Last Updated: 26 November 2020
As you access this Site, Customuse Ltd (“we”, “us” or “Customuse”) recognises your desire to safeguard your personal information and we are committed to protecting your personal information that you share with us.
What information we gather
How we collect your information
How we protect your information
How we will use the information collected
When we might share your information
Storage of your information
Your rights in relation to your information
Third party websites
Opting “In” or “Out”
1. What information do we gather?
We collect two types of information at various points in your user or customer journey:
1.1 “personally identifiable information” or “personal information”, meaning it can be used to specifically identify you; and
1.2 “non-personally identifiable information” or “non-personal information”, meaning it relates to you but can’t be used to specifically identify you: information about the device you may be using or what kind of browser you are using.
2. How we collect your information
2.1 Personal information
We may collect personal identification information from you in a variety of ways, including, but not limited to when you register on the site, subscribe to the newsletter, and in connection with other activities, services, features or resources we make available on or through our site. Users may be asked for a number of contact details, including but not limited to and as appropriate: name, address and email address. We may collect this information and store this for future use using “cookies” (see our Cookies Policy below). Users may however visit this website anonymously. We will collect personal identification information from users only if they voluntarily submit such information to us. Users can always refuse to provide personal identification information but this may mean that they are prevented from participating in Site and event related activities.
2.2 Non-personal identification information
We may collect non-personal identification information about users whenever they interact with our Site. Non-personal identification information may include the browser name, the type of computer and technical information about users’ means of connection to our Site, such as the operating system and the internet service providers utilised and other similar information.
2.3 Cookies and tracking technologies
3. How we protect your information
3.1 Security for all personal information is extremely important to us. To prevent unauthorised access, maintain data accuracy and ensure the correct usage of information, we monitor and adjust our physical, electronic and managerial procedures to safeguard and secure the information we collect online.
3.2 Unfortunately, we cannot guarantee that data transmitted over the Internet will always be secure. As a result, while we strive to protect your personal information, we cannot ensure or warrant the security of any information you transmit to us through our Site and you do so at your own risk.
3.3 We encourage you to review the privacy statements of other websites you choose to link to from our Site so that you understand how those sites collect, use and share your information. Customuse is not responsible for the privacy statements or other content of websites you may link to from this Site.
4. How we may use information collected
Customuse may collect and use users’ personal information for the following purposes:
4.1 To support functionality of the website
The information you provide us will allow us to register your account and maintain any preferences you have with us, as well as let you see any individual orders for our products or services that you have taken out.
4.2 To improve and personalise user experience
The information provided allows us to understand customer needs more efficiently and support improvement of Customuse. Information may also be used to understand how users use the services and resources provided on our site and will be used to improve our products and services.
4.3 To process payments and for other service providers
Information provided in the process of placing an order will be used to aid the service for that order. Information is not shared to outside parties except to the extent in which the service needs to be provided.
4.4 To send newsletters, SMS and email communication
If a user agrees to receive communication and emails through our newsletters and mailing lists, emails will include updates on company and partner news, updates, related product or service information, etc. If a user has provided consent to us to share their details with our sponsors and third party organisers, we may do so to fulfil their wishes. In each case, the user is able to unsubscribe from the mailing list by following the steps set out below.
4.5 Other Marketing Activities
5. When we might share your information
While we will never sell your personal information to any other third party without your explicit consent, we do sometimes need to work with a number of third parties to create the best, seamless and most dynamic service we can. We are very careful about who we share your information with, but we would like to give you more detail about the limited circumstances where we may share your personal information with external parties and why.
5.1 Sharing information with our Service Providers
5.2 Sharing your information with our social media partners and third-party marketing partners
We may provide aggregated non-personally identifiable information, usually obtained through cookies, to third parties (such as marketers, ad server companies and advertisers) that make use of general customer data.
5.3 Sharing information with other third parties
We may provide information to others (such as governmental or law enforcement agencies) in the good faith belief that such action is necessary to: (ii) comply with any legal claims raised against us; (iii) protect the rights, property or safety of Customuse; or (iv) protect the rights, property or safety of the public.
We may also provide your information to third parties such as our sponsors or other event organisers where users have expressly consented to this. Please note, we will not share your information with third parties under this paragraph where you have not given us your consent. If you have given us your consent and would like to withdraw this consent, please contact us on our details below. You may also use the unsubscribe button contained in our emails.
6. Storage of your information
6.1 We will usually store the information we collect from you within the European Economic Area (“EEA”). We will only store personal information we collect from you outside of the EEA if we have first obtained your consent.
6.2 We will retain your information for the shortest time possible, taking into account our purposes for collecting it, as well as any legal obligations to keep the data for a fixed period of time. Your information will be deleted after five years.
By way of an exception, your personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (anonymisation, encryption, etc.).
6.3 We will not retain your personal data for any longer than reasonably necessary. What this means is that if you only provide your personal data to us in connection with a promotion or competition that you have entered through our Site, we will securely delete your personal data once such a promotion or competition has come to an end. If you provide us with your email address so that you can receive our newsletters, we will continue to store your email address until you notify us that you no longer wish to receive our newsletters. Notwithstanding the foregoing, you have the right at any time to notify us that you want the personal data we hold on you to be deleted.
7. Your rights in relation to your information
You have the following rights in relation to your personal information:
7.1 you have the right to request us to divulge what personal information concerning you we hold, and how we are using it (Subject Access Request);
7.2 you have the right to object to us processing your personal information if there are sufficient grounds relating to your particular situation (Right to Restrict/Object to Processing);
7.3 you have the right to require us to correct any errors in your personal information held or processed by us or on our behalf (Right of Rectification);
7.4 you have the right to ask us to delete your personal information where that information is no longer needed for the original purpose for which it was obtained/given. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with the GDPR. Note that we may demonstrate compelling legitimate grounds to process your information which override your right to erasure (Right to be Forgotten);
7.5 where we are processing your personal information only by way of your consent (for example, if you have provided explicit consent to have your personal information shared with a social media network), you have the right to withdraw this consent at any time;
7.6 where we are unable to delete the information, either because a legitimate legal basis remains or because you want us to keep some or all of your personal information for whatever reason, you have the right to have the purpose for which that information is held or processed restricted;
7.7 you have the right to make a data portability request, allowing you to obtain and reuse your personal data for your own purposes across different services;
7.8 you have the right, subject to narrow exceptions, to not be subject to automated decision making.
You also have the right to prohibit us from using your personal information for direct marketing purposes and we will only send you marketing information where you have expressly consented thereto. You will always have the option of removing your information from our e-mail mailing list(s) so that you will not receive further e-mail promotional communications from us.
In order to ensure immediate removal from any list, it is best to follow the specific instructions outlined within the communications you receive from us (for example, an unsubscribe button) since we operate numerous sites and e-mail lists. If you are unable to complete the process indicated in such communications, please send us an email at: firstname.lastname@example.org.
8. Third Party Sites
8.2 Sites linked to our Site are checked at the time of linking for possible legal violations. A permanent control of the linked pages is unreasonable without concrete evidence of a violation. Upon notification of violations, links will be removed immediately.
Privacy Statement for the use of Facebook plugins (like button)
8.3 Our website contains plugins designed by the social network Facebook (Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA). You can easily identify the Facebook plugins thanks to the Facebook logo or the “Like Button” (“Like”) on our website. You can read more about Facebook plugins here: http://developers.facebook.com/docs/plugins/.
8.4 When you visit our pages, a direct connection is established between your browser and the Facebook server. In the process, Facebook receives the information that you have visited our website with your IP address. When you click on the Facebook “Like Button” while you are still logged in to your Facebook account, you can link the contents of our pages to your Facebook profile. This makes it possible for Facebook to allocate our pages to your user account. We would like to emphasise that, as the provider of the web pages, we have no knowledge of the data and how they are used by Facebook. For more information, please see the data privacy statement at http://de-de.facebook.com/policy.php.
8.5 If you do not want Facebook to be able to associate your visit to our pages with your Facebook user account, please log out of your Facebook user account.
Privacy Statement for the Use of Google Analytics
8.6 This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, text files that are stored on your computer and enable analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. If the IP anonymisation option is activated on this website, your IP address is abbreviated by Google within Member States of the European Union or in other countries which are contracting parties to the Agreement of the European Economic Area (EEA).
8.7 Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compiling reports on website activity and providing other website and internet related services to the website operator. It is undertaken as part of Google Analytics that your IP address will not be merged with other data held by Google.
Privacy Statement for the Use of Twitter
8.9 Functions of the Twitter service are integrated on our sites. These functions are offered by Twitter (Twitter, Inc. 1355 Market St, Suite 900, San Francisco, CA 94103, USA). Through the use of Twitter and the “Re-Tweet” function, the web pages you visit are linked to your Twitter account and made known to other users. This data is also transmitted to Twitter.
8.10 We point out that, as providers of the sites, we have no knowledge of the content of the transmitted data or of how it is used by Twitter.
8.11 For more information, please see the privacy statement of Twitter at http://twitter.com/privacy.
8.12 You can modify your data protection settings on Twitter in the account settings at http://twitter.com/account/settings.
8.13 By using this Site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our Site. Continued use of the Site following any changes made to the policy is deemed to represent acceptance of these changes.
Privacy Statement for the use of Google’s reCAPTCHA
9. Opting “In” and “Out”
9.1 You can ask us or third parties to stop sending you marketing messages at any time.
9.2 Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us in order to receive service from us.
Data Breach Policy
1.1 Customuse holds Personal Data about our users, volunteers, clients, suppliers and other individuals for a variety of business purposes. We understand that this data is a valuable asset that requires protection, and we are fully committed to providing that protection from both accidental and deliberate data protection breaches.
1.2 The compromise of this data may result in harm to individuals, reputational damage, detrimental effect on service provision, legislative non-compliance, and/or financial costs.
2. Purpose of Policy
2.1 Following the coming into force of the General Data Protection Regulation (GDPR) on 18.05.2018, we are required to have in place a framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility. This includes notification to the Information Commissioner’s Office (ICO) and sometimes to affected data subjects.
2.2 The purpose of this policy is to outline Customuse’s internal breach reporting procedure and our internal and external response plan. It should be read in conjunction with our data protection policy.
2.3 This policy must be read and understood by all staff.
3.1 For the purpose of this policy, data security breaches include both confirmed and suspected incidents.
3.2 A data breach is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and cause damage to Customuse’s information assets and/or reputation.
3.2.1 This includes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3.3 Data breaches may be caused by human error:
3.3.1 Loss of computing devices (portable or otherwise), data storage devices (e.g. USB sticks), or paper records containing personal data;
3.3.2 Disclosing data to a wrong recipient;
3.3.3 Handling data in an unauthorised way (e.g. downloading a local copy of personal data);
3.3.4 Unauthorised access or disclosure of personal data by volunteers (e.g. sharing an email login);
3.3.5 Improper disposal of personal data (e.g. hard disk, storage media, or paper documents containing personal data sold or discarded before data is properly deleted).
3.4 Data breaches may be caused by malicious third parties:
3.4.1 Hacking incidents through which access is gained to Customuse databases containing personal data;
3.4.2 Theft of computing devices (portable or otherwise), data storage devices, or paper records containing personal data;
3.4.3 Blagging scams that deceive Customuse volunteers into releasing personal data of individuals;
3.4.4 Website defacement.
3.5 Data breaches may be caused by computer system errors:
3.5.1 Errors or bugs in Customuse’s website or email;
3.5.2 Failure of cloud services, cloud computing, or cloud storage (e.g. Google Drive/Dropbox), or security/authentication systems.
3.6 Data breaches may be caused by unforeseeable events outside of Customuse’s control:
3.6.1 Natural disasters such as floods, earthquakes, fires;
3.6.2 War or other armed conflict.
4. Breach Register
4.1 Customuse will maintain a register of all suspected or confirmed breaches, regardless of whether they are reported to the ICO.
4.2 The register will contain the following information:
4.2.1 The facts relating to the breach, including the cause of the breach, what happened and what personal data were affected;
4.2.2 The effects of the breach;
4.2.3 The response taken by Customuse.
5. Reporting a Breach
5.1 All volunteers must report actual or potential data protection compliance failures to the Director and Data Protection Officer (Artur Safaryan).
5.2 Volunteers ought to retain any evidence in relation to the breach and provide an Incident Report Form setting out any relevant information relating to the actual or suspected personal data breach, including:
5.2.1 Name, team and contact details;
5.2.2 Date of the confirmed or suspected breach;
5.2.3 Date of discovery of the confirmed or suspected breach;
5.2.4 Date of Incident Report Form;
5.2.5 Factual summary relating to the confirmed or suspected breach, including the types and amount of personal data involved;
5.2.6 Any information or evidence as to the cause of the confirmed or suspected breach;
5.2.7 Any steps taken to remedy the breach, and whether or not the breach is resolved or ongoing;
5.2.8 Any information or evidence as to who was affected by the breach.
5.3 All volunteers reporting data breaches should keep the incident internal. Customuse will investigate and assess the confirmed or suspected personal data breach in accordance with the response plan set out below and determine who should be notified and how.
6. Response Plan
6.1 The DPO will assemble a team to investigate, manage and respond to the personal data breach. The response team will:
6.1.1 Make an urgent preliminary assessment of the breach – is the breach resolved or ongoing; what data has been lost and how;
6.1.2 Take immediate steps to contain the breach and recover any lost data:
6.1.2.1 Shut down the compromised system that led to the data breach;
6.1.2.2 Take steps to recover lost data and limit any damage caused (e.g. remotely formatting a lost phone);
6.1.2.3 Prevent further unauthorised access to the system;
6.1.2.4 Reset passwords if accounts and/or passwords have been compromised;
6.1.2.5 Isolate the causes of the data breach in the system, and where applicable, change the access rights to the compromised system and remove external connections to the system.
6.1.3 Undertake a full and detailed assessment of the breach;
6.1.3.1 How many people were affected?
6.1.3.2 Whose personal data had been breached?
6.1.3.3 What types of personal data were involved?
6.1.3.4 What are the consequences of the breach for the data subjects?
6.1.3.5 Are any additional measures in place or required to minimise the impact of a data breach (e.g. data encryption)?
6.1.4 Record the breach in Customuse’s data breach register;
6.1.5 Put in place any further measures to address it and mitigate its possible adverse effects, and to prevent future breaches.
7. Notification to the ICO
7.1 Article 33(1) GDPR requires notification of the breach to the ICO within 72 hours of having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
7.2 Customuse fully endeavours to meet the 72-hour deadline, and where impossible, will provide adequate reasons for delay.
7.3 A decision to report will be made on a case-by-case basis, involving the following non-exhaustive list of considerations:
7.3.1 Whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms under Article 33 GDPR, such as:
7.3.1.1 Loss of control over their data;
7.3.1.2 Limitation of their rights;
7.3.1.3 Identity theft;
7.3.1.4 Reputational damage;
7.3.1.5 Financial loss;
7.3.1.6 Loss of confidentiality;
7.3.1.7 Any other significant economic or social disadvantage.
7.3.2 Whether notification would assist the data subjects affected (e.g. could they act on the information to mitigate risks?);
7.3.3 Whether notification would help prevent the unauthorised or unlawful use of personal data;
7.3.4 Whether there are any legal/contractual notification requirements.
7.4 Where a breach is reportable, Customuse’s report will include:
7.4.1 The nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
7.4.2 The name and contact details of Customuse’s Director and DPO in case more information needs to be obtained;
7.4.3 The likely consequences of the personal data breach;
7.4.4 The measures taken or proposed to be taken by Customuse to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8. Notification to Affected Data Subjects
8.1 When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Customuse shall communicate the personal data breach to the data subject(s) without undue delay in clear and plain language.
8.2 The communication will include:
8.2.1 A description of the nature of the breach;
8.2.2 The name and contact details of Customuse’s DPO;
8.2.3 A description of the likely consequences of the breach;
8.2.4 A description of the measures taken, or to be taken, by Customuse to address the breach and mitigate its possible adverse effects.
8.3 Customuse will also provide practical advice on damage control e.g. cancelling credit cards or resetting passwords.
8.4 Communication will be made by email, except where this is unknown or would involve disproportionate effort on Customuse’s part, in which case a visible notice will be put up on Customuse’s website (www.customuse.com).
8.5 Customuse is not required to notify affected data subjects where:
8.5.1 Customuse has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
8.5.2 Customuse has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
9. Policy Review and Evaluation
9.1 This policy will be updated as necessary to reflect best practice and to ensure compliance with any changes or amendments to relevant legislation.
9.2 This policy was last reviewed on 26 November 2020.