Privacy Policy

Last updated: May 23, 2023

Table of contents

  1. Name and address of the person responsible
  2. Contact details of the data protection officer
  3. General information on data processing
  4. Rights of the data subject
  5. Use of cookies
  6. E-mail contact
  7. Contact form
  8. Application by email
  9. Use of company appearances in job-oriented networks
  10. Hosting

1. Name and address of the person responsible

The person responsible under the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and other data protection regulations is:

Calin Coman-Enescu
37-41 Mortimer St
W1T 3JH, United Kingdom
+44 20 7139 4404
info@behaviourlab.com

behaviourlab.com

2. Contact details of the data protection officer

The entity designated for handling data protection is:

DataCo International UK Limited
Suite 1, 7th Floor, 50 Broadway
London, United Kingdom
SW1H 0BL
+44 20 3514 6557
privacy@dataguard.co.uk

dataguard.co.uk

3. General information on data processing

Scope of processing of personal data

In principle, we only process the personal data of our users to the extent that this is necessary to provide a functional website and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies in such cases in which it is not possible to obtain prior consent for actual reasons and the processing of the data is required by statutory provisions.

Legal basis for processing personal data

Insofar as we obtain the consent of the person concerned for the processing of personal data, Article 6(1)(a) GDPR and UK GDPR serves as the legal basis.

Article 6(1)(b) GDPR and UK GDPR serves as the legal basis for the processing of personal data required to fulfil a contract to which the data subject is a party. This also applies to processing operations that are necessary to carry out pre-contractual measures.

Insofar as processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Article 6(1)(c) GDPR and UK GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR and UK GDPR serves as the legal basis.

In the event that it is necessary to process personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the person responsible, Article 6(1)(e) GDPR and UK GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the person concerned do not outweigh the first interest, Article 6(1)(f) GDPR and UK GDPR serves as the legal basis for the processing.

Data Erasure and Storage Duration

The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage no longer applies. Storage can also take place if this has been provided for by the international, European or national legislators in privacy regulations, laws, or other regulations to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

4. Rights of the data subject

If personal data is processed about you, you are the data subject within the meaning of the GDPR and the UK GDPR, and you have the following rights vis-à-vis the person responsible:

The right to access (Article 15 GDPR and UK GDPR)

You have the right to request confirmation from us as to whether personal data relating to you is being processed.

If this is the case, you have a right to information about this data and the following information:

  • The purposes for which personal data is processed.
  • The categories of personal data being processed.
  • Recipients or categories of recipients to whom personal data has been or will be disclosed.
  • Planned storage period or, if not possible, the criteria for determining this period.
  • The existence of the rights to rectification, erasure, restriction, or objection of processing of personal data.
  • Right to lodge a complaint with the competent supervisory authority.
  • If applicable, the origin of the data (if collected from a third party).
  • If applicable, the existence of automated decision-making including profiling with meaningful information about the logic involved, the scope and the expected effects.
  • Details of any transfer of personal data to a third country or international organisation, and the appropriate safeguards relating to the transfer.

Right to rectification (Article 16 GDPR and UK

If your personal data is incorrect or incomplete, you have the right to request an immediate correction or addition of the personal data.

Right to restriction of processing (Article 18 GDPR and UK GDPR)

If one of the following conditions is met, you have the right to demand that the processing of your personal data be restricted:

  • You contest the accuracy of your personal data for a period that enables us to verify the accuracy of the personal data.
  • In the context of unlawful processing, you reject the deletion of the personal data and instead request that the use of the personal data be restricted.
  • We no longer need your personal data for the purposes of processing, but you need your personal data to assert, exercise or defend your legal claims.
  • If you have lodged an objection to the processing, for the duration of the examination as to whether our legitimate interests outweigh your interests.

If the processing of personal data concerning you has been restricted, this data may – with the exception of data storage – only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest.

If the processing has been restricted according to the aforementioned conditions, you will be informed by the person responsible before the restriction is lifted.

Right to erasure / right to be forgotten (Article 17 GDPR and UK GDPR)

If one of the following reasons applies, you have the right to request the deletion of your personal data:

  • Your data is no longer necessary for the processing purposes for which it was originally collected.
  • You revoke your consent and there is no other legal basis for processing.
  • You object to the processing and there are no overriding legitimate interests for the processing or you object in accordance with Article 21(2) GDPR and UK GDPR with respect to direct marketing.
  • Your personal data is being processed unlawfully.
  • Erasure is necessary to comply with a legal obligation to which we are subject.
  • The personal data was collected in relation to information society services offered in accordance with Article 8(1) GDPR and UK GDPR.

Please note that the above reasons do not apply if the processing is necessary:

  • To exercise the right to freedom of expression and information.
  • To fulfil a legal obligation or to perform a task that is in the public interest and to which we are subject.
  • For reasons of public interest in the field of public health.
  • For archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes.
  • To assert, exercise or defend legal claims.

Right to data portability (Article 20 GDPR and UK GDPR)

You have the right to receive your personal data in a structured, common, and machine-readable format. You also have the right to request transmission of your personal data to another person responsible, where:

  • The processing of your personal data is based on consent or the performance of a contract; and
  • The processing is carried out by automated means.

Please note, however, that this right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the person responsible.

Automated decisions on a case-by-case basis, including profiling (Article 22 GDPR and UK GDPR)

You have the right to not be subject to a decision based solely on automated processing – including profiling – that will have a legal effect or substantially affect you in a similar manner. This does not apply if the decision:

  • Is required for the conclusion or execution of a contract between you and the person responsible.
  • Is permitted by legislation to which we are subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests.
  • Is based on your explicit consent.

However, these decisions must not be based on special categories of personal data under Article 9(1) GDPR and UK GDPR, unless Article 9(2)(a) or Article 9(2)(b) GDPR and UK GDPR applies, and reasonable measures have been taken to protect your rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in the points above, we must take appropriate measures to uphold your rights and freedoms as well as your legitimate interests, including the right to obtain assistance us, to express your opinion on the matter, and to contest the decision.

Right to object to certain data processing (Article 21 GDPR and UK GDPR)

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on Article 6(1)(e) or (f) GDPR and UK GDPR. This also applies to profiling based on these provisions.

Right to lodge a complaint with a supervisory authority (Article 77 GDPR and UK GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR or UK GDPR. The supervisory authority to which the complaint was lodged will inform the complainant about the status and the results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR and UK GDPR.

If you are located in the United Kingdom, you have the right to complain to the Information Commissioner's Office (ICO) if you are unhappy with how we have used your data and/or believe that the processing of the personal data concerning you violates the applicable law. The ICO's address:

Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Helpline number: 0303 123 1113 ICO website: https://www.ico.org.uk

5. Use of cookies

We want to process as little personal information as possible when you use our website. That's why we've chosen Fathom Analytics for our website analytics, which doesn't use cookies and complies with the GDPR, ePrivacy (including PECR), COPPA and CCPA. Using this privacy-friendly website analytics software, your IP address is only briefly processed, and we (running this website) have no way of identifying you. As per the CCPA, your personal information is de-identified. You can read more about this on Fathom Analytics' website.

The purpose of us using this software is to understand our website traffic in the most privacy-friendly way possible so that we can continually improve our website and business. The lawful basis as per the GDPR is "Article 6(1)(f); where our legitimate interests are to improve our website and business continually." As per the explanation, no personal data is stored over time.

6. E-mail contact

Description and scope of data processing

It is possible to contact us via the email address provided on our website. In this case, the user's personal data transmitted with the email will be stored.

The data will only be used to process the conversation.

Purpose of data processing

If contact is made by email, this also constitutes the necessary legitimate interest in the processing of the data.

Legal basis for data processing

The legal basis for the processing of the data that is transmitted in the course of sending an e-mail is Article 6(1)(f) GDPR and UK GDPR. Our legitimate interest is to optimally answer your inquiry that you send by e-mail.

If the e-mail contact is aimed at concluding a contract, the additional legal basis for processing is the performance of a contract, under Article 6(1)(b) GDPR and UK GDPR.

Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. For the personal data sent by email, this is the case when the respective conversation with the user has ended. The conversation is over when it can be inferred from the circumstances that the facts in question have been finally

The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

Possibility of objection

If you contact us by email, you can object to the storage of your personal data at any time. In such a case, the conversation cannot be continued.

Users may revoke consent or object to data processing by sending a written request to dpo@behaviourlab.com.

All personal data that was saved in the course of making contact will be deleted in this case.

7. Contact form

Description and scope of data processing

There is a contact form on our website which can be used to contact us electronically. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and saved.

At the time the message is sent, the following data is stored:

  • E-mail address
  • Name
  • Organisation
  • Date and time of contact

Alternatively, you can contact us via the email address provided. In this case the personal data of the user transmitted with the email will be stored. The data will be used exclusively for the processing of the conversation.

Purpose of data processing

The processing of the personal data from the input mask serves us exclusively for the purpose of establishing contact. If you contact us by email, this also constitutes our necessary legitimate interest in the processing of the data.

The other personal data processed during the sending of the communications via the contact form serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

Legal basis for data processing

The legal basis for the processing of data transmitted while sending communications via the contact form is Article 6(1)(f) GDPR and UK GDPR. If the purpose of the contact is to conclude a contract, the additional legal basis for the performance of a contract is Article 6(1)(b) GDPR and UK GDPR.

Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.

The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

Possibility of

If you contact us via the input mask in the contact form, you can object to the storage of your personal data at any time.

Users may revoke consent or object to data processing by sending a written request to dpo@behaviourlab.com.

All personal data that was saved in the course of making contact will be deleted in this case.

8. Candidate Application by email

Scope of processing of personal data

You can send us your application by email. We record your e-mail address and the data you provided in the e-mail.

We also offer an applicant/talent pool, which involves the processing of the following personal data.

  • Salutation
  • First name
  • Surname
  • Address
  • Telephone / mobile number
  • E-mail address
  • Information on education and schooling
  • Linguistic proficiency
  • CV
  • Testimonies / referrals

Purpose of data processing

The processing of the personal data provided via your email application and the application serves us solely to process your application.

Legal basis for data processing

The legal basis for the processing of your data is the initiation of a contract, in accordance with Article 6(1)(b) of the GDPR and UK GDPR, which takes place at the request of the person concerned with the submission of their application.

The legal basis for the processing of data in the context of the applicant pool is the applicant’s express declaration of consent, in accordance with Article 6(1)(a) and Article 7 GDPR and UK GDPR. You can revoke your consent at any time with effect for the future.

Duration of storage

After completion of the application process, the data will be stored for up to six months. Your data will be deleted after six months at the latest. In the event of a legal obligation, the data will be stored within the framework of the applicable provisions.

Exercising Your Rights

Through the provision and processing of your personal data, you have various rights under the GDPR and UK GDPR. For further information, please see the section above on Rights of the Data Subject.

9. Use of company appearances in job-oriented networks

Scope of data processing

We use the possibility of company appearances in job-oriented networks.

We maintain a corporate presence on the following professional networks:

LinkedIn
Unlimited Company Wilton Place
Dublin 2
Ireland

On our site we provide information and offer users the opportunity to communicate.

The company website is used for applications, information/PR and active sourcing with respect to potential talent candidates. We have no information on the processing of your personal data by the companies jointly responsible for the company's appearance. If you carry out an action on our company website (e.g. comments, posts, likes, etc.), you may make personal data (e.g. real name or photo of your user profile) public.

Legal basis for data processing

The legal basis for the processing of personal data for the purpose of communicating with customers and interested parties is legitimate interests under Article 6(1)(f) GDPR and UK GDPR. Our legitimate interest is to answer your inquiry optimally or to be able to provide the requested information. If contact is aimed at concluding a contract, the additional legal basis of performance of a contract will apply for processing, in accordance with Article 6(1)(b) GDPR and UK GDPR.

Purpose of data processing

Our corporate identity serves to inform users about our services. Every user is free to publish personal data through activities.

Duration of storage

We store your activities and personal data published on our company website until you revoke your consent. In addition, we comply with the statutory retention periods.

Possibility of objection

You can object to the processing of your personal data that we collect as part of your use of our company website at any time and assert your data subject rights as detailed in the section about on Rights of the Data Subject. To do this, send us an informal email to the email address given in this privacy notice.

You can find more information on how to exercise your rights with LinkedIn in their data protection declaration:

LinkedIn's Privacy Policy

10. Hosting

The company website is hosted on servers by a service provider commissioned by us.

Our service provider is AWS.

The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website. The information stored is:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Date and time of the server request
  • IP address

This data is not merged with other data sources, and is collected on the basis of Article 6(1)(f) GDPR and UK GDPR. Our legitimate interest in processing this data is to display our website correctly and to optimise its functions.

The website server is geographically located in Ireland.