Ativion

EU-UK Privacy Rights Notice                                              

Last Updated and Effective Date: September 20, 2024

 

This EU-UK Privacy Rights Notice (the “EU-UK Notice”) provides information about the collection, use, processing and sharing of data about individuals located in the European Union, United Kingdom (UK), Iceland, Liechtenstein or Norway (the “European Economic Area” or “EEA”).

With respect to individuals in the UK, references to the GDPR in this EEA Notice are to be read as referring to the UK’s similar legislation, the Data Protection Act 2018.

In this EU-UK Notice:

  •  GDPR means the European Union’s General Data Protection Regulation or GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019;
  •  Personal Data means information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, by use of any identifier or factor specific to that individual; and
  •  GDPR Processing Activities means the collection, use, processing or sharing of Personal Data when those activities are within the scope of the GDPR.

This EU-UK Notice applies only to the use of Personal Data in GDPR Processing Activities. In this EU-UK Notice, the words “Ativion,” “we,” “us” or “our” refer to the Ativion Group, a group of subsidiary companies of Impala Bidco and part of the Ativion and Netop companies as defined in our Group Structure available at www.www.ativion.com/legal/group-structure, and it applies to GDPR Processing Activities in which we are the data controller of the Personal Data.

This EU-UK Notice applies to GDPR Processing Activities by any means, including hardcopy (such as paper applications or forms) and electronic means (such as websites and mobile applications). Any capitalized but undefined terms have the same meaning found in the Privacy Policy.

A.  The Categories of Personal Data We Process and the Legal Bases

We collect several categories of Personal Data in circumstances that may involve GDPR Processing Activities, including data you provide, data collected automatically (potentially including location data), and data we obtain from third party sources.

If we process your Personal Data for any other purposes, we will describe the data collected, the purpose when we collect the Personal Data, and seek to obtain your consent.

The ways in which we collect and use your data vary depending on the relationship between you and us. The following sections of this EU-UK Notice describe in more detail how we collect and use Personal Data in various circumstances that may involve GDPR Processing Activities.

Purpose/Activity: To administer and protect our Websites and Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
Type of data: (a) Identity; (b) Contact; (c) Technical and Usage
Lawful basis for processing, including basis of legitimate interest: Necessary for our legitimate interests (for running our Websites and Services, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise). Necessary to comply with a legal obligation

Purpose/Activity: To use data analytics to improve our Websites, products, Services, relationships with users and user experiences
Type of data: (a) Technical and Usage
Lawful basis for processing, including basis of legitimate interest: Necessary for our legitimate interests (to define types of users of our Websites, products and Services, to keep our Websites, products and Services updated and relevant, to develop our Websites, products and Services)

Purpose/Activity: To make suggestions and recommendations to you about our products, services, information and events that may be of interest to you
Type of data: (a) Identity; (b) Contact; (c) Technical and Usage; (d) Profile; (e) Marketing and Communications
Lawful basis for processing, including basis of legitimate interest: Necessary for our legitimate interests (to develop our Websites, products and Services)

Purpose/Activity: To Personalize our Services for you
Type of data: (a) Technical and Usage; (b) Profile
Lawful basis for processing, including basis of legitimate interest: For the Performance of the contract between us

Purpose/Activity: To Consider your career application if you apply for a role with us
Type of data: (a) Identity; (b) Contact; (c) Profile
Lawful basis for processing, including basis of legitimate interest: Necessary for our legitimate interests (to study how users use our products and services and to develop them) You will provide your consent when entering the survey or competition

Purpose/Activity: Complete a transaction with us for Services, including to process payments and refunds and to deliver Services and any other information as requested
Type of data: (a) Identity; (b) Contact; (c) Payment Data
Lawful basis for processing, including basis of legitimate interest: For the Performance of the contract between us

Purpose/Activity: To Detect, prevent, and address technical issues
Type of data: (a) Technical and Usage
Lawful basis for processing, including basis of legitimate interest: Necessary for our legitimate interests (to keep our Website and Services operating)

B. Data Subjects from Whom We Collect Personal Data

The Data Subjects from whom we collect Personal Data include the following:

  •  Customers, Users, and Subjects, as defined in the Privacy Policy.
  •  Visitors to the website who provide comments and questions.
  •  All visitors to the website.

 

C.  Recipients of Personal Data

We share your Personal Data with third parties including service providers, social media platforms, and government authorities for the following purposes:

  •  Service Providers. For purposes such as marketing and analytics; event registration and coordination; providing Services platforms or tools that enable or enhance our offerings; receiving research insights and analytics; system maintenance and security; facilitating other transactions with you; and assisting with our legal compliance.
  • Professional advisers. We may disclose to lawyers, bankers, auditors, and others who provide consultancy, banking, legal, insurance, and accounting services.
  • Your institution. We may share information with the institution you are affiliated with, if your use of our Services or any other products is through an affiliation with an institution.
  • Legal Process. Safety and Terms Enforcement. We may disclose your Personal Data to legal or government regulatory authorities as required by applicable law. We may also disclose your Personal Data to third parties in connection with claims, disputes or litigation, when otherwise required by applicable law, or if we determine its disclosure is necessary to protect the health, safety, rights or property of you, us or others, or to enforce our legal rights or contractual commitments that you have made.
  • Sale of our business or assets. We may choose to sell, transfer, or merge parts of our business or our assets with a third party or may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this EU-UK Notice.

D.   Data Retention

We will retain your Personal Data for as long as is necessary for the purposes set out in this EU-UK Notice and for as long as is required under applicable law or is needed to resolve disputes or protect our legal rights or otherwise to comply with legal obligations. Consistent with the foregoing guidance, some data may be retained indefinitely. Where we are processing Personal Data based on your consent, we generally will retain the information for the period of time necessary to carry out the processing activities to which you consented, subject to your right, under certain circumstances, to have certain of your Personal Data erased (see “Your Rights” below).

Where we are processing Personal Data based on contract, we generally will retain the information for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from the contractual relationship.

Where we are processing Personal Data based on the public interest, we generally retain the information for the period of time that continues to serve that underlying interest. Where we are processing Personal Data based on our legitimate interests, we generally will retain the data for a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects. In some cases, where Personal Data was primarily processed and retained on the basis of consent, contract, the public interest, or other bases described in this EEA Notice, we may continue thereafter to retain the data based on a legitimate interest.

For retention of your Personal Data using cookies, please review our Cookie Policy at www.www.ativion.com/legal/CookiePolicy

E.   International Data Transfers

We are a global company with offices in the UK, US and Europe. We may share your personal data between our locations, and with service providers which help our operations. Some of our Personal Data processing takes place in the United States, though sometimes we or third parties with whom we share data, as discussed above, may process data in other countries. The data privacy laws in the United States and other countries outside the EEA and the UK may provide less protection than such laws in the EEA or the UK.

In the event we transfer your Personal Data outside the EEA or outside the UK as part of our GDPR Processing Activities, we rely where required on appropriate or suitable safeguards or specific derogations recognized under the GDPR or under UK law. We keep data in the country of origin wherever possible.

For our cloud and hosted Services, the storage location is typically the Customer’s region or the closest possible instance if the law allows us to do so. For example, data from UK-based Customers, their Users, and Subjects, is kept in the UK, and data for US-based Customers, their Users, and Subjects is kept within the US. For a full list of the countries where hosting instances are available, please contact the Ativion sales team.

The European Commission has adopted standard data protection clauses, also applicable in the UK, which provide safeguards for Personal Data transferred outside of the EEA or the UK. We may use Standard Contractual Clauses when transferring Personal Data from a country in the EEA or from the UK to a country outside the EEA or the UK. If so and your Personal Data are affected, you can request a copy of the Standard Contractual Clauses relevant to your Personal Data by contacting us as set forth in the “Contact Us” section below.

F.   Your Data Subject Access Rights

Upon your reasonable, good-faith request, we will provide you with information about whether we hold any of your Personal Data as part of our GDPR Processing Activities to the extent required by and in accordance with applicable law. In certain cases, you may also have a right, with respect to your Personal Data collected and used in the GDPR Processing Activities, to:

  •  access and receive the Personal Data collected by us;
  •  request the deletion of your Personal Data;
  •  correct or update any of your Personal Data that is inaccurate;
  •  restrict or limit the ways in which we use your Personal Data;
  •  object to the processing of your Personal Data; and
  •  obtain portability of your data, meaning a copy of your Personal Data in an easily accessible format.

To submit a request, please send an email message to dpo@ativion.com. Because we want to avoid processing your Personal Data at the direction of someone other than you, we will ask you for information verifying your identity. We will respond to your request within a reasonable timeframe.

G.  Withdrawing Your Consent

Subject to certain legal limits, you also have the right to withdraw your consent to our processing of your Personal Data as part of our GDPR Processing Activities, where our processing is solely based on your consent. In some cases, you can do this by discontinuing use of the services involved in the GDPR Processing Activities. This would include closing all of your online accounts with us and contacting us at dpo@ativion.com to request that your Personal Data be deleted.

If you withdraw your consent to the use or sharing of your Personal Data for the purposes set out in this EU-UK Notice or the other Ativion privacy notices, you may not have access to some or all of the related services, and we might not be able to provide you some or all of the services.

Please note that, in certain cases, we may continue to process your Personal Data after you have withdrawn consent and requested that we delete your Personal Data, if we have a legal basis to do so.

If you have any complaints regarding our privacy practices, you have the right to make a complaint with your national data protection authority (i.e., supervisory authority).

H.   Updates to the EEA Notice

We may update this EU-UK Notice from time to time without prior notice by posting a revised EU-UK Notice to this site. You can determine when this EU-UK Notice was last revised by checking the Last Updated date at the beginning of this EU-UK Notice. If the changes made to our Privacy Policy are substantial, we will contact you before the changes take place.

I.   Contacting Us and Exercising Your Rights

If you have any questions, comments, requests, or concerns about this EU-UK Notice or other privacy-related matters, you may contact us in the following ways:

Email: dpo@ativion.com

Mail (For UK):

Ativion Attn: Data Protection Officer, GDPR Information
Seventh Floor, East West Tollhouse Hill Nottingham, UK NG1 5FS

Mail (For EU):

Ativion Attn: Data Protection Officer, GDPR Information
Bregnerodvej 139, 3460 Birkerod, Denmark