Effective date: January 30, 2019
For the purpose of applicable European data protection legislation, the Data Controller is:
for Personal Data Processed through our website, app or related service, the controller is Md7, LLC, 10590 West Ocean Air Drive, Suite 300, San Diego, CA 92130 (“Md7, LLC”).
for Personal Data Processed in connection with a contractual agreement that you have with one of the Md7 entities, the controller is the contracting Md7 entity, i.e.:
for US contracting parties, this is Md7, LLC; and
for EEA and non-US contracting parties, this is either Md7 International (Telecommunications) Limited (Unit 4 The Capel Building, Mary’s Abbey, Dublin 7, Ireland, “MITL”) or Md7 Nederland B.V. (Wim Duisenbergplantsoen 51, 6221 SE Maastricht, The Netherlands, “Md7 NL”).
The Federal Trade Commission (FTC) has jurisdiction over Md7, LLC’s compliance with this Privacy Shield Policy, the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework.
The following definitions apply to our Policy:
“Data Processor” means any person or organization, including any third party vendor or service provider, who processes Personal Data on our behalf and under our instructions for the purposes set forth in this Policy.
“Data Subject” (or “you”) means all natural persons (our customers, vendors and users of the website) about whom we hold Personal Data.
“Electronic” means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
“Personal Data” means information (whether stored electronically or in paper-based filing systems) relating to an identified natural person or that could reasonably be used (by itself or in combination with other data reasonably available) to identify a natural person. Personal Data does not include anonymous information, namely information which does not relate to an identified or identifiable natural person or to Personal Data rendered anonymous in such a manner that the Data Subject is not or no longer identifiable.
“Processing” is any activity that involves use of the Personal Data. It includes obtaining, recording or holding the Personal Data, or carrying out any operation or set of operations on the Personal Data, including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third parties.
“Sensitive Personal Data” means Personal Data that reveals race, ethnic origin, political opinions, religion or philosophical/ideological beliefs or activities, trade union membership, genetic data, biometric data, information on criminal convictions and offences, health status, or sexual orientation, preference or activities.
This Policy applies to the Personal Data Processed in connection with your use of our website, products, services, apps or in connection with the contractual relationship you have with one of our entities. This Policy covers Personal Data we Process regarding Data Subjects. Please read the following carefully to understand our views and practices regarding your Personal Data and how we will treat it.
Processing of Personal Data
Personal Data We May Process and Purposes
A variety of Personal Data is Processed through the means described below. When you are asked to provide Personal Data, you may choose not to. But if you decline to provide Personal Data, your ability to use the website, product, service or app, or your ability to enter into a contract with one of our entities may be diminished or restricted.
Type of Personal Data
The Personal Data Processed through our website, app or related service, or in connection with a contractual agreement that you have with one of the Md7 entities includes:
Personal information, such as your name, address, telephone number, email address, mailing address and other (contact) information that you give through, for example, an input form on our website, through surveys, through the contractual arrangement you have with one of our Md7 entities, or through other means.
Lawful Bases and Purposes of Processing
Your Personal Data is Processed on the following lawful bases and for the following purposes:
For the performance of the agreement with you, e.g. to respond to your requests, such as a request for information, or a request to subscribe to a service or enter into a contract; to provide, manage, maintain, and secure the service(s) you request.
On the basis of your consent, e.g. to provide you with information about Md7's technologies, product or service releases, news, and other (marketing) communications.
For our legitimate interests, e.g. to provide existing customers marketing communications; to operate and improve the business, including to administer, protect, and improve services and systems; to develop new products and services, and for other internal business purposes; to better understand the preferences of the users of our services, compile aggregated statistics about usage of our services, and help personalize your experience of the website and services; and to conduct a prospective or actual sale, merger, transfer or other reorganization of all or parts of the business.
To comply with a legal obligation to which the relevant Md7 entity is subject, e.g. in connection with national security requests, requests from law enforcement officials and court proceedings.
We will retain such Personal Data for as long as it is required for purposes for which it was collected. This will be, for example, for as long as necessary to perform your request (e.g., your request to receive newsletters, until you opted-out) or for as long as necessary in view of the ongoing commercial relationship until the end thereof, plus the length of any applicable statutory limitation period.
A Special Note about Children’s Privacy
Children are not eligible to use our services and we do not knowingly Process children’s Personal Data. You must be at least 13 years old to use this website, and we ask that minors under the age of 13 do not submit any Personal Data to us. We do not knowingly collect, use or disclose Personal Data about visitors under 13 years of age.
Sensitive Personal Data
Please note that our practice is that we do not Process Sensitive Personal Data.
Where We Store and Process Data, including
Disclosure and Transfer
Personal Data may be disclosed to and Processed within our organization. For example, Personal Data may be disclosed to Md7, LLC in the United States as, and to the extent, business needs require.
Furthermore, we may provide Personal Data to Data Processors for the purposes set forth in this Policy. For example, Md7, LLC stores Personal Data in facilities operated by a Managed Cloud Company. Personal Data will only be disclosed to a Data Processor if it agrees to comply with procedures and policies which are compliant with our Policy and procedures regarding data protection, or if the Data Processor puts in place adequate measures which are compliant with applicable law and are consistent with our obligations under the Privacy Shield Principles.
The above disclosures may include transfers of Personal Data from the EEA or Switzerland to the United States or other countries that may not provide an equivalent level of privacy or data protection law as your country. When Personal Data is transferred from the EEA or Switzerland, we use a variety of legal mechanisms to effectuate the transfer (such as your consent, our Privacy Shield Certification or the use of Standard Contractual Clauses (of which you may request a copy via the contact details below)). All employees within our organization and Data Processors who handle Personal Data are required to comply with the principles stated in this Policy, and may access and use Personal Data only if they are authorized to do so and only for the purposes for which they are authorized.
Furthermore, we will transfer Personal Data to Data Processors who reasonably need to know such data only for the scope of the initial transaction and will not Process Personal Data for other purposes. We take reasonable and appropriate steps to ensure Data Processors process EU and/or Swiss Personal Data in accordance with our Privacy Shield obligations and to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third party agents and service providers who perform services on our behalf for their handling of EU and Swiss Personal Data that we transfer to them.
In addition to the foregoing, we may share your Personal Data with third parties as follows:
Business Transaction Disclosures. Your Personal Data may be shared or transferred in connection with a prospective or actual sale, merger, transfer or other reorganization of all or parts of our business.
Legally-Required Disclosures. Your Personal Data may also be shared or transferred as required by law or in the interest of protecting or exercising Md7’s or others’ legal rights, e.g., without limitation, in connection with national security requests, requests from law enforcement officials, and court proceedings.
Transfers overseas. The Personal Data we collect in connection with your use of the website, app or related service, or in connection with a contractual agreement that you have with one of the Md7 entities will be held on our computers and systems in the European Union and in the computers and systems of our offices in the United States and may be accessed by or given to our staff working outside the European Union.
Our Responsibility for Personal Data
How we protect Personal Data
Reasonable efforts are used to maintain the accuracy and integrity of Personal Data and to update it as appropriate to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
Reasonable security procedures have been implemented in an effort to ensure that any Personal Data we hold is kept in accordance with this Policy. Physical, administrative and technical procedures are also used to limit access to Personal Data as described in this Policy. In addition, security measures and technology are maintained to assist us so that Personal Data is not disclosed either orally or in writing or via the internet or by any other means, accidentally or otherwise, to any unauthorized third party.
Although industry standard efforts are used to safeguard the confidentiality of your Personal Data when you transmit it over the Internet, such as firewalls and Secure Socket Layers, perfect security does not exist on the Internet.
Website Links to Other Sites
Our website operated by Md7, LLC contains links that may direct users to other websites. Md7, LLC is not responsible for the privacy practices of or the content contained in other websites that may be accessible by links from our website, and the privacy practice on those sites may differ from that of Md7, LLC as set out in this Policy. Md7, LLC is not responsible for any product or services that you download, purchase, or otherwise receive in any manner or form, from a third party website.
Do Not Track Signals
We do not currently respond to “Do Not Track” (“DNT”) signals sent by web browsers. A uniform standard has not yet been adopted to determine how DNT signals should be interpreted and what actions should be taken by websites and third parties that receive them. However, you may use a variety of other means of controlling data collection and use, including cookie controls in your browser settings.
The Md7 entities will not send email marketing communications and advertisements unless applicable law authorizes us to do so. We may do so on the basis of your consent, such as when you submit your email address and opt-in to receive marketing communications (for example to Md7, LLC through the website). You may withdraw your consent at any time by contacting the applicable Data Controller at one of the contact methods listed below under “Administration of this Policy” or to send an opt-out request via the unsubscribe link included in the email you have received.
Opt-In/Out. In some circumstances, such as email marketing, the applicable Data Controller offers you the ability to opt-in or opt-out of some kinds of data collection, use, or sharing. In such circumstances, the applicable Data Controller will respect your choice. In addition, where required by applicable law, the applicable Data Controller may offer you an opportunity to choose whether your Personal Data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. Further, when the applicable Data Controller Processes Sensitive EU and/or Swiss Personal Data (which in practice, we don't), we will obtain your opt-in consent where the Privacy Shield or applicable law requires, including if we need to disclose your Sensitive EU and/or Swiss Personal Data to third parties, or before we use your Sensitive EU and/or Swiss Personal Data for a different purpose than we collected it for or than you later authorized.
Right to Access, Rectification, and Erasure. The applicable Data Controller provides Data Subjects with reasonable access to the Personal Data we hold about them. To learn what Personal Data we hold about you or to correct, amend or delete that Personal Data, please submit a written request using one of the contact methods listed below under “Administration of this Policy”.
In addition, to the extent that European data protection legislation applies, you may have the following additional rights as from 25 May 2018:
Right to Restriction. You may ask the applicable Data Controller to restrict the Processing of your Personal Data where, for example, we no longer need your Personal Data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims.
Right to Withdraw Consent. You have the right to withdraw your consent at any time where the applicable Data Controller Processes your Personal Data on the basis of your consent.
Right to Data Portability. You can request the applicable Data Controller to receive certain Personal Data which you have provided to us in a structured format, which can be transmitted to another service provider where technically feasible. This only applies to Personal Data the applicable Data Controller Processes by automatic means, and on the basis of your consent or the performance of a contract between you and the applicable Data Controller.
Right to Lodge a Complaint. You also have the right to lodge a complaint with a supervisory authority, in particular in your Member State of residence, if you consider that the Processing of your Personal Data infringes applicable data protection law.
For further information regarding your rights, or to exercise any of your rights, please contact our Chief Technology Officer at the contact details listed below under “Administration of this Policy.”
Administration of This Policy
Our Chief Technology Officer is responsible for ensuring compliance with the law and with this Policy. Any requests regarding your Personal Data and/or questions or concerns about the interpretation or operation of this Policy or about what may or may not be done with regard to Personal Data should be sent by email to email@example.com or by mail to Chief Technology Officer, Md7, LLC, 10590 West Ocean Air Drive, Suite 300, San Diego, CA 92130. Please always indicate to which Data Controller (Md7, LLC, MITL or Md7 NL) the request or question relates. The Chief Technology Officer responds to questions, concerns, or complaints within one month of receipt.
Enforcement and Oversight of Our Policy
We will conduct periodic compliance audits of our privacy practices to verify adherence to this Policy, the EU-U.S. Privacy Shield Framework, and the Swiss-U.S. Privacy Shield Framework. We conduct annual self-assessments of our practices with respect to Personal Data to verify that representations we make about our Personal Data privacy practices are true and have been implemented as represented. Any employee found to have violated this Policy is subject to disciplinary action, up to and including termination of employment.
Privacy Shield Enforcement and Dispute Resolution
In compliance with the Privacy Shield Principles, Md7 commits to resolve complaints about our collection or use of your Personal Data. EU and Swiss Individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Md7, LLC by email to firstname.lastname@example.org or by mail to Chief Technology Officer, Md7, LLC, 10590 West Ocean Air Drive, Suite 300, San Diego, CA 92130. Md7, LLC resolves to respond to complaints within one month of receipt.
Md7 has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit JAMS at https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
You may have the option to select binding arbitration before a Privacy Shield Panel for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your compliant directly with us and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you.
Changes in this Policy
We reserve the right to change this Policy at any time. If we modify this Policy, we will provide notification of the changes as needed, for example on our website at least thirty (30) days prior to the date the change becomes effective. It is our policy to post any changes we make to this Policy on this page with a notice that the Policy has been updated on the website home page. If we make material changes to how we treat Personal Data, we will notify you through a notice on the website home page or through other means required by applicable law. Our Policy will indicate the date it was last updated. Your continued use of our site and our services will signify your acceptance of the changes to our Policy.