BEECOM Data Protection Policy for Add-ons
As of January 14th 2019
1. Scope and Purpose
By installing and using the Software, you acknowledge that you have reviewed this Policy and accepted the terms of this Policy.
This Policy sets out the obligations of the Company regarding data protection and the rights of the Customers in respect of their personal data under the Swiss Data Protection Act ("DPA") and General Data Protection Regulation ("GDPR"), as amended from time to time (collectively "Regulation").
The Regulation defines "personal data" as any information relating to an identified or identifiable natural person (a Customer); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the procedures that are to be followed when dealing with personal data. The procedures and principles set out herein must be followed at all times by the Company and its agents, contractors or other parties working on behalf of the Company.
2. Company's Contact
In the event of questions relating to this Policy or the personal data processed, the Company can be contacted by e-mail to firstname.lastname@example.org or by regular mail to beecom AG, Aargauerstrasse 180, 8048 Zurich, Switzerland.
3. Legal basis for Processing and Purpose
The Company processes personal data in order to perform its obligations under the EULA, to send email notifications of new versions of the Software and newsletters (if opted-in), for the purpose of other legitimate interests or in order to comply with a legal duty imposed on the Company in connection with the EULA.
4. Information collected by the Company
The following personal data may be collected, held, and processed by the Company:
a) the Customer's names, telephone number(s), mailing address, email address and any other information relating to the Customer which the Customer has provided to the Company during the registration process on Atlassian Marketplace;
b) any technical and related information, including but not limited to the Customer's devices, systems and use of the Software; and
c) other information provided by the Customer to the Company in connection with the EULA.
5. Ways of collecting personal data
Generally, the Company may collect personal data in the following ways:
a) when the Customer submits forms or applications to the Company;
b) when the Customer submits requests to the Company;
c) when the Customer asks to be included in an email or other mailing list;
d) when the Customer responds to our initiatives; and
e) when the Customer submits personal data to the Company for any other reason.
6. The Data Protection Principles
This Policy aims to ensure compliance with the Regulation. The Regulation sets out the following principles with which any party handling personal data must comply. All personal data must be:
a) processed lawfully, fairly, and in a transparent manner in relation to the Customer;
b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
e) kept in a form which permits identification of the Customer for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the Customer;
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
7. Customers' Rights
The Customer has the following rights under the Regulation:
a) the right to be informed about the collection and use of personal data by the Company;
b) the right of access to the personal data the Company holds about the Customer;
c) the right to rectification if any personal data the Company holds about the Customer is inaccurate or incomplete;
d) the right to be forgotten;
e) the right to restrict (i.e. prevent) the processing of the personal data;
f) the right to data portability (obtaining a copy of the personal data to re-use with another service or organization);
g) the right to object to the Company using the personal data for particular purposes; and
h) rights with respect to automated decision making and profiling (where applicable).
8. Data Protection Measures
The Company shall ensure that all its Customers, agents, freelancers, contractors, or other parties working on its behalf when processing personal data, will apply and implement the appropriate technical (e.g. use of passwords; encryption of sensitive personal data; regular back-ups; use of secure networks, etc.) and organizational (e.g. access only on a need-to-know basis; signing of NDAs by Customers where necessary, etc.) measures.
9. Transferring personal data to a country outside the EEA
The Company may from time to time transfer ("transfer" includes making available remotely) personal data to countries outside of the EEA, in particular to the USA.
The transfer of personal data to a country outside of the EEA shall take place only if contractual clauses (e.g. the EU Model Clauses or the Swiss Transborder Data Flow Agreement) have been put into place.
10. Data Breach Notification
All personal data breaches must be reported immediately to the Company by written notice or by e-mail to email@example.com.
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of the Customer (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Company must ensure that the Swiss Federal Data Protection and Information Commissioner ("FDPIC") and where applicable the Information Commissioner’s Office in the EU is informed of the breach without delay, and in any event, within 72 hours after having become aware of it. With regard to data security breaches the FDPIC must be informed immediately.
In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of the Customer, the Company must ensure that all affected Customers are informed of the breach directly and without undue delay.
11. Withdrawal of Consent
In the event consent was given, Customers have the right to withdraw such consent at any time by sending a written notice or e-mail to the Company to firstname.lastname@example.org.