PRIVACY POLICY FOR BUSINESS DIGITAL ACADEMY
INTRODUCTION
This document (the “Privacy Policy”) is a legal document aiming to inform the Visitors/ Customers/ Participants about their rights regarding the processing and protection of general and Personal Data, which come to the control of the Provider, pursuant to the provisions of the Agreement.
This Privacy Policy explains the kind of information which will be processed by the Provider, how it will be processed, it informs the Data Subject about its rights and about the available tools to control the processing of its Personal Data.
Please read carefully. By visiting the Website and/or subscribing and/or contacting the Provider and/or purchasing a Product and/or accepting delivery of a Product, you agree with the Privacy Policy terms.
DEFINITIONS
“Access” means the provision by the Provider to the Customer of a certain code, which will enable the Customer to access the Learning Platforms and to accept delivery of the Product at the Time of Delivery;
“Agreement” means the Terms of Use, the entire content of the Website and any terms embodied in a quotation given by the Provider to the Customer;
“Cancellation Date” means the business day upon which a Party receives a cancellation notice by the other Party;
“Consent” means freely given, specific, informed and unambiguous consent given by the Data Subject, by which it authorises the Provider to process its Personal Data that may come in the Provider’s control, pursuant to the provisions of the Agreement;
“Controller” means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and/or the means of the processing of Personal Data;
“Cross-border processing” means:
- processing of Personal Data which takes place in the context of the activities of establishments, in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or
- processing of Personal Data which takes place in the context of the activities of a single establishment of a controller or processor, in the Union but which substantially affects or is likely to substantially affect Data Subjects, in more than one Member State.
“Customer” means the legal entity or natural person, who subscribes to the Website and/ or purchases a Product through the Website and in accordance with the provisions of the Agreement;
“Customer’s Personal Data” means any Personal Data of the Customer/ Participant, which are processed by the Provider, pursuant to the provisions of the Agreement;
“Data Subject” means the person who can be identified by the Personal Data processed by the Provider and includes the Visitors of the Website, the Customer who purchase a Product and any Participant to whom the Product is delivered on behalf of the Customer, pursuant to the provisions of the Agreement;
“Fee” means the amount payable by the Customer to the Provider, for the purchase of a Product, pursuant to the provisions of the Agreement;
“Intellectual Property Rights” means all Intellectual Property Rights, wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application of such rights (including copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents and rights in designs);
“Learning Platform” means the learning platform zoom.us
“Online Form Order” means an online form published by the Provider on the Website, in each Products overview page, which must be filled in before the payment of the Fee;
“Parties” means the Provider and the Customer and “Party” means either one of them;
“Participant” means the natural person to whom the Product is delivered;
“Pseudonymisation” is the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identifiable person;
“Personal data” means any data relating directly or indirectly to a person, by which the person may be identified. Personal Data does not include any data that is anonymized, aggregated, de-identified or compiled on a generic basis and which does not name or identify a specific individual directly or indirectly;
“Personal Data Breach” means a breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed;
“Processor” means the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
“Processing” means the collecting, recording, using, storing, amending, adapting, disclosing, transferring, transmitting, structuring, using, combining, deleting, destroying of any Personal Data that come in the control of the Provider, pursuant to the provisions of the Agreement;
“Profiling” means any form of automated processing of Personal Data, regarding the evaluation of certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, interests, reliability, behaviour, location or movements;
“Provider” means the company Thomas Poutas International Associates Ltd (the “Company”), who sells the Product and/or any natural or legal person to which the rights and obligations provided in the Agreement are assigned by the Company;
“Product” means an online seminar/ webinar which is delivered by Trainers on a Learning Platform, and course material which are only accessible to the Customer /Participant;
“Recipient” means the person or legal entity, public authority, agency or another body, to which the Personal Data are disclosed;
“Restriction of Processing” means the marking of stored Personal Data, with the aim of limiting their processing in the future;
“Subscription” means the filling in and submitting of an Online Form Order and the payment of the Fee through the Website by the Customer;
“Trainer” means the natural person who administrates, runs and delivers the online seminar/ webinar on behalf of the Provider;
“Terms of Use” means all the documentation containing the provisions of the Agreement, namely the Online Order Form, the main body of the Terms of Use, including the modifications to that documentation from time to time;
“Third Party” means the person or legal entity, public authority, agency or body other than the Data Subject, controller, processor and persons authorised by the processor or the controller and who processes Personal Data;
“User” means a person or legal entity to whom the Product is delivered according to the Terms of Use;
“Visitor’s Personal Data” means the Personal Data of Visitors;
“Visitor” means a natural person who navigates through the Website;
“Website” means the website www.businessdigitalacademy.com;
GENERAL PRINCIPLES
- Each Party shall comply with the Data Protection Laws in respect to the processing of the Personal Data of the Data Subject.
- The Customer warrants to the Provider that it has the legal right and/or is duly authorized by the Data Subject to disclose all Personal Data that it does in fact disclose to the Provider, under or in connection with the Agreement.
- Any Personal Data disclosed by the Customer and processed by the Provider must be required by or related to the Agreement.
- The Provider shall only process the Personal Data of a Customer/Participant only for a period necessary to achieve the purpose of the processing or as far this is allowed by the European Legislation to which the Provider is subject to
- If the Customer instructs the Provider to process Personal Data in a way that infringes the Personal Data laws, the Provider shall inform the Customer promptly and decline to follow the instructions.
- The Provider is hereby authorized by the Customer to assign the processing of the Personal Data to third parties, acting as sub-processors on behalf of the Provider
- The Provider shall assign the process of Personal Data only to authorized persons, who have committed themselves to confidentiality or are under appropriate obligation of confidentiality.
- In case the Provider employs independent contractors, vendors, suppliers (collectively as “Independent Contractors), the Provider is obliged to:
- Protect the Personal Data which the Provider processes under the Agreement, in accordance with the Terms of Use and the Privacy Policy;
- Not use or disclose Personal Data, which the Provider processes under the Agreement, for any other purpose other than for the purchase of products or services for which the Provider has contracted with the Independent Contractors;
- The Provider shall ensure that the Independent Contractors operate .in compliance with GDPR.
- The Provider and the Customer shall each take all reasonable measures to ensure that, for the processing of Personal Data, they use standard, industry-wide, commercially reasonable security practices, for protecting the Personal Data they process.
- The Provider shall make available to the Data Subject all information necessary to demonstrate its compliance with its obligations under the Data Protection Laws.
- The Provider will block and/or erase routinely any Personal Data for which the purpose of processing is not applicable and or processing period has expired.
- The Provider is obliged, where possible, to apply Pseudonymisation of Personal Data, processed pursuant to the provisions of the Agreement.
- The Provider shall not process any Personal Data provided by the Customer at the payment of the Fee, except as far is necessary for the completion of the transaction and the Provider shall ensure that such Personal Data are erased immediately after the completion of the transaction.
- The Provider shall not rent or sell Personal Data to Third Parties.
- The Provider shall not disclose any Personal Data to any Third Parties, unless required to do so by law or subpoena or if the Provider believes that such action is necessary to conform to the law, comply with legal processes served on the Provider or affiliates or to investigate, prevent or take action regarding illegal activities, or in order to enforce the Agreement or to take precautions against liability, to investigate and defend the Provider against Third-Party claims or allegations, to assist government enforcement agencies, or to protect the security or integrity of the Website and exercise and protect the rights, property or personal safety of the Provider, the Visitors of the Website, the Customers who purchase a Product and/or persons to whom the Product is delivered under the Customer’s instructions.
- In case of Personal Data Breach, because of security breach, the Provider shall promptly notify the Data Subject to whom the compromised Personal Data belong, as required by law.
- Since the content of the Website and the Products provided by the Provider are not directed towards children, if the Provider discovers that it has collected Personal Data from a child under the age of 16, without parental consent, the Provider shall delete the Personal Data of the child, within and not later than 30 days.
RIGHTS OF THE DATA SUBJECT
RIGHT OF CONFIRMATION
The Data Subject has the right to obtain from the Controller a confirmation, as to whether or not the Data Subject’s Personal Data are being processed by the Controller.
RIGHT OF ACCESS
- The Data Subject has the right to know which Personal Data are processed by the Controller and to be informed in writing by the Controller.
- Additionally, the Data Subject may request to be informed about:
- The purpose of the processing;
- The categories of Personal Data that are being processed;
- The recipients or categories of recipients to whom the Personal Data have been or will be disclosed;
- The envisaged period for which the Personal Data will be processed and if the period cannot be determined, the Controller shall inform the Data Subject as to the criteria applied to determine the period;
- The existence of the right to request from the Controller rectification or erasure of Personal Data or restriction of processing of Personal Data concerning the Data Subject;
- The right to lodge a complaint with a supervisory authority;
- Where the Personal Data are not collected from the Data Subject, any available information as to their source;
- The existence of automated decision-making, such as profiling and at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences for the Data Subject.
- Where Personal Data are transferred to a third country or to an international organisation, the Data Subject has the right to be informed about the appropriate safeguards in relation to the transfer.
- The Controller shall provide a copy of all Personal Data undergoing processing. For any further copy the Controller may request reasonable fee based on administrative cost. Where the Data Subject’s request is submitted electronically, the information shall be provided in commonly used electronic form.
RIGHT TO RECTIFICATION
The Data Subject may request the rectification of inaccurate, incomplete or false Personal Data.
RIGHT TO BE FORGOTTEN
The Data Subject may request and obtain by the Controller the erasure of any Personal Data and the Controller shall erase such Personal Data when one of the following grounds applies and as long as the processing is no longer necessary:
- The Personal Data are no longer necessary for the purposes or activities for which it was collected or otherwise processed;
- The Data Subject withdraws its consent under the provisions of GDPR and where there is no other legal ground for the processing;
- The Data Subject objects to the processing pursuant to the provisions of GDPR and there are no overriding legitimate grounds for the processing;
- The Personal Data has been unlawfully processed;
- The Personal Data must be erased for compliance with a legal obligation of the Controller to which the latter is subject.
RIGHT OF RESTRICTION OF PROCESSING
The Data Subject may obtain from the Controller restriction of processing where one of the following apply:
- The accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data;
- The processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead.
- The Controller no longer needs the Personal Data for the purposes of the processing but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- The Data Subject has objected the processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
RIGHT TO DATA PORTABILITY
- The Data Subject has the right to receive the Personal Data concerning him or her and which are processed by the Controller in a structured, commonly used and machine-readable format.
- The Data Subject shall have the right to transmit those Personal Data to another controller without hindrance from the Controller, provided that the processing is based on consent or a contract and the processing it carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller
- Furthermore, the Data Subject has the right to have Personal Data transmitted from one controller to another, where technically feasible and doing so does not affect adversely the rights and freedoms of others.
RIGHT TO OBJECT
- The Data Subject shall have the right to object on grounds relating to his or her situation, at any time, to the processing of its Personal Data and/or profiling
- In the event of an objection, the Provider shall no longer process the Personal Data, unless the Provider demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
- If the Provider processes Personal Data for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of its Personal Data for such marketing. This includes profiling to the extent that it is related to such direct marketing. If the Data Subject exercise its right, the Provider will no longer process the Personal Data for these purposes.
- In addition, the Data Subject shall have the right to object to the processing of its Personal Data by the Provider, when such processing relates to scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING
- The Data Subject shall have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning the Data Subject or similarly affects him or her, if:
- The decision is not necessary for entering into, or the performance of the contract between the Customer and the Provider;
- The decision is not authorised by the European Union or Member State law to which the Controller is subject, and which also lays down suitable measures to safeguard the Data Subjects rights and freedoms and legitimate interests;
- The decision is not based on the Data Subject’s explicit consent.
- If the decision is necessary for entering, or for the performance of a contract between the Customer and the Provider or it is based on the Data Subject’s explicit consent, the Provider shall implement suitable measures to safeguard the Data Subject’s rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express its point of view and contest the decision.
RIGHT TO WITHDRAW DATA PROCESSING CONSENT
The Data Subject shall have the right to withdraw its consent to processing its Personal Data at any time.
PERSONAL DATA PROCESSING BY BUSINESS DIGITAL ACADEMY
TYPE OF PERSONAL DATA PROCESSED
The Provider processes Personal Data which are required for the use of the Website, the subscription, the creation and function of a Customer Account, the purchase/delivery of a Product, billing, the communication between the Provider and the Customer and/or the Data Subject, the termination of the contract, the cancellation of the purchase and the refund.
The Provider processes information which the Customer discloses to the Provider, such as name, surname, telephone numbers, addresses and e-mail address, job position of the Customers and/or the Participants. If the Data Subject corresponds with the Provider, the Provider may retain the content of the e-mail messages, e-mail address and the Provider’s responses.
PROCESSING OF PERSONAL DATA
- The processing of Personal Data by the Provider starts once the Customer subscribes to the Website. The Provider collects the Personal Data of the Customer and/or any Participant, which are disclosed by the Customer on the Online Order Form and transmits them to the Controller.
- The Personal Data are collected and stored exclusively for internal use by the Provider. Any further transfer by the Controller to one or more processors must be for purposes attributable to the Provider.
- Immediately after the subscription, the Provider automatically creates a Customer’s Account, through which the Customer may access and be informed about the Personal Data that are being processed by the Provider. Through the Account, the Customer may update or rectify its Personal Data.
- The Customer’s Account is maintained and the Customer’s Personal Data are processed, even after the completion of the transaction and the Delivery of the Product, until the Customer explicitly requests the deletion of the Customer’s Account by sending a written notice to the Provider’s Designated Address. The Provider shall cease the processing of the Customer’s Personal Data promptly after the deletion of the Customer Account and not later than 30 calendar days from the receipt of the Customer’s written request for deletion of its Account. The Customer can only request the deletion of its Account and the erasure of its Personal Data, provided that any transaction between the Parties is completed and/or the Customer has waived explicitly any right arising from a Voucher or Credit given by the Provider, in accordance with the provisions of the Agreement.
- When the Customer purchases a Product, to be delivered to a Participant other than the Customer, the Provider processes the Participant’s Personal Data for a period commencing on the subscription date and ending on the date on which the Customer’s Account is deleted, provided that the Provider has obtained the Participant’s explicit consent for the processing its Personal Data, at the first direct communication with the Participant. If the Participant withholds its consent, the Provider will proceed to the erasure of the Participant’s Personal Data, within reasonable time and not later than 30 calendar days from the Participant’s denial.
- The Provider may use the email address of the Customer to send Product related notices, newsletters, special offers, if the Customer ticks the opt-in checkbox when providing the Provider with its email address. The Customer may withdraw its consent by clicking on the relevant link contained in each notice given by the Provider. The Provide will use the Participant’s email address to send such notices, if the Participant explicitly consents to such processing of its Personal Data at the first direct communication with the Provider.
- The processing of the Personal Data of the Customer/Participant is necessary to identify the person or legal entity subscribing, purchasing a Product, whether they purchase a Product as consumers and to enable the Provider to deliver the Product to the Participants. The Data Subject is free to change their Personal Data at any time or to have them completely deleted, provided that the deletion will not affect the Provider’s rights and ability to perform its obligations under the Agreement or its obligation imposed by any law to which the Provider it subject.
- The Provider may continue the processing of Personal Data provided by the Customer and/or any other Data Subject, pursuant to the provisions of the Agreement, after the expiration of the 30-days period stipulated above, if the Data Subject has explicitly consented to the processing of its Personal Data by the Provider for promotional and/or advertising purposes. If the Customer and/or any other Data Subject wishes to withdraw its consent for the processing of their Personal Data for such purposes, they can do so by clicking on the relevant link attached on any notification sent by the Provider for promotional and/or advertising purposes.
PROCESSING OF GENERAL DATA AND INFORMATION
- The general data and information collected by the Provider is needed to deliver the content of the Website, to optimize the content of the Website, to ensure the viability of the information technology system and the Websites technology of the Provider and to assist law enforcement authorities with necessary information for criminal prosecution in case of cyber-crimes.
- The Provider uses “cookies”, every time a Visitor visits the Website and/or a Customer logs in its Customer Account and/or purchases a Product. Additionally, the Provider provides custom, personalized content, and information, monitor the effectiveness of the Website, monitor the aggregate metrics such as total number of Visitors and traffic, diagnose or fix technology problems reported by the Visitors/ Customers/Participants and help the Data Subject efficiently access his/her information.
- The Visitor of the Website and/or the Customer will be offered the option to disable or control the “cookies”, by setting a preference within their browser.
- The Website may collect general data such as browser types and versions used, operating system used by the accessing system, the websites from which an accessing system reaches the Website, the sub-websites, the date and time of access to the Website, the IP address of the Visitor and/or user and/or Customer and/or any other similar data and information that may be used in the event of attacks on the information technology systems of the Provider.
- The Visitor/ Customer hereby grants to the Provider a non-exclusive licence to collect, store, copy, reproduce, distribute, publish export, adapt, edit and translate their general data, to the extent reasonably required for the performance of the Provider’s obligations and the exercise of the Provider’s rights under the Agreement. The Visitor/ Customer also grants the Provider the right to sub-license these rights to its hosting, connectivity and telecommunication service providers, to the extent reasonably required for the performance of the Provider’s obligations and the exercise of the Provider’s rights under the Agreement, subject to the national and European Legislation regulating the protection of Personal Data and subject to any express restrictions provided in the Privacy Policy and the Agreement. The Visitor/ Customer/ Participant agrees and consents to cross-border processing of such General data and information.
- The general data analysis is conducted anonymously and statistically and aims to increase the data security and data protection of the Website.
DISCLAIMER
The Provider shall not be responsible and does not undertake any duty to protect any Personal Data voluntarily disclosed by the Data Subject in public areas and/or public bulletin boards and/or in public classified advertisement within the Website and/or the Learning Platforms. Additionally, the Provider will not be responsible and/or liable for any processing of Personal Data of the Data Subject which the Data Subject has voluntarily disclosed in the Messages, Groups or in the Profile Page within the Website and/or the Learning Platforms.
The Provider shall not be responsible for the protection and processing of Personal Data of the Customer/ Participant on the Learning Platform, where the Product will be delivered.
DENIAL OF DISCLOSURE
The Visitor/ Customer/ Participant may decline to submit or consent to the processing of its Personal Data, in which case the Provider may not be able to proceed with the performance of its obligations, under the Agreement.
CONTACT IN CASE OF QUESTIONS OR REQUESTS REGARDING PRIVACY POLICY
If the Data Subject wishes to exercise any of the above rights, he or she may at any time directly contact the Provider’s Protection Officer or another employee of the Controller at info@businessdigitalacademy.com