Protecting the individual’s privacy on the Internet is crucial to the future of Internet-based business. We have created this Privacy Statement to demonstrate our firm commitment to the individual’s right to data protection and privacy in the context of the MASH’s Learning Hubs and cloud services. It outlines how we handle information that can be used to directly or indirectly identify an individual (“Personal Data”). MASH customers may be referred to as “Buyer” or “Seller” throughout this document. Individual users of the Solutions (whether employees of the Buyer or Seller organisations) collectively and individually may be referred to as “you” and “your” throughout this document. “Trading Partner” means an entity with which a Buyer or Seller transacts using the Solution. This statement describes MASH practices as a data processor of Personal Data submitted to the MASH cloud services specifically and is complimentary and works in conjunction with the agreement and data processing agreement between MASH (or other MASH affiliates or resellers) and each customer by offering further detail regarding such data processing activities. This statement is also referenced from within some of the Solutions, and from emails sent by the Solution, to provide transparency to individual users and organisations.
Data Controller versus Data Processor?
MASH collects information about an individual as we are providing the Solution and acting as a data processor for our customers, acting on the instructions of our customers within the scope of the services we offer. Except in limited cases identified above under “When does this Statement NOT apply?” our customers have the role of the “data controller.” Our customers are responsible for making sure that the user’s privacy rights are respected and that required consents are obtained before entering Personal Data into the Solution, including ensuring appropriate disclosures about third party data collection and use.
General Information
What Personal Data is Involved?
This Privacy Statement applies to Personal Data that customers provide to MASH when using the Solution (including email notifications sent to and from the Solution) or that customers provide to MASH service personnel for importation into the Solution, such as a list of Sellers to invite to use the Solution. The Solution enables customers to submit Personal Data to create users of the solution, to store transaction documents that may include some Personal Data of signatories or business contacts, and to store contact information associated with Trading Partners. Thus the general scope of Personal Data being processed a person’s, name, business email address, and business phone number. Buyers may also allow users to submit home address information for receiving items purchased through the Solution and some of the Solutions enable Buyers to create custom fields to collect Personal Data. Personal Data submitted to the Solution may not include Sensitive Personal Information unless, as the Solutions are enhanced, some type of Sensitive Personal Information is expressly allowed by us regarding a specific aspect of the Solution and is submitted by a customer only in accordance with the documentation. Protective measures under the applicable Data Protection Law (as defined in the Data Processing Agreement between your organisation and MASH).
Am I Required to Provide My Personal Data?
As a general principle, your provision of any Personal Data to the Solutions may be required for conducting business for your employer or with a Trading Partner. The data is generally only related to your role at your company, and is not related to you as a private person or as an individual consumer. If you object to providing personal data to the MASH cloud solutions, please contact your own company for alternatives. Buyers may use the custom field and form features in the Solution to gather various type of information about Suppliers and some Suppliers are sole proprietors. If you are a sole-proprietor or individual contractor and object to the types of Personal Data being requested from a Buyer, please contact the Buyer directly to investigate options.
Where will my Personal Data be processed?
MASH has third-party service providers within as well as outside of the European Economic Area (the “EEA”). MASH directs the operation of the Solution using data centers located mainly in the United Kingdom. Certain Solutions are offered to customers utilising data centers located in other countries or regions upon request. As MASH adds data centers in more regions, these terms shall apply to MASH’s provision of services in such data centers. Personal Data may be transferred to and from data centres. Ensuring compliance MASH and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. You acknowledge that, pursuant to the applicable export laws, trade sanctions, and embargoes issued by these countries, MASH is required to take measures to prevent entities, organisations, and parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through MASH’s websites or other delivery channels controlled by MASH. This may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to MASH’s services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match. Protecting MASH’s Legitimate Interest Each of the use cases below constitutes a legitimate interest of MASH to process or use your Personal Data. If you do not agree with this approach, you may object against MASH’s processing or use of your Personal Data as set out below. -Contacting you for billing purposes if you are the administrative contact for a Seller account on MASH cloud services. -Sending system and administrative notices to administrative contacts Investigating security incidents, disruptions of service or legal disputes. Duration of processing of Personal Data MASH will retain Personal Data in active databases for varying lengths of time depending upon the specific Solution, type of data, choices of the account administrator and applicable law in accordance with the agreement between MASH and your organisation.
Customers are provided with user administration features with which they can remove or update elements of User’s Personal Data. Personal data being processed by MASH for Buyer’s in the Solution is deleted or obfuscated after expiration or termination of the Buyer’s agreement for all integrated Solutions with some time delay to confirm termination and allow for log files to be overwritten, unless there is a legal obligation for MASH to retain the information, retention is required for some time necessary to resolve a dispute, or an alternate approach has been mutually agreed with the Customer. MASH will work with the Seller to remove or anonymise Personal Data associated with users if there is no longer a legitimate need for retention. The approaches available to customer for purging and archiving data during a subscription term and the features available for anonymisation or deletion of Personal Data are set forth in the documentation for the Solution.
Changes to this Statement
From time to time MASH will need to make changes to this policy. Some of the changes will be in response to changes in applicable laws and regulations. Changes may also be required if MASH adds new features and new services to a Solution. If we seek to make a material change to this statement, MASH will document the change, note the date of the last update at the end of the policy, and send a notice to the administrative contacts on file with MASH for each Buyer and Supplier.
Further Information
If you have questions or concerns regarding this policy, you should first contact your company’s administrator for the use of the Solution. If you do not receive acknowledgment of your inquiry or your inquiry has not been satisfactorily addressed or you do not have an active customer relationship with MASH, you should then raise your complaint to one of MASH directors who co-ordinate Privacy. To reach MASH, please submit a request to info@mashproduction.com or send a written correspondence to Attn: MASH Privacy Coordinator, or send written correspondence 8-10 Broomhall Road, S102DR MASH Privacy Statement v2.0 2018 Mash Production Ltd © All Rights Reserved EEA Considerations. As a consequence of this global footprint, whenever MASH is processing an EEA person’s Personal Data for the purposes set out in this Privacy Statement, MASH may transfer the Personal Data to (or access the Personal Data from) countries outside of the EEA including to such countries in which a statutory level of data protection applies that is not comparable to the level of data protection within the EEA. Whenever such transfer occurs, it is based on the Standard Contractual Clauses (according to EU Commission Decision 87/2010/EC or any future replacement) in order to contractually provide that the EEA person’s Personal Data is subject to a level of data protection that applies within the EEA. Customers may obtain a redacted copy (from which commercial information and information that is not relevant has been removed) of such Standard. Contractual Clauses by sending a request to info@mashproduction.com. – A Data Processing Agreement, incorporating the Standard Contractual Clauses regarding EEA personal data, is part of the MASH Terms of Use (Suppliers) and is a standard for Buyer agreements. If you are a Buyer and do not have a Data Processing Agreement in place with MASH for the Solutions and would like to add one to your agreement, please contact your MASH representative.
Data Subjects’ Rights
Individuals have the right to access, modify and delete Personal Data about them although this may require approvals by the individual’s employer. To exercise these rights, MASH has procedures to allow updates to Personal Data in a timely manner. In most Solutions, the administrative contact for your company can directly change Personal Data by logging on to the Solution and managing your account profile directly. In some Solutions, each individual user can self-administer his/her own user account details or changes may be requested by calling MASH support. Deletion of your Personal Data may require approval by your employer. Depending on the solution, requests to delete or anonymise Personal Data must be made to the administrative contact for your company and such steps may require MASH assistance. If you are unable to correct, update, or delete your Personal Data because you are no longer an employee of the business that is the account holder, or your account has been terminated, you may contact the MASH support. In each case, MASH will take reasonable measures to contact the business that is responsible for the account and accommodate your request or respond in writing with the legal basis for denying the request within thirty (30) days.
Disclosure to Third Parties
MASH does not provide your Personal Data to third parties, except as described in our contracts with our customers, unless – you (or your account administrator acting on your behalf) request or authorize it; – such disclosure is necessary to process transactions or provide services which you have requested – MASH is compelled to do so by a governmental authority, regulatory body, or under subpoena or similar governmental request or to establish or defend a legal claim; the third party is acting as our agent or sub-contractor in performing services or legal compliance activities or you designate your Personal Data to be publicly viewable in the Solution.
Providing the Solution to Your Organisation
MASH will use Personal Data for the following limited purposes in relation to the Solution, to facilitate operation of the Solution and its related services; enhance use of the Solution and its related web pages; perform internal tracking and Solution improvement; enable MASH to contact you; process requested transactions through the Solution including the use of templates, document creation and transmission of messages; and analyse the volume and history of a company’s Solution usage. MASH will treat Personal Data as confidential unless you or your account administrator submits it for public view using features of the Solution and will process the data according to the lawful and technically feasible instructions of the Buyer or Supplier. The Solution documentation is considered part of such instructions.
Tracking Technologies including Cookies
MASH gathers certain information automatically and stores it in log files. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. Some of our Solutions utilise cookies or similar technology. If you configure your browser to reject cookies from the Solution, you will not be able to access the Solution. Personal Data you submit while using the Solution is not stored in cookies except where necessary to perform web site security, service functionality and usage analytics. MASH does not place any third-party advertising tracking cookies on your computer during your use of the Solutions. The web pages you access when using the Solutions do not respond to “do not track” signals sent by your browser. In relation to emails generated by the Solution, we may track the open-rate, click-through rate and/or bounce rate of the messages at the individual level.
Ensuring compliance
MASH and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. You acknowledge that, pursuant to the applicable export laws, trade sanctions, and embargoes issued by these countries, MASH is required to take measures to prevent entities, organisations, and parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through MASH’s websites or other delivery channels controlled by MASH. This may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to MASH’s services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match.
Protecting MASH’s Legitimate Interest
Each of the use cases below constitutes a legitimate interest of MASH to process or use your Personal Data. If you do not agree with this approach, you may object against MASH’s processing or use of your Personal Data as set out below. -Contacting you for billing purposes if you are the administrative contact for a Seller account on MASH cloud services. -Sending system and administrative notices to administrative contacts -Investigating security incidents, disruptions of service or legal disputes.
Duration of processing of Personal Data
MASH will retain Personal Data in active databases for varying lengths of time depending upon the specific Solution, type of data, choices of the account administrator and applicable law in accordance with the agreement between MASH and your organisation. Customers are provided with user administration features with which they can remove or update elements of User’s Personal Data. Personal data being processed by MASH for Buyer’s in the Solution is deleted or obfuscated after expiration or termination of the Buyer’s agreement for all integrated Solutions with some time delay to confirm termination and allow for log files to be overwritten, unless there is a legal obligation for MASH to retain the information, retention is required for some time necessary to resolve a dispute, or an alternate approach has been mutually agreed with the Customer. MASH will work with the Seller to remove or anonymise Personal Data associated with users if there is no longer a legitimate need for retention. The approaches available to customer for purging and archiving data during a subscription term and the features available for anonymisation or deletion of Personal Data are set forth in the documentation for the Solution.
Changes to this Statement
From time to time MASH will need to make changes to this policy. Some of the changes will be in response to changes in applicable laws and regulations. Changes may also be required if MASH adds new features and new services to a Solution. If we seek to make a material change to this statement, MASH will document the change, note the date of the last update at the end of the policy, and send a notice to the administrative contacts on file with MASH for each Buyer and Supplier.
Further Information
If you have questions or concerns regarding this policy, you should first contact your company’s administrator for the use of the Solution. If you do not receive acknowledgment of your inquiry or your inquiry has not been satisfactorily addressed or you do not have an active customer relationship with MASH, you should then raise your complaint to one of MASH directors who co-ordinate Privacy. To reach MASH, please submit a request to info@mashproduction.com or send a written correspondence to Attn: MASH Privacy Coordinator, or send written
correspondence 8-10 Broomhall Road, S102DR
MASH Privacy Statement v2.0 2020 Mash Production Ltd © All Rights Reserved