Last Updated: March 3, 2019
What personal data does Onapsis have?
We may collect and process your name, email address, job information, phone number, address and cookie information. Personal data can be collected when voluntarily submitted or provided by you through sales enquiries, marketing events, downloads, use of the Onapsis platform, customer portal and website (“Website”) and from third parties.
The information we collect on or through the Website may include information you provide by filling in forms or making other affirmative choices on the Website, details of transactions you carry out through the Website and information we collect through automatic data collection technologies (“Cookies”). As you navigate through and interact with the Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including (i) details of your visits to the Website, such as traffic data, logs, navigation data and other communication data and the resources that you access and use on the Website; and (ii) information about your computer and internet connection, including your IP address, operating system, and browser type.
The information we collect automatically is statistical data and may include personal data, but we may maintain it or associate it with personal data we collect in other ways or receive from third parties. This information helps us to understand our user base and usage patterns, store information about your preferences, allowing us to customize our Website, improve the Website and deliver better service; and recognize you when you return to the Website.
The technologies we use for automatic data collection may include:
- Browser cookies
- Web beacons
Pages of the Website may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us to ascertain the effectiveness of our product, service campaigns and marketing programs; allow us to customize the services offered on or through our Website; and help us determine the best use for Website content, and product and service offerings.
External or Third Party Websites
To the extent hyperlinks are utilized to access external or third-party sites, you should be aware that these external or third-party sites are not controlled by Onapsis and, therefore, are not subject to this Policy. Onapsis suggests that you check the privacy policies of these sites to determine how your personal data will be utilized by the proprietors of those third-party sites.
How is my personal data used?
If you are a customer or a partner your personal data will be used for contract management, sales administration, Onapsis customer portal access and product updates. This will allow us to fulfil our contractual obligations owed to you and to support our business relationship with you. We will also use your personal data to verify your identity, communicate with you, arrange the delivery or other provision of products and services, provide customer services and respond to your product support requests.
If you provide us with your personal data using one of our Website forms we will hold this information to track if you visit the Onapsis Website again, and to follow up with you if you request Onapsis to do so. We may also collect information about the use of the Onapsis Website such as the types of information accessed and how many users we receive daily. Onapsis may use this data to help us monitor, improve and protect our products, content, services and for statistical analysis, marketing, or similar promotional purposes.
We may also use your personal data for marketing purposes if we have your consent or a legitimate interest in doing so. We may, from time to time, contact you to keep you informed about our products and services, special offers, events or our selected partners’ products and services. You can unsubscribe from marketing emails at any time.
On other occasions, we may also use your personal data for any other purpose with your consent and we will use the data for the purpose which we will explain at that time.
Is my personal data shared with third parties?
We may share your personal data with other Onapsis companies. Where another Onapsis company processes your information the same principles of this Policy will apply. We may also share your personal data with our suppliers to process your personal data on our behalf. If you would like further information on our suppliers and their privacy policies, please contact us at [email protected].
If Onapsis needs to transfer your personal data to a third party outside of the European Economic Area we will ensure that your personal data is appropriately protected through standard contractual clauses approved by the EU Commission or other means approved by our supervisory authority.
We may disclose your personal data that we collect or you provide as described in this Policy:
- to fulfill the purpose for which you provide it;
- to support our business (such as helping to provide our Services, for promotional and/or marketing purposes, and to provide you with information relevant to you such as product announcements, software updates, special offers, or other information) and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them;
- for any other purpose disclosed by us when you provide the information;
- for any other purpose with your consent.
We may also disclose your personal data as is necessary to: (a) comply with a subpoena or court order; (b) cooperate with law enforcement or other government agency; (c) establish or exercise our legal rights; (d) protect the property or safety of our company and employees, contractors, vendors, and suppliers; (e) defend against legal claims; (f) help with internal and external investigations; or (g) as otherwise required by law or permitted by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.
In the event that our business is sold or integrated with another business, your data will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business (subject to the applicable laws).
What rights do I have on the data you have about me?
You have the right to request a copy of the personal data Onapsis holds about you and to have any inaccuracies corrected. You also have the right to have your personal data removed from our marketing database if you no longer wish to receive marketing communications. Please send your requests to [email protected].
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in the GDPR. We will inform you of relevant exemptions we rely upon when responding to any request you make.
How long will you keep my personal data?
For customers, partners and vendors, we will keep your personal data for up to six years after your contract with us ends or for as long as required pursuant to applicable legal and/or regulatory requirements.
For portal users, we will keep your personal data for as long as you are an active user of our Website and for up to five years after this. For marketing contacts, we will keep your personal data until you request us to stop and for a short period after this (to allow us to implement your request). We will also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future.
How do I complain about use of my personal data?
If you would like to make a complaint about our use of your personal data please send details of your complaint, including the personal data it relates to, to [email protected]. We will investigate your complaint and respond as soon as we can, and no more than one month later. If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred.
General Data Protection Regulation (“GDPR”)
Data and its protection are becoming increasingly important to individuals and enterprises. On May 25, 2018, the European Union enacted one of the most significant pieces of legislation intended to protect personal data, the General Data Protection Regulation (“GDPR”). The GDPR is designed to establish one set of data protection rules across the European Economic Area (“EEA”). The GDPR applies to organizations that process EEA personal data, even if that organization is established outside of the EEA.
The terms “Data Controller”, “Data Processor”, “Personal Data”, “Processing” and “Subprocessor” shall have the same meaning as defined in the Standard Contractual Clauses and Article 4 GDPR.
Pursuant to Article 28 of the GDPR, Onapsis has certain obligations as Data Processor relating to its processing of personal data and expressly commits to:
- Only act on written instructions of the Data Controller (i.e. customer set out in a Data Processing Agreement).
- Implement technical and organisational measures to ensure the adequate protection of Customer’s Personal Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32.
- Notify Data Controller, without undue delay, if Onapsis becomes aware of breaches of the protection of personal data and to the data protection authorities within 72 hours.
- Engage Subprocessors (i.e. contractors) only with prior written authorization of the Data Controller.
- Provide adequate safeguards to transfer Personal Data to a country outside the European Economic Area (EEA) (“Third country”).
- Ensure that persons authorized to process Personal Data have committed themselves to Data Secrecy/Confidentiality Agreements.
- Inform the Data Controller if Onapsis receives a request from a data protection authority or individuals to exercise data subject's rights.
- Upon Data Controller’s instruction correct, delete or return all the Personal Data after the end of the provision of services.
- Make available to the Data Controller all information necessary to demonstrate compliance and cooperate in audits.
International Data Transfers
Pursuant to GDPR, when a Data Controller or Data Processor wishes to transfer personal data to a Third Country, the third country must ensure that it has an adequate level of protection for the personal data as determined by the European Commission (“Commission”) or provide appropriate safeguards on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
Onapsis uses the Standard Contractual Clauses as a mechanism to legitimize international data transfers to countries that are not deemed to provide an adequate level of protection and has deployed a mechanism that provides appropriate safeguards for the data. Therefore, third country transfer will be based on Standard Contractual Clauses and incorporated in the form of a Data Processing Agreement (“DPA”) between Onapsis and its customers. Onapsis will not transfer personal data that it processes on Customer’s behalf to any third country, unless and according to the Commission, a mechanism that provides appropriate safeguards for data is properly deployed.
In addition, and for the purposes of providing an additional level of trust for its European customer base, Onapsis has self-certified for the EU-US Privacy Shield Framework, which has been deemed by the Commission as adequate to enable data transfers under EU law.
Privacy Shield Policy
Notice of Certification: Onapsis complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union to the United States. Onapsis has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse and Enforcement. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. You can view our certification at www.privacyshield.gov/list
Scope: This Privacy Shield section of this Policy applies to all personal data received or processed by Onapsis in the United States from the EU, in any format, including electronic, paper or verbal.
Onapsis is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
Compelled Disclosure: Onapsis may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Complaints: In compliance with the Privacy Shield Principles, Onapsis commits to resolve complaints expeditiously (no more than 45 days) about our collection or use of your personal data. EU individuals with enquiries or complaints regarding our Privacy Shield policy should first contact Onapsis at: [email protected]
Dispute Resolution: If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, Onapsis has committed to refer unresolved Privacy Shield complaints to JAMS (Judicial Arbitration and Mediation Services, Inc), an alternative dispute resolution provider located in the United States. In either of those cases, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS (Judicial Arbitration and Mediation Services, Inc) are provided at no cost to you.
Arbitration: For residual complaints not fully or partially resolved by other means, you may be able to invoke binding arbitration before the Privacy Shield Panel as detailed in the Principles. If neither Onapsis nor our dispute resolution provider resolves your complaint, as a last resort and in limited situations, EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism. For further information, please see the Privacy Shield website. To learn more about the Privacy Shield Framework, visit https://www.privacyshield.gov.
Liability: In the context of an onward transfer, Onapsis as a Privacy Shield certified organization has responsibility for the processing of personal data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Onapsis, as a Privacy Shield certified organization, shall remain liable under the Principles if its agent processes such personal data in a manner inconsistent with the Principles, unless Onapsis proves that it is not responsible for the event giving rise to the damage.
Children Under the Age of 16
Onapsis will not collect personal data from any person who is actually known to us to be under the age of 16. If we become aware that a person under 16 has provided personal data, Onapsis will take steps to remove such data and terminate that individual's account, access and use of the Website. If you believe we might have any information about a child under 16, please contact us at [email protected].
State of California Residents
Under California Civil Code Section 1798.83 (the "Shine the Light" law), California residents who provide personal information in obtaining products or services from Onapsis are entitled to request and obtain from us once a calendar year information about the customer information we shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we shared customer information for the immediately prior calendar year (e.g., requests made in 2016 will receive information regarding 2015 sharing activities). If you are a California resident and would like a copy of this information, please submit a written request to:
Attn: California/Shine the Light
60 State St., 10th Floor,
Boston, MA 02109
We hope that we can satisfy any queries you may have about the way we process your data. If you have any concerns about how we process your data, or would like to opt out of direct marketing, you can get in touch at [email protected] or by writing to:
60 State St., 10th Floor,
Boston, MA 02109