1. General Information
1.1 Introduction and General Terms
Calligo Limited, its subsidiaries and associated businesses (Calligo and we) are committed to protecting your Personal Data and your privacy. We endeavour to ensure that any Personal Data we collect about you will be held and processed strictly in accordance with applicable data protection legislation,
Calligo Limited is headquartered in Jersey in the Channel Islands therefore all personal data we process is held in accordance with local laws that implement the European General Data Protection Regulation (“GDPR”). We also ensure that we comply with any other applicable local law governing personal data protection such as the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in Canada (“Applicable Local Laws”). Please see the section “Additional Information required under the GDPR” and “Additional Information required under PIPEDA” below, for further information on the rights that may apply to you under these laws.
The terms Personal Data, Data Controller and processing have the meanings given to them in the GDPR (which can be accessed here), unless otherwise indicated.
Calligo has created this Privacy Notice which explains how and why we collect Personal Data about you (“Your Data”), what that data is, under what circumstances we may disclose or transfer it, and how long we store it for.
1.2 What does this Notice cover?
At Calligo we collect and process Personal Data in a number of ways so this notice is layered to allow you to find the information that is most relevant to your situation. Please read this general information section then click on the heading below that is most appropriate for you situation, to find out more.
Note that this Privacy Notice does not cover Personal Data that we may process on behalf of our clients or customers who use our cloud infrastructure services (“Cloud Services”). If an organisation uses our Cloud Services and you have questions regarding the Personal Data held, please contact that organisation in the first instance. We cannot erase your Personal Data or provide you with details of the Personal Data held about you in our Cloud Services without an instruction to do so from our customer so please contact them in the first instance.
1.3 How do I contact Calligo?
If you have any queries regarding this notice or complaints about our use of Your Data, please contact us at email@example.com or at the address below and we will do our best to deal with your complaint or query as soon as possible.
Chief Privacy Officer
Block 3, The Forum,
1.4 Will Calligo share my Personal Data with anyone else?
Other than as set out below, we hold Personal Data on Calligo’s own secure servers in the Channel Islands.
In certain limited circumstances, however, it may be necessary for us to share Your Data with the recipients set out below. We may also share it with the third parties identified in Section 2 of this Notice. All third parties with whom we share Your Data are required to protect it strictly in accordance with applicable data protection law and, where the third party is acting as our data processor, they may only use it for specified purposes and in accordance with our instructions.
1.4.1 Calligo Group entities
We may share Your Data with our other group entities, details of which are available here. We have adopted an intragroup agreement, which ensures all Personal Data transferred across the group is protected to the same high standards, even if not required by the local data protection legislation.
We occasionally make use of consultants who may have access to Your Data if it is necessary for the service they provide.
In relation to any other third parties, we will only share Your Data with your consent or in the following circumstances:
1.4.3 Where we are required to do so for legal reasons
We will share personal information with companies, organisations or individuals outside Calligo if we have a belief in good faith that access, use, preservation or disclosure of the information is reasonably necessary to:
- meet any applicable law, regulation, legal process or enforceable governmental request.
- enforce applicable Terms of Service, including investigation of potential violations.
- detect, prevent or otherwise address fraud, security or technical issues.
- protect against harm to the rights, property or safety of Calligo, our users or the public, as required or permitted by law.
1.4.4 Where it is necessaryin connection with legal proceedings
We may share Your Data with certain third parties where it is necessary for the purpose of, or in connection with legal proceedings or in order to exercise our legal rights.
1.4.5 If we sell our business, go out of business, list the company or merge with another company
1.5 Data Security
We have put in place appropriate security measures to prevent Your Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to Your Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Your Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
1.6 How long will Calligo keep my information?
Unless otherwise indicated in Section 2 below, we will hold Your Data on our systems for as long as is necessary for the relevant activity for which it was collected. After this time we may retain Your Data for a further period of a maximum of 10 years in order to comply with legal record keeping requirements. In limited circumstances, we may keep Your Data for longer than this if we have identified a legal, regulatory or technical reasons why this is necessary.
In the case of marketing communications, your data will be held for as long as is set out in the data receipt you will have received when giving your consent for us to use Your Data.
1.7 How to access, correct or delete Your Data
You can request access to all the Personal Data that Calligo has collected from you directly or indirectly, by contacting us using the contact details set out above. You can also request that we correct or delete Your Data in the same way.
For EU Residents, please see the section “Additional Information for EU Residents” for further information on your rights to access, correct or delete Your Data under the GDPR.
1.8 Your duty to inform us of changes
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.
1.9 Your choices and opt-outs
You can opt out of receiving marketing emails from us at any time. You can opt out of our marketing emails by clicking the ‘unsubscribe’ link at the bottom of our marketing messages.
Also, all opt out requests can be made by emailing us at firstname.lastname@example.org.
Please note that it may take up to 3 days to remove you contact information from our marketing communications lists, so you may receive correspondence from us for a short time after you make a request.
1.10 Changes to this Privacy Notice
We keep our privacy notice under regular review. This version was last updated on 18 December 2018. Historic versions are archived here.
If material changes are made to the Privacy Notice, for instance affecting how we would like to use Your Data, we will provide a more prominent notice (including, for certain services, email notification of Privacy Notice changes).
2. How do we collect your data?
At Calligo, we collect and process Personal Data in a number of ways. To help you find the information that is most relevant to your situation, we have separated our policy into a number of sections depending on how you interact with us. Please click on the heading below that is appropriate for your situation to find out more.
2.1 You are engaging with us as a potential customer or prospect
2.1.1 What does this section cover?
This section of our Privacy Notice sets out information relating to the data we collect from or about you when you interact with us as a prospective customer or if you belong to an organisation we have identified as potentially interested in our services.
This includes Personal Data collected in the following ways:
- when you download our marketing materials through our website or another party’s website;
- when you use the “Enquiry” form on the website;
- when you use our live chat function on the website;
- when you request information regarding our services via post, email or telephone;
- when you contact us or provide Your Data in relation to a marketing event we are running or sponsoring; or
- when you provide us with your business card.
2.1.2 How do we collect Your Data?
We collect certain Personal Data directly from you at the point at which you interact with us.
We also use public sources, social media, marketing services firms and media publishers to obtain Personal Data relating to people at organisations we believe may be interested in our services. A list of the third party sources we use is available on request.
In some circumstances, we may also obtain your Personal Data as a result of a referral from an existing Client.
Where you have provided your Personal Data to a third party who is collecting it on our behalf (such as EventBrite), we will collect certain Personal Data about you from that third party.
2.1.3 What Personal Data do we collect?
The Personal Data we collect will depend how you are interacting with us but, in general, this will include:
- First name;
- Last name;
- Job Title;
- Company Name;
- Email address;
- Telephone number; and
If you voluntarily provide additional Personal Data to us, we will also collect and hold that data in accordance with this Privacy Notice.
2.1.4 What do we use the Personal Data for?
We use Your Data in order to provide you with the information that you have requested, to respond to the request or enquiry you have submitted or to contact you in relation to the event you are attending. We may also use the Personal Data to contact you about the service in which you have shown an interest or to send you other similar marketing materials. Our legal basis for using Your Data in this way is that it is necessary for the purposes of our legitimate interest of running our business and increasing our customer base.
Where you have indicated your consent to it, we may also use Your Data to send you other online resources or marketing materials which we believe may be of interest to you. Our legal basis for using Your Data in this way is consent. You can unsubscribe from our emails at any time using the “unsubscribe” button at the bottom of the email. If you are an EU Resident, please see the section “Additional Information for EU Residents” below, for further information on how you can withdraw your consent.
2.1.5 Who do we share this Personal Data with?
We use a third party company to support our search engine optimisation and website performance and this party may have limited access to the Personal Data you submit through our website as a result.
We also use a third party automated email provider to send out marketing communications on our behalf.
All third parties with whom we share Your Data are required to protect it in accordance with applicable data protection law and, where the third party is acting as our data processor, they may only use it for specified purposes and in accordance with our instructions.
2.2 You are a customer of Calligo
2.2.1 What does this section cover?
This section of our Privacy Notice sets out information relating to the data we collect from or about you when you become, or the organisation you work for becomes, a customer of Calligo.
2.2.2 How do we collect Your Data
We collect Personal Data about you when you create an account using Calligo’s service portal, Viaje, or when you provide such Personal Data to us in order to become a customer of ours. We also collect Your Data when you raise a support ticket with us.
If you work for an organisation that has signed up for our services, we may receive Personal Data about you from other members of your organisation.
2.2.3 What Personal Data do we collect?
We collect the Personal Data necessary to provide you with the service you have requested or to support the service, which may include the following:
- First Name;
- Last Name;
- Email address;
- Telephone or mobile number (if voluntarily provided);
- Access permissions;
- Whether you are authorised to make changes to our service
If you voluntarily provide additional Personal Data to us, we will also collect and hold that data in accordance with this Privacy Notice.
2.2.4 What do we use the Personal Data for?
We use Your Data to provide you with the services you, or the organisation your work for, has requested. This may include using Your Data to manage our relationship with you and for service administration purposes (e.g. to provide you with reports or password reminders, or to notify you that a particular service, activity or online content has been suspended for maintenance). We may also use Your Data to contact you in relation to any support queries you raise. Our legal basis for using Your Data in this way is that it is necessary for the performance of a contract to which you are subject.
We provide regular emails to keep you updated with information about Calligo and other services we provide which we think you, or your organisation, may be interested in and to let you know about Calligo services. From time to time we may also contact you to ask your views on issues affecting Calligo. We may personalise the message content based upon any information you have provided to us and your use of Calligo platforms. Our legal basis for using Your Data in this way is that it is necessary for the purposes of our legitimate interest of running and improving our business.
You can opt out from these communications at any time. You may either use the unsubscribe mechanism in any of the communications you receive, or contact email@example.com
Your Calligo Account
As part of the contractual services Calligo provides, you may have registered for a Calligo account. This will also allow you to login to Viaje. You might be asked to use your Calligo Account on other Calligo services to enable you to sign in and seamlessly enjoy Calligo services.
For as long as Calligo is providing services to you, an account with an associated named individual is a necessary part of delivering that service and you cannot delete your account. However, any individual’s Personal Data may be removed wherever requested, provided an alternative named individual is provided. If you delete your Calligo account then Your Data will be deleted in timeframes in accordance with local laws, and the remaining information is anonymised for analytical purposes. Deleting your Calligo service account will not delete the data you shared with Calligo for reasons that are not connected with that service. For example, if you download marketing collaterals or register for events. To delete non-service-related information as well, please contact us using the contact details in paragraph 1.3 above.
2.3. You have contacted us in relation to a data protection query for one of our privacy clients
2.3.1. What does this section cover?
Calligo act as a Data Protection Officer for a number of organisations, as part of the privacy services we provide. When you contact us in this capacity, we will be the Controller of any of the personal data you submit to us. This section also covers any Personal Data we may receive from our clients, or have access to, whilst fulfilling our DPO role.
2.3.2. How do we collect Your Data?
Your Data will usually be collected when you submit an email to our privacy client’s privacy email address.
We may also receive limited personal data about you from our privacy clients, or have access to it, where it is required in order to fulfil our statutory requirements as a DPO (for example, where we need to investigate whether a complaint has been dealt with appropriately).
2.3.3. What Personal Data do we collect?
We will receive whatever Personal Data you include in your email to us but generally this will include:
- Your name;
- Your email address;
- Details of your query/complaint;
In limited circumstances, we may also have access to any Personal Data included in a response to a Subject Access Request that you have made to our client.
2.3.4. What do we use that Personal Data for?
We use Your Data in order to comply with our legal obligations under Article 39 of the GDPR.
2.3.5. Who do we share Your Data with?
In certain circumstances, we may need to share Your Data with a Supervisory Authority. For example, if we need to cooperate with a Supervisory Authority in relation to a complaint you have lodged.
3. Additional information required under the GDPR
3.1 Your privacy rights
Under the GDPR (or equivalent local legislation that implements or adopts the GDPR), data subjects have certain rights with respect to their Personal Data, including those set forth below.
- right to request access – you may obtain confirmation from us as to whether or not Your Data is being processed and, where that is the case, access to Your Data;
- right to rectification – you have the right to obtain rectification of inaccurate Personal Data we hold concerning you;
- right to erasure – you have the right to obtain the erasure of Your Data without undue delay in certain circumstances
- right to restriction of processing or to object to processing – you may require us to restrict the processing we carry out on Your Data in certain circumstances or to object to us processing Your Data;
- right to data portability – you have the right to receive Your Data in a structured, commonly used and machine-readable format;
- right to withdraw consent – where you have provided your consent to us processing Your Data, you have the right to withdraw your consent at any time. This can be done by emailing firstname.lastname@example.org at any time;
- right to lodge a complaint – you may lodge a complaint with the supervisory authority in the EU Member State where you are resident or where you work. For further information on your rights, please see the supervisory authority of your country or EU Member State. The relevant supervisory authorities for the UK, Jersey, Guernsey and Luxembourg are set out below and their websites contain the relevant contact details:
- United Kingdom – the Information Commissioner’s Office whose contact details can be found on their website which can be viewed here – https://ico.org.uk/
- Jersey – the Office of the Information Commissioner whose contact details can be found on their website which can be viewed here – https://oicjersey.org/
- Guernsey – the Office of the Guernsey Data Protection Commissioner whose contact details can be found on their website which can be viewed here – https://dataci.gg/
- Luxembourg – the National Commission for Data whose contact details can be found on their website which can be viewed here – https://cnpd.public.lu/en.html.
3.1.1 No fee usually required
You will not have to pay a fee to access Your Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
3.1.2 What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
3.1.3 Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.2 International transfers of Personal Data
In certain circumstances, we may transfer Your Data to countries outside the EEA, which may not adhere to the same levels of data protection to which countries within the EEA are subject. Any such transfers are, at all times, made in accordance with the GDPR and/or Applicable Local Laws. Details of the circumstances and mechanisms in place to ensure compliance are set out below:
3.2.1 Calligo Group Companies
In addition to our EU offices, we also have offices in Jersey, Guernsey, the United States and Canada. Our central servers are also located in Jersey. The European Commission has ruled that Jersey, Guernsey and Canada offer adequate levels of data protection in their domestic legislation and transfers to these jurisdictions are, therefore, permitted under the GDPR and/or Applicable Local Laws.
We have also put in place an intercompany agreement which contains the Standard Contractual Clauses approved by the European Commission to ensure that all transfers of Personal Data to any member of the Calligo group are protected to the same level as required under European data protection legislation.
3.2.2 Third party suppliers
Some of our third party suppliers are based outside the EEA. Whenever we transfer Your Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
Please contact us if you want further information on the specific mechanism used by us when transferring Your Data out of the EEA.
4. Additonal information required under PIPEDA
4.1. Your privacy rights
Under PIPEDA, data subjects have the following rights:
- Right to access-you have the right to access your personal information held by Calligo and how it is used;
- Right to rectification – if you can successfully demonstrate the inaccuracy or incompleteness of your personal information, we shall amend the information accordingly;
- Right to withdraw consent – where you have provided your consent to us processing Your Data, you may withdraw your consent at any time. This can be done by emailing email@example.com at any time;
- Right to lodge a complaint – if you feel we have infringed PIPEDA, you may lodge a complaint with the relevant privacy commissioner in Canada as set out below and their websites contain the relevant contact details: