Pivacy Policy

“Personal Data” is what enables other individuals or companies to identify you and get to know you, yet it may render you at risk if accessed by unauthorized hill intended 3rd parties.

ENWOVEN is aware of that, both as an organization as each of its staff members, and that is why a set of Policies, Operational Processes and mechanisms (technological and human based) has been developed to ensure that the Personal Data entrusted by you to ENWOVEN will be maintained, handled and shared in a manner that ensures its Security, Accuracy, Confidentiality and Privacy, hence ensuring your Personal Data Protection.

GDPR is (at present Date) the most advanced and demanding piece of legislation towards Personal Data Protection, ruling and establishing requirements that ensure your Personal Data to be safely handled by companies, therefore not rendering you at risk, and that is why ENWOVEN has adopted it as a Corporate Guideline.

For terms definitions please refer to the Glossary (below).

ENWOVEN Core Activity – Service Catalog and “Lawful Basis”

ENWOVEN renders a set of services towards Corporate Clients, therefore under a Business to Business perspective, yet its services imply “Personal Data Treatment” activities as a “Processor” under Legitimate Interest that derives from contractual obligations towards those Corporate Clients.

WHAT “Personal Data” is “treated” by ENWOVEN

ENWOVEN Corporate Clients will be submitting their staff members basic contact information in order to have them as registered contributors over ENWOVEN’s CMS Platform.

A minimum amount of “Personal Data” is therefore gathered by Enwoven consisting of:

• Name
• Company name
• Staff email address

Additional contact Data may be required such as staff member company phone number which is not Personal Data but Corporate Data, since it pertains the Corporate Client and is intended exclusively for use under Corporate Services Scope.

The univocal identification and documentation of the “Data Subject”

ENWOVEN CMS Platform users (its Corporate Client staff) will be registered with Login credentials which consist of their Corporate email address as the “username” and a password to be defined by each user.

ENWOVEN does not and will not have assess to the user passwords, which must be maintained confidential by each user.

The user is identified before the CMS platform by entering his/ her username and password.

Operational Data/ Information

By Operational Data/ Information ENWOVEN means any Data that shall be input by contributor users over the CMS platform dedicated area to that specific Corporate Client, and which may consist of:

• Additional Personal Data
• Images
• Text
• Audio files
• Video files

Profiling Data

As per contract requirements, user activity over Enwoven’s CMS platform will be monitored and traced for the purpose of navigation registry and history, which implies documenting which content has been assessed or submitted by which user at which point in time.

This derives from ENWOVEN’s Legitimate Interest in fulfilling its contractual obligations with its Corporate Clients as well as ensuring proper service monitoring and performance.

WHAT Treatment occurs over “Personal Data”

Gathering/ Collection

Under the scope of its services, ENWOVEN will exclusively gather Personal Data from its Corporate Clients, both by the company itself (when submitting a list of authorized staff members to become CMS users) and by the contributor users when they upload Operational Data/ information.

Where ENWOVEN’s own Operation is involved, the company may collect (as per ruled under GDPR article 14) the minimum amount of Personal Data that enables reaching out towards a given Data Subject and present its purpose.

This may imply collecting basic context and contact information about Corporate Stakeholder to entice Business to Business contact while proposing its Corporate Services, or reaching out to a prospect best fit new staff member.

As per defined under “GDPR” article 14, the “Data Subject” will be contacted and informed about which type of “Personal Data” was gathered by ENWOVEN, for which purpose and from which source and the “Data Subject” will be requested to provide his/ her Explicit Consent towards “Personal Data” Processing under the conveyed service scope.

If the “Data Subject” either does not reply within 28 days or his/ her answer is of not consenting towards ENWOVEN Processing his/ her “Personal Data”, ENWOVEN shall erase the “Personal Data” which has been collected about that “Data Subject”. To prevent further contact within the same scope, the “Data Subject’s” Name and e-mail address will be “black listed” (therefore maintained by ENWOVEN).

Storing

ENWOVEN is a Digital company, which means that the overwhelming amount of Data and information the company requires to operate is exclusively maintained under Digital format on its IT Systems.

Paper is used exclusively either for short periods of time and once no longer required properly disposed of (shredders) or if required under any accessory local legal requirement, and that includes having “Personal Data” printed and stored.

ENWOVEN “IT Landscape” consists exclusively of Cloud based hosted services as well as Software as a Service tools provided by 3rd party “Partner” entities.

These “Partners” include companies and services such as (amongst other):

• Amazon Web Services
• Okta
• Amplitude
• Fullstory
• Guideline
• Intercom
• CS BOX
• SalesForce
• Prospect.io

ENWOVEN acts as the Contoller and these “Partners” as “Processors”, meaning they will not undergo any “Personal Data Treatment” activities towards information registered, submitted or conveyed by ENWOVEN or their users, unless under the scope of contracted services and that is agreed and documented under an existing “DPA” between the parties.

Processing

“Personal Data Treatment”, in specifics Processing will be performed by ENWOVEN’s CMS platform according to its functionalities and exclusively deriving from what has been defined as Operational Processes by its Corporate Clients while acting as “Controllers”.

As internal Services, ENWOVEN will only process Personal Data from either prospect Corporate Client contact stakeholders or potential candidates to collaborate with ENWOVEN.

Sharing

A portion of ENWOVEN’ “IT Landscape” is Cloud based, therefore tools and services are either hosted or enabled by 3rd parties (“Partners”) and “Personal Data” is shared with those entities, not in the sense that they will change it or process it but that they will either store it or have their software processing it with ENWOVEN users logged.

The existing DPAs with these types of “Partners” rule that these companies may not copy, use or process “Personal Data” “submitted” by ENWOVEN unless to enable ENWOVEN with storage or processing results that derive from the services rendered by ENWOVEN under defined “Lawful Basis” towards the “Data Subjects”.

Besides its operation, ENWOVEN will only share Personal Data pertains Corporate Clients’ staff interaction with the CMS platform as per ruled under the existing services contract between ENWOVEN and those Corporate Clients.

HOW is “Personal Data” Security, Privacy and Confidentiality assured

ENWOVEN has its “IT Landscape” configured and monitored under the strictest Security market standards and market best practices in terms of security and performance.

ENWOVEN has reviewed and adopted changes to its operational processes in a manner that ensures compliance towards the requirements posed under “GDPR” towards “Personal Data” Protection.

ENWOVEN has done within its power to ensure that its “Partners” that provide ENWOVEN with their SaaS solutions are also credible and reliable entities towards which not only does ENWOVEN have proper “DPAs” in place but also it has made sure that those companies do also obey by the same rules towards ensuring Data Security, Privacy and Confidentiality.

For HOW LONG is “Personal Data” maintained

Data retention is one major potential risk generator towards “Personal Data”, for having the Data available means it may be accessed if a “Personal Data Breach” occurs.

ENWOVEN has set the Data Retention periods according to its services’ lifecycle, so that in one hand the company will not hold to “Personal Data” for any day longer that it is effectively necessary and on the other hand the risk of having needed information deleted prior to the end of its lifecycle within ENWOVEN’ Service Catalog scope and commitment is minimized.

HOW to exercise “Data Subjects’” rights

“GDPR” configures a set of rights that assist the “Data Subjects”, namely:

• Right of Access
• The right to know whether data pertaining him/ herself is being “Treated” by the organization and if so to be informed of which “Personal Data” is it (Article 15).
• Right to Rectification
• The right to have the company updating any inaccurate “Personal Data” (Article 16).
• Right to Erasure
• Also known as the Right to be Forgotten means that any “Data Subject” may request of ENWOVEN to erase all “Personal Data” that pertains him/ her from its repositories and inform/ have its “Processors” doing the same (Article 17).
• Please note that “GDPR” does not overrule local legislation, hence in some cases ENWOVEN may not be able to immediately (or at all) comply with such “Data Subject’” request.
• If a “Data Subject” has pending contractual obligations towards ENWOVEN or its Corporate Clients that require ENWOVEN to maintain the means to have such registry and identify the “Data Subject” or if U.S. legislation requires some “Personal Data” to be maintained for a certain period (e.g. invoices), ENWOVEN will not be able to erase the “Personal Data” that is vital to obey by such accessory legal obligations.
• Restriction of Processing
• The right to limit the processing of the “Data Subject’s” “Personal Data” (Article 18).
• Processing is derived exclusively from the needs and requirements of ENWOVEN’ Services towards its Corporate Clients therefore exercising this Right needs to be addressed to that specific Corporate Client and not ENWOVEN.
• Right to be Informed
• ENWOVEN will inform the “Data Subject” if any rectification, erasure or rectification of processing has taken place (Article 19).
• So, the “Data Subject” has the right to be informed and will be by ENWOVEN if any “Personal Data Treatment” activity changes towards his/ her “Personal Data”, including but not limited to, changes in service scope and most relevant in case of any “Personal Data Breach” which may have affected the “Data Subject’s” “Personal Data” (which will be conveyed within a period of 72 hours upon the incident).
• The right to Data Portability
• The “Data Subject” is entitled to request and shall have his/ her “Personal Data” directly transmitted from ENWOVEN to another “Controller” of his/ her choice, where technically feasible or to receive such “Personal Data” in an intelligible format so he/ she may provide it to that other “Processor” (Article 20).
• Right to Object
• The right to instruct ENWOVEN not to process his/ her “Personal Data” (Article 21).
• Once more Processing is defined by the Controller (ENWOVEN’s Corporate Client) and performed as a Processor under that Controller’s instructions, hence this right must be exercised towards the Controller.
• The right to stop Automated Decisions over “Personal Data”
• The right to request of ENWOVEN to stop “Personal Data” Processing which derives from software automated triggers (Article 22).
• Once more Processing is defined by the Controller (ENWOVEN’s Corporate Client) and performed as a Processor under that Controller’s instructions, hence this right must be exercised towards the Controller.

Any “Data Subject” may exercise his/ her rights under “GDPR” by reaching out to ENWOVEN’ “DPO” through the e-mail address dpo@enwoven.com.

Glossary

“Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with each Party. Whereas “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the Party.

“Controller” means the “Party” which determines the “Personal Data” which is forward to the other “Party” under the “Services” scope, and the inherent “Personal Data” Treatment” purposes, processes and/ or workflows which must be observed by the other “Party” within the mutual relationship.

“Data Protection Officer”/ “DPO” means the natural person within a company who bear the responsibility of ensuring corporate compliance towards “GDPR” (as per defined under this Regulation), both by means of monitoring compliance status as well as acting towards the organization and management structure informing those about existing non-conformity points and the need for the organization to act upon them in order to make them compliant with “GDPR” rules, guidelines and requirements.

“Data Subject” means the identified or identifiable natural person to whom “Personal Data” relates. Both Parties understand that the “Data Subject” is the sole owner of “Personal Data” which pertains him/ her.

“Data Subjects’ Rights” means the rights established towards the “Data Subjects” under “GDPR”. Please check the item below under the title “HOW to exercise Data Subjects’ rights”

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the “Personal Data” Treatment” and on the free movement of such data, while Repealing and replacing the Directive 95/46/EC from May 25th, 2018 onwards.

“IT Landscape” means the set of IT assets and services of and at the disposal of each “Party” that enables their “Personal Data” Treatment” operation, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.

“Lawful Basis” means the enlisted lawful grounds that a company has to entice “Personal Data” Treatment” activities under “GDPR”, namely (but not limited to) having documented: the “Data Subject’” Explicit Consent towards “Personal Data” Treatment” activities; the company Legitimate Interest in proceeding with ““Personal Data” Treatment” activities; accessory legal obligations that the company must observe and which entitled it to proceed with “Personal Data Treatment” activities within the limits of such ruling and inherent obligations; other as per defined under “GDPR”.

“Partner” means any 3rd party entity towards which each “Party” may resort in order to ensure “Personal Data Treatment” under a “Lawful Basis” (as established by “GDPR”) and within the scope of agreed “Services”.

“Personal Data” means any data which by itself or when cross-referenced with other data enables to univocally identify one given natural person, the “Data Subject”.

“Personal Data Treatment” means any operation or set of operations which is performed upon “Personal Data”, whether or not by automated means, such as: collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).

“Personal Data Breach” means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data”.

“Processor” means the entity which proceeds with authorized “Personal Data Treatment” (under this DPA and the “Agreement”) on behalf of the “Controller”.

“Service Catalog” means the set of Services rendered by ENWOVEN that requires “Personal Data Treatment”.

“Sub-processor” means any “Processor” engaged by any of the “Parties” which performs complementary “Personal Data Treatment” within the scope of the “Services”.

‍