Dear Web Shield clients, users, visitors, guests, employees, shareholders, and website visitors: The protection of your privacy and the personal information that you share with us is one of the most important business and ethical concerns for Web Shield. The processing of personal data at the Web Shield Group is governed by the provisions of the General Data Protection Regulation (“GDPR”).
First, we would like to let you know who is taking care of your personal data:
We are the Web Shield Group, integrated by Web Shield Limited, Web Shield Services GmbH and Web Shield Polska sp. z o.o. The three Web Shield companies are joint controllers of the personal data of our data subjects.
Web Shield Limited is a company registered in the UK with company number 07893072. It is located at 54-58 Tanner Street, The Brandenburg Suite - Tanner Place, London, United Kingdom, SE1 3PH. The CEO is Mr. Glenn Mac Donald.
Web Shield Services GmbH is a company registered with the District Court of Leipzig, with commercial register number HRB 30305. It is located at the Rosa-Luxemburg-Straße 27 04103 in Leipzig, Germany. The managing director is Mr. Glenn Mac Donald.
Web Shield Services Polska sp. z o.o is a company registered in Poland with commercial registry number 0000590050. It is located at Grzybowska 43, 00-855 Warsaw, Poland. The managing director is Mr. Daniel Grech.
The companies that integrate the Web Shield Group have in place adequate protection of the company’s group national, EU-wide, and international, intra-group transfer and processing of personal data under GDPR.
The Web Shield group has a DPO. You can reach out to her if you want to exercise any of your data protection rights or have more information about our privacy policies and measures. You can send an email to: firstname.lastname@example.org. We are ready to process your request and keep you informed in a timely manner.
Next, we would like to inform you about how we process the personal data that we obtain directly from you.
We would like to let you know the following:
1. Who our data subjects are and how we get personal data from them
- Customers, their legal representatives, program contact and invoicing contact: We obtain their data from the contractual parties, in the context of contractual negotiation.
- System users who can access the system according to the contract: We obtain data directly from them when they register in our system as users. We also collect data from them via cookies designed to collect the user’s IDs, for authentication reasons.
- Employees: We obtain data from them in the context of recruitment, employment contract negotiation and signature, and in the context of carrying out background checks.
- Applicants to job positions: We receive personal data such as CVs, directly from job applicants, in the context of job applications. We keep their personal information for longer than legally allowed, ONLY after obtaining consent.
- Service providers: In the context of the provision of a services contract we receive personal data of the legal representatives and contact person directly from the natural person or from the company.
- Sales prospects: We receive personal data of potential clients from different sources such as LinkedIn. We only send offers after consent from the prospects.
- Newsletter subscribers: We receive personal data directly from newsletter subscribers when they subscribe to our newsletters.
- Website visitors: We collect personal when you visit this website if you consent to the collection and processing.
2. Personal data that we process
- Names and email addresses
- Postal addresses
- IP addresses
- Phone numbers
- Invoicing information
- Job applications
- Personal data found on the web during crawling during the processing of our products
3. Reasons for the processing of your personal data
We may process your personal data of our clients or other data subjects based on the following legitimate basis of processing:
- Contractual basis: In the case of service contracts with our clients, employment contracts with our employees, service contracts with our service providers, non-disclosure agreements, and other types of contracts.
- Compliance with legal obligations: For instance, tax and employment law obligations.
- Consent: We process personal data related to marketing and sales based on freely given, specific, informed, and unambiguous authorization provided by the data subjects.
- Legitimate interest: After a balancing test, to make sure the rights of our data subjects are duly protected.
At Web Shield, we neither sell nor lease any personal data. Furthermore, we DO NOT perform any type of automated decision-making based on your personal data.
4. Reasons and circumstances under which we share your personal data
We might share your personal data within the Web Shield Group in the context of our Intercompany Data Protection Agreement, which includes Standard Contractual Clauses, for sharing personal data with Web Shield Limited.
We may also share personal data with third parties in the following context:
- We may share your personal data with some of our service providers under strict contractual clauses established in data protection agreements and after a diligent screening.
- We might also share your personal information if required by a competent authority.
- We might also share the personal data we collect after receiving your explicit consent.
5. Countries to which we transfer personal data
We transfer your personal data within the group, meaning Germany, UK and Poland and our servers are in Germany.
We could transfer your personal data to third countries because of contractual relationships between Web Shield and our service providers. We would only transfer personal data abroad exceptionally. If we do, we will make sure that we do it in the context of the contractual relationship and according to the following standards:
- We make sure to establish contractual relationships only with service providers that offer a degree of protection of personal data approved by the EU. In this sense, we potentially transfer your personal data to other EU countries and to countries recognized by the EU as having a high degree of personal data protection (Data adequacy status granted by the European Commission).
- We would ONLY consider transferring your personal data to countries that do not fall within the previous categories, if they provide guarantees and appropriate safeguards for the lawful processing of your personal data, such as adhering to a standard clause of protection of personal data.
6. Our cookies
- The main purpose of cookies is to make it quicker for users to access the selected services. In addition, cookies make it possible to tailor the services offered by the website, allowing information of interest or potentially of interest to be provided to users depending on their use of the services. A cookie is any kind of file or device that is downloaded to a user’s system for the purpose of storing data that may be updated or retrieved by the company responsible for its installation.
- We process your personal data by using a cookie that stores your Login credentials. This is a session cookie that is automatically deleted after your visit. We need this cookie to collect your User ID only for user validation. Without fulfilling this validation process is impossible for us, because of legal, contractual and security reasons, to grant you access to our system.
- We also use the LinkedIn Insight Tag on our corporate LinkedIn page. In this case, data is pseudonymized after 7 days and deleted after 90 days.
7. How we delete your personal data from our filing systems
At Web Shield, we know you have the right to be forgotten. At the same time, we are aware of other legal responsibilities that derive from different types of contractual relationships. That is why we have designed an erasure concept that balances your data protection rights with legal obligations in line with tax, civil and commercial, regulatory, corporate, employment and criminal law. We erase your personal information at the end of the retention period allowed or required by those laws.
The personal data erasure concept designed by Web Shield is the following:
- Personal data of shareholders (ID Data): Deleted after 10 years, unless financial year tax evaluation has not yet been completed.
- Personal data of employees: Deleted 10 years after the conclusion of the employment contract, unless financial year tax evaluation has not yet been completed.
- Personal data of job applicants: Deleted after one year upon recruitment process termination. If we require to keep your personal data longer, we will request for your consent.
- Personal data of system users (ID Data): Upon platform termination, unless there is a compelling reason to keep it.
- Personal data in the Web Shield system archives: Anonymised after 10 years
- Personal data of Newsletter receivers and sales prospects: After 5 years or as soon as they withdraw consent.
8. Measures to keep your personal data safe
To ensure the safety of personal data, we have implemented, among others, the following organizational and IT measures:
- Training: To make sure that everybody at Web Shield understands their data protection responsibilities.
- Contract management: To ensure contracts with service providers offer accurate protection of personal data.
- On-Premises security measures: To make sure that no malicious entity can have access to the data you entrust with us.
- Restricted access to documentation: To ensure that the individuals who do not need to have access to your personal data do not have access to it.
- Confidentiality clauses: To ensure that our employees and subcontractors keep your personal information confidential.
- Virus scans and firewalls: To review and identify technological threats that could affect your information.
- Data backup and data restoration: To prevent your personal data gets lost.
- Tests and audits: To verify security measures.
- Automated security tests: To ensure that each software release is subject to constant adjustments to new hazards. Each year, the Company performs a comprehensive penetration test for this purpose.
9. How we enforce your rights
Under GDPR, you are entitled to exercise of the following rights:
- Right to request from controller access to personal data: you may require (i) information whether your personal data is retained and (ii) access to your personal data retained, including the purposes of the processing, the categories of personal data concerned, and the data recipients as well as potential retention periods.
- Right to rectification, erasure or restriction of personal data – you may request rectification, removal or restriction of your personal data, e.g. because (i) it is incomplete or inaccurate, (ii) it is no longer needed for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn.
- Right to withdrawal your consent: you may refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw your consent to processing of your personal data at any time.
- Right to object – you may object, out grounds relating to your particular situation, that your personal data shall be subject to a processing. In this case, please provide us with information about your particular situation. After the assessment of the facts presented by you we will either stop processing your personal data or present you our compelling legitimate grounds for an ongoing processing.
- Right to data portability – you may require (i) to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and (ii) to transmit those data to another controller without hindrance from our side; where technically feasible you shall have the right to have the personal data transmitted directly from us to another controller.
- Right to lodge a complaint with a supervisory authority – you may take legal actions in relation to any potential breach of your rights regarding the processing of your personal data, as well as to lodge complaints before the competent data protection regulators.