By using any services offered by Elev8 or by executing a Proposal, the Customer agrees to be bound by this policy. Customer and Elev8 here by agree that the following terms govern the use of and access to the Services of Elev8 by Customer and/or any individual authorized by the Customer to use the Services.
This Policy establishes the management framework and the set of guidelines and standards that are required to be adopted in order to establish and maintain an adequate level of privacy in the collection, processing, disclosure and transfer of Personal Data.
This Policy should not conflict with applicable national and/or regional laws in the jurisdictions in which Elev8 operates. In the event of any conflict between this Policy and any applicable national and/or regional laws, the provisions of the applicable law shall govern.
This Policy applies to Elev8 and to:
- Elev8 and its Group of Companies as well as any affiliate companies toElev8
- Customers to the Services of Elev8;
- Individual Customers of Elev8 and any parties to the Proposal.
3. Terms and Definitions
For the purposes of GDPR and/or other applicable data privacy legislation, the Company acts as a Data Processor in respect of the Personal Data collected from the Customer. Elev8 will process Customer’s Data as needed to provide Services to the Customer. Please note that the Customer is the data controller with respect to the processing of their personal data pursuant to the EU General Data Protection Regulation (“GDPR”). Elev8 is the data processor, meaning that we collect and process such information solely on behalf and based on the instructions of the Customer. The Parties acknowledge and agree that the Customer is at all times the data controller and Elev8 is a data processor. Customer represents and warrants that Customer shall only provide to Elev8 the minimum amount of Personal Data, the extent of which is determined and controlled by the Customer in its sole discretion, Customer represents and warrants that they are entitled to transfer relevant Personal Data to Elev8 so that Elev8 may lawfully use, process the Customer Data on the Customer’s behalf.
The Customer has access to the personal data of various data Subjects and is the Controller of such data. The Customer determines the purpose of and the means for the processing of personal data.
The Controller is deemed to be the responsible party within the meaning of article 5(2) of the GDPR;
The Processor is deemed to be the processor within the meaning of article 4(8) of the GDPR;
For the purposes of this Policy, the terms and definitions as listed as part of Appendix A apply.
4. Types of Personal Data
The standard personal data processed by Elev8 on the Customer’s behalf shall include: First name and Last name; Phone number; Email Address, Address – State, Province, City, ZIP/Postal code, previous job roles, education history and may include other personal data as determined by the Customer and as necessary to provide the Services in specific cases.
5. Data Protection and Privacy
5.1. Privacy Principles
Customer shall ensure that the relevant third parties, including data subjects, have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation.
In handling Personal Data, Elev8 shall abide by the following key principles:
5.1.1. Fair, Lawful and Transparent Processing
Elev8 shall ensure that Personal Data is processed fairly and lawfully and in a transparent manner, and ensure that the legal grounds for processing of personal information have been clearly identified before processing commences.
In strict specific terms, the collection and processing of personal information must only be permitted on one of the following six grounds listed in art.6 of the GDPR (or Lawful basis) in which the lawfulness of a specific case of processing of Personal Data may be established or as stated in the applicable privacy laws and regulations.
5.1.2. Restricted to the Original Purpose (PurposeLimitation)
Elev8 shall ensure that Personal Data must only be collected, processed, stored, and used for explicit and legitimate business purposes, and not further processed in a manner that is incompatible with the purpose for which it was collected.
5.1.3. Limited to the Minimum Necessary (DataMinimization)
Elev8 shall ensure that Personal Data is adequate, relevant and limited to what is necessary in relation to the intended purposes for which they are collected and processed.
Elev8 shall ensure that Personal Data is accurate and where necessary, kept up to date, subject to any professional or legal obligations.
5.1.5. Not Retained Longer than Necessary (StorageLimitation)
Elev8 should ensure that Personal Data is not kept for longer than necessary subject always to any professional or legal obligation to retain such Personal Data for prescribed time periods. The Company will hold Personal Data all throughout and as required by the Proposal.
The Company will retain Personal Data for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, accounting, tax and reporting requirements but not longer than as per the applicable laws and regulations.
5.1.6. Kept Secure (Integrity and Confidentiality)
Reasonable precautions must be taken to secure Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access. These precautions should include technical, physical and organizational security measures, such as measures to prevent unauthorized access, that are commensurate with the sensitivity of the information and the level of risk associated with the processing of the Personal Data.
5.1.7. Processed in Accordance with the Rights of Data Subjects
Customer and Elev8 must ensure that the rights of natural persons are taken into consideration and adhered to where appropriate and that each of these rights are supported by appropriate procedures that allow the requested action to be taken within specific timescales.
Elev8 will assist the Customer upon Customer’s request when Data Subjects exercise their rights as provided in the table below:
|Data Subject Request||Description||Timescale|
|Right to be Informed||Individuals have the right to be informed about their Personal Data held including the purpose of the processing and the recipients of their Personal Data||Upon collection or within a month|
|Right of Access||Individuals have the right to request access to their data. This allows them to become aware of Personal Data that is processed and the ability to verify the Personal Data processed.||One Month|
|Right to Rectification||Individuals have the right to have any inaccurate Personal Data rectified and, taking into account the purposes of the processing, to have any incomplete Personal Data about them completed.||One Month|
|Right to Erasure||Under certain circumstances, individuals may have the right to request to erasure (or the right to be forgotten) of Personal Data concerning them.||One Month|
|Right to Restrict Processing||Under certain circumstances, individuals have the right to restrict the processing of their Personal Data.||One Month|
Elev8 must ensure that transfers of Personal Data to a third-party organization or country, which is to be processed after its transfer, can take place only if specific conditions are complied with as follows:
220.127.116.11. Contracts Involving the Processing of Personal Data
Elev8 will ensure that all business relationships it enters into with any Third Parties that involve the processing of Personal Data must be subject to a documented contract.
18.104.22.168. International Transfers of Personal Data
Within the global operations of Elev8, Personal Data may be transferred outside the country in which it was collected and/ or processed, for legitimate business activities in accordance with the applicable law. In addition, to the extent permissible by applicable law, Elev8 may store and/ or process Personal Data in facilities operated by Third Parties on behalf of Customer outside the country in which the Personal Data was collected and/or processed.
Where Personal Data is transferred from the EEA to other countries in which applicable laws do not offer the same level of data privacy protection as the EEA states the Parties shall put in place appropriate safeguards in place pursuant to Article 46 of the GDPR and Standard Contractual Clauses shall apply in respect of any transfer of Personal Data. Each Party agrees to execute the Standard Contractual Clauses as issued by the COMMISSION IMPLEMENTING DECISION, dated June 4th2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, upon request of the other Party and further agree that absent of such execution, the terms and conditions of the Standard Contractual Clauses shall in any event apply to any transfer of Personal Data to jurisdiction out of the European Economic Area.
5.1.9. Analytical activities
We may use analytical activities (via technological or other electronic means) to process data for statistical purposes, technical reasons, and evaluation assessments. This data will help us to deliver content and compile metrics and analytics to provide only to the Customer.
It may also be used to understand, improve, and research features, and services, including when you access our Services from devices such as your work computer or your mobile device.
Any decision affecting data subject rights shall be done with human intervention and such decision shall never be based solely on automated processing.
5.2. Privacy by Design
Elev8 has adopted the principle of privacy by design and will ensure that the definition and planning of all new and significantly changed processes (High Risk) and systems that collect or process Personal Data will be subject to privacy considerations, including the performance of Data Protection Impact Assessment.
The Data Protection Impact Assessment shall include:
- Consideration of how Personal Data will be processed and for what purposes.
- Assessment of whether the proposed processing of Personal Data is both necessary and proportionate to the purposes(s).
- Assessment of the risks to individuals in processing the Personal Data.
- What controls are necessary to address the identified risks and demonstrate compliance with related legislation. (Use of techniques such as encryption, anonymization or pseudo anonymization shall be considered where applicable and appropriate.
5.3. Complaints, Questions and Additional Information
To express a concern, raise a question, make a complaint, or to obtain additional information about the processing of Personal Data by the Company, the concerned individual should contact the Company’s Data Protection Officer via the following email address: email@example.com. In addition, if for any reason you believe that your rights as data subjects are not respected by the Company, you can file a complaint to your local independent authority.
6.1. Appendix A – Terms and Definitions
For the purposes of this Policy, the following terms and definitions apply.
|Data Controller||Refers to the organization, which determine the purposes and means of processing of Personal Data. In relation to this Policy, the Customer is the Data Controller.|
|Data Subject||Refers to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.|
|GDPR||Refers to the General Data Protection Regulation (EU) 2016/679|
|Personal Data or Personally Identifiable Information (PII)||Defined as any information related to an identified or an identifiable natural person. For example, a Data Subject’s home address, e-mail address, telephone number, or government-issued identification numbers would constitute Personal Data.|
|Data Processor||Defined as a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller. In relation to this Policy Elev8 is the Data Processor.|
|Processing||Defined as any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Special Category Personal Data||Defined as Personal Data revealing racial or ethnic origins, trade union membership, political, philosophical or religious beliefs, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.|
|Third Party||Defined as any natural or legal person, public authority, agency or body other than the Data Subject, the Data Controller, the Data Processor and the persons who, under the direct authority of the Data Controller or the Data Processor, are authorized to process the Personal Data.|