DATA GDPR Privacy Addendum

Last modified: 15 October 2022

This GDPR Privacy Addendum supplements the information in our Privacy Notice if you are located in the European Economic Area, the United Kingdom, or Switzerland. 

This GDPR Privacy Addendum (the “GDPR Privacy Addendum”) supplements the information contained in our Privacy Notice (our “Privacy Notice”) and applies solely to the users of our Services who are located in the European Economic Area, the United Kingdom, or Switzerland. We adopt this GDPR Privacy Addendum to comply with the European Union’s General Data Protection Regulation, and any laws implementing the foregoing by any member states of the European Economic Area, the United Kingdom (including the UK Data Protection Act and the UK-GDPR), and Switzerland (collectively, the “GDPR”). Unless otherwise defined in this GDPR Privacy Addendum, any terms defined in the GDPR or our Privacy Notice have the same meaning when used in this GDPR Privacy Addendum. When this GDPR Privacy Addendum is applicable to you, it takes precedence over anything contradictory in our Privacy Notice. 

DATA and your employer are both independent data controllers of your Personal Data we process on or through the Services. DATA has appointed a Data Protection Officer, a     representative in the European Union, and a representative in the United Kingdom.

DATA and your employer are the data controllers of your Personal Data. DATA has appointed representatives in both the European Union and the United Kingdom in compliance with the General Data Protection Regulation and the UK Data Protection Act and UK-GDPR. DATA, its Data Protection Officer, or its representative may be contacted in any manner set forth below in the “Contact Information” Section of this GDPR Privacy Addendum. 

The Personal Data we collect about you and how we     collect it is described in our Privacy Notice.

The Personal Data we collect and the ways in which we collect it is described in our Privacy Notice. 

The Personal Data we collect from you is required for your employer to enter into a contract with DATA, for DATA to perform under the contract, and to provide you and your employer with our products and services. If you refuse to provide such Personal Data or withdraw your consent to our processing of Personal Data (when appropriate), then in some cases we may not be able to enter into the contract or fulfill our obligations to you under it. 

We have a lawful basis for our processing of your Personal Data, including processing for our legitimate interests (when balanced against your rights and freedoms), to fulfill our obligations to you under a contract with you, and required by law, and with  your consent. 

The processing of your Personal Data is lawful only if it is permitted under the GDPR. We have a lawful basis for each of our processing activities (except when an exception applies as described below):

• Consent.By using our Services, you consent to our collection, use, and sharing of your Personal Data as described in our Privacy Notice and this GDPR Privacy Addendum. If you do not consent to the terms of our Privacy Notice and this GDPR Privacy Addendum, please do not use the Services and contact your employer.
• Legitimate Interests. We will process your Personal Data as necessary for our legitimate interests. Our legitimate interests are balanced against your interests and rights and freedoms and we do not process your Personal Data if your interests or rights and freedoms outweigh our legitimate interests. Our legitimate interests are to: facilitate communication between DATA and you; detect and correct bugs and to improve our Services; safeguard our IT infrastructure and intellectual property; detect and prevent fraud and other crime; detect and prevent misuse of our Services; promote and market our business; develop our product and services. 
• To Fulfill Our Obligations to You under our Contract.We process your Personal Data in order to fulfill our obligations to you pursuant to our contract with you under our Terms of Use to provide our Services to you (subject to our contract with your employer). 
• As Required by Law. We may also process your Personal Data when we are required or permitted to by law; to comply with government inspections, audits, and other valid requests from government or other public authorities; to respond to legal process such as subpoenas; or as necessary for us to protect our interests or otherwise pursue our legal rights and remedies (for instance, when necessary to prevent or detect fraud, attacks against our network, or other criminal and tortious activities), defend litigation, and manage complaints or claims. 

We generally do not request you provide and do not process any special categories of Personal Data.

DATA does not ask you to provide, and we do not knowingly collect, any special categories of Personal Data from you that may be considered sensitive, such as Personal Data that reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade unions membership, or personal data concerning your health or data concerning your sex life or sexual orientation or history of criminal convictions. Please do not provide any such Personal Data to DATA. If we find out that you have provided such Personal Data, we will delete it. 

We generally do not use your Personal Data with any automated decision making processes. 

DATA does not use your Personal Data with any automated decision making process, including profiling, which may produce a legal effect concerning you or similarly significantly affect you. As described in our Terms of Use, you are not permitted to use our Services to obtain a D.A.T.A. Score based on any statements that you have made. Please see our Terms of Use for more information about the proper use of our D.A.T.A. Score. 

We only use your Personal Data as described in our Privacy Notice. 

We use your Personal Data as described in our Privacy Notice. 

We will only use your Personal Data to contact you about our own goods and services that may be of interest to you with your consent. If you wish to consent to this use, please check the relevant box located on the form on which we collect your data. If you wish to change your choice, you may do so at any time by logging into the Services and adjusting our user preferences in your account profile by checking or unchecking the relevant boxes or by sending us an email stating your request at support@deceptionandtruthanalysis.com. For more information, see Choices About How We Use and Disclose Your Information.

We only share or disclose your Personal Data to the entities and for the purposes described in our Privacy Notice. 

We do not share or otherwise disclose your Personal Data for purposes other than to the entities and for the purposes described in our Privacy Notice. 

You have certain rights with respect to your Personal Data under the GDPR, including the right to access and update your Personal Data, restrict how it is used, transfer certain Personal Data     to another controller, withdraw your consent at any time, and the right to have us erase certain Personal Data about you. You also have the right to complain to a supervisory authority about our processing of your Personal Data.  However, your employer may be required to send certain requests on your behalf. 

The GDPR provides you with certain rights with regards to our processing of your Personal Data. These rights replace the similar rights provided in our Privacy Notice or are supplemental to such rights. 

• Access and Update. You can review and change some of your Personal Data by logging into the Services and visiting your account profile page. You may also notify us through the Contact Information below of any changes or errors in any Personal Data we have about you to ensure that it is complete, accurate, and as current as possible. Some changes will require your employer to make such a request on your behalf. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect. 
• Restrictions. You have the right to restrict our processing of your Personal Data under certain circumstances. In particular, you can request we restrict our use of it if you contest its accuracy, if the processing of your Personal Data is determined to be unlawful, or if we no longer need your Personal Data for processing but we have retained it as permitted by law. 
• Portability. To the extent the Personal Data you provide DATA is processed based on your consent and that we process it through automated means, you have the right to request that we provide you a copy of, or access to, all or part of such Personal Data in structured, commonly used and machine-readable format. You also have the right to request that we transmit this Personal Data to another controller, when technically feasible. Note that the information that we provide may be limited by the confidentiality obligations to your employer. 
• Withdrawal of Consent.To the extent that our processing of your Personal Data is based on your consent, you may withdraw your consent at any time by contacting your employer and having them request that we terminate your access to the Services. Withdrawing your consent will not, however, affect the lawfulness of the processing based on your consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing your Personal Data. 
• Right to be Forgotten. You have the right to request that we delete all of your Personal Data, however, you must exercise this right through your employer. We cannot delete your Personal Data except by also deleting your user account, and we will only delete your account upon request from your employer and when we no longer have a lawful basis for processing your Personal Data or after a final determination that your Personal Data was unlawfully processed. We may not accommodate a request to erase information if we believe the deletion would violate any law or legal requirement or cause the information to be incorrect. In all other cases, we will retain your Personal Data as set forth in this policy. In addition, we cannot completely delete your Personal Data as some data may rest in previous backups. These will be retained for the periods set forth in our disaster recovery policies. 
• Complaints.You have the right to lodge a complaint with the applicable supervisory authority in the country you live in, the country you work in, or the country where you believe your rights under applicable data protection laws have been violated. However, before doing so, we request that you contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy. 
• How You May Exercise Your Rights. You may exercise any of the above rights by contacting us through any of the methods listed under Contact Information below. Where noted, you may have to exercise the above rights through contacting your employer’s HR department or other personnel who is responsible for the relationship between DATA and your employer. If you contact us to exercise any of the foregoing rights, we may ask you for additional information to verify your identity. We reserve the right to limit or deny your request if you have failed to provide sufficient information to verify your identity or to satisfy our legal and business requirements, including if you make a request that requires the approval of your employer. Please note that if you make unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access your Personal Data, you may be charged a fee subject to a maximum set by applicable law.

We may process your Personal Data outside of your home country, including to the United States. We only do this when     we are legally permitted to do so and when we have appropriate safeguards in place to protect your Personal Data. 

In order to provide our Services to you, we may send and store your Personal Data outside of the EEA or the United Kingdom, including to the United States. Accordingly, your Personal Data may be transferred outside the country where you reside or are located, including to countries that may not or do not provide an equivalent level of protection for your Personal Data. Your information may be processed and stored in the United States and United States federal, state, and local governments, courts, or law enforcement or regulatory agencies may be able to obtain disclosure of your information through the laws of the United States. By using our Services, you represent that you have read and understood the above and hereby consent to the storage and processing of Personal Data outside the country where you reside or are located, including in the United States.

Your Personal Data is transferred by DATA to another country only if it is required or permitted under the GDPR and provided that there are appropriate safeguards in place to protect your Personal Data. To ensure your Personal Data is treated in accordance with our Privacy Notice and this GDPR Privacy Addendum when we transfer it to a third party, DATA uses Data Protection Agreements between DATA and all other recipients of your data that include, where applicable, the standard contractual clauses adopted by the European Commission and/or the Information Commissioner’s Office in the United Kingdom (collectively, the “Standard Contractual Clauses”). The European Commission and the Information Commissioner’s Office in the United Kingdom have determined that the transfer of Personal Data pursuant to the Standard Contractual Clauses provides for an adequate level of protection of your Personal Data, however, the Standard Contractual Clauses may need to be supplemented in some cases with additional measures on a case-by-case basis after an analysis that such supplemental measures can provide you with an essentially equivalent level of protection as afforded in the EEA and/or the UK. When, as a result of this analysis, we believe this to be appropriate and necessary, the Standard Contractual Clauses have been supplemented in this way. Under these Standard Contractual Clauses, you have the same rights as if your Personal Data was not transferred to such third country. You may request a copy of the Data Protection Agreement by contacting us through the Contact Information below. 

We retain your Personal Data for as long as you keep your account open. In some instances, we may keep it after you close your account, for example we may keep it:

• on our backup and disaster recovery systems;
• for as long as necessary to protect our legal interests; and
• and to comply with other legal requirements.

DATA will retain your Personal Data for the entire time that your account remains open. After this period, we may retain your Personal Data for four (4) years, or for any of the reasons listed below, whichever is longer:

• for as long as necessary to comply with any legal requirement; 
• on our backup and disaster recovery systems in accordance with our backup and disaster recovery policies and procedures;
• for as long as necessary to protect our legal interests or otherwise pursue our legal rights and remedies; and
• for data that has been aggregated or otherwise rendered anonymous in such a manner that you are no longer identifiable, indefinitely.

We will post any changes to our GDPR Privacy Addendum on our Services. If we make material changes to this GDPR Privacy Addendum, we may notify you of such changes through your contact information and invite you to review (and accept, if necessary) the changes. 

We may change this GDPR Privacy Addendum at any time. It is our policy to post any changes we make to our GDPR Privacy Addendum on this page with a notice that the GDPR Privacy Addendum has been updated on the Services’ home page. If we make material changes to how we treat our users’ Personal Data, we will notify you by email to the email address specified in your account and/or through a notice on the Services’ home page. The date this GDPR Privacy Addendum was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Services and this GDPR Privacy Addendum to check for any changes.

If you wish to contact us, you must contact both us and our representative through the contact information below or through the “Contact Us” page on our Services. 

If you have any questions, concerns, complaints, or suggestions regarding our Privacy Notice or this GDPR Privacy Addendum, have any requests related to your Personal Data described in the Privacy Notice or this GDPR Privacy Addendum, or otherwise need to contact us, you must contact both us and our representative in the European Union or the United Kingdom (if you are a resident of the United Kingdom) at the contact information below. 

To Contact DATA (Controller)

Deception and Truth Analysis, Inc.

600 N. Broad St.

Suite 5 #273

Middleton, DE 19709-1032

Phone: (302) 314-1429

privacy@deceptionandtruthanalysis.com