OPUS AGENCY GDPR PRIVACY STATEMENT
Effective Date: May 25, 2018
Last Reviewed: June 1, 2020
Opus Solutions, LLC dba Opus Agency and its subsidiaries and affiliates (“Opus”, “we”, “us”, “our”) is active worldwide as a corporate events marketing agency. We may be obliged to comply with the European Union General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) when we act as a data processor for clients in Europe, when we contract with sub-processor vendors in Europe, or when we process personal data of natural persons in the EU as a data controller or processor.
Our Data Protection: General Principles
Our processing of personal data
We process personal data in different functions and contexts. We may process personal data as controller or as processor for third parties. As processor, we install and operate registration websites for events. We collect personal data via these websites or directly from our clients and process the data further to realize the event and to execute payment transactions.
Principles governing our data protection activities
We will process personal data according to the principles stated below. All employees are responsible for proceeding accordingly in their respective areas of responsibility.
- We will proceed lawfully, fairly and in a transparent manner when processing personal data.
- We will collect personal data only for specified, explicit and legitimate purposes. We will not further process data in a manner that is incompatible with these purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is legitimate.
- We will collect or process only personal data that is adequate, relevant and limited to what is necessary in relation to the relevant purpose.
- We will make sure that personal data is accurate and up to date. Inaccurate data shall be erased or rectified without delay.
- We will keep personal data that permits the identification of data subjects no longer than is necessary for the relevant purposes.
- We will ensure appropriate technical and organizational security measures when processing personal data. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Data storage / Data erasure
Personal data collected and/or processed by our US affiliated entities in their role as data controllers will be stored on servers in the USA, and only US-based cloud environments are used. Personal data collected and/or processed by our UK affiliate in its role as data controller will be stored on servers in the EU. With regard to our work as a data processor for our clients, and unless instructed otherwise to house personal data in, or transfer it to, a different region, personal data we collect and/or process for our EU-based clients will be homed in EU-based locations and personal data we collect and/or process for our US-based clients will be homed in US-based locations. Data will be stored only as long as necessary for the relevant purpose and/or as required by the relevant legal provisions and will be erased afterwards. Data will be erased at the latest after 10 years, unless different legal retention periods apply.
Personal data / special categories of personal data
- Personal data means any information relating to an identified or identifiable natural person (Art. 4 (1) GDPR), i.e. any information that identifies, relates to, describes, or is capable of being associated with a particular individual.
- In some cases, we may also process so-called “special categories” of personal data within the meaning of Art. 9 GDPR. These are particularly sensitive data such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, health data, and data concerning a natural person’s sex life or sexual orientation. Data relating to criminal convictions or offenses is likewise specially protected (Art. 10 GDPR). Such data shall only be processed under the strict conditions of Art. 9 and Art. 10 GDPR. In principle, we will only collect and/or process such data if the data subject has given explicit consent or where necessary for the establishment, exercise or defense of legal claims or before a court. In exceptional cases, we may process such data on other legal grounds of Art. 9 (2) GDPR. Whenever we process special categories of personal data, additional technical and organizational measures shall apply.
Data Protection Officer (DPO)
- We have appointed a data protection officer (“DPO”) as the responsible contact for all data protection issues relating to GDPR. The DPO can be reached as follows:
E-mail: firstname.lastname@example.org
+1 (971) 223-0777
The DPO will fulfill the tasks specified in the GDPR (Art. 39) and will be involved in all data protection-relevant processes from an early stage. The DPO interacts closely with corporate management. In their area of responsibility, the DPO acts independently and free from directives and external influence.
- The DPO informs and advises the management as well as the employees regarding their data protection obligations. The DPO oversees compliance with data protection provisions.
Contact information of Opus and our designated representative
All concerns regarding our data processing activities can be addressed to:
Mail: Opus Agency
c/o Legal Department
9000 SW Nimbus Avenue
Beaverton, OR 97008 USA
Phone: +1 (973) 221-0777
According to Art. 27 (1) GDPR, we have appointed a representative in the EU. This designated representative serves as an additional contact in the EU for data subjects and the data protection supervisory authorities and thus supports enforcement of the GDPR. The designation of the representative is without prejudice to legal actions that can be taken against us as a controller or processor. Our EU representative can be reached as follows:
Mail: European Data Protection Office (EDPO)
Avenue Huart Hamoir 71
Phone: +32 2 216 19 71
Fax: +32 475 81 02 62
Record of processing
- We maintain a record of our processing activities and shall make the record available to supervisory authorities on request. Where we are responsible as a controller for the personal data processed (see “Opus as Controller” below), the record shall comprise the information enumerated in Art. 30 (1) GDPR, such as:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer (DPO);
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data Opus is processing;
- the categories of recipients of the personal data;
- where applicable, transfers of personal data to a third country or international organization, documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data.
- If we are acting as a processor (see “Opus as Processor” below), the information stated in Art. 30 (2) GDPR will be recorded, such as:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting;
- the processor’s representative and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organization, documentation of suitable safeguards;
- where possible, a general description of the technical and organizational security measures according to Art. 32 (1) GDPR.
Data transfers within the US and to third countries
Being based primarily in the United States (US) and having servers located in the US, we observe the relevant GDPR provisions on data transfer (Chapter V GDPR) where personal data are transferred from the EU to the US to be processed by us, as well as where we engage sub-processors in non-EU countries.
- Data transfers to us are based on appropriate safeguards, as we use the standard data protection clauses adopted by the European Commission in our contracts with the controllers.
- We will transfer personal data to non-EU countries only insofar as there is a legal basis for the transfer. If other processors are engaged in countries outside the EU for which the European Commission has not acknowledged an adequate level of data protection, and these processors have not committed to the EU-US Privacy Shield, we will ensure that appropriate safeguards are in place, such as the standard data protection clauses published by the European Commission. In individual cases where such safeguards cannot be provided, data transfers can be based on the explicit consent of the data subject.
Co-operation with supervisory authorities / Support regarding the consultation with supervisory bodies
We will co-operate with and support supervisory authorities as required by the GDPR.
Opus as Controller
“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. If we are acting as a controller, we will be responsible for compliance with the principles relating to processing of personal data resulting from Art. 5 GDPR. In general, these are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality of personal data. As a controller, we will ensure that all processing can be based on a legal ground under Art. 6 GDPR. As a controller, we will implement appropriate technical and organizational measures to ensure that processing is performed in accordance with the GDPR (see “Protection of the Integrity of personal data, technical and organisational measures” below). Those measures are reviewed on a regular basis and updated where necessary.
If the collection, processing and/or use of personal data cannot be based on a legal authorization, it will only be performed if the data subject has validly consented to the processing. Consent shall be obtained from the data subject at the latest when the data is collected. We will inform the data subject in a transparent and comprehensive manner about the purpose, type and scope of the intended use of the data before obtaining consent. We will ensure that the information in connection with the submission of declarations of consent is available to the data subject in an understandable form.
We will thus ensure that such consent, in line with Art. 4 (11) and Art. 7 GDPR, is:
- freely given,
- specific,
- informed, and
- unambiguous.
Data subjects are informed that consent can be withdrawn at any time with effect for the future.
We will document the declaration of consent or, if it was given verbally or by an affirmative act due to particular circumstances, we will document the relevant circumstances. We will also record the withdrawal of consent in this way.
If the consent of a person under the age of 16 is required, the data will only be processed if the consent of the parents or legal guardians is available.
We further ensure that processes are in place to promptly implement any withdrawal of consent and to guarantee that the affected processing operations are stopped accordingly.
- Personal data that is collected, processed and stored by us is used for different purposes. We will inform the data subject of the individual purpose of the use of their personal data. This information is provided at the time of the data collection. If data is not collected from the data subject, the information is provided within a reasonable time after obtaining the data, but at the latest within one month.
- We will inform the data subject in particular of:
- the identity and the contact details of the controller (Opus) and its representative;
- the contact details of the data protection officer;
- the purposes of the processing and the legal basis for the processing;
- if processing is based on legitimate interest, the legitimate interests pursued by the controller or a third party;
- any recipients or categories of recipients of the personal data;
- where applicable, the intention to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission and/or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them;
- the period for which the personal data will be stored or the criteria used to determine this period;
- the right to request access to and rectification or erasure of personal data or restriction of processing and the right to data portability;
- where the processing is based on consent, the right to withdraw consent at any time;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement or a requirement to enter into a contract; possible consequences if the data subject does not provide the requested data;
- the existence of automated decision-making and, if relevant, of the logic involved as well as the significance and the envisaged consequences of such processing for the data subject;
- We will inform the data subject of the right to object to the processing of personal data. If the data subject objects, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject.
- If personal data are to be further processed for a purpose other than that for which they were collected, we will provide the data subject with information about that other purpose and any other relevant information about the processing prior to further processing.
- If personal data are not collected from the data subject, we will also inform the data subject about the categories of personal data we process, where the data came from and, if applicable, whether they originate from publicly available sources.
- We may refrain from providing the information where the data subject already has it, or (where the data were not collected from the data subject) where providing it proves impossible or would involve disproportionate effort.
Rights of the Data Subjects
- Data subjects may contact our Data Protection Officer at any time with questions, requests or complaints or to make use of their rights. We will address such concerns and provide the requested information without undue delay.
- We will ensure that the following rights of the data subjects as granted by GDPR are protected:
Right to information:
Data subjects may request confirmation as to whether we process their personal data and, if so, information about the purposes of the processing, the categories of data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the envisaged period of storage or the criteria used to determine that period, the right to rectification, erasure or restriction of processing of personal data or to object to such processing, the right to lodge a complaint with a supervisory authority, the source of any data not provided by the data subject, and the existence of automated decision-making and, if applicable, the logic involved and the envisaged consequences for the data subject.
Right to rectification:
If the data subject’s personal data turns out to be inaccurate, we will rectify it without undue delay. Incomplete personal data shall be completed.
Right to erasure:
If a review reveals that the purpose of the data processing has lapsed due to time or other reasons, we will erase such data. Any legal storage obligations remain unaffected. We will further erase data:
- if the data subject withdraws the consent on which the processing is based and no other legal basis for the processing is available;
- if personal data have been processed unlawfully; or
- if an obligation to erase arises under EU law or the law of a Member State to which we are subject; or
- upon request of the data subject, if the data were collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR on the basis of the consent of a child.
Rights of objection:
The data subject has the right to object at any time to the use of his or her personal data for purposes of direct marketing, including market and opinion research. Upon such objection, we will no longer process the data for those purposes and will flag the data accordingly so that such use is prevented. The data subject further has the right to object to the processing of his or her personal data if the processing is based on the public interest, the exercise of official authority or the legitimate interests of the controller or a third party. In this case, the data may only be processed further if we, as data controller, can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject. The processing also remains legitimate if it serves the establishment, exercise or defense of legal claims. If an examination reveals that, because of his or her particular situation, the interests of the data subject outweigh our legitimate interests, we will erase or restrict the data concerned.
Right to restriction of processing:
We will restrict processing of personal data in the following cases:
- where accuracy of the personal data is contested by the data subject;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
- the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
This means that data shall be stored but shall not be processed otherwise, unless with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
Right to data portability:
Upon request, we will provide the personal data of a data subject that has been processed based on consent or in the context of a contract with the data subject, and that is processed by automated means, in a structured, commonly used and machine-readable format to the data subject in question or, where technically feasible, directly to another controller.
We will communicate any rectification or erasure of personal data or restriction of processing as set out above to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform the data subject about those recipients if the data subject requests it.
Data subjects may also lodge a complaint with the competent data protection supervisory authority.
Engagement of subcontractors
If another company provides services to Opus as a subcontractor and personal data is collected, processed and/or used in this context, we ensure that the subcontractor is carefully selected and that the selection is based in particular on the aspect of the protection of personal data. Subcontractors need to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
Prior to each assignment, we will inform our Data Protection Officer and carry out an audit of the contractor with regard to the technical and organizational measures the contractor has taken for data protection and data security. We will oblige the contractor to comply with the legal requirements for the protection of personal data and, in particular, to prove upon request that the contractor’s employees who provide services for us have been bound to data secrecy. We will issue written instructions to the contractor regarding the type, purpose and scope of the processing of personal data and, where necessary, verify compliance with these specifications by means of controls.
If the subcontractor is located outside the EU, we will make sure that data is transferred only if an adequacy decision is in place, appropriate safeguards apply, or the data subject has explicitly consented to the data transfer in question.
Data Protection Impact Assessment
We will carry out a Data Protection Impact Assessment (DPIA) as prescribed by Art. 35 GDPR if a type of data processing controlled by us is likely to result in a high risk to the rights and freedoms of natural persons. The determination of whether a DPIA is necessary takes into account the nature, scope, context and purposes of the processing as well as the possible use of new technologies.
In particular, a DPIA will be carried out if:
- a systematic and extensive evaluation of personal aspects relating to natural persons is performed based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based;
- special categories of data or data relating to criminal convictions and offenses are processed on a large scale; or
- a systematic monitoring of a publicly accessible area on a large scale is at issue (Art. 35 (3) GDPR).
Obligation to notify authorities and data subjects in case of personal data breaches
Opus shall notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR). Where the notification is not made within 72 hours, it will be accompanied by the reasons for the delay. We will inform the authority about the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned, the name and contact details of the DPO, the likely consequences of the breach, and the measures taken or proposed to address it and to mitigate its possible adverse effects. Where the information cannot be provided all at once, it may be provided in phases.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also communicate the breach to the affected data subjects without undue delay (Art. 34 GDPR). The data subjects will be informed transparently and in clear and plain language of the nature of the personal data breach, its likely consequences, the measures taken or proposed, and the contact details of the DPO. Such communication is not required where the affected data were protected by appropriate measures such as encryption, where subsequent measures have ensured that the high risk is no longer likely to materialize, or where it would involve disproportionate effort, in which case a public communication or similar measure will be used instead.
Opus as Processor
Activity as processor
Where Opus processes data on the instructions of a client (the controller), e.g. when organizing events and activities for our clients, Opus is acting as a processor. “Processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
As a processor, we will act only on the documented instructions of our client. We will co-operate closely with our client and, in particular, support the client in complying with data protection requirements. If we have doubts as to the legality of the client’s instructions, we will inform the client immediately.
We will ensure that appropriate technical and organisational measures are in place to ensure that processing will meet the requirements of the GDPR and the protection of the rights of the data subject.
Upon completion of our activities as a processor, we will delete or return all personal data in connection with the relevant order, provided that there is no obligation to store it in accordance with the law of the EU or a member state.
Where necessary, we will cooperate with the supervisory authorities.
Data processing on behalf of a controller will only be performed on the basis of a written agreement between us and our client, as required by Art. 28 (3) GDPR.
Essential contract content
Such agreements will include a detailed description of the processing (subject matter, duration, nature and purpose, type of personal data and categories of data subjects) and, in particular, stipulate that we:
- will process data only on the documented instructions of the controller, unless obliged to do so under relevant EU or EU Member State law; in the latter case we will inform the controller of these obligations before processing the data;
- will state in detail the processes to be performed by us and will ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- will have adequate information security in place (Art. 32 GDPR);
- will engage sub-processors only with the prior authorization of the controller and will ensure that these sub-processors are bound by the same data protection obligations as we are;
- will assist the controller, by appropriate technical and organizational measures, in responding to requests by data subjects exercising their rights;
- will cooperate with the relevant Data Protection Authorities in the event of an inquiry;
- will report personal data breaches to the controller without undue delay after becoming aware of them;
- have appointed a Data Protection Officer;
- will keep records of all processing activities;
- will comply with EU trans-border data transfer rules;
- will help the controller to comply with data subjects‘ rights;
- will assist the controller in managing the consequences of data breaches;
- will delete or return all personal data at the end of the contract at the choice of the controller;
- will inform of organizational measures in place for the protection of personal data; and
- will inform the controller if it finds that the processing instructions infringe the GDPR.
Engagement of Subcontractors
Where engaging other companies as subcontractors that will process personal data on our behalf, we ensure that the subcontractor is carefully selected and that the selection is largely oriented towards the protection of personal data. We will only work with companies that can guarantee appropriate technical and organizational measures to ensure that processing is in compliance with GDPR.
If we provide services through subcontractors, prior authorization will be obtained from our client. If a general authorization has already been granted, or contractual provisions exist which show that we are entitled to establish subcontracting relationships, we will inform our client of the planned involvement of a new subcontractor and grant the client a right to object.
Prior to each assignment, we will inform our Data Protection Officer and carry out an audit of the contractor with regard to the technical and organizational measures the contractor has taken for data protection and data security. We will ensure that the same data protection obligations as set out in the contract between our client and us are imposed on that other (sub-)processor by way of a contract or other legal act. In particular, we will make sure that sufficient guarantees to implement appropriate technical and organizational measures are included. The security policies by which our subcontractors are expected to operate are included in our Contractor Security Policy.
If the subcontractor is located outside the EU, data transfers may only occur based on the documented instructions of our client. We will make sure that data is transferred only if an adequacy decision is in place, appropriate safeguards apply, or the data subject has explicitly consented to the data transfer in question.
Notification of security breaches
As a processor, we are required to protect the personal data we process. We are obliged to and will report personal data breaches to the controller without undue delay after becoming aware of them (Art. 33 (2) GDPR).
Support with Data Protection Impact Assessments (DPIAs)
We will support the respective controller with its DPIAs, taking into account the nature of the processing and the information available to us. This may also involve supporting the controller in a prior consultation with the supervisory authority.
Protection of the Integrity of personal data, technical and organisational measures
We have internal policies in place to ensure data security. These policies are the Contractor Security Policy for independent contractors and the Employee Security Policy for our employees, both last updated July 3, 2019. For the processing of personal data under this Statement, the duties Opus imposes on itself herein shall prevail if any conflicts with those policies should occur.
Data protection / data security standards
Whether acting as controller or processor, we ensure that the technical and organizational measures in place to protect the integrity of personal data meet the level of protection required under Art. 32 GDPR, taking into account the state of the art, the costs of implementation, and the risks of the processing. Increased standards are applied where special categories of data according to Art. 9 GDPR are processed.
If we are acting as processor, the controller can contractually opt for increased security measures even outside the scope of Art. 9 GDPR. The relevant level of protection and the specific technical and organizational measures agreed upon are included in the controller-processor agreement under Art. 28 GDPR.
Personal data will only be collected, processed or used by employees who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. These confidentiality obligations continue to apply after termination of the employment relationship.
Technical and organizational measures
We ensure that the technical and organizational measures taken to protect personal data processed always reflect the state of the art.
Access to technical installations
Physical access to our servers is strictly limited and controlled. Access is limited to, and managed by, IT and Facilities personnel. Server rooms can only be entered after authorization, are secured, and are protected by alarm systems. All entrances to the server rooms are monitored by video. Cloud facilities are vetted for best-practice physical controls.
Access to data
IT systems as well as individual accounts are protected by individual passwords, and login attempts are logged. Guidelines for the use of administrative passwords are in place, and employees are required to use complex passwords. Passwords are never stored in clear text but only as salted cryptographic hashes; they must be changed regularly, and re-use of previous passwords is not permitted. We ensure that persons authorized to use our data processing systems can only access the data covered by their access authorization. Furthermore, we ensure that personal data cannot be read, copied, modified or removed without authorization during processing and use, or after storage. Authorizations are always granted according to the need-to-know principle: access rights to a database or application are granted only to those persons who maintain that application or database or who need them for the development process, and all other persons are granted access rights only to the extent required. Read access to data is only possible via non-public, encrypted connections, using TLS with a cipher strength of at least 128 bits. All data access is logged.
Use of IT systems
Hardware and software are procured centrally and with data protection concerns in mind. The principles of privacy by design and privacy by default are respected. We restrict the use of corporate accounts or e-mail addresses in public and the installation of additional software on our workstations or laptops. For the use of mobile devices, specific directions are included in the Employee Security Policy. All employees are regularly trained regarding the secure processing of personal data.
As a controller, we will pseudonymize data where personal identification is not needed to fulfill the purposes for which the data were collected. As a processor, we will pseudonymize data on the instruction of the controller, as agreed in the contract with the controller.
As a controller, we will protect the security of personal data by using encryption wherever possible for the relevant purposes. Special categories of data (sensitive data) as well as payment data will only be stored encrypted. Data backups are also encrypted.
As a processor, the use of encryption will be agreed in detail in the contract between us and the controller. We use encryption for special categories of data and payment data as standard. Further use of encryption can be agreed with our client.
We take measures to ensure that data collected for different purposes are processed separately. The applications we offer are multi-tenant capable. Data are stored in separate logical data stores, which are isolated from each other by separate database users and can only be accessed by the respective project team and the employees assigned to that project. Backups of these data stores are also logically separated.
Protection against disclosure
We take measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission, during transport, or while stored on data carriers. Data is only transmitted via secure and/or encrypted connections. Access to the systems in the data center or cloud environments is available only via TLS or VPN tunnel connections.
We ensure that it can be subsequently verified and established whether, when and by whom personal data have been entered into, modified in or removed from data processing systems. All read, write and change accesses are logged.
Availability / Capacity
We take measures to ensure that personal data is protected against accidental destruction or loss. Availability of the data is achieved through a combination of measures: data is always stored on mirrored storage and is backed up daily, and high availability is achieved through redundantly designed systems.
Privacy by design / Privacy by default
We take into account data protection principles and appropriate safeguards already when planning and designing processing activities. When developing processes, appropriate safeguards are addressed and implemented.
We take into account that personal data is only collected to the extent necessary for the successful execution of any project. Our products are designed accordingly and also the default settings reflect this principle.
Regular review, assessment, evaluation of data Protection measures
These provisions regarding appropriate safeguards are regularly evaluated and adapted with regard to their effectiveness. In particular, we ensure that all employees are able to recognize data protection incidents and report them immediately to the Data Protection Officer, who will investigate the incident immediately. Where the affected data are processed on behalf of a client, the respective client will be informed without undue delay about the type and extent of the incident.
Further development of the principles
We will review these principles on a case-by-case basis and at regular intervals with regard to their need for adaptation and further development. The Data Protection Officer will coordinate and prepare this task. In particular, an adjustment may be necessary if the relevant legal provisions change or new business processes develop.