When we refer to “Ethical” or use the word “we”, “our” or “us”, we mean the Ethical that acts as the ‘controller’ of the information we hold about you or the ‘processor’ of the information that a customer has entrusted to us, as explained in more detail under the “identifying the data controller” part of this Policy.
By “you” we mean the individual reading this text, i.e., you as a natural person (and not any company or other organization that you may be associated with).
Some words and phrases in this Policy are in single quotation marks (e.g., ‘controller’, ‘processor’ and ‘data subject’). These are legal terms, having the same meanings as given to them in the EU General Data Protection Regulation, i.e., Regulation (EU) 2016/679 (“GDPR”).
The Policy does not apply in relation to other parties’ products, services, websites, resources or activities.
When we speak of “Personal Data”, we mean any information about a living individual from which that person can be identified (the proper legal definition of ‘personal data’ is “any information relating to an identified or identifiable natural person”, with the person to whom the information relates being referred to as the ‘data subject’). Personal Data do not include information from which no individual can reasonably be identified, that is to say, anonymous information or personal data rendered anonymous in such a manner that the individual is not, or no longer is, identifiable (de-identified or anonymized information). The Policy does not apply to such information.
The Policy supplements our other terms and policies and is not intended to override them.
Identifying the data controller
A lot of what we do involves data processing in one way or another. Various data need to be processed in a number of ways in order for us to carry on our business, including to provide, maintain and develop the Service and Websites, and to communicate with you. Information is processed both for us and for our customers, and customers themselves process information through the Service. Not all of this information constitutes Personal Data and much of the processing is controlled by parties other than Ethical.
Ethical is the ‘controller’ of the Personal Data that are collected by us or on our behalf through the activities listed in this Policy, or which are otherwise processed for the purposes of our business. Specifically, it is Ethical that acts as the ‘controller’ of the said Personal Data. The following sections explain the collection and subsequent processing of these data in more detail.
The information we collect and receive
Ethical collects, generates and receives information in a variety of ways. Some of this information constitutes Personal Data and the rest does not. We shall use the word “Information” to designate any and all of the data that are collected, generated or otherwise processed by us or on our behalf. This part of the Policy describes which Information is collected or generated through the activities listed previously, and how.
We collect Information about you in the course of negotiating, preparing, concluding and amending agreements between you and Ethical. The Information collected may include the data provided in such agreements and any data that you furnish for the purposes of negotiating, concluding or amending those agreements.
As with most websites, certain data are automatically collected when you visit a Website and this Information is recorded in log files.
It may also include the name of your device and information as to your web browser type and version.
On a more general level, we collect (or have third parties collect for us) anonymous Information about the use of our site.
When you use our Website or retrieve resources (e.g., files or other information) that form part of a Website, certain pieces of data known as cookies are sent to the device you are using and will be stored there. Your web browser stores them either at our request or the request of a third party whose services we use. Each cookie, in one way or another, distinguishes you from other Users and Website visitors. There are also other techniques, such as using web beacons or pixels, whose purpose can be similar to that of some cookies. In this Policy, the word “cookie” designates the objects delivered by those techniques as well.
Cookies vary by nature and purpose. For instance, a “session cookie” only exists in the temporary memory of your device and is usually deleted when your web browser is closed. A “persistent cookie”, on the other hand, has a longer lifespan: it remains on your device until you delete it (i.e., instruct your browser to do so) or until it expires. A “secure cookie” can only be sent over a “secure” (encrypted) connection, making it harder for others to intercept information. A “first-party cookie” belongs to us and a “third-party cookie” belongs to someone other than Ethical, e.g., a company providing us with Service or Website analysis services or delivering our messages (such as advertisements) across the internet. Some of the above cookies are associated with your User Account and certain of your Profile Information, allowing you to log in to the Service and remembering that you are logged in (which makes it possible for you to use the Website, enhances security and helps us to show you the right content). Other cookies allow us (or third parties we have engaged) to recognize and count the number of visitors to a Website, see how they move around the site when using it, which links they follow and who reads what (only specific pieces of information are collected, and without identifying the Users). Certain cookies are used to recognize you when you return to a Website, enabling us to personalize our content for you and remember your preferences, e.g., your choice of language. And, quite importantly from the privacy aspect, there are some third-party cookies that gather information about your browsing activities over time and across different websites following your use of ours (in other words, track your online behavior), which may result in advertisements or other messages being displayed to you based on your browsing history.
You will encounter all of these cookies when interacting with our Websites or web resources. Cookies are vital to the Websites. You can, however, remove them (individually, in selections or all in one sweep) and it is possible to disallow their use altogether or refuse certain types of them (your browser tools or support pages will tell you how to do that). But, if you disallow first-party cookies, your copy or instance of the Service will not operate properly or may not operate at all and your experience at Websites will be notably poorer or at least not as we intended.
Third-party cookies can usually be managed by the tools provided by those parties. Some of such tools are available here:
https://adssettings.google.com (Google advertising settings);
https://tools.google.com/dlpage/gaoptout (Google Analytics opt-out);
http://optout.networkadvertising.org (Network Advertising Initiative opt-out page);
http://optout.aboutads.info (Digital Advertising Alliance opt-out page).
We cannot give you an exhaustive list of the means for opting out of third-party cookies as the service providers who may set such cookies in connection with the Service and Websites change from time to time. Contact us, using the details at the end of this Policy, to learn which third-party cookies may currently be in use on a particular Website.
The Websites do not respond to web browsers’ “do not track” signals and our data processing practices are not altered upon our receipt of such a signal.
We receive from you such Information as you provide us when you fill in forms on a Website, sign up to receive notifications, newsletters or other communications from us, interact with our social media accounts or correspond or otherwise communicate with Ethical. If you email us or send us a letter or a message, we may retain a record of such communication, including your name and address, email address or telephone number (as applicable), the content of your communication and our response. We may complement these data with other Information.
Purposes and grounds for Information processing
The purposes for which Information is processed and the legal grounds for such processing are varied and depend on the nature of the Information. If Information is anonymous or de-identified, we may collect, use, disclose and otherwise process it for any purpose. Our processing of Personal Data, however, is limited to the purposes set out in this Policy.
Most commonly, we will process your Personal Data in the following circumstances: if we need to perform an agreement you have with us or it is necessary to take pre-contractual steps at your request before entering into such an agreement (we shall refer to these grounds as “Contractual”); where we need to comply with a legal obligation, e.g., one arising from a law or regulation concerning taxation, accounting, financial reporting, prevention of terrorism or money laundering, or judicial or administrative process (this would be a “Legal” ground); if it is warranted by our legitimate interests or those of a third party and such interests are not overridden by yours or your fundamental rights and freedoms (here, the processing would be based on “Interest”); where we have your unambiguous consent before processing your Personal Data in that specific situation (thus allowing us to process these data on the grounds of “Consent”).
Each of the categories of Information described may include your Personal Data but not all those categories may apply to you.
You can unsubscribe from certain messages by adjusting your User Account settings and from others by following the instructions provided in the message. If you have a User Account, try adjusting your User Account settings; whether you have an account or not, there should always be opt-out instructions in the message itself. If you have trouble unsubscribing, contact us and we shall opt you out. Our details, as noted, are at the end of this Policy.
Failure to provide Information
Generally, no one is obliged to give us her Personal Data but failure to do so may, or, depending on the circumstances, will or is likely to, result in our not being able to achieve the data processing purpose(s) specified for the occasion in question and the particular ‘data subject’ may, or, respectively, will or is likely to, miss the benefits corresponding to that purpose (or those purposes).
Where we need to collect your Personal Data by law or under the terms of a contract we have with you, or in order to enter into such a contract, and you fail to provide those data when requested, we may not be able to perform or enter into the relevant contract. Should that be the case, we may have to cancel a product or service you have with us, but we shall let you know at the time if that applies.
If you limit the ability of a Website to set cookies, you may, and in some cases most definitely will, prevent yourself from using that site or certain of its features, or may worsen your user experience as the item in question will not be personalized to you. It may also stop you from saving customized settings and you may need to validate your access to the Website more frequently during your browsing session.
Duration of Personal Data storage
We only store your Personal Data for as long as necessary in the light of, or compatible with, the purposes for which the data were collected (e.g., enjoying our rights and performing our obligations under the contract you have with us, if that was the sole purpose) and such additional period as may be required by law.
Legal retention periods vary depending on the type of Information concerned, and they can be quite long.
Disclosure of Personal Data
This part of the Policy describes the circumstances in which we may disclose or transmit your Personal Data to third parties. Please note that the sections below only address the disclosures and transmissions of Personal Data and not, for example, anonymous or de-identified Information (which we may transmit and disclose at any time to anyone anywhere, in any manner and for any purpose).
When you share your User Account by distributing links to such data, certain of your Profile Information (e.g., name, email address and/or profile picture) is likely to be disclosed to the addressee(s) along with the material you share (and you may also be disclosing other Users’ Personal Data).
Your Profile Information may also be shared when integrating third-party services with your User Account. You can control which data are shared when enabling and/or while enjoying the integration (depending on the third-party service). At any rate, do check your privacy settings for the third-party service prior to as well as during the integration to determine which data may be shared. And please note that we are not responsible for the privacy practices (or other acts or omissions) of such third-party service providers, so it would be advisable for you to make sure, before the integration, that you trust the service and the provider in question and are satisfied with the provider’s policies.
We may share your Personal Data with our corporate affiliates and outside accountants, legal counsels and auditors.
If we engage in or are subject to a merger, acquisition, division, transformation, public offering of our securities, obtaining financing, divestiture of all or substantially all of our assets or a significant part of such assets, transfer of the enterprise or a part of the enterprise to which your agreement with us pertains, or a similar transaction or proceeding, or if we take steps in contemplation of such activities, your Personal Data may, subject to standard confidentiality arrangements, be shared with, or transferred to, our counterparties or other relevant participants in the respective transaction or proceeding.
We may find ourselves in a situation where we are legally obliged to disclose some or all of your Personal Data or where we reasonably believe that we are so obliged. This may be the case if we receive an Information request from an authority or there is a law or regulation that requires us to make a disclosure without specific request. We may also be compelled to disclose your Personal Data by a judicial, arbitral, administrative or otherwise mandatory order or judgment. Where any of the foregoing applies, we shall make the disclosure, and we may not be permitted to tell you that your Personal Data have been disclosed.
There may also be situations where we find the disclosure of your Personal Data to be necessary in order to exercise, enforce or defend our rights, freedoms or legitimate interests or to protect the rights, freedoms or legitimate interests of a third party.
We shall disclose your Personal Data at your request (unless legally prohibited, impracticable or involving unreasonable effort or expense) or may do so upon your Consent.
International transfers of Personal Data
We may transfer your Personal Data to jurisdictions other than the one you reside in, subject to section 37.
We shall not transfer your Personal Data from countries participating in the European Economic Area (“EEA”) to those which do not, or from the EEA to international organizations, unless the recipient country or the particular person or entity receiving the data ensures an adequate level of protection for the data received, or, if it does not, then without applying such safeguards as legally required and/or without the transfer being subject to such other conditions as the law provides for these kinds of transfers.
Personal Data Security
We shall maintain adequate technical and organizational measures to ensure such level of security in our processing of Personal Data as appropriate in the given circumstances. Upon assessing whether a measure is adequate and which level of security is appropriate we consider the nature of the Personal Data we are processing and the nature of the processing operations we perform, the risks to which you are exposed by our processing of your Personal Data, the state of the art, the costs of implementation and such other matters as may be relevant in the particular circumstances.
The measures referenced in the preceding section particularly address the following: the protection of Personal Data against unauthorized or unlawful processing and against accidental loss, alteration or destruction; the integrity and confidentiality of Personal Data; the availability and resilience of the features pertinent to the processing of Personal Data; our ability to restore the availability and access to Personal Data in a timely manner after a Website failure.
However, please be aware that no security measure is perfect. Our efforts notwithstanding, we cannot guarantee that your Personal Data, during transmission over the internet or while stored in our systems or those of our service providers or while otherwise in our care, will be absolutely safe from unauthorized or unlawful processing or accidental loss, alteration or destruction, or that they will indeed be intact and confidential at all times or shortly available after any Service incident. Note also that we cannot control, and are not responsible for, the actions of other parties with whom you share (or instruct us to share) your Personal Data.
Your rights as a Data subject
‘Data subjects’ in the EEA have certain statutory rights under the GDPR concerning the Personal Data that we have on them. This part of the Policy aims to give you a general understanding of these rights and we encourage you to deepen this understanding by studying the GDPR yourself. To facilitate this, we have, in relation to each of the rights noted below, provided a reference to the specific provision of the GDPR from which that right arises.
Specifically then, and subject to such statutory exceptions as may apply in your particular case, your ‘data subject’ rights include the following:
Right of access / GDPR Article 15
You have the right to enquire and get a confirmation from us as to whether or not we process any of your Personal Data. Where we do, you may request access to those data and have us give you a copy of them. A User can access most of the Personal Data we have about her by logging in to her User Account and going to her profile page (we have what you see there), and it may well be that these are the only Personal Data we maintain on her. If you wish to be certain or have no User Account, please use the contact details at the end of this Policy to exercise your ‘right of access’.
Right to rectification / GDPR Article 16
If the Personal Data we have about you are incorrect, you have the right to request that we correct those data, and, in some circumstances, you may have the right to require that your incomplete Personal Data be completed (but in each of these cases we may need to verify the accuracy of the information you provide to us). As with the ‘right of access’, Users can and are encouraged to update the Personal Data under their User Accounts themselves.
Right to erasure (right to be forgotten) / GDPR Article 17
You have the right to request that we delete or remove the Personal Data we have on you where there is no good reason for us continuing to process them. Please note that we may not always be able to comply with your request as there may be specific legal reasons which warrant the processing. Should this be the case, we shall inform you accordingly at the time of your request.
Right to object / GDPR Article 21
You have the right to object to our processing of your Personal Data where the processing is based on Interest and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts your interests or fundamental rights and freedoms. There may, however, be occasions where we demonstrate that we have compelling legitimate grounds to process your Personal Data and thus dismiss your objection.
Right to restriction of processing / GDPR Article 18
You have the right to request that we suspend the processing of your Personal Data where any of the following applies: you have contested the accuracy of the data and the same needs to be verified; the processing is unlawful but you do not want us to erase the data that we are processing; you need us to maintain the data even though we no longer require them as they are necessary for your establishment, exercise or defence of legal claims; you have objected to processing but we need to verify whether we have overriding legitimate grounds for processing.
Right to data portability / GDPR Article 20
If our processing of your Personal Data which you have provided us is based on a Contractual ground or on Consent and the processing is carried out by automated means, you are entitled to have us make those data available to you in a structured, commonly used and machine-readable format so that you could transmit them to someone else (another ‘controller’). You may also ask us to transmit these data to that other ‘controller’ directly, and we shall do so, if technically feasible.
Right to withdraw consent / GDPR subsection 13(2)(c)
If we are processing your Personal Data based on Consent, you may withdraw that consent at any time (but this will not affect the lawfulness of any processing activities carried out based on your consent before its withdrawal).
As noted above, you can exercise some of your ‘data subject’ rights (such as the ‘right of access’ and the ‘right to rectification’) through your User Account. If you are unable to do so, particularly if you have no User Account, or if the right in question cannot be thus exercised, then please use the contact details at the end of this Policy to get in touch with us and we shall do what we reasonably can to facilitate the exercise of your rights.
We aim to respond to any legitimate request within a month of its receipt but it may take us longer if your request is particularly complex or you have made several requests. If that is the case, we shall let you know and keep you updated.
We shall not charge you any fee for exercising the above rights. If your requests are clearly unfounded or excessive, we may decline them.
Right to lodge a complaint with a supervisory authority
In case you believe that we are processing your Personal Data in violation of the GDPR, you have the right to lodge a complaint with the ‘supervisory authority’ located in the EEA country where you reside or work or where the alleged infringement took place or you can lodge the complaint with our ‘supervisory authority’ whose details are below.
Feel free to get in touch with us if you have any questions about this Policy or our data processing practices or if you would like to exercise any of your ‘data subject’ rights with respect to the Personal Data we maintain on you.
Email us: firstname.lastname@example.org
Call us: +41 (0) 61 271 30 30