Your privacy is important!
Latest Revision July 20, 2018
Superseding the Data Protection Directive, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union. Business processes that handle personal data must be built with privacy by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymization, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done on a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data’s owner. The business must allow this permission to be withdrawn at any time.
- THE LAWFUL BASIS FOR PROCESSING
Data may not be processed unless there is at least one lawful basis to do so:
- The data subject has given consent to the processing of personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular, if the data subject is a child.
If consent is used as the lawful basis for processing, consent must be explicit for data collected and the purposes data is used for (Article 7; defined in Article 4). Consent for children must be given by the child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.
The area of GDPR consent has a number of implications for businesses that record calls as a matter of practice. The typical “calls are recorded for training and security purposes” warnings will no longer be sufficient to gain assumed consent to record calls. Additionally, when recording has commenced, should the caller withdraw their consent, the agent receiving the call must be able to stop a previously started recording and ensure the recording does not get stored.
- DATA PROTECTION BY DESIGN AND BY DEFAULT
Article 25 requires data protection to be designed into the development of business processes for products and services. Privacy settings must, therefore, be set at a high level by default, and technical and procedural measures should be taken by the controller to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation. Controllers should also implement mechanisms to ensure that personal data is not processed unless necessary for each specific purpose.
- RIGHT TO ERASURE
Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including noncompliance with Article 6(1) (lawfulness), which includes case (f), where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data. A processor of personal data must clearly disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any third parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Our data protection officer (DPO) is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
- RECORDS OF PROCESSING ACTIVITIES
Cryo North Studios Inc. agrees that records of processing activities must be maintained that include purposes of the processing, categories involved and envisaged time limits. The records must be made available to the supervisory authority on request (Article 30).
- DATA PROTECTION OFFICER
Cryo North Studios Inc. may employ personnel to manage IT processes, data security (including dealing with cyber attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations. The controller’s core activities consist of processing operations that require regular and systematic monitoring of the data subjects, and processing on a large scale of special categories of data pursuant to Article 9. Personal expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this regulation.
- DATA BREACHES
Under the GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals. Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33).
However, the notice to data subjects is not required if the data controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption (Article 34).
- WHAT PERSONAL INFORMATION DOES CRYO NORTH STUDIOS INC. COLLECT
- Member Registration
If you decide to register on our site, there will be certain information you must provide such as your legal name, e-mail address, gender, and a unique login name, and password to confirm your new member registration using the Cryo North Studios Inc. Service.
- Transaction Information
Cryo North Studios Inc. is a tabletop game design and publishing company. The purchase of games includes the collection of credit card information. We do not store any credit card information you provide. We do store the history of purchases.
- Collection and Processing
Data controllers may collect and process personal data when any of the following conditions are met:
For collecting personal data: Pursuant to the Web, a data controller may only collect personal data if he has a purpose for this. The purpose must be:
- Explicit; and
A data controller may not collect data if he has not clearly specified the purpose.
For processing personal data:
- The data subject has unambiguously given his prior consent thereto; or
- The processing is necessary for the performance of a contract to which the data subject is a party; or
- The processing is necessary in order to comply with a legal obligation to which the data controller is subject; or
- The transfer is necessary in order to protect the vital interests of the data subject; or
- The transfer is necessary or legally required in order to protect an important public interest; or
- The processing is necessary for upholding the legitimate interests of the data controller or of a third party to whom the data is supplied, except where the interests or fundamental rights and freedoms of the data subject, in particular, the right to protection of individual privacy, prevail.
In addition, personal data may not be further processed in a way incompatible with the purposes for which the data were collected. Whether further processing is incompatible depends on different circumstances, such as:
- The relationship between the purpose of the intended processing and the purposes for which the data originally was obtained;
- The nature of the data concerned;
- The consequences of the intended processing for the data subject;
- The manner in which the data have been obtained;
- The extent to which appropriate guarantees have been put in place with respect to the data subject;
Also, personal data may only be processed, where, given the purposes for which they are collected or subsequently processed, they are adequate, relevant and not excessive.
- INFORMATION WE MAY SHARE
We WILL NOT share your Personal data; we do share aggregate non-personal data with third parties without notice to you under certain circumstances. Finally, the Web sets out strict rules in relation to sensitive data. The main rule is that such data may not be processed unless the data subject has given its explicit consent to it.
- Website Providers
When we engage a Website provider to perform certain business-related functions, we only provide them with the information that they need to perform their specific function.
- Legal Requirements
If we are required to do so by law, court order, as requested by other government or law enforcement authority, or in the good faith belief that disclosure is necessary or advisable including, without limitation, to protect the rights or properties of Cryo North Studios Inc.
- Business Transfers
In the case of a corporate sale, asset sale, merger, reorganization, dissolution, or similar event, we may share your information with new business partners. Personal Information and Non-Personal Information may be part of the assets that are transferred.
- Aggregated Information
We may aggregate your Personal and Non-Personal Information and provide it to our existing or potential business partners, sponsors, advertisers, or other third parties, in response to a government request for lawful purposes.
We may disclose Personal Information to third party marketers (who may combine such Personal Information with their records, and files available from other sources), for their direct marketing purposes.
- HOW ARE COOKIES USED ON THE CRYO NORTH STUDIOS INC. WEBSITE?
A “cookie” is a small piece of data that a site transmits to your browser that helps our site remember information about you and your preferences. This helps us to identify you to a site when you revisit it, to load your preferences, and to track the pages you have visited.
Session data: Session data is generic information that we automatically track during your time or session on our website. The information can include your individual IP address and your OS and browser software information, and the activities performed by the user while using the Avrljean.com Service. Why do we collect your session data information? We receive this information as it helps us analyze critical data such as which subjects visitors are most likely to click on, how many persons are clicking on multiple pages on the site, how long they are staying and how often they are visiting. It also helps us diagnose problems with our servers and lets us better administer our systems. We only access these tools so users can share our information through their social media feeds.
- THIRD PARTY SERVICES
10.1 Advertising Data Collected by Third Party Vendors
The advertisements you see on the Cryo North Studios Inc. Service are served by us or by third-party vendors. We allow third-party vendors to collect data about your online sessions through cookies and other technologies. We won’t allow these third parties to collect personal data about you via the advertisements they serve on the Cryo North Studios Inc. service. The data gathered by these third parties is used to make predictions about you, your interests, or preferences and to display advertisements on Cryo North Studios.
10.2 Third Party Disclaimers
- THIRD PARTY PLUGINS
Our website uses Social Plugins (“Plugins”). We use the social network, facebook.com, which is operated by Facebook Inc.; the plugins are identifiable by one of the Facebook logos (white “f” on a blue background or a “thumbs-up” sign) or are identified by the phrase “Facebook Social Plugin”. You may sign in to our site using your Facebook account. http://www.facebook.com/policy.php.
- ADVERTISING DATA COLLECTED BY US
We may, directly or indirectly through Website Providers, serve personalized advertisements for products, websites, and programs when you visit our Site. Your Personal Information and generic Information is combined and compared with other user information and databases for marketing or advertising purposes. You may opt out of the tailoring of advertising based on information we collect.
Cryo North Studios Inc. is dedicated to providing you with pertinent content and data. To do this, we may, through cookies and other technologies, gather information about your searches. The data collected is used to display ads to you on our website or elsewhere online that match your apparent interests. We use this data, combined with other data we have collected, to display advertisements to you on our website that match your apparent interests.
- ADVERTISING DATA COLLECTED BY THIRD PARTY VENDORS
The advertisements you see on the Cryo North Studios Inc. service are served by us or by third-party vendors. We allow third-party vendors to collect data about your online sessions through cookies and other means. We do not permit these third parties to collect personal data about you via the advertisements they serve on the Cryo North Studios Inc. service. The data gathered by these third parties is used to make predictions about you, your interests, or preferences and to display advertisements on Cryo North Studios.
- WITH WHOM WILL MY PERSONAL INFORMATION BE SHARED?
We use third-party vendors to provide the services and technology that make up the Cryo North Studios Inc. service. Cryo North Studios Inc. provides these third parties with access to personal information specifically for use in connection with providing such services and techniques. We may at times use third parties to act on our behalf for projects such as market-research surveys, or will contract with third parties to provide co-branded products. The information we provide is protected by confidentiality agreements and is to be used solely for the purpose(s) permitted by such agreements.
We use non-personal data in the generic form to build quality, beneficial, online services. We perform statistical analyses of the overall characteristics and behavior patterns of our customers. We may also provide non-personal information in aggregate form to third parties who provide a portion of the services and technology that make up the Cryo North Studios Inc. service so they can optimize, maintain, support, and improve the Cryo North Studios Inc. service.
- HOW CAN I UPDATE OR CORRECT MY PERSONAL INFORMATION?
Your personal profile, which includes member registration and policy information, can be updated through “My Account” on the www.cryonorthstudio.com home page. Because of the way we store information, after you update your information or request that your account is deactivated for marketing purposes, residual copies of your information may remain in our active servers for a period and may remain in our backup systems. Information may also be retained as required by law or for legitimate business purposes.
- SAFEGUARDS IN PLACE TO PROTECT MY DATA?
While no website can promise complete security, we have incorporated the latest technical and physical security procedures designed to protect your personal data. Only authorized personnel are permitted to access personal data, and they may only do so for permitted business functions. Also, we use encryption when transmitting your private data between systems. We employ firewalls and intrusion detection systems to help prevent unauthorized persons from gaining access to your information.
- TRANSFER OF YOUR PERSONAL DATA
Transfer of a data subject’s personal data to non-EU/European Economic Area countries is allowed if the countries provide “adequate protection”. For transfer of data to the United States, companies that adhere to the US/EU Safe Harbor principles are deemed to offer adequate protection.
Data controllers may transfer personal data out of the European Economic Area to countries which are not deemed to offer adequate protection if any of the following exceptions apply:
- The data subject has unambiguously given its consent thereto; or
- The transfer is necessary for the performance of the contract between the data controller and the data subject; or
- The transfer is necessary for respect of an important public interest, or for the establishment, exercise or defense in the law of any right.
You can control your privacy preferences regarding email. You may update these preferences at any time.
You may opt-out of receiving promotional emails from us regarding new features, Website, and special offers when registering for an account by unchecking the box that asks whether you would like to receive e-mail updates.
You may unsubscribe from receiving promotional e-mails of certain types at any time by using the Unsubscribe page on our Site. You may also opt-out from promotional emails from us by calling Customer Care.
- CONTACTING US
We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained. If you have any questions about our privacy practices or this Policy, please contact us at Customer Service Support or email us.