating to others controlled by you (“Subscriber Personal Data”) is to be carried out on your behalf pursuant to the terms and functionality applicable to your Coveragebook.com subscription, appropriate technical and organisational measures shall be implemented by us in such a manner that processing will meet the requirements of the EU General Data Protection Regulation 2016/679 (“GDPR”), as may be amended or superseded and other applicable data protection laws and regulations in the UK and EU (together, “Data Protection Laws”) and ensure the protection of the rights of the data subject.
Restriction on subprocessing
We shall not engage a subprocessor to process Subscriber Personal Data (“Subprocessor”) without your prior specific or general written authorisation, which may be given in electronic form. In the case of general written authorisation, we shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. Details of this process are set out below.
Compulsory processor terms pursuant to Article 28(3) GDPR
Details of the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out below.
In respect of any processing of Subscriber Personal Data we shall:
- process Subscriber Personal Data only on your documented instructions (including electronic instructions), including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law to which we are subject; in such a case, we shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensure that persons authorised to process Subscriber Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required pursuant to Article 32 GDPR (Security of processing), to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
- respect the conditions referred to in paragraphs 2 and 4 for engaging another processor;
- taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This shall include promptly notifying you if we receive a request to exercise any data subject rights under Data Protection Laws within 14 days of receiving such request and thereafter assisting you as reasonably necessary to comply with such request promptly. We shall not respond to such requests directly to any data subject except on your documented instructions or as required by applicable laws to which we are subject;
- assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (Security of processing; Notification of a personal data breach to the supervisory authority; Communication of a personal data breach to the data subject; Data protection impact assessment; and Prior consultation) taking into account the nature of processing and the information available to us. This shall include notifying you without delay and, where feasible, within one Business Day, after having become aware of any Personal Data Breach, being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Subscriber Personal Data transmitted, stored or otherwise processed hereunder;
- at your choice, delete or return all Subscriber Personal Data after the end of the provision of services relating to processing, and delete existing copies unless Data Protection Laws require storage of the personal data;
- make available to you all information necessary to demonstrate compliance with the obligations laid down in these terms and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
- inform you if, in our opinion, an instruction infringes Data Protection Laws.
Compulsory subprocessor contract terms (Article 28(4))
Where we engage a Subprocessor, such engagement shall contain the same, or equivalent, data protection obligations as are referred to above by way of a binding contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of GDPR.
Where any Subprocessor engaged by us fails to fulfil its data protection obligations in respect of Subscriber Personal Data, we shall remain fully liable to you for the performance of that subprocessor’s obligations.
Documented instructions to process Subscriber Personal Data
Processing by us
You hereby instruct us to process Subscriber Personal Data as reasonably necessary for the provision of the Site and Services and in compliance with our Terms and Conditions.
We may continue to use those Subprocessors already engaged by us as at the date of these terms, provided that prior to May 2018 we meet the obligations set out in this Addendum regarding such Subprocessors.
With respect to each new Subprocessor appointed after the date of this Addendum, we shall:
- before the Subprocessor first processes Subscriber Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Subscriber Personal Data required by Data Protection Laws;
- if that arrangement involves a transfer of Subscriber Personal Data to a third country, a territory or one or more specified sectors within a third country or international organisation outside the EEA that does not benefit from a formal adequacy decision by the European Commission (pursuant to Article 45 GDPR), ensure that such transfer is subject to appropriate safeguards within the meaning of Article 46 GDPR, which may include the use of EU Model Contractual Clauses, Binding Corporate Rules or recognised legal frameworks or accreditations, such as the EU-US Privacy Shield;
- provide to you for review on request details of all Subcontractors, including our contracts with them (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as you may request from time to time.
We shall publish on the Site the appointment of any new Subprocessors to be appointed, including full details of the processing to be undertaken by the Subprocessor. If, within 14 days of publication, you notify us in writing of any objections (on reasonable grounds) to the proposed appointment, we shall not disclose any Subscriber Personal Data to that proposed Subprocessor and/or (as applicable) you shall not access any element of our Site or Services affected by this issue until reasonable steps have been taken to address the objections raised by you. If no such objections are raised, you shall be deemed to have consented to the appointment of the Subprocessor.
Charges and Costs Mitigation
DETAILS OF PROCESSING OF SUBSCRIBER PERSONAL DATA
The processing of Subscriber Personal Data as required by Article 28(3) GDPR is as follows:
Subject matter and duration of the processing of Subscriber Personal Data
The nature and purpose of the processing of Subscriber Personal Data
All reasonable purposes in relation to our performance of our contractual obligations to you.
The types of Subscriber Personal Data to be processed
All personal data processed in the normal use, management and development of our Site and Services including:
- Email addresses
- Contact details
- Profile information provided by users
- Usage data
- Preferences/personalisation details
- Evidence of opt-ins/contact permissions and other privacy consents/unsubscribe requests
The categories of Data Subject to whom the Subscriber Personal Data relates
All users of our Site and Services, mobile applications and other features, services and technology provided by us which may include:
- Site users
- PR and advertising agencies
- Brand owners/your clients
Your obligations and rights
GENERAL PRIVACY TERMS (APPLICABLE TO BOTH PART A AND PART B)