Last updated January 05, 2021
GDPR is the new EU regulation for the protection of personal data and marks a new era in data protection, being the most significant piece of privacy legislation in Europe in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights of EU citizens over their data and creating a uniform data protection law across Europe. See the full GDPR guidelines here: https://www.eugdpr.org/.
Sharewell processes Personal Data in accordance with the GDPR requirements directly applicable to Sharewell’s provision of its services, which shall come into force on 01.05.2020. In particular, Sharewell processes personal data only in accordance with GDPR data protection principles and GDPR data protection provisions. Sharewell also implements appropriate technical and organizational measures, demonstrates compliance, and ensures that, in both the planning and implementation of processing activities, data protection principles and appropriate safeguards are addressed and implemented (data protection by design and default).
You can make specific requests concerning your personal data to verify if you are comfortable with the information you provide us. We require you to send an email to firstname.lastname@example.org (from the email account used when signing up to Sharewell) as we need to verify your identity. Copy the request you have from the list below onto your email’s Subject field and we will take care of the rest.
- Consent Withdrawal
- Access request
- Rectification of personal data
- Erasure of personal data
- Restriction of processing of personal data
- Personal data portability request
- Objection to the processing of personal data
1.2 What data we collect and how we use them
Sharewell only collects Registration data about you. If and to the extent that, under a special agreement in writing, you provide Sharewell with any Researcher Personal Data, this Section to these ToS will also apply for the processing of such Data.
Your registration information is kept securely and not disclosed to any third party for any reason. Your registration information data may be used for contacting you occasionally (for platform announcements, account activation etc.). We may work with third-party service providers to provide maintenance services, data analysis, service hosting, and other services for us. These third parties may have access to or process your personal information as part of providing their contracted services to us. We require the aforementioned third parties to agree to use the personal information we provide them only for the purpose for which it was provided and to agree and warrant that all the processing operations in which they engage shall be lawful and compliant with the provisions of the GDPR (even if not applicable directly by Law to their business) and/or the EU-US/SWISS-US Privacy Shield, and any other Data Protection Legislation which may be applicable to their business. We require that they provide, in particular in terms of expert knowledge, reliability and resources, sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and/or the EU-US/SWISS-US Privacy Shield and ensure the protection of the rights of the data subject.
We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with state and federal laws in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement activity or other legal processes.
We also reserve the right to disclose your information, including personal information, as we believe, in good faith, if it is appropriate or necessary to take precautions against liability; to protect Sharewell and others from fraudulent, abusive, or unlawful uses or activity; to investigate and defend ourselves against any claims or allegations; to assist government enforcement agencies; to protect the security or integrity of the Service and our other property; or to protect the rights, property, or safety of us, our users, or other persons or entities.
Sharewell cooperates with reliable cloud hosting service providers. Sharewell cooperates with such cloud hosting providers who are either located within the E.U. (and therefore are obliged to comply with all EU Data Protection Laws and Regulations) or may be located in the US. In the latter case, US located cloud hosting providers are selected by Sharewell, on grounds of US providers being certified members of the U.S. – EU Privacy Shield companies (https://www.privacyshield.gov/list).
Finally, we use commercially reasonable physical, managerial, and technical safeguards in an effort to preserve the integrity and security of your personal information. All data and responses are transferred via HTTPS/SSL secure channels to ensure the secure exchange of data between the users’ devices and Sharewell servers. We cannot, however, ensure or warrant the security of any information you transmit to us, and you do so at your own risk. Once we receive your transmission of personal information, we make commercially reasonable efforts to ensure the security of our systems. Please be aware, however, that this is not a guarantee that such personal information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. If we learn of a security systems breach, then we will attempt to notify you electronically so that you can take appropriate protective steps. We shall post a notice through the Service if a security breach occurs and we shall notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, in case the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.
Sharewell takes all necessary action to comply with COPPA and protect the rights and safety of Minors. By minors, we mean individuals under the age of majority in their residence. We make efforts to exclude Minors from any collection of data and therefore we delete any information and data that has come to our attention that is related to Minors without any notice.
We may use your email to send out a newsletter only if you consent to receiving the newsletter on specific email forms where email collection is the only purpose or on the registration page (users can check the box for receiving marketing newsletters). We send the newsletter only to people that have given their clear consent to receiving the newsletter. The newsletter will contain information about Sharewell, new features or new blog post notifications. We are using Mailerlite as our email marketing provider. Each newsletter includes the unsubscribe option. By using this option, you can easily remove your email from the Mailerlite list. Removing your email from Mailerlite will not erase your data kept in our servers. To completely delete your data, please send an email to email@example.com. We are using a double opt-in process in order to include a specific email address in our Newsletter lists when consent is given through an email-only form. That means that any time you are giving us your email using an email-only form, you will receive a confirmation email and only if you confirm your subscription, your email will be added to our newsletter list. The double opt-in process is not used when you sign up or check out – the consent in those cases is asked by using a checkbox.
The last paragraph applies also to the blog visitors (only if they consent to receiving the newsletter on specific email forms where email collection is the only purpose).
1.3 Your privacy rights
In your capacity as a data subject whose data is collected and processed by Sharewell, we inform you that you have the rights provided to you under the GDPR and, in particular, you have (a) the right to withdraw your consent at any time and without detriment, without affecting the lawfulness of processing based on consent before its withdrawal, by notifying such withdrawal to us via email with the subject “Data processing consent withdrawal” at the following email address firstname.lastname@example.org; (b) the right to request from Sharewell access to and rectification or erasure of personal data or restriction of processing concerning you and to object to processing as well as the right to data portability; (c) the right to receive notification regarding rectification or erasure of your personal data or restriction of processing that takes place following your request; (d) the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, and (e) the right to lodge a complaint with a supervisory authority.
1.4 Contact info / Representative in the EU / Data Protection Officer
Please contact us with any questions or comments about this Policy, your personal information, our third-party disclosure practices, or your consent choices by email: email@example.com.
Sharewell designates as its representative in the EU, who acts on Sharewell’s behalf and who may be addressed by any supervisory authority and be subject to enforcement proceedings in the event of non-compliance with the GDPR by Sharewell, Mr. Sten Kreisberg, who can be contacted at the following address: firstname.lastname@example.org. Sharewell remains fully liable under the GDPR. Sharewell appoints as a Data Protection Officer Igor Murujev, who can be contacted at the following address: email@example.com
Governing Law & Miscellaneous
Changes And Updates To This Policy
Sharewell reserves the right to modify the terms and conditions of the present Agreement or alter or end its Services at any time at its sole discretion. You are responsible for ensuring that you will regularly review the present Agreement. If you choose to continue using Sharewell Services after any modifications to the present terms are made, you will be considered to have fully and unconditionally accepted the aforementioned modifications to this Agreement.
Data Processing Addendum
This Data Processing Addendum (“DPA”) forms the indispensable part of the Sharewell ToS Agreement.
If and to the extent that Useberry shall be deemed Processor of any Researcher Client Personal Data delivered by Researcher Client to Sharewell in the course of this Agreement, and if and to the extent that any Service provided by Sharewell in the course of this Agreement may be deemed or may be interpreted to include processing of Data on behalf of the Researcher Client, this Data Processing Addendum shall apply.
4.1 Definitions and interpretation
In this Agreement the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified: “personal data” shall mean any information relating to a natural person (“data subject”) from which, directly or indirectly, the said natural person is or can be identified (his identity is verified); “processing of personal data” shall mean any operation or set of operations which is performed by the Processor on behalf of the Controller, which takes place with or without automated means, on personal data or on sets of personal data, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; “sub-processing” shall mean the process by which either party arranges for a third party to carry out its obligations under this Agreement and “Sub Contractor” shall mean the party to whom the obligations are subcontracted; “Technical and organizational security measures” shall mean those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and “Instruction” shall mean the documented instructions offered by the Controller to the Processor that instruct the latter to perform specific actions regarding personal data. These instructions are initially specified in the MSA and ToS and may from time to time be modified, strengthened or replaced by the controller with separate documented instructions from the controller (personalized instructions).
4.2 Security obligations of the processor
(A) The Processor shall only carry out those actions in respect of the personal data processed on behalf of the Controller as are expressly authorized by the Controller. The processor shall immediately inform Controller if, in its opinion, an instruction infringes GDPR. (B) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
(A) The Processor agrees that it shall maintain the personal data processed by the Processor on behalf of the Controller in confidence. In particular, the Processor agrees that, save with the prior written consent of the Controller, it shall not disclose any personal data supplied to the Processor by, for, or on behalf of, the Controller to any third party. (B) The Processor shall not make any use of any personal data supplied to it by the Controller otherwise than in connection with the provision of services to the Controller. (C) The obligations in clauses 20.4.A and 20.4.B above shall continue for a period of five years after the cessation of the provision of services by the Processor to the Controller. (D) Nothing in this agreement shall prevent either party from complying with any legal obligation imposed by a regulator or court. Both parties shall, however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.
(A) The Processor shall not appoint a sub-processor and shall not subcontract any of its rights or obligations under this Agreement without the prior written consent of the Controller. (B) Where the Processor, with the consent of the Controller, appoints a sub-processor and sub-contracts its obligations under this agreement it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations in relation to the security of the processing on the sub-processor as are imposed on the Processor under this Agreement. (C) For the avoidance of doubt, where the sub-processor fails to fulfill its obligations under any sub-processing agreement, the Processor shall remain fully liable to the Controller for the fulfillment of its obligations under this Agreement.
4.5 Data-subject rights
Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and technological measures, insofar as possible, for the fulfillment of the Controller’s obligations to respond to requests to exercise Data Subject rights under the GDPR. Processor shall promptly notify Controller in case it receives a request from a Data Subject under GDPR in respect of personal data. The processor shall not respond to such request except on the documented instructions of Controller or as required by applicable laws to which Processor is subject, in which case Processor shall inform Controller of that legal requirement before Processor responds to Data Subject’s request.
4.6 International transfer
Any processing of Data outside the territory of the European Economic Area shall require the prior written consent of Controller and may only be carried out if all legal requirements under Applicable Data Protection Law for such processing are fulfilled. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
4.7 Personal data breach, data protection impact assessment, and prior consultation
(A) The processor shall notify Controller without undue delay upon it becoming aware of a Personal Data Breach, providing Controller with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Personal Data Breach. The processor shall cooperate with Controller and take such reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach. (B) The processor shall provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities.
4.8 Records of processing activities, deletion or return of data & audit rights
(A) The processor shall appoint persons responsible for the protection of personal data as required by the applicable legislation, keep records of the processing activities under his / her responsibility, cooperate with the competent authorities and set at their disposal such records so that it can use them to monitor the processing operations in question. (B) At the choice of the Controller and based on his instructions, Processor, after the end of the provision of services relating to processing, shall (a) comply with any other agreement made between the parties concerning the return or destruction of data, or (b) return all personal data passed to the Processor by the Controller for processing, or (c) on receipt of instructions from the Controller, destroy all such data unless prohibited from doing so by any applicable law. (C) The processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the Controller.
4.9 Term and termination
This Agreement shall continue in full force and effect for so long as the Processor is processing personal data on behalf of the Controller.
4.10 Governing law
This Agreement shall be governed by and construed in accordance with the national law of the country in which the Controller is established.