Introduction and Scope
For more details on our overall data protection efforts, including compliance with the European Union’s General Data Protection Regulation (the “GDPR”), see the section below titled “BGI’s GDPR Compliance Efforts and You”.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
With respect to personal data processed within the scope of this Policy, BGI complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (the “Privacy Shield”) as adopted and set forth by the U.S. Department of Commerce regarding the processing of personal data transferred from the European Union, the European Economic Area, the United Kingdom, and Switzerland to the United States or otherwise received in reliance on the Privacy Shield. BGI commits to adhere to and has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
BGI is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
VeraSafe Privacy Program
BGI is a member of the VeraSafe Privacy Program, meaning that with respect to personal data processed within the scope of this Policy, VeraSafe has assessed BGI’s data governance and data security for compliance with the VeraSafe Privacy Program Certification Criteria. The certification criteria require that participants maintain a high standard for data privacy and implement specific best practices pertaining to notice, onward transfer, choice, access, data security, data quality, recourse, and enforcement.
Where a privacy complaint or dispute cannot be resolved through BGI’s internal processes, BGI has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
If your dispute or complaint can’t be resolved by us or through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield.
Categories of Personal Data
We may process the following types of personal data:
Collection or Storage of Other Data
We may collect information about your computer hardware and software such as your browser type, domain names, use and access times, and referring website addresses, if applicable, for purposes of operating and maintaining the quality of our service.
Data Subject Rights
BGI acknowledges the right of EU and Swiss individuals to access their personal data pursuant to the Privacy Shield and will grant individuals reasonable access to personal information it received pursuant to these Principles. In addition, BGI will take reasonable steps to permit individuals to correct, amend, or delete such information that is demonstrated to be inaccurate or incomplete. An individual may request to access his or her information, or otherwise correct, amend, or delete his or her information pursuant to the EU-U.S. and Swiss-U.S. Privacy Shield Principles by contacting us using the information listed in the “Contact Us” section of this Policy.
You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our services do not have the capability to respond to “Do Not Track” signals received from web browsers.
Within the scope of this Policy, BGI acts as an agent, also known as a data processor, for the personal data we process. This means that our clients determine the types of personal data they provide for us to process on their behalf. We typically have no direct relationship with the individuals whose personal data we receive from our customers.
Basis of Processing
Within the scope of this Policy, we process your personal data based on the documented instructions of our clients, acting as data controllers.
Purposes of Processing
We may process your personal data for the purposes of:
In order to utilize our software and enable its use, we need to collect and store personal data in order to record time and expenses for our clients.
How Long Does BGI Retain Personal Data?
We retain personal data for as long as instructed by the applicable client. We delete the personal data submitted to us within six months of the end of our service agreement with the client, unless applicable laws require otherwise.
How Does BGI Receive Personal Data?
We may receive your personal data when you provide it directly to us when using our systems or when our clients provide it to us.
Sharing Personal Data with Third Parties
We share personal data with our service provider, Amazon Web Services (“AWS”), which provides cloud hosting services. We require that AWS maintains at least the same level of confidentiality that we maintain for personal data.
BGI remains liable for the protection of your personal data that we transfer to AWS, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.
Other Disclosure of Your Personal Data
We may disclose your personal data (i) to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders, or (ii) if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change, or (iii) to our subsidiaries or affiliates only if necessary for business and operational purposes as described in the section above.
If we must disclose your personal data in order to comply with official investigations or legal proceedings initiated by governmental agencies or law enforcement officials, we may not be able to ensure that such recipients of your personal data will maintain the privacy or security of your personal data.
We use and may transfer, sell, and share aggregated, anonymous data for any legal business purpose, such as analyzing usage trends and seeking compatible business opportunities. Such data does not include any personal data.
Data Integrity and Security
BGI has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect personal data against loss or theft as well as unauthorized access, disclosure, copying, use or modification.
Access and Review
If we have received your personal data in reliance on the Privacy Shield, you may also have the right to request access to your personal data, opt out of having your personal data shared with third parties and to revoke your consent to our sharing your personal data with third parties. You may also have the right to opt out if your personal data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized.
Requests should be sent directly to the client that provided your personal data to us. BGI has limited rights to access personal data our clients submit to us. Therefore, if you contact us with such a request, please provide the name of our client that submitted your personal data to us (generally, the client for which you are a contractor). We will forward your request to that client and will provide any needed assistance as they respond to your request.
If we make any material change to this Policy, we will post the revised Policy to this webpage and update the “Effective” date above to reflect the date on which the new Policy became effective.
If you have any questions about this Policy or our processing of your personal data, please write to our data protection officer by email or by postal mail as follows. Please allow up to four weeks for us to reply.
Bitta Group Incorporated
Attention: Data Protection Officer
7251 Crest Lane
Indianapolis, IN 46256, USA
+1 317 455 5244
In addition to us, you may also contact VeraSafe, our outside data privacy consultant that serves as our EU Representative on data protection matters pursuant to Article 27 of the GDPR. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/
Alternatively, VeraSafe can be contacted at:
VeraSafe Czech Republic s.r.o
Prague 1, 11002
BGI’s GDPR Compliance Efforts and You
At BGI, we are well aware of the new data protection requirements brought about by the GDPR, which took effect on May 25, 2018. We’re proud to announce that BGI’s services are fully compatible with its GDPR obligations.
Let’s talk a little bit about the GDPR and what to expect from us.
What Is the GDPR?
The GDPR is a European Union (“EU”) regulation intended to harmonize, update, and strengthen data protection laws in the EU. It’s a comprehensive privacy law that aims to protect the personal data—and rights related to that data—of persons residing within the EU and the European Economic Area. The GDPR defines personal data as “any information relating to an identified or identifiable natural person.” What constitutes personal data is interpreted broadly by regulators. Name, home address, email address, and identification card number are obvious examples of personal data, but the term can also include geolocation data, IP address, cookie ID and device identifiers, among many other types of data.
Although promulgated by the EU, the GDPR has global impact. Practically speaking, nearly every organization that collects or processes the personal data of EU residents or monitors their behavioral activity online is now required to comply with the GDPR, whether or not such companies have any physical or legal presence in the EU.
How Is BGI Complying with the GDPR?
As the initial step in our GDPR compliance initiative, we mapped our information systems to create a dashboard view of our IT systems, our data, and our data flows, with an emphasis on privacy impacts. We’re taking steps to ensure that our information systems and processes allow us to adequately and efficiently respond to individuals exercising their data privacy rights, and that these systems and processes allow us to demonstrate compliance with the new regulation. We’ve also implemented technical and organizational security measures to protect personal data that we process.
We have finalized a data processing addendum (“DPA”) for our clients in order to meet the data processing and transfer requirements of the GDPR. The DPA adds GDPR-related privacy and security provisions into our service contract with our clients and helps ensure that personal data is processed in BGI’s systems in a way that fully respects the requirements of the GDPR.
Furthermore, as mentioned above under the heading “Contact Us”, we have appointed an outside data privacy consultant, VeraSafe, to act as our EU Representative on data protection matters pursuant to Article 27 of the GDPR and appointed an internal data protection officer pursuant to Article 37 of the GDPR.
As discussed above under the heading “VeraSafe Privacy Program”, we have joined VeraSafe’s Privacy Program. VeraSafe has assessed BGI’s data governance and data security for compliance under its Certification Criteria, which require that participants maintain a high standard for data privacy and implement specific best practices pertaining to notice, onward transfer, choice, access, data security, data quality, recourse, and enforcement.
Finally, as discussed above under the heading “EU-U.S. and Swiss-U.S. Privacy Shield Frameworks”, BGI has become Privacy Shield certified, having certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles, thereby allowing BGI to receive GDPR-regulated personal data in compliance with the GDPR.