Data Policy

1. GDPR

We need to make sure that your and our processing of the Embedded Data complies with the requirements of the General Data Protection Regulation (EU) 2016/679 (the “EU GDPR”), the EU GDPR as incorporated into UK national law by virtue of the European (Withdrawal) Act 2018 (the “UK GDPR”) and the Data Protection Act 2018.

This Policy, together with our Terms, forms part of your Order. It comprises a balanced set of terms to support the assessment that our sharing of Embedded Data with you is in your and our legitimate interests and does not unduly prejudice the rights and freedoms of individuals to whom the Platform Personal Data relates. If you have any questions about it, please contact us.

1.1. Definitions: In this Data Policy, the following terms shall have the following meanings (any definitions not found here will be in the main Terms):

(a) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, UK Data Protection Law, the EU GDPR and the EU e-Privacy Directive (Directive 2002/58/EC).
(b) “clause” means a clause of this Data Policy.
(c) “controller”, “processor”, “data subject”, “processing” (and “process”) and “special categories of data” shall have the meanings given in UK Data Protection Law.
(d) “Data Usage Tier” means one of the four tiers outlined in Part 3 of this Data Policy which determines the extent of your usage rights in relation to Embedded Data, including Platform Personal Data.
(e) “GDPR” means the EU GDPR and the UK GDPR.
(f) “Party” means you or Embedded, as party to an Order comprising the Embedded Terms and this Data Policy.
(g) “Permitted Purpose” is as defined in clause 1.2 below.
(h) “personal data” means any information relating to an identified or identifiable natural person (a data subject). This is one who can be identified, directly or indirectly, in particular by reference to an identifier.
(i) “Platform Personal Data” is any personal data made available to you via the Embedded Platform, as further described in Annex I below.
(j) “UK Data Protection Law” means:

(i) the UK GDPR;
(ii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and
(iii) the Data Protection Act 2018.

1.2. Disclosure of data: Embedded will make available to you via the Embedded Platform certain personal data as further described in Annex I (the Platform Personal Data) to process strictly in accordance with the Data Usage Tier outlined in your Subscription (and subject to any restrictions outlined in Part 3) or as otherwise agreed in writing between Embedded and you (the “Permitted Purpose”).

1.3. Relationship of the parties: You acknowledge that Embedded is a controller of the Platform Personal Data made available via the Embedded Platform, and that you will process the Platform Personal Data as a separate and independent controller strictly for the Permitted Purpose. In no event will Embedded and You process the Platform Personal Data as joint controllers.

1.4. Legitimate Interests: The Parties acknowledge that for the purposes of UK Data Protection Law, the legal basis on which Embedded will facilitate access by you to the Platform Personal Data is the legitimate interests pursued by Embedded in building and operating its business of providing insights into UK technology suppliers and the surrounding ecosystem as well as those pursued by the Organisation which may wish to partner with.

1.5. Compliance with law: Each of Embedded and you shall be separately responsible for complying with the obligations that apply to it as a controller under Applicable Data Protection Law.

1.6. Prohibited data: We shall not disclose any special categories of personal data to you for processing.

1.7. International transfers: Transfer of Platform Personal Data occurs whenever a User accesses the Embedded Platform.

Organisation based in the EEA/UK: you shall not transfer the Platform Personal Data (nor permit the Platform Personal Data to be transferred) outside of the European Economic Area (“EEA”) and/or the United Kingdom (“UK”) unless you take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.

Organisation based outside the EEA/UK: If you are based outside the EEA/UK in a country that has not been deemed as ensuring adequate data protection within the meaning of Article 45 of the GDPR, you agree that the Standard Contractual Clauses (2021/914/EC) Module 1 (“Standard Contractual Clauses”) and the ICO’s UK Addendum to the Standard Contractual Clauses (“UK Addendum”) shall be incorporated by reference into your Order. For the purposes of populating the Appendices to the Standard Contractual Clauses and UK Addendum, the required information will be as set out in the Annexes to this Data Policy. In the event of any conflict between the Data Policy and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. In the event of any conflict between the Data Policy and the UK Addendum, the UK Addendum shall prevail.

For the purposes of Clause 11 of the Standard Contractual Clauses (“Redress”), the optional Clause (which reads as follows: “The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.”) is hereby deleted.

For the purposes of Clause 17 of the Standard Contractual Clauses (“Governing law”), the parties agree that this shall be the law of Ireland.

For the purposes of Clause 18 of the Standard Contractual Clauses (“Choice of forum and jurisdiction”), the parties agree that those shall be the courts of Ireland.

For the purposes of Clause 17 of the UK Addendum, the parties agree that the Approved Addendum (as defined in the UK Addendum) shall be populated by reference to this Data Policy and its Annexes and that any changes in formatting (including for the avoidance of doubt with respect to Part 1: Tables) shall not adversely affect the validity of the Order or the compliance with Applicable Data Protection Law of any international transfers of personal data made thereunder. The parties hereby acknowledge and agree that any such formatting changes do not reduce the standard of Appropriate Safeguards (as defined in the UK Addendum) provided.

For the purposes of Clause 19 of the UK Addendum, the parties agree that the Exporter shall be entitled to terminate the Addendum by providing written notice of the same to the Importer.

1.8. Security: You shall implement appropriate technical and organisational measures to protect the Platform Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Platform Personal Data (a “Security Incident”). Such measures shall include, as appropriate:

(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

1.9. Subcontracting: You shall not allow access to Platform Personal Data to any person outside the Organisation without our prior written consent and all restrictions must be adhered to (see Part 3).

1.10. Cooperation: In the event that either Party receives any correspondence, enquiry or complaint from a data subject, regulator or other third party (“Correspondence”) related to (a) the disclosure of the Platform Personal Data by Embedded to you for the Permitted Purpose; or (b) processing of the Platform Personal Data by the other Party, it shall promptly inform the other Party giving full details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Applicable Data Protection Law.

1.11. Security incidents: Upon becoming aware of a Security Incident, you shall inform us without undue delay. You shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep us informed of all developments in connection with the Security Incident. Each Party agrees to provide reasonable assistance to the other to facilitate the handling of any Security Incident in an expeditious and compliant manner.

1.12. Deletion of Platform Personal Data: Further to paragraph 11.3 of the Terms, upon termination or expiry of this Agreement, you shall destroy all Platform Personal Data (including all copies of the Platform Personal Data) in your possession or control. This requirement shall not apply to the extent that you are required by any EU (or any EU Member State) law or UK law to retain some or all of the Platform Personal Data, in which event you shall securely isolate and protect the Platform Personal Data from any further processing except to the extent required by such law.

1.13. Audit: Should we have reasonable cause, you shall permit us (or our appointed third party auditors) to audit your compliance with this Data Policy, and shall make available to us all information, systems and staff necessary for us (or our third party auditors) to conduct such audit.

2. Email Addresses from the Embedded Platform

We may provide business email addresses on the Embedded Platform so that you can directly approach the individuals to whom those business email addresses relate.

2.1. You are forbidden from using email addresses from the Embedded Platform to email more than 5 people in a single send (“Mailshots”). This is to ensure that any contact that you make is direct and deliberate, and you must ensure that this is the case. Further, if you have not received a response, you shall not contact an individual more than 4 times and you shall ensure that there is an interval of at least 4 days between one email to an individual and the next email to the same individual.
2.2. You must identify yourself in any email you send and include contact details, ideally a postal address, active email address, and a phone number.
2.3. You must include in each email a clear and simple way for anyone you email to opt out of your communications.
2.4. If someone objects to or opts out of your marketing, you must immediately add them to a ‘do not contact’ list and stop communications with them. You must screen all your marketing against this list to make sure you don’t contact anyone who has opted out.
2.5. You must ensure that you are fully compliant with any Applicable Data Protection Laws, including ‘the e-privacy Directive’ (and any and all applicable national data protection laws made under or pursuant to such Directive). It is your responsibility to keep up to date with any changes in the law, in particular following the introduction of the proposed new e-Privacy Regulation, which is due to replace European Directive 2002/58/EC.

3. Data Usage Rights

Users may use Embedded Data, including any Platform Personal Data, subject to the following restrictions:

(a) You must ensure that Platform Personal Data is only used and shared in a manner which is compliant with Applicable Data Protection Law;
(b) Only a User may access Embedded Data on the Embedded Platform and each User may only share or make available Embedded Data with other active Users on Your Subscription. These rights are subject to paragraph 9.7 of the Terms, so where any Subscribed Teams are identified in the Service Summary, Embedded Data may not be accessed, used, shared or made available by or with anyone outside of such Subscribed Teams.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

1. Name: Embedded IT Ltd
Address: 4500 Parkway, Solent Business Park, Whiteley, Fareham, PO15 7AZ
Official registration number: 09054394
Contact person’s name, position and contact details: Phil Clark, Managing Consultant, enquiries@embedded-it.co.uk
Activities relevant to the data transferred under these Clauses: Provision of Embedded Data via the Embedded Platform
Signature and date:

Role (controller/processor): Controller

Data importer(s):

2. Name: As set out in the Service Summary
Address: As set out in the Service Summary

Contact person’s name, position and contact details: As set out in the Service Summary
Activities relevant to the data transferred under these Clauses: Provision of Embedded Data via the Embedded Platform
Signature and date:

Role (controller/processor): Controller

B. DESCRIPTION OF DATA ACCESSED VIA THE EMBEDDED PLATFORM

Data subjects
The Platform Personal Data accessed concern the following categories of data subjects:

● Directors, shareholders and employees of companies on the platform included within the Embedded Platform.

Categories of data
The Platform Personal Data accessed concern the following categories of data:

● Details pertaining to businesses on the Embedded Platform, including but not limited to: names, business contact details (business email address, business telephone number), job title, details of shareholdings, and details of company directorships.

Sensitive data (if appropriate)
The Platform Personal Data accessed do not concern any categories of sensitive data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous basis.

Nature of the processing
Collection, recording, structuring, organisation, retrieval and access.

Purposes of the transfer(s)
Access is for the following purpose:

● To facilitate usage by the Organisation, as further described in this Data Policy.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
For the duration of this Order.

Recipients
Subject always to the provisions of this Order, the Platform Personal Data accessed may be disclosed only to the following recipients or categories of recipients:

Organisation: Users (as defined in the Order) duly authorised by the Organisation to have access to Embedded Data for the Permitted Purpose

Public bodies and law enforcement authorities: Duly authorized staff at public bodies and law enforcement authorities who make enquiries of the Organisation in accordance with applicable law.

C. COMPETENT SUPERVISORY AUTHORITY

As set out in Clause 13 of the Standard Contractual Clauses.

Data protection registration information of Embedded (where applicable)

● Information Commissioner Registration Number for Embedded IT Limited: ZA162859

Contact points for data protection enquiries

Phil Clark

Email: enquiries@embedded-it.co.uk

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

● Measures of pseudonymisation and encryption of personal data
● Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
● Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
● Measures for user identification and authorisation
● Measures for the protection of data during storage
● Measures for internal IT and IT security governance and management
● Measures for ensuring limited data retention
● Measures for ensuring accountability
● Measures for ensuring appropriate data security & protection training for relevant individuals