OCP Data Privacy Policy
Last modified: February 14, 2024
This OCP Data Privacy Policy is incorporated by reference into the OCP Service Terms and Conditions agreement with OMILIA NATURAL LANGUAGE SOLUTIONS LTD, a company incorporated and existing under the laws of Cyprus with registered offices at Gladstonos 55 Str., 3040, Limassol, Cyprus, TIC number 123189502Z (“Omilia”), and describes the contractual requirements for Data Privacy provided by Omilia to the Customer (hereinafter “Data Controller”) related to the provision of OCP Services that the Partner has licensed from Omilia and transferred or sublicensed to the Customer, or to the provision of OCP Services that the Customer has licensed directly from Omilia. This OCP Data Privacy Policy is applicable to the extent that Omilia, acting as “Data Processor”, has access and control over Data Controller’s data.
1. PROCESSING ACCORDING TO THE INSTRUCTIONS OF THE DATA CONTROLLER
1.1. Omilia warrants and undertakes in respect of all Personal Data that it processes on behalf of the Data Controller that at all times:
1.1.1. It shall only process such Personal Data for the purposes of providing the Services and as may subsequently be agreed by the Parties in writing and, in so doing, shall act solely on the documented instructions of the Data Controller;
1.1.2. It shall not itself exercise control, nor shall it transfer, or purport to transfer, control of such Personal Data to a third party, except as it may be specifically instructed, in documented form, to do so by the Data Controller;
1.1.3. It shall not process, apply or use the Personal Data for any purpose other than as required and necessary to provide the Services;
1.1.4. It shall not process Personal Data for its own purposes or include Personal Data in any product or service offered to third parties;
1.1.5. Omilia is committed not to sell or share Personal Information with third parties for commercial purposes, nor to process such information for targeted advertising or profiling, nor for any monetary or other valuable consideration. Moreover, the use of sensitive personal information by Omilia is strictly limited to the purposes specified by the Data Controller.
1.2. To ensure that the Data Controller’s instructions in respect of any Personal Data can be carried out as required under this Agreement, Omilia has in place appropriate processes and associated technical measures that ensure that the Data Controller’s instructions can be complied with, including the following:
1.2.1. Requests by individual Data Subjects to the Data Controller, or any exercise, from time to time, of privacy rights in respect of their Personal Data, can be implemented;
1.2.2. Provision of appropriate interfaces or support for other processes of the Data Controller in ensuring that information is provided to Data Subjects as required by the applicable Privacy Legislation;
1.2.3. Updating, amending, or correcting the Personal Data of any individual upon request from time to time of the Data Controller;
1.2.4. Cancelling or blocking access to any Personal Data upon receipt of instructions from the Data Controller;
1.2.5. The flagging of Personal Data files or accounts, to enable the Data Controller to apply particular rules to an individual Data Subject’s Personal Data, such as the suppression of marketing activity.
1.3. Omilia complies with applicable Privacy Legislation and any other relevant data protection laws, regulations, and other regulatory requirements, guidance, or statutory codes of practice to which Omilia is subject, and shall not perform its obligations under the Master Agreement in relation to the Personal Data in such a way as to cause the Data Controller to breach any of its obligations under applicable Privacy Legislation.
The regulations and acts on the protection of personal data with which Omilia complies include the following (the list is not exhaustive):
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation”, hereinafter “GDPR”);
- The United Kingdom’s General Data Protection Regulation (UK GDPR), which followed the UK’s departure from the EU and the end of the ‘Transition Period’ on 31 December 2020, and is broadly aligned with the GDPR in its substantive requirements;
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity;
- The California Consumer Privacy Act (CCPA), a state statute intended to enhance privacy rights and consumer protection for residents of California (amended by the California Privacy Rights Act (CPRA) of November 2020), as well as the California Invasion of Privacy Act (CIPA);
- The Virginia Consumer Data Protection Act (VCDPA), which applies to entities that conduct business in Virginia or produce products or services that are targeted to residents of Virginia (“consumers”);
- The Colorado Privacy Act (CPA), which requires the protection of the personal data of Colorado residents;
- The Connecticut Consumer Data Protection Act (CTDPA) (along with Title 36a of the General Statutes of Connecticut, which prescribes requirements for data breach notification), which protects the personal data of Connecticut consumers;
- The Utah Consumer Privacy Act, which protects the personal data of the residents of Utah;
- The Brazilian General Personal Data Protection Law (LGPD);
- South Africa’s Protection of Personal Information Act (POPIA) and Promotion of Access to Information Act (PAIA), which apply to the processing of personal information by or for a responsible party that is domiciled in, or merely makes use of processing means in, the Republic of South Africa;
- The German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), which applies to entities that process personal data in Germany;
- The U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the protection of the health information of US individuals;
- The US Biometrics Privacy Framework, which includes: the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), the Washington Biometric Identifiers Act (RCW), and the New York biometrics regulations (New York City Administrative Code Title 22 Chapter 12);
- The US Finance Privacy Framework, which includes: the Gramm-Leach-Bliley Act (GLBA), Privacy of Consumer Financial Information (Regulation P), the Fair Credit Reporting Act (FCRA), and the Dodd-Frank Act.
1.4. Omilia shall give the Data Controller such cooperation, assistance, and information as the Data Controller may reasonably request to enable it to comply with its obligations under any applicable Privacy Law and to cooperate and comply with the directions or decisions of a relevant Privacy Authority, and in each case within such time as would enable that other party to meet any time limit imposed by the Privacy Authority.
1.5. Prior to commencing the processing, and at any time thereafter, Omilia shall promptly inform the Data Controller if, in its opinion:
1.5.1. An instruction from the Data Controller infringes any applicable Privacy Law; or
1.5.2. Omilia is subject to legal requirements that would make it unlawful or otherwise impossible for Omilia to act according to the Data Controller’s instructions or to comply with applicable Privacy Law.
1.6. Omilia shall not be entitled to reimbursement of any reasonable costs which Omilia may incur as a result of, or in connection with, complying with the Data Controller’s instructions for the purposes of providing the Services and/or with any of its obligations under this Agreement or any applicable Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Omilia is subject.
1.7. Omilia shall provide, within five (5) calendar days following the receipt of the Data Controller’s request, a written record of Personal Data processing by Omilia on behalf of the Data Controller, and such record shall include at minimum:
1.7.1. The name and contact details of Omilia’s data protection officer and, where applicable, of the representative of any Sub-processor involved in the Data Controller’s processing;
1.7.2. The categories of processing carried out on behalf of the Data Controller;
1.7.3. Where applicable, transfers of Personal Data to a third country (where “third country” is any country outside the EU for EU Data Subjects, or any country outside the country of origin of the Personal Data for non-EU Data Subjects), or to an international organization, including the identification of that third country or international organization.
2. PERSONAL INFORMATION SECURITY
2.1. Omilia shall keep Personal Data logically separate from data processed on behalf of any other third party.
2.2. Omilia maintains and shall continue to maintain appropriate technical and organizational security measures to protect such Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and in addition shall comply with the Data Controller Minimum Security Requirements.
3. SECURITY OF COMMUNICATIONS
Omilia undertakes appropriate technical and organizational measures to safeguard the security of any electronic communications networks or services provided to the Data Controller or utilized to transfer or transmit Personal Data (including measures designed to ensure the secrecy of communications, to prevent unlawful surveillance or interception of communications and unauthorized access to any computer or system, and thus to guarantee the security of the communications).
4. OMILIA EMPLOYEES – CONFIDENTIALITY
Omilia shall ensure the reliability of any employees/personnel who access the Personal Data, and that such personnel have undergone appropriate training in the care, protection, and handling of Personal Data and have entered into confidentiality provisions in relation to the processing of Personal Data that are no less onerous than those found in the Master Agreement.
5. PROCESSING OF PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA) AND COUNTRY OF ORIGIN
Where Personal Data originating in the European Economic Area is processed by Omilia outside the European Economic Area or in a territory that has not been designated by the European Commission as ensuring an adequate level of protection pursuant to applicable Privacy Law, the Standard Contractual Clauses (as prescribed by Article 46 of the GDPR, in the form implemented by the valid decision of the European Commission) shall apply to that processing. Omilia shall ensure that the processing of Personal Data does not commence until the Data Controller has confirmed to Omilia that it has obtained any approvals required from the relevant Privacy Authorities.
Where Personal Data originating in a non-EU country is processed by Omilia outside that country of origin (“Third Countries”), Omilia shall ensure an adequate level of protection and compliance. Any such processing of Personal Data shall be subject to security and data protection mechanisms in accordance with the applicable laws of the jurisdiction of origin that shall be deemed sufficient in respect of such Processing.
6. USE OF SUB-PROCESSORS
6.1. Omilia shall not subcontract or outsource any processing of Personal Data to any other person or entity, including Omilia Group Companies (“Sub-Processor”), unless and until:
6.1.1. Omilia has notified the Data Controller by way of formal written notice of the full name and registered office or principal place of business of the Sub-Processor;
6.1.2. Omilia has provided to the Data Controller details (including categories) of the processing to be carried out by the Sub-Processor in relation to the Services, and such other information as may be requested by the Data Controller in order for the Data Controller to comply with applicable Privacy Law or to notify the relevant Privacy Authority;
6.1.3. Omilia has imposed legally binding terms no less onerous than those contained in this Agreement on such Sub-Processor;
6.1.4. The Data Controller has not objected to the subcontracting or outsourcing within ten (10) working days from receiving Omilia’s written notification set forth in Clause 6.1.1, together with the information set forth in Clause 6.1.2; and
6.1.5. Omilia has entered into Standard Contractual Clauses with the subcontracting third party, where the scope of subcontracting involves the Data Controller’s Personal Data being processed or stored by any means in third countries.
6.2. No Sub-Processor shall carry out processing in relation to the Services other than as previously notified to, and not objected to by, the Data Controller.
6.3. If requested by the Data Controller, Omilia shall procure that any third-party Sub-Processor appointed by Omilia pursuant to this Clause 6 enters into a data processing agreement with the Data Controller on substantially the same terms as this Agreement.
6.4. In all cases, Omilia shall remain fully liable to the Data Controller for any act or omission of the Sub-Processor or any other third party appointed by it as if they were the acts or omissions of the Processor, irrespective of whether Omilia complied with its obligations specified in Clause 6.1 above.
6.5. Where a breach of this Agreement is caused by the actions of a Sub-Processor, Omilia shall – if requested by the Data Controller – assign to the Data Controller the rights of Omilia to take action under the Processor’s contract with the Sub-Processor. The Data Controller may take such action as it deems necessary in order to protect and safeguard Personal Data.
7. PERSONAL DATA BREACH AND NOTIFICATION REQUIREMENTS
7.1. Omilia shall notify the Data Controller in writing as soon as possible in the circumstances, but no later than forty-eight (48) hours after becoming aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data (“Security Breach”). Such notification shall include (i) a detailed description of the Security Breach, (ii) the type of data that was the subject of the Security Breach, and (iii) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned). Omilia shall communicate to the Data Controller in such notification (i) the name and contact details of Omilia’s and/or any involved Sub-Processor’s data protection officer or another point of contact where more information can be obtained; (ii) a description of the likely consequences of the Security Breach; (iii) a description of the measures taken or proposed to be taken by Omilia to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and additionally, in such notification or thereafter, (iv) as soon as such information can be collected or otherwise becomes available, any other information the Data Controller may reasonably request relating to the Security Breach.
7.2. Omilia shall immediately investigate the Security Breach and identify, prevent and make best efforts to mitigate the effects of any Security Breach in accordance with its obligations under this Agreement and, subject to the Data Controller’s prior agreement, carry out any recovery or other action necessary to remedy the Security Breach. Omilia shall not release or publish any filing, communication, notice, press release, or report concerning any Security Breach in respect of Personal Data (“Publicity”) without the Data Controller’s prior written approval. The actions and steps described in this Clause 7 shall, without prejudice to the Data Controller’s right to seek any legal remedy (including a claim for reimbursement of the Data Controller’s costs of legal action against Omilia or a Sub-Processor) as a result of the breach, be undertaken at the expense of Omilia, and Omilia shall pay for or reimburse the Data Controller for all costs, losses, and expenses relating to the cost of preparing and publishing Publicity.
8. PRIVACY IMPACT ASSESSMENTS
Where requested to do so by the Data Controller, Omilia shall make available to the Data Controller all information necessary to demonstrate the Data Controller’s compliance with the applicable Privacy Law, shall assist the Data Controller in carrying out a privacy impact assessment of the Services, and shall work with the Data Controller to implement agreed mitigation actions to address the privacy risks so identified.
9. RIGHT TO AUDIT
9.1. Omilia shall, and shall procure that any Sub-Processor shall, permit the Data Controller access to its premises, computer and other information systems, records, documents, and agreements as reasonably required by the Sub-Processor to check that Omilia and/or its Sub-Processors are complying with their obligations under the Master Agreement (or any subsequent sub-processing contract) or any applicable Privacy Law. Any review in accordance with this Clause 9.1 shall not require the review of any third-party data, and shall require that the reviewing entity enters into such confidentiality obligations with Omilia or with the relevant Sub-Processor as may be reasonably necessary to respect the confidentiality of the Processor’s or Sub-Processor’s business interests and of the third-party data and information of which the reviewing entity may become aware in the course of undertaking the review. The Auditing Party shall bear its own costs in relation to such audit unless the audit reveals any non-compliance with the Processor’s or Sub-Processor’s obligations under any applicable Privacy Law, this Agreement or any subsequent sub-processing contract, in which case the costs of the audit shall be borne by the Processor.
9.2. Omilia shall, and shall procure that any Sub-Processor shall, permit at its own cost the Privacy Authorities to conduct a data protection audit with regard to the Processing carried out by Omilia or the Sub-Processor in accordance with the applicable Privacy Law.
10. DELETION OF PERSONAL DATA
10.1. Omilia shall delete Personal Data from the Service(s) in accordance with Omilia’s retention policy and at such other times as may be required from time to time by the Data Controller. In the normal course of data retention, the following timeframes apply:
- 60 days for live data;
- 2 years for security logs;
- 5 years for aggregated data.
10.2. Upon termination or expiry of any of the relevant Services, any remaining Personal Data in respect of such Services shall, at the Data Controller’s option, be destroyed or returned to the Data Controller, along with any medium or document containing Personal Data.
10.3. Upon termination or expiry of the Agreement, any remaining Personal Data shall, at the Data Controller’s option, be destroyed or returned to the Data Controller, along with any medium or document containing Personal Data.
11. NOTICES
11.1. Formal written notices to be given under, or in connection with, this Agreement shall be made in writing in English and shall be deemed to have been duly given: (i) when delivered, if delivered by messenger during the hours of 9.00am to 5.00pm EET; (ii) when sent, if transmitted by facsimile transmission (transmission confirmed) during the hours of 9.00am to 5.00pm EET; and (iii) on the fifth business day following posting, if posted by signed-for (postage prepaid) mail or the equivalent in the country of posting.
11.2. Communications not requiring formal written notices may be conducted by email.
12. THIRD PARTY REQUESTS FOR DISCLOSURE OF PERSONAL DATA
12.1. Requests from governmental authorities or Data Controllers: Omilia shall, and shall procure that the Sub-Processor shall, inform the Data Controller promptly (and in any event within two (2) business days of receipt, or sooner if required to meet any earlier time limit) of any inquiry, communication, request or complaint from:
12.1.1. Any governmental, regulatory or supervisory authority, including Privacy Authorities; and/or
12.1.2. Any Data Controller, relating to the Services, any Personal Data, or any obligations under applicable Privacy Law and any other relevant data protection and privacy law, regulations, and other regulatory requirements, guidance, or statutory codes of practice to which Omilia is subject, and shall provide all reasonable assistance to the Data Controller free of cost to enable the Data Controller to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. Omilia shall not, and shall procure that any Sub-Processor shall not, disclose Personal Data to any of the persons or entities in Clauses 12.1.1 or 12.1.2 above unless it is obliged by law or by a valid and binding order of a court or other legal judicial process to disclose Personal Data and has otherwise complied with the obligations in this Clause 12.1.
12.2. Requests at law: Where Omilia or any Sub-Processor is required by law, court order, warrant, subpoena, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than the Data Controller, Omilia shall, and shall procure that any Sub-Processor shall, notify the Data Controller promptly (and in any event within two (2) business days of receipt, or sooner if required to meet any time limit in the Legal Request) and shall provide all reasonable assistance to the Data Controller to enable it to respond or object to, or challenge, any such demands, requests, inquiries or complaints and to meet applicable statutory or regulatory deadlines. Omilia shall not, and shall procure that any Sub-Processor shall not, disclose Personal Data pursuant to a Legal Request unless it is obliged by law or by a valid and binding order of a court or other legal judicial process to disclose Personal Data and has otherwise complied with the obligations in this Clause 12.2.