Governance and Executive Systems (referred to as ‘we’, ‘us’, ‘our’, or ‘BoardMaps’) is committed to protecting your privacy and handling your personal information and the data you upload to the portal in a transparent and secure manner. The personal data that we collect and process depends on how you use our site or the service you request from us and agree to in each case.
This privacy notice:
- provides an overview of how BoardMaps collects and processes your personal data and tells you about your rights under the EU General Data Protection Regulation (“GDPR”),
- is directed to natural persons who are either current or potential customers of BoardMaps, or are authorized representatives/agents of legal entities which are current or potential customers of BoardMaps,
- explains under what circumstances we may share your personal data with other members of BoardMaps and third parties (for example, our service providers or suppliers).
In this privacy notice, your personal data may be also referred to as “personal information”. Actions like collecting, handling, storing, sharing and erasing, etc. in respect to your personal data may generally be called “data processing”.
For the purposes of this notice, personal data shall mean any information by which you are or can be identified, such as: your name, email, IP-address, etc.
Please note that if your company has a separate agreement with us, it will govern the processing of all information and data collected by us in connection with service provision, including some data collected through our site. Such agreement takes precedence over any conflicting provision in this privacy notice.
1. How we collect and process your personal data.
We may also collect and process personal data which we lawfully obtain not only directly from you but also from our partners or third parties, e.g. companies that introduce or recommend you to us. For example, your contact information can be shared between several sales teams within BoardMaps due to your company’s business location.
We may also collect and process personal data from publicly available sources (e.g. social networks like LinkedIn, the press, media and the Internet) obtained in a lawful and transparent manner.
We tend to request the least data possible to ensure proper functioning of our platform and a set of features we offer.
If you are a customer of BoardMaps, or an authorized representative/agent of a legal entity which is a customer, the relevant personal data we collect may include:
Full name, contact details (phone and email), title or work position, authentication data, other data arising from the performance of our contractual obligations including the mentioned personal data of all users invited into a database.
2. Children’s data.
We do not provide any services to children. We may process personal data in relation to children only provided that our customer submits this information to a database. For the purposes of this privacy notice, “children” are individuals who are under the age of eighteen (18).
3. Whether you have an obligation to provide us with your personal data.
To proceed with a business relationship with our service, you have to provide your personal data necessary to let us commence the execution of a business relationship and the performance of our contractual obligations.
Kindly note that if you refuse to provide the required data we will not be allowed to commence or continue our business relationship with you as our customer, or as the authorized representative/agent of a legal entity which is our customer.
4. Legal basis for us processing your personal data.
As mentioned above, we are committed to protecting your privacy and handling your data in an open and transparent manner, and as such we process your personal data in accordance with the GDPR for one or more of the following reasons:
A. For the performance of a contract.
We process personal data in order to offer services based on contracts with our customers and to be able to complete the procedure so as to enter into a contract with prospective customers. The contract terms and conditions provide more details of the relevant purposes.
B. For compliance with a legal obligation.
As a service provider, we are subject to a number of laws, legal obligations and statutory requirements. Such obligations and requirements impose personal data processing activities on us for compliance with court orders, tax laws, other reporting obligations, etc.
C. For the purposes of safeguarding legitimate interests.
We process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is right and best for you. Examples of such processing activities include:
- Initiating legal claims and preparing our defense in litigation procedures,
- Measures to manage business and for further developing our products and services.
D. You have provided your consent.
Provided that you have given us your specific consent for processing (other than for the reasons set out hereinabove) then the lawfulness of such processing is based on that consent. You have the right to revoke your consent for further processing at any time. The revocation will not affect any data processed prior to receiving the request.
5. Who receives your personal data.
While performing our contractual obligations we may share your personal data with several departments within BoardMaps. Some service providers and suppliers (such as Google Analytics, Twilio, Clickatell, Google Mail, ProsperWorks, PandaDoc, RingCentral, Drift, Calendly) may also receive your personal data so that we are able to perform our contractual obligations. Such service providers and suppliers enter into contracts with BoardMaps by which they observe confidentiality and data protection requirements according to the data protection law and the GDPR.
It must be noted that we may disclose information about you for any of the reasons set out hereinabove, or if we are legally required to do so, or if we are authorized under our contractual and statutory obligations, or if you have given your consent to do so. All data processors appointed by us to process customer data on our behalf are bound by contract to comply with the GDPR provisions.
Under the circumstances referred to above, recipients of personal data may be, for example: supervisory and other regulatory and public authorities; external consultants, financial and business advisors; auditors and accountants; marketing operators; card payment processing companies; file storage companies, archiving and/or records management companies, cloud storage companies; companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support; website and advertising agencies.
6. Transfer of your personal data to a third country or to an international organization.
Your personal data may be transferred to third countries, i.e. countries outside of the European Economic Area, because we engage service providers from those countries. Our service providers (processors) in third countries are obligated to comply with the European data protection standards and to provide appropriate safeguards in relation to the transfer of your data in accordance with GDPR Article 46.
7. The extent of automated decision-making and profiling.
In establishing and carrying out a business relationship, we generally do not use any automated decision-making. We may process some of your data automatically, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with you, in the following cases: voice verification, sending verification codes by text, etc.
8. How we treat your personal data for marketing activities and whether profiling is used for such activities.
We may use your personal data to tell you about our products, services and offers that may be of interest to you or your business.
The personal data that we process for this purpose consists of information you provide to us and data we collect and/or infer when you use our services or visit our site. We evaluate this information to focus our product developments and marketing activities on what we think can better meet your needs or what can be of interest for you. In some cases, profiling is done, i.e. we process your data automatically and analyze certain aspects of your personal data to provide you with targeted marketing information on our services.
We can only use your personal data to promote our services to you if we have your explicit consent to do so or, in certain cases, if we consider that it is in our legitimate interest to do so.
You have the right to object to processing of your personal data for marketing purposes, which includes profiling, at any time by contacting us via firstname.lastname@example.org.
9. How long we keep your personal information.
We will keep your personal data for as long as we have a business relationship with you (in respect of our dealings with a legal entity you are authorized to represent).
After you choose to cease using BoardMaps, our customer support team closes your account, which can be reopened within a three-year extension period after the closure date. After three years, all the data, including the backup copy, will be physically deleted from our servers. Upon request, the data can be deleted sooner, within the three-year extension.
We may keep your data for longer than three years if we cannot delete it for legal, regulatory or technical reasons.
All the data uploaded into our platform and the encrypted cloud database physically resides in ISO and SOC compliant Tier-3 data centers (servers). BoardMaps and, in part, the data centers, as data hosting providers, act as data processors. All processing activities are performed automatically by BoardMaps’ computer scripts and only on servers (data centers) protected by firewalls. Data centers’ personnel do not have access to our customers’ data since it is encrypted both at rest and in transfer. BoardMaps’ customers act as data controllers, which means that they can delete the data uploaded into the database on their own or file a specific request with the BoardMaps support team to erase and physically delete all the contents of their database.
11. Your data protection rights.
You have the following rights in terms of your personal data we hold about you:
- Receive access to your personal data. This enables you to e.g. receive a copy of the personal data we hold about you and to check that we are lawfully processing it. In order to receive such a copy you can send us a request to email: email@example.com.
- Request correction [rectification] of the personal data we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to erase your personal data (the ‘right to be forgotten’) where there is no good reason for us continuing to process it.
- Object to processing of your personal data where we are relying on a legitimate interest but you have certain grounds to object to processing in your particular situation. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
You also have the right to object to how we process your personal data for direct marketing purposes. This also includes profiling inasmuch as it is related to direct marketing.
- Restrict processing of your personal data. This enables you to request us to limit processing of your personal data, i.e. use it only for allowed purposes, if:
  - it has been used improperly but you do not wish us to delete it,
  - it is not relevant any more, but you prefer us to keep it for use in possible legal claims,
  - you have already asked us to stop using your personal data but you are waiting for our confirmation of some legitimate grounds to use your data.
- Request to receive a copy of your personal data we have collected in a structured and commonly used format to be able to transmit such data to other organizations. You also have the right to have your personal data transmitted directly by us to other organizations you will name (the right to data portability).
- Withdraw the consent that you gave us with regard to the processing of your personal data at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you.
To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact us via email: firstname.lastname@example.org.
- Right to lodge a complaint
If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to file a complaint by sending an email to email@example.com. You also have the right to complain to the Office of the Commissioner for Personal Data Protection.
12. Changes to this privacy statement
We may modify or amend this privacy statement from time to time.
We will notify you appropriately when we make changes to this privacy statement and we will amend the revision date at the top of this page. We do however encourage you to review this statement periodically so as to be always informed about how we process and protect your personal information.
13. Frequently asked questions
To help you understand the basic principles of data privacy law and address some of the common questions that arise with regard to the protection of your personal data according to the GDPR, please refer to the FAQ page.
GDPR Frequently Asked Questions
1. What is the GDPR?
GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). The EU Regulation is a new comprehensive data protection law that updates existing EU laws to strengthen the protection of personal data across 28 EU Member States.
2. When will the GDPR come into effect?
The GDPR was approved by the EU Parliament on April 14th 2016 and will come into effect on May 25th 2018. It does not require any enabling legislation to be passed by the state authority and is directly applicable to each Member State’s national law.
3. Who does the GDPR affect?
The new legal framework applies to all companies dealing with the personal data of individuals residing in the European Union, regardless of the company’s location.
4. What constitutes personal data?
In a nutshell, the GDPR defines personal data as any information that identifies or can be used in conjunction with other data to identify an individual. The definition of personal data now encompasses not only a natural person’s explicit identifiers like Social Security Number, name, email, physical address, but also biometric, demographic and geographic data.
5. What does “processing” mean?
Processing activities with regard to personal data include anything that is done to, or with, personal data (collecting, tracking, structuring, storing or deleting, etc.).
6. What is the difference between a data processor and a data controller?
The GDPR applies to “controllers” and “processors”. A data controller determines the purposes, conditions and means of processing personal data. A data processor is responsible for processing personal data on behalf of a controller. Therefore, BoardMaps is a controller with respect to data collected about the clients, and is a processor with respect to data stored by clients in a database.
7. What rights do individuals have under GDPR?
The GDPR expands a set of rights granted to individuals, as outlined below:
- Right to be informed — We will inform you about which of your personal data we collect and how we use it.
- Right of access — Should you be filling out our contact form, we will inform you about purposes of collecting your data and how we will use it.
- Right to be forgotten (also known as the right to erasure) — If we have collected your data for the purposes you are aware of, but you prefer to have all your personal data deleted you can file the request and we will delete it, if there is no compelling reason to continue its processing.
- Right to object — If you do not approve of the ways we use your data that you were informed about, you can file a respective request with our support team.
- Right to rectification — You can request supplementing or correcting your personal data.
- Right to restrict processing — You have the right to request to block or suppress processing of your personal data. This however is not an absolute right and may be declined on a number of grounds.
- Right to data portability — You can receive a copy of your personal data and transfer it to another company.
- Right to not be subject to automated decision making — In certain circumstances, you are entitled not to be the subject of a decision which has a legal bearing on you and is based on automated processing. This right however may be declined on a number of grounds.
- Right to lodge a complaint — You can lodge a complaint by contacting us via firstname.lastname@example.org.
8. What is the lawful basis for processing and when is consent required?
We are allowed to process personal data as a data controller on one of the following grounds:
- On the basis of your direct consent;
- In order to enter into a contract with you or perform our contractual obligations;
- Our legal obligations require processing customer personal data;
- For our legitimate interests, but only if the balance between our interests and your rights is maintained.
- To protect vital interests of the individuals.
9. When can personal data be transferred outside the EU?
The transfer of personal data outside the EU is allowed only under certain conditions, for example:
- where the European Commission has designated a third country or an international organization as providing an adequate level of personal data protection; or
- where model contracts exist based on agreements on transfers made between organizations within a group, called standard data protection clauses or binding corporate rules; or
- where an approved certification mechanism applies, e.g. EU-US Privacy Shield.
In addition, a transfer may be made where the individual has provided specific consent.
10. What are the rules on security under the GDPR?
GDPR safeguards personal data by ensuring they are processed in a manner that provides their security, including protection against unauthorized or unlawful processing as well as against accidental loss, destruction or damage. It requires appropriate technical or organizational measures to be in place to prevent such personal data leaks or unlawful processing.
11. How do we secure data stored in the database?
Data security is our top asset and the primary competence much appreciated and relied on by our clients. All the data uploaded into the encrypted cloud database physically resides in ISO and SOC compliant Tier-3 data centers (servers). Data centers act as data processors and all processing activities are performed automatically by BoardMaps’ computer scripts and only on servers protected by firewalls. Data centers’ personnel do not have access to our customers’ data since it is encrypted both at rest and in transfer. BoardMaps’ customers act as data controllers, which means that they can delete the data uploaded into the database on their own or file a specific request with the BoardMaps support team to erase and physically delete all the contents of their database.
As an exception, a customer who owns the data stored in the cloud database can turn to our technical specialists to look into the structure of the database should they be experiencing any technical issues. The eligible specialist will be able to check the file’s details (but not the content) to look into the issue and fix it shortly. No one is eligible or able to access the contents of the data stored in the database.