Personal Data is information that can be used to identify you as an individual, whether in isolation or in combination with other information that we hold. It may include, but is not limited to, your name, telephone number, mailing and e-mail addresses.
What Personal Data We Collect and Process
We collect and process Personal Data in the course of providing our services and more generally operating our business. What we collect and process and how we use it depends on how you use our services.
This information includes:
- Basic identification information, such as your name, your job title;
- Contact information, such as your mailing or e-mail address, your telephone number;
- Payment details, such as billing address;
- Bank account details and other payment related information;
- Recruitment information, such as your CV, your education and employment history;
- Demographic information, such as your gender, date of birth/age, country and preferred language;
- Background verification data, such as copy of passports;
- Website usage and information collected through various technologies, such as cookies, application data caches, databases and server logs, for more information please refer to our Tracking Technologies Policy;
- Records of any consents you may have given;
- If you are a client, data regarding your use of our proprietary software Webfolio® and ticket service Issue Manager;
- Any other Personal Data you may provide.
How We Collect Personal Data
We collect Personal Data in different ways, such as:
- Through you directly, when you provide it to us by completing a form on our website or contacting us;
- When clients use our proprietary software Webfolio® and ticket service Issue Manager;
- Through the monitoring of the use of our website, using cookies and other tracking technologies;
- If you visit our premises, video recording of you may be taken through CCTV systems, for safety and security purposes;
- From third-parties. For example, if you are a representative of one of our clients or business partners, your colleagues may provide us with your Personal Data;
- Through publicly available means, such as LinkedIn, Facebook, Twitter, Company registers and others.
Why and How We Process Personal Data, and on What Legal Basis
We rely on different legal bases to collect and use Personal Data. They include the following: we have obtained your consent, or the Personal Data is needed for our legitimate interests (more information on the balancing test is available upon request), or to enter into and perform contracts, or to comply with legal and regulatory obligations.
We collect and use Personal Data for different purposes, such as:
- Providing, maintaining and improving our services, as well as developing new ones;
- Processing payments;
- Communicating with you;
- Measuring the performance of our services;
- Providing after sales support;
- Marketing our services;
- Complying with our legal and regulatory obligations;
- Conducting investigations where necessary;
- Enforcing an agreement we have with you, or protecting our rights, property and safety and the rights, property and safety of our employees or others;
- Ensuring that our confidential information is protected and preventing unauthorised access and modifications to our computer systems;
- To administer and improve our website, as well as keep it safe and secure;
- For recruitment purposes;
- To pursue other legitimate interests where these are not outweighed by your interests or fundamental rights and freedoms.
Who We Share Personal Data With
We may share Personal Data strictly on a need-to-know basis with the following people:
- Our employees who provide our services or are involved in the recruitment process;
- Our professional advisors, auditors and insurers;
- Our clients’ employees;
- Third-party service providers to whom clients have outsourced certain Webfolio® related services;
- Third-party service providers who may act on our behalf as our processors;
- Investors or other third-parties in connection with a sale or transfer of all or a portion of our business or assets (including reorganization, dissolution or liquidation);
- Other third-parties in order to comply with our legal and regulatory obligations and to enforce our rights as required or permitted by applicable law.
Where We Store Personal Data and How We Protect It
We store Personal Data on our secure computers and servers in Montreal, Canada. Canada received a finding of adequacy from the European Union.
We have implemented physical, technical and procedural measures to protect Personal Data from unauthorized access, disclosure, alteration, destruction or use. However, we cannot guarantee that it is secure from intrusion.
Some of the measures that we have implemented include:
- Using encryption while Personal Data is in transit and at rest;
- Anonymizing Personal Data;
- Restricting access to Personal Data to the people described above in our section “Who we share Personal Data with” on a need-to-know basis;
- Regularly reviewing our security policies and testing our measures.
International Transfer of Personal Data
Because of the international nature of our business, it may be necessary for us to transfer Personal Data outside of Canada when delivering services to you. For example, this may happen when we receive Personal Data from you as a representative of one of our business partners or clients situated overseas. We may need to share the Personal Data that you provide with your colleagues or our professional advisors. When doing so, we will ensure that the party who receives your Personal Data is under a legal or contractual obligation to protect your data, in accordance with this Policy and applicable privacy legislation.
If the EU General Data Protection Regulation 2016/679 (“GDPR”) applies: some of the recipients of your Personal Data will be located or may have relevant operations outside of your country and the EU, such as in the USA, where the data protection laws may provide a different level of protection compared to the laws in your jurisdiction and with regard to which an adequacy decision by the European Union does not exist. The countries which provide an adequate level of data protection from a European Union data protection law perspective include Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, the State of Israel, Isle of Man, Japan, Jersey, New Zealand and the Eastern Republic of Uruguay. Recipients in the USA may partially be certified under the EU-U.S. Privacy Shield and thereby recognized as providing an adequate level of data protection from a European Union data protection law perspective. With regard to data transfers to such recipients outside of the EU we provide appropriate safeguards, in particular, by way of entering into data transfer agreements adopted by the European Commission (e.g. Standard Contractual Clauses (2010/87/EU and/or 2004/915/EC)) with the recipients or taking other measures to provide an adequate level of data protection if and to the extent required under applicable data protection law. We will provide you with a copy of the respective measure we have taken upon request (please see below for contact details).
How Long We Keep Personal Data
We retain Personal Data for as long as it is necessary for the performance of our obligations and for the time necessary to achieve the purposes for which it was collected or used. Once it is no longer necessary to process your Personal Data, we will erase it from our systems and/or records and/or take steps to properly anonymize it so that you can no longer be identified from it (unless we need to keep a copy of the Personal Data to comply with legal or regulatory obligations to which we are subject).
What Rights You Have Regarding Your Personal Data
If you have declared your consent for any Personal Data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
Under certain circumstances and in accordance with applicable data protection laws, you may be entitled to:
- Ask if and why we process any of your Personal Data and, when technically feasible, ask for a copy of such information;
- Require us to correct any incomplete or inaccurate Personal Data we may hold about you;
- Ask us to delete or remove Personal Data we may hold about you. We may however refuse such a request where we are legally entitled to do so;
- Request that we stop processing Personal Data we may hold about you. We may however refuse such a request where we are legally entitled to do so;
- When technically feasible, ask us to transfer Personal Data we may hold about you to another party;
- Lodge a complaint with a data protection supervisory authority.
Please note that these aforementioned rights might be limited under the applicable national data protection law. For further information on these rights under the GDPR (if applicable), please refer to the Appendix Your Rights.
To exercise your rights, please contact us as stated below.
How to Contact Us
Digital Shape Technologies Inc.
Attention: Legal Department
1155 René-Lévesque Boulevard West
Montréal, Québec, Canada H3B 4T3
Please note that we will require proof of your identity should you have any requests regarding your Personal Data. If we cannot confirm your identity, we may refuse to answer your requests.
Effective date: October 29, 2019
Appendix Your Rights GDPR
Right of access
You may have the right to obtain from us confirmation as to whether or not Personal Data concerning you is processed, and, where that is the case, to request access to the Personal Data. The access information includes – inter alia – the purposes of the processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access.
You may have the right to obtain a copy of the Personal Data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
Right to rectification
You may have the right to obtain from us the rectification of inaccurate Personal Data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
Right to erasure ("right to be forgotten")
Under certain circumstances, you may have the right to obtain from us the erasure of Personal Data concerning you and we may be obliged to erase such Personal Data.
Right to restriction of processing
Under certain circumstances, you may have the right to obtain from us restriction of processing your Personal Data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
Right to data portability
Under certain circumstances, you may have the right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.
Right to object
Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data by us and we can be required to no longer process your Personal Data.
Moreover, if your Personal Data is processed for direct marketing purposes, you have the right to object at any time to the processing of Personal Data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case your Personal Data will no longer be processed for such purposes by us.