PRIVACY POLICY
Last update: August 10th 2020
Introduction – Scope
Welcome to the website https://chemicalsafety.com (hereinafter “Website”) of the company under the name “SFS Chemical Safety Inc.”, which is incorporated in California, USA (5901 Christie Ave. Suite 502, Emeryville, CA 94608, USA) and with its EU Representative in Greece, based in 1, Lampsa St, Athens, Greece, 115 24 (hereinafter “Chemical Safety”, “Company”, “us” or “we”).
This Policy governs the management practices of Personal Data and information of natural persons (hereinafter “Data Subjects”) who either visit our Website individually on their own initiative or use our Service and/or interact with the Company within a contractual context.
This Policy explains how we collect, process and protect Data Subjects’ information as part of the Service provided, in compliance with the applicable European regulatory framework for privacy and the protection of Personal Data, and in particular, Regulation (EU) 2016/679, also known as General Data Protection Regulation (GDPR), European Directive 2002/58/EC (e-Privacy Directive), as applicable, including the relevant decisions of national and European courts, as well as the relevant Guidelines and decisions of the competent supervisory authorities and the European Data Protection Board, hereinafter collectively referred to as “Applicable Legislation”. Any reference to the use of the Service in this Policy includes visits and other interactions with our Website, as well as users of our related websites and help desk platform, tools and services offered by Chemical Safety (“Service”).
By accessing and using the Service, you declare your acceptance of the terms of this Policy. If you do not agree or are not familiar with any aspect of this Policy or the Terms and Conditions of Use of Service, you should immediately discontinue access to or use of our Service.
1. Relationship with Data Subjects
1.1. As Controller: The Company acts as Controller, when pursuing its own purposes, processes the Personal Data of the following Data Subject Categories
- Company’s employees and job applicants;
- Physical persons that interact with our Website, mobile application and social media;
- Physical persons interested to our Service.
1.2. As Processor: Chemical Safety acts as Processor, when Personal Data of certain Data Subject Categories are been processed in terms of the execution of a contract with our clients (legal entities), such us:
- Client’s personnel;
- Client’s consumers and/or client’s service end-users;
- Client’s third parties, vendors, contractors who are physical persons.
2. Data Protection Principles
Chemical Safety is committed to processing Personal Data in compliance with Applicable Legislation and in accordance with the principles below. The Company’s commitment to privacy rests on these principles.
A. Lawfulness, Fairness and Transparency
A.1 Chemical Safety’s employees and certain contract personnel who process Personal Data (“Covered Persons”) must process Personal Data lawfully, fairly and in a transparent manner.
A.2 All Personal Data must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
A.3 Data Subjects whose Personal Data is processed, must be notified in accordance with Applicable Legislation, and the Privacy Notice must include a description of the Personal Data Processed, how the Personal Data will be processed and the persons and entities with whom the Personal Data will be shared. In addition, where required by Applicable Legislation, consent must be obtained prior to the processing of Personal Data. Evidence of such consent shall be kept.
A.4 Where communications are sent to individuals based on their consent, the option for the individual to withdraw their consent should be clearly available and systems should be in place to ensure such withdrawal is reflected accurately in Chemical Safety’s systems.
B. Limitation of Data Collection and Storage
B.1 Covered Persons must only process Personal Data if it is relevant and limited to what is necessary in relation to the legitimate purposes specified in the Privacy Notice provided to Data Subjects. Personal Data must not be processed in a manner that is incompatible with those purposes. If Personal Data is used for a purpose other than that for which it originally was collected, the affected Data Subjects must be notified. In the case of Special Categories of Personal Data, prior consent for a new purpose must be obtained.
B.2 Covered Persons must not maintain Personal Data longer than is necessary for the purposes for which it is processed. Personal Data may be retained for longer periods for purposes of complying with legal requirements, archiving in the public interest, or scientific, historical research or statistical purposes, subject to implementation of appropriate technical and organizational measures to safeguard that Personal Data.
C. Data Integrity
C.1 Covered Persons must keep Personal Data accurate and up to date. Reasonable steps must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
D. Security
D.1 Covered Persons must take reasonable precautions, taking into consideration the risks to the rights of Data Subjects, to protect Personal Data from loss, misuse, unlawful processing, unauthorized access and disclosure, alteration and destruction.
D.2 Chemical Safety shall maintain a data breach response plan. According to this plan, in the event of a breach of security, Chemical Safety shall promptly assess the risk to Data Subjects’ rights and freedoms and if necessary, address without undue delay and in compliance with Applicable Legislation, incidents in which Personal Data may have been lost, stolen or disclosed without authorization to the competent data protection authority and the affected Data Subjects.
3. Categories of Personal Data Collected and Processed
Chemical Safety may collect various Categories of Personal Data that physical persons voluntarily provide to us during their interaction with the Website and our Service. The Personal Data we collect depends on the context of the interactions with us and/or our Service and/or our digital means (website, mobile application, social media). In summary, the Company collects the following data and information, voluntarily disclosed to us:
- Identification/authentication and communication data: full name and ID/passport number, postal address, telephone number, email address, user ID and password.
- Banking and Billing information: Bank account, Postal billing address and VAT number (Tax ID).
- Employees’ information: Role and responsibilities, employment and academic details, as well as all necessary information for the execution of the contract as per applicable legislation (only for Company’s employees or job applicants).
- Other electronic identifiers: operating system, browser name and version, IP addresses and/or geolocation.
- Physical persons’ interaction with the Company and our Service: any voluntarily provided information, authentication data, security questions, public social media posts, user ID, click flow data and other data collected through cookies and similar technologies. Please read the Company’s Cookie Policy for more information.
4.Processing Purposes and Legal Basis
4.1. In respect and in compliance with the applicable legislation on Personal Data protection, Chemical Safety hereby provides the information about our purposes for the processing of Personal Data, as well as about the legal basis for such processing.Unless otherwise permitted by law, the Company may process the data and personal information provided to us for the following purposes:
Purpose of processing | Legal basis |
For network and information security purposes against malicious actions of third parties
We may process Personal Data in order to:
| Art. 6(1)(b) GDPR Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract. |
For the proper provision of our Service We shall process Personal Data to provide the chosen Service and perform the terms of an active contract. | Art. 6(1)(b) GDPR Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract. |
For communication purposes within the Service We may need to contact certain physical persons to provide information related to the provided Service and/or in the context of an interest expressed to our Service, to update about our Service, to notify of relevant security issues or updates, or to provide further relevant information. | Art. 6(1)(b) GDPR Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract. |
For ensuring quality control We process the data provided to us voluntarily for the quality control and training of our authorized personnel, to ensure that we continue to provide high quality Service. Without the measures of quality control, problems during the use of the Service may occur. Thus, quality control is necessary in order to address problems e.g. related to the uninterrupted operation of the Service. | Art. 6(1)(b) GDPR Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract. |
To facilitate access to the Service We process Subjects’ Personal Data according to their options on how to access the Service for the purpose of providing access to the Service according to their preferences. For instance, they can share part of their social media account information with us for their authentication in order to sign up or sign in to their account. Without this processing of their data, we may not be able to secure access to the Service. | Art. 6(1)(f) GDPR Processing is necessary for the purposes of the legitimate interests pursued by the Company. |
For research and development purposes We process the data provided to us to better understand Data Subjects’ use and interaction with the Service. For instance, interaction data can provide useful information that helps us measure, adapt, or improve the Service we offer. In addition, this information helps us significantly to develop new and improved Service to better serve them. | Art. 6(1)(f) GDPR Processing is necessary for the purposes of the legitimate interests pursued by the Company. |
For marketing purposes Subject to Data Subjects’ prior valid consent, we may process their data for advertising and commercial purposes (marketing), such as sending targeted advertising messages about our Service, promotional offers and events of the Company or its partners. The possibility to withdraw any consent for these purposes is easy and free of charge at any time. | Art. 6(1)(a) GDPR The processing shall be carried out with the valid consent of the Data Subject. |
4.2. In addition to these purposes, the Company may process all or part of Personal Data in order to comply with any obligations arising from a legal provision (Art.6(1)(c)GDPR) and/or in pursuit of further legitimate interests, such as the support and pursuit of the Company’s legal claims (Art.6(1)(f) (GDPR).
4.3. Chemical Safety is committed to using Personal Data solely for the above legitimate purposes or compatible ones.
5. Access to Personal Data
5.1. Access to Personal Data has only the Company’s authorized personnel and its partners, providing appropriate contractual guarantees. In certain cases, and to the extent necessary, we use third-party services, such as in payments, file storage and analytics. All these services comply with policies such as ours.
5.2. The Company carries out most of the data processing activities required to provide our Service on its own resources and authorized personnel. However, where appropriate and according to the needs that arise, we may collaborate with third party service providers for the proper function and support of our Service, including our suppliers in the following areas:
- Payment processing services
- Cloud storage services
- Customer support tools
- Product development tools
- IT and security service providers
- Marketing and analytics tools
5.3. To the extent possible, Chemical Safety is committed to act its best to control and bound each service provider by contractual obligations equivalent to or more stringent than our Policy.
6. International Transfers (outside EU/ EEA)
6.1. Chemical Safety uses approved data transfer mechanisms to transfer only necessary Personal Data to and from the United States and other jurisdictions outside the EU/EEA. The Company relies on Standard Contractual Clauses approved by the European Commission as a legal mechanism, where necessary, for any non-EU/EEA data transfers, to the extent that such transfers are made.
6.2. The Company recognizes that the Court of Justice of the European Union ruled in July 2020 (Schrems II decision) that certification under the EU-US Privacy Shield can no longer serve as an exclusive basis for guaranteeing an adequate and equal level of protection of Personal Data and equal to the EU level. In this context, where necessary, the Company shall make every effort to the extent possible to ensure further guarantees as to the level of protection of Personal Data by non-EU/EEA providers and in particular in the United States, by adopting the respective Standard Contractual Clauses approved by the European Commission.
6.3. For further information on the European Commission’s Standard Contractual Clauses, please address to https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
6.4. In case of conflict between the terms of the non-EU/EEA Providers Policy and this Policy, this Policy shall prevail.
7. Data Retention and Storage Period
Subjects’ Personal Data is stored only for the period of time required to fulfill the purposes for which the data was originally collected. Furthermore, the Company retains Subjects’ Data as long as necessary to comply with requirements of the law, including any legal, accounting or other obligations in order to resolve any disputes arising from its activities. Although retention requirements may be different in each case, we apply some standard retention periods for part of Subjects’ Personal Data, as described below:
- Contact information collected for marketing purposes, such as name and e-mail address, is kept on an ongoing basis until Data Subjects request to opt-out or withdraw any prior consent.
- Browser interaction data, such as data from cookies and related tracking technologies, is retained for the periods provided for in the Company’s applicable Cookie Policy or until the withdrawal of any prior consent.
- Data provided during the use or in the framework of the Service shall be kept for a period of five (5) years from the date of the last interaction of the Data Subjects or the termination of the contract between us accordingly, unless otherwise specified by law.
8. Security
We are committed to protecting the physical and digital security of Subjects’ Personal Data by implementing appropriate contractual, technical, and organisational measures. Indicatively, such measures are the following:
- Internal Policies and Procedures for the protection of Personal Data;
- Confidentiality and privacy clauses in contracts with our service providers and business partners;
- Event management and disaster recovery plan;
- Data recovery plan;
- Keeping backups;
- Classified access depending on the role of each user;
- Maintenance and regular upgrade of hardware and software and their security control;
- Periodic system and infrastructure security screening;
- Keeping backup copies;
- Encryption and pseudonymisation, such as SSL Protocol for credit card information or log in credentials.
9. Data Subject Rights
9.1. In accordance with Articles 15-22 GDPR , Data Subjects about whom Chemical Safety processes Personal Data, have the right to request access, rectification, erasure, restriction, objection, withdrawal of consent (to the extent that the legal basis of the processing is consent), portability of their Personal Data as well as not to be subject to automated processing, including profiling. Requests made by Data Subjects regarding their Personal Data must be forwarded to privacy@chemicalsafety.com.
9.2. In such cases, the Company will evaluate and respond accordingly to the request within one (1) month of the receipt of the request and after identification. In case the request is complex or there is a large number of requests, our Company has the right to extend the one-month period up to two (2) additional months, in compliance with the GDPR. Moreover, the Company may refuse to grant the request in whole or in part, only when this is possible in compliance with the Applicable Legislation.
9.3. Furthermore, in the event of the exercise of one or more of the above-mentioned rights to rectification, erasure and restriction of the Personal Data concerned, the requests may also be shared with any third party to whom the data may have been transferred in pursuit of the above-mentioned processing purposes.
9.4. In certain circumstances, the Company may refuse to respond to certain rights or requests in connection with the Personal Data. This may be the case when:
- Refusal of access is required or permitted by law;
- The provision of access would have a negative impact on the rights and freedom of third natural persons; or
- Where the request is manifestly unfounded or excessive.
9.5. The Data Subject has the right to contact the Greek Data Protection Authority (www.dpa.gr -> submission of a complaint) or any other competent supervisory authority concerned (further information here).
10. Updates
From time to time and according to our needs, we may update this Policy. The updated version of this Policy will be posted on the Website indicating the effective date of the latest version, which is the date of its posting on the Website. If we make significant changes to this Policy, we may notify Data Subjects either by posting a specific notice of these changes on the Website or by sending them a notice directly by e-mail to the address they have provided to us. In any case, we encourage all to frequently review this Policy for their reliable and timely information on how we process and protect their Personal Data.
Privacy Policy for EU Residents/ Entities
Under the Regulation (EC) 2016/679 – GDPR. Last update: August 10th 2020