1. Policy statement
1.2 mGage strives to collect, use, protect and disclose Your Personal Information in a manner consistent with the Applicable Laws of the countries in which we do business; including the specific laws of the European Union.
1.4 STATEMENT OF COMPLIANCE WITH PRIVACY SHIELD
This Policy establishes and maintains an adequate level of Personal Information, including HR Data, privacy protection when Personal Information is sent from the European Union to the United States of America. This Policy applies to the processing of Personal Information that mGage obtains from Customers, current and past employees as well as prospective employees located in the European Union.
mGage complies with the US-EU Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of Personal Information from You (Customer, employees and prospective employees) in the European Union member countries. mGage has certified that it adheres to the Privacy Shield Privacy Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. If there is any conflict between the policies in this Policy and the Privacy Shield Privacy Principles, the Privacy Shield Privacy Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/welcome.
The Federal Trade Commission (FTC) has jurisdiction over mGage’s compliance with Privacy Shield.
2.1 “Applicable Laws” means any legal safeguards applicable in the relevant jurisdictions, including those specified in the UK Data Protection Act 1998, the European Directive 95/46/EC (or any subsequent EU Directive as applicable from time to time) and other regulations as might be applicable from time to time.
2.2 “Customer” means an individual customer or client of mGage. The term also includes any representative, supplier, contractor or any third party and employee where mGage has obtained his or her Personal Information from such Customer as part of its interaction with mGage either as a part of a business relationship or use of its systems.
2.3 “Data Controllers” or “Controls” are the people who or organisations and processes which determine the purposes for which, and the manner in which, any Personal Information is processed. We are the Data Controller of all personal data used in our business for our own commercial purposes. We are not the Data Controller for Your Personal Information that we process as part of You using a service provided by a customer of Ours.
2.4 “Europe” or “European” refers to a country in the European Union.
2.5 “HR Data” means any Personal Information collected by Us in the context of Your employment (past or present) with Us and including any information collected when You apply for a job at mGage. Unless specified otherwise herein, the principles contained in this policy apply equally to Personal Information collected for HR and non-HR purposes.
2.6 “Personal Information” or “Personal Data” is information about you that is personally identifiable to you, such as your name, address, e-mail address, phone number, past transactional behaviour, information about your devices and other non-public information that is associated with the foregoing. For certain services, we also collect credit card or payment account information.
2.7 “Processing” or “Process” or “Processor” is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Information to third parties. We are the Data Processor for any of Your Personal Information collected by a Customer of Ours and used by You to access the services provided by Our Customer.
2.8 “Sensitive Personal Information” includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive Personal Information can only be processed under strict conditions, including a condition requiring the express permission of the person concerned. mGage may process some Sensitive Personal Information regarding You which have been collected by the Data Controller.
2.9 “Third Party” means any individual or entity that is neither Us nor an employee, contractor or representative of Ours.
2.10 “mGage”, “We”, “Us”, “Our” means mGage LLC, its affiliates and subsidiaries as well as Vivial Media LLC.
3. Choice and how to unsubscribe
mGage as Data Controller – Marketing by mGage of mGage Services
Should you decide stop receiving email communications or newsletters from Us, You will have the opportunity to “opt-out” by following the unsubscribe instructions provided in the email. If at anytime You wish to unsubscribe from any communication from Us, You may do so by contacting Us at firstname.lastname@example.org.
From time to time, we may contact You to offer you products or services which we believe may be valuable to you. Should you prefer not to receive such calls, please advise the representative who contacts You.
mGage as Data Processor
mGage is not responsible for the collection of Your consent to use Your Personal Information when acting as a Data Processor. For any query relating to your choice regarding Your Personal Information, please contact directly Your provider of services.
For Premium and Direct Billing Services: mGage holds information relating to Your instruction to SUBSCRIBE and UNSUBSCRIBE to the service provided by Your service provider. If you have subscribed to a messaging services, you may unsubscribe either via text only by sending the correct instruction.
For mGage’s Communicate Pro platform, mGage provides Software As A Service solutions; whereby Our Customers can create and manage digital marketing campaigns. The Customer (and Your provider of service) is responsible for the set up (including choice and consent options) of this service. Please contact Your service provider directly should You have any query relating to the management of Your Personal Information by Your service provider.
mGage as Data Controller – HR Data – mGage does not use HR Data for non-employment related activity.
mGage may aggregate HR Data for statistical reporting where such HR Data has been anonymised. You will not be informed when or if mGage complies such statistical reports.
4. Data Integrity and Purpose Limitation
4.1 PURPOSE LIMITATION – We are committed to processing Your Personal Information fairly and lawfully. We process Personal Information that (i) We collect directly from our Customers and (ii) that We collect from Our Customers in Our role as a service provider for the following business purposes, without limitation:
- Maintaining and supporting Our products, delivering and providing the requested products/services, and complying without contractual obligations related thereto (including managing transactions, reporting, invoices, renewals and other operations related to providing services to Customer);
- Storing and processing data, including Personal Information, in computer databases and servers located in the United States and elsewhere in the world;
- Verifying identity and age requirements;
- And as otherwise required by Applicable Laws.
We may transfer any of Your Personal Data to a country outside the European Economic Area (“EEA”), provided that one of the following conditions applies:
(a) The country to which Your Personal Information is transferred ensures an adequate level of protection and You have given Your consent; or
(b) The transfer is necessary for one of the reasons set out in Applicable Law including on important public interest grounds or for the establishment, exercise or defence of legal claims; or
(c) The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of Your Personal Information; or
(d) Other countries pursuant to mGage’s service offering pursuant to our service contract.
4.2 DATA ACCURACY – Where mGage is the Data Processor, We are not responsible for maintaining the accuracy of your Personal Information. Please contact Your service provider for further information regarding the accuracy of Your Personal Information.
4.3. Where mGage is the Data Controller, the accuracy of the Personal Information we hold is maintained in near real-time within certain third party licensed software systems Your HR file is kept up to date in real-time basis.
4.4 mGAGE MOBILE USER INFORMATION
As part of mGage’s services, we may receive information from wireless carriers, operators, or our clients, such as an end user’s mobile phone number. In some limited instances, additional information such as a user’s geographic location, a personal identification number (PIN), or a mailing address is also provided. Additionally, we process message content from our clients which may contain personal information on behalf of a mobile end user. mGage does not create this content nor is it responsible for the content sent or received by our clients or any end user; we are simply the passive conduit through which the content is sent. Regardless, our agreements with our clients ensure that the client has the ultimate responsibility to obtain any and all required “opt-ins” or other consent(s) from end users prior to such information being sent. Any mobile user information collected pursuant to the above is governed by this Policy as well as mGage’s internal policies regarding confidential and personally identifiable information. We also include specific provisions in the contracts with our clients to ensure that responsibility for compliance-related obligations and message content is within their control. If you have questions or would like more information, please contact privacy@mGage.com.
mGage acting as Data Controller – mGage marketing its products
When We collect Personal Information directly from You, We make available a description of:
(a) The purpose(s) for which we intend to collect and/or process Your Personal Information.
(b) The types of third parties, with which We will share/disclose Your Personal Information.
(c) How You can limit our use and disclosure of Your Personal Information.
mGage acting as a Data Controller – HR Data – mGage does not use non-HR Data for non-employment activity. mGage reserves the right, without any further notice to You, to transfer Your Personal Information for occasional employment-related operational needs, such as booking flights, hotel rooms, insurance coverage, internal audit purposes, and the like.
mGage acting as a Data Processor
In instances where mGage acts as the Data Processor, the relevant data privacy and consent notices must be provided by Your service provider.
We are committed to protecting the privacy of minors. Some of the services provided by Our Customers are not designed or intended to attract minors and We carry age check verification.
6. Recourse, Enforcement and Data security
6.1 Data Security – Your Personal Information is processed in accordance with our Data Security Policy. We are committed to protecting the security of Your Personal Information. We have adopted commercially reasonable security measures consistent with industry practice that are designed to assist in protecting against the loss, misuse and alteration of Your Personal Information which We process. As you know, no security system or system of transmitting data be guaranteed to be 100% secure.
6.2 Internal Recourse – The Data Protection Officer is responsible for ensuring compliance with Applicable Law and with this Policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Officer at the following address: email@example.com or via post at to the attention of the Data Protection Officer, mGage Europe Ltd, 11 York Road, Tower Building, SE1 7NX London, United Kingdom (+44 207 633 5000).
6.3 Independent Recourse Mechanism – For Personal Information sent from the EU, we commit to cooperate the relevant Data Protection Authority and comply with the advice given by the Information Commissioner representing the relevant Data Protection Authority with regards to Personal Information transferred from the European Union in the context of the provision of Our services or in the context of Your employment with Us.. For the United Kingdom, we commit to cooperate with the information Commissioner’s Office (ICO) and comply with the advice given by the Information Commissioner.
6.4 Binding arbitration – Privacy Shield – You have the possibility to invoke arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. You may find further information about the conditions in which You can invoke binding arbitration at the following address: https://www.privacyshield.gov/article?id=ANNEX-I-introduction
7. Accountability for onward transfer
7.1 Whether we act as a Data Controller or a Data Processor, Personal Information We hold may be processed by Our employees, contractors or representatives or Third Party organisations operating outside of the jurisdiction where You reside; including outside of the EEA. Third Parties may either work for Us or for one of Our suppliers. Your Personal Information may be stored in the facilities operated by Third Parties outside of the EEA.
7.2 Onward transfer is limited to the minimum required for Us and may include, among other things, the fulfilment of Our contractual obligations, the processing of payment details and the provision of support and customer care services.
7.3 As part of our processes, Third Parties must agree to process Your Personal Information in compliance with the Privacy Shield Principles or agree to provide adequate protections for Your Personal Information that are no less protective than those set out in this policy.
7.4 We shall remain primarily liable for the manner in which Your Personal Information is managed regarding data protection pursuant to this policy.
7.5 We do not carry out any onward transfer of Your HR Data outside of the EEA.
8. Disclosure and limitation on application of principles
8.1 We may share Personal data we hold with any member of Our group, which means Our subsidiaries, Our ultimate holding company and its subsidiaries.
8.2 We may be required to disclose your Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements of the countries in which we operate.
8.3 You may choose to directly disclose Personal Information through public message boards available. Information shared on the message boards will be accessible to the general public and Your information may be collected and used by others.
9. Dealing with subject access requests
9.1 When mGage is the Controller of your Personal Information – You may request, correct, update, suppress or otherwise modify any of Your Personal Information or object to the use or processing of such Personal Information by Us. You must do so via a formal request by writing to Us at firstname.lastname@example.org.
For HR Data, You can write to Us either at email@example.com or contact Your HR representative. You will be given a right to consult Your HR file in the office and in the presence of Your HR representative.
9.2 Although mGage makes good faith efforts in providing You with access to Your Personal Information, We reserve the right to limit or deny such access where (i) the burden or expense of providing access would be disproportionate to the risks to Your privacy; (ii) where the legitimate rights of any third party would be violated as a result of Your request or (iii) where granting full access would reveal confidential information or breach a legal or other professional obligation or where doing so is otherwise consistent with the Privacy Shield Principles.
In addition, for HR Data, we reserve the right to restrict Your access including in cases where providing access would (i) prejudice an employee security investigation or (internal or external) grievance proceedings or in connection with employee succession planning or corporate re-organisation; (ii) prejudice the confidentiality necessary in monitoring, inspecting or running any regulatory function connected with sound management or, (iii) in future or ongoing negotiations involving the organisation.
9.3 Where mGage is the data Processor, then mGage is not in a position to respond to Your access request. We will pass Your request onto the relevant Data Controller.
10. Changes to this policy
10.2 We have designated the Operations Department to oversee Our information security program, including its compliance with EU Privacy Shield program. The Operations team shall review and approve changes to this program as necessary. Each head of Department is responsible for keeping their data flow and purpose policy up to date. We have designated the Legal Department to oversee regulatory changes that may affect this Policy. Any questions, concerns or comments regarding this Policy also may be directed at firstname.lastname@example.org.
11. Responsibility and management
11.1 RESPONSIBILITY – All Our employees who handle Personal Information are required to comply with this Policy; any breach of this policy may result in disciplinary sanctions.
11.2 All Third Parties handling Personal Information are obliged to comply with this Policy when processing Personal Information on Our behalf. Any actual breach of this policy may result in contractual or legal action.
11.3 CONTACT DETAILS – You can contact Our Data Protection Officer at: email@example.com.
11.4 ONGOING VERIFICATION – We will renew Our EU Privacy Shield certifications annually, unless We subsequently determine We no longer need such certification or if We employ a different adequacy mechanism.
Prior to recertification We will conduct an in-house verification to ensure that Our attestations and assertions with regard to Our treatment of your Personal Information are accurate and that We have adequately implemented and maintained these practices.