Your privacy and the security of your personal information are very important to us. This Privacy Policy describes how we use and protect the information which we collect on QAthlete Personal Assessment System (the product). We are dedicated to protecting the privacy of those who use the product. Please read this Privacy Policy carefully before you proceed. Except as we disclose in this Privacy Policy, we will not sell, share, license, trade or rent your personal information to others. For purposes of this Privacy Policy, "we", "us", and "our" means QAthlete.
We collect two types of information: personally identifiable information and non-personally identifiable information.
1.1 Personally Identifiable Information
Personally identifiable information is information that identifies you or can be used to identify or contact you ("Personally Identifiable Information"). Personally Identifiable Information may include your name, address, email address, telephone numbers, birth date, job description and place of employment. We will request Personally Identifiable Information from you when you use the product. We will collect Personally Identifiable Information from you only if you voluntarily submit such information to us. Unless you give us permission to do so, we will not sell, share, license, trade or rent your Personally Identifiable Information other than as specified in this Privacy Policy. If you choose to withhold requested Personally Identifiable Information, you may not be able to utilise the full functionality of the product.
1.2 Non-Personally Identifiable Information
We also may collect information that by itself cannot be used to identify or contact you, such as demographic information (like age, profession or gender) and health information (like current body mass index) ("Non-Personally Identifiable Information"). Non-Personally Identifiable Information may also include user IP addresses (to the extent that it is not deemed to be Personally Identifiable Information [NOTE - STATIC IP ADDRESSES ARE GENERALLY CONSIDERED IDENTIFIABLE]), browser types, domain names, and other anonymous statistical data. Non-Personally Identifiable Information is used to help us understand who uses the product and to improve our conclusion engine and to assist us in isolating patterns in populations and demographics.
1.3 Information from Other Sources
We may also supplement the information we collect with information from other sources to assist us in evaluating and improving the product and its successors and/or to study stress and health in general.
When you provide us with your Personally Identifiable Information, you acknowledge that this information may be stored and processed on internationally located servers and you consent to your Personally Identifiable Information being exported and shared in this way. The USA does not have data protection legislation; however, we will, of course, keep your information secure.
We may collect information (including information that is Personally Identifiable Information) from you in different manners (including touch-screen responses and in writing) and at different points during your use of the product. The following is a description of the manners in which we primarily collect information about you.
3.1 Registration
Before any tests are performed or readings obtained, you will be required to submit certain personal details including your name, contact details, date of birth, occupation and nationality. In addition, you will also be required to complete the following on-screen questionnaires:
"Life Style questionnaire" including information such as your smoking habits, alcohol consumption, and dietary and exercise habits. Other relevant questionnaires may be introduced including a "Stress questionnaire" which requires you to indicate how you have been feeling in the past week about a number of matters.
3.2 Cookies
We use cookies to track and store information about you. A "cookie" is a software application that enables us to track your use of our website and services. You can find out more about the way cookies work on http://www.cookiecentral.com. We use cookies to help us understand what our users' interests and preferences are in order that we can tailor the product for our members, subscribers and visitors.
We are committed to protecting the privacy of minors. The product is not designed for use by children and is for use by individuals who are between 18 and 65 years only. We do not collect Personally Identifiable Information from any person we actually know is under the age of 18.
We use the information you provide and our sophisticated computerised system that gives detailed information on ECG, EEG, PPG, GSR, and Heart Rate Variability ("HRV") (which monitors the balance or imbalance of the autonomic nervous system) to generate a full HRV analysis and lifestyle report.
Your individual reports will also be available on-line.
We may use the information gathered by the product to perform statistical analysis of user behavior, to analyse and evaluate issues relating to stress and health or to evaluate and improve our products and systems. We may link some of this information to Personally Identifiable Information for internal purposes only or to provide analysis to you. From time to time, we would like to send you information about other products or services which we think may be of interest to you. If you do not wish to receive this information any longer please email us at info@qathlete.com.
You give explicit consent to our use of your Personally Identifiable Information for the purposes listed above.
Except as set out in this Privacy Policy or as specifically agreed to by you, we will not disclose any information we gather from you on the product.
6.1 Affiliates, Agents and/or Commercial Partners
We may disclose information (including Personally Identifiable Information) about you to our Affiliates, agents and/or commercial partners. For purposes of this Privacy Policy, "Affiliates" means any person or entity which directly or indirectly controls, is controlled by or is under common control with QAthlete, whether by ownership or otherwise. Any information relating to you that we provide to our Affiliates will be treated by those Affiliates in accordance with the terms of this Privacy Policy.
6.2 Laws and Legal Rights
We may also disclose your information (including Personally Identifiable Information) if we believe in good faith that we are required to do so in order to comply with an applicable statute, regulation, rule or law, a subpoena, a search warrant, a court or regulatory order, or other valid legal process. We may disclose Personally Identifiable Information in special circumstances when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating our Terms & Conditions, or to protect the safety and/or security of our users, the product or the general public.
6.3 Third Parties Generally
We may provide to third parties Non-Personally Identifiable Information, including where such information is combined with similar information of other users of the product. For example, we might inform third parties of the number of individuals who have used the product, the demographic breakdown of our users or information regarding the general health, stress, stress related illnesses or health risks of our users which is Non-Personally Identifiable Information. The third parties to whom we may provide this information may include potential or actual advertisers, providers of advertising services, commercial partners, sponsors, licensees, researchers and other similar parties.
6.4 Outside Contractors
We may employ independent contractors ("Outside Contractors") to provide specific services related to our Website, such as mathematical and statistical analysis and reporting services. These Outside Contractors may sometimes have limited access to information collected by the product, including your Personally Identifiable Information, in the course of providing services to us. Access to your Personally Identifiable Information by these Outside Contractors is limited to the information reasonably necessary in order for the Outside Contractors to perform their limited function for us. We also require that these Outside Contractors:
1. Protect the privacy of your Personally Identifiable Information consistent with this Privacy Policy, and
2. Undertake not to use or disclose your Personally Identifiable Information for any purpose other than providing us with services for which we contracted.
6.5 Sale of Business
In the event that the business is sold or integrated with another business, information will be disclosed to our advisers and any prospective purchasers' advisers and will be passed to the new owners of the business.
We take reasonable and appropriate steps to protect your information. If you would like information on our security procedures please contact us at info@qathlete.com.
We take reasonable and appropriate measures including encryption to ensure that your personal information is protected from unauthorised access or modification, unlawful destruction and improper use. However, the internet is an open system and we cannot and do not guarantee that the personal information you have submitted will not be intercepted by others and decrypted.
You will be given a personal identification number (PIN) which you will need to enter to access information relating to you via our website. You must keep your PIN confidential and must not disclose it or share it with anyone. You should inform us immediately if your PIN is lost or stolen. We can give no guarantee that Personally Identifiable Information relating to you will be kept confidential if your PIN is lost or stolen.
We want your information (including Personally Identifiable Information) to remain as secure as possible. Only employees and consultants who need access to your information to perform a specific task or function are granted access to such information. In addition, all QAthlete employees must abide by this Privacy Policy and are kept up-to-date on security practices. Any employee who violates this Privacy Policy is subject to disciplinary action, up to and including termination.
Notwithstanding the above commitments to protect your information (including Personally Identifiable Information) from loss, misuse or alteration by third parties, you should be aware that there is always some risk involved when information is transmitted over the internet. There is also some risk that others could find a way to thwart our security systems. As a result, while we strive to protect your information, we cannot ensure or warrant the security and privacy of any information you give to us and you do so at your own risk.
Except as otherwise described in this Privacy Policy, we will only use Personally Identifiable Information for the purposes described above or as otherwise disclosed at the time we request such information from you. If we intend to use your Personally Identifiable Information for any other purpose, we will inform you in advance of the proposed use and ask you to "opt-in" to give us your permission to use your Personally Identifiable Information for such purpose.
You may change the preference you have previously submitted and "opt-out" at any time by withdrawing your permission by contacting info@qathlete.com.
If your name, address, email address, telephone number, job description or place of employment ("Personal Details") that you have provided to us changes, please let us know the correct details by emailing info@qathlete.com.
You can always contact us in order to:
1. Update or correct your Personal Details
2. Verify what Personal Details we maintain about you
3. Delete the Personal Details maintained about you on our systems, by contacting info@qathlete.com
Such updates, corrections, changes and deletions will not have an effect on other information that we maintain, or information that we have provided to third-parties in accordance with this Privacy Policy prior to such update, correction, change or deletion.
Please note that any information and analysis which has been generated by us following your use of the product and which is based on information provided by you and results obtained through your use of the product is fixed at that point in time and cannot subsequently be amended or updated. If any Personally Identifiable Information other than your Personal Details changes and you wish to update or correct such information, you will need to carry out a further test using the product including completing the relevant questionnaires and a further charge will be payable for the amended report.
You should be aware that it is not technologically possible to remove or verify each and every record of the information you have provided to us from our system. The need to back-up our systems to protect information from inadvertent loss means that a copy of your Personally Identifiable Information may exist in a non-erasable form that will be difficult or impossible for us to locate. We promise that promptly after receiving your request, all Personally Identifiable Information stored in databases we actively use and other readily searchable media will be updated, corrected, changed, deleted or confirmed to you, as appropriate, as soon as reasonably practicable.
We reserve the right in our sole discretion to amend this Privacy Policy at any time, and you should check this Privacy Policy for any amendments each time you use the product. If we decide to change this Privacy Policy, we will post those changes [on our Website QAthlete] so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use Personally Identifiable Information in a manner significantly different from that stated in this Privacy Policy, or otherwise disclosed to you, at the time it was collected, we will notify you [by e-mail], and you will have a choice as to whether or not we use your Personally Identifiable Information in the new manner. We may also make non-significant changes to our Privacy Policy that generally will not affect our use of your Personally Identifiable Information.
If you do not agree to the terms of this Privacy Policy, you should not use the product.
If you have any questions about our Privacy Policy or feel that we are not abiding by the terms of our posted Privacy Policy, please contact our Privacy Coordinator in any of the following ways:
Email our Privacy Coordinator at: info@qathlete.com
BY USING THE PRODUCT, YOU ACKNOWLEDGE YOUR ACCEPTANCE OF THIS PRIVACY POLICY AND OF US PROCESSING YOUR PERSONAL DATA IN ACCORDANCE WITH THE TERMS OF THIS PRIVACY POLICY. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU SHOULD NOT USE THE PRODUCT. BY SUBMITTING YOUR PERSONAL INFORMATION, YOU CONSENT TO THE USE OF YOUR INFORMATION AS SET OUT IN THIS PRIVACY POLICY.
Your privacy is important to QAthlete®, and we have developed a Privacy Policy that covers how we collect, use, disclose, transfer, and store your information. Please take a moment to familiarize yourself with our privacy practices and let us know if you have any questions.
Collection and Use of Personal Information
Personal information is data that can be used to uniquely identify or contact a single person.
You may be asked to provide your personal information anytime you are in contact with QAthlete® or a QAthlete® affiliated company. QAthlete® and its affiliates may share this personal information with each other and use it consistent with this Privacy Policy. They may also combine it with other information to provide and improve our products, SOFTWARE, content, and advertising.
Here are some examples of the types of personal information QAthlete® may collect and how we may use it.
What personal information we collect
When you create a QAthlete® ID, register your products, apply for commercial credit, purchase a product, download a SOFTWARE update, register for a class at QAthlete® Affiliate Universities, or participate in an online survey, we may collect a variety of information, including your name, mailing address, phone number, email address, contact preferences, and credit card information.
When you share your content with colleagues using QAthlete® products, send gift certificates and products, or invite others to join you on QAthlete® forums, QAthlete® may collect the information you provide about those people such as name, mailing address, email address, and phone number.
In the U.S., we may ask for your Social Security number (SSN) but only in limited circumstances such as when determining whether to extend commercial credit.
How we use your personal information
The personal information we collect allows us to keep you posted on QAthlete®’s latest product announcements, SOFTWARE updates, and upcoming events. It also helps us to improve our SOFTWARE, content, and advertising. If you don’t want to be on our mailing list, you can opt out anytime by updating your preferences.
We also use personal information to help us develop, deliver, and improve our products, SOFTWARE, content, and advertising.
From time to time, we may use your personal information to send important notices, such as communications about purchases and changes to our terms, conditions, and policies. Because this information is important to your interaction with QAthlete®, you may not opt out of receiving these communications.
We may also use personal information for internal purposes such as auditing, data analysis, and research to improve QAthlete®’s products, SOFTWARE, and customer communications.
If you enter into a sweepstake, contest, or similar promotion we may use the information you provide to administer those programs.
Collection and Use of Non-Personal Information
We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where a QAthlete® product is used so that we can better understand customer behavior and improve our products, SOFTWARE, and advertising.
We also may collect information regarding customer activities on our website, and from our other products and SOFTWARE. This information is aggregated and used to help us provide more useful information to our customers and to understand which parts of our website, products, and SOFTWARE are of most interest. Aggregated data is considered non-personal information for the purposes of this Privacy Policy.
If we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined.
Cookies and Other Technologies
QAthlete®’s website, online SOFTWARE, interactive applications, email messages, and advertisements may use “cookies” and other technologies such as pixel tags and web beacons. These technologies help us better understand user behavior, tell us which parts of our website people have visited, and facilitate and measure the effectiveness of advertisements and web searches. We treat information collected by cookies and other technologies as non-personal information. However, to the extent that Internet Protocol (IP) addresses or similar identifiers are considered personal information by local law, we also treat these identifiers as personal information. Similarly, to the extent that non-personal information is combined with personal information, we treat the combined information as personal information for the purposes of this Privacy Policy.
QAthlete® and its partners use cookies and other technologies in mobile advertising SOFTWARE to control the number of times you see a given ad, deliver ads that relate to your interests, and measure the effectiveness of ad campaigns. If you do not want to receive ads with this level of relevance on your mobile device, you can opt out by email: info@medeia.com. This opt-out applies only to QAthlete® advertising SOFTWARE and does not affect interest-based advertising from other advertising networks.
QAthlete® and our partners also use cookies and other technologies to remember personal information when you use our website, online SOFTWARE, and applications. Our goal in these cases is to make your experience with QAthlete® more convenient and personal. For example, knowing your first name lets us welcome you the next time you visit the QAthlete® website. Knowing your country and language - and if you are an educator, your school - helps us provide a customized and more useful experience. Knowing someone using your computer or device has shopped for a certain product or used a particular SOFTWARE helps us make our advertising and email communications more relevant to your interests. And knowing your contact information, product serial numbers, and information about your computer or device helps us register your products, personalize your operating system, set up your SOFTWARE, and provide you with better customer support.
If you want to disable cookies and you’re using your web browser, check with your provider to find out how to disable cookies. Please note that certain features of the QAthlete® website will not be available once cookies are disabled.
As is true of most websites, we gather some information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring and exit pages, operating system, date/time stamp, and clickstream data.
We use this information to understand and analyze trends, to administer the site, to learn about user behavior on the site, and to gather demographic information about our user base as a whole. QAthlete® may use this information in our marketing and advertising SOFTWARE.
In some of our email messages, we use a “click-through URL” linked to content on the QAthlete® website. When customers click one of these URLs, they pass through a separate web server before arriving at the destination page on our website. We track this click-through data to help us determine interest in particular topics and measure the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click text or graphic links in the email messages.
Pixel tags enable us to send email messages in a format customers can read, and they tell us whether mail has been opened. We may use this information to reduce or eliminate messages sent to customers.
Disclosure to Third Parties
At times QAthlete® may make certain personal information available to strategic partners that work with QAthlete® to provide products and SOFTWARE, or that help QAthlete® market to customers. For example, when you purchase and activate your SOFTWARE you authorize QAthlete® to exchange the information you provide during the activation process to carry out SOFTWARE REGISTRATION PROCESS. If you are approved for SOFTWARE, your USER PROFILE will be governed by QAthlete® and its respective privacy policies. Personal information will only be shared by QAthlete® to provide or improve our products, SOFTWARE and advertising; it will not be shared with third parties for their marketing purposes.
SOFTWARE Providers
QAthlete® shares personal information with companies who provide SOFTWARE such as information processing, extending credit, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer SOFTWARE, assessing your interest in our products and SOFTWARE, and conducting customer research or satisfaction surveys. These companies are obligated to protect your information and may be located wherever QAthlete® operates.
Others
It may be necessary - by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence - for QAthlete® to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
We may also disclose information about you if we determine that disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users. Additionally, in the event of a reorganization, merger, or sale we may transfer any and all personal information we collect to the relevant third party.
Protection of Personal Information
QAthlete® takes precautions — including administrative, technical, and physical measures — to safeguard your personal information against loss, theft, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.
QAthlete® SOFTWARE uses Secure Sockets Layer (SSL) encryption on all web pages where personal information is collected.
When you use some QAthlete® products, SOFTWARE, or applications or post on a QAthlete® forum, chat room, or social networking site, the personal information you share is visible to other users and can be read, collected, or used by them. You are responsible for the personal information you choose to submit in these instances. For example, if you list your name and email address in a forum posting, that information is public. Please take care when using these features.
Integrity and Retention of Personal Information
QAthlete® makes it easy for you to keep your personal information accurate, complete, and up to date. We will retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.
Access to Personal Information
We make good faith efforts to provide you with access to your data so you can request that we correct the data if it is inaccurate or delete the data if QAthlete® is not required to retain it by law or for legitimate business purposes. We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by local law.
Location-Based SOFTWARE
To provide location-based SOFTWARE on QAthlete® products, QAthlete® and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your QAthlete® computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by QAthlete® and our partners and licensees to provide and improve location-based products and SOFTWARE.
Third-Party Sites and SOFTWARE
QAthlete® websites, products, applications, and SOFTWARE may contain links to third-party websites, products, and SOFTWARE. Our products and SOFTWARE may also use or offer products or SOFTWARE from third parties. Information collected by third parties, which may include such things as location data or contact details, is governed by their privacy practices. We encourage you to learn about the privacy practices of those third parties.
International Users
Information you provide may be transferred or accessed by entities around the world as described in this Privacy Policy. QAthlete® abides by the “safe harbor” frameworks set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information collected by organizations in the European Economic Area and Switzerland. Learn more about the U.S. Department of Commerce Safe Harbor Program.
Our Companywide Commitment to Your Privacy
To make sure your personal information is secure, we communicate our privacy and security guidelines to QAthlete® employees and strictly enforce privacy safeguards within the company.
Privacy Questions
If you have any questions or concerns about QAthlete®’s Privacy Policy or data processing, please contact us.
QAthlete® may update its Privacy Policy from time to time. When we change the policy in a material way, a notice will be posted on our website along with the updated Privacy Policy.
1.1 Scope Medeia Inc as Data Processor
These Rules address the worldwide Processing of Personal Data of individual customers or employees of Business Customers (Business Customer's Individuals Personal Data or BCI Data) by Medeia Inc in its role as a Data Processor in the course of delivering Customer Services.
1.2 Processing in non-Adequate Country
These Rules apply to BCI Data that are:
(i) subject to Data Transfer Restrictions; and
(ii) Processed by Medeia Inc in a non-Adequate Country.
1.3 Electronic and paper-based Processing
These Rules apply to the Processing of BCI Data by electronic means and in systematically accessible paper-based filing systems.
1.4 Applicability of local law and these Rules
Business Customer's Individuals keep any rights and remedies they may have under applicable local law. Where these Rules provide more protection than applicable local law or provide additional safeguards, rights or remedies for Business Customer's Individuals, these Rules shall apply.
1.5 Sub-policies and notices
Medeia Inc may supplement these Rules through sub-policies and notices that are consistent with these Rules.
1.6 Compliance Responsibility
These Rules are binding on Medeia Inc. The Responsible Executive shall be accountable for her business organization’s compliance with these Rules. Medeia Inc Staff must comply with these Rules.
1.7 Effective date
These Rules enter into force as of 16 July 2015 (Effective Date).
1.8 Rules supersede prior policies
These Rules supersede all Medeia Inc privacy policies that exist on the Effective Date to the extent they address the same issues or conflict with the provisions of these Rules.
1.9 Implementation
These Rules shall be implemented within Medeia Inc based on the timeframes specified in Article 15.
1.10 Role of Medeia Inc
Medeia Inc is tasked with the coordination and implementation of these Rules.
1.11 Privacy Officer Advice
Where there is a question as to the applicability of these Rules, Staff shall seek the advice of the appropriate Privacy Officer prior to the relevant Processing.
2.1 Business Customer Service Contract
Medeia Inc shall Process BCI Data only on the basis of a written contract with a Business Customer (Business Customer Service Contract). The Medeia Inc Contracting Entity uses Sub-Processors, both Medeia Inc Sub-Processors and Third Party Sub-Processors, in the regular performance of Business Customer Service Contracts. The standard Business Customer Service Contract shall authorize the use of such Sub-Processors, provided that the Medeia Inc Contracting Entity remains liable to the Business Customer for the performance of the contract by the Sub-Processors. If the Business Customer Service Contract explicitly does not authorize the use of Sub-Processors, Article 7 shall not apply.
2.2 Termination Business Customer Service Contract
Upon termination of the Business Customer Service Contract, Medeia Inc shall, at the option of the Business Customer, return the BCI Data and copies thereof to the Business Customer or shall securely destroy such BCI Data and certify to the Business Customer that Medeia Inc has done so, except to the extent the Business Customer Service Contract or applicable law provides otherwise. In that case, Medeia Inc shall no longer Process the BCI Data, except to the extent required by the Business Customer Service Contract or applicable law.
2.3 Audit of termination measures
Medeia Inc shall, at the request of the Business Customer or Relevant Data Protection Authority, allow its Processing facilities to be audited in accordance with Article 10.2 or 10.3 (as applicable) to verify that Medeia Inc has complied with its obligations under Article 2.2.
3.1 Instructions of the Data Controller
Medeia Inc shall Process BCI Data only on behalf of the Business Customer and in accordance with any instructions received from the Business Customer.
3.2 Compliance with Applicable Adequate Data Protection Law
Medeia Inc shall Process BCI Data only in accordance with the Applicable Adequate Data Protection Law and shall deal promptly and appropriately with requests for assistance of the Business Customer to ensure compliance of the Processing of the BCI Data with the applicable Adequate Data Protection Law.
3.3 Notification of non-compliance, substantial adverse effect
If Medeia Inc:
(i) determines that it is unable for any reason to comply with its obligations under Article 3.1 and 3.2 and Medeia Inc cannot cure this inability to comply; or
(ii) becomes aware of any circumstance or change in the Applicable Data Processor Law, except with respect to the Mandatory Requirements, that is likely to have a substantial adverse effect on Medeia Inc's ability to meet its obligations under Article 3.1, 3.2 or 10.3;
Medeia Inc shall promptly notify the Business Customer thereof, in which case the Business Customer will have the right to temporarily suspend the Processing until such time as the Processing is adjusted in such a manner that the non-compliance is remedied. To the extent such adjustment is not possible, the Business Customer shall have the right to terminate the relevant part of the Processing by Medeia Inc.
3.4 Request for disclosure of BCI Data
Medeia Inc shall promptly notify the Business Customer of any legally binding request Medeia Inc receives for disclosure of BCI Data by a law enforcement authority unless otherwise prohibited by law from making such disclosure.
3.5 Inquiries of the Business Customer
Medeia Inc shall deal promptly and appropriately with inquiries of the Business Customer related to the Processing of the BCI Data pursuant to the terms of the Business Customer Service Contract.
4.1 Legitimate Business Purposes
Where Medeia Inc serves as a Data Processor, Personal Data and Sensitive Data may be Processed by Medeia Inc for one or more of the following purposes:
(i) Customer data management information technology services including:
(a) hosting, storage, backup, or archiving;
(b) reporting on the use of data services by a Customer;
(c) security maintenance (e.g., implementing access controls, auditing use, managing servers, managing network security, managing incidents); or
(d) account management of third-party use of Customer-specific Medeia Inc products or services (e.g., use reporting and billing of a Customer's customer on behalf of the Customer).
(ii) Customer support services including:
(a) providing (local and remote) assistance to Customer in the use or repair of Medeia Inc products or services;
(b) Medeia Inc generation of service level reports or other reports on a Customer's use of Medeia Inc products or services for Customer management information purposes; or
(c) life-cycle management of Medeia Inc products and services (e.g., planning, evaluation, demonstration, installation, calibration, training, maintenance, decommissioning) to facilitate continued and sustained use by a Customer of Medeia Inc products and services.
(iii) Customer-specific custom services including:
(a) device or system tuning for the purpose of adjusting the service or product to meet a Customer's specifications (e.g., by engaging application specialists, undertaking project management activities, modifying of device or system);
(b) the collection and analysis of Customer use data to report trends (e.g., specific status reports, management reporting, proactive management for security, the general improvement of Customer's internal operations);
(c) the purchase of goods and services on behalf of a Customer (e.g., contract broadband network service for device placement and data acquisition, third-party hardware integration); or
(d) the provision of training for Customer's staff or third parties (e.g., equipment training, HIPAA training, infection control training, radiation training).
(iv) Medeia Inc internal business process execution and management leading to incidental Processing of Personal Data or Sensitive Data for:
(a) internal auditing of Medeia Inc Processor-related activities;
(b) activities related to compliance with applicable law or regulation (e.g., data processing law, medical device regulation);
(c) data deidentification and aggregation of deidentified data for data minimization; and
(d) use of deidentified, aggregate data to facilitate continuity, sustainability, and improvement of Medeia Inc products and services.
5.1 Data security
Medeia Inc shall take appropriate, commercially reasonable, technical, physical and organizational measures to protect BCI Data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access during the Processing. Medeia Inc shall in any event take the measures specified in Annex 2 of these Rules, which Annex shall be revised by Medeia Inc if so required to reflect industry standards, or such stricter measures as instructed by the Business Customer in the Business Customer Service Contract.
5.2 Data access and confidentiality
Medeia Inc shall provide Medeia Inc Staff access to BCI Data only to the extent necessary to perform the Processing. Medeia Inc shall impose confidentiality obligations on Staff that has access to BCI Data.
5.3 Data Security Breach notification requirement
Medeia Inc shall notify the Business Customer of a Data Security Breach as soon as reasonably possible following discovery of such breach, unless a law enforcement official or supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security or the trust in the relevant industry sector. In this case, notification shall be delayed as instructed by such law enforcement official or supervisory authority. Medeia Inc shall respond promptly to inquiries of the Business Customer relating to such Data Security Breach.
6.1 Copy of Data Protection Provisions of Business Customer Service Contract
Medeia Inc shall provide the Business Customer's Individual, at its request, the contact details of the relevant Business Customer. If the Business Customer's Individual is unable to obtain from the Business Customer a copy of the data protection provisions of the relevant Business Customer Service Contract, Medeia Inc shall provide the Business Customer's Individual with a copy of these provisions. Where the disclosure sets forth a description of detailed security measures, Medeia Inc may replace the details with a summary description.
6.2 Other Requests of Business Customer's Individuals
Medeia Inc shall promptly notify the Business Customer of requests (other than requests under Article 6.1) or complaints that are received directly from a Business Customer's Individual without responding to such requests or complaints, unless otherwise instructed by the Business Customer in the Business Customer Service Contract.
If instructed by the Business Customer to respond to requests and complaints of Business Customer's Individuals, Medeia Inc shall ensure that the Business Customer's Individual is provided with all required information (including the point of contact and the procedure) in order for the Business Customer's Individual to be able to effectively make the request or lodge the complaint.
7.1 Third Party Sub-Processing Contracts
Third Party Sub-Processors may Process Business Customer Data only if the Third Party Sub-Processor has a written contract with Medeia Inc. The contract shall impose similar data protection-related Processing terms on the Third Party Sub-Processor as those imposed on the Medeia Inc Contracting Entity by the Business Customer Service Contract and these Rules.
7.2 Publication of Overview of Sub-Processors
Medeia Inc shall publish on the appropriate Medeia Inc website an overview of the categories of Sub-Processors (both Third Parties and Medeia Inc) Medeia Inc involves in the performance of the relevant Customer Services. This overview shall be promptly updated in case of changes.
8.1 Chief Privacy Officer
Medeia Inc shall appoint a Chief Privacy Officer who is responsible for:
(i) supervising compliance with these Rules;
(ii) providing periodic reports, as appropriate, to the Chief Executive Officer on data protection risks and compliance issues; and
(iii) coordinating, in conjunction with the appropriate staff, official investigations or inquiries into the Processing of BCI Data by a public authority.
8.2 Privacy Council
The Privacy Council, or the Board of Directors as its substitute, shall create and maintain a Medeia Inc framework for:
(i) the development of the policies, procedures and system information (as required by Article 9);
(ii) planning training and awareness programs;
(iii) monitoring and reporting on compliance with these Rules;
(iv) collecting, investigating and resolving privacy inquiries, concerns and complaints;
(v) determining and updating appropriate sanctions for violations of these Rules (e.g., disciplinary standards).
8.3 Senior Privacy Officers
Medeia Inc does not have Senior Privacy Officers due to the size of the company.
8.4 Responsible Executive
The Board of Directors is the responsible executive and shall perform at least the following tasks:
(i) ensure that the policies and procedures are implemented and the system information is maintained (as required by Article 9);
(ii) provide such system information to the Senior Privacy Officers necessary as required for her to comply with the task listed in Article 8.3 sub (ii);
(iii) ensure that Personal Data are returned or securely deleted or destroyed after termination of the Business Customer Service Contract (as required by Article 2.2);
(iv) determine how to comply with the Rules when there is a conflict with applicable law (as required by Article 13.1); and
(v) inform the appropriate Senior Privacy Officers of any new legal requirement that may interfere with Medeia Inc’s ability to comply with these Rules (as required by Article 13.2).
8.5 Default Privacy Officer
If no Senior Privacy Officer has been designated in a Sector, Country or Region, the Board of Directors is responsible for supervising compliance with these Rules.
8.6 Privacy Officers with statutory position
Where a Privacy Officer holds her position pursuant to law, she shall carry out her job responsibilities to the extent they do not conflict with her statutory position.
9.1 Policies and procedures
Medeia Inc shall develop and implement policies and procedures to comply with these Rules.
9.2 System information
Medeia Inc shall maintain readily available information regarding the structure and functioning of all systems and processes that Process BCI Data (e.g., inventory of systems and processes, privacy impact assessments).
9.3 Staff training
Medeia Inc shall provide training on these Rules and other privacy and data security obligations to Staff who have access to or responsibilities associated with managing BCI Data.
10.1 Internal audits
Medeia Inc Internal Audit shall audit business processes and procedures that involve the Processing of BCI Data for compliance with these Rules. The audits shall be carried out in the course of the regular activities of Medeia Inc Internal Audit. Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The Board of Directors shall be informed of the results of the audits. In case the audit identifies violations of the Rules, these will be reported to senior management. A copy of the audit results will be provided to the Dutch Data Protection Authority upon request.
10.2 Business Customer audit
Medeia Inc shall provide to the Business Customer a statement issued by a qualified independent third party assessor certifying that the Medeia Inc business processes and procedures that involve the Processing of BCI Data comply with these Rules when requested by Business Customer.
10.3 Audit by Relevant Data Protection Authority
A Relevant Data Protection Authority may request an audit of the facilities used by Medeia Inc for the Processing subject to the same conditions (regarding the existence of the right to audit, scope, subject and other requirements) as would apply to an audit by that Data Protection Authority of the Business Customer itself under the Applicable Data Controller Law.
10.4 Annual Report
The Chief Privacy Officer shall produce an annual BCI Data protection report for Medeia Inc's Board of Directors on Medeia Inc's compliance with these Rules and other relevant issues.
10.5 Mitigation
Medeia Inc shall, if so indicated, ensure that adequate steps are taken to address breaches of these Rules identified during the monitoring or auditing of compliance pursuant to this Article 10.
11.1 Specific provision when Data Protection Authorities in EEA have jurisdiction under national law.
If a Data Protection Authority of one of the EEA countries has jurisdiction under its applicable data protection law to evaluate data transfers by a Group Company established in its country, such Data Protection Authority may evaluate these data transfers also against these Rules. The Dutch Data Protection Authority will provide cooperation and assistance where required, including providing audit reports available at the Dutch Data Protection Authority insofar as relevant to evaluate the aforementioned data transfers against these Rules.
11.2 Rights of Business Customer's Individuals
When the Business Customer has factually disappeared or ceased to exist in law or has become insolvent, unless a successor entity has assumed the legal obligations of the Business Customer by contract or by operation of law (in which case the Business Customer's Individual should enforce its rights against such successor entity), the Business Customer's Individual can enforce against the Medeia Inc Contracting Entity Article 3, 5.1, 5.3, 6, 7.1, 7.2, 10.3, 11.1, 11.2, 11.4, and any claim for direct damages as a result of a breach of these enumerated provisions.
To the extent the Business Customer's Individual may enforce any rights against the Medeia Inc Contracting Entity, the Medeia Inc Contracting Entity may not rely on a breach by a Sub-processor of its obligations to avoid liability. Medeia Inc may, however, assert any defenses that would have been available to the Business Customer.
11.3 Jurisdiction for Claims of Business Customer's Individuals
The Business Customer's Individual may, at her choice, submit any claim she has under Article 11.2 against the Medeia Inc Contracting Entity:
(i) to mediation by:
a. an independent person located in the country in which the Business Customer's Individual resides or, if the Business Customer's Individual does not reside in an EEA Country, an independent person located in the Netherlands; or
b. a Relevant Data Protection Authority;
(ii) to the courts in the country of establishment of the Business Customer or, if the Business Customer is not established in an EEA Country, to a court in the Netherlands but in that case only against Medeia Inc; or
(iii) to a Relevant Data Protection Authority or, if the Business Customer is not established in an EEA Country, to the Dutch Data Protection Authority, but in that case only against Medeia Inc.
The courts, the Relevant Data Protection Authority and the Dutch Data Protection Authority shall apply their own substantive and procedural laws to the dispute. Any choice made by the Business Customer's Individual will not prejudice the substantive or procedural rights he may have under applicable law.
11.4 Rights of Business Customers
The Business Customer may enforce these Rules against the Medeia Inc Contracting Entity or, if the Medeia Inc Contracting Entity is not established in an EEA Country, against Medeia Inc. Medeia Inc shall, if so indicated, ensure that adequate steps are taken to address violations of these Rules by the Medeia Inc Contracting Entity or any other Group Company. The Medeia Inc Contracting Entity or Medeia Inc may not rely on a breach by another Group Company or a Sub-processor of its obligations to avoid liability.
11.5 Available remedies, limitation of damages, burden of proof re. damages for Business Customer's Individuals
In case of a violation of these Rules, Business Customer's Individuals shall be entitled to compensation of damages. However, the Medeia Inc Contracting Entity or Medeia Inc shall be liable only for direct damages (which excludes, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost) suffered by a Business Customer's Individual resulting from a violation of these Rules.
Regarding the burden of proof in respect of damages, it will be for the Business Customer's Individual to demonstrate that she has suffered damage and to establish facts which show it is plausible that the damage has occurred because of a violation of these Rules. It will subsequently be for the Medeia Inc Contracting Entity or Medeia Inc to prove that the damages suffered by the Business Customer's Individual due to a violation of these Rules are not attributable to a Group Company or a Sub-processor.
11.6 Available remedies, limitation of damages, burden of proof re. damages for Business Customers
In case of a violation of these Rules, Business Customers shall be entitled to compensation of damages. However, the Medeia Inc Contracting Entity or Medeia Inc shall be liable only for direct damages (which excludes, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost) suffered by a Business Customer resulting from a violation of these Rules.
11.7 Mutual assistance Group Companies and redress
All Group Companies shall cooperate and assist each other to the extent reasonably possible to achieve compliance with these Rules, including an audit or inquiry by the Business Customer or a Relevant Data Protection Authority.
The Medeia Inc Group Company upon receiving a request for information pursuant to Article 6.1 or a claim pursuant to Article 11.1, is responsible for handling any communication with the Business Customer's Individual regarding her request or claim except where circumstances dictate otherwise and as mutually agreed among Senior Privacy Officers relevant to the specific issue.
The Medeia Inc Group Company that is responsible for the Processing to which the request or claim relates, shall bear all costs involved and reimburse any costs made by other Medeia Inc Group Companies in respect thereof.
11.8 Advice by Relevant Data Authority
Medeia Inc shall abide by the advice of a Relevant Data Protection Authority with regard to the Processing of BCI Data.
12.1 Non-compliance
Non-compliance of Medeia Inc employees with these Rules may result in disciplinary action up to and including termination of employment.
13.1 Conflict between Rules and law
Where there is a conflict between Applicable Data Processor Law and the Rules, the relevant Responsible Executive shall consult with the appropriate Senior Privacy Officers and their legal departments to determine how to comply with these Rules and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company.
13.2 New conflicting legal requirements
The relevant Responsible Executive, in consultation with her legal department, shall promptly inform the appropriate Senior Privacy Officers of any new legal requirement that may interfere with Medeia Inc's ability to comply with these Rules.
14.1
Any changes to these Rules require the prior approval of the Chief Legal Officer.
14.2
Any amendment shall enter into force after it has been approved and published on the Medeia Inc General Business Principles Internet site and communicated to the Business Customers.
14.3
Any request or claim of a Business Customer's Individual involving these Rules shall be judged against the version of these Rules that is in force at the time the request, complaint or claim is made.
14.4
The Chief Privacy Officer shall be responsible for informing the relevant government authorities of material changes to these Rules on a yearly basis and coordinating their responses. The Chief Privacy Officer shall inform the Board of Directors of the effect of these responses.
15.1 General Transition Period
Except as otherwise indicated, Medeia Inc shall strive to comply with these Rules as soon as possible after the Effective Date. In any event all Processing of Personal Data that is subject to these Rules shall be conducted in compliance with the Rules within one year of the Effective Date.
15.2 Transition Period for New Group Companies
Any entity that becomes a Group Company after the Effective Date shall comply with the Rules within one year of becoming a Group Company.
15.3 Transition Period for Divested Entities
A Divested Entity will remain covered by these Rules after its divestment for such period as is required by Medeia Inc to disentangle the Processing of BCI Data relating to such Divested Entity.
15.4 Transition Period for Systems
Where implementation of these Rules requires updates or changes to information technology systems (including replacement of systems), the transition period shall be two years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.
15.5 Transition Period for Existing Agreements
Where there are existing agreements with Third Parties that are affected by these Rules, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business.
ANNEX 1 - Definitions
Privacy Policy
Your privacy and the security of your personal information are very important to us. This Privacy Policy describes how we use and protect the information which we collect on QAthlete Personal Assessment System (the product). We are dedicated to protecting the privacy of those who use the product. Please read this Privacy Policy carefully before you proceed. Except as we disclose in this Privacy Policy, we will not sell, share, license, trade or rent your personal information to others. For purposes of this Privacy Policy, "we", "us", and "our" means QAthlete.
1. INFORMATION COLLECTION AND USE
We collect two types of information: personally identifiable information and non-personally identifiable information.
1.1 Personally Identifiable Information
Personally identifiable information is information that identifies you or can be used to identify or contact you ("Personally Identifiable Information"). Personally Identifiable Information may include your name, address, email address, telephone numbers, birth date, job description and place of employment. We will request Personally Identifiable Information from you when you use the product. We will collect Personally Identifiable Information from you only if you voluntarily submit such information to us. Unless you give us permission to do so, we will not sell, share, license, trade or rent your Personally Identifiable Information other than as specified in this Privacy Policy. If you choose to withhold requested Personally Identifiable Information, you may not be able to utilise the full functionality of the product.
1.2 Non-Personally Identifiable Information
We also may collect information that by itself cannot be used to identify or contact you, such as demographic information (like age, profession or gender) and health information (like current body mass index) ("Non-Personally Identifiable Information"). Non-Personally Identifiable Information may also include user IP addresses (to the extent that it is not deemed to be Personally Identifiable Information [NOTE - STATIC IP ADDRESSES ARE GENERALLY CONSIDERED IDENTIFIABLE]), browser types, domain names, and other anonymous statistical data. Non-Personally Identifiable Information is used to help us understand who uses the product and to improve our conclusion engine and to assist us in isolating patterns in populations and demographics.
1.3 Information from Other Sources
We may also supplement the information we collect with information from other sources to assist us in evaluating and improving the product and its successors and/or to study stress and health in general.
2. TRANSFER OF YOUR PERSONAL INFORMATION
When you provide us with your Personally Identifiable Information, you acknowledge that this information may be stored and processed on internationally located servers and you consent to your Personally Identifiable Information being exported and shared in this way. The USA does not have data protection legislation; however, we will, of course, keep your information secure.
3. WHERE AND WHEN IS INFORMATION COLLECTED
We may collect information (including information that is Personally Identifiable Information) from you in different manners (including touch-screen responses and in writing) and at different points during your use of the product. The following is a description of the manners in which we primarily collect information about you.
3.1 Registration
Before any tests are performed or readings obtained, you will be required to submit certain personal details including your name, contact details, date of birth, occupation and nationality. In addition, you will also be required to complete the following on-screen questionnaires:
"Life Style questionnaire" including information such as your smoking habits, alcohol consumption, and dietary and exercise habits. Other relevant questionnaires may be introduced including a "Stress questionnaire" which requires you to indicate how you have been feeling in the past week about a number of matters.
3.2 Cookies
We use cookies to track and store information about you. A "cookie" is a software application that enables us to track your use of our website and services. You can find out more about the way cookies work on http://www.cookiecentral.com. We use cookies to help us understand what our users' interests and preferences are in order that we can tailor the product for our members, subscribers and visitors.
4. COLLECTION OF INFORMATION FROM MINORS
We are committed to protecting the privacy of minors. The product is not designed for use by children and is for use by individuals who are between 18 and 65 years only. We do not collect Personally Identifiable Information from any person we actually know is under the age of 18.
5. WHAT WE DO WITH THE INFORMATION WE COLLECT
We use the information you provide and our sophisticated computerised system that gives detailed information on ECG, EEG, PPG, GSR, and Heart Rate Variability ("HRV") (which monitors the balance or imbalance of the autonomic nervous system) to generate a full HRV analysis and lifestyle report.
Your individual reports will also be available on-line.
We may use the information gathered by the product to perform statistical analysis of user behavior, to analyse and evaluate issues relating to stress and health or to evaluate and improve our products and systems. We may link some of this information to Personally Identifiable Information for internal purposes only or to provide analysis to you. From time to time, we would like to send you information about other products or services which we think may be of interest to you. If you do not wish to receive this information any longer please email us at info@qathlete.com.
You give explicit consent to our use of your Personally Identifiable Information for the purposes listed above.
6. DISCLOSURE OF INFORMATION TO THIRD PARTIES
Except as set out in this Privacy Policy or as specifically agreed to by you, we will not disclose any information we gather from you on the product.
6.1 Affiliates, Agents and/or Commercial Partners
We may disclose information (including Personally Identifiable Information) about you to our Affiliates, agents and/or commercial partners. For purposes of this Privacy Policy, "Affiliates" means any person or entity which directly or indirectly controls, is controlled by or is under common control with QAthlete, whether by ownership or otherwise. Any information relating to you that we provide to our Affiliates will be treated by those Affiliates in accordance with the terms of this Privacy Policy.
6.2 Laws and Legal Rights
We may also disclose your information (including Personally Identifiable Information) if we believe in good faith that we are required to do so in order to comply with an applicable statute, regulation, rule or law, a subpoena, a search warrant, a court or regulatory order, or other valid legal process. We may disclose Personally Identifiable Information in special circumstances when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating our Terms & Conditions, or to protect the safety and/or security of our users, the product or the general public.
6.3 Third Parties Generally
We may provide to third parties Non-Personally Identifiable Information, including where such information is combined with similar information of other users of the product. For example, we might inform third parties of the number of individuals who have used the product, the demographic breakdown of our users or information regarding the general health, stress, stress related illnesses or health risks of our users which is Non-Personally Identifiable Information. The third parties to whom we may provide this information may include potential or actual advertisers, providers of advertising services, commercial partners, sponsors, licensees, researchers and other similar parties.
6.4 Outside Contractors
We may employ independent contractors ("Outside Contractors") to provide specific services related to our Website, such as mathematical and statistical analysis and reporting services. These Outside Contractors may sometimes have limited access to information collected by the product, including your Personally Identifiable Information, in the course of providing services to us. Access to your Personally Identifiable Information by these Outside Contractors is limited to the information reasonably necessary in order for the Outside Contractors to perform their limited function for us. We also require that these Outside Contractors:
1. Protect the privacy of your Personally Identifiable Information consistent with this Privacy Policy; and
2. Undertake not to use or disclose your Personally Identifiable Information for any purpose other than providing us with services for which we contracted.
6.5 Sale of Business
In the event that the business is sold or integrated with another business, information will be disclosed to our advisers and any prospective purchasers' advisers and will be passed to the new owners of the business.
7. SECURITY
We take reasonable and appropriate steps to protect your information. If you would like information on our security procedures please contact us at info@qathlete.com.
We take reasonable and appropriate measures including encryption to ensure that your personal information is protected from unauthorised access or modification, unlawful destruction and improper use. However, the internet is an open system and we cannot and do not guarantee that the personal information you have submitted will not be intercepted by others and decrypted.
You will be given a personal identification number (PIN) which you will need to enter to access information relating to you via our website. You must keep your PIN confidential and must not disclose it or share it with anyone. You should inform us immediately if your PIN is lost or stolen. We can give no guarantee that Personally Identifiable Information relating to you will be kept confidential if your PIN is lost or stolen.
We want your information (including Personally Identifiable Information) to remain as secure as possible. Only employees and consultants who need access to your information to perform a specific task or function are granted access to such information. In addition, all QAthlete employees must abide by this Privacy Policy and are kept up-to-date on security practices. Any employee who violates this Privacy Policy is subject to disciplinary action, up to and including termination.
Notwithstanding the above commitments to protect your information (including Personally Identifiable Information) from loss, misuse or alteration by third parties, you should be aware that there is always some risk involved when information is transmitted over the internet. There is also some risk that others could find a way to thwart our security systems. As a result, while we strive to protect your information, we cannot ensure or warrant the security and privacy of any information you give to us and you do so at your own risk.
8. COLLECTION, DISCLOSURE AND DISTRIBUTION OF PERSONALLY IDENTIFIABLE INFORMATION
Except as otherwise described in this Privacy Policy, we will only use Personally Identifiable Information for the purposes described above or as otherwise disclosed at the time we request such information from you. If we intend to use your Personally Identifiable Information for any other purpose, we will inform you in advance of the proposed use and ask you to "opt-in" to give us your permission to use your Personally Identifiable Information for such purpose.
You may change the preference you have previously submitted and "opt-out" at any time by withdrawing your permission by contacting info@qathlete.com.
9. UPDATING AND CORRECTING YOUR PERSONALLY IDENTIFIABLE INFORMATION
If your name, address, email address, telephone number, job description or place of employment ("Personal Details") that you have provided to us changes, please let us know the correct details by emailing info@qathlete.com.
You can always contact us in order to
1. Update or correct your Personal Details
2. Verify what Personal Details we maintain about you
3. Delete the Personal Details maintained about you on our systems, by contacting info@qathlete.com
Such updates, corrections, changes and deletions will not have an effect on other information that we maintain, or information that we have provided to third-parties in accordance with this Privacy Policy prior to such update, correction, change or deletion.
Please note that any information and analysis which has been generated by us following your use of the product and which is based on information provided by you and results obtained through your use of the product is fixed at that point in time and cannot subsequently be amended or updated. If any Personally Identifiable Information other than your Personal Details changes and you wish to update or correct such information, you will need to carry out a further test using the product including completing the relevant questionnaires and a further charge will be payable for the amended report.
You should be aware that it is not technologically possible to remove or verify each and every record of the information you have provided to us from our system. The need to back-up our systems to protect information from inadvertent loss means that a copy of your Personally Identifiable Information may exist in a non-erasable form that will be difficult or impossible for us to locate. We promise that promptly after receiving your request, all Personally Identifiable Information stored in databases we actively use and other readily searchable media will be updated, corrected, changed, deleted or confirmed to you, as appropriate, as soon as reasonably practicable.
10. CHANGES TO THIS PRIVACY POLICY
We reserve the right in our sole discretion to amend this Privacy Policy at any time, and you should check this Privacy Policy for any amendments each time you use the product. If we decide to change this Privacy Policy, we will post those changes [on our Website QAthlete] so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use Personally Identifiable Information in a manner significantly different from that stated in this Privacy Policy, or otherwise disclosed to you, at the time it was collected, we will notify you [by e-mail], and you will have a choice as to whether or not we use your Personally Identifiable Information in the new manner. We may also make non-significant changes to our Privacy Policy that generally will not affect our use of your Personally Identifiable Information.
If you do not agree to the terms of this Privacy Policy, you should not use the product.
11. WHO DO I CONTACT IF I HAVE ANY PRIVACY QUESTIONS?
If you have any questions about our Privacy Policy or feel that we are not abiding by the terms of our posted Privacy Policy, please contact our Privacy Coordinator in any of the following ways:
Email our Privacy Coordinator at: info@qathlete.com
BY USING THE PRODUCT, YOU ACKNOWLEDGE YOUR ACCEPTANCE OF THIS PRIVACY POLICY AND OF US PROCESSING YOUR PERSONAL DATA IN ACCORDANCE WITH THE TERMS OF THIS PRIVACY POLICY. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU SHOULD NOT USE THE PRODUCT. BY SUBMITTING YOUR PERSONAL INFORMATION, YOU CONSENT TO THE USE OF YOUR INFORMATION AS SET OUT IN THIS PRIVACY POLICY.
GENERAL PRIVACY POLICY
Your privacy is important to QAthlete®, and we have developed a Privacy Policy that covers how we collect, use, disclose, transfer, and store your information. Please take a moment to familiarize yourself with our privacy practices and let us know if you have any questions.
Collection and Use of Personal Information
Personal information is data that can be used to uniquely identify or contact a single person.
You may be asked to provide your personal information anytime you are in contact with QAthlete® or a QAthlete® affiliated company. QAthlete® and its affiliates may share this personal information with each other and use it consistent with this Privacy Policy. They may also combine it with other information to provide and improve our products, SOFTWARE, content, and advertising.
Here are some examples of the types of personal information QAthlete® may collect and how we may use it.
What personal information we collect
When you create a QAthlete® ID, register your products, apply for commercial credit, purchase a product, download a SOFTWARE update, register for a class at QAthlete® Affiliate Universities, or participate in an online survey, we may collect a variety of information, including your name, mailing address, phone number, email address, contact preferences, and credit card information.
When you share your content with colleagues using QAthlete® products, send gift certificates and products, or invite others to join you on QAthlete® forums, QAthlete® may collect the information you provide about those people such as name, mailing address, email address, and phone number.
In the U.S., we may ask for your Social Security number (SSN) but only in limited circumstances such as when determining whether to extend commercial credit.
How we use your personal information
The personal information we collect allows us to keep you posted on QAthlete®’s latest product announcements, SOFTWARE updates, and upcoming events. It also helps us to improve our SOFTWARE, content, and advertising. If you don’t want to be on our mailing list, you can opt out anytime by updating your preferences.
We also use personal information to help us develop, deliver, and improve our products, SOFTWARE, content, and advertising.
From time to time, we may use your personal information to send important notices, such as communications about purchases and changes to our terms, conditions, and policies. Because this information is important to your interaction with QAthlete®, you may not opt out of receiving these communications.
We may also use personal information for internal purposes such as auditing, data analysis, and research to improve QAthlete®’s products, SOFTWARE, and customer communications.
If you enter into a sweepstake, contest, or similar promotion we may use the information you provide to administer those programs.
Collection and Use of Non-Personal Information
We also collect non-personal information - data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where a QAthlete® product is used so that we can better understand customer behavior and improve our products, SOFTWARE, and advertising.
We also may collect information regarding customer activities on our website, and from our other products and SOFTWARE. This information is aggregated and used to help us provide more useful information to our customers and to understand which parts of our website, products, and SOFTWARE are of most interest. Aggregated data is considered non-personal information for the purposes of this Privacy Policy.
If we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined.
Cookies and Other Technologies
QAthlete®’s website, online SOFTWARE, interactive applications, email messages, and advertisements may use “cookies” and other technologies such as pixel tags and web beacons. These technologies help us better understand user behavior, tell us which parts of our website people have visited, and facilitate and measure the effectiveness of advertisements and web searches. We treat information collected by cookies and other technologies as non-personal information. However, to the extent that Internet Protocol (IP) addresses or similar identifiers are considered personal information by local law, we also treat these identifiers as personal information. Similarly, to the extent that non-personal information is combined with personal information, we treat the combined information as personal information for the purposes of this Privacy Policy.
QAthlete® and its partners use cookies and other technologies in mobile advertising SOFTWARE to control the number of times you see a given ad, deliver ads that relate to your interests, and measure the effectiveness of ad campaigns. If you do not want to receive ads with this level of relevance on your mobile device, you can opt out by email: info@medeia.com. This opt-out applies only to QAthlete® advertising SOFTWARE and does not affect interest-based advertising from other advertising networks.
QAthlete® and our partners also use cookies and other technologies to remember personal information when you use our website, online SOFTWARE, and applications. Our goal in these cases is to make your experience with QAthlete® more convenient and personal. For example, knowing your first name lets us welcome you the next time you visit the QAthlete® website. Knowing your country and language - and if you are an educator, your school - helps us provide a customized and more useful experience. Knowing someone using your computer or device has shopped for a certain product or used a particular SOFTWARE helps us make our advertising and email communications more relevant to your interests. And knowing your contact information, product serial numbers, and information about your computer or device helps us register your products, personalize your operating system, set up your SOFTWARE, and provide you with better customer support.
If you want to disable cookies and you’re using your web browser, check with your provider to find out how to disable cookies. Please note that certain features of the QAthlete® website will not be available once cookies are disabled.
As is true of most websites, we gather some information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring and exit pages, operating system, date/time stamp, and clickstream data.
We use this information to understand and analyze trends, to administer the site, to learn about user behavior on the site, and to gather demographic information about our user base as a whole. QAthlete® may use this information in our marketing and advertising SOFTWARE.
In some of our email messages, we use a “click-through URL” linked to content on the QAthlete® website. When customers click one of these URLs, they pass through a separate web server before arriving at the destination page on our website. We track this click-through data to help us determine interest in particular topics and measure the effectiveness of our customer communications. If you prefer not to be tracked in this way, you should not click text or graphic links in the email messages.
Pixel tags enable us to send email messages in a format customers can read, and they tell us whether mail has been opened. We may use this information to reduce or eliminate messages sent to customers.
Disclosure to Third Parties
At times QAthlete® may make certain personal information available to strategic partners that work with QAthlete® to provide products and SOFTWARE, or that help QAthlete® market to customers. For example, when you purchase and activate your SOFTWARE you authorize QAthlete® to exchange the information you provide during the activation process to carry out the SOFTWARE REGISTRATION PROCESS. If you are approved for SOFTWARE, your USER PROFILE will be governed by QAthlete® and its respective privacy policies. Personal information will only be shared by QAthlete® to provide or improve our products, SOFTWARE and advertising; it will not be shared with third parties for their marketing purposes.
SOFTWARE Providers
QAthlete® shares personal information with companies who provide SOFTWARE such as information processing, extending credit, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer SOFTWARE, assessing your interest in our products and SOFTWARE, and conducting customer research or satisfaction surveys. These companies are obligated to protect your information and may be located wherever QAthlete® operates.
Others
It may be necessary - by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence - for QAthlete® to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
We may also disclose information about you if we determine that disclosure is reasonably necessary to enforce our terms and conditions or protect our operations or users. Additionally, in the event of a reorganization, merger, or sale we may transfer any and all personal information we collect to the relevant third party.
Protection of Personal Information
QAthlete® takes precautions — including administrative, technical, and physical measures — to safeguard your personal information against loss, theft, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.
QAthlete® SOFTWARE uses Secure Sockets Layer (SSL) encryption on all web pages where personal information is collected.
When you use some QAthlete® products, SOFTWARE, or applications or post on a QAthlete® forum, chat room, or social networking site, the personal information you share is visible to other users and can be read, collected, or used by them. You are responsible for the personal information you choose to submit in these instances. For example, if you list your name and email address in a forum posting, that information is public. Please take care when using these features.
Integrity and Retention of Personal Information
QAthlete® makes it easy for you to keep your personal information accurate, complete, and up to date. We will retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.
Access to Personal Information
We make good faith efforts to provide you with access to your data so you can request that we correct the data if it is inaccurate or delete the data if QAthlete® is not required to retain it by law or for legitimate business purposes. We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by local law.
Location-Based SOFTWARE
To provide location-based SOFTWARE on QAthlete® products, QAthlete® and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your QAthlete® computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by QAthlete® and our partners and licensees to provide and improve location-based products and SOFTWARE.
Third-Party Sites and SOFTWARE
QAthlete® websites, products, applications, and SOFTWARE may contain links to third-party websites, products, and SOFTWARE. Our products and SOFTWARE may also use or offer products or SOFTWARE from third parties. Information collected by third parties, which may include such things as location data or contact details, is governed by their privacy practices. We encourage you to learn about the privacy practices of those third parties.
International Users
Information you provide may be transferred or accessed by entities around the world as described in this Privacy Policy. QAthlete® abides by the “safe harbor” frameworks set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information collected by organizations in the European Economic Area and Switzerland. Learn more about the U.S. Department of Commerce Safe Harbor Program.
Our Companywide Commitment to Your Privacy
To make sure your personal information is secure, we communicate our privacy and security guidelines to QAthlete® employees and strictly enforce privacy safeguards within the company.
Privacy Questions
If you have any questions or concerns about QAthlete®’s Privacy Policy or data processing, please contact us.
QAthlete® may update its Privacy Policy from time to time. When we change the policy in a material way, a notice will be posted on our website along with the updated Privacy Policy.
EU Processor Privacy Rules GDPR Compliant
Article 1 – Scope, Applicability and Implementation
1.1 Scope Medeia Inc as Data Processor
These Rules address the worldwide Processing of Personal Data of individual customers or employees of Business Customers (Business Customer's Individuals Personal Data or BCI Data) by Medeia Inc in its role as a Data Processor in the course of delivering Customer Services.
1.2 Processing in non-Adequate Country
These Rules apply to BCI Data that are:
(i) subject to Data Transfer Restrictions; and
(ii) Processed by Medeia Inc in a non-Adequate Country.
1.3 Electronic and paper-based Processing
These Rules apply to the Processing of BCI Data by electronic means and in systematically accessible paper-based filing systems.
1.4 Applicability of local law and these Rules
Business Customer's Individuals keep any rights and remedies they may have under applicable local law. Where these Rules provide more protection than applicable local law or provide additional safeguards, rights or remedies for Business Customer's Individuals, these Rules shall apply.
1.5 Sub-policies and notices
Medeia Inc may supplement these Rules through sub-policies and notices that are consistent with these Rules.
1.6 Compliance Responsibility
These Rules are binding on Medeia Inc. The Responsible Executive shall be accountable for her business organization’s compliance with these Rules. Medeia Inc Staff must comply with these Rules.
1.7 Effective date
These Rules enter into force as of 16 July 2015 (Effective Date).
1.8 Rules supersede prior policies
These Rules supersede all Medeia Inc privacy policies that exist on the Effective Date to the extent they address the same issues or conflict with the provisions of these Rules.
1.9 Implementation
These Rules shall be implemented within Medeia Inc based on the timeframes specified in Article 15.
1.10 Role of Medeia Inc
Medeia Inc is tasked with the coordination and implementation of these Rules.
1.11 Privacy Officer Advice
Where there is a question as to the applicability of these Rules, Staff shall seek the advice of the appropriate Privacy Officer prior to the relevant Processing.
Article 2 – Business Customer Service Contract
2.1 Business Customer Service Contract
Medeia Inc shall Process BCI Data only on the basis of a written contract with a Business Customer (Business Customer Service Contract). The Medeia Inc Contracting Entity uses Sub-Processors, both Medeia Inc Sub-Processors and Third Party Sub-Processors, in the regular performance of Business Customer Service Contracts. The standard Business Customer Service Contract shall authorize the use of such Sub-Processors, provided that the Medeia Inc Contracting Entity remains liable to the Business Customer for the performance of the contract by the Sub-Processors. If the Business Customer Service Contract explicitly does not authorize the use of Sub-Processors, Article 7 shall not apply.
2.2 Termination Business Customer Service Contract
Upon termination of the Business Customer Service Contract, Medeia Inc shall, at the option of the Business Customer, return the BCI Data and copies thereof to the Business Customer or shall securely destroy such BCI Data and certify to the Business Customer that Medeia Inc has done so, except to the extent the Business Customer Service Contract or applicable law provides otherwise. In that case, Medeia Inc shall no longer Process the BCI Data, except to the extent required by the Business Customer Service Contract or applicable law.
2.3 Audit of termination measures
Medeia Inc shall, at the request of the Business Customer or Relevant Data Protection Authority, allow its Processing facilities to be audited in accordance with Article 10.2 or 10.3 (as applicable) to verify that Medeia Inc has complied with its obligations under Article 2.2.
Article 3 – Compliance Obligations Philips
3.1 Instructions of the Data Controller
Medeia Inc shall Process BCI Data only on behalf of the Business Customer and in accordance with any instructions received from the Business Customer.
3.2 Compliance with Applicable Adequate Data Protection Law
Medeia Inc shall Process BCI Data only in accordance with the Applicable Adequate Data Protection Law and shall deal promptly and appropriately with requests for assistance of the Business Customer to ensure compliance of the Processing of the BCI Data with the applicable Adequate Data Protection Law.
3.3 Notification of non-compliance, substantial adverse effect
If Medeia Inc:
(i) determines that it is unable for any reason to comply with its obligations under Article 3.1 and 3.2 and Medeia Inc cannot cure this inability to comply; or
(ii) becomes aware of any circumstance or change in the Applicable Data Processor Law, except with respect to the Mandatory Requirements, that is likely to have a substantial adverse effect on Medeia Inc's ability to meet its obligations under Article 3.1, 3.2 or 10.3;
Medeia Inc shall promptly notify the Business Customer thereof, in which case the Business Customer will have the right to temporarily suspend the Processing until such time the Processing is adjusted in such a manner that the non-compliance is remedied. To the extent such adjustment is not possible, the Business Customer shall have the right to terminate the relevant part of the Processing by Medeia Inc.
3.4 Request for disclosure of BCI Data
Medeia Inc shall promptly notify the Business Customer of any legally binding request Medeia Inc receives for disclosure of BCI Data by a law enforcement authority unless otherwise prohibited by law from making such disclosure.
3.5 Inquiries of the Business Customer
Medeia Inc shall deal promptly and appropriately with inquiries of the Business Customer related to the Processing of the BCI Data pursuant to the terms of the Business Customer Service Contract.
Article 4 – Processor Purposes
4.1 Legitimate Business Purposes
Where Medeia Inc serves as a Data Processor, Personal Data and Sensitive Data may be Processed by Medeia Inc for one or more of the following purposes:
(i) Customer data management information technology services including:
(a) hosting, storage, backup, or archiving;
(b) reporting on the use of data services by a Customer;
(c) security maintenance (e.g., implementing access controls, auditing use, managing servers, managing network security, managing incidents); or
(d) account management of third-party use of Customer-specific Medeia Inc products or services (e.g., use reporting and billing of a Customer's customer on behalf of the Customer).
(ii) Customer support services including:
(a) providing (local and remote) assistance to Customer in the use or repair of Medeia Inc products or services;
(b) Medeia Inc generation of service level reports or other reports on a Customer's use of Medeia Inc products or services for Customer management information purposes; or
(c) life-cycle management of Medeia Inc products and services (e.g., planning, evaluation, demonstration, installation, calibration, training, maintenance, decommissioning) to facilitate continued and sustained use by a Customer of Medeia Inc products and services.
(iii) Customer-specific custom services including:
(a) device or system tuning for the purpose of adjusting the service or product to meet a Customer's specifications (e.g., by engaging application specialists, undertaking project management activities, modifying of device or system);
(b) the collection and analysis of Customer use data to report trends (e.g., specific status reports, management reporting, proactive management for security, the general improvement of Customer's internal operations);
(c) the purchase of goods and services on behalf of a Customer (e.g., contract broadband network service for device placement and data acquisition, third-party hardware integration); or
(d) the provision of training for Customer's staff or third parties (e.g., equipment training, HIPAA training, infection control training, radiation training).
(iv) Medeia Inc internal business process execution and management leading to incidental Processing of Personal Data or Sensitive Data for:
(a) internal auditing of Medeia Inc Processor-related activities;
(b) activities related to compliance with applicable law or regulation (e.g., data processing law, medical device regulation);
(c) data deidentification and aggregation of deidentified data for data minimization; and
(d) use of deidentified, aggregate data to facilitate continuity, sustainability, and improvement of Medeia Inc products and services.
Article 5 – Security Requirements
5.1 Data security
Medeia Inc shall take appropriate, commercially reasonable, technical, physical and organizational measures to protect BCI Data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access during the Processing. Medeia Inc shall in any event take the measures specified in Annex 2 of these Rules, which Annex shall be revised by Medeia Inc if so required to reflect industry standards, or such stricter measures as instructed by the Business Customer in the Business Customer Service Contract.
5.2 Data access and confidentiality
Medeia Inc shall provide Medeia Inc Staff access to BCI Data only to the extent necessary to perform the Processing. Medeia Inc shall impose confidentiality obligations on Staff that has access to BCI Data.
5.3 Data Security Breach notification requirement
Medeia Inc shall notify the Business Customer of a Data Security Breach as soon as reasonably possible following discovery of such breach, unless a law enforcement official or supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security or the trust in the relevant industry sector. In this case, notification shall be delayed as instructed by such law enforcement official or supervisory authority. Medeia Inc shall respond promptly to inquiries of the Business Customer relating to such Data Security Breach.
Article 6 – Transparency to Business Customer's Individuals
6.1 Copy of Data Protection Provisions of Business Customer Service Contract
Medeia Inc shall provide the Business Customer's Individual, at its request, the contact details of the relevant Business Customer. If the Business Customer's Individual is unable to obtain from the Business Customer a copy of the data protection provisions of the relevant Business Customer Service Contract, Medeia Inc shall provide the Business Customer's Individual with a copy of these provisions. Where the disclosure sets forth a description of detailed security measures, Medeia Inc may replace the details with a summary description.
6.2 Other Requests of Business Customer's Individuals
Medeia Inc shall promptly notify the Business Customer of requests (other than requests under Article 6.1) or complaints that are received directly from a Business Customer's Individual without responding to such requests or complaints, unless otherwise instructed by the Business Customer in the Business Customer Service Contract.
If instructed by the Business Customer to respond to requests and complaints of Business Customer's Individuals, Medeia Inc shall ensure that the Business Customer's Individual is provided with all required information (including the point of contact and the procedure) in order for the Business Customer's Individual to be able to effectively make the request or lodge the complaint.
Article 7 – Sub-Processors
7.1 Third Party Sub-Processing Contracts
Third Party Sub-Processors may Process Business Customer Data only if the Third Party Sub-Processor has a written contract with Medeia Inc. The contract shall impose similar data protection-related Processing terms on the Third Party Sub-Processor as those imposed on the Medeia Inc Contracting Entity by the Business Customer Service Contract and these Rules.
7.2 Publication of Overview of Sub-Processors
Medeia Inc shall publish on the appropriate Medeia Inc website an overview of the categories of Sub-Processors (both Third Parties and Medeia Inc) Medeia Inc involves in the performance of the relevant Customer Services. This overview shall be promptly updated in case of changes.
Article 8 – Supervision and compliance
8.1 Chief Privacy Officer
Medeia Inc shall appoint a Chief Privacy Officer who is responsible for:
(i) supervising compliance with these Rules;
(ii) providing periodic reports, as appropriate, to the Chief Executive Officer on data protection risks and compliance issues; and
(iii) coordinating, in conjunction with the appropriate staff, official investigations or inquiries into the Processing of BCI Data by a public authority.
8.2 Privacy Council
The Privacy Council, or the board of directors in its place, shall create and maintain a Medeia Inc framework for:
(i) the development of the policies, procedures and system information (as required by Article 9);
(ii) planning training and awareness programs;
(iii) monitoring and reporting on compliance with these Rules;
(iv) collecting, investigating and resolving privacy inquiries, concerns and complaints;
(v) determining and updating appropriate sanctions for violations of these Rules (e.g., disciplinary standards).
8.3 Senior Privacy Officers
Medeia Inc does not have Senior Privacy Officers due to the size of the company.
8.4 Responsible Executive
The Board of Directors is the responsible executive and shall perform at least the following tasks:
(i) ensure that the policies and procedures are implemented and the system information is maintained (as required by Article 9);
(ii) provide to the Senior Privacy Officers such system information as is required for them to comply with the task listed in Article 8.3 sub (ii);
(iii) ensure that Personal Data are returned or securely deleted or destroyed after termination of the Business Customer Service Contract (as required by Article 2.2);
(iv) determine how to comply with the Rules when there is a conflict with applicable law (as required by Article 13.1); and
(v) inform the appropriate Senior Privacy Officers of any new legal requirement that may interfere with Medeia Inc’s ability to comply with these Rules (as required by Article 13.2).
8.5 Default Privacy Officer
If no Senior Privacy Officer has been designated in a Sector, Country or Region, the Board of Directors is responsible for supervising compliance with these Rules.
8.6 Privacy Officers with statutory position
Where a Privacy Officer holds her position pursuant to law, she shall carry out her job responsibilities to the extent they do not conflict with her statutory position.
Article 9 – Policies, procedures and training
9.1 Policies and procedures
Medeia Inc shall develop and implement policies and procedures to comply with these Rules.
9.2 System information
Medeia Inc shall maintain readily available information regarding the structure and functioning of all systems and processes that Process BCI Data (e.g., inventory of systems and processes, privacy impact assessments).
9.3 Staff training
Medeia Inc shall provide training on these Rules and other privacy and data security obligations to Staff who have access to or responsibilities associated with managing BCI Data.
Article 10 – Monitoring compliance
10.1 Internal audits
Medeia Inc Internal Audit shall audit business processes and procedures that involve the Processing of BCI Data for compliance with these Rules. The audits shall be carried out in the course of the regular activities of Medeia Inc Internal Audit. Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The Board of Directors shall be informed of the results of the audits. In case the audit identifies violations of the Rules, these will be reported to senior management. A copy of the audit results will be provided to the Dutch Data Protection Authority upon request.
10.2 Business Customer audit
Medeia Inc shall provide to the Business Customer a statement issued by a qualified independent third party assessor certifying that the Medeia Inc business processes and procedures that involve the Processing of BCI Data comply with these Rules when requested by Business Customer.
10.3 Audit by Relevant Data Protection Authority
A Relevant Data Protection Authority may request an audit of the facilities used by Medeia Inc for the Processing subject to the same conditions (regarding the existence of the right to audit, scope, subject and other requirements) as would apply to an audit by that Data Protection Authority of the Business Customer itself under the Applicable Data Controller Law.
10.4 Annual Report
The Chief Privacy Officer shall produce an annual BCI Data protection report for Medeia Inc’s Board of Directors on Medeia Inc’s compliance with these Rules and other relevant issues.
10.5 Mitigation
Medeia Inc shall, if so indicated, ensure that adequate steps are taken to address breaches of these Rules identified during the monitoring or auditing of compliance pursuant to this Article 10.
Article 11 – Legal issues
11.1 Specific provision when Data Protection Authorities in EEA have jurisdiction under national law.
If a Data Protection Authority of one of the EEA countries has jurisdiction under its applicable data protection law to evaluate data transfers by a Group Company established in its country, such Data Protection Authority may evaluate these data transfers also against these Rules. The Dutch Data Protection Authority will provide cooperation and assistance where required, including providing audit reports available at the Dutch Data Protection Authority insofar as relevant to evaluate the aforementioned data transfers against these Rules.
11.2 Rights of Business Customer's Individuals
When the Business Customer has factually disappeared or ceased to exist in law or has become insolvent, unless a successor entity has assumed the legal obligations of the Business Customer by contract or by operation of law (in which case the Business Customer's Individual should enforce its rights against such successor entity), the Business Customer's Individual can enforce against the Medeia Inc Contracting Entity Article 3, 5.1, 5.3, 6, 7.1, 7.2, 10.3, 11.1, 11.2, 11.4, and any claim for direct damages as a result of a breach of these enumerated provisions.
To the extent the Business Customer's Individual may enforce any rights against the Medeia Inc Contracting Entity, the Medeia Inc Contracting Entity may not rely on a breach by a Sub-processor of its obligations to avoid liability. Medeia Inc may, however, assert any defenses that would have been available to the Business Customer.
11.3 Jurisdiction for Claims of Business Customer's Individuals
The Business Customer's Individual may, at her choice, submit any claim she has under Article 11.2 against the Medeia Inc Contracting Entity:
(i) to mediation by:
a. an independent person located in the country in which the Business Customer's Individual resides or, if the Business Customer's Individual does not reside in an EEA Country, an independent person located in the Netherlands; or
b. a Relevant Data Protection Authority;
(ii) to the courts in the country of establishment of the Business Customer or, if the Business Customer is not established in an EEA Country, to a court in the Netherlands but in that case only against Medeia Inc; or
(iii) to a Relevant Data Protection Authority or, if the Business Customer is not established in an EEA Country, to the Dutch Data Protection Authority, but in that case only against Medeia Inc.
The courts, the Relevant Data Protection Authority and the Dutch Data Protection Authority shall apply their own substantive and procedural laws to the dispute. Any choice made by the Business Customer's Individual will not prejudice the substantive or procedural rights he may have under applicable law.
11.4 Rights of Business Customers
The Business Customer may enforce these Rules against the Medeia Inc Contracting Entity or, if the Medeia Inc Contracting Entity is not established in an EEA Country, against Medeia Inc. Medeia Inc shall, if so indicated, ensure that adequate steps are taken to address violations of these Rules by the Medeia Inc Contracting Entity or any other Group Company. The Medeia Inc Contracting Entity or Medeia Inc may not rely on a breach by another Group Company or a Sub-processor of its obligations to avoid liability.
11.5 Available remedies, limitation of damages, burden of proof re. damages for Business Customer's Individuals
In case of a violation of these Rules, Business Customer's Individuals shall be entitled to compensation of damages. However, the Medeia Inc Contracting Entity or Medeia Inc shall be liable only for direct damages (which excludes, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost) suffered by a Business Customer's Individual resulting from a violation of these Rules.
Regarding the burden of proof in respect of damages, it will be for the Business Customer's Individual to demonstrate that she has suffered damage and to establish facts which show it is plausible that the damage has occurred because of a violation of these Rules. It will subsequently be for the Medeia Inc Contracting Entity or Medeia Inc to prove that the damages suffered by the Business Customer's Individual due to a violation of these Rules are not attributable to a Group Company or a Sub-processor.
11.6 Available remedies, limitation of damages, burden of proof re. damages for Business Customers
In case of a violation of these Rules, Business Customers shall be entitled to compensation of damages. However, the Medeia Inc Contracting Entity or Medeia Inc shall be liable only for direct damages (which excludes, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost) suffered by a Business Customer resulting from a violation of these Rules.
11.7 Mutual assistance Group Companies and redress
All Group Companies shall cooperate and assist each other to the extent reasonably possible to achieve compliance with these Rules, including an audit or inquiry by the Business Customer or a Relevant Data Protection Authority.
The Medeia Inc Group Company, upon receiving a request for information pursuant to Article 6.1 or a claim pursuant to Article 11.1, is responsible for handling any communication with the Business Customer's Individual regarding her request or claim except where circumstances dictate otherwise and as mutually agreed among Senior Privacy Officers relevant to the specific issue.
The Medeia Inc Group Company that is responsible for the Processing to which the request or claim relates shall bear all costs involved and reimburse any costs incurred by other Medeia Inc Group Companies in respect thereof.
11.8 Advice by Relevant Data Authority
Medeia Inc shall abide by the advice of a Relevant Data Protection Authority with regard to the Processing of BCI Data.
Article 12 – Sanctions for non-compliance
12.1 Non-compliance
Non-compliance of Medeia Inc employees with these Rules may result in disciplinary action up to and including termination of employment.
Article 13 – Conflicts between the Rules and Applicable Data Processor Law
13.1 Conflict between Rules and law
Where there is a conflict between Applicable Data Processor Law and the Rules, the relevant Responsible Executive shall consult with the appropriate Senior Privacy Officers and their legal departments to determine how to comply with these Rules and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company.
13.2 New conflicting legal requirements
The relevant Responsible Executive, in consultation with her legal department, shall promptly inform the appropriate Senior Privacy Officers of any new legal requirement that may interfere with Medeia Inc’s ability to comply with these Rules.
Article 14 – Changes to the Rules
14.1
Any changes to these Rules require the prior approval of the Chief Legal Officer.
14.2
Any amendment shall enter into force after it has been approved and published on the Medeia Inc General Business Principles Internet site and communicated to the Business Customers.
14.3
Any request or claim of a Business Customer's Individual involving these Rules shall be judged against the version of these Rules that is in force at the time the request, complaint or claim is made.
14.4
The Chief Privacy Officer shall be responsible for informing the relevant government authorities of material changes to these Rules on a yearly basis and coordinating their responses. The Chief Privacy Officer shall inform the Board of Directors of the effect of these responses.
Article 15 – Transition Periods
15.1 General Transition Period
Except as otherwise indicated, Medeia Inc shall strive to comply with these Rules as soon as possible after the Effective Date. In any event all Processing of Personal Data that is subject to these Rules shall be conducted in compliance with the Rules within one year of the Effective Date.
15.2 Transition Period for New Group Companies
Any entity that becomes a Group Company after the Effective Date shall comply with the Rules within one year of becoming a Group Company.
15.3 Transition Period for Divested Entities
A Divested Entity will remain covered by these Rules after its divestment for such period as is required by Medeia Inc to disentangle the Processing of BCI Data relating to such Divested Entity.
15.4 Transition Period for Systems
Where implementation of these Rules requires updates or changes to information technology systems (including replacement of systems), the transition period shall be two years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.
15.5 Transition Period for Existing Agreements
Where there are existing agreements with Third Parties that are affected by these Rules, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business.