Humanscale Presenter Data Protection Notice
According to the EU General Data Protection Regulation and the UK Data Protection Act 2018, the personal data controller of a register is obligated to inform the register’s data subjects in a clear manner. This statement fulfils these informing obligations.
1. Personal data controller
Oy CDQ Solutions Ltd, (”Supplier”) acts as a controller for the personal data register of the Humanscale Presenter (“Software”) user data as referred to in the EU General Data Protection Regulation (2016/679).
Oy CDQ Solutions Ltd
Konepajankuja 1
00510 Helsinki, Finland
contact@presentor.fi
The Client company Humanscale Corporation (“Client”) also acts as a controller for the personal data register as referred to in the EU General Data Protection Regulation (2016/679). This notice covers only the processing carried out by Presentor in its capacity as controller. Data subjects wishing to exercise rights in relation to the Client’s processing should contact the Client directly.
2. Data subjects
Users of the Software. These may include the Client’s employees, partners or agents or other persons to whom access rights have been granted.
Data subjects may also include recipients of presentation content or other materials shared via the Software, such as persons who receive access links to presentations or other content (“shared links”), regardless of whether such recipients have a registered user account in the Software.
3. Purpose of use of personal data
The data is used by the Supplier for developing and monitoring the use of the presentation tool. The data is used by the Client for monitoring and developing the Client’s presentation material and its use. The information will not be used for direct marketing.
Personal data may also be used to:
- enable secure sharing of presentation content via personalised or non-personalised access links
- verify that shared content has been delivered and accessed
- analyse the use and effectiveness of shared presentation material
- improve the usability, relevance, and performance of presentation content
- ensure information security and prevent misuse of shared content
Processing is limited to information necessary for providing the service and improving presentation effectiveness.
4. Categories of personal data processed
The information in the user register includes the user’s email address, as well as information about the devices on which the application is installed, their operating systems, the version numbers of the application, the use of presentation material, and when the application has been used. The primary directly identifying personal data processed is the user’s email address which serves as a username.
In connection with shared links or other shared content, the information processed may include:
- link access timestamps
- information about whether shared material has been opened
- viewed pages or sections of presentation material
- number of visits or interactions with shared material
- approximate device and browser information
Shared links may be personalised in order to enable access control and to allow the sender to understand whether shared material has been accessed.
Legal basis for registered Software users: Processing is based on the user’s consent and acknowledgement given during installation of the Software.
Legal basis for shared link recipients: Processing of data relating to recipients of shared links is based on the legitimate interest of the controller in providing secure content sharing, ensuring service functionality, and improving presentation effectiveness in a business context.
5. The data subject’s rights
The data subject has the following rights, and requests for their use should be sent to the personal data controller.
Right to access data
The data subject may check the data that has been recorded.
Right to rectification
The data subject may request the rectification of inaccurate or incomplete personal data.
Right to object
Where processing is based on legitimate interests, the data subject may object to such processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override the data subject’s interests, rights, and freedoms
Right to forbid direct marketing
The data subject has the right to forbid the use of personal data for direct marketing.
Right to deletion
The data subject has the right to request the deletion of data if personal data processing is not necessary. We will handle the request for deletion and proceed to either delete the data or state a justified reason for not being able to delete the data.
It should be noted that the controller may have legal or other rights to not delete the requested data.
Right to restriction of processing
The data subject has the right to request restriction of processing while a dispute about accuracy or lawfulness is being resolved.
Withdrawing consent
If the processing of personal data is based solely on the data subject’s consent, the data subject may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Right to complain
The data subject has the right to complain to the Data Protection Supervisor if the data subject feels that we are violating the effective data protection regulation when processing personal data.
Contact information of the data protection supervisor: www.tietosuoja.fi/en/index/yhteystiedot.html
6. Regular information sources
User data is regularly obtained from the use of the Software. Data may also be obtained when recipients access presentation materials via shared links or other authorised access methods.,
7. Regular disclosure of data
We disclose information to the Client, who acts as an independent data controller and has committed to complying with the requirements of the data protection regulation. The transfer to the Client is governed by EU Standard Contractual Clauses (European Commission Decision of 4 June 2021). On request, the data subject has the right to obtain a copy of these clauses.
8. Duration of processing
Personal data will be retained only for as long as necessary for analytics, security, contractual obligations, and operation of the service. When a user account is deactivated, access to the account is disabled, but certain data may be retained for analytics, reporting, and service improvement purposes. When a user account is permanently deleted, personal data relating to that account is removed from the register or irreversibly anonymised, unless retention is required to fulfil legal obligations. Information related to shared links or other shared content usage is retained only for as long as necessary for analytics, security, and operation of the service.
9. Personal data processors
In case the Client has been granted admin rights to monitor the user data in the Software, the Client accesses the data in its capacity as an independent data controller. Access to the personal data register is only available to designated admin users on the Client side. The Client will disclose the processed personal data to its personnel only to the extent where it is strictly necessary. Persons entitled to process personal data are bound by an obligation of professional secrecy or are subject to an appropriate legal obligation of secrecy.
10. Transferring data outside the EU
Personal data is regularly transferred outside the EU or the EEA to the Client which is located in the United States. Personal data is not transferred to any other recipients than the Client.
The transfer is safeguarded by EU Standard Contractual Clauses adopted pursuant to the European Commission Decision of 4 June 2021, supplemented by a Transfer Impact Assessment conducted in accordance with GDPR requirements. A UK Addendum to the EU Standard Contractual Clauses applies where personal data of UK data subjects is transferred.
11. Automatic decision making and profiling
User data is not used for automatic decision making or profiling.