Your Data, Your Rights: Makesbridge’s Processor Binding Corporate Rules on Data Protection

Introduction

Integrity, transparency, and responsibility characterise the way Makesbridge conducts business. As a processor of large volumes of our Customers’ personal data (see our Terminology list at the end of this document for more information), we recognize our responsibility to respect privacy rights and to put in place appropriate standards of data protection.

We operate in a highly networked, interconnected, and global business reality that demands a coordinated response to data protection. Our Processor Binding Corporate Rules (“BCR”) set down effective and uniform standards for the processing of personal data right across Makesbridge’s global operations. Our BCR help us to comply with data protection standards within the European Union (“EU”) and the European Economic Area (“EEA”).

The following document is part of our transparency efforts to share information about our approach to data protection. It contains full information on the aspects of our BCR that confer rights on individuals whose personal data we process on behalf of our Customers – these individuals are known as “Data Subjects” (see our Terminology list at the end of this document for more information). This document is designed to help Data Subjects in the European Economic Area understand what standards they can expect from our company, and what rights they may have if something goes wrong. Insofar as there is a divergence between the wording of this document and the BCR, the language of the BCR shall take precedence.

FAQs

What are Binding Corporate Rules (BCR)?

Binding Corporate Rules, or BCR, are a binding code of practice that governs how a multinational company transfers personal data between different entities within its corporate group. A multinational company has different parts of its business based across the world, and therefore subject to different local laws. While some national laws might afford a high level of protection for personal data, others may fall below the standard set down by the EU/EEA Data Protection Directive (and the General Data Protection Regulation that succeeds the said Directive as from May 25, 2018). Therefore, most personal data governed by the laws of EU/EEA Member States cannot be transferred to countries that do not afford adequate protection, unless there are proper additional safeguards in place. An approved set of BCR is one such type of safeguard.

When we provide services, we act as a Data Processor for our Customers, who act as Data Controllers. Our Customers determine why and how data is to be processed, and we process it on their behalf. To ensure that we act as a responsible partner for our Customers, we have adopted this BCR.

When does Makesbridge’s BCR apply?

Our BCR apply to all personal data processed by Makesbridge on behalf of our Customers being transferred from the EU/EEA to the United States.

How does Makesbridge’s BCR affect my rights?

If there is a breach of the BCR, then you may be able to obtain compensation from Makesbridge if you are not able to bring a claim against the entity for whom we process your personal data (i.e. our Customer), either because it has disappeared or ceased to exist in law, or become insolvent. Further information can be found in section “B” (Third-party beneficiary rights for Data Subjects) below.

Information on Beneficiary Rights under our BCR

A. The duty to respect the BCR

All members of Makesbridge ,employees, and contingent workforce must respect the BCR and the Service Agreement. We are under a clear duty to respect the Customer’s instructions regarding data processing as stated in the Service Agreement. The Makesbridge Information Security Team shall support and advise on privacy compliance matters.

B. Third-party beneficiary rights for Data Subjects

In case the Data Subject is not able to bring a claim against the applicable Customer because the Customer has factually disappeared or ceased to exist in law or has become insolvent, and unless any successor entity of the Customer has assumed the entire legal obligations of the Customer by contract or by operation of law, then the following applies:

  • The Data Subjects are entitled to enforce these BCR against any Makesbridge entity which has breached these BCR
  • The EEA contracting party with the Customer is responsible for, and shall agree to take necessary actions to remedy the acts of Makesbridge established outside of EEA or remedy breaches caused by external sub-processors established outside of EEA and to pay compensation to Data Subjects for any damages resulting from the violation of these BCR.
  • Makesbridge can assume responsibility, however it may be more convenient for the Data Subject to turn to the processor entity in their own country which is the EEA contracting party with the Customer, if they so choose.

Makesbridge assumes responsibility according to ii. or iii. above will accept liability as if such violation had been caused by the former instead of the Makesbridge outside the EEA or instead of the external sub-processor established outside of the EEA.

Further,Makesbridge having assumed responsibility according to ii or iii above can prove that the member of the group outside the EEA is not responsible for the act, it may discharge itself from any responsibility.

C. Responsibility towards the Customer

The Customer has the right to enforce this BCR and the Service Agreement against Makesbridge for breaches that Makesbridge caused; including the right to enforce against the EEA contracting party with the Customer should the breach have been caused by an external sub-processor established outside of EEA.

The EEA contracting party with the Customer, and Makesbridge if needed, is responsible for, and shall agree to take necessary actions to remedy the acts of Makesbridge established outside of EEA or remedy breaches caused by external sub-processor established outside of EEA and to pay compensation for any damages resulting from the violation of these BCR as agreed in the Service Agreement.

The EEA contracting party with the Customer will accept liability as if such violation had been caused by the EEA contracting party with the Customer itself instead of the Makesbridge entity outside the EEA or instead of the external sub-processor established outside of EEA.

Further, if the EEA contracting party with the Customer can prove that the member of the group outside the EEA is not responsible for the act, it may discharge itself from any liability.

D. Complaint handling process

Data Subjects who wish to file a complaint or a request shall be instructed to send an e-mail to support@makesbridge.com preferably according to the instruction:

Such complaints or requests shall be reported and communicated to the relevant Customer and handled according to the instructions in the Service Agreement by the Customer.

When a Customer has disappeared factually or has ceased to exist in law or become insolvent and no successor entity of the Customer has assumed the entire legal obligations of the Customer by contract of by operation of law, then Makesbridge will handle complaints by Data Subjects according to the following procedure:

The relevant Data Protection Authority will be the Federal Trade Commission, United States of America.

E. Duty to cooperate with the Customer and Data Protection Authorities

Makesbridge has a clear duty to co-operate with and to accept to be audited by applicable Data Protection Authority or Customers. In the event that a Data Protection Authority has issued a binding decision then this decision must be followed within the Makesbridge when Makesbridge has not exercised its right to appeal of the decision. In addition, Makesbridge must take into consideration any advice on issues related to privacy regulations. Data Protection Authorities may advise on any issue related to data protection in which case an affected Makesbridge is responsible for informing counsel, and, if necessary, seeking advice in the matter.

F. Material scope and description of transfers

These BCR are to ensure a proper level of protection of personal data when transferring data from the European Economic Area to U.S. have an adequate level of protection.

These BCR are applicable throughout the Makesbridge when Makesbridge is the Data Processor and a Customer is the Data Controller.

The rules are applicable to processing of personal data by electronic means and in systematically accessible paper based filing systems. Examples of operations in scope include but are not limited to:

  • Mass Email
  • Marketing Automation
  • Sales Automation
  • Business Intelligence
  • Marketing, Sales, and Promotions

The Customer shall also ensure that these BCR are applied to all transfer and processing of its personal data performed by Makesbridge.

G. Privacy principles

Transparency and Fairness

Customers shall be informed about in which countries Makesbridge or external sub-processors will process personal data. Any changes regarding such countries shall be communicated to relevant Customers.

Information about applicable processing activities shall be made available to Customers and relevant Data Protection Authorities on the “need-to-share” basis. Significant changes related to processing shall be communicated to relevant Customers.

Relevant Customers and relevant Data Protection Authorities shall be promptly notified if existing or anticipated future legislation prevents the expected compliance with these BCR or the applicable Service Agreement. If so, the Customer shall be entitled to suspend transfer of data.

If not against criminal investigation law, relevant Customers shall be promptly informed if Makesbridge is required by a law enforcement authority to disclose Customers' personal data.

Public Forums/Blogs

Our blog comment section is managed by a third party application that may require you to register to post a comment. We do not have access or control of the information posted to the blog. You will need to contact or login into the third party application if you want the personal information that was posted to the comments section removed. To learn how the third party application uses your information, please review their privacy policy.

Purpose Limitation

All personal data processed on behalf of the Customer shall only be collected and processed for fulfilment of legal or contractual obligations. Makesbridge shall respect that the Customer exclusively determines the definition of, and the purposes for processing of the personal data being processed on its behalf.

Personal data in Makesbridge’s custody and processed on behalf of the Customer shall be returned at the end of the contract unless Makesbridge is instructed to destroy the data.

Data Quality

Makesbridge must assist the Customer to comply with applicable data protection laws in particular to have data updated, corrected, deleted or anonymised.

Necessary measures shall be taken to rectify any inaccuracy and to delete personal data when reasonably requested by the Customer. It shall be ensured that such measures are taken by Makesbridge and external sub-processors holding the personal data in question. If not otherwise agreed, Customers’ personal data shall be deleted or anonymised when the data is no longer needed for the fulfilment of legal or contractual obligations.

Security

Security measures meeting requirements of EEA member state law of the exporting Customer and meeting Customers’ instructions set out in the Service Agreement shall be adhered to in addition to Makesbridge’s standard security as set forth in applicable group steering documents. Such measures will protect personal data from misuse or accidental destruction, loss, alteration disclosure or access. Access rights to personal data are authorized individually on the need-to-have principle if not otherwise agreed with the Customer. Staff who access personal data shall meet confidentiality obligations as specified by applicable non-disclosure agreements. Any security breach affecting the privacy of personal data being processed on behalf of the Customer shall promptly be communicated to the relevant Customer.

The Security Incident Management Process outlines the mandatory instructions to ensure that security and privacy incidents are properly reported and managed in order to avoid unnecessary damage and cost and to comply with legislation, rules, and contractual obligations.

Data Subject Rights:

Please see sections B (Third-party beneficiary rights for Data Subjects) and D (Complaints handling process) of this document.

Sub-processing and Onward Transfer

Makesbridge Technology, Inc. will retain personal data we process on behalf of our Clients for as long as needed to provide services to our Client. Makesbridge Technology, Inc. will retain and use this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Otherwise and prior to the processing, consent from the Customer shall be obtained on a case-by-case basis. Prior to onward transfer of personal data to external sub-processors the Customer’s written consent thereto shall be obtained. Written instructions to provide that adequate protection is implemented by external sub-processors must be agreed before processing of personal data may take place. Such instruction shall include the following provisions to be included in agreements with external sub-processors:

Personal data shall be processed only according to Makesbridge’s instructions and for the purpose authorized by Makesbridge.

Personal data shall be kept confidential.

Further sub-processing down the line shall not be allowed without prior written consent of Makesbridge, who first must obtain the Customer’s consent.

Makesbridge shall promptly be informed of any occurred or suspected Privacy Breach.

Security measures that will be in place to mitigate risks towards the personal data.

For onward transfers of personal data from EEA Makesbridge uses the Standard Contractual Clauses pursuant to European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under the EU/EEA Data Protection Directive (and the General Data Protection Regulation that succeeds the said Directive as from May 25, 2018) or other legal mechanism for transfer such as Binding Corporate Rules.

H. List of entities bound by the BCR

Makesbridge Technology, Inc.

I. Terminology list

Term Definition
Anonymised Personal data elements have been removed so that the individual is not identified, also referred to as “de-identified”.
Binding Corporate Rules Codes of practice drawn up and followed voluntarily by multinational organisations. These rules aim to ensure adequate safeguards for processing and transfers of personal data between entities, which are part of the same corporate group, and that are bound by these corporate rules. The rules are based on European data protection standards.
Customer A natural or legal person, public authority, agency, or any other body with whom Makesbridge has a Service Agreement to process personal data on that entity’s behalf. See “Data Controller” below.
Data Controller A natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In this context, the Data Controller is an external entity with whom Makesbridge has a Service Agreement, such as a customer, partner, etc. It is the Data Controller that is primarily liable towards Data Protection Authorities and Data Subjects for ensuring that personal data transferred outside the EEA are protected.
Data Processor The Data Processor is the natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the Data Controller. In this context the Data Processor is Makesbridge.
Data Subject An identified or identifiable person to whom specific personal data relates. It is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific factors (physical, physiological, mental, economic, cultural, social).
EEA contracting party Any Makesbridge entity situated in an EEA country that is party to the Service Agreement with the Customer.
Personal data Personal data shall mean any information relating to a Data Subject.
Privacy Breach The unauthorised access, use or disclosure of Personal Information in a manner not permitted by law, regulation, or contract, which compromises the security and privacy of personal data and which creates a substantial risk of identity theft, fraud, or harm against an individual. This includes any accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data.
Processing of personal data means any operation or set of operations which is performed upon personal data, whether or not by automatic means (for example: collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deleting or destruction, etc.).
Third country A “third country” is a country outside of the EEA.
The EU Commission maintains a list of third countries which ensure an adequate level of data protection.
Third-party beneficiary A third-party beneficiary is a person who is not a party to a contract, but has legal rights to enforce the contract or share in proceeds because the contract was made for the third party's benefit.

Contact Details

Should you have any further enquiries regarding Makesbridge’s BCR or our approach to personal data protection generally, please do not hesitate to contact us using the following details:

Email: support@makesbridge.com

Makesbridge Technology, Inc.
9220 SW Barbur Blvd, Bldg 119 #343
Portland, OR 97219