SCOPE OF POLICYThis GDPR Policy protects the Personally Identifiable Information of residents of countries that have adopted the GDPR (“Data Subjects”). When Processing the Personally Identifiable Information of such persons, CERTIFY will abide by the requirements of the GDPR, whether we are considered an entity that determines the purposes and means of the Processing of Data Subjects’ Personally Identifiable Information (“Data Controller”) and/or an entity that process the information (“Data Processor”). When Processing the Personally Identifiable Information of the customers of an entity, the entity agrees that it will have the responsibilities of the Data Controller and that CERTIFY will have the responsibilities of the Data Processor under the GDPR. Thus, the entity agrees that it will be responsible for its customers’ information, and that CERTIFY will not have any responsibilities for the information, except in connection with the processing of the information. When processing the Personally Identifiable Information of the customers of an entity, the entity may require that CERTIFY use certain third-party Data Processors to provide the Services. In such situations, the entity agrees that it authorizes CERTIFY to share its customers’ data with such third-Party Data Processors. The entity also agrees that it will be responsible for providing any and all instructions to such third-party Data Processors regarding its customers’ information. The entity agrees that the third-party Data Processors will not be considered subcontractors of CERTIFY.
PURPOSE OF PROCESSINGThe purpose of Processing Data Subjects’ Personally Identifiable Information is to provide the Services set forth on our Website.
LEGAL BASIS FOR PROCESSINGThe legal bases for the Processing of Data Subjects’ Personally Identifiable Information may include one or more of the following:
- The Data Subject’s consent, which may be provided when the Data Subject creates an Account to use the Services.
- Entry into a separate agreement with CERTIFY requiring the collection and use of such information.
- CERTIFY’s legal obligations (other than its contractual obligations to the Data Subject), such as when CERTIFY is required to respond to governmental demands for such information.
- CERTIFY’s legitimate interest in collecting and using such information, such as when we use the Data Subject’s information to improve the Services.
RIGHTS OF DATA SUBJECTSData Subjects have the following rights under the GDPR.
- The right to be informed about CERTIFY’s policies regarding their Personally Identifiable Information, including with respect to the purposes of Processing the information, the legal basis for the Processing, the recipients of the information, where the Processing of the information takes place, and contacting CERTIFY.
- The right to access their information.
- The right to the correction of their information.
- The right to the deletion of their information (i.e., the “right to be forgotten”), including if the information is no longer required for the purpose for which it was collected, if they withdraw their consent for the Processing of their information, if they request the deletion of their information, and if the Processing of the information has been unlawful.
- The right to restrict the Processing of their information, including if they contest the accuracy of the information or if the Processing of the information is unlawful.
- The right to receive a copy of the information that they provided to CERTIFY in a structured, commonly used, and machine-readable format and to transmit the information to another entity.
- The right to object to the Processing of their information, including if the legal bases for the Processing no longer apply, or if the information is used for direct marketing purposes or profiling related to direct marketing purposes.
- The right not to be subject to decisions based solely on automated decision-making processes.