Bevy takes privacy seriously and is committed to complying with privacy and data protection laws.
The EU GDPR is a comprehensive data protection law that governs the processing of personal data of individuals who are in the European Economic Area (EEA). Following Brexit, the majority of the EU GDPR has been saved into domestic law by virtue of the European Union (Withdrawal) Act 2018 (Section 3). It is now the "UK GDPR" (along with an amended version of the Data Protection Act 2018) which governs data protection in the UK. In addition, Switzerland has its own data protection law, the Swiss Federal Data Protection Act and its corresponding ordinance.
This notice focuses on providing a general overview of Bevy's implemented measures to comply with the EU/UK GDPR (here referred to collectively as the GDPR). Personal data, as defined under the GDPR, includes any information relating to an identified or identifiable individual, which includes information like names, email addresses and phone numbers, location data or online identifiers, among others.
The GDPR distinguishes between "controllers" and "processors". The difference between these roles is important, because each has different responsibilities. In simple terms, a "controller" makes decisions about personal data: it decides "how" and "why" data is processed. By contrast, a "processor" only processes personal data on behalf of a controller: it is generally a service provider and only uses the data as instructed by its controller.
In some situations, Bevy may act as a controller under the GDPR. For example, if you sign up to attend an event via the CMX Website, we may be a controller with respect to the personal data you share with us.
In other situations, Bevy may act as a processor. For example, if a customer contracts with Bevy for access to the Bevy Service and shares personal data with Bevy, the company may be the controller with respect to such data and Bevy may be a processor. This means that Bevy, in addition to complying with its customers' processing instructions, needs to comply with the legal obligations that apply to processors under the GDPR.
Individuals are entitled to certain rights under the GDPR. These include, for example, the rights to access, correct and delete their personal data, and to restrict or object to processing of their personal data.
As a matter of law, these rights can only be exercised against controllers rather than processors. Accordingly, we have an approach in place to handle data subject rights requests made to Bevy, whether in its capacity as a controller (where we handle the requests directly) or a processor (where we will refer the request back to our customer, the controller).
The GDPR requires that controllers and processors implement appropriate technical and organisational measures to protect personal data. These measures must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to individuals.
Bevy has put in place a number of robust security measures to protect personal data. These include:
You can read more about our security practices here.
Where we process personal data on behalf of our customers and we act as a processor, we make a Data Processing Addendum (DPA) available as part of the contracting process. Our DPA contains the required provisions under the GDPR.
Where we act as a processor, we require appropriate security due diligence to ensure that our customers' information remains protected. As such, sub-processors are part of our overall risk management process and vendor risk assessments occur at a minimum prior to vendor selection, upon relevant changes (such as our own requirements or noteworthy changes in their security posture) or annually.
You can find a list of our sub-processors in our DPA.
International Data Transfers
The EU GDPR places restrictions on the transfer of personal data outside the European Economic Area (EEA) to non-EEA recipients unless an adequacy decision or appropriate transfer mechanisms are in place. This requirement may apply where, for example, we receive information from a customer based in the EEA and the customer's information is stored on our US servers.
Where we are party to a transfer of personal information originating in the EEA, the UK (and Gibraltar) and Switzerland to third countries and territories which have been formally recognized as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” and “adequacy regulations” from the European Commission, Swiss and UK authorities. This includes relying on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.
Where the transfer is not or cannot be subject to an adequacy decision, we take appropriate safeguards to ensure that your personal information will remain protected in accordance with applicable laws. These safeguards include implementing the European Commission’s Standard Contractual Clauses as issued on 4 June 2021 under Article 46(2) GDPR for transfers originating in the EEA and Switzerland; and the UK Addendum under Article 46(2) of the UK GDPR for the transfer of data originating in the UK.
Our Standard Contractual Clauses entered into by our group companies and with our third-party service providers and partners can be provided upon request. Please note that some sensitive commercial information will be redacted.
EU-U.S. Data Privacy Framework, UK Extension and Swiss-U.S. Data Privacy Framework
Bevy Labs, Inc. has certified to the U.S. Department of Commerce that it adheres to: (i) the EU-U.S. Data Privacy Framework Principles with regards to the processing of personal information received from the EEA in reliance on the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), (ii) the UK Extension to the EU-U.S. DPF with regards to the processing of personal information received from the UK (and Gibraltar), and (iii) the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") with regards to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF. The Federal Trade Commission has jurisdiction over our compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
We have also taken steps to ensure that our contracts with vendors incorporate the terms required by the GDPR and an appropriate data transfer mechanism, as well as implemented internal data protection policies to address GDPR requirements.
Please reach out to firstname.lastname@example.org with further questions and/or feedback.