DATA PRIVACY STATEMENT Gamified Assessment Tool

DATA PROCESSOR INFORMATION

This statement informs you of the types of personal data we obtain when you use our service and how we process them.

When using the platform, AO Kaspersky Lab, located at address: 39A/3 Leningradskoe Shosse, Moscow 125212, Russian Federation (“Kaspersky” or “we”) is the data handler and act as the data processor e.g. by providing the service to the customer – your data controller. The following information concerns the data processing for which Kaspersky acts as the data processor. Please refer to the specific sections below and, for further information, to the relevant data privacy statement of the according data controller. If you have any questions regarding the processing of your personal information by Kaspersky as the data processor, please contact our Kaspersky EU representative via e-mail or phone: Kaspersky Labs GmbH, Despag-Strasse 3, 85055 Ingolstadt, Germany, dpo@kaspersky.com.

YOUR PERSONAL DATA – WHAT IS IT?

Personal data relates to a natural person who can be identified from that data. Identification can be by the information alone or in conjunction with any other information. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

WHY WE PROCESS YOUR PERSONAL DATA

As a processor on behalf of your data controller, we use the personal data for providing a service, namely, Gamified Assessment Tool (GAT).

THE CATEGORIES OF PERSONAL DATA

As a processor on behalf of your controller we process the following categories of your data:

• First Name
• Last Name
• Email address
• Telephone number
• Static IP address
• Company Name

As a data processor on behalf of your controller we have obtained the personal data from your data controller - service customer.

WHAT IS OUR LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

Our lawful basis for processing your personal data:

• Processing for the purposes of the legitimate interests. In these cases, we are under contractual obligations to process your personal data for customer – your data controller and our legitimate interests lie in providing with a service.
• Processing necessary for compliance with a legal obligation.

SHARING YOUR PERSONAL DATA

We may disclose your personal data as follows:

• Sub-Processors: Service providers which we use in accordance with and subject to the instructions of your data controller for the provision of certain services e.g. providers of IT services. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose.
• Public bodies: Authorities and state institutions, such as public prosecutors' offices, courts or tax authorities, to which we may have to transmit personal data in individual cases.

The personal data will be treated as strictly confidential and will only be shared with Service Providers that provide us with IT and system administration services.

TRANSFER OF DATA ABROAD

The personal data provided to Kaspersky can be processed in countries outside the European Union (EU) or the European Economic Area (EEA) which have not been deemed to have an adequate level of data protection by the European Commission, in particular in Russia.

Kaspersky has taken appropriate security measures to protect the personal data in accordance with security and privacy best practices, including, utilizing the European Commission's Standard Contractual Clauses for transfers of personal information (you can find these standard contract clauses at the following link), which requires all group companies to protect personal information being processed from the EEA to an equivalent standard to that required under EU data protection law. Where we share your personal data with a third party service provider outside of the European Economic Area and Switzerland (as detailed in the section entitled “Sharing your information”), we contractually oblige the third party service provider to implement adequate safeguards to protect your information.

HOW LONG DO WE KEEP YOUR PERSONAL DATA?

As a processor on behalf of your data controller we retain your personal data in compliance with the instructions of your data controller.

AUTOMATED DECISION MAKING

We do not use automated decision making at Security Awareness.

YOUR RIGHTS AND YOUR PERSONAL DATA

We inform you that you have certain rights regarding the personal data we maintain about you on behalf of your data controller:

• Right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data, and your rights.
• Right of access. You have the right to receive information about the personal data pertaining to you that we process. how we use your personal data. In addition, you can request to receive a copy of the Personal Data we process about you.
• Right to rectification. You have the right to request correction of inaccurate personal data that we process about you. Furthermore, you may demand that incomplete data will be completed.
• Right to erasure (Right to be forgotten). In certain cases, you are entitled to demand us to delete or remove your personal data.
• Right of restriction of processing. In certain cases, you are entitled to demand us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
• Right to data portability. If you have made the data available to us based on a contract or consent, you are entitled to request the transfer of your personal data. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
• Right to object. You may object at any time to our processing of your personal data when such processing is based on our legitimate interests for reasons arising from your particular situation. We will then no longer process such personal data for those purposes, unless we can provide compelling protected reasons for such processing that outweigh your interests, rights and freedoms, or the processing is necessary for the assertion of, exercise of, or defence against any legal claims.
• Right to withdraw your consent. If applicable you have the right to withdraw your consent to the processing of your personal data. Your withdrawal of consent shall not affect the validity of any activity processing of your personal data already carried out before the withdrawal of your consent.
• Right to complain. If you believe that the processing of the personal data concerning you is illegal, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your workplace, or at the location of the alleged breach.

HOW TO EXERCISE YOUR RIGHTS

If you wish to exercise these rights towards us, you may at any time contact us directly or our representative in EU: Kaspersky Labs GmbH, Ingolstadt, Germany, info@kaspersky.de, +49 (0) 841 98 18 90.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

COMPLAINTS

If you would like to make a complaint regarding this Privacy Statement or our practices in relation to your personal data, please contact us at click here.

If you consider that the processing of personal data relating to you infringes applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority at any time. Which supervisory authority has competence for your complaint can depend on the country where you reside.