Effective: January 1, 2024

 

Purpose of this Privacy Policy

In the course of serving you as an individual client or as someone associated with one of our corporate or institutional clients, Award Solutions, Inc. (“Award”) may obtain some of your personal data or other confidential information that is necessary for us to deliver our services to you and/or our client. Award respects your privacy and has undertaken diligent efforts to protect your personal data that comes into our possession. This Privacy Policy explains how Award collects, uses, stores, transmits and otherwise processes and protects your personal data and other confidential information. This Privacy Policy will be updated from time to time and the effective date of the current version will be shown at the top of the page and/or in the footer.

 

Who we are

Award is a telecommunications training company based in the United States. Award and its subsidiaries and affiliates, located in several countries, including Ireland and India, provide telecommunications training worldwide. Award and its subsidiaries and affiliates who collect, store, use, transmit and otherwise process personal data in connection with Award’s services are referred to herein as “we”, “our” or “us”. We provide training in several ways including: instructor-led training in classrooms, instructor-guided training via a web platform, eLearning via one or more Learning Management Systems (“LMS”) and other platforms, including Award’s website at awardsolutions.com, and training that can be accessed through your computers and personal devices. Training is delivered at several physical locations worldwide. And training is also delivered via the web from other countries, including Ireland and India.

Controller or Processor: We may have an agreement with your employer or its affiliated company to deliver training to its employees, contractors or customers and, in order to deliver training to such individuals, we will be given the names, email addresses, phone number and other personal data in order to facilitate the scheduling and delivery of the training to said individuals, verify attendance and completion of the training and/or to issue training completion certificates. If you reside in the European Union (“EU”), European Economic Area (“EEA”), or in Switzerland, in a country where the EU General Data Protection Regulation (“GDPR”) applies, then, the company that makes the contract with Award will determine the purposes and means of processing the personal data given to us,  that company will be classified as the “controller” of your personal data, and we will be classified as the “processor” of your personal data that said company or you provide to us. Our obligations and your rights with respect to your personal data will be subject to the direction and control of the controller, except as otherwise provided by applicable laws. In some instances, you may deal directly with us, such as when you purchase or take our complementary training from us directly or when you enroll directly with us for our services, products, other offering or for marketing or promotional communications. In such instances, if you are a data subject protected under the GDPR, we will be seen as the controller of your personal data that you share with us. In almost every case, we only need your name and email address for you to obtain our services. We encourage you to not provide any other personal data to us unless we specifically request the additional data from you.

 

Data we Collect, how we Collect it and for what Purpose 

Types of personal dataHow we collect the dataPurposes for which we collect data
Your name and business email address, personal email address, job title, employer’s name, work address, work telephone number.  If you purchase through our website and pay be credit card we may also collect: credit card number and billing address for the credit card that you use.

You provide the data in the profile you create on our website.

 

Your employer provides the data to us.

 

A third party provides the data to us, such as an affiliate of your employer or a reseller from whom you or your employer purchased our services.

 

You provide this data through direct interaction including, in person at seminars or other events, or in your feedback, email, fax, phone, mail, text, other media. 

To communicate with you regarding our services or in response to your requests or as required under contracts. To schedule training delivery, to deliver training materials, to verify your attendance or completion of the training, or to deliver training certificates to you.

 

To send order or registration confirmation, reminders, scheduling changes, cancellation notices, and service messages. To perform a contract we made with you, your employer or its affiliates, or a reseller or other third-party company, to deliver services or products. To comply with our legal obligations, including our record retention obligations. To protect our legitimate interests, including network security and to prevent fraud, infringement, misappropriation and plagiarism.

 

To notify you of a change in our policies, including this Privacy Policy. To notify you of data breaches.  To respond to your requests with respect to your personal data.

User name and password that you use to log in to our system.We or our system may generate this data at your request or at the request of your employer or its affiliates or at the request of a reseller or other third party from whom you purchase our services or materials.To grant you access to our systems, to restrict access by unauthorized persons, and to protect our legitimate interests, including network security and to prevent fraud or theft of services or materials.
Your profile data including your interests and preferences.

From your profile that you created on our website or from requests you made to us or to third parties for our services or materials.

 

You provide this data through direct interaction including, in person at seminars or other events, or in your feedback, email, fax, phone, mail, text, other media. 

To deliver marketing information and materials about course offerings and upcoming events. You will have an opportunity to opt out of receiving marketing communication from us.
Usage data and technical data including: (1)  information about how you use our website or services, your feedback, postings, the comments you leave on message boards, blogs, publications and reviews relating to our system,  services, materials or personnel; and (2) information from your use of our website, including internet protocol (IP) address, referral source, browsing history, length of visit, geographical location, items and number of pages or content viewed, copied, downloaded, stored or purchased.

Our system is configured to capture usage and technical information by use of server logs, cookies and similar technologies that automatically collect technical data when you use or visit our website.

 

This data may also be collected by use of third-party software and services that monitor or capture this data.

To protect and pursue our legitimate interests, including IT administration, monitor storage capacity, system protection, network security, to prevent fraud, infringement, misappropriation, plagiarism, to improve website usability, to enhance visitor and user experience on our website, and to recognize your computer when you visit our website.

Personal Data: Personal data is data about an individual from which that individual can be identified. It does not include data where the identity of the person has been removed (anonymous data or aggregated statistical data).  The following are the types of personal data we collect, how we collect it, and the purposes for which we collect the data.

Failure to Provide Requested Personal Data: You do not have to provide your personal data to us. If you do not provide the personal data we require, you will not be able to access our websites or LMS, receive our services, receive promotional offers or marketing communications from us and we will not be able to accomplish the purposes for which we collect the data, as discussed in the table above.

Aggregated Data and Non-Personal Data: We collect, use, share and otherwise process statistical data for several purposes, including to pursue our legitimate business interests. Aggregated data may be derived in part from your personal data but does not legally constitute personal data because it does not directly or indirectly reveal your identity.

Data we do not Collect: We do not collect or otherwise process information about children.  We do not collect or otherwise process Sensitive Personal Data. “Sensitive Personal Data” is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying you, data concerning your health, data concerning your sex life or sexual orientation, or data relating to your criminal convictions or offenses. We do not collect or otherwise process your banking or payment card information. 

Marketing Use and Opportunity to Opt Out or Unsubscribe: We may use your contact, usage and technical data to market our services and products to you. In most instances, you would have consented to our use of your personal data for marketing purposes either by requesting said information personally, through our website or through a third party. 

If we used your personal data for marketing purposes prior to the effective date of this Privacy Policy, we will give you an opportunity via email or other communication to either renew your consent or otherwise agree to our continued use of your personal data or to unsubscribe. After the effective date of this Privacy Policy, you will also have the opportunity to opt out of our use of your personal data for marketing purposes by clicking the opt out or unsubscribe button in communications we send to you or by you informing our Data Security Office at the link provided in this Privacy Policy of your decision to not receive marketing communications from us. If you unsubscribe, we will discontinue the use of your personal data for marketing purposes. When you unsubscribe or opt out from receiving marketing communications from us, this will not apply to our use of personal data, such as transaction data or non-personal data that may have been derived from personal data, including pseudonymized or anonymous data from which we cannot identify you, to pursue and protect our legitimate interests and to satisfy our contractual and/or legal obligations. If you enter an agreement with us to take our training on a complementary basis in exchange for us marketing to you, we may continue to market to you if you elect to opt out from marketing after you took the complementary training based upon our agreement, unless prohibited by applicable law.

Cookies and other Tracking Technologies: We use cookies and other tracking technologies on our websites, applications, platforms and other systems. A cookie is a text file sent by a web server to a web browser and that is stored by the browser. The text file is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser. We may deploy a cookie that may be stored on the browser on your computer hard drive.

We also use electronic images known as web beacons, including in marketing email messages, to help deliver cookies from our sites, count users who have visited those sites, deliver services, analyze the effectiveness of our promotional efforts and determine if a marketing email message is opened. We also use webserver and application logs to automatically collect certain information to help us administer and protect our services, analyze usage, and improve user experience. By use of cookies and other tracking technologies, we may collect usage and technical data about your use and visits to our website, including internet protocol (IP) address, referral source, browsing history, length of visit, geographical location, items and number of pages or content viewed, copied or downloaded.

We may use the information we obtain from the cookie in connection with the administration of our website, to improve our website’s usability and/or for marketing purposes. We may also use that information to recognize your computer when you visit our website and to personalize the website for you. Most browsers allow you to refuse to accept cookies. You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. Disabling or refusing cookies will have a negative impact upon the usability of the website, as some parts of the website may become inaccessible or not function properly.

Third-party links: Our websites and training portals may provide links or references to third-party websites, plug-ins and applications. The provision of these links does not mean that we endorse the third-party data processing or protection mechanisms or their privacy policies. We do not control any third-party websites or data collection or processing activities. If you visit third-party sites, download their applications or enable the links, you will probably enable third parties to collect, share and otherwise process your personal data. You assume all risks by visiting third-party websites or using or enabling applications or links. You are encouraged to read the privacy policy of every website you visit.           

Authorized Processing:  Generally, processing of your personal data is authorized if and to the extent that at least one of the following applies: (1) you gave consent to process your personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the controller is subject; (4) processing is necessary in order to protect your vital interests or the vital interests of another natural person; and (5) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child.

 

How we Share or Disclose Personal Data

As described in the table above, we only use your personal data for legally permitted reasons. We will share your personal data with our employees and contractors who have a bona fide need to access the personal data in order to administer enrollment for our training classes, to schedule the training delivery, to deliver training materials, to deliver the training, to verify attendance and completion of the training, to issue certificates of completion, for sales communications, and other peripheral services, including invoicing.

In some instances, depending on your location and your purchases from us, we may engage subject matter experts and other personnel of our subsidiary and affiliates located in Ireland, or India, and other contractors located within or outside the United States or EU, EEA or Switzerland, to deliver training services and materials to you, to facilitate the enrollment, scheduling and delivery of the training to you, to issue certificates of completion of the training to you, and for invoicing purposes in which event some of your personal data (usually your name and business email address) will be shared with subject matter experts and other personnel and contractors for said purposes and will or may be stored and otherwise processed at their offices, which may be outside the United States or EU, EEA or Switzerland.

We often use subject matter experts and other personnel from the following affiliates for the purposes shown: Award Solutions EMEA, Ltd - Dublin, Ireland: for training delivery and sales; and Award Solutions India Private Limited – Bangalore, India: for training delivery, scheduling and invoicing.

We also utilize third-party tools and services, through which some of your personal data may be transmitted or otherwise processed, which may be hosted or accessed within and/or outside the United States, EU, EEA or Switzerland, in connection with performing our services and advancing our legitimate business interests, including the following: (a) telephone, teleconferencing and internet platforms for communications, conferences and meetings; (b) services that support our in-person and web-based training services, to enroll for, gain access to and join training sessions, to obtain credit for the training, and to participate in pre-training and post-training evaluations to measure knowledge acquired from the training; (c) using cloud-based storage services whose servers may be located in multiple countries, for storage, access and otherwise processing personal data; (d) email and document file hosting services whose servers may be located in multiple countries; (e) electronic transmission services whose servers may be located in multiple countries; (f) automated travel and expense management tools whose servers may be located in multiple countries, to manage travel for delivery of our services and process scheduling information; (g) sales tools to communicate with our customers’ personnel; (h) tools for invoicing purposes whose servers may be located in multiple countries; and (i) using vendors and service providers to manage, support, maintain and upgrade our websites, LMS and other systems.

 

How we Protect your Data

We are committed to protecting confidential information, including the privacy of your personal data, and we have invested significant resources, time, efforts and money to do so. We have implemented commercially reasonable security measures and other technical and organizational measures to protect against unauthorized access, use, reproduction, alteration, disclosure, dissemination and destruction of data.

The following are some of the central features of our information security program.

1.           We implemented an information security policy and procedures to protect confidential, proprietary and personal data.

2.           We utilize storage and transmission encryption technology to protect confidential, proprietary and personal data at rest and in transit.

3.           Our premises are located in a building that provides physical security and controlled access. We also utilize third-party monitored security cameras and security alarms at our premises.

4.           We require all of our employees and contractors that we use to perform services for us to be bound by written confidentiality and non-disclosure agreements under which they are bound to protect confidential information, including personal data, from unauthorized access, use and dissemination (“NDAs”).

5.           We limit access to personal data to only those of our employees and contractors who have a bona fide need to know the data in order to perform their job functions.

6.           We provide periodic training to our employees and contractors to educate them on these security requirements.

7.           The companies that we use to provide support services, including IT services, are bound by NDAs and we restrict access to personal data on a need-to-know basis.

8.           Our NDAs restrict disclosure of protected information on the “Principle of Least Privilege”, i.e., authorized personnel are given limited and controlled access to only the least amount of confidential information, including personal data, and the lowest level of user right that they can have to perform their essential duties in connection with the approved purposes for which the data was disclosed.

9.           We also anonymize your personal data a reasonable time after we have completed using the data for the purpose for which it was initially disclosed to us. When your data has been anonymized, it is no longer identified with you.

10.        In certain instances, we pseudonymize your personal data so that it can no longer be attributed to you without use of additional information, which additional information is kept separately and is subject to technical and organizational measures to ensure that the pseudonymized personal data is not attributed to you.

11.        Our IT support team regularly monitors and tests our systems infrastructure to detect and correct vulnerabilities and detect and mitigate potential attacks.

12.        We implement controls to identify, authenticate and authorize access to various systems or sites.

13.        When we select third-party tools and services, we use diligent efforts to select nationally and internationally known and reputable providers who give assurances of network security and protection against unauthorized use and disclosure of confidential information, including personal data. If we use smaller, local or regional providers, we also rely on their assurances for these protections, including requiring them to sign an NDA. In any event, in all instances where we use third-party tools and services that may gain access to personal data, we take measures to ensure that appropriate safe guards and technical and organizational measures are in place to maintain network security and protect against unauthorized use and disclosure of confidential information, including personal data. 

 

How Long do we Keep Personal Data

Typically, we retain your personal data for the period necessary to fulfill the purposes for which the data was given to us and for a reasonable time period thereafter, usually about three years, unless you request erasure earlier; after said time period elapses or upon your earlier request, if we are the controller, we will delete your personal data, except in the following circumstances:

(1) if you consent to receive marketing communication from us, we may elect to retain your contact information for such marketing purposes until you revoke your consent as provided in this Privacy Policy;

(2) we may retain some of your personal data to the extent required by applicable laws and regulations, including laws requiring retention of records for certain specific periods of time;

(3) we may retain some of your personal data in order to comply with contracts under which we receive your personal data, such as contracts with your employer (who would be the Controller in that case) to provide training services to you, and to enforce our rights under said contracts, including for the statute of limitations periods;

(4) we may retain some of your personal data indefinitely to support our compliance with this Privacy Policy and applicable laws, including retaining evidence of your consent and your opt-out, unsubscribe, erasure and other rights requests. 

We may delete your personal data if we believe that the personal data is incomplete, inaccurate, or that our continued use and storage are contrary to our obligations. In some instances, we may anonymize, pseudonymize or aggregate your personal data so that the data is no longer identified with you, but the data may remain in our archives for research or statistical purposes and may remain indefinitely for such purposes or if we determine it is not practical or possible to delete it.

 

Transmission of Data to Other Countries 

Award is based in the United States but provides services internationally. Generally, personal data that we collect in the United States will be processed within the United States. Within the United States, Award utilizes third-party services, including internet cloud storage managed by internationally known companies, to store or otherwise process personal data. To our knowledge, said storage and other processing are conducted within the United States. It is likely that such internet and cloud services may store or otherwise process personal data outside the United States. As discussed in this Privacy Policy, your contact data may be used for training scheduling, enrollment, and certification and may be transmitted within and outside the United States for such limited purposes. 

In certain instances, personal data of data subjects who are protected under the GDPR will be processed outside the EU, EEA or Switzerland. We will transfer or process your personal data outside the EU, EEA or Switzerland only if the conditions laid down in the GDPR for such transfers and processing are complied with and applied in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined, including at least one the following conditions:

(1) Adequacy Decision: a decision of the European Commission that a third country, a territory or one or more specified sectors within that third country, or a particular international organization ensures an adequate level of protection. As of the effective date of this Privacy Policy, the European Commission has recognized the following countries as providing an adequate level of protection for the fundamental rights of EU data subjects whose personal data is transferred to those countries or areas or organizations within those countries: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (limited to the EU-US Privacy Shield framework).

(2) Appropriate Safeguards: in the absence of an adequacy decision, the controller or processor may transfer personal data to a third country or international organization only if the controller or processor has provided adequate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Adequate safeguards may be provided as follows: (a) without specific authorization from a supervisory authority, by mechanisms including, among others, (i) binding corporate rules, (ii) standard data protection clauses adopted or approved by the European Commission, (iii) an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or (iv) an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or (b) subject to the authorization from the competent supervisory authority, the appropriate safeguards may be provided by, among other things, contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization. A “supervisory authority” is an independent public authority which is established by an EU Member State pursuant to the GDPR; and

(3) Derogations for Specific Situations: in the absence of an adequacy decision or of appropriate safeguards, a transfer or set of transfers of personal data to third country or international organization shall take place only on certain GDPR specified conditions, including one of the following conditions: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s requests; (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or (d) the transfer is necessary for the establishment, exercise or defense of legal claims.

 

Realities and Risk Assessment

Data Protection by Design and Default: Taking into account the cost of implementation and the nature, context, and purposes of processing your data, we have implemented appropriate technical and organizational measures and safeguards, such as pseudonymization, anonymization and aggregation, we employ the Principle of Least Privilege and we limit access to personal and confidential data on a bona fide need-to-know basis, in order to minimize the processing of your data and to meet our legal requirements and commitments to protect your personal data and other confidential information.   

Realities:  Unfortunately, no data transmission over the Internet, no electronic storage of data and no website, system or facility is fully secure or immune from cyberattack or compromise. Accordingly, and despite our efforts to protect your personal data from unauthorized access, use, or disclosure, we cannot guarantee or warrant absolute security of the personal data that you transmit to us.

Risk Assessment: After giving due consideration and assessment of (1) the limited nature and volume of your personal data (name and email address and no Sensitive Personal Data) that we may process at our location or transfer to or process in a third country, (2) our limited use of said data (for scheduling training and verification of attendance and completion of training), (3) the safeguards and implemented technical and organizational measures that are required to protect said data, and (4) our experiences within the United States and in the other countries where we have operated, we estimate that there is minimal or no risk of material damage to you from our use or other processing of said data within or outside the United States.

 

Consent

If you reside within the EU, EEA or Switzerland and are covered as a data subject under the EU GDPR, we may require your consent to process your personal data. In such instances where we process your data based upon your consent, we require that you freely give your consent for us to process your personal data. Other than your consent, we may also rely on other GDPR-approved bases for processing personal data, including contracts, legal obligations, and legitimate interests. In performing or enforcing our contracts, we will process privacy data of data subjects as provided in said contracts. In some instances, we provide complementary training to data subjects in return for using their personal data to send marketing materials on course offerings and discounts. In other instances, we may have an on-going relationship with a company with whom the data subject in employed and is our contact person for business communication and we will utilize that data subject business contacts for such communications. We rely on those legitimate interests as the legal basis to process your personal data for said purposes.

Consent Given to Award: If you deal directly with Award or its affiliated companies, do not disclose your personal data to us unless you have freely given your consent for us to process your personal data pursuant to this Privacy Policy for one or more of the specific purposes described in this Privacy Policy. Your consent may be given in several ways, including by you clicking an “opt in”, “I agree”, “I consent” or other similar buttons on our websites when you complete or update your profile or when you transact business with us.

You may have given us your consent to use and otherwise process your personal data prior to the effective date of this version of the Privacy Policy. If we processed your personal data prior to the effective date of this Privacy Policy, you can elect to withdraw your consent, to restrict our use of your personal data, or to instruct us to stop using your personal data. In most cases, we would contact you via email and give you the opportunity to either renew your consent or otherwise agree to our continued use of your personal data or to unsubscribe. If you unsubscribe, we will discontinue the use of your personal data except for pseudonymized, anonymized or aggregated data from which we cannot identify you.

Consent Given to a Third Party: In some instances, you will give your consent to another company, such as the controller or your employer or a reseller from whom we receive your personal data. We will assume that your consent was freely given to such company and includes your consent for us to process your personal data pursuant to this Privacy Policy.

Consent Age Requirement: If you are under sixteen (16) years of age, your consent must be given or authorized by the person who holds parental responsibility over you. If you are subject to any law of any state or jurisdiction that sets this minimum age below sixteen (16) years [but in no event below thirteen (13) years of age], then, if you are under that statutory age but not less than thirteen (13) years of age, your consent must be given or authorized by the person who holds parental responsibility over you. Do not provide your consent or personal data if you are under thirteen (13) years of age. In any event, we have no obligation and we do not intend or desire to contract with you unless you are of the age set by applicable law for you to be bound by a contract with us.

 

Your Legal Rights

Under the GDPR, EU data subjects have certain legal rights (or you may also have those or similar rights under other applicable laws), including the following rights:

(1) Right to request access: this right enables you to obtain confirmation from the controller as to whether or not your personal data is being processed, and, if your personal data is being processed, to obtain from the controller access to your personal data, information showing that your personal data is being lawfully processed, and a copy of your personal data undergoing process, provided the right to obtain a copy does not adversely affect the rights and freedoms of others. For any additional copies, the controller may charge a reasonable fee based on administrative cost.

(2) Right to request rectification: this right enables you to obtain from the controller, without undue delay, the correction of inaccurate personal data and to have incomplete personal data completed – subject to our verification of the accuracy of the new personal data you provide to us.

(3) Right to erasure or to be forgotten:  this right enables you to obtain from the controller the erasure of your personal data without undue delay in certain instances, including (a) where the personal data is no longer necessary for the purpose for which it was collected or otherwise processed, (b) you withdraw your consent on which the processing is based, (c) where you have established a right to object to our processing of your personal data and there is no legitimate grounds for us to continue to process your personal data, (d) where we may have unlawfully processed your personal data, and (e) where we are required by law to erase your personal data.

(4) Right to restriction of processing: you have the right to obtain from the controller restriction of processing of your personal data where one of the following applies: (a) where you contest the accuracy of the personal data, you may request the controller to restrict processing for a period to enable the controller to verify the accuracy of the personal data; (b) the processing is unlawful, you oppose the erasure of the personal data and request the restriction of the use of the data instead of erasure; (c) the controller no longer needs the personal data for processing but you need the data to establish, exercise or defend legal claims; (d) you object to processing based on certain specific grounds (see item 7 below) and request the restriction of processing pending verification of whether the legitimate grounds of the controller override your grounds to object. Where processing has been so restricted, you have the right to be informed by the controller before the restriction is lifted.

(5) Right of notification: this right enables you to obtain from the controller, upon your request, information about recipients to whom your personal data had been disclosed and to whom the controller communicated that the personal data has been rectified or erased or its processing restricted at your request.

(6) Right of portability: this right enables you (a) to receive your personal data that you provided to the controller, in a structured, commonly used and machine-readable format and (b) to transmit that personal data to another controller, where the processing was based on your consent and carried out by automated means and the exercise of this right does not adversely affect the rights and freedoms of others. In exercising this right, you may have your personal data transferred directly from one controller to another, where technically feasible.

(7) Right to object to processing: you have the right to object at any time to the following: (a) the processing of your personal data where the objection is based on (i) processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or (ii) processing that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, including profiling based on (i) or (ii); (b) processing of your personal data for direct marketing purposes, including profiling related to such direct marketing, in which event, your personal data may not be processed for such purposes.  The term “profiling” means automated processing of personal data to evaluate a natural person’s personal aspects, in particular to analyze or predict performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

(8) Right to object to automated decision-making, including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right shall not apply if the decision is necessary for entering into or performing a contract between you and a controller or is based on your explicit consent.

(9) Right to withdraw consent at any time: you have the right to withdraw your consent at any time. The withdrawal of your consent shall not affect the lawfulness of processing of your personal data based on your consent that was given before withdrawal of that consent.

Where we are the processor, to exercise your legal rights, you must contact the controller, who may be the entity with whom we contract to provide our services for which your personal data was provided to us, which may be your employer. As a processor, we cannot honor your request without the direction of the controller and we may have to notify the controller of your requests to exercise your rights, except as otherwise required by applicable law. Where we are the controller, we will honor your request pursuant to this Privacy Policy, except as otherwise required by applicable laws or law enforcement personnel.

All requests to us must be directed to our Data Security Office using the information provided below. We will respond to your requests for the exercise of your rights in the time required under applicable laws, giving due regard to our overriding obligations.

Irreversibility of Erasure: If we erase your personal data from our system, upon such erasure we will be unable to recreate your personal data. In such instances, we will not be able to issue to you certificates of completion of our training or to verify your attendance or completion of the training or to evidence any transaction or communication you had with us.

Overriding Requirements: Applicable laws may provide compelling, legitimate grounds for processing personal data for the establishment, exercise or defense of legal claims, which override a data subject’s interests, rights and freedoms. The data privacy laws in some countries may be less stringent than the laws of your country and the government, law enforcement and courts of some countries may be able to access your personal data in certain circumstances. Some court orders, subpoenas, administrative agencies’ orders, or contracts may require us to take certain actions with respect to personal data, including disclosing your personal data, that may be contrary to your requests and instructions and we may have to defer to the foregoing laws, orders or contracts in certain circumstances.  Where we deem appropriate and permissible, we will seek protective orders to protect your personal data from such compelled disclosures. As a processor, we may be required to follow the instructions of the controller. A third-party contract under which we receive your personal data (e.g., a contract with your employer) or applicable laws may require us to retain business records, which may include personal data, for a period that is longer than the period allowed under other laws or regulations or that you prefer.

Presumption of Authenticity: We will rely on the data we have in our file to verify the accuracy of and honor or respond to your requests or instructions, including requests for revocation of your consent, request for rectification of your data or request for erasure of your data. In most cases, that will be your name or email address. We will assume that your request or instruction is authentic if it uses your name or email address that was provided in your profile created when you accessed our system or that was provided to us by a third party who had apparent authority to share your personal data with us, such as your employer or a reseller from whom you obtained access to our services. We rely on you to notify us of an inaccuracy in your information and to promptly correct your profile information or request rectification of your information. In some instances, we will request additional data from you to verify the authenticity of your requests.

 

Breach Notification

In the event we determine the occurrence of a data security incident, if we are the controller of your personal data, we will notify the appropriate supervisory authority of the data breach, as is required under applicable laws or regulations; and if we are the processor, we will notify the controller of the data breach without undue delay. Where the personal data breach is likely to result in high risks to the rights and freedoms of natural persons, if we are the controller, we will notify you of the data breach without undue delay.

 

Complaints

If you are a data subject covered by the GDPR, note that you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. We would appreciate the opportunity to address your complaint before you escalate the matter to a supervisory authority proceeding, so please contact us with your complaint so that we can address it as soon as possible to mitigate any resulting damages.

 

Communications

Our core activities do not consist of processing operations that require regular and systematic monitoring of data subjects on a large scale and do not consist of processing on a large scale of Sensitive Personal Data and, consequently, we are not required under the GDPR to designate a data protection officer.

If you wish to restrict or stop our use of your personal data, for us to erase or rectify your personal data, or to otherwise communicate with us with respect to your legal rights affecting our use of your personal data, please contact our Data Security Office at:

Award Solutions, Inc.

5830 Granite Parkway, Suite 100-37

Plano, Texas 75024

+1 972 664 0727

legal@awardsolutions.com