1.1. Elastacloud is a data science and cloud architecture consultancy with offices in the United Kingdom, Spain, Brazil and India.
1.2. While conducting its Business, Elastacloud receives and Processes personal Data of its Stakeholders. Elastacloud is committed to receiving and Processing this personal Data in a lawful, reasonable and transparent manner, and otherwise in compliance with the requirements recorded in the GDPR.
1.3. Elastacloud has accordingly adopted this Policy to record its commitment to Processing personal Data in the manner described in paragraph 1.2 above and to inform its Stakeholders of their rights in and to their Data.
1.4. In order to assist our Stakeholders in understanding this Policy, certain terms which have particular meanings have been defined in paragraph 2 of this Policy. If any of our Stakeholders have difficulty understanding any words or provisions in this Policy, then we encourage those Stakeholders to contact us at firstname.lastname@example.org.
2.1. “Business” means the business of Elastacloud, which involves cloud architecture and data platform analytics, and which includes all matters related thereto;
2.2. “Data” means “personal data” and “special categories of personal data”, as the case may be, and as defined or described in the GDPR;
2.3. “Data Protection Legislation” means the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communication Regulations 2003;
2.4. “Data Protection Representative” means the person described in paragraph 13 below;
2.5. “Elastacloud” or “our” means Elastacloud Limited, a company registered in the United Kingdom with company registration number 07900393 (and ICO registration number ZA261808) and with its registered address at 131 Finsbury Pavement, London, England, EC2A 1NT and any of its subsidiaries;
2.6. “GDPR” means the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) applicable in the United Kingdom;
2.7. “ICO” means the Information Commissioner’s Office as contemplated in Section 114 of the Data Protection Act 2018;
2.8. “Policy” means this policy and any amendments made to it from time to time;
2.9. “Process” and “Processing” means anything that is done by Elastacloud in relation to its Stakeholder’s Data, whether or not by automated means, including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Data;
2.10. “Stakeholder” means any natural person (other than Elastacloud employees and contractors) whose Data Elastacloud Processes, and this may include Data pertaining to Elastacloud’s candidates for employment, customers, suppliers, business associates, partners and any representatives thereof, if applicable;
3. Requirements for Processing Data
For Elastacloud to Process Data in a manner which is consistent with the GDPR, Elastacloud is required to:
3.1. Process Data lawfully, fairly and transparently. In order to do this:
3.1.1. the person whose Data is being Processed must give consent to the Processing of his or her Data by Elastacloud;
3.1.2. the Processing of Data by Elastacloud must be necessary for the performance of a contract to which the person whose Data is being Processed is party or to take steps at the request of that person prior to entering into a contract;
3.1.3. the Processing of Data must be necessary for compliance with a legal obligation to which Elastacloud is subject;
3.1.4. the Processing of Data must be necessary to protect the vital interests of the person whose Data is being Processed or of another natural person;
3.1.5. the Processing of Data must be necessary for the performance of a task carried out in the public interest; or
3.1.6. the Processing of Data must be necessary for the purposes of the legitimate interests pursued by Elastacloud or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the person whose Data is being Processed which require protection of Data.
3.2. Process Data for a specific, explicit and legitimate purpose and not further Process Data in a manner that is incompatible with that purpose;
3.3. Process Data only if it is adequate, relevant and limited to what is necessary in relation to the purpose for which it is Processed;
3.4. take reasonable steps to ensure that Data is accurate and, where necessary, kept up to date;
3.5. take reasonable steps to ensure that Data is kept in a form which permits identification of the person to whom it belongs for no longer than is necessary for the purpose for which the Data is being processed; and
3.6. Process Data in a manner that ensures appropriate security of that Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4. The Purpose for Processing
4.1 Elastacloud will Process Data for the purpose of conducting and furthering its Business interests in general, and otherwise for the purpose for which the specific Data is transmitted to or received by Elastacloud (“the Purpose”).
4.2 If any of Elastacloud’s Stakeholders do not permit Elastacloud to Process their Data, Elastacloud may not be permitted to deal with or provide services to that Stakeholder, and may be required, at its discretion, to terminate any and all dealings with that Stakeholder.
5.1. Elastacloud will endeavour to collect and Process Data directly from its Stakeholders.
5.2. Where it is not possible or practicable for Elastacloud to collect and Process Data directly from its Stakeholders, Elastacloud will collect Data about its applicable Stakeholders from another source where it is lawfully permitted to do so, and will provide to its applicable Stakeholder the information required by the GDPR.
6. Grounds for Processing Data
6.1. Elastacloud will only Process Data in circumstances where it has a reasonable and lawful basis to do so.
6.2. Elastacloud will endeavour to acquire consent from its Stakeholders to the Processing of their Data in terms of this Policy. Any consents obtained by Elastacloud will be recorded and safely stored.
6.3. Where Elastacloud is unable to or does not obtain the consent of its Stakeholders to Process their Data, Elastacloud will only Process the Data of its Stakeholders in one or more of the following circumstances, and will document and catalogue any Data Processing carried out by it:
6.3.1. performance of a contract: where the Processing of Data is necessary for the performance of a contract to which the Stakeholder is a party, or to take steps at the request of a Stakeholder prior to entering into a contract;
6.3.2. compliance with a legal obligation: where the Processing of Data is necessary for Elastacloud to comply with a legal obligation imposed upon it in relation to the Stakeholder or otherwise, or to carry out its obligations and exercise its rights in relation to a Stakeholder in the field of employment, social security and social protection;
6.3.3. legal proceedings: where it is necessary for Elastacloud to Process Data in order to establish, exercise or defend a legal claim;
6.3.4. protect vital interest of Stakeholders: where the Processing of Data is necessary to protect the vital interests of one or more Stakeholders or other natural persons;
6.3.5. public interest: where the Processing of Data is necessary for the performance of a task carried out by Elastacloud in the public interest; or
6.4. legitimate interest: where the Processing of Data is necessary for the purposes of the legitimate interests pursued by Elastacloud or by a third party, save that when Processing Data on this basis, Elastacloud will carry out a balancing test of its interests in using its Stakeholder’s Data against the rights and interests that its Stakeholders may have in and to that Data.
6.5. Elastacloud may from time to time Process Data by automated means. Elastacloud will only Process Data by automated means where it has obtained the consent of its Stakeholder to do so, where it is necessary for entering into, or the performance of, a contract between Elastacloud and a Stakeholder or where it is required or authorised by any applicable law.
7. Transparency and Awareness
7.1 Elastacloud is required to ensure that, when Processing the Data of its Stakeholders, it is open, honest and transparent. In order to comply with this requirement, Elastacloud will bring this Policy to the attention of its Stakeholders by:
7.1.1. publishing a copy of this Policy on its website at www.elastacloud.com;
7.1.2. making a copy of this Policy available for inspection on its company intranet;
7.1.3. referring to this Policy in its recruitment and/or job advertisements; and/or
7.1.4. incorporating this Policy by reference into its contracts, agreements, terms and conditions of trading and/or email signatures.
8. Retention and Security of Data
8.1 Elastacloud is required to store, retain and protect Data against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
8.2 Elastacloud is also required to ensure that it does not keep Data for longer than is necessary for the Purpose.
8.3 Elastacloud has adopted a Data Retention Policy which records the duration for which Elastacloud will retain Data of its Stakeholders and the manner in which Elastacloud will store, retain and protect Data. Elastacloud will, however, only retain Data for as long as that Data is required by it for the Purpose and, in addition to any measures referred to in the aforesaid policy, also take steps to secure and protect the Data of its Stakeholders by ensuring that:
8.3.1 Data is only dealt with by those representatives of Elastacloud who need to deal with it;
8.3.2 Data is stored in a secure cabinet, or in a password protected and secure database that is protected from unauthorised access;
8.3.3 all employees and/or representatives of Elastacloud who have access to or Process Data keep their workstations free of Data which is not then being Processed; and
8.3.4 it regularly reviews the Data that it Processes to ensure that it does not retain Data that it no longer requires or is not obliged to retain.
9. Disclosure of Data
9.1 Elastacloud will only disclose its Stakeholders’ Data to those of its employees and officers (including the employees and officers of companies in the same group of companies as Elastacloud) who need to know for the Purpose and will not disclose Data to any third party unless the consent of the applicable Stakeholder has been obtained.
9.2 Elastacloud may disclose its Stakeholders’ Data without first obtaining consent if Elastacloud is required or permitted by any applicable law, Data Protection Legislation or any applicable regulator to disclose that Data or if Elastacloud is required to disclose that Data to its professional or legal advisors.
9.3 Elastacloud is part of an international group of companies and as such it may transfer Data to employees and officers of its related group companies. In the event that Elastacloud transfers Data to one of its group companies that is outside of the United Kingdom, it will do so only to the extent that it is permitted to do so by applicable law and/or the Data Protection Legislation, and in particular, if:
9.3.1 the United Kingdom has issued regulations confirming that the country to which Elastacloud may transfer the Data ensures an adequate level of protection for the applicable Stakeholders’ rights and freedoms;
9.3.2 appropriate safeguards are in place such as binding corporate rules, standard contractual clauses or an approved code of conduct or a certification mechanism;
9.3.3 the consent of the applicable Stakeholder has been obtained; or
9.3.4 the transfer is otherwise permitted by the GDPR.
10.1 Elastacloud is required to take reasonable steps to ensure that the Data of its Stakeholders that it Processes is complete, accurate and not misleading.
10.2 Elastacloud will, from time to time, take reasonable steps to update the Data that it Processes and retains in order to ensure that it is complete, accurate and not misleading.
11. Stakeholder Rights in and to its Data
11.1. Each Stakeholder has the right to:
11.1.1. request access to its Data and to receive a copy of that Data;
11.1.2. request rectification of its Data;
11.1.3. request the erasure of its Data;
11.1.4. request that Elastacloud restricts the Processing of its Data;
11.1.5. object to the Processing of its Data;
11.1.6. withdraw its consent for Elastacloud to Process its Data at any time, but the withdrawal of consent will not affect the lawfulness of Processing based on consent prior to the Stakeholder’s withdrawal of consent;
11.1.7. lodge a complaint with ICO as contemplated in paragraph 14 below; and
11.1.8. object to Data being processed by automated means, if applicable.
11.2. Should any Stakeholder wish to exercise any of the rights referred to above or contact Elastacloud about a privacy related concern or complaint, it can do so by:
11.2.1. contacting Elastacloud’s Data Protection Representative in the manner described in paragraph 13 below; and
11.2.2. providing a form of identification acceptable to the Data Protection Representative so that the Stakeholder’s identity can be appropriately verified.
12. Data Breach
12.1. Elastacloud is, in certain circumstances, required to provide notice of a Data breach or of any unlawful or unauthorised access to Data belonging to its Stakeholders to the ICO and its Stakeholders.
12.2. Elastacloud has adopted a Data Breach Policy which records the steps that it will take in the event of a Data breach or of any unlawful or unauthorised access to Data belonging to its Stakeholders. Elastacloud will, however, in the event of such a breach or unlawful or unauthorised access to Data, provide prompt notice thereof to the ICO and its affected Stakeholders to the extent that it is necessary to do so.
13. Elastacloud Data Protection Representative
13.1. Elastacloud has appointed Alia Alguire as its Data Protection Representative.
13.2. Elastacloud’s Data Protection Representative can be contacted by sending an email to the following email address: email@example.com.
13.3. The Data Protection Representative is responsible for:
13.3.1. ensuring that Elastacloud Processes the Data of its Stakeholders in the manner recorded in this Policy;
13.3.2. ensuring that Elastacloud monitors developments and amendments to Data Protection Legislation and updates this Policy and any related policies from time to time;
13.3.3. responding to reasonable queries or concerns from Stakeholders in terms of paragraph 11 above; and
13.3.4. ensuring that all Stakeholders who are employees or officers of Elastacloud have received adequate training to enable them to comply with this Policy.
14. Information Commissioner’s Office
In the event that any of Elastacloud’s Stakeholders have any queries or concerns that cannot be addressed by the Data Protection Representative, that Stakeholder has the right to contact ICO. ICO’s details are as follows:
15. Status of Policy
This Policy has been adopted by Elastacloud. This Policy supersedes all earlier policies adopted by Elastacloud which relate to data protection and which are applicable to Elastacloud’s Stakeholders.
16. Processing Personal Data on Behalf of Microsoft
In the event that Elastacloud is required to collect or process any Data for or on behalf of Microsoft in order to provide services to a Stakeholder, the Microsoft Privacy Statement (available at https://privacy.microsoft.com/en-gb/privacystatement) will apply, supplemented to the extent applicable, by this Policy.