Legal
Array Data Protection Policy
Launch Cloud LLC dba Array ("Array") is committed to preserving the confidentiality and integrity of all information it holds and processes and to operating its business in compliance with the requirements of the General Data Protection Regulation (“GDPR”), the UK Data Protection Act 2018 and all other applicable laws relating to the processing of Personal Data (collectively, the “Legislation”).
We recognize the importance of Personal Data and of respecting the privacy rights of individuals. This Data Protection Policy (“Policy”) sets out the principles which we apply to our Processing of Personal Data so that we not only safeguard one of our most valuable assets, but also that which belongs to our customers and employees. For the most part we process this information in one of two capacities, either: (i) as a Data Controller for our own internal business operations, such as human resources, administration, marketing, sales etc., or (ii) as a Data Processor when carrying out our software-as-a-service (or “SaaS”) operations for our customers.
It is the responsibility of all Array employees to apply the provisions of this Policy in relation to all Processing of Personal Data, whether Array is acting as Data Controller or Data Processor (or both). Array provides employees with regular instruction in respect of such matters.
This policy should be read in conjunction with the Array Privacy Notice (the “Privacy Notice”), which contains information for Data Subjects whose Personal Data we handle as a Data Controller.
1. DEFINITIONS
Key phrase
Explanation
“Data”
means information that is processed electronically (e.g. by computer), is recorded manually (e.g. on paper) with the intention of being processed electronically, or is recorded as part of any filing system structured by reference to individuals or criteria relating to them in such a way that specific information relating to a particular individual is readily accessible.
“Data Controller”
means the organization that determines the purposes for which and the manner in which Personal Data are processed.
“Data Processor”
means the organization that processes Personal Data on behalf of the Data Controller.
“Data Subject”
means a living, identifiable individual about whom Personal Data is processed.
“Personal Data”
means Data which relate to a living individual who can be identified from those Data or from those Data and other information which is in the possession of or is likely to come into our possession as Data Controller or Data Processor, as the case may be. Personal Data include opinions and any indications of our intentions towards an individual.
“Processing”
includes obtaining, recording, holding, altering, retrieving, consulting, using, disclosing, blocking, erasing or destroying Personal Data.
“Sensitive Personal Data”
means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited, as well as Personal Data relating to criminal convictions and offences or related security measures.
2. DATA PROTECTION PRINCIPLES
Array is committed to complying with the data protection principles set out in the Legislation. Under the GDPR, these are set out as six data protection principles, under which Personal Data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed (“storage limitation”);
- processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
Further details of how Array complies with these principles are set out below.
PRINCIPLE 1 – LAWFULNESS, FAIRNESS AND TRANSPARENCY
Fair Processing and transparency
The Legislation requires that Personal Data must be processed fairly. This means the Data Controller must ensure transparency of Processing so that Data Subjects are aware of who is Processing their Personal Data and why. This is primarily an obligation on the Data Controller who determines what is being processed and is much less relevant to a Data Processor who does not determine what is processed.
This obligation affects Array primarily when acting as a Data Controller in relation to the operation of our own internal business. For example, all employees’ terms of employment contain a data protection notice which includes the following information:
- the identity of the Data Controller (i.e. Array)
- the purposes for the Processing
- any other information that is necessary to make the Processing fair (such as any recipients of the Data and their purposes and a reminder of the Data Subject’s legal rights (see below)).
In the case of Array marketing activities e.g. advertisement of Array products and services on our website, we include a description of the communication channels that we intend to use. If any of those channels involve marketing by email, SMS, fax or automated calling systems, we will (as a general rule) obtain the Data Subject’s consent by means of a suitable (reversible) opt in provision. Where we obtain Personal Data directly from the Data Subject (e.g. as a result of a telephone call, or online capture) we give the notice to the Data Subject at the time we obtain their Data. Where we obtain Personal Data about a Data Subject from a third party source (e.g. an agent) we provide the data protection notice as soon as reasonably practicable after we have started Processing their Data (unless it would be a disproportionate effort to do so, in which case we will take appropriate measures to protect the Data Subject's rights, freedoms and legitimate interests, including making the notice publicly available).
Accordingly, where we act as a Data Processor for our SaaS customers, the obligation to issue any necessary data protection notices rests with our customer.
Lawful Processing
This is primarily an obligation for Data Controllers and for the most part only affects Array in the operation of our own internal business. Array will only process Personal Data where it is justified under one of the following conditions:
- the Data Subject has given his consent to the Processing for one more specified purposes, or
- the Processing is necessary:
- in order to enter into or perform a contract with the Data Subject
- for compliance with a legal obligation to that applies to Array (other than an obligation under a contract)
- in order to protect the vital interests of the Data Subject or another natural person (i.e. a life or death situation)
- for the purposes of legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
Processing Sensitive Personal Data
In addition, where Array processes Sensitive Personal Data, due to the sensitive and sometimes confidential nature of this category of Personal Data we will only process Sensitive Personal Data where it is justified under one of the following additional conditions:
- the Data Subject has given explicit consent to the Processing of those Personal Data for one or more specified purposes;
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Array or of the Data Subject in the field of employment law;
- Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent;
- Processing relates to Personal Data which are manifestly made public by the Data Subject;
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject;
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care services.
PRINCIPLE 2 – PURPOSE LIMITATION
The Legislation requires that Personal Data must be obtained by Data Controllers only for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with those purposes.
Accordingly, the purposes for which Array will process Personal Data as a Data Controller are set out below:
- Staff Administration
- Advertising, Marketing and Public Relations
- Advertising, Marketing and Public Relations on behalf of customers
- Accounts and Records
- Consultancy and Advisory Services
- Information and databank administration
- Array will not process Personal Data for any other purpose unless the Data Subject gives consent. Where Array acts as a Data Processor for a SaaS customer the responsibility for obtaining any such consent rests with the relevant SaaS customer.
More information about the purposes for which Array processes Personal Data is set out in the Privacy Notice.
PRINCIPLE 3 – DATA MINIMISATION
The Legislation requires that Personal Data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed and that it must be kept up-to-date.
To fulfil the requirement for Personal Data to be adequate, relevant and not excessive, Array ensures that when acting as Data Controller:
- we identify the Personal Data needed for a particular purpose and we collect the minimum amount required to properly fulfil that purpose
- we do not hold Personal Data on a ‘just-in-case’ basis or because we think it might be useful in the future except where a Data Subject consents, e.g. a prospective employee agrees to us retaining Personal Data should a suitable vacancy arise
- we keep Personal Data up to date, and
- we do not keep Personal Data for too long.
PRINCIPLE 4 – ACCURACY
When inputting Data onto our system in our capacity as a Data Controller, Array takes reasonable steps to ensure the Data is accurate and may contact Data Subjects for clarification if we are unsure as to the accuracy of certain information.
Array will not be in breach of this principle, even if we are holding inaccurate Data if:
- we accurately recorded those Data when we received them from the Data Subject or a third party
- we took reasonable steps to ensure the accuracy of those Data, and
- if the Data Subject has notified us that the Data are inaccurate, we have taken steps to indicate this fact.
Array takes reasonable steps to keep Data up-to-date to the extent necessary.
PRINCIPLE 5 – STORAGE LIMITATION
The Legislation requires that Personal Data processed for any purpose must not be kept for longer than is necessary for that purpose.
Array reviews the Personal Data it holds on a regular basis and, where relevant, securely removes any Data which is no longer required in connection with the purpose for which it was originally obtained. Securely removes means that any printed material is appropriately shredded or electronic media has the record removed from it relating to the subject including from backups, in a manner that the material is not normally retrievable.
Where Array acts as Data Processor and holds Data on its servers on behalf of its customers that the customer has input directly into Array’s system, the customer will be responsible for maintaining such Data and deleting any Data that is no longer required. Array will return or destroy all Data held on behalf of a SaaS customer in accordance with the terms of the relevant contract with that customer.
PRINCIPLE 6 – INTEGRITY AND CONFIDENTIALITY
The Legislation requires Array to take appropriate technical and organizational measures to safeguard Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Array has put in place a number of technical and organizational measures and procedures which we apply to Personal Data.
Details of our technical and organizational measures are available upon request.
Where Array uses third parties to process Personal Data on our behalf, they will be acting as our Data Processors and we will ensure that we:
- put in place a contract in writing with each of our Data Processors under which they agree to act only on instructions from us
- include the right to audit our Data Processors to ascertain compliance with the data protection requirements in their contract, and
- ensure that the Data Processor agrees to comply with obligations equivalent to those set out in this Policy.
3. DATA SUBJECT RIGHTS
We have summarised here the rights that Data Subjects may have under the Legislation, assuming that the GDPR and/or Data Protection Act 2018 apply. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
The rights described here should be exercised where we process Personal Data as a Data Controller. If we process Personal Data as a Data Processor, then the rights would be exercisable against the relevant Data Controller, not against us. For example, Array is a Data Controller with respect to the Personal Data of its employees, but is a Data Processor with respect to much of the data supplied by customers.
The principal Data Subject rights under the Legislation are:
- the right to access
- the right to rectification
- the right to erasure
- the right to restrict Processing
- the right to object to Processing
- the right to data portability
- the right to complain to a supervisory authority
- the right to withdraw consent.
Data Subjects have the right to confirmation as to whether or not we process their Personal Data and, where we do, access to the Personal Data, together with certain additional information. That additional information includes details of the purposes of the Processing, the categories of Personal Data concerned and the recipients of the Personal Data. Providing the rights and freedoms of others are not affected, we will supply to Data Subjects a copy of their Personal Data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
Data Subjects have the right to have any inaccurate Personal Data about them rectified and, taking into account the purposes of the Processing, to have any incomplete Personal Data about them completed.
In some circumstances Data Subjects have the right to the erasure of their Personal Data without undue delay. Those circumstances include: the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the Data Subject withdraws consent to consent-based Processing; the Data Subject objects to the Processing under certain rules of the Legislation; the Processing is for direct marketing purposes; and the Personal Data have been unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where Processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
In some circumstances Data Subjects have the right to restrict the Processing of their Personal Data. Those circumstances are: they contest the accuracy of the Personal Data; Processing is unlawful but they oppose erasure; we no longer need the Personal Data for the purposes of our Processing, but they require Personal Data for the establishment, exercise or defence of legal claims; and they have objected to Processing, pending the verification of that objection. Where Processing has been restricted on this basis, we may continue to store the Personal Data. However, we will only otherwise process it: with the Data Subject's consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
Data Subjects have the right to object to our Processing of their Personal Data on grounds relating to their particular situation, but only to the extent that the legal basis for the Processing is that the Processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If a Data Subject makes such an objection, we will cease to process the Personal Data unless we can demonstrate compelling legitimate grounds for the Processing which override their interests, rights and freedoms, or the Processing is for the establishment, exercise or defence of legal claims.
Data Subjects have the right to object to our Processing of their Personal Data for direct marketing purposes (including profiling for direct marketing purposes). If they make such an objection, we will cease to process the Personal Data for this purpose.
To the extent that the legal basis for our Processing of Personal Data is consent or that the Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the Data Subject's request prior to entering into a contract, and such Processing is carried out by automated means, the Data Subject has the right to receive the Personal Data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
If a Data Subject considers that our Processing of their Personal Data infringes the Legislation, they have a legal right to lodge a complaint with a supervisory authority responsible for data protection. For instance, they may do so in the EU member state of their habitual residence, their place of work or the place of the alleged infringement.
To the extent that the legal basis for our Processing of Personal Data is consent, Data Subjects have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of Processing before the withdrawal.
Data Subjects may exercise any of their rights in relation to their Personal Data by written notice to us.
4. OVERSEAS TRANSFERS
The Legislation requires that Personal Data must not be transferred from within the European Economic Area (i.e. the member states of the EU plus Iceland, Liechtenstein and Norway) to any place outside the EEA, unless appropriate safeguards are in place.
Array has offices across the world and, as a Data Controller and Data Processor, there may be occasions where it is necessary to transfer Data between these offices or to third parties to process Personal Data on our behalf. Array recognizes that in addition to complying with the rules on overseas transfers contained in the Legislation it will also be necessary to comply with the privacy laws as apply in each country.
5. CONFIDENTIAL INFORMATION
Array will keep relevant information (including Personal Data) it receives confidential in accordance with the confidentiality provisions in the Array terms and conditions.
6. CONTACTS AND RESPONSIBILITIES
In each of Array’s offices and internal departments, we have appointed “Data Owners” who are locally responsible for ensuring that employees within their department or area receive appropriate training and are working in compliance with this Policy. The Data Owners undertake regular assessments of Personal Data types and ensure that the right levels of protection are in place.
Array has appointed an overall Privacy Officer who is responsible for:
- acting as a key point of contact for data protection queries and the reporting of breaches for all Data Owners, employees, customers and Data Subjects
- monitoring and ensuring the compliance with this Policy across the whole of the Array group worldwide and dealing with any disputes which may arise concerning data protection issues
- conducting reviews of internal procedures to ensure that they continue to provide adequate protection of Personal Data
- improve security awareness and communicate information relating to this Policy to employees
- updating this Policy to reflect any changes in data protection laws
- registering with government agencies (such as the UK Information Commissioner’s Office).
If you have any queries regarding this Policy, please contact the Privacy Officer at legal@buildarray.com.
7. AMENDMENTS TO THIS POLICY
This Policy and its Schedules will be updated from time to time by the Privacy Officer to reflect any changes in legislation or in our methods or practices. The current issue of the Policy will be available from our website at www.launchcloud.com or from legal@buildarray.com who are responsible for data protection issues.