II. The GDPR and Your Rights as an EU, Swiss, or UK Data Subject
Definition of Personal Data
EEA Data Protection Laws define personal data broadly. As such, where Usage Data and/or Profile Information relates to an individual in the EEA, we treat it as personal data. Similarly, nearly all of the data collected from EEA Data Subjects in the context of our normal business operations is likely to be considered personal data. This includes: a) data collected via visits to ShareThis.com; b) data collected from Customers, Publishers and business partners; and c) data collected from employees and prospective employees.
Special Categories of Personal Data
ShareThis does not collect or process any special categories of personal data with respect to EEA Data Subjects, and we do not create Profile Information of audience segments of such consumers based on special categories of personal data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation).
Legal Basis for Processing
EEA Data Protection Laws require entities seeking to process personal data to have a valid legal basis for doing so. The legal bases utilized by ShareThis include: a) consent (our primary legal basis with respect to our Processing of Usage Data and Profile Information); b) legitimate interest (i.e., where we believe that our need to process the data and/or the value we deliver by processing such data is not outweighed by the rights of the data subject); c) where necessary for the performance of a contract; and d) where processing is necessary to comply with our legal obligations. We will endeavor to outline our legal basis for the most common types of processing conducted by ShareThis.
Cookie and Similar Tracking Technologies – We endeavor to obtain consent for our placement of cookies, pixels and similar tracking technologies as required under the ePrivacy Directive as implemented throughout the EEA. As ShareThis does not have direct relationships with Internet users in many cases, we ask Publishers and other partners to obtain a consent on our behalf as described below. Where we directly place cookies (e.g., via ShareThis.com) we directly obtain the consent from data subjects we’ve identified as being from the EEA or other place where consent is required.
Usage Data and Profile Information – We obtain a consent for our placement of cookies as described above, and ShareThis also processes Usage Data and Profile Information with consent.
Website Data – We collect personal data via ShareThis.com. Where that data is provided to ShareThis (e.g., via completing an online form), we consider it either Account Data and/or data collected pursuant to a business relationship which are described below. Where we place cookies via the Website, we use consent. Where data is collected automatically (e.g., log files containing IP addresses), we process such data via our legitimate interest and in order to maintain the Website and help us do a better job of personalizing the Website to the interests of visitors.
Account Data and Business Relationships – We require some Publishers to set up an Account with ShareThis. Similarly, we maintain accounts containing personal data with most of the vendors who provide services to ShareThis, our Customers, our employees, and our business partners. If you are an employee of one of those entities, ShareThis may have your personal data including your name, your work email, or your work telephone number. For data subjects located in the EEA or UK, we process this data under the legal basis of contractual necessity. In other words, we need to process this data in order to honor the terms of the contract between ShareThis and the Publisher, Customer, vendor, etc. This includes maintaining an account and login credentials, billing and payment purposes, communicating with the other party, and fulfilling requests. Where we are seeking to market additional products and services to these entities, we will do so via legitimate interest unless applicable law dictates that we use consent (e.g., for email marketing).
General Purposes – There are a number of instances where ShareThis processes personal data which are distinct from the descriptions provided above. For example:
Legal and Regulatory Compliance – Like most companies, ShareThis will process data in order to comply with law, cooperate with requests from competent legal authorities such as the police, and to pay taxes. The legal basis for this type of processing is that it is necessary for ShareThis to meet our legal and regulatory obligations.
Enforcement of legal obligations – To enforce our terms and conditions, protect our intellectual property and/or the rights of third parties, ShareThis processes personal data in these instances via our legitimate interest. This may include obtaining advice and conducting legal proceedings.
Sell and Promote our Business – ShareThis may choose to conduct, evaluate and/or promote the sale of our business via our legitimate interest.
Aggregated Data – Where we aggregate data and remove digital identifiers (e.g., cookie IDs), we may use this data for internal research, marketing, and statistical analysis purposes.
ShareThis is generally a Controller of data with respect to the data processed as described above. Where the EEA Data Protection Laws apply to Usage Data and Profile Information and we share this data with our Customers, our Customers are independent controllers in relation to their processing of such data and they process it in accordance with their own privacy policies. ShareThis is also the controller of the data it collects via ShareThis.com.
ShareThis also has a number of agents and service providers who operate as processors of data on ShareThis’ behalf. These agents and service providers are only able to use the data as specifically directed by ShareThis and only to provide the services requested by us. They are also contractually obligated to process the data securely and under confidentiality obligations.
EEA Data Subject Rights
Where the EEA Data Protection Laws apply, such data subjects have certain rights, including: a) the right to be informed about the types of data being processed and the legal basis for processing; b) the right to access and see the data being processed; c) the right of rectification, to make corrections to data subject to processing; d) the right to erase data; e) the right to restrict processing of data; f) the right of data portability; g) the right to object to the processing of data; and h) the right not to be subject to automated decision-making. Some of these rights apply only in certain circumstances and depend on the legal basis relied upon to process the data. As an example, the right to object applies to processing which is carried out because it is necessary for our legitimate interests and only if we cannot demonstrate compelling legitimate grounds which outweigh your rights, interests and freedoms. The same right does not apply to processing which is necessary for us to comply with our legal obligations or to perform a contract with you. These rights may extend to the personal data we place into cookies or similar tracking technologies.
Where processing is based on your consent, in accordance with the GDPR and UK Data Protection Act (as applicable), you may withdraw that consent at any time, although any processing previously carried out will still be legal. In order to exercise your data subject rights or if you have any questions about these rights, you can write to us at email@example.com. We will endeavor to respond to any requests to exercise your rights within one month from when they are made, although this period may be extended in some cases, in which case we will inform you before the expiration of the one-month period.
You also have the right to submit complaints to the supervisory authority in your jurisdiction. A list of supervisory authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_en.
How ShareThis interacts with our Publishers on GDPR, Swiss, and UK Data Protection compliance
Cross-border transfers of EEA personal data
We generally process data in the United States. When we share data, we provide data to companies globally. In each case, we have safeguards in place which allow those transfers to happen in a way that ensures data is handled in accordance with the applicable law.
When we transfer personal data outside the EEA or UK, unless the recipient or location to which the data is transferred has been approved by the appropriate authorities as providing an adequate level of protection for personal data, we put in place measures to ensure that the transfer complies with the applicable data protection law and that the personal data which is transferred is appropriately safeguarded.
When we enter into business relationships which involve the transfer of personal data of EEA Data Subjects to the United States, we put in place reasonable transfer mechanisms such as the EU standard contractual clauses with the recipient. More information about international data transfers under the GDPR can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en. If requested, we may make available a copy of such safeguards, as required by EEA Data Protection Laws.
Data Protection Officer and Representative
ShareThis has appointed a data protection officer to supervise our personal data processing-related activities, and to respond to requests as required. Our DPO can be contacted as follows: Vincent Potier (ShareThis DPO): firstname.lastname@example.org
ShareThis’ representative in the UK is: ShareThis UK Limited of 10 John Street, London WC1N 2EB, UK.
ShareThis’ representative in the EU is: Verasafe and they may be reached at email@example.com.