User Corporate Rules

Version 1.0 – 30 September 2019

 

Envizage” is a trading name of Lifescale Limited, a private limited company incorporated in England and Wales with company number 07476290.

These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

1. Objective

Envizage’s goal is to apply uniform, adequate and global data protection and privacy standards for the handling of user (User) personal information (User Information) throughout Envizage (Lifescale Limited). and Envizage affiliates, subsidiaries and joint ventures (collectively, “Envizage Entities”). For the purposes of these Corporate Rules, Envizage Entity means Envizage and any entity directly or indirectly controlled by Lifescale Limited, that processes User Information, where Control means the ownership of greater than fifty percent (50%) of the voting power to elect the directors of the company, or greater than fifty percent (50%) of the ownership interest in the company.

2. Scope

These Binding Corporate Rules (Corporate Rules) are corporate guidelines that apply to the processing of User Information by Envizage Entities.

User Information means information relating to an identifiable User. An identifiable User is an individual who can be identified, directly or indirectly, based upon the information collected about the individual in the context of an Envizage Entity providing a Service to them. The term Service applies to a website or other product offered by an Envizage Entity for use by a User. The term User applies to individuals that have utilized a Service provided by an Envizage Entity.

Envizage Entities do not knowingly process User Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or concerning health, sexual life or criminal records (Sensitive Information). To the extent Sensitive Information is manifestly made public by the User him/herself and provided to Envizage Entities, Envizage Entities do not process it for their own purposes.

3. Application of Laws

With varying legal requirements throughout the world relating to data protection, Envizage’s Corporate Rules establishes a consistent set of requirements to help ensure the appropriate use of User Information. While the Corporate Rules create a baseline requirement for Envizage Entities to comply with, Envizage Entities will comply with applicable laws that may impose a stricter standard than those set forth in these Corporate Rules.

All Envizage Entities are obligated to comply with these Corporate Rules. Additionally, all employees of Envizage should follow these Corporate Rules, which form part of the Envizage Code of Business Conduct.

The Corporate Rules are global User Information processing guidelines for Envizage Entities. Collection and processing of User Information shall occur in accordance with the Service’s term and conditions, the law applicable to the User and the guidelines established by these Corporate Rules. Where applicable law is more protective than the guidelines set forth by the Corporate Rules, Envizage Entities will process User Information in accordance with the applicable law. If applicable law provides for a lower level of protection, the guidelines of the Corporate Rules shall apply. The Corporate Rules are binding obligations and failure to follow them may result in employee corrective action, including termination and other penalties as provided by law.

Where an Envizage Entity has reason to believe that applicable law may prevent compliance with the Corporate Rules resulting in a substantial effect on the protections provided by the Corporate Rules, the Envizage Entity will promptly inform the Envizage privacy team, which will, in turn, inform the relevant data protection authorities (except where prohibited by law enforcement or other government official).

Where there are multiple interpretations of the commitments, terms or definitions made in these Corporate Rules, Envizage Entities shall interpret the Corporate Rules in a way that is most consistent with the basic concepts of the principles of EU Directive 95/46/EC.

4. Principles for Processing Personal Information

Processing means any operation or set of operations which is performed upon User Information, whether or not by automatic means such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking erasure or destruction.

Envizage Entities observe the following processing principles for User Information:

  • process User Information fairly and lawfully;
  • provide notice to Users about the processing of their personal information and their rights;
  • collect User Information for specified, legitimate purposes and not process further in ways incompatible with those purposes;
  • maintain User Information in adequate and relevant ways, in relation to the purposes for which they are collected;
  • keep User Information accurate and up-to-date as reasonably possible;
  • process User Information in a way that is relevant and not excessive for the purposes which they are collected and used;
  • store User Information for as long as necessary for the Services; and
  • protect User Information with appropriate physical, technical and organizational security measures to prevent unauthorized access, unlawful processing and unauthorized or accidental loss, destruction and damage.

Where the processing involves automatic decision-making or processing which significantly affects the User (Automated Decisions), Envizage Entities shall provide suitable measures to safeguard the User’s legitimate interests, such as providing the User an opportunity to have a customer support representative review the decision manually and permit the User to provide their point of view.

5. Purposes for Processing User Information

Envizage Data Controllers must provide a privacy policy and disclose the nature and type of User Information processed and transferred. Generally, Envizage Data Controllers process User Information to facilitate the Services Users request, resolve disputes, troubleshoot problems, process transactions, collect fees owed, measure consumer interest in Envizage’s Services, inform Users about online and offline offers, products, Services, and updates, customize Users’ experiences, detect and protect Envizage against error, fraud and other criminal activity, enforce the Service’s terms and conditions and as otherwise described to Users at the time of collection.

Where the Data Controller transfers User Information to a Data Processor, the Service’s privacy policy must describe the processing performed by the Data Processor and the nature and type of Data Processors. Processing of User Information is limited to the purposes and conditions described above, the disclosures made in the Service’s privacy policy and the directions of the Data Controller. Further processing in a way incompatible with those purposes will not take place unless a User is notified and consent is received according to applicable law.

The Services’ privacy policy shall be accessible via a link in a prominent location of each Service and/or displayed during registration provides additional details according to applicable law regarding the collection, processing, protection and transfer of User Information.

6. Security, Confidentiality, and Privacy Awareness Training

Envizage Entities use physical, technical and organizational security controls commensurate with the amount and sensitivity of the User Information to prevent unauthorized access, use, loss, destruction and damage. Envizage Entities use encryption, firewalls, access controls, standards and other procedures to protect User Information from unauthorized access. Physical and logical access to electronic and hard copy files is further restricted based upon job responsibilities and business needs.

Envizage Entities conduct privacy and information security awareness training to emphasize and inform employees of the need to protect and secure User Information. Access to User Information shall determine the need for additional training relating to specific policies as well as these Corporate Rules. Employees are also required to review the Company Confidentiality Agreement and these Corporate Rules. Envizage Entities inform employees that failure to comply with these policies may result in disciplinary actions. A copy of these Corporate Rules and other relevant privacy and security related policies and procedures are available to employees at any time.

7. User Choices

Users that do not wish to receive marketing communications from Envizage Entities should indicate their preference on their account profile page or by following the directions provided in an email or from a link on the advertisement.

Envizage Entities will strive to provide Users with the opportunity to review, access and rectify their own User Information using the appropriate online tool or self service process as is described on the Service’s website they visited. In all cases, Users have the right to submit a data subject access request to view User Information not accessible via the Service’s website. User should contact customer support via directions provided by the Service. Envizage Entities will comply with reasonable requests in a commercially reasonable period of time so long as it does not require a disproportionate effort to retrieve and where applicable law requires access. In these instances, Users may be required to provide proof of their identity and may be subject to a servicing fee as permitted by applicable law.

Users who object to the processing of their User Information may request to have their accounts closed by following the instructions provided via the Service’s website. Envizage Entities will remove or render anonymous a User’s information from a Service as soon as reasonably possible based upon account activity and in accordance with applicable law. In some instances, Envizage Entities may delay the closure of an account or retain User Information to conduct an investigation or where required by law. Envizage Entities may also retain User Information from closed accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce a Service’s terms and conditions, comply with legal requirements and take other actions otherwise permitted by applicable law.

8. Transferring and Sharing User Information

Envizage Entities share User Information in the normal course and scope of business with other Envizage Entities worldwide to facilitate the Services Users request, prevent fraud, provide joint content and Services and as described in the Services Privacy Policy or at the time of collection. Envizage Entities may transfer User Information to other Envizage Entities worldwide under the authority and only on the instructions of the Data Controller (except where required by the relevant Envizage Entities’ local law or local competent authorities) when there is a legitimate business need, sufficient technical and organizational security measures exist and the recipient has complied with the Corporate Rules or provides an adequate level of protection when processing User Information (for instance by entering into contracts based on the model clauses for the transfer of EU User Information to processors or controllers established in third countries published by the European Commission).

Envizage Entities may share User Information with third party processors (such as service providers or vendors) worldwide who help with their business operations. The Service’s Privacy Policy further describes the types of third parties Envizage Entities may share User Information with and under what circumstances. Contracts with third party processors require sufficient technical and organizational security measures, limit the use of User Information to purposes defined by the Data Controller and retain control of User Information where applicable. Additionally, Envizage Entities will only transfer User Information of Users located in the EU to third party processors that provide an adequate level of protection when processing User Information (for instance by entering into contracts based on the model clauses for the transfer of EU User Information to processors established in third countries published by the European Commission). Agreements with third party processors provide for legal remedies in the event of a breach of the agreement.

According to applicable law, treaties or applicable international conventions, Envizage Entities may share User Information with law enforcement, regulatory authorities or other third parties when: required as a matter of law; it is necessary to protect Envizage’s rights; it is necessary to keep the Services free from abuse; or there is a legitimate purpose (e.g., to prevent imminent physical harm, financial loss or to report suspected illegal activity). Envizage Entities may disclose User Information to other third parties for the third party’s own purposes in accordance with the User’s instructions or with the unambiguous informed consent of the User (where permissible under applicable law).

9. Direct Marketing

Envizage Entities do not sell or rent User Information to third parties for their marketing purposes without the User’s prior consent. With the exception to those Users who have selected not to receive certain communications, Envizage Entities may use User Information to target communications to Users based on their interests according to applicable law.

10. Complaint Handling Process

If a User believes that his/her User Information has been processed in violation of the Corporate Rules, the User may report concerns to the customer support of the Data Controller (i.e., the Envizage Entity identified within the terms and conditions of the Services the User has requested) (Data Controller) via the Service’s website, email, or as otherwise indicated in the Service’s terms and conditions. Users can generally find answers to the most common privacy questions and concerns by typing the word “privacy” into the relevant Service’s help section, which will usually direct the User to a privacy specific page or policy. The “help” section of the relevant Service is the unique entry point for all Users’ queries relating to their privacy or the processing of their User Information and provides User’s the opportunity to contact customer support. Customer support shall investigate and attempt to resolve concerns raised by Users. Employees responsible for addressing privacy related concerns work closely with the Envizage privacy team and issue comments consistent with the policies, procedures and guidance issued by the Envizage privacy team. If a User believes their concern has not been addressed adequately, they can request their concern be escalated to the legal department or the Envizage privacy team. Escalation paths shall be determined based upon the nature and scope of the concern and shall be forwarded to the appropriate team without delays. A response to the complaint shall be provided to the User within a reasonable timeframe.

The Envizage privacy team is a corporate team within Lifescale Limited and is responsible for privacy matters for all Envizage Entities globally. The Envizage privacy team develops and coordinates implementation of its compliance strategy across Envizage Entities. The Envizage privacy team is led by the Global Privacy Leader (a senior position within Envizage) and interacts with other groups such as operations, information security, risk and internal audit to ensure consistent privacy communications and policies. Additionally, the Envizage privacy team has direct and indirect representatives throughout the Envizage Entities that help to ensure compliance with the Corporate Rules and applicable data protection laws.

11. Liability and Third Party Beneficiary Rights

Envizage Entities will comply with these Corporate Rules. The Corporate Rules are binding obligations and failure to follow them may result in employee corrective action, including termination and other penalties as provided by law.

Lifescale Limited, a private limited liability company incorporated in England and Wales, as advised by the Envizage privacy team, accepts responsibility for and agrees to oversee the Group’s adherence to the Corporate Rules and shall help ensure non-EU Envizage Entities take the necessary action to remedy the acts of noncompliance relating to these Corporate Rules.

If an EU User suspects a breach of the Corporate Rules based upon User Information transferred from the EU to an entity located outside of the EU, the User should report his/her concern to the Data Controller’s customer support via the Service’s website, email or as otherwise indicated in the Service’s terms and conditions. The Data Controller will investigate claims of noncompliance to determine if a violation of the Corporate Rules has occurred. If the violation is confirmed, the Data Controller and other concerned Envizage Entities shall work together to address and resolve the violation within a commercially reasonable time.

EU Users that suspect a breach of the Corporate Rules have the right to claim enforcement of the Corporate Rules or liability as third party beneficiaries for the following sections of the Corporate Rules: 3, 4, 5, 6, 7, 8, 9, 10, 11, and 14 and, where appropriate compensation from the exporting Data Controller in the EU or its EU Headquarters (as defined in the Service’s terms and conditions) before the relevant data protection authority or courts in accordance with the terms set up in the Corporate Rules and applicable law. While it is not required, an EU User should first report his/her concern directly to the Data Controller rather than the data protection authorities or the courts. This enables an efficient and prompt response from the Data Controller and minimizes possible delays from data protection authorities or court procedures. The exporting Data Controller and its EU headquarters shall not be liable if they reasonably demonstrate that the nonEU Entity has not violated the Corporate Rules or is not responsible for the act resulting in the damage claimed by the EU User.

The enforcement rights and mechanisms described above are in addition to other remedies or rights provided by Envizage or available under applicable law.

12. Audit Procedures

To help ensure compliance with the Corporate Rules, the Envizage privacy team reviews, on a regular basis, User Information processing activities and practices or recommends that Envizage’s internal audit team conduct a review of the identified activities and practices. The internal audit team acts as an independent and objective advisor to management and the Board of Directors, through the audit committee and communicates audit findings to the Board of Directors. The internal audit team and the Envizage privacy team shall, if necessary, require an action plan to ensure compliance with the Corporate Rules. To the extent that internal groups do not resolve matters adequately, Envizage may appoint independent external auditors for further resolution.

The Envizage privacy team shall review and address matters relating to non-compliance with the Corporate Rules identified in the course of a review or upon notice by an Envizage Entity, User, employee or other individual. Audit findings are available to relevant data protection authorities upon request. Envizage will redact portions of the audit to ensure confidentiality of proprietary or otherwise company confidential information. Further, Envizage will only provide audit findings relating to privacy.

13. Modifications to the Corporate Rules

Envizage reserves the right to modify the Corporate Rules as necessary, for example, to comply with changes in laws, regulations, Envizage Entities’ practices, procedures and organizational structure or requirements imposed by data protection authorities. The Envizage privacy team must approve all changes to the Corporate Rules and shall track all modifications to the Corporate Rules as well as any change in the Envizage Entities bound by the Corporate Rules. Envizage shall report to the relevant data protection authorities changes to the Corporate Rules where approval is required or at least on an annual basis.

Changes to the Corporate Rules shall be applicable to all existing entities bound by the Corporate Rules on the effective date of implementation. Newly formed or acquired entities shall be bound by the Corporate Rules or guarantee an adequate level of protection prior to processing User Information.

Envizage Entities will provide notice of material changes to Users in accordance with their Service preferences and/or shall post the revised Corporate Rules on select external websites accessible by Users. Revisions to the Corporate Rules are effective within a reasonable period after Envizage notifies the User and/or posts the revised Corporate Rules.

14. Obligations Toward Data Protection Authorities

Envizage Entities will respond diligently and appropriately to requests from data protection authorities about the Corporate Rules and their compliance with privacy laws and regulations. If an employee receives such a request from a data protection authority, he or she should immediately inform a member of the Envizage privacy team or legal department so that the relevant Envizage Entity can provide the data protection authorities with names and contact details of relevant contact persons within Envizage who will reply to the data protection authority.

With regard to transfers of User Information between Envizage Entities, the importing and exporting entities will cooperate with inquiries and accept audits from the data protection authority responsible for the entity exporting the data, and respect decisions, consistent with applicable law and due process rights.