1. Who is the data controller?
The Company, whose principal place of business is at Ground Floor, 16 Bastwick Street, London, EC1V 3PS, is the data controller with regard to the processing of the Data.
2. What kind of Data does the Company process?
During the performance of the Agreement, the Company collects and processes the Data provided by the Entity regarding the Data Subjects, such as the Data Subjects' name, surname, email address, telephone number and similar Data.
3. For what purposes is the Data processed?
The Company processes the Data through manual and electronic means:
For the performance of the negotiations and the Agreement between the Company and the Entity;
To protect and defend the rights of the Company; in particular, there may be instances in which the Company discloses the Data where the disclosure is necessary (i) to protect, enforce or defend the legal rights, privacy, safety or property of the Company, its employees, agents and contractors, (ii) to protect the Company against fraud or (iii) for risk management purposes;
To comply with applicable laws and legal procedures and to respond to requests from the relevant government authorities;
To complete a corporate transaction, such as a proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of the Company’s business, assets or stock (including in connection with any bankruptcy or similar proceedings). If the Company is involved in a merger or transfer of all or a material part of its business, the Company may transfer the information on the Entity and the relevant Data Subject to the party or parties involved in the transaction as part of the transaction.
4. On which legal basis is the Data processed?
The processing of the Data for the purposes of:
Sections 4(a) and 4(b) is necessary for the performance of the Agreement and therefore the refusal to provide the Data would prevent the Company from entering into the Agreement or, if already entered into, from continuing its performance;
Section 4(c) is necessary in order to comply with applicable laws and therefore the refusal to provide the Data would again prevent the Company from entering into the Agreement or, if already entered into, from continuing its performance.
5. Who has access to the Data?
Data will be accessed only by those employees duly authorized and instructed by the Company to access the Data, and only to the extent necessary for their business need.
The Company might communicate the Data to (a) third party service providers, entrusted with processing activities and, when required by applicable laws, appointed as processor (e.g., cloud service providers, other entities of the group, providers of services instrumental to the Company’s activities, such as, by way of example and without limitation, companies that provide IT services, experts, consultants and lawyers - companies resulting from possible mergers, demergers or other transformations) and (b) competent authorities, when allowed under applicable laws.
6. Do the Data Subjects have rights with regard to their Data?
The Data Subject with regard to his/her Data has the right, at any given time, to:
Obtain confirmation as to whether or not the Data exists and to be informed of its content and source, verify its accuracy or request its rectification, update or amendment;
Request the deletion, anonymization or restriction of any Data processed in breach of the applicable law;
Object to its processing, in all cases, for legitimate reasons; and
Withdraw at any time the consent to the processing of the Data, without affecting the lawfulness of the processing of the Data performed before the consent is revoked.
In addition to the above, from May 25, 2018, you will have the additional rights of Section 8 below. The rights referred to above can be exercised by contacting the Company at the address indicated in Section 7 below.
7. How can you contact the data controller?
If you are receiving emails from Tin Man and would prefer not to, please email email@example.com.
8. What will change from May 25, 2018?
From May 25, 2018, the EU General Data Protection Regulation 2016/679 (the "GDPR") will become effective and, consequently, the following additional provisions will apply:
A. Data Retention
Data collected for the purposes indicated in Section 4, letters a) to d) will be retained for the duration of the Agreement plus the applicable statutory limitation period(s) subsequent to the termination of the Agreement, while
B. Additional rights
In addition to the rights as indicated in Section 8 above, when the GDPR becomes effective the Data Subject will have the right, at any time, to:
a) Request the Company to limit the processing of the Data Subjects' Data where:
The Data Subject challenges the accuracy of the Data, until such time as the Company has taken sufficient steps to correct or verify its accuracy;
The processing is unlawful, but the Data Subject does not want the Company to erase the Data;
The Company no longer needs the Data for the purposes of the processing, but the Data Subject requires the Data for the establishment, exercise or defence of a legal claim; or
The Data Subject has objected to the processing, justified on legitimate interest grounds, pending verification as to whether the Company has compelling legitimate grounds to continue processing.
b) Object to the processing of the Data, when it is based on legitimate interest, including marketing purposes;
c) Request the erasure of the Data, without undue delay;
d) Receive an electronic copy of the Data (“data portability”), when the Data is processed by automatic means and the processing is either (i) based upon the Data Subjects’ consent; or (ii) necessary for the performance of the Agreement; and
e) Lodge a complaint with the relevant supervisory authority. The UK supervisory authority for data protection issues is the Information Commissioner's Office (www.ico.org.uk).