Part 1: Overview
The purpose of this document is to set out Your Performance Lab’s procedures on protection of Personal Data of individuals under the company’s custody or possession. It contains important information about how and why Your Performance Lab collects, stores, uses, discloses, transfers and disposes of Prospects, Members, Employees and Freelancers Personal Data. This Policy takes into consideration General Data Protection Regulation (“GDPR
April, 2016 which is a regulation in EU law on data protection and privacy in the EU and the EU economic area (“EEA
”), including any amendment, replacement or re-enactment thereof for the time being in force and including any statutory instruments, rules, regulations, orders, notices, directions, consents or permissions as enacted by the authority currently charged with enforcing the provisions of GDPR.
Part 2: General Data Protection Regulation
The GDPR establishes a data protection law in the European Union that comprises various rules governing the collection, storage use, and disclosure, transfer access to, correction, care and disposal of individuals’ Personal Data by organisations. It recognises both the rights of individuals to protect their Personal Data, including rights of access and correction and disposal, and the needs of organisations to collect, use or disclose Personal Data for legitimate and reasonable purposes. Your Performance Lab intends to comply with all applicable provisions covering data protection by implementing suitable procedures as outlined throughout the remainder of this Policy.Part 3: Data Protection Policy
This Policy sets out the basis upon which Your Performance Lab may collect, use, disclose, store, transfer and dispose or otherwise Process Personal Data of our Prospects, Members, Employees and Freelancers in accordance with the GDPR. This Policy applies to Personal Data in our possession or under our control, including Personal Data in the possession of organisations which we have engaged for the above Purposes.Part 4: Definitions
Throughout this Policy, unless there is something in the subject or context inconsistent therewith, the following terms shall have the following meanings:
• “Affiliates” means an entity which is directly or indirectly controlled by Your Performance Lab. An entity that otherwise qualifies under this definition is included within the meaning of Affiliate even though it qualifies after this Policy comes into effect.
• “Third Party Service Providers” means any third-party provider or vendor appointed by Your Performance Lab to assist in delivery of the Services for Your Performance Lab’s Members;
• “Prospect” means any individual who has contacted Your Performance Lab through any means to find out more about any goods or Services we provide;
• “Data Protection Officer” or “DPO” refers to the individual appointed by Your Performance Lab to carry out the specific duties described in section 19 of this Policy;
• “Employee” means all individuals who may or have entered into a contract of service with Your Performance Lab and shall include all current and former Employees;
• “Freelancer” means individuals who may or have entered into a contract for service with Your Performance Lab and shall include all current and former Freelancers;
• “Your Performance Lab” means Your Performance Lab, Inc, a company incorporated in United States of America and registered office address of 9450 SW Gemini Drive, Beaverton, OR 97008-7105, USA;
• “Member” means any Prospective Customer who has entered into a contract with Your Performance Lab for the supply of Our Services;
• “Personal Data” refers to data, whether true or not, about Prospects, Members, Employees and Freelancers who can be identified from that data; or from that data and other information to which Your Performance Lab has or is likely to have access;
• Without limitation to the generality of section 4.8 of this Policy, for the purposes of Your Performance Lab’s day-to-day activities and the various specific lawful purposes as set out in the GDPR, Your Performance Lab will be specifically Processing Prospect Customers, Members, Employees and • Freelancers Personal Data of the following nature:
identity card/passport numbers; fingerprints; names; dates of birth; gender; Nationalities; ages; marital status; photographs; telephone numbers; residential addresses; email addresses; debit/credit card information and bank details; and occupations.
Without limitation to the generality of the Personal Data described at section 4.9 and without prejudice to the specificity of the Personal Data described at section 4.10, for the purposes of Your Performance Lab’s day-to-day activities and the various specific lawful purposes as set out in the GDPR, Your Performance Lab will be specifically Processing sensitive Personal Data of the following nature:
• Blood and Gut health biomarker data related to us by a prospect or Member’s blood test results from tests done by Your Performance Lab laboratory partners or other institutions.
• Prospects or Members may also upload previously existing blood and Gut Health test results obtained via their doctor or insurance company.
Any Research Consent is optional and voluntary. A Prospect or Member will not be required to agree to a Research Consent document in order to use the Platform or Services. Self-Reported Information includes information provided by the Prospect or Member in Your Performance Lab questionnaires or in any other website surveys or forms, such as sex, body weight, height, diet, etc. we may use Prospects or Members Self-Reported Information in a de-identified way for research.
User Content is all information other than Blood Test and Gut Heath Test Information, Wearable Information, or Self-Reported Information provided by Members of the Your Performance Lab Services and transmitted, whether publicly or privately, to Your Performance Lab. User content may include data, text, software, music, audio, photographs, graphics, video, messages, or other materials. For example, User content includes comments made on Your Performance Lab blogs and emails to Member support.
Behavior Information is information on how a Member uses our Platform (e.g. browser type, domains, page views, app usage etc.). We may collect this information through log files, cookies, and web beacon, analytical and advertising technologies.
Your Performance Lab may collect non-Personal Information about a Member when a Member interacts with our Platform. Non-Personal Information may include Member browser name, type of computer, and the files a Member viewed on the Platform. Clickstream data, (i.e. a list of pages or URLs visited), and technical information about how a Member connects to the Platform, such as the operating system and the internet service providers used. We may, in some cases, need to review this automatically collected data in combination with specific registration information to identify and resolve issues for individual Users, detect fraud, etc. To the extent that we link this non-Personal Information with Member Personal Information, this Policy governs our use of such information.
“Platform” means a platform that uses artificial intelligence to learn about people and their behaviours in order to help them make intentional choices about their health including sleep, exercise, nutrition and work/life balance.
“Policy” means this data protection policy created by Your Performance Lab, as may be revised, modified or otherwise updated from time to time.
“Processing” in relation to Personal Data means the carrying out of any operation or set of operations in relation to the Personal Data and includes any of the following: Collection; recording; holding; organisation, adaptation and alteration; retrieval; combination; transmission; or erasure or destruction.
“Services” means Your Performance Lab’s Platform services including, but not limited to: Blood and Gut Health Tests and insights, Wearable integrations and insights, automatic or doctor reviewed insights for preventive health and optimizing longevity, vibrancy, performance, positive habit creation, various assessments and activity/status scoring. Off the platform, Your Performance Lab will partner up with practitioners, other platforms and medical entities to leverage their offerings in order to provide an integrated health and longevity service to its clients.
Other terms used in this Policy shall have the meanings given to them in the GDPR.
Part 5: Your Performance Lab’s Personal Data Inventory
Your Performance Lab utilises a Data Inventory Map (“DIM”). The DIM is an inventory of the Personal Data in the possession or under the control of Your Performance Lab. This is an integral part of the Data Protection Management Programme (“DPMP”) that we maintain to ensure compliance with the GDPR.Part 6: Collection of Personal Data
For explanatory purposes, Your Performance Lab collects Personal Data of its Prospects and Members in the following ways:
• When a Prospect submits any form, including but not limited to Member inquiry forms or other forms relating to any of our Services;
• When a Prospect or Member has a conversation with our Chatbot service, or a Your Performance Lab affiliated doctor;
• When a Prospect or Member enters into any agreement or provides other documentation or information in respect of their interactions with us, or when they use our Services;
• When a Prospect or Member interacts with our staff, including Your Performance Lab service officers, for example, via telephone calls (which may be recorded), letters, face-to-face meetings, social media platforms and emails; Via interaction with our websites or use Services on our websites and Platform;
• Via a request that Your Performance Lab contacts a Prospective Customer or request that a Prospective Customer be included in an email or other mailing list;
• When a Prospective Customer or Member responds to our promotions, initiatives or to any request for additional Personal Data;
• Via submission of an employment application or when provision of documents or information including a resume and/or CVs in connection with any appointment as an officer, director, representative or any other position;
• When a Prospect or Member is contacted by, and responds to, Your Performance Lab marketing representatives and Your Performance Lab service officers;
• When Your Performance Lab seeks information about, and receives Personal Data in connection with a relationship with us, including for our products and Services or job applications, for example, from business partners, public agencies, ex-employer, referral intermediaries and the relevant authorities; or when a Prospect or Member submits their Personal Data to us for any other reasons.
When an individual browses our website, the individual generally does so anonymously. Please see Part 15 below for information on cookies and other technologies which we have implemented on our website and apps. We do not, at our website, automatically collect Personal Data unless a Prospect provides such information to us. If a Prospect or Member provides us with any Personal Data relating to a third party (e.g. information of their spouse, children, parents, and/or employees), by submitting such information to Your Performance Lab, they represent to Your Performance Lab that they have obtained the consent of the third party to provide Your Performance Lab with their Personal Data for the respective purposes.
Prospects and Members should ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on a Prospect or Member’s part to do so may result in Your Performance Lab’s inability to provide the Services requested, or delays in providing Services requested, or processing applications. Unless otherwise permitted under the provisions of the GDPR, or any other laws, regulations and guidelines, Your Performance Lab shall not collect Personal Data without the consent of the Prospect or Member.Part 7: Processing of Personal Data
As a legal requirement under the GDPR, Your Performance Lab is required to ensure all Prospects, Members, Employees and Freelancers Personal Data is Processed in such a way that at least one of the following bases applies:
• The Prospect, Member, Employee or Freelancer has given consent to the Processing of his or her Personal Data for one or more specific purposes;
• The Processing is necessary for the performance of a contract to which the Member, Employee or Freelancer is party with Your Performance Lab or in order to take steps at the request of the Prospect, Member, Employee or Freelancer prior to entering into a contract with Your Performance Lab;
•The Processing is necessary for compliance with a legal obligation to which we are subject;
• The Processing is necessary for the protection of the vital interests of the Prospect, Member, Employee or Freelancer or another natural person; or the Processing is necessary for the purposes of the legitimate interests pursued by Your Performance Lab or by a third party.Part 8: Purposes of Processing Personal Data
Your Performance Lab collects, uses and discloses Personal Data of Prospects, Members, Employees and Freelancers (including former Prospects, Members, Employees and Freelancers unless otherwise required under the GDPR) for the following purposes:
• Prospect and Member service and support (including but not limited to Prospect and Member relationship management, contacting a Prospect or Member regarding medical reports and results, providing follow-up calls, providing a Prospect or Member with administrative support;
• Administering and processing Prospect and Member requests including creating and maintaining profiles of our Prospects and Members in our system database for administrative purposes (including tracking Prospects and Members attendance at various Your Performance Lab Affiliates’ facilities);
• Personalising Prospect and Member experiences at Your Performance Lab’s touchpoints and conducting market research, understanding and analysing Prospect and Member behaviour, location, preferences and demographics in order to improve our service offerings;
• Liaising with third party specialists including medical personnel such as doctors, clinics, hospitals and/or medical institutions in relation to Prospect and Member health care (including by providing them with access to Prospect and Member Personal Data with a Prospect and Member’s permission);
• Uses our mobile applications (such as the Your Performance Lab app) or online registration and payments systems, displaying a Prospect and Member’s biomarker data, sending a Prospect or Member health-related notifications, and facilitating the provision of our services to a Prospect or Member; or Purposes which are reasonably related to the aforesaid.
If an individual is a prospective or confirmed Third Party Provider of Your Performance Lab, their Personal Data will be processed for the following purposes:
• Assessing Third Party Provider organisation’s suitability as an external service provider or vendor for Your Performance Lab;
• Managing project tenders and quotations, processing orders or managing the supply of Services;
• Creating and maintaining profiles of our Third Party Provider in our system database;
• Processing and payment of Third Party Provider invoices and bills;
• Facilities management (including but not limited to issuing visitor access passes and facilitating security clearance);
• And/or any other purposes which are reasonably related to the aforesaid.
Where an Employee or Freelancer submits an application to us as a candidate for employment, contractor, internships or scholarships, their Personal Data will be Processed by Your Performance Lab for the following purposes:
• Conducting interviews;
• Processing an Employee or Freelancer’s application (including but not limited to pre-recruitment checks involving Employee or Freelancer’s qualifications and facilitating interviews);
• Obtaining references and for background screening;
• Assessing Employee or Freelancer’s suitability for the position applied for;
• Enrolling successful candidates as our Employees and Freelancers and facilitating human resource planning and management (including but not limited to preparing letters of employment, name cards and building access passes); and/or any other purposes which are reasonably related to the aforesaid.
Where an individual is an existing Employee or Freelancer of Your Performance Lab, their Personal Data will be Processed by Your Performance Lab for the following purposes:
• Remuneration reviewing salaries and bonuses, conducting salary benchmarking reviews, staff appraisals and evaluation, as well as recognising individuals for their services and conferring awards;
• Staff orientation and entry processing;
• Administrative and support processes relating to the Employees or Freelancers employment, including its management and termination, as well as staff benefits, including travel, manpower, business continuity and logistics management or support, processing expense claims, medical insurance applications, medical screenings and immunisations, leave administration, long-term incentive plans, training, learning and talent development, and planning and organising corporate events;
• Providing an Employee or Freelancer with tools and/or facilities to enable or facilitate the performance of his/her duties;
• Facilitating professional accreditation and complying with compliance audits;
• Compiling and publishing internal directories and emergency contact lists for business continuity;
• Managing corporate social responsibility projects;
• Conducting analytics and research for human resource planning and management, and for Your Performance Lab to review, develop, optimise and Improve work-related practices, environment and productivity;
• Ensuring that the administrative and business operations of Your Performance Lab function in a secure, efficient and effective manner (including but not limited to examining or monitoring any computer software and/or hardware installed within Your Performance Lab, Employee or Freelancer work emails and personal digital and storage devices);
• Compliance with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities (including but not limited to disclosures to regulatory bodies, conducting audit checks or surveillance and investigation);
• Administering cessation processes; and/or any other purposes which are reasonably related to the aforesaid.
In additional to the general purposes of Processing of Prospects, Members, Third Party Providers, Employees and Freelancers Personal Data as stated within section 8 of this Policy, Your Performance Lab also Processes Personal Data of its Prospects, Members, Employees and Freelancers for the following additional purposes:
• Taking or filming photographs and videos for corporate publicity or marketing purposes, and featuring Prospect, Member, Employee and Freelancer photographs and/or testimonials in our articles and publicity materials;
• Providing or marketing services and benefits to a Prospects and Members, including promotions, service upgrades, loyalty, reward and/or membership programmes (including affiliate programs) and sending of healthcare-related updates, event invitations, newsletters and marketing and promotional information to a Prospect or Member pursuant to such membership programmes);
• Organising roadshows, tours, campaigns (including health check or vaccination campaigns) and promotional or events and administering contests and competitions;
• Matching Personal Data with other data collected for other purposes and from other sources (including third parties) in connection with the provision or offering of Services;
• Sending details of services, clinic updates, health-related information and rewards, either to our Prospect or Members generally, or which we have identified may be of interest to a Prospect;
• Conducting market research, aggregating and analysing Prospect and Member profiles and data to determine health-related patterns and trends, understanding and analysing Prospect and Member behaviour, location, preferences and demographics for us to offer a Prospect or Member other products and services as well as special offers and marketing programmes which may be relevant to a Prospect or Member’s preferences and profile; and/or any other purposes which are reasonably related to the aforesaid.
If a Prospect or Member has provided us with UK and USA telephone number(s) and have indicated consent to receiving marketing or promotional information via the UK and USA telephone number(s), then from time to time, Your Performance Lab may contact the Prospect or Member using such UK and USA telephone number(s) (including via voice calls, text, social media, fax or other means) with information about our products and services.
In relation to particular Services or in a Prospect or Member’s interactions with us, we may also have specifically notified a Prospect or Member of other purposes for which we collect, use or disclose their Personal Data. If so, we will collect, use and disclose the Prospect or Member’s Personal Data for these additional purposes as well, unless we have specifically notified a Prospect or Member otherwise.
Unless permitted under the GDPR or any other laws, regulations and guidelines, Your Performance Lab shall not use or disclose the Personal Data for any other purpose, without first identifying and documenting the other purpose and obtaining the consent of the affected Prospect, Member, Employee or Freelancer.
The purposes listed in the above sections may continue to apply even in situations where a Member, Employee or Freelancer’s relationship with Your Performance Lab (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with a Member, Employee or Freelancer).Part 9: Withdrawal of Consent
Consent received expressly or impliedly by a Prospect, Member, Employee or Freelancer of Your Performance Lab for Personal Data Processing purposes stated within Part 7 of this Policy will remain valid until such time that it is withdrawn by a Prospect, Member, Employee or Freelancer in writing addressed to Your Performance Lab’s Data Protection Officer whose details are to be found within section 19.3 of this Policy.
Upon receipt of a Prospect, Member, Employee or Freelancer’s written request to withdraw their consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within 30 business days of receiving it.
If consent is withdrawn by an Employee or Freelancer, Your Performance Lab may need to discontinue his/her employment with the company. If consent is withdrawn by a Prospect or Member, Your Performance Lab may no longer be able to provide the requested products or services and our relationship with the Prospect or Member may have to be terminated. Withdrawing consent does not affect Your Performance Lab’s right to continue to collect, use and disclose Personal Data where such collection, use and disclose without consent is permitted or required under applicable laws.
A Prospect or Member may delete their account at any time by contacting us via email at firstname.lastname@example.org. Once deleted, a Prospect or Member’s data, including a Prospect or Member’s account, username, or any other related content, cannot be restored.
Content a Prospect or Member has shared with others, exported from the service, or that others have copied may also remain visible after a Prospect or Member has deleted a Prospect or Member account or deleted the information from their own profile. A Prospect or Member’s public profiles may be displayed in search engine results until the search engine refreshes its cache.Part 10: Protection of Personal Data
Your Performance Lab places great importance on ensuring the security of our Prospects, Members, Employees and Freelancers Personal Data against risks of unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction. Your Performance Lab has implemented security measures which include appropriate administrative, physical and technical measures such as up-to-date antivirus protection, encryption and the use of privacy filters to secure all storage and transmission of Personal Data by us, and disclosing Personal Data both internally and to our authorised third party service providers and agents only on a need-to-know basis.
Your Performance Lab will regularly review and implement appropriate security measures when processing and retaining Personal Data. While acknowledging that security cannot be guaranteed and that no method of transmission over the Internet or method of electronic storage is completely secure, Your Performance Lab strives to protect the security of our information and is constantly reviewing and enhancing the company’s information security measures.
Employees of Your Performance Lab are required to handle the Personal Data securely and with strict confidentiality, failing which they may be subject to disciplinary action. Further, Your Performance Lab will impose compliance with data confidentiality requirements on our agents, third party service providers, consultants and professional advisors in our working relationships and/ or agreements with these parties.
Your Performance Lab’s Members should recognize that protecting Personal Information is their responsibility. We ask all Members to safeguard Member’s password, secret questions and answers, and other authentication information a Member uses to access our Services. Members should not disclose their authentication information to any third party. Members should also immediately notify us of any unauthorized use of a Members password. We cannot secure Personal Information that a Customer or Member releases on their own or that a Member requests us to release. A Member may choose to disclose, through other means not associated with us, any part of their Personal Information and/or results. A Member may share this information with friends or family members, groups of individuals, third-party service providers, doctors or other health care professionals, or other individuals. We recommend that all Members make such choices carefully.
Part 11: Disclosure of Personal Data
Your Performance Lab and its Affiliates will take reasonable steps to protect Personal Data against unauthorised disclosure. Subject to the provisions of any applicable law, Personal Data may be disclosed, for the purposes listed in Section 8 of this Policy to the following entities or parties, whether they are located overseas or in Singapore:
• Amongst Your Performance Lab group members and Affiliates (including their coaching staff and medical practitioners); companies providing services relating to insurance to Your Performance Lab;
• Agents contractors, sub-contractors or third party service providers who provide operational services to Your Performance Lab, such as courier services, telecommunications, information technology, payment, printing, billing, debt recovery, processing, technical services, transportation, training, market research, call centre, security, or other services to Your Performance Lab;
• Vendors or third party service providers and our marketing and business partners in connection with marketing promotions, products and services;
• Our corporate Members.
• Any business partner, investor, assignee or transferee (actual or prospective) to facilitate business asset transactions (which may extend to any merger, acquisition or asset sale);
• External credit card companies, other financial institutions and their respective service providers; our advisers such as consultants, auditors and lawyers;
• Relevant government ministries, regulators, statutory boards or authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes imposed by any governmental authority (including the Ministry of Health); and/or any other party to whom a Member authorises us to disclose Personal Data to.Part 12: Access and Correction to Personal Data
A Member may make a request to access his/her Personal Data which is in Your Performance Lab’s possession or control. The Member must complete a data access request (“DAR”) form which a Member may fill out providing all necessary information as prescribed in the DAR form. We do not charge a fee for a DAR request in normal circumstances although we may charge a reasonable fee for further copies of information already provided or for requests that are manifesting unfounded or excessive, particularly where those requests are repetitive.
Your Performance Lab aims to revert within 30 days from the receipt of the DAR request. If Your Performance Lab is unable to comply with the DAR requirements within the said time frame, Your Performance Lab will have to inform the Member the reasonably soonest time by which a response will be provided in relation to the request.
A Member may make a request for correction of his/her Personal Data which is in Your Performance Lab’s possession or control. The Member should contact Your Performance Lab’s Data Protection Officer whose details are contained within section 19 of this Policy.
A Member may make a request for transfer of his/her Personal Data which is in Your Performance Lab’s possession or control. The Member should contact Your Performance Lab’s Data Protection Officer whose details are contained within section 19 of this Policy. To the extent required by GDPR, upon request by a Member, Your Performance Lab shall provide information relating to how the Member’s Personal Data has been or may have been used or disclosed within a year before the date of such request. Your Performance Lab may also provide a standard list of possible third parties as part of its response to all access requests for information relating to the disclosure of Personal Data during such a period.
Employees who wish to access or correct their Personal Data should contact the HR Department of Your Performance Lab. Potential Employees who were subsequently not employed by Your Performance Lab or former Employees of Your Performance Lab should complete the DAR/DCR form as mentioned in section 10 above (as the case may be).
Your Performance Lab may not be able to provide access to all of the Personal Data that we hold about an individual. For example, Your Performance Lab may not provide access to Personal Data if such provision could reveal Personal Data about another individual, if such information is subject to legal privilege or if provision will be contrary to national interest or where such refusal is permitted under the PDPA. If access to Personal Data cannot be provided, the reasons for denying access will be provided to Member within 30 days of receipt of the DAR form, subject to any legal or regulatory constraints.Part 13: Retention and Disposal of Personal Data
Your Performance Lab retains such Personal Data as may be required for business or legal purposes, and such purposes do vary according to the circumstances.
Your Performance Lab does not retain Personal Data (and in particular sensitive personal data) for any longer than necessary. The length of time over which Personal Data may be retained is dependent upon the circumstances including why the personal information was obtained in the first place.
Whilst Your Performance Lab will securely dispose of or anonymise Personal Data which it can reasonably determine is no longer needed and does not generally hold on to Personal Data “just in case”, it is in the interests of any caregiver or person treating a Prospect or Member to be able to refer to a complete set of biomarker records to avoid risks to health and safety of a Prospect or Member.
With respect to the biomarker records of a Prospect or Member, unless specific contrary instructions from the Prospect or Member are received, Your Performance Lab may (but is not obliged to) retain such medical records for as long as Your Performance Lab may be potentially consulted for further follow up by (or on behalf of) the Prospect or Member even where such consultation may not occur until after a substantial period of time or there is no current or present indication that the Prospect or Member may well return for further consultation or follow up.
- A Prospect or Member has the right to request that we dispose of the Personal Data we hold about them in the following circumstances:
- Where it is no longer necessary for us to retain that personal data having regard to the purpose for which it was originally collected or processed;
- Where the Prospect or Member wishes to withdraw consent to holding and Processing of Personal Data previously given to Your Performance Lab;
- Where the Prospect or Member objects to us holding and Processing their Personal Data and no overriding legitimate interest permitting Your - Performance Lab to continue doing so exists;
- The Personal Data of the Prospect or Member has been Processed unlawfully; or Your Performance Lab needs to dispose the personal data in order to comply with a particular legal obligation.
Unless Your Performance Lab has reasonable grounds for refusing to erase Personal Data, all erasure requests shall be complied with within one month from the receipt of the Prospect or Member’s request. In the event that any Personal Data that is to be disposed in response to a Prospect or Member’s request has been disclosed to Affiliates or third parties, those Affiliates or third parties will be informed of the disposal unless to do so is impossible or would require disproportionate effort.Part 14: Storage of Personal Data
– Small text files (typically made up of letters and numbers) placed in the memory of a Prospect or Members browser or device when a Prospect or Member visits a website or views a message. Cookies allow a website to recognize a particular device or browser. There are several types of cookies: Session cookies expire at the end of a Prospect or Member’s browser session and allow us to link a Prospect or Member’s actions during that particular browser session. Persistent cookies are stored on a Prospect or Member’s devices in between browser sessions, allowing us to remember a Prospect or Member’s preferences or actions across multiple sites. First party cookies are set by the site a Prospect or Member is visiting. Third party cookies are set by a third-party site separate from the site a Prospect or Member is visiting. Cookies can be disabled or removed by tools that are available in most commercial browsers. The preferences for each browser a Prospect or Member uses will need to be set separately and different browsers offer different functionality and options.Web beacons
– small graphic images (also known as “pixel tags” or “clear GIFs”) may be included on our sites and services. Web beacons typically work in conjunction with cookies to profile each unique user and user behavior.Similar technologies
We generally do not transfer a Prospect or Members Personal Data to countries outside of UK or USA. However, if we do so, we will obtain the Prospect or Member’s express consent for the transfer to be made and we will take steps to ensure that their Personal Data continues to receive a standard of protection that is at least comparable to that provided under the GDPR. For Prospect or Members outside of UK or USA, we can provide locally hosted services in accordance with local regulations and laws, but in general Prospects and Members information is housed on servers in the United States of America or United Kingdom. If a Prospect or Member is located outside of the United States of America or United Kingdom, please be aware that the Personal Data we collect will be processed and stored in the United States of America or United Kingdom.
By using our Services and submitting Personal Data, a Prospect or Member agrees to the transfer, storage, and/or processing of a Prospect or Member’s Personal Data in the United Kingdom. Where and as required, we will seek a Prospect or Member’s express consent as outlined in this Policy.
Part 17: Training
We will ensure that all personnel of Your Performance Lab receive adequate training as to their data protection responsibilities and as to how to act and respond as and when they receive requests for matters such as subject access requests, objections and requests for erasure and rectification. Those whose roles require regular access to Personal Data, or who are responsible for implementing this Policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and hot to comply with them.Part 18: Data Breaches
A data breach is any loss of data or information in whatever form it is held and by whatever means the data was lost including data that is destroyed or rendered unusable. It may take many different forms, including:
- Loss or theft of data or equipment on which Personal Data is stored;
- Unauthorised access to or use of Personal Data either by a member of staff or third party such as from hacking;
- Loss of data resulting from an equipment or systems (including hardware and software) failure;
- Human error, such as accidental deletion or alteration of data; and/or Deliberate attacks on IT systems, such as hacking, viruses and phishing scams.
Your Performance Lab will ensure that any data breach which results, or is likely to result in, significant harm to an affected individual or is otherwise of a significant scale is notified within seventy-two (72) hours to the GDPR and within a reasonable amount of time as may be practicable to all Prospects or Members affected by the data breach.Part 19: Data protection management programme (“DPMP”) and Data Protection Officer
Under the GDPR, organisations are required to develop and implement policies and practices that are necessary for the organisation to comply with the GDPR (i.e. Personal Data protection policies and practices). The DPMP is a data protection framework that helps organisations establish a robust data protection infrastructure. It covers management policies and processes for the handling of Personal Data, as well as defining roles and responsibilities of the people in the company in relation to Personal Data protection. As a company incorporated in the United States of America and also operating in the United Kingdom, Your Performance Lab is required by GDPR to designate one or more individuals to act as the data protection officer (“DPO”) of the company. The DPO is in charge of ensuring that the organisation complies with the GDPR. This is part of the Accountability Obligation of organisations under the GDPR.
Mr. Alexandru Bodea, CTO of Your Performance Lab, has been appointed as our DPO. He is responsible for informing and advising us on our data protection obligations, for monitoring compliance and for ensuring that we comply with our obligations in accordance with this Policy. Comments or queries concerning this Policy should be addressed to him at email@example.com
The DPO will deal with issues relating to this Policy and the application of data protection law including:
Issues relating to the correct lawful basis to be applied to Personal Data collected, held or processed and in particular when consent or legitimate interest is being relied upon;
- Issues relating to the use to which data can be put having regard to the purpose for which it was acquired;
- Issues relating to the periods for which Personal Data is retained;
- Privacy notices and when these are required;
- Subject access requests as set out in GDPR;
- Actual or suspected data breaches or issues relating to security arrangements;
- Sharing data with third parties and transferring data from outside the United Kingdom or the United States of America;
- Where processing uses new technologies and is likely to result in a high risk to the rights and freedoms of natural persons and a data protection impact assessment is required;
- In relation to automated processing, including profiling or automated decision making; and In relation to information which is deemed to be special category data or data relating to children (for the avoidance of doubt, Your Performance Lab’s products and services are not designed and aimed at children under the age of 18 and it is Your Performance Lab’s policy to immediately delete children’s Personal Data where this is discovered to be the case).