version 2.0 updated 24th June 2020
If you’d like to unsubscribe, access, amend or delete any information, please contact [email protected]
If at any time you are concerned or have questions about how we might be handling your data, please reach out to our Data Protection Officer at [email protected]
We will collect, store, use and disclose Personal Data (Personal Information) in accordance with all applicable laws relating to the protection of Personal Data, including the EU Data Protection Directive 95/46/EC, the EU General Data Protection Regulation 2016/679, the EU ePrivacy Directive 2002/58/EC as amended by Directive 2009/136/EC, the UK Data Protection Act 2018, the California Consumer Privacy Act (“CCPA”) as amended or superseded from time to time, and any national implementing legislation (“Data Protection Laws”).
2. Privacy principles
We adhere to the principles relating to the processing of Privacy & Personal Data.
a. Lawfulness, fairness, and transparency
We collect, process, and share Personal Data fairly and lawfully and for specified purposes. The law restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent processing, but ensure that we process Personal Data fairly and without adversely affecting the Data Subject.
We provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere.
We provide the Data Subject with all the information required by the law, including the identity of the Data Controller and Data Protection Officer, how and why we will use, process, disclose, protect and retain that Personal Data.
We check that the Personal Data was collected by the third party in accordance with the law and on the basis that contemplates our proposed processing of that Personal Data.
b. Purpose limitation
We collect Personal Data only for specified, explicit, and legitimate purposes.
We do not use Personal Data for new, different, or incompatible purposes from that disclosed when it was first obtained unless we have informed the Data Subject of the new purposes, and they have consented where necessary.
c. Data minimization
We collect Personal Data only for specified, explicit, and legitimate purposes. We do not further process in any manner incompatible with those purposes.
We do not use Personal Data for new, different, or incompatible purposes from that disclosed when it was first obtained unless we have informed the Data Subject of the new purposes, and they have Consented where necessary.
We take all reasonable steps to ensure that Personal Data is not incorrect or misleading as to any matter of fact and, where necessary, kept up to date. We correct or delete it without delay when inaccurate.
e. Storage limitation
We store Personal Data only for specified, explicit, and legitimate purposes. It is not further processed in any manner incompatible with those purposes.
f. Integrity and confidentiality (security)
We secure Personal Data by appropriate technical and organizational methods or measures against unauthorized or unlawful processing and accidental loss, alteration, destruction, or damage.
We implement appropriate technical and organizational methods or measures in an effective manner to ensure compliance with data protection principles, according to commonly accepted standards, laws, or internal regulations.
We are able to demonstrate compliance with data protection principles. We recognize new laws and regulations and adapt our activities to changes in the context or broad range framework or business environment.
We have adequate resources and controls in place to ensure and to document compliance with the law, including:
We keep and maintain accurate records reflecting our processing, including records of Data Subjects’ Consent and procedures for obtaining Consent. These records include, at a minimum, contact details of the Data Controller and the Data Protection Officer, descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place.
We ensure that all personnel have undergone adequate training to enable them to comply with data privacy laws. We regularly test our systems and processes to assess compliance with all of the regulations.
We do not share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place. We share the Personal Data internally if the recipient has a job-related need to know the information.
3. Information Collection
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. We may obtain and use the following Personal Data and/or Sensitive Data about you and anyone you choose to add to our platform:
We do not intentionally collect data which is, by its nature, particularly sensitive (e.g., genetic data, biometric data, data revealing racial or ethnic origin, political opinions, sex life, sexual orientation, religion or other beliefs, data concerning health, criminal background or trade union membership). All responsibility for providing data as above does not belong to Tester Work. Providing such data to our partners and other third parties or their processing in our services or infrastructure is considered unintentional, and we exclude all legal liability. We also exclude all legal liability in case of unauthorized access or accidental loss, damage, corruption, or disclosure of your Personal Data or Sensitive Personal Data that was provided by you directly to our Partners or Clients.
We represent and warrant that you:
The Customer may need additional Personal Data or Sensitive Personal Data to process the order. In such a situation, it is the Customer’s responsibility to obtain consent for such processing from you.
Regardless of the legal or factual relationship between two independent entities, Tester Work disclaims its liability for any non-compliance of standards, law, or GDPR resulting from a violation by independent entities. Tester Work reserves that it is not a participant in the relationship regarding the consent to the processing of sensitive data by either party. Nor shall it be liable for negligence, disclosures, or infringements even if they were caused by unintentional negligence in implementing Tester Work infrastructure security mechanisms, enabling the provision of data processing services. In this regard, you must carefully read our Policy, understand it, accept it, and follow the rules.
Cookies and IP Addresses
We may obtain information about your device, which includes your public IP address, browser type, and operating system where available. This accumulation of data is used to assist system administration.
We may also collect information regarding your browsing activity and interests through the use of a cookie file. This cookie file is stored on the hard drive of your device and contains information that is transferred to your computer’s hard drive. We use the collection of this data to help us improve the experience of users on our Website and Service, and to deliver more personalized service with more relevant content. The collection of this data allows us to:
We use the following cookies:
You can find more information about some of the individual cookies we use and the purposes for which we use them below. Example of cookies used by the Service:
We use the services of many providers of data analysis solutions; below we indicate the most important ones.
Social Media And Advertising Cookies
e.g. Facebook / YouTube / Google
We use Facebook and LinkedIn’s 3rd-party audience data such as age, gender, and interests to better understand the behavior of our customers and work with companies that collect information about your online activities to provide advertising targeted to suit your interests and preferences. For example, you may see certain ads on this Website or other websites because we contract with Facebook and other similar companies to target our ads based on information they or we have collected, including information that was collected through automated means (such as cookies and web beacons). These companies also use automated technologies to collect information when you click on our ads, which helps track and manage the effectiveness of our marketing efforts.
Google Analytics / AdWords / Security
We use Google Analytics’ / AdWords’ 3rd-party audience data such as age, gender, and interests to better understand the behavior of our customers and work with companies that collect information about your online activities to provide advertising targeted to suit your interests and preferences. For example, you may see certain ads on this Website or other websites because we contract with Google and other similar companies to target our ads based on information they or we have collected, including information that was collected through automated means (such as cookies and web beacons). These companies also use automated technologies to collect information when you click on our ads, which helps track and manage the effectiveness of our marketing efforts.
You may opt-out of the automated collection of information by third-party ad networks for the purpose of delivering advertisements tailored to your interests, by visiting the consumer opt-out page for the Self-Regulatory Principles for Online Behavioral Advertising at http://www.aboutads.info/choices/
We care about the safety and privacy of children online. Our Website and services are not designed or directed at children. We do not intentionally collect any personal information from persons under 18 years of age. If we become aware that we have inadvertently received personal information from a user under the age of 18, we will delete the information from our records according to the law (e.g., GDPR, CCPA, or the Children’s Online Privacy Protection Act of 1998 (“COPPA”)). If any of the laws is more severe, we will comply with it.
4. Use of Information
a. Why we use information
The rules for the processing of Personal Data, protection of privacy and freedom for private persons are clear to us, known and communicated to all our employees. We use the information for ethical and legitimate purposes, legal and responsible business conduct.
b. For what purpose we use Privacy Information (with regard to the CCPA) or Personal Data (with regard to the GDPR)
The Personal Data we hold about you may be used in any of the following ways:
We may also use your Personal Data to protect against and prevent fraud, claims, and other liabilities and to comply with or enforce applicable legal requirements, industry standards, and our policies and terms. We use Personal Data for these purposes when it is necessary to protect, exercise, or defend our legal rights, or when we are required to do so by applicable law.
5. Information Storing
Staff members operating within the EEA who work for or on behalf of us may process this information. Such staff members may, among other things, be involved in the processing of payment details, the provision of support services, and the delivery of your request(s) for us to provide the Service.
Without limiting the foregoing, you agree that Personal Data we obtain from you (including, without limitation, Client Data) may be processed by our service providers based in countries outside of the EEA for the purposes of providing you with the Service. Such countries may not have laws offering the same level of protection for Personal Data as those inside the EEA.
We store the Personal Data you provide us with on our secure servers. In the event of us giving you a password that grants you/them access to specific areas within our Website or Service, it remains your/their responsibility to maintain the confidentiality of this password. This includes the obligation to refrain from sharing your/their password with other parties. As the transmission of data via the Internet cannot be assumed completely secure, we cannot guarantee the security of any of your data transmitted to our Website or Service; you are therefore responsible for any risk associated with such transmission. We will however at all times take all reasonable steps to ensure the transmission of your data is executed as securely as possible, and upon receipt of your/their data, we will continue at all times to enforce strict security procedures and features in an attempt to prevent any unauthorized access.
6. Data Retention
7. Information Sharing and Disclosure
Disclosure of your Personal Data to third parties will only occur in any of the following events:
You acknowledge and agree that we may also disclose Personal Data (including, without limitation, Client Data) with:
Our service providers have to follow our express instructions when processing the Personal Data you provide and must have in place appropriate technical and organizational security measures to safeguard such Personal Data, and we do not allow them to use this information for their own commercial purposes.
If we do not process your Personal Data in accordance with our legitimate interest or based on a contractual obligation we have with you, we may share or disclose your Personal Data if you provide us with your affirmative consent.
8. Privacy Practices of Third Parties
We share the Personal Data we hold with third parties, according to our internal Supplier Security Policy and supplier security and privacy risk assessment, such as our service providers if:
9. Your Rights
a. The right to be informed
b. The right of access
You may email us at [email protected] to request a copy of the Personal Data we currently hold.
c. The right to rectification
You can correct the Personal Data we currently hold by emailing us at [email protected] to request that we correct or rectify any Personal Data that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect. Where applicable, we will ensure such changes are shared with trusted third parties.
d. The right to erasure
If you should wish to cease the use of our services and have your Personal Data deleted, then you may submit a request by emailing us at [email protected]. Upon receipt of such a request for erasure, we will confirm receipt and will confirm once your Personal Data has been deleted. Where applicable, we will ensure such changes are shared with trusted third parties.
e. The right to restrict processing
f. The right to data portability
g. The right to object
h. The right to consent
At any time, you may withdraw your consent to our processing of your Personal Data through our Websites by notifying us via email at [email protected]. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop processing your Personal Data. Where applicable, we will ensure such changes are shared with trusted third parties.
i. Rights in relation to automated decision making and profiling
Profiling is any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms, which require appropriate safeguards. Profiling and automated individual decision-making are also covered by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data.
We sometimes use automated decision making and profiling mechanisms based only on your explicit consent.
We use automated decision making and profiling mechanisms for:
The mechanisms are based on:
We carry out regular checks to make sure that our systems are working as intended in accordance with the purposes of Personal Data processing.
We have additional checks or controls in place for our profiling/automated decision-making systems to protect against discrimination or other unethical or unlawful activities.
We only collect the minimum amount of data needed and have a clear retention policy for the profiles we create.
We conduct a DPIA to consider and address the risks before we start any new automated decision-making or profiling.
At any time, you can ask us about our mechanism for automated decision making and profiling, and on what basis a decision is taken, by submitting a request via email to [email protected].
j. Exercising my right
You can exercise any of your rights by contacting us via email at [email protected].
We may need to request specific information from you to reasonably confirm your identity and verify that you are the person to whom the Personal Data belongs. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request and to exercise your rights.
You will not have to pay a fee to access your Personal Data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
10. Accountability and governance
Whenever we use a processor, there must be a written contract in place. If a processor uses another organization (i.e., a sub-processor) to assist in its processing of Personal Data for a controller, it needs to have a written contract in place with that sub-processor.
What we set up in the contract:
What is our documentation of processing activities:
If we process special category data, we document:
When preparing to document our processing activities we:
As part of our record of processing activities we document, or link to documentation, on:
We document our processing activities in a granular way with important links between the different pieces of information.
We conduct regular reviews of the Personal Data we process and update our documentation accordingly.
We document our processing activities in writing and electronic form so we can add, remove, and amend information easily.
We share the results of processing your data, but we do not provide the above documents.
c. Data protection and privacy “by design” and “by default”
We consider data protection issues as part of the design and implementation of systems, services, products, and business practices.
We make data protection an essential component of the core functionality of our processing systems and services.
We anticipate risks and privacy-invasive events before they occur and take steps to prevent harm to individuals.
We only process the Personal Data that we need for our purpose(s), and we only use the data for those purposes.
We ensure that Personal Data is automatically protected in any of our IT systems, Services, products, and/or business practices so that individuals should not have to take any specific action to protect their privacy.
We provide contact information of those responsible for data protection both within our organization and to individuals.
We offer strong privacy defaults and controls.
We only use data processors that provide sufficient guarantees of their technical and organizational measures for data protection by design.
When we use other systems, services, or products in our processing activities, we make sure that we only use those whose designers and manufacturers take data protection issues into account.
d. Data protection risk & impact assessment
Our information security & privacy risk assessment and Data Protection Impact Assessments (DPIA) process is based on international standards and best practices.
e. Data protection officers
We have appointed a Data Protection Officer (DPO) based on their professional qualities and expert knowledge of data protection law and practices.
Our DPO reports directly to our highest level of management and is given the required independence to perform their tasks.
We involve our DPO, in a timely manner, in all issues relating to the protection of Personal Data.
We ensure that any other tasks or duties we assign our DPO do not result in a conflict of interest with their role as a DPO.
Our DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits.
We take account of our DPO’s advice and the information they provide on our data protection obligations.
When carrying out a DPIA, we seek the advice of our DPO, who also monitors the process.
When performing their tasks, our DPO has due regard to the risk associated with processing operations and takes into account the nature, scope, context, and purposes of the processing.
Our DPO is easily accessible as a single point of contact for our employees, individuals, partners, contractors, third parties, and the regulator.
We develop, implement and maintain an Information Security & Privacy Management System aligned with ISO 27001 standards and safeguards appropriate to our size, scope, and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Anonymization where applicable). We regularly evaluate and test the effectiveness of those safeguards to ensure the security of our processing of Personal Data. We exercise particular care in protecting Sensitive Personal Data from loss and unauthorized access, use, or disclosure.
We maintain data security by protecting the confidentiality, integrity, and availability of the Personal Data, defined as follows:
We comply with, and do not attempt to circumvent, the administrative, physical, and technical safeguards we implement and maintain in accordance with the law and relevant standards to protect Personal Data.
12. Incident response and breach reporting
We have put in place procedures to deal with any suspected security incident and Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.
If you know or suspect that a security incident or Personal Data Breach has occurred, immediately contact us via email at [email protected]. You should preserve all evidence relating to the potential security incident and Personal Data Breach.
13. International Transfers of Personal Information
Information we collect from you will be processed mainly in the EEA, but could be processed outside the EEA, depending on the purpose of processing. Whenever Personal Data is transferred outside the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
You can check how the EU determines if a non-EU country has an appropriate level of data protection by clicking the link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
You can read about the EU-US Privacy Shield for the commercial sector by clicking the link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
If Personal Data is transferred outside the EU for doing business by Tester Work in other legal jurisdictions, then EU law and the law of the relevant jurisdiction apply jointly. If they diverge, the more stringent one is used.
14. Links to Other Sites
We may, at times, provide links on our Website to third party websites, including without limitation those owned or managed by our partner networks, affiliates, or advertisers. These websites have separate privacy policies, and we, therefore, cannot accept any responsibility for the content. As such, choosing to follow these links is a choice you make at your own risk, and we advise that you check these websites’ individual privacy policies before submitting any Personal Data.
15. California Residents – The Privacy Rights (CCPA Privacy Notice)
a. Right to Know/Right to Access General Collection and Use of Personal Information
If you are a California resident, you have the right to request that we disclose what information we have collected, used, disclosed, or sold over the past 12 months. Once we receive and confirm your verifiable request, we will disclose to you, based on your specific request:
If we disclosed your personal information for a business purpose, the personal information categories that each category of recipients obtained. If we sell your personal information for a business purpose, the personal information categories that each category of recipients purchased.
b. Right to Request Deletion
If you are a California resident, you have the right to request that we delete any of your personal information that we have collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will delete your personal information from our records, and direct our service providers to do the same, unless an exception applies.
c. Right to Opt-Out of Sale of Personal Information
If you are a California resident and are 16 years old or more, you have the right to direct businesses that sell personal information to not sell your personal information.
d. Right to Opt-In to Sales of Personal Information for Minors Under 16
We do not intentionally process personal information of children under 18 years old.
e. Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights.
f. Financial incentives
We do not offer financial incentives permitted by the CCPA.
Under the CCPA, if you are a California resident, we could offer you certain financial incentives permitted by the CCPA, or different prices, rates, levels, or quality of goods or services that are reasonably related to your personal information’s value to the business.
g. Exercising Your Right to Know
If you are a California resident, you can exercise the right to know/right to access information. You or your authorized agent may submit a verifiable request via email at [email protected].
You may only make a verifiable request to know or request for access twice within a 12-month period. The verifiable request must include information that allows us to reasonably verify you are the person about whom we collect personal information or an authorized representative and describe your request in enough detail that we can properly understand, evaluate, and respond to it.
If we are able to verify your request, we will make our best effort to respond within forty-five (45) days of our receipt of your request. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. We will not disclose information to you if we cannot verify your identity.
You will not have to pay a fee to access your Personal Data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
h. Exercising Your Right to Request Deletion
If you are a California resident, you can exercise the right to request deletion. You or your authorized agent may submit a verifiable request via email at [email protected].
If we are able to verify your request, we will make our best effort to respond within forty-five (45) days of our receipt of your request. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. In our response, we will specify the manner in which we have deleted your personal information. We will not delete information if we cannot verify your identity.
i. Do Not Sell My Personal Information – Exercising Your Right to Opt-Out of Sale of Personal Information
For California residents to exercise the right to opt-out if we engage in selling your personal information, you or your authorized agent may submit a request via email at [email protected].
We will act upon your request to opt-out within 30 (thirty) days of receiving the request. We will instruct the third parties to whom the information has been sold in the 30 days prior to your request not to further sell the information, and we will notify you when this instruction has been completed.
We will not act upon a request from authorized agents if the agent does not submit proof that the agent has been authorized by you to act on your behalf. We will not act upon a request if we believe it is fraudulent.
j. How We Verify California Residents’ Requests to Know/Requests for Access and Requests for Deletion
We will not respond to requests to know/requests for access or requests for deletion unless we can verify your identity to a reasonable degree of certainty. To verify your identity, when feasible, we will use information about you that we already have; however, we may need to request additional information, which we will use only for the purposes of verification. We may also use a third-party identity verification service. The information we need to verify your request will depend on the nature and scope of your request. Upon receipt of your request, we will notify you if we need additional information from you to verify your request.
k. Sale of Personal Information
We do not sell your personal information.
16. Periodic review, changes to this Policy or procedures related to the Policy
We conduct periodic reviews, not less than every 12 months, of the Policy, Information Security & Privacy System Management, and documentation. A review is mandatory after changes in the nature, scope, context, or purposes of the processing of Personal Data. In all aspects of this Policy, the reviewer must demonstrate independence, knowledge, and experience with regard to Personal Data protection.
We update the Policy every 12 months and any time there are material changes to the nature, scope, context, or purposes of the processing.
If at any time we make a change to this Policy, we will update this page to reflect such change. If we make material changes to how we treat your Personal Data, we will notify you by email and through a notice on this page; however, we recommend you review this page periodically to ensure you are up to date with the latest version.
The date the Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you.
17. Contact Us
We are monitoring the current developments with regards to UK Brexit and regulations that may arise.
Right now, the UK is still subject to the EU’s GDPR. The UK has its own version of the GDPR, the Data Protection Act 2018. There are no plans to repeal this law post-Brexit, but some changes are possible (see https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779335/Keeling_Schedule_for_GDPR.pdf).
You could check Brexit and data privacy impact in The Information Commissioner’s Office clicking the link: