Birdietime Data Protection Policy
Updated May 23, 2018.
This policy on processing of personal information (‘Data Protection Document’) defines the terms on processing personal information between Birdietime Innovations Ltd (‘Provider’) and golf professionals and other service providers (‘Customer’) utilizing Birdietime’s systems to offer their services.
If there is an agreement between the Provider and the Customer, and the agreement or its other appendices are in conflict with this Data Protection Document, this Data Protection Document will take precedence over the agreement, regardless of what has been included in the agreement or its other appendices. The terminology used in this Data Protection Document is equivalent to that of the European Union General Data Protection Regulation (EU 2016/679). The Provider has the right to change these terms if the change is justified by changes in the legislation, in the interpretation of the legislation, or in the Provider’s business or operational environment.
Controller and the Processor of the Personal Data
The Provider will process the personal data defined in this Data Protection Document and the personal data register to be formed as the processor of the personal data on the Customer’s behalf. The Customer remains the actual processor. The Provider will act according to the purpose defined by the Customer and according to the Customer’s instructions.
The purpose of the personal data register is to enable
- The collection of the data of persons having registered to the events arranged by the Customer to the extent that is necessary to arrange the event;
- Processing the data produced by any eventual surveys;
- Analysis of the data described above to the extent the Customer defines within the limits of the legislation.
Personal Data Collection
The Customer will define what data will be collected for the specific event. The Provider collects and files the data pertaining to a specific event as defined by the Customer in accordance with the policy drafted by the Customer on processing of personal data. This information may be the name, contact details and if needed, age, gender and other data necessary to register, participate and pay for the event (‘Personal Data’).
Personal Data Processing Policy
The Customer is responsible for having the right and consents to process personal data. The Customer is responsible for verifying the age of the registered client. The Customer is responsible for drafting a policy regarding the processing of the personal data, keeping it available and informing the registered persons about the policy. The Provider is responsible for processing the Personal Data in compliance with the appropriate IT security processes and only in compliance with the legislation in force and the specifications made by the Customer in the Birdietime systems. The Provider is obligated to inform the Customer if, according to the Provider’s assessment, the instructions given by the Customer are against the legislation.
The Personal Data register and the Birdietime system are located within the EU, but the Provider does not guarantee that all the data transfer between the Customer or the registered person and the Provider will occur within the EU.
The Provider will help the Customer to comply with the requirements set by the General Data Protection Regulation to the processor. The Provider has a right to charge a reasonable fee for the assistance, if it requires action deviating from the normal operations of the Provider.
The Personal Data is removed at the latest upon the Customer’s request or the termination of the agreement, unless the Personal Data is necessary to be filed for a longer period for example due to payment transfers, other reason pertaining to the Provider’s legitimate benefit or required by legislation. The Provider will return all Personal Data to the Customer once the Customer so requires before the data has been removed in the normal procedure described above. The Provider may file and use during the processing and afterwards the data produced by means of anonymisation to develop their operations and products. Anonymisation means editing the data in a way that persons cannot be identified from it by any measure.
The Provider ensures that Personal Data is processed only by people who have committed to hold the information confidential. The Customer agrees to processing the Personal Data at the discretion of the Provider by others than the Provider and its staff. If the data is processed by such third party, the Provider ensures that the third party in question is committed to the responsibilities of this Data Protection Document.
Rights of the Registered Person
The Provider will assist with the application programming interface it provides the Customer to fulfill the obligation of a processor to answer any requests concerning the use of the rights of a registered person, and will help the controller to ensure that, taking into consideration the nature of the Personal Data, the safety of the processing is adequate. The Provider will inform the Customer immediately of data protection breaches that have come to its knowledge and will inform the registered people, if possible.
Ensuring Data Protection
The Provider will deliver upon the Customer’s request the necessary documentation and will allow audits as well as assist in the audits to prove that the Provider is in compliance with the requirements of this Data Protection Document. The auditor must commit to keep confidential all information it has required during the audit. The Provider is entitled to refuse an audit, if the auditor is a direct or indirect competitor of the Provider or a party whose expertise or trustworthiness can be reasonably doubted. The Customer is responsible for all costs related to an audit. The Provider will address all data protection authorities’ inquiries related to the Customer. The Provider does not represent the Customer or act on behalf of the Customer in issues related to data protection.
Liability for Damages
Any eventual liability for damages or the restrictions to the liability are defined in the General Data Protection Regulation (EU 2016/679).
The Provider ensures that the documented risk management and data security processes are applied to processing of Personal Data. The Provider will perform all administrative and technical actions required by the data protection legislation and this Data Protection Document to protect Personal Data it processes. Taking into consideration the sensitivity of the Personal Data the Customer has defined and their risk level, the Provider will protect the systems and data communication with appropriate data security solutions to ensure that the confidentiality, integrity and accessibility are guaranteed until the Personal Data has been removed from the Provider’s system.