Personal Data Protection Policy – Freeway Entertainment Group
1. Introduction and scope
This Personal Data Protection Policy ("Policy") describes the privacy practices of Freeway regarding the Processing of Personal Data of the directors, officers and employees and – to the extent applicable – the customers of the Client and/or the relevant Client Affiliates, as part of the provision of Freeway Services to its Clients. This Personal Data can be stored on Freeway systems, Client systems or third-party systems to which Freeway is provided access to for the provision of Services. Where Freeway provides Services to its Clients, Freeway will be acting as Processor and the Client will be acting as Controller.
This Policy applies globally to any and all Services provided by Freeway to its Clients under the Service Agreements, executed on or after the effective date of this Policy.
Freeway Processes Personal Data on behalf of the Client in accordance with Data Protection Laws.
This Policy does not apply to the collection of Personal Data through our website or through cookies with respect to which Personal data Freeway can be considered Controller; we refer to our separate Privacy Statement and Cookies Policy for more information in this regard.
This Policy is available through the Freeway Entertainment Group website at the following link. Freeway reserves the right to update this Policy without consulting or pre-informing its Clients.
The capitalized terms listed below have the follow meaning in this Policy:
a. “Client” means the counterparty to the Service Agreement with Freeway
b. “Client Affiliate” means any legal entity affiliated to the Client
c. “Client Data Subjects” shall mean the former and current directors, officers and employees and customers of the Client and Client Affiliates
d. “Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data
e. “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Service Agreement, the General Data Protection Regulation (EU) 2016/679 ("GDPR") together with all implementing laws and any other applicable data protection, privacy laws or privacy regulations
f. “Freeway” means Freeway Affiliate that is the contracting entity to the Service Agreement
g. “Freeway Affiliate” means with respect to any specified person or entity, any other person or entity directly or indirectly controlling or controlled by or under direct or indirect common control with such specified person or entity. For the purpose of this definition, “control”, when used with respect of any specified person or entity means the power to direct or cause the direction of the management or policies of such person or entity, whether through ownership of voting securities or by contract or otherwise. The terms “controlling” and “control” have meaning correlative to the foregoing. Specifically excluded from this definition are the shareholding companies controlling Freeway Entertainment Group B.V.
h. “Personal Data” means any information through which a Client Data Subject can be identified directly or indirectly
i. “Processing” means any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
j. “Processor” shall mean the party, which Processes Personal Data on behalf of the Controller
k. “Services” means services Freeway provides to the Client under the Service Agreement
l. “Service Agreement” means any written contract, any written statement of work, or any other written binding agreement, including any annexes thereto, between Freeway and the Client
m. “Subprocessor” means any data processor appointed by Processor to process Personal Data on behalf of the Controller
3. Personal data processed by Freeway Entertainment Group
By signing the Service Agreement, the Client authorizes and instructs Freeway to:
- Process the Personal Data for all legitimate and relevant purposes in connection with the Services of Freeway;
- Process the Personal Data insofar necessary to comply with a legal obligation of the Client or Freeway, including the disclosure of Personal Data to competent local authorities;
- Transfer the Personal Data as necessary or relevant to any Subprocessor.
The details of the Personal Data that will be Processed by Freeway on behalf of the Client, including the duration, purpose and types and categories of Personal Data, as well as Subprocessors, if any, are set out below.
Nature and Purpose of Processing: the Freeway Affiliate involved in the rendering of Services to Client is a financial and administration services provider, and will Process Client Personal Data as necessary and solely for the purposes of performing the Services pursuant to the Service Agreement, and as further instructed by Client or Client Affiliate in its use of the Services.
Duration of Processing: Freeway will Process Personal Data for the duration of the Service Agreement, unless otherwise agreed upon in writing.
Types of Services and Personal Data Processed: Client (Affiliate) may submit Personal Data to Freeway to enable it to render the Services, the extent of which is determined and controlled by Client (Affiliate) in its sole discretion, and which may include the following types of Personal Data, depending on the type and scope of the Services:
Types of Personal Data
Collection Account Management Services
first and family name, address, telephone, email, bank account details, date of birth, gender, nationality
Data Management Services
If required and as determined per scope in the Service Agreement
*Client (Affiliate) may choose to deviate from the types included in the table above as it may be required for specific purpose under the Service Agreement and as determined by the same.
Categories of Data Subjects: Client may submit Personal Data to Freeway to enable it to render the Services, to the extent determined and controlled by Client in its sole discretion, and which may include the following categories of Personal Data, depending on the type and scope of the Services:
- clients who are (also) natural persons
- (candidate) employees or contact persons of Client (Affiliate)’s
- agents, advisors, suppliers, shareholders and other representatives of Client (Affiliate)’s - who are natural persons
- other third-party users authorized by Client (Affiliate)’s to receive/use the Services.
Subprocessors: Subject to section 5 of this Policy, the subprocessors of Freeway are the following:
Type of Services
Microsoft Ireland Operations Limited
Garba Royal Kft.
Netkorzo Online Kft.
4. Use of personal data
Freeway shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than:
as necessary to process Personal Data to provide the Services and/or otherwise in accordance with the documented instructions of Client, or
as required to comply with Data Protection Laws or other laws to which Freeway is subject, in which case Freeway shall (to the extent permitted by law) inform Client of that legal requirement before processing the Personal Data.
In addition, Freeway is allowed to use aggregated data – to the extent this can no longer be considered Personal Data - for analysing purposes, for website and for internal operations, including troubleshooting, data analysis, testing, research, for statistical purposes and for improving the quality of its Services.
Freeway may be required to appoint certain third parties to provide part of the Services to the Client or assist with providing technical support, such as IT service providers or other suppliers. By signing the Service Agreement, the Client authorises Freeway to subcontract the Processing of Personal Data to Subprocessors in the relevant countries where the Services will be rendered as listed in section 3. Subprocessors are in each case subject to the terms between Freeway and the Subprocessor which are no less protective than those set out in this Policy and the Service Agreement. Freeway will inform the Client of the details of such Subprocessor(s) upon written request from the Client. Freeway will inform the Client in advance of any intended changes concerning the addition or replacement of Subprocessors and thereby give the Client the opportunity to object to such changes. If the Client does not object in writing within five (5) days of receipt of the notice, the Client is deemed to have accepted the new Subprocessor. If the Client does object in writing within five (5) days of receipt of the notice, Freeway and the Client will discuss possible resolutions.
6. Confidentiality and security
Freeway shall keep the Personal Data confidential and will ensure its staff and Subprocessors are bound by the same confidentiality obligation. Freeway shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risk required pursuant to applicable Data Protection Laws and, where the Processing concerns personal data of EU residents, shall take all measures required pursuant to article 32 GDPR. In assessing the appropriate level of security, Freeway shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
7. Co-operating with requests of the client
Freeway shall, upon request and to the extent required under Data Protection Laws, co-operate with requests of the Client that relate to the Processing of Personal Data. In particular, Freeway shall co-operate with requests that relate to Client Data Subject rights, Data Protection Impact Assessments and audit rights as described below.
Client Data Subject rights: Freeway shall notify the Client as soon as possible, if it receives a request from a Client Data Subject under any Data Protection Laws in respect of Personal Data, including requests by a Client Data Subject to exercise rights in Chapter III of GDPR or other similar rights pursuant to Data Protection Laws, and shall provide full details of that request. Freeway shall co-operate as requested by the Client to enable the Client to comply with any exercise of rights by a Client Data Subject in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under Data Protection Laws. Provided in each case that the Client shall reimburse Freeway in full for all costs (including for internal resources and any third party costs) reasonably incurred by Freeway performing its obligation under this section.
Data Protection Impact Assessment: Freeway shall provide reasonable assistance to the Client with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of the Client which are required under Article 36 GDPR, in each case in relation to Processing of Personal Data by Freeway on behalf of the Client and taking into account the nature of the processing and information available to Freeway.
Audit rights: On reasonable request and notice, Freeway will co-operate in the conduct of any audit or inspection, reasonably necessary to demonstrate Freeway's compliance with the processor obligations laid down in Data Protection Laws and this Policy related to the Service Agreement, provided always that this requirement will not oblige Freeway to provide or permit access to information concerning: (i) Freeway internal pricing information; (ii) information relating to Freeway's other Clients; (iii) any of Freeway non-public external reports, or (iv) any internal reports prepared by Freeway's internal audit function. The Client shall avoid causing any damage, injury or disruption to Freeway's equipment, personnel and business in the course of such audit or inspection. A maximum of one Data Protection Laws compliance audit or review may be activated under this section in any twelve (12) month period, unless the audit is following upon a Personal Data breach caused by Freeway in the same period. Any further Data Protection Laws audits shall be at the Client’s expense.
The Client’s requests provided in this section 7 will be fulfilled in close co-operation with and under supervision of Freeway's Information Security Officer, Freeway’s Privacy Officer, or similar Freeway local officials.
8. Deletion or return of client personal data
Freeway will, at the choice of the Client, delete or return the Personal Data at the end of the provision of the Services relating to Processing, unless (i) Data Protection Laws, (ii) any law, statute, order, regulation, rule, requirement, practice and guidelines of any government, regulatory authority or self-regulating organization that applies to the Services in the country where those Services are being provided, or (iii) competent court, supervisory or regulatory body, require the retention of such Personal Data by Freeway.
9. Incident management
Freeway shall notify the Client without undue delay after becoming aware of a Personal Data breach, providing the Client with sufficient information which allows the Client to meet any obligations to report a Personal Data breach under Data Protection Laws. Such notification shall as a minimum:
- describe the nature of the data breach, the categories and numbers of Client Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
- communicate the name and contact details of Freeway's data protection officer or other relevant contact from whom more information may be obtained;
- describe the likely consequences of the data breach, and
- describe the measures taken or proposed to be taken to address the data breach.
Upon request by the Client, Freeway shall fully co-operate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation and remediation of each Personal Data breach, in order to enable the Client to (i) perform a thorough investigation into the Personal Data breach and provide incident details as required under Data Protection Laws such as Article 33 (3) GDPR, (ii) formulate a correct response and (iii) take suitable further steps in respect of the Personal Data breach in order to meet any requirement under the Data Protection Laws (“Remediation Measures”). If and to the extent costs incurred by Freeway related to the Remediation Measures as directed by the Client are related to the Personal Data breach caused by the Client, the Client shall compensate reasonable costs of the Remediation Measures taken by Freeway. The Remediation Measures shall: (i) start without undue delay, (ii) be completed within a reasonable period after Freeway has become aware of a Personal Data breach, and (iii) be carried out within the regular business hours of the local office where the Remediation Measures are required to be taken.
10. International transfers of client personal data
Always subject to section 4 of this Policy and in the event the Services require international transfers of Personal Data between Freeway, Freeway Affiliate(s) and/or any Subprocessor(s), the following shall apply (insofar relevant):
a. Transfer to Freeway Affiliates in or from EU. The Personal Data may be transferred to one or more of Freeway's Affiliates in either one or more Member States of the European Economic Area ("EEA") or Switzerland on the basis of Data Protection Laws.
b. Transfer to Subprocessors in or from EU. The Personal Data may be transferred (i) to one or more Subprocessors (other than Freeway's Affiliates) in one or more Member States of the EEA or Switzerland on the basis of Data Protection Laws pursuant to the Clients permission ex section 5 of this Policy, or (ii) to one or more such Subprocessors in one or more third countries on the basis of an exception under Data Protection Laws, or (iii) on the basis of adequate safeguards added either, insofar as allowed under Data Protection Laws, by Freeway to ensure the protection of the Personal Data, or by the Client, in which case Freeway shall cooperate with the Client to seek an adequate basis for the cross-border transfer of Personal Data to such Subprocessor. At the Client's request, Freeway shall inform the Client of the applicable basis for the cross-transfer of the Personal Data.
c. Other transfers. Where the data protection or privacy law of any country outside the EEA or Switzerland applies to the Personal Data, the Client shall ensure that any cross-border transfer of Personal Data from Freeway to a Subprocessor shall be allowed, by implementing additional safeguards pursuant to Data Protection Laws or as otherwise permitted by Data Protection Laws.
The Client warrants that all Personal Data processed by Freeway on behalf of the Client has been and shall be Processed by the Client in accordance with Data Protection Laws including without limitation: (a) ensuring that all notifications to and approvals from regulators which are required by Data Protection Laws are made and maintained by the Client; and (b) ensuring that all Personal Data is Processed fairly and lawfully, is accurate and up to date and that a fair notice is provided to Client Data Subjects which described the processing to be undertaken by Freeway pursuant to the Services agreed upon in the Service Agreement.
Freeway shall be liable for the damage caused by Processing only where it has not complied with obligations of Data Protection Laws specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Client as indicated in the Service Agreement. Client shall be liable for the damage caused by Processing by Client which infringes Data Protection Laws. Client or Processor shall be exempt from liability under this section 11 if it proves that it is not in any way responsible for the event giving rise to the damage.
Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same processing and where they are, under the Service Agreement, responsible for any damage caused to Client Data Subject by Processing, each Controller or Processor shall be held liable for the entire damage in order to ensure effective compensation of the Client Data Subject(s). Where a Controller or Processor has paid full compensation for the damage suffered, that Controller or Processor shall be entitled to claim back from the other Controller(s) or Processor(s) involved in the same Processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in the previous paragraph.
Save for this section 11 third paragraph, the indemnities, liabilities and exclusions or limitations thereof set out in the Service Agreement, shall also apply to the obligations of the parties pursuant to this Policy and the Service Agreement, and in case of any conflict will prevail.