ATENTO Privacy Notice (July 22nd, 2020)
The primary and exclusive goal of Processing Personal Data is to allow Customers (either Buyers or Receivers) to benefit from the perks which are inherent to each Voucher.
ATENTO may reach out to “unknown” natural persons while conveying its services under a Marketing perspective, but where that is the case, ATENTO will gather the minimum amount of Personal Data that allows enticing contact with the Data Subject under Legitimate Interest that derives from the GDPR Article 14 ruling, without going against what is determined by applicable local Marketing Legislation.
A Customer is either a natural person (Data Subject) who purchases a Voucher (a Buyer) or one to whom a Voucher is offered as a gift (a Receiver).
Nevertheless, the Data Subject maintains full control over the Personal Data that pertains to him/ her as well as the Personal Data Processing Activities undertaken by ATENTO (as defined under the European General Data Protection Regulation [GDPR]).
II. Who is the Data Controller of your data?
III. What data do we process?
IV. For what purposes do we process your data?
V. What third parties can receive my data?
VI. International Data Transfers and Safeguards Employed
VIII. Rights of Data Subjects
Use of Information
ATENTO Processes Personal Data for the following purposes:
Respond to the Data Subject’s comments, questions, and requests, and provide needed Consulting/ Coaching towards its Customers (legal and operational);
ATENTO Processes Personal Data pertaining to those Data Subjects who have either freely submitted it, and therefore having become ATENTO Customers while on the role of Buyers, or those Data Subjects whose Personal Data has been shared with ATENTO by the Buyer and are the beneficiaries of the purchased Vouchers (Receivers).
As herein above mentioned, ATENTO may gather the minimum amount of Personal Data that allows it to entice contact with a Data Subject who may be a potential Buyer. In such case, ATENTO strictly observes the GDPR Article 14 ruling, making explicitly known to the Data Subject WHICH Personal Data it has gathered pertaining to him/ her and WHAT has been the source, plus the “purpose” and “scope” of its Personal Data Processing Activities (on-going and to be if the Data Subject becomes a Customer), all of this while fully observing the Principle of Data Minimization.
As defined under the GDPR Article 14, if either the Data Subject provides no feedback or he/she declines the approach/ contact, ATENTO shall erase the Personal Data that it has gathered no later than 1 month after the collection date.
To prevent further contact within the same scope, the “Data Subject’s” Name and e-mail address will be “blacklisted” (therefore maintained by ATENTO) on a dedicated repository that is accessible to relevant internal Departments only.
Personal Data pertaining to any one Prospect Customer that is identified as being under 16 years of age (therefore not bearing full legal capacity as an adult under the GDPR) will be automatically excluded from ATENTO repositories. This also covers the unlikely event of a Data Subject who is under 16 years of age but has been identified as an adult by error/ mistake/ his/ her own conduct. Such a scenario will render the services contract null and inherent Personal Data shall be immediately erased from ATENTO repositories.
Additionally, in the unlikely case of having a minor’s Personal Data under Processing, ATENTO will inform the appropriate Supervisory Authorities of the entire “incident”.
Personal Data pertaining to Receivers, having been shared by the Buyer is processed by ATENTO under the Lawful Basis of the existing services contract between ATENTO and the Buyer; nevertheless the Receiver (as well as the Buyer) may exercise their rights under the GDPR towards ATENTO at any point in time.
Some Merchants are solely owned businesses which makes the Corporate Data also Personal Data. Information and Data pertaining to Merchants who fall under this context is processed under the Lawful Basis of the Services Contract between both parties as well as inherent Legal Obligations under EU and Local applicable legislation.
Who is the Data Controller of your data?
Atento Technology Germany Gmbh
Rheinsberger Strasse 76/77
10115 Berlin, Germany
Mr. Rui Serrano
email – firstname.lastname@example.org
What data do we process?
ATENTO processes the following Categories of Personal data with regards to each potential Data Subject type:
Sensitive personal data.
ATENTO does not seek to gather any Sensitive Personal Data from any Data Subject, with the exception of what is required, and if it is required, under the applicable legislation.
Notwithstanding this fact, there is one open field (the message from the individual offering the voucher to the receiver of that same voucher) whose content is completely up to the decision of the Voucher Buyer.
For what purposes do we process your data?
Personal Data is exclusively processed by ATENTO under the scope of rendering its support services, which have been contracted by the Customer (the Data Subject to whom such Personal Data pertains) under the Lawful Basis of a Contract between both parties.
ATENTO does not perform any type of Automated Personal Data Processing activities or Decision Making, mainly (yet not exclusively) that may lead to “Profiling” activities, except keeping an inevitable log of performed purchases as well as received gifts.
Personal Data pertaining to a former Customer shall be erased from ATENTO repositories once all applicable legal timelines have expired; where those timelines are extended in time (meaning over 1 year after service termination), the Personal Data shall be securely segregated from live Data.
Where the Data Subject exercises his/ her Right to Erasure (as determined under the GDPR article 17, and unless ATENTO has a valid legal reason not to observe such right, in which case that shall be informed to the Data Subject), the Data shall be erased within the maximum period of 28 days.
The Principle of Data Minimization.
ATENTO takes every reasonable step to ensure that Personal Data under its direct Processing activities (as the Controller) is absolutely limited to the amount and type that is necessary to deliver its Services towards its Customers, as it has been agreed with those over the established Services Contract, and is not maintained over any redundant repositories nor for any longer than required under the scope of such agreed services (Service Lifecycle and Legal Requirements/ applicable time frames).
What third parties can receive my data?
Besides what has been hereinabove mentioned, meaning the Merchants, ATENTO does not share Personal Data pertaining to its Customers with any 3rd party entities.
International Data Transfers and Safeguards Employed
ATENTO may use some cloud-based tools and where data may need to be transferred or processed outside the EU/EEA, ATENTO will choose providers who process data on the basis of either or both
General Retention Criteria.
As herein above mentioned, ATENTO will maintain Personal Data pertaining to its Customers for the duration of the Services plus as per Legal requirements (e.g. invoices must be maintained by Law for 7 years after document date).
In case of a potential legal dispute or for the period allowed by local legislation (in the geography where the Customer is located) after the Services Contract has come to an end, ATENTO reserves itself the right under Legitimate Interest to maintain Personal Data that exclusively is relevant to allow legal defense; all other Personal Data shall be erased.
Storing of Personal Data
ATENTO is a Digital company, which means that the overwhelming amount of Data and information the company requires to operate is exclusively maintained under Digital format on IT Systems.
ATENTO stores all Personal Data over the following 3rd party SaaS tools:
ATENTO acts as the Controller and these “Partners” as “Processors” or “Joint-Controllers”, meaning they will not undergo any “Personal Data Processing Activities” towards information registered, submitted or conveyed by ATENTO unless under the scope of contracted services and that is agreed and documented under an existing “DPA” between the parties.
Rights of Data Subjects
Under the GDPR, the Data Subject has the following set of established rights:
Right of access. The right to obtain from the Controller confirmation as to whether his/ her personal data is being processed, and, where that is the case, access to such personal data as well as related information. ATENTO will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may exercise this right by reviewing information on ATENTO’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not ATENTO Customers.
Right to rectification. The right to obtain the rectification of inaccurate Personal Data pertaining to that Data Subject. Customers may directly amend existing information on ATENTO’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not ATENTO Customers.
Right to erasure. The right to have Personal Data pertaining to him/ her that is under Processing by ATENTO erased and therefore Processing stopped, unless a legal duty or a legitimate ground to retain certain data prevents ATENTO from observing such right, in which case the Data Subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
The right to restrict processing. Under relevant conditions set out by the law, the right to request and have in place processing restrictions (in scope and purpose) towards Personal Data that pertains to him/ her. When exercising this right, the Data Subject must be specific about which processing activities are being requested to be restricted and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
Right to data portability. The right to receive the Personal Data pertaining to that Data Subject, in a structured, commonly used and machine-readable format as well as the right to transmit such Personal Data to another controller without hindrance. ATENTO will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may directly amend existing information on ATENTO’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not ATENTO Customers.
Right to be informed about a Personal Data Breach. The Data Subject has the right (and it is the Controller’s obligation by law to ensure it) to be informed of any unauthorized disclosure or potential disclosure of his/ her Personal Data to unauthorized 3rd parties within 72 hours of its occurrence.
Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding ATENTO’s Processing activities over his/ her Personal Data towards any of the EU Member States data protection Supervisory Authorities. ATENTO is however also available to provide any clarification towards those Data Subjects who may feel that its Processing of the Personal Data that pertains to them has negatively impacted them or somehow breached their rights under GDPR and/ or the right to Privacy, having such Personal Data processed in a secure manner and Confidentiality assurance. Data Subjects may submit a complaint via the request process as per herein defined ahead.
Submitting a Data Subject Request/ Complaint.
Under the scope of Personal Data Protection, the Data Subjects may address ATENTO via:
The exercise of Data Subjects’ rights, as well as some other “interactions”, requires the univocal identification of the person submitting such request as being, in fact, the Data Subject to whom such Personal Data pertains, hence ATENTO may have to set in place a process or mechanism that allows it to document having undergone such assertive identification.
“Agreed Services” or “Services” means those Services being rendered by the Controller towards the Data Subject to which he/ she has agreed and/ or comprehending Processing legitimacy that derives from an existing and documented Lawful Base.
“Controller” means the “Party” which determines the “scope”, “purpose” and form of Personal Data Processing activities.
“Data Subject” means the identified or identifiable natural person to whom “Personal Data” relates. Both Parties understand that the “Data Subject” is the sole owner of “Personal Data” which pertains to him/ her.
“Data Subjects’ Rights” means the rights established towards the “Data Subjects” under “GDPR”.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the “Personal Data Treatment” and on the free movement of such data, while replacing the Directive 95/46/EC and having become enforceable on May 25th, 2018.
“IT Landscape” means the set of IT assets and services of and at the disposal of either the Data Subject, ATENTO or its Partners that enables their Personal Data Processing to occur, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.
“Lawful Basis” means the enlisted lawful grounds that a Controller has to entice Personal Data Processing activities under “GDPR”, namely (but not limited to) having documented: the Data Subject’s Explicit Consent towards those Personal Data Processing activities; the Controller’s Legitimate Interest in proceeding with those activities; accessory legal obligations that the Controller must observe and which entitle it to proceed with such activities within the limits of GDPR ruling and inherent obligations.
“Partner” means any 3rd party entity towards which the Controller may resort in order to ensure Personal Data Processing activities under an established Lawful Base (as defined under the “GDPR”) and within the scope of agreed Services with the Data Subject.
“Personal Data” means any data which by itself or when cross-referenced with other data enables one to univocally identify a specific natural person, the “Data Subject”.
“Personal Data Processing” means any operation or set of operations which is performed upon “Personal Data”, whether or not by automated means, such as: collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).
“Personal Data Breach” means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data”.
“Processor” means the entity which proceeds with authorized Personal Data Processing activities on behalf of the “Controller”.