Version 1.0 – 30 September 2019
“Envizage” is a trading name of Lifescale Limited, a private limited company incorporated in England and Wales with company number 07476290.
Envizage’s goal is to apply uniform, adequate and global data protection and privacy standards for the handling of user (User) personal information (User Information) throughout Envizage (Lifescale Limited). and Envizage affiliates, subsidiaries and joint ventures (collectively, “Envizage Entities”). For the purposes of these Corporate Rules, Envizage Entity means Envizage and any entity directly or indirectly controlled by Lifescale Limited, that processes User Information, where Control means the ownership of greater than fifty percent (50%) of the voting power to elect the directors of the company, or greater than fifty percent (50%) of the ownership interest in the company.
These Binding Corporate Rules (Corporate Rules) are corporate guidelines that apply to the processing of User Information by Envizage Entities.
User Information means information relating to an identifiable User. An identifiable User is an individual who can be identified, directly or indirectly, based upon the information collected about the individual in the context of an Envizage Entity providing a Service to them. The term Service applies to a website or other product offered by an Envizage Entity for use by a User. The term User applies to individuals that have utilized a Service provided by an Envizage Entity.
Envizage Entities do not knowingly process User Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or concerning health, sexual life or criminal records (Sensitive Information). To the extent Sensitive Information is manifestly made public by the User him/herself and provided to Envizage Entities, Envizage Entities do not process it for their own purposes.
With varying legal requirements throughout the world relating to data protection, Envizage’s Corporate Rules establishes a consistent set of requirements to help ensure the appropriate use of User Information. While the Corporate Rules create a baseline requirement for Envizage Entities to comply with, Envizage Entities will comply with applicable laws that may impose a stricter standard than those set forth in these Corporate Rules.
All Envizage Entities are obligated to comply with these Corporate Rules. Additionally, all employees of Envizage should follow these Corporate Rules, which form part of the Envizage Code of Business Conduct.
The Corporate Rules are global User Information processing guidelines for Envizage Entities. Collection and processing of User Information shall occur in accordance with the Service’s term and conditions, the law applicable to the User and the guidelines established by these Corporate Rules. Where applicable law is more protective than the guidelines set forth by the Corporate Rules, Envizage Entities will process User Information in accordance with the applicable law. If applicable law provides for a lower level of protection, the guidelines of the Corporate Rules shall apply. The Corporate Rules are binding obligations and failure to follow them may result in employee corrective action, including termination and other penalties as provided by law.
Where an Envizage Entity has reason to believe that applicable law may prevent compliance with the Corporate Rules resulting in a substantial effect on the protections provided by the Corporate Rules, the Envizage Entity will promptly inform the Envizage privacy team, which will, in turn, inform the relevant data protection authorities (except where prohibited by law enforcement or other government official).
Where there are multiple interpretations of the commitments, terms or definitions made in these Corporate Rules, Envizage Entities shall interpret the Corporate Rules in a way that is most consistent with the basic concepts of the principles of EU Directive 95/46/EC.
Processing means any operation or set of operations which is performed upon User Information, whether or not by automatic means such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking erasure or destruction.
Envizage Entities observe the following processing principles for User Information:
Where the processing involves automatic decision-making or processing which significantly affects the User (Automated Decisions), Envizage Entities shall provide suitable measures to safeguard the User’s legitimate interests, such as providing the User an opportunity to have a customer support representative review the decision manually and permit the User to provide their point of view.
Envizage Entities use physical, technical and organizational security controls commensurate with the amount and sensitivity of the User Information to prevent unauthorized access, use, loss, destruction and damage. Envizage Entities use encryption, firewalls, access controls, standards and other procedures to protect User Information from unauthorized access. Physical and logical access to electronic and hard copy files is further restricted based upon job responsibilities and business needs.
Envizage Entities conduct privacy and information security awareness training to emphasize and inform employees of the need to protect and secure User Information. Access to User Information shall determine the need for additional training relating to specific policies as well as these Corporate Rules. Employees are also required to review the Company Confidentiality Agreement and these Corporate Rules. Envizage Entities inform employees that failure to comply with these policies may result in disciplinary actions. A copy of these Corporate Rules and other relevant privacy and security related policies and procedures are available to employees at any time.
Users that do not wish to receive marketing communications from Envizage Entities should indicate their preference on their account profile page or by following the directions provided in an email or from a link on the advertisement.
Envizage Entities will strive to provide Users with the opportunity to review, access and rectify their own User Information using the appropriate online tool or self service process as is described on the Service’s website they visited. In all cases, Users have the right to submit a data subject access request to view User Information not accessible via the Service’s website. User should contact customer support via directions provided by the Service. Envizage Entities will comply with reasonable requests in a commercially reasonable period of time so long as it does not require a disproportionate effort to retrieve and where applicable law requires access. In these instances, Users may be required to provide proof of their identity and may be subject to a servicing fee as permitted by applicable law.
Users who object to the processing of their User Information may request to have their accounts closed by following the instructions provided via the Service’s website. Envizage Entities will remove or render anonymous a User’s information from a Service as soon as reasonably possible based upon account activity and in accordance with applicable law. In some instances, Envizage Entities may delay the closure of an account or retain User Information to conduct an investigation or where required by law. Envizage Entities may also retain User Information from closed accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce a Service’s terms and conditions, comply with legal requirements and take other actions otherwise permitted by applicable law.
According to applicable law, treaties or applicable international conventions, Envizage Entities may share User Information with law enforcement, regulatory authorities or other third parties when: required as a matter of law; it is necessary to protect Envizage’s rights; it is necessary to keep the Services free from abuse; or there is a legitimate purpose (e.g., to prevent imminent physical harm, financial loss or to report suspected illegal activity). Envizage Entities may disclose User Information to other third parties for the third party’s own purposes in accordance with the User’s instructions or with the unambiguous informed consent of the User (where permissible under applicable law).
Envizage Entities do not sell or rent User Information to third parties for their marketing purposes without the User’s prior consent. With the exception to those Users who have selected not to receive certain communications, Envizage Entities may use User Information to target communications to Users based on their interests according to applicable law.
If a User believes that his/her User Information has been processed in violation of the Corporate Rules, the User may report concerns to the customer support of the Data Controller (i.e., the Envizage Entity identified within the terms and conditions of the Services the User has requested) (Data Controller) via the Service’s website, email, or as otherwise indicated in the Service’s terms and conditions. Users can generally find answers to the most common privacy questions and concerns by typing the word “privacy” into the relevant Service’s help section, which will usually direct the User to a privacy specific page or policy. The “help” section of the relevant Service is the unique entry point for all Users’ queries relating to their privacy or the processing of their User Information and provides User’s the opportunity to contact customer support. Customer support shall investigate and attempt to resolve concerns raised by Users. Employees responsible for addressing privacy related concerns work closely with the Envizage privacy team and issue comments consistent with the policies, procedures and guidance issued by the Envizage privacy team. If a User believes their concern has not been addressed adequately, they can request their concern be escalated to the legal department or the Envizage privacy team. Escalation paths shall be determined based upon the nature and scope of the concern and shall be forwarded to the appropriate team without delays. A response to the complaint shall be provided to the User within a reasonable timeframe.
The Envizage privacy team is a corporate team within Lifescale Limited and is responsible for privacy matters for all Envizage Entities globally. The Envizage privacy team develops and coordinates implementation of its compliance strategy across Envizage Entities. The Envizage privacy team is led by the Global Privacy Leader (a senior position within Envizage) and interacts with other groups such as operations, information security, risk and internal audit to ensure consistent privacy communications and policies. Additionally, the Envizage privacy team has direct and indirect representatives throughout the Envizage Entities that help to ensure compliance with the Corporate Rules and applicable data protection laws.
Envizage Entities will comply with these Corporate Rules. The Corporate Rules are binding obligations and failure to follow them may result in employee corrective action, including termination and other penalties as provided by law.
Lifescale Limited, a private limited liability company incorporated in England and Wales, as advised by the Envizage privacy team, accepts responsibility for and agrees to oversee the Group’s adherence to the Corporate Rules and shall help ensure non-EU Envizage Entities take the necessary action to remedy the acts of noncompliance relating to these Corporate Rules.
If an EU User suspects a breach of the Corporate Rules based upon User Information transferred from the EU to an entity located outside of the EU, the User should report his/her concern to the Data Controller’s customer support via the Service’s website, email or as otherwise indicated in the Service’s terms and conditions. The Data Controller will investigate claims of noncompliance to determine if a violation of the Corporate Rules has occurred. If the violation is confirmed, the Data Controller and other concerned Envizage Entities shall work together to address and resolve the violation within a commercially reasonable time.
EU Users that suspect a breach of the Corporate Rules have the right to claim enforcement of the Corporate Rules or liability as third party beneficiaries for the following sections of the Corporate Rules: 3, 4, 5, 6, 7, 8, 9, 10, 11, and 14 and, where appropriate compensation from the exporting Data Controller in the EU or its EU Headquarters (as defined in the Service’s terms and conditions) before the relevant data protection authority or courts in accordance with the terms set up in the Corporate Rules and applicable law. While it is not required, an EU User should first report his/her concern directly to the Data Controller rather than the data protection authorities or the courts. This enables an efficient and prompt response from the Data Controller and minimizes possible delays from data protection authorities or court procedures. The exporting Data Controller and its EU headquarters shall not be liable if they reasonably demonstrate that the nonEU Entity has not violated the Corporate Rules or is not responsible for the act resulting in the damage claimed by the EU User.
The enforcement rights and mechanisms described above are in addition to other remedies or rights provided by Envizage or available under applicable law.
To help ensure compliance with the Corporate Rules, the Envizage privacy team reviews, on a regular basis, User Information processing activities and practices or recommends that Envizage’s internal audit team conduct a review of the identified activities and practices. The internal audit team acts as an independent and objective advisor to management and the Board of Directors, through the audit committee and communicates audit findings to the Board of Directors. The internal audit team and the Envizage privacy team shall, if necessary, require an action plan to ensure compliance with the Corporate Rules. To the extent that internal groups do not resolve matters adequately, Envizage may appoint independent external auditors for further resolution.
The Envizage privacy team shall review and address matters relating to non-compliance with the Corporate Rules identified in the course of a review or upon notice by an Envizage Entity, User, employee or other individual. Audit findings are available to relevant data protection authorities upon request. Envizage will redact portions of the audit to ensure confidentiality of proprietary or otherwise company confidential information. Further, Envizage will only provide audit findings relating to privacy.
Envizage reserves the right to modify the Corporate Rules as necessary, for example, to comply with changes in laws, regulations, Envizage Entities’ practices, procedures and organizational structure or requirements imposed by data protection authorities. The Envizage privacy team must approve all changes to the Corporate Rules and shall track all modifications to the Corporate Rules as well as any change in the Envizage Entities bound by the Corporate Rules. Envizage shall report to the relevant data protection authorities changes to the Corporate Rules where approval is required or at least on an annual basis.
Changes to the Corporate Rules shall be applicable to all existing entities bound by the Corporate Rules on the effective date of implementation. Newly formed or acquired entities shall be bound by the Corporate Rules or guarantee an adequate level of protection prior to processing User Information.
Envizage Entities will provide notice of material changes to Users in accordance with their Service preferences and/or shall post the revised Corporate Rules on select external websites accessible by Users. Revisions to the Corporate Rules are effective within a reasonable period after Envizage notifies the User and/or posts the revised Corporate Rules.
Envizage Entities will respond diligently and appropriately to requests from data protection authorities about the Corporate Rules and their compliance with privacy laws and regulations. If an employee receives such a request from a data protection authority, he or she should immediately inform a member of the Envizage privacy team or legal department so that the relevant Envizage Entity can provide the data protection authorities with names and contact details of relevant contact persons within Envizage who will reply to the data protection authority.
With regard to transfers of User Information between Envizage Entities, the importing and exporting entities will cooperate with inquiries and accept audits from the data protection authority responsible for the entity exporting the data, and respect decisions, consistent with applicable law and due process rights.