XI. Your Rights and Access to Information
EU, UK, and Swiss Residents
If you are a European Union, UK or Swiss resident, applicable data protection laws (which may include the EU’s General Data Protection Regulation or “GDPR”) may provide you with certain rights with regard to our processing of your personal information.
To the extent established under applicable law, if you are a Canadian, European Union, UK or Swiss resident you may have the right:
- to access, review, and update your personal information;
- to restrict our processing of your personal information;
- to request that we provide you a copy of, or access to, your personal information in a structured, commonly used and machine-readable format (or that we transfer your personal information to another controller, when technically feasible);
- to withdraw your consent when our processing of your personal information is based on your consent (and not another legitimate basis);
- to request that we delete all of your personal information (subject to certain limitations); and
- to lodge a complaint with the applicable supervisory authority in the country you live in, the country you work in, or the country where you believe your rights under applicable data protection laws have been violated. Before you do this, we request that you contact us directly in order to give us an opportunity to work directly with you to resolve any concerns about your privacy.
Note that we will only be able to directly process the above requests in situations where we are the “data controller” under the GDPR, which refers to the entity that controls the relevant personal information and its processing. This includes some situations where you provided the relevant information directly to us. However, in many cases we are instead the “data processor” or “sub-processor” under the GDPR, and are processing personal information on behalf of our customer or our client’s customer, who provided the information to us or on whose behalf we are collecting your personal information, and our customer or client’s customer acts as the “data controller” under the GDPR. In those situations where we are acting as the data processor or sub-processor, we will refer your request to the applicable data controller instead.
California Privacy Rights
California law (including the California Consumer Privacy Act or “CCPA”) entitles California residents to certain additional protections regarding personal information. For purposes of this section alone, “personal information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. Please be aware, however, that under the CCPA personal information does not include:
- Publicly available information from government records;
- Deidentified, aggregated or anonymized information that is maintained in a form that is not capable of being associated with or linked to a California resident;
- Information excluded from the CCPA’s scope, such as:
  - Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or
  - Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994; or
- Information relating to job applicants, employees, contractors and other personnel of BlueWhale Research or its affiliates.
If you are a California resident, you have the right to request:
- information regarding your personal information we have collected in the past 12 months (including the categories of personal information we have collected, the categories of sources of such information, and the business or commercial purposes for collecting or, if applicable, selling such information);
- notice of whether we have disclosed or sold your personal information to third parties in the past 12 months (and if so, what categories of information we have disclosed or sold, and what categories of third parties we have disclosed or sold it to);
- a copy of your personal information collected by us in the past 12 months; and
- that your personal information be deleted.
We will not discriminate against you if you choose to exercise any of these rights. To make any of the above requests, please contact us as set forth at the end of this Article. We will need to verify your identity before processing your request. In order to verify your identity, we will generally require the matching of sufficient information you provide us to the information we maintain about you in our systems. Although we try to limit the personal information collected in connection with a request to exercise the right to know and/or the right to deletion, certain requests may require us to obtain additional personal information from you. In certain circumstances, we may decline a request to exercise the right to know and/or right to deletion, particularly where we are unable to verify your identity. In certain instances, we may be permitted by law to decline some or all of your requests.
Note that we will only be able to directly process the above requests in situations where we are the “business” under the CCPA, which refers to the entity that determines the purpose and means of information processing. This includes some situations where you provided the relevant information directly to us. However, in many cases we are instead a “service provider” under the CCPA, and are processing personal information on behalf of our customer or our client’s customer, who provided the information to us or on whose behalf we are collecting your personal information, and our customer or our client’s customer acts as the “business” under the CCPA. In those situations where we are acting as a service provider, we will refer your request to the applicable business instead.