Rebura LTD – PRIVACY NOTICE (EFFECTIVE DATE: 23rd June, 2021)
IMPORTANT NOTICE FOR UK/EU/EEA PERSONS REGARDING BREXIT:
THE UNITED KINGDOM (‘UK’) LEFT THE EUROPEAN UNION (‘EU’) AND EUROPEAN ECONOMIC AREA (‘EEA’) EFFECTIVE 31 JANUARY 2020 (‘BREXIT’) AND A ‘TRANSITION PERIOD’ EXTENDING EU/EEA DATA PROTECTION OBLIGATIONS IN THE UK EXPIRED ON 31 DECEMBER 2020. EFFECTIVE 1 JANUARY 2021 UNTIL 30 APRIL 2021, PER THE TRADE AND COOPERATION AGREEMENT BETWEEN THE EU, EEA, AND UK, 31 DEC. 2020, 2020 O.J. (L 444) 14, PART 7 FINAL PROVISIONS, ART. FINPROV.10A (THE ‘TCA’), TRANSFERS OF EU/EEA PERSONAL DATA TO THE UK SHALL CONTINUE TO FOLLOW THE EU GENERAL DATA PROTECTION REGULATION (EU) 2016/679 AS IT EXISTED ON 31 DECEMBER 2020 (‘GDPR’) UNTIL SUCH TIME AN EU ADEQUACY DECISION IS REACHED REGARDING TRANSFERS OF PERSONAL DATA TO THE UK (THE ‘BRIDGING MECHANISM’). IF AN ADEQUACY DECISION IS NOT REACHED BY 30 APRIL 2021, UNLESS A TCA PARTY OBJECTS, THE BRIDGING MECHANISM IS AUTOMATICALLY EXTENDED UNTIL 30 JUNE 2021. ACCORDINGLY, REBURA LIMITED (AS DEFINED BELOW) SHALL CONTINUE TO FOLLOW THE GDPR (AS DEFINED BELOW) AND NO CHANGES SHALL BE MADE TO THE FOLLOWING PRIVACY NOTICE WITH RESPECT TO THESE DATA TRANSFERS UNTIL SUCH TIME AN ADEQUACY DECISION IS REACHED, THE BRIDGING MECHANISM EXPIRES, OR A FURTHER INTERNATIONAL AGREEMENT IS MADE BETWEEN THE TCA PARTIES. PLEASE CHECK THIS PRIVACY NOTICE PERIODICALLY FOR UPDATES.
I. Introduction. Your privacy is important. This Privacy Notice (the “Privacy Notice,”) together with its addendums, our Terms and Conditions and any other documents referred to in this Privacy Notice or the Terms and Conditions explains how we comply with applicable privacy requirements and sets out minimum standards for how we deal with all personal data that we collect from you, or that you provide to us including via this website and any other websites or applications of Rebura Holdings Limited (United Kingdom) and its subsidiaries (collectively, the “Websites”). Rebura Holdings Limited (United Kingdom), its subsidiaries and our applicable affiliates (collectively, “we,” “us,” “our,” or “Rebura”) include Rebura Limited (United Kingdom), Rebura Inc. (USA), and the Jefferson Frank brand of Frank Recruitment Group Services Limited (United Kingdom). For more information on the privacy practices of our other affiliates not subject to this Privacy Notice including those which operate under Frank Recruitment Group Services Limited (United Kingdom) not mentioned here and its applicable affiliates, please see https://www.frankgroup.com/privacy-notice/.
This Privacy Notice sets out the basis on which we collect, store, use and disclose personal data we receive in writing, through our Websites or through the consulting services that we provide. It therefore applies to personal data that you provide to Rebura telephonically, electronically (including email) and in person.
This information may be updated from time to time, and should be read in the context of any additional specific information such as that provided in privacy policies applicable to specific businesses or local areas as displayed on the relevant Website or distributed to you from time to time.
This Privacy Notice also informs you how we obtain and use information gained by us through your use of the Websites, including by using “cookies” and third party vendors.
Please read the following carefully to understand our views and practices regarding your personal data, how we will treat it and your rights.
This Privacy Notice applies to Rebura globally. The first part of the policy is general and applies globally. The second of the Privacy Notice is comprised of country-specific addendums, and where applicable, Rebura will handle Personal Data relying on certain exemptions under local law. Please be sure to check the addendums below to see if there is one that applies to your country or local jurisdiction. In the event of a conflict between the general part of this Privacy Notice and an addendum, the addendum prevails.
II. Who are we?
Rebura is one of the fastest growing AWS Consulting Partners, AWS End User Computing (EUC) Partners, and AWS Solutions Providers in the world. We are a one-stop-shop for all of your AWS support, cost-optimization, and consulting needs (“AWS Services”).
If you want to contact Rebura or any of its group companies, please click here.
You can contact Rebura’s Chief Privacy Officer (“CPO”) by emailing email@example.com or by sending written correspondences here:
The St. Nicholas Building
St. Nicholas Street
Tyne & Wear U.K. NE1 1RF
Attn: Chief Privacy Officer
III. Who does this Privacy Notice protect?
This Privacy Notice protects individuals throughout the world who access our Websites or receive AWS services from us. This also includes individuals who are employed by an actual, former or prospective Rebura client. A Rebura “client” is one of (a) a business that Rebura has contracted with to provide AWS services or is in the process of doing so, (b) a business that Rebura may solicit with the intention of providing AWS services or (c) a business to whom Rebura may provide relevant AWS services information. Additionally, Rebura acts as the data controller for Personal Data (as defined below) obtained concerning those protected under this Section III. Notwithstanding the forgoing, Rebura and/or Rebura Limited acts as the data processor for Personal Data (as defined below) obtained concerning those protected under this Section III during the provision of AWS services.
IV. What information will we collect?
Some of the data that we collect and receive from you is personal data which means that it is information that could personally identify you (“Personal Data” or “PII”). The Personal Data that we may collect from all users of our Websites and users of our recruitment services may include any of the following:
V. Why do we process your Personal Data?
Generally, we use your Personal Data for our business and activities, and in our efforts to expand and improve our business. Examples include:
A. All users of the Websites and/or our services
a) To provide our AWS services to you, your employer or your company;
b) To facilitate the AWS services process, including but not limited to:
B. Entities or individuals who solicit or participate in AWS Consulting
VI. Who do we send your Personal Data to?
A. All users of the Websites and/or our services
VII. What will Rebura do if my Personal Data is breached?
Rebura has put in place reasonable technical, administrative and physical safeguards intended to prevent a breach of your Personal Data. That being said, Rebura cannot guarantee that your Personal Data will not be breached.
A breach can take many forms, including, without limitation, the loss of your Personal Data or the unauthorized access to, disclosure, modification, copying and transfer of your Personal Data.
Once Rebura becomes aware of the breach, Rebura will take reasonable steps to isolate the breach, stop the breach, determine the root cause, determine the Personal Data breached, fix the root cause and determine if notice to you and/or the appropriate government agency(ies) is required. Rebura will comply with all applicable law in reacting to, and dealing with, a breach of Personal Data.
If you believe, for any reason, that your Personal Data has been breached while in Rebura’s care, custody or control, please email Rebura immediately at firstname.lastname@example.org.
If Rebura obtains your Personal Data from someone other than you, this Privacy Notice includes all information required under applicable law except that Rebura shall not provide you with this information if you already possess this information, providing you with such information is against (or not mandatory under) applicable law, is subject to an obligation of professional secrecy, proves impossible, would involve a disproportionate effort or would render impossible or seriously impair the achievement of the objectives of the processing, in which case, Rebura shall take appropriate measures to protect your rights, freedoms and legitimate interests. If you have any questions, please contact Rebura at email@example.com.
VIII. Will my Personal Data be transferred to another country?
Yes, Rebura may transfer your Personal Data to the categories of third parties described in this Privacy Notice, some of whom are located outside of the country in which you provided your Personal Data to Rebura or the country of collection.
If so, Rebura will take reasonable steps to ensure that your Personal Data is protected and treated in accordance with this Privacy Notice and local applicable law. The countries where Rebura may transfer your Personal Data will have varying levels of data security practices and laws, some of which may be less stringent or protective than your country. Rebura will use all reasonable efforts to require that any of its suppliers and vendors who receive your Personal Data are contractually bound to (a) keep your Personal Data confidential and (b) take, at a minimum, reasonable efforts to maintain the privacy and security of your Personal Data.
Under certain circumstances, Rebura may share your Personal Data with one or more of its group companies who may be located in a country other than yours or other than the country in which Rebura collected your Personal Data. In such cases, Rebura will comply with applicable laws and its Intercompany Data Processing Agreements (“DPAs”). The DPAs are incorporated by reference into this Privacy Notice.
IX. How long will Rebura store my Personal Data for?
We are required by applicable law to store your Personal Data for as long as is necessary to comply with our legal, regulatory and contractual obligations. This period of time will vary based on the law in your country and in the country where Rebura stores your Personal Data.
In addition, Rebura will keep your Personal Data for the identified purposes until it reasonably believes that it no longer needs it, that there is no reasonable chance that you, your employer or your company will do business with Rebura, and there is no reason to believe that we will need the Personal Data for any special circumstances such as the issuance or defence of legal proceedings, audit, investigation or collections.
X. Sending Rebura Personal Data over the internet
Your Personal Data is held on servers hosted by us, our internet services providers or third party vendors with whom Rebura has a contract. The transmission of information via the internet is not completely secure. Although we will take the efforts set forth in the Privacy Notice to protect your Personal Data, we cannot guarantee the security of any data transmitted through or to our Websites. Any transmission of data by you to us over the internet is at your own risk.
XI. How we collect and aggregate information about visitors to our Websites
We also collect information about the way job seekers and visitors use the Websites in order to improve our services, to understand our users better, and to determine aggregate trends, most popular pages, etc. By using the Websites, you agree that we may share de-identified aggregate data with selected third parties to assist with these purposes. We may also undertake marketing profiling to help us identify candidates, clients, or jobs which may be of interest to you. We may process Personal Data that you submit to us through the Websites under one or more of the permissible bases for processing Personal Data set forth in the Privacy Notice.
XII. Technology and Tools
Like many companies, we use technology and tools that tell us when a computer or device has visited or accessed our content. Those tools include services from search engines and other companies that help us to tailor our products and services to better suit our clients and potential clients. Search engines provide facilities to allow you to indicate your preferences in relation to the use of those tools in connection with computers and other devices controlled or used by you.
We also set out further information below about Cookies and Web Beacons.
A. What are cookies?
A “cookie” is a piece of information that is stored on your computer’s hard drive and which records your navigation of a website so that, when you revisit that website, it can present tailored options to you based upon the stored information about your last visit. You can normally alter the settings of your browser to prevent acceptance of cookies.
Cookies are used are many, many websites, including Rebura’s Websites.
We use “cookies” and plug ins to: (1) make the Websites function properly and as a user would normally expect of a commercial website; and (2) monitor Website user traffic patterns and Website usage. Our use of these tools helps us to understand how our users use our Websites so that we can develop and improve the design, layout and functionality of the Websites and to provide more efficient and relevant services to you.
C. There are different kinds of cookies with different functions.
The cookies we use are explained below:
The Rebura Websites use personalisation cookies to help us to advertise jobs that we think may be of interest to you. These cookies are persistent and mean that when you log in, or return to, the particular Rebura Website, you may see advertising for jobs that are similar to jobs that you have previously browsed.
For information on how to reject these personalisation cookies, see Section E below
D. Cookies and Plug-ins set by Rebura or Third Parties used by Rebura
For our Rebura Websites generally:
This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user’s browser supports cookies.
This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
The cookie is set by Facebook to show relevant advertisements to the users and measure and improve the advertisements. The cookie also tracks the behaviour of the user across the web on sites that have Facebook pixel or Facebook social plugin.
This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
This cookie is set by the Google Analytics. This cookie is used for tracking the signup commissions via affiliate program.
This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
The cookie is set when the visitor is logged in as a Pardot user.
This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
This cookie is set by LinkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
This cookie is set by LinkedIn and used for routing.
This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
This cookie is set by Hotjar. This cookie is set when the client first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behaviour in subsequent visits to the same site will be attributed to the same user ID.
LinkedIn – Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.
This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
E. How to reject cookies
If you don’t wish to receive cookies that are not strictly necessary to perform basic features of our Websites, you may choose to opt out of them by selecting the appropriate box at the bottom of any of the Websites, in a link called “Cookie Preferences.”
Note that most web browsers will accept cookies, but if you would rather that we did not collect data in this way you can choose to accept or reject some or all cookies in your browser’s privacy settings. Rejecting all cookies means that certain features of the Website(s) cannot then be provided to you and accordingly you may not be able to take full advantage of all our Websites’ features. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences.
For more information generally on cookies, including how to disable them or change cookies’ settings, please refer to aboutcookies.org (http://www.allaboutcookies.org/). You will also find details on how to delete cookies from your computer. Find out how to manage cookies on popular browsers:
To find information relating to other browsers, visit the browser developer’s website.
To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.
F. Web Beacons
Rebura may use or include web beacons in emails or other electronic communications that Rebura sends to you. We use web beacons to help us analyze the effectiveness of our communications to you. For example, we may use web beacons to understand when and if you opened our email, how many times you opened the email, if you have forwarded the email to another email address, or if you clicked on a link in an email that we sent to you. The web beacons do not collect or give us your PII but they do provide information to us about your actions after receiving a communication from us. If you would like to stop receiving emails with web beacons from us, you may unsubscribe by clicking the “Unsubscribe” link in the email or by emailing firstname.lastname@example.org. However, you may receive auto generated emails from Rebura after you create an account on the Websites or take some other affirmative action on the Websites which contain web beacons but do not contain an “Unsubscribe” link. In those cases, just simply email email@example.com if you would like to stop receiving emails from Rebura with web beacons.
Also, Rebura works with third parties to help manage online advertising who embed web beacons in online job postings and job advertisements that Rebura requests these third parties to post online. These web beacons allow third parties to obtain information such as the IP address of the computer that downloaded the page on which the beacon appears, the URL of the page on which the beacon appears, the time the page containing the beacon was viewed, the type of browser used to view the page, and the information in cookies set by a third party such as Google Analytics. These files enable Google Analytics to recognize a unique cookie on your web browser, which in turn enables third parties to learn which advertisements bring users to our Websites or websites on which third parties placed our advertisements. The cookie on your web browser was placed by third party advertisers who work with Google Analytics. With both cookies and web beacon technology, the information that Google Analytics (either directly, see cookie/plug-in chart above) or third parties collects and shares with us is anonymous and not personally identifiable. It does not contain your name, address, telephone number, or email address. For more information about Google Analytics, including information about how to opt out of these technologies, go to www.google-analytics.com.
XIII. Links to other websites
Please note that clicking on links and banner advertisements and RSS (Rich Site Summary) feeds may result in your transfer to another website, where data privacy practices may be different than described in this Privacy Notice. It is your responsibility to check other website privacy notices and policies to ensure that you are happy for your personal information, including Personal Data, to be used in accordance with those third parties’ privacy notices and policies. We accept no responsibility for, and have no control over, third party websites, links, adverts or RSS feeds or information that is submitted to or collected by third parties.
XIV. Changes to our Privacy Notice
We reserve the right to change this Privacy Notice from time to time by updating this Privacy Notice on our website. Any changes to this Privacy Notice or any of its addendums will be posted on this Website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. We encourage you to check this Website frequently for updates. Your continued use of this Website or any Rebura services shall constitute your acceptance of the revised Privacy Notice.
Rebura will interpret and enforce this Privacy Notice in accordance with all applicable law.
This Privacy Notice was updated on 20th April 2018.
This Privacy Notice was last updated on 23rd June 2021.
 The “Purposes” listed in this chart are brief summaries and not intended to explain all or every reason why Rebura uses the particular cookie or plug in. If you have any questions about the cookie table, please click the link to the cookie creator’s website and/or email Rebura at firstname.lastname@example.org.
UNITED KINGDOM AND EUROPEAN ECONOMIC AREA ADDENDUM
I. Who is Rebura’s Supervisory Authority for Data Protection Purposes?
Until December 31, 2020, Rebura has designated the UK Information Commissioner’s Office (“ICO”) as the supervisory authority for purposes of Data Protection Act of 2018 (“DPA2018”) and General Data Protection Regulation (“GDPR”). After December 31, 2020, Rebura shall update this United Kingdom and European Economic Area Addendum into distinct United Kingdom and European Economic Area Addendums consistent with post-“Brexit” changes. After December 31, 2020, the ICO remained the supervisory authority for purposes of the DPA2018 and the United Kingdom General Data Protection Regulation (UK GDPR). This Addendum applies to both United Kingdom and European Economic Area residents.
II. How do we lawfully process your data?
In order to process your Personal Data lawfully Rebura must have a legal basis to do so. Rebura relies on three main legal bases for processing your Personal Data:
We may rely on one or more legal bases to process your Personal Data.
A. All users of the Websites and/or our services
Legitimate Interests: Rebura uses Personal Data that we collect for the following general purposes in the performance of our legitimate interests as a business: to provide the services to our clients; to enhance their experience, to improve our services and to contact clients.
B. Individuals who work for Rebura clients (i.e. a client contact)
Consent: If you would like to receive general marketing and other communications from us, you will have the option to affirmatively check a box consenting to Rebura processing your Personal Data for this purpose. Rebura may also ask you via email or telephone for your affirmative consent to receive marketing and other communications from us.
Legitimate Interest: Rebura has a legitimate interest in processing your Personal Data in order to provide AWS services at your company or employer, and provide you with other products and services relevant to your company or employer and to market its products and services to you in order to grow our business, to demonstrate our knowledge of the AWS services marketplace and relevant technologies and to enhance the standing and recognition of our brands. Rebura also has legitimate interest to process your Personal Data if you seek or obtain further information about Rebura or an Rebura client.
Necessary for the performance of a contract: Rebura can process your Personal Data in the performance of its contract with your company or employer.
With respect to actual or prospective client contacts, if Rebura obtains your Personal Data from someone other than you, Rebura shall inform you of the identity and contact details of the person or entity from whom Rebura obtained your Personal Data, whether Rebura obtained your Personal Data from publicly available sources, the categories of Personal Data that Rebura obtained and, if Rebura is processing your Personal Data based on its legitimate interest (see Section III below), the nature of Rebura’s legitimate interest. Rebura shall provide you with the information listed in this paragraph by the earlier of (1) one month after Rebura obtains your Personal Data or (2) if Rebura uses your Personal Data to communicate with you, the first time that Rebura communicates with you.
Rebura shall not provide you with the information described in the paragraph immediately above if you already possess this information, providing you with such information is against applicable law, is subject to an obligation of professional secrecy, proves impossible, would involve a disproportionate effort or would render impossible or seriously impair the achievement of the objectives of the processing, in which case, Rebura shall take appropriate measures to protect your rights, freedoms and legitimate interests.
III. Your Special Rights under Data Protection Laws
A. Do I have a right to be erased (forgotten)?
Yes. You have the right to request that Rebura deletes or removes your Personal Data where there is no compelling reason for us to continue to process it. You can exercise this right, free of charge, by sending an email to Rebura at email@example.com.
Please note that your right to erasure is not absolute. Rebura will remove your Personal Data when:
Rebura can refuse to comply with an erasure request in the following limited circumstances:
(a) to exercise Rebura’s right of freedom of expression and information;
(b) to comply with a legal obligation or for the performance of a public interest task;
(c) for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
(d) for the establishment, exercise or defence of legal claims.
If we remove your Personal Data per your request for erasure, then we will confirm this with you.
If we have disclosed any of your Personal Data to a third party and you submit an erasure request to us, then we will inform (1) you about the recipients and (2) any such third parties of your erasure request unless doing so is impossible or involves disproportionate efforts.
We will respond to your erasure request without undue delay. Please note that, for your and Rebura’s protection, we cannot respond to an erasure request until we have verified the identity of the person making the request. This verification process may extend the response timeframes set forth in this paragraph.
B. Do I have a right of access to a copy of my Personal Data?
Yes. You have the right to:
You can exercise this right by sending an email to Rebura at firstname.lastname@example.org.
This right is in place to ensure that you are aware of and can verify the lawfulness of the processing. In most cases, we will provide you with a copy of your Personal Data free of charge. However, we may charge you a reasonable fee if your request is manifestly unfounded, excessive or repetitive. With respect to unfounded, excessive or repetitive requests, in rare cases, Rebura may refuse to respond to your request but will explain the reason(s) for its refusal to you without undue delay and within one month of its receipt of your request. If Rebura so refuses, you have the right to file a complaint with the ICO and to seek a judicial remedy.
If you submit your access request to Rebura electronically, Rebura will provide you with its response, and a copy of your Personal Data (if applicable) via email or other commonly used electronic form.
If Rebura did not collect your Personal Data from you, Rebura will inform you about the source from which it obtained your Personal Data. Your right of access does not adversely affect your right of erasure (forgotten) and right of rectification, both of which are described in this Privacy Notice.
Generally, Rebura will provide you with a copy of your Personal Data without undue delay and within one month of its receipt of your request, provided that Rebura may extend this time period for up to two additional months if your request is complex or numerous. If Rebura exercises this extension of time, Rebura will inform you of its decision to exercise the extension within one month of its receipt of your request, and will explain the reason(s) for the extension. If your request is large or complex, Rebura may ask you to specify the particular information or category of information you seek.
Please note that, for your and Rebura’s protection, Rebura cannot respond to an access request until it verifies the identity of the person making the request for your Personal Data. This verification process may extend the response timeframes set forth in the paragraph above.
C. Do I have a right to object to the processing of my Personal Data, including the processing of my Personal Data by Rebura for direct marketing?
Yes, you have a right to object to the processing of your Personal Data where:
You can exercise this right, free of charge, by sending an email to Rebura at email@example.com.
If Rebura receives an objection request from you for reasons unrelated to direct marketing, Rebura will stop processing your Personal Data unless we can show compelling legitimate ground(s) for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of any legal claims.
If Rebura receives an objection request from you for reasons related to direct marketing, we will stop processing your Personal Data.
If you receive a direct marketing communication from Rebura and you do not wish to receive future direct marketing communications from Rebura, you may request to unsubscribe from future marketing communications by sending Rebura an email at firstname.lastname@example.org In addition, if the direct marketing communication you received was via email and has an “Unsubscribe” link, you can click the “Unsubscribe” link at the bottom of the email and fill out the required form. Whether through email or by clicking the “Unsubscribe” link, Rebura will process your unsubscribe request. Please allow up to ten (10) business days for your unsubscribe request to take effect.
D. Do I have a right to restrict processing of my Personal Data?
Yes, you have a right to restrict, the processing of your Personal Data. You can exercise this right, free of charge, by sending an email to Rebura at email@example.com. When you exercise this right, Rebura may continue to store your Personal Data but cannot further process it. Rebura will cease processing your Personal Data in the following circumstances:
While the processing of your Personal Data is restricted, Rebura may continue to process such data by storing it, processing it with your consent or processing it for the establishment, exercise or defence of legal claims.
Rebura will inform you if it decides to lift a restriction on processing.
If Rebura has disclosed any of your Personal Data to a third party and you submit a request to restrict processing, Rebura will inform (1) you about the recipients if you so request and (2) any such third parties of your restriction request unless doing so is impossible or involves disproportionate efforts.
Rebura will act on your restriction request in accordance with this Privacy Notice without undue delay. Please note that, for your and Rebura’s protection, Rebura cannot act on a restriction request until it verifies the identity of the person making the request. This verification process may extend the timeframe in which Rebura acts on your restriction request.
E. Do I have a right to Personal Data portability?
Yes. You can exercise this right, free of charge, by sending an email to Rebura at firstname.lastname@example.org. This right exists to allow you to obtain and use your Personal Data for your own purposes across different services. Under this right, you can move, copy or transfer your Personal Data from Rebura to another data controller.
This right applies where Rebura is processing your Personal Data with your consent or for the performance of a contract. It also applies if we process your Personal Data by automated means. If your portability request concerns someone other than you, Rebura will have to consider whether providing or porting the Personal Data would prejudice the other person’s or people’s rights.
Generally, Rebura will respond to your portability request without undue delay and within one month of its receipt of your request, provided that Rebura may extend this time period for up to two additional months if your request is complex or numerous. If Rebura exercises this extension of time, Rebura will inform you of its decision to exercise the extension within one month of its receipt of your request, and will explain the reason(s) for the extension. Where technically feasible, you may request that Rebura transmit your Personal Data to another data controller.
F. Do I have a right to object to decision been taken by automated means?
If Rebura uses automated (i.e. non-human) methods to process your Personal Data to make decisions that could potentially have a damaging legal or similarly significant effect on you (each, an “Automated Decision”), you have the right not to be subject to the Automated Decision. This right is inapplicable to any Automated Decision made by Rebura that is necessary for entering into or the performance of a contract between you and Rebura, is authorized by law or is based on your explicit consent.
If Rebura makes any Automated Decisions to which this right applies, Rebura will ensure that you are able to obtain human intervention, express your point of view and obtain an explanation of the decision and challenge it.
If Rebura engages in “profiling” by automated means, Rebura will ensure that appropriate safeguards are in place including (1) ensuring that the processing is fair and transparent by providing you with meaningful information about the logic involved and the significance and consequences of the outcome of the decision, (2) using appropriate mathematical or statistical procedures for the profiling, (3) implementing appropriate technical and organizational measures to enable inaccuracies to be corrected and minimize the risk of errors and (4) securing the Personal Data in a way that is proportionate to the risk to your interests and rights and prevents discriminatory effects.
G. Do I have a right to have any inaccurate or incomplete Personal Data rectified?
Yes. You can exercise this right, free of charge, by sending an email to Rebura at email@example.com.
Generally, Rebura will respond to your rectification request within one month of its receipt of your request, provided that Rebura may extend this time period for up to two additional months if your request is complex. In rare cases, Rebura may refuse to respond to your request but will explain the reason(s) for its refusal to you within one month of its receipt of your request. If Rebura so refuses, you have the right to file a complaint with the ICO and to seek a judicial remedy.
If Rebura has disclosed any of your Personal Data to a third party and you submit a rectification request to Rebura that Rebura is going to honor, Rebura will inform (1) you about the recipients and (2) any such third parties of your rectification request as well as any corrected Personal Data, unless doing so is impossible or involves disproportionate efforts.
We will use reasonable endeavours to ensure that your Personal Data is maintained and up to date.
H. What are my rights if the Security of my Personal Data is breached?
A breach of Personal Data (a “Breach”) means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, your Personal Data for which we are responsible under applicable law.
If the Breach is likely to have a significant detrimental effect on your rights and freedoms (such as resulting in discrimination, damage to reputation or financial loss), Rebura will notify the ICO without undue delay, and if feasible, within 72 hours of Rebura’s becoming aware of the Breach. Rebura will assess the determination of “significant detrimental effect” on a case by case basis.
If the Breach is likely to result in a “high risk” to your rights and freedoms, Rebura will notify you without undue delay. To be clear, the threshold requiring Rebura to notify you of a Breach is higher than the threshold requiring Rebura to notify the ICO of a Breach so it is possible that Rebura will notify the ICO of a Breach but not you. Rebura will assess the determination of “high risk” on a case by case basis.
Any Breach notice issued by Rebura will contain, where possible, (1) the categories and approximate number of individuals and Personal Data records effected by the Breach, (2) the name and contact details of the information security manager (“ISM”) (or other Rebura contact representative if Rebura does not have a ISM at the time that Rebura issues the Breach notice), (3) a description of the likely consequences of the Breach, (4) a description of the measures that Rebura has taken, and may take, to stop the Breach and, where appropriate, to mitigate the adverse effects of the Breach and (5) recommendations on actions you can take to protect yourself in light of the Breach.
I. Will my Personal Data be transferred outside the UK, EEA, or Switzerland?
Rebura may transfer your Personal Data to third parties described in this Privacy Notice who are located outside of the UK, Switzerland, or EEA. If so, Rebura will take reasonable steps to ensure that your Personal Data is protected and treated in accordance with this Privacy Notice and local applicable law. Some of the countries outside the UK, Switzerland, or EEA where your Personal Data may be transferred will be on the EU Commission’s, ICO’s, or Swiss Federal Data Protection and Information Commission’s list of countries that it has deemed to have adequate security controls in place (the “Approved List”). Given the European Court of Justice’s decision in Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems, Case C-311/18 (July 16, 2020) (“Schrems II”) as well as the September 8, 2020 Swiss Federal Data Protection and Information Commissioner’s Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection, and absent consent from the Data Subject (or any other reason provided in GDPR Article 49(1)(b)-(f), UK, or Swiss law as may be amended from time to time), if Rebura transfers your Personal Data to processors (which could be external third party vendors or suppliers) that store, transfer, process, or control your Personal Data in a country not on the Approved List or not in the UK, Switzerland, or EEA (“Third Countries”), then Rebura shall determine whether each processor (and each subprocessor that a processor has provided Rebura formal notice of) can store, transfer, process, or control the Personal Data solely within the UK, Switzerland, EEA, or a country on the Approved List.
(a) If Rebura determines that the processor (and each subprocessor that a processor has provided Rebura formal notice of) can store, transfer, process, or control the Personal Data solely within a country on the Approved List or in the UK, Switzerland, or EEA, we will require such processor (and will require the processor to require each of its applicable subprocessors) to do so.
(b) If Rebura determines that the processor (and each subprocessor that a processor has provided Rebura formal notice of) cannot store, transfer, process, or control the Personal Data in a country on the Approved List or in the UK, Switzerland, or EEA, then:
(i) Rebura will require such processor (and will require the processor to require each of its applicable subprocessors) to be bound by the model clauses promulgated by the European Commission as provided here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 or the ICO, as applicable (or any updated link which the European Commission or ICO makes available from time to time) (“Model Clauses”). When relying on the Model Clauses, Rebura shall (a) monitor the laws and regulations of Third Countries for the adequate protections of UK, Swiss, or EEA Data Subjects as required by the GDPR or other local laws and regulations; and (b) terminate the storage, transfer, processing , or control of Personal Data by a processor (or a subprocessor where the process has informed Rebura of the country in which such subprocessor is processing your Personal Data) when (i) such laws and regulations of Third Countries are incompatible with the GDPR or other local laws and regulations, or (ii) access to Personal Data is requested by the public authorities of Third Countries and such access is lawful under the laws of the Third Countries but is prohibited under the GDPR or other local laws and regulations. If the events described in III(I)(b)(i)(b)(i) or (ii) occur, Rebura will confer with the appropriate supervisory authority regarding appropriate actions to safeguard your Personal Data.
(c) Rebura shall also require the processor (and will require each processor to require its applicable subprocessors) to determine whether each processor or subprocessor can store, transfer, process, or control the Personal Data solely within the UK, Switzerland, EEA, or a country on the Approved List.
Under certain circumstances, Rebura may share your Personal Data with one or more of its group companies who may be located in a Third Country. In such cases, Rebura will comply with its DPAs. The DPAs are incorporated by reference into this Addendum
J. How long will Rebura store my Personal Data for?
We are required by law to store your Personal Data for as long as is necessary to comply with our legal, regulatory and contractual obligations.
With respect to GDPR (and similar laws), we will store and process your Personal Data that we obtain via: (i) your consent, until the earlier of (a) the purpose for which we obtained such information has been fully accomplished or (b) you inform us that you have withdrawn your consent; (ii) our legitimate interest until the earlier of (a) your Personal data is no longer necessary for the purpose for which it is being processed, or (b) Rebura concludes that your rights and freedoms outweigh our right to process your Personal Data; and (iii) our necessity for the performance of a contract, until the termination or expiration of the contract including the termination or expiration of Rebura’s and your employer’s or company’s duties or obligations that survive any such termination or expiration.
Furthermore, we will store your Personal Data in special circumstances related to the issuance or defense of legal proceedings, outstanding invoices or in connection with any investigation by or of a government authority.
K. What Protections do I have if Rebura transfers my Personal Data to the U.S.?
In short, you have the protections of the Model Clauses, defined above. In addition to the Model Clauses, Rebura has additional contractual clauses that may apply to its United States clients and vendors which are in the United States of America Addendum below.
Rebura discloses Personal Data to third party service providers in connection with the operation of their respective businesses, including their provision of services to clients.
Rebura may be required to disclose Personal Data to law enforcement, regulatory or other government agencies, or to other third parties, in each case to comply with legal, regulatory, or national security obligations or requests.
Any questions, complaints, or requests to access, correct, amend, delete, or limit the use or disclosure of Personal Data (opt out) may be directed to firstname.lastname@example.org. If Rebura has not been able to satisfactorily resolve the issue, then you may raise it with your data protection authority (see paragraph immediately below).
L. UK/EEA residents. Should your complaint remain unresolved and you reside in the UK/EEA, then you should contact the EEA/UK Supervisory Authorities (the “SAs”) who act as an independent recourse mechanism to settle all such disputes. Such complaints can be directed either to the EEA/UK SAs panel secretariat or individual EEA/UK SAs.
Currently, the contact information relevant to the submission of the EEA standard complaint form is as follows: Commission Européenne, Directorate General Justice, Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Data Protection Panel, B-1049 Brussels, Belgium, Telephone: (32-2) 299 11 11, Fax: (32-2) 298.80.94, email: email@example.com.
You can find the standard compliant form at https://edps.europa.eu/data-protection/our-role-supervisor/complaints/edps-complaint-form_en.
The contact information for individual EU SAs can be found at: http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm
M. Swiss residents. Should your complaint remain unresolved and you reside in Switzerland, then you should contact the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland with whom Rebura has agreed to cooperate regarding such disputes.
The contact information for the Swiss FDPIC can be found at: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/links/data-protection—switzerland.html.
UNITED STATES OF AMERICA ADDENDUM
I. If you would like a copy of Rebura’s US comprehensive information security program, please email Rebura’s CPO at firstname.lastname@example.org.
If Rebura receives a “Do Not Track” signal or request from a web browser, Rebura will not honor such request or signal. Rebura has taken this position in part to provide you with a personalized and efficient experience on the Websites.
As discussed in this Privacy Notice, there are third parties who conduct tracking on the Websites.
Information about web beacons used by Rebura and third parties with whom it contracts can be found in Section XII.F of the Privacy Notice above.
II. For information on Rebura’s transfers of EEA/UK/Swiss data to the U.S., see the section entitled “ In addition to the forgoing, for compliance with applicable law, the following terms, to which Rebura reserves the right to revise from time to time without notice, shall be incorporated by reference where these terms are required in client contracts:
(A). In the event Rebura transfers to client or any of its affiliates, or provides client or any of its affiliates with access to any Personal Data (as defined for this Section II below) of European Union or Switzerland residents, including employees of Rebura or its affiliates and actual or prospective Rebura client contacts, and client maintains, receives, has access to, stores, uses or processes such Personal Data in the United States, client shall comply with data protection, data security and confidentiality requirements at least as strong as those set forth in the Privacy Shield Principles issued by the U.S. Department of Commerce, as revised from time to time (collectively, the “Principles”) During the term of such contracts and while client creates, receives, maintains, stores, uses, processes or disseminates any Personal Data, client shall:
(B) Upon the termination or expiration of the applicable client contract, client shall, at Rebura’s option, return all Personal Data to Rebura as applicable or permanently destroy all Personal Data (and all copies and derivative works thereof) in its care, custody or control except for any Personal Data that applicable law, if any, requires client to maintain (“Archival Personal Data”). With respect to any Archival Personal Data, client’s obligations and requirements under this Section II shall remain in full force and effect for as long as such Archival Personal Data remains in client’s care, custody or control.
(C) If client forwards or gives access to any of the Personal Data to any third party at any time, including any subprocessor or controller of client, client shall ensure that its written contract with such third party contains these terms, as applicable.
(D) For purposes of this Section II, the term “Personal Data” shall have the same meaning ascribed to that term as in the Principles which can be found at https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg as revised from time to time.