For the purpose of data management activities defined in this Notice (“Notice”), the data controller is the Intellectual Property LLC (seat: 16192 Coastal Highway, Lewes, Delaware 19958, USA; e-mail: [email protected]; hereinafter “Data Controller”).
Data management performed by the Data Controller is primarily governed by the laws of the USA. In case of data management performed within the EU, the General Data Protection Regulation of the European Union also applies (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) on the protection of natural persons with regard to the management of personal data and on the free movement of such data, and repealing Directive 95/46/EC; hereinafter “GDPR”).
The scope of this Notice shall cover the data management activities of the Data Controller. The scope of this Notice shall only cover data management activities subject to the provisions of the GDPR.
Based on the GDPR, personal data means any information relating to an identified or an identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
For the purposes of data management performed within the scope of this Notice, data subject shall be any person who contacts the Data Controller.
The scope of this notice shall only cover data management performed by the Data Controller.
The primary purpose of data management is to establish and maintain a relationship between the data subject and the Data Controller. The purposes of data management shall include the following:
Considering that the Data Controller manages personal data for several reasons, the legal basis for data management may vary. The key legal bases for data management are listed below.
Consent granted by the data subject (GDPR Article 6 (1) Point (a))
In certain cases data management is based on a consent given by the data subject. The data subject grants his consent by contacting the Data Controller. Consent shall be given in each case on a voluntary basis, however, if consent is not granted it may result in the failure of creating any legal relationship between the data subject and the Data Controller.
Contract entered upon by the Data Controller and the data subject (GDPR Article 6 (1) Point (b))
If the data subject enters into a contract with the Data Controller, or initiates to conclude such contract, he shall provide his data in the contract and in the related forms that are required for fulfilling the related contract. In the case specified in this section, processing is necessary for performing the contact and for taking the steps at the request of the data subject according to the relevant section of the GDPR.
Fulfilment of legal obligation (GDPR Article 6 (1) Point (c))
In certain cases processing is necessary for compliance with a legal obligation.
The Data Controller shall primarily collect data directly from the data subject. The Data Controller shall only collect data from other sources, if the data subject has granted his consent thereto, or authorisation for data collection is given by any relevant legislation.
The Data Controller shall process the data given by the data subject: name, e-mail address, phone, other information given by the data subject relating the services and/or the activity of the Data Controller.
The Data Controller shall only transfer personal data to any third party, if the data subject has expressly given his consent thereto, being aware of the type of data transferred and of the identity of the recipient, the contract between the Data Controller and the data subject provides legal basis, or if the data transfer is authorised by law.
The Data Controller shall have the right to employ a data processor for performing its activities. Data processors shall not make independent decisions, and they shall perform their data processing activities on behalf of the Data Controller according to the written contract signed with the Data Controller and as specified in the contract, and by following the instructions given by the Data Controller. The Data Controller shall supervise the work performed by the data processors. Data processors may only employ further data processors with the consent of the Data Controller. The Data Controller shall provide information about the data processors engaged.
The Data Controller shall ensure the protection of data security, and shall take the technical and organisational measures, and shall work out those procedural rules that are necessary to ensure compliance with data security requirements. The Data Controller shall keep records of the data managed by it according to the applicable legislations, ensuring that access to such data shall only be given to those employees and other persons acting for and on behalf of the Data Controller, who need to know such data based on their position, or for performing their work. Access to the personal data of data subjects shall only be given to those persons working within the organisation of the Data Controller, who need to know those for performing their work. All employees are required to treat such data confidentially.
In particular, the Data Controller shall ensure the following within the scope of its responsibilities related to IT protection:
The Data Controller shall take the necessary measures to provide protection for hard copy records, in particular, for ensuring the physical safety of and fire protection for such records.
Employees, agents and other persons acting for and on behalf of the Data Controller shall be obliged to ensure the safe keeping and appropriate protection for data carriers containing personal data used by or entrusted to them, regardless of the method by which such personal data have been recorded.
The Data Controller shall ensure by developing and complying with data deletion rules that the duration of data management should not exceed the required and lawful retention period. Data shall be deleted in the following cases:
When deletion of data is performed, the Data Controller shall make such data unidentifiable. If the law requires so, the Data Controller shall arrange for the destruction of the data carrier containing personal data.
Information (access). The data subject shall have the right to receive information about the management of his data. The Data Controller shall inform the data subject about data management at the time of recording such data, and this Notice shall be available to him at any time. The data subject may request full information about the management of his data during the data management process. The data subject may request The Data Controller to give him a copy of the affected data.
Correction. The data subject shall have the right to request The Data Controller to correct inappropriate data related to him, and to supplement incomplete data.
Deletion, withdrawal of consent. The data subject shall have the right to withdraw at any time his consent given to data management, and may request the deletion of his data. The Data Controller shall only reject such request, if data management is based on legal requirement, or if data management is necessary for the submission, enforcement or protection of any legal claim.
Restriction. The data subject shall have the right to restrict the management of data in the following cases:
If data management is restricted, with the exception of data storage, the affected personal data may only be managed with the data subject’s consent, or may only be used for the purposes of submitting, enforcing or providing protection for any legal claim, or for the protection of the rights of any natural person or legal entity, or for pursuing the important public interests of the European Union or of any member state.
Objection. If data management is necessary for pursuing the legitimate interest of The Data Controller or any third party, the data subject shall have the right to object to the management of his personal data at any time for reasons related to his own circumstances. In this case, the data controller shall not continue the management of data, unless, the data controller provides evidence that data management is justified by such compelling legitimate reasons, which are given priority over the data subject’s interests, rights and freedoms, or are related to the submission, enforcement or protection of any legal claim. If data management is performed for the purpose of gaining direct business opportunities, the data subject shall have the right to object to the management of his personal data at any time.
Data portability. The data subject shall have the right to receive his personal data in a segmented, widely used machine readable format, and shall be also entitled to transfer such data to another data controller, provided that data management process is performed automatically. If technically feasible, the data subject shall have the right to request the direct transfer of his personal data to another data controller.
The data subject may submit its request for exercising his rights in any form to The Data Controller (whether orally, or in writing). The Data Controller shall promptly assess such request, make a decision on the fulfilment thereof, and shall take the necessary measures. The Data Controller shall inform the data subject about the measures taken within one month. The information given shall in each case include the action taken by The Data Controller, or the information requested by the data subject. If The Data Controller rejects such request (fails to take the necessary actions required for the fulfilment of the request), the information supplied shall include the ground for rejection, the related reasons and the available legal remedies.
The Data Controller shall not make the fulfilment of the request conditional on the payment of any fee or the reimbursement of any cost.
If it is uncertain whether the request has been made by the data subject due to the given circumstances, or the method of submission, The Data Controller may request the data subject to verify his eligibility, or to submit the request by such method so that the eligibility can be clearly established.
The Data Controller shall inform all recipients about such correction, deletion or restriction imposed on data management, to whom the affected personal data was transferred, unless this is deemed impractical, or would involve disproportionate effort. At the data subject’s request, it shall inform the data subject about such recipients.
In the event that the data subject’s rights have been infringed, he may request The Data Controller to terminate such unlawful data management, and to assess the data management process, and consider the rejection of the data subject’s request. The Data Controller shall in each case examine all such complaints lodged by the data subject, and shall inform the data subject about the related outcome.
The data subject may also file his complaint directly to the competent data protection authority.