Last Updated: June 17, 2020
The primary goal of Processing Personal Data is to identify authorized users (logged in users) of Meetter platform, so they can benefit from its functionalities as per their user profile.
Personal Data is exclusively Processed under the scope and purpose of agreed Services between Meetter and either the Data Subject’s employer via a Services Contract (where a Corporate Client of Metter) or the Data Subject him/ herself (natural person to whom such Data pertains to) via either a Contract or Explicit Consent towards required Personal Data Processing Activities.
Regardless of which of the above applies, each and every Data Subject maintains full control over the Personal Data that pertains to him/ her as well as the Personal Data Processing Activities undertaken by Meetter (as defined under the European General Data Protection Regulation [GDPR] as Data Subject’s Rights and also the rights described under the California Consumer Protection Act[CCPA]).
I. Data Collection
II. Who is the Data Controller of your data?
III. What data do we process?
IV. For what purposes do we process your data?
V. What third parties can receive my data?
VI. International Data Transfers and Safeguards Employed
VII. Retention periods
VIII. Rights of Data Subjects
We use information about you for the following purposes:
- Provide, maintain, and improve our services;
- Provide services you request, process transactions, and to send you related information;
- Send you technical notices, updates, security alerts, and support and administrative messages;
- Respond to your comments, questions, and requests, and provide customer service;
- Communicate with you about news and information related to our service;
- Monitor and analyze trends, usage, and activities in connection with our services; and
- Personalize and improve our services. By accessing and using our services, you consent to the processing and transfer of your information in and to the United States and other countries.
Meetter Processes Personal Data pertaining to those Data Subjects who have either freely submitted it with a view (potential intention) to become registered users of our platform or those whose employer has submitted it to make them users of our platform.
Any user that is identified as being under 18 years of age (therefore not bearing full legal capacity as an adult) is not allowed to use our websites, and if any Person Data has been gathered pertaining to such an individual, it shall be immediately erased from all repositories with except of a black-list that will prevent further collection/ Processing of such Data.
Meetings are automatically recorded (unless any of the participants disables the recording) which therefore constitutes new Personal Data consisting of image/ sound (voice recording) and the content of what has been spoken about.
Meetter also resorts to and produces a written digital transcription of the meeting content, which constitutes a redundant sample of content yet necessary for may Corporate Clients as well as users need it for internal operational purposes.
DPO contacts Mr. Rui Serrano Country: Portugal, European Union Email: [email protected]
When a Data Subject visits Meetter’ websites, the only sessions cookie in use gathers Login Data to enable providing access to registered users and IP address and browser version to optimize the user experience. These are deemed as essential Cookies in the sense that if not in place, users will not be able to Login, hence use the Services or having proper access to those services.
Meetter does not use any other type of cookies.
Although not a common practice, where “Personal Data” is collected from a 3rd party other than the Corporate Client (including “public sources”), Meetter will act as per “GDPR” Article 14 ruling, meaning the “Data Subject” will be contacted and informed about which type of “Personal Data” was gathered by Meetter, for which purpose and from which source and the “Data Subject” will be requested to provide his/ her Explicit Consent towards “Personal Data” Processing under the conveyed service scope.
If the “Data Subject” either does not reply within 28 days or his/ her answer is of not consenting towards Meetter Processing his/ her “Personal Data”, Meetter shall erase the “Personal Data” which has been collected about that “Data Subject”.
To prevent further contact within the same scope, the “Data Subject’s” Name and email address will be “blacklisted” (therefore maintained by Meetter) on a dedicated repository that is accessible to relevant internal Departments only.
Meetter does not profile “Data Subjects” except for their usage of the platform services, least of all from public platforms such as Social Media or “Affiliate” entities’ information repositories.
Meetter processes the following types of personal data:
- Identification Data: First and last name, email address;
- Account Verification data: User Name and Password; Slack account ID; Google Acount ID;
- Corporate Information: employer company;
- Online calendar availability and booking of meetings through the Meetter platform;
- Content of the meeting (video/ voice/ transcript) accessible only by the participants and the Corporate Client;
Meetter performs meeting voice and video recording, storing them on a secure, specific repository so its Corporate Clients and users (who participated in those meetings) may retrieve them.
Such recordings register the participants, their voice, and image which in it own constitutes Personal Data under this specific context. Additionally, any information conveyed over such meetings may consist of Personal Data either from the participants or other individuals. It is up to the Corporate Client to internally have its staff informed and where necessary to create internal processes that foster Personal Data Protection while having its staff using these resources. Additionally, the access to those recordings either by the company or other staff members than the participants it is also to be internally ruled by each Corporate Client.
As earlier herein mentioned participants may opt for disabling the meeting recording or having the meeting under a End-to-End Encrypted format that besides being more Secure due to inherent encryption also does not produce a recording.
Meetter does not seek to collect or otherwise Process Sensitive Personal Data as set out in the GDPR Article 9. Notwithstanding that fact, Meetter will host the recordings and transcripts of meetings that have not been disabled by the platform users and the content of each meeting recording is not possible to determine in advance, for it will depend on what is said by the participants on such meetings.
Your Personal Data is exclusively processed by Meetter to enable access to its resources by you.
Notwithstanding this fact, your company/ employer may (eventually) resort to Meetter Services and resources to Process Personal Data that pertains to you for specific internal purposes. If that is the case, then it is up to your company to internally clarify and (if necessary) to have the needed documentation that demonstrates an adequate Lawful Basis towards such Personal Data Processing Activities.
Meetter does not undergo any type of Automated Personal Data Processing activities or Decision Making, mainly (yet not exclusively) that may lead to “Profiling” activities.
Meetter takes every reasonable step to ensure that Personal Data under its direct Processing activities (as the Controller) is absolutely limited to the amount and type that is necessary to deliver its Services towards its Customers and Corporate Clients as it has been agreed by those, either via Consent or a Contract not maintained over redundant repositories nor for any longer than required under the scope of agreed services.
However, Customers and Corporate Clients alike will act also as Joint Controllers and the same is not “arguable” by Meetter with regards to those for it solely depends on their Personal Data Processing “scope” and “purpose”.
Meetter resorts to partners that act as Processors, nevertheless none of those partners proceed with Personal Data Processing activities outside of the scope of their Processor role under Meetter Services, as per ruled by Data Processing Agreements to be in place between Meetter and those partners.
Besides what has been hereinabove mentioned, Meetter does not share Personal Data pertaining to its users with any 3rd party entities.
Some of Meetter’s partners (Processors or Controllers) are established on 3rd countries (meaning not the EU Member States nor within the European Economic Area), as well as Meetter itself; therefore not enjoying an adequacy qualification by the European Commission pursuant to GDPR Article 45 ruling.
To make such transfers fully compliant with the GDPR, the Data Processing Agreements with those partners include the EU Standard Contractual Clauses in accordance with Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
And, more relevant, Meetter both ensures having internal Security Measures and Processes in place as performing a detailed assessment regarding such partners.
Meetter will maintain Personal Data pertaining to its Corporate Clients staff and “Customers” for the duration of the Services plus as per Legal requirements (e.g. invoices must be maintained by Law for 7 years after document date).
In case of a potential legal dispute or for the period allowed by local legislation (in the geography where the Corporate Client is located) after the Services Contract has come to an end, Meetter reserves itself the right under Legitimate Interest to maintain Personal Data that exclusively is relevant to allow legal defense; all other Personal Data shall be erased.
Meetter is a Digital company, which means that the overwhelming amount of Data and information the company requires to operate is exclusively maintained under Digital format on IT Systems.
Meetter stores all Personal Data in AWS while using some external 3rd party tools to enable parts of the Service, namely MongoDB Atlas and Twilio. So those partners which contribution to the delivery of the services is required are:
- MongoDB Atlas
Meetter acts as the Controller and these “Partners” as “Processors”, meaning they will not undergo any “Personal Data Processing Activities” activities towards information registered, submitted or conveyed by Meetter unless under the scope of contracted services and that is agreed and documented under an existing “DPA” between the parties.
Those Data Subject who are individual Customers may exercise their Rights directly towards Meetter, however, those who are staff members from Meetter Corporate Clients must address those companies to exercise their rights towards Meeter.
Under the GDPR, the Data Subject has the following set of established rights:
Right of access. The right to obtain from the Controller confirmation as to whether his/ her personal data is being processed, and, where that is the case, access to such personal data as well as related information. Meetter will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may exercise this right by reviewing information on Meetter’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not Meetter Customers.
Right to rectification. The right to obtain the rectification of inaccurate Personal Data pertaining to that Data Subject. Customers may directly amend existing information on Meetter’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not Meetter Customers.
Right to erasure. The right to have Personal Data pertaining to him/ her that is under Processing by Meetter erased and therefore Processing stopped, unless a legal duty or have a legitimate ground to retain certain data prevents Meetter from observing such right, in which case the Data Subject shall be duly informed. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
The right to restrict processing. Under relevant conditions set out by the law, the right to request and have in place processing restrictions (in scope and purpose) towards Personal Data that pertains to him/ her. When exercising this right, the Data Subject must be specific about which processing activities are being requested to be restricted and the Controller shall provide feedback to the Data Subject on either the completion of the request or any potential collateral impact that may derive from implementing the requested objection to Processing, asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as defined in the procedure stated below in this section.
Right to data portability. The right to receive the Personal Data pertaining to that Data Subject, in a structured, commonly used and machine-readable format as well as the right to transmit such Personal Data to another controller without hindrance. Meetter will share the Personal Data over a secure channel, and that (depending on the type of Data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the Data Subject to ensure authorized secure access. Customers may directly amend existing information on Meetter’s website user account area or by submitting a request as per herein defined ahead in this document which is the application process for those Data Subjects who are not Meetter Customers.
Right to be informed about a Personal Data Breach. The Data Subject has the right (and it is the Controller’s obligation by law to ensure it) to be informed of any unauthorized disclosure or potential disclosure of his/ her Personal Data to unauthorized 3rd parties within 72 hours of its occurrence.
Right to lodge a complaint with a supervisory authority. The right to lodge a complaint regarding Meetter’s Processing activities over his/ her Personal Data towards any of the EU Member States data protection Supervisory Authorities. Meetter is however also available to provide any clarification towards those Data Subjects who may feel that it’s Processing of the Personal Data that pertains to them has negatively impacted them or somehow breached their rights under GDPR and/ or the right to Privacy, having such Personal Data processed in a secure manner and Confidentiality assurance. Data Subject may submit a complaint via the request process as per herein defined ahead.
Under the scope of Personal Data Protection, the Data Subjects may address Meetter via the email [email protected]
The exercise of Data Subjects’ rights as some other “interactions” requires the univocal identification of the person submitting such request as being, in fact, the Data Subject to whom such Personal Data pertains to, hence Meetter may have to set in place a process or mechanism that allows it to document having undergone such assertive identification.
Meetter has its “IT Landscape” configured and monitored under the strictest Security market standards and it has reviewed and adopted changes to its operational processes in a manner that ensures compliance with the requirements posed under “GDPR” towards “Personal Data” Protection. This means to assure its Confidentiality and Privacy while under “Personal Data Processing Activities” performed by itself and its “Partners” within the scope of Meetter rendered services.
“Agreed Services” or “Services” means those Services being rendered by the Controller towards the Data Subject towards which he/ she has agreed with and/ or comprehending Processing legitimacy that derives from an existing and documented Lawful Base.
“Controller” means the “Party” which determines the “scope”, “purpose” and form of Personal Data Processing activities.
“Data Subject” means the identified or identifiable natural person to whom “Personal Data” relates. Both Parties understand that the “Data Subject” is the sole owner of “Personal Data” which pertains to him/ her.
“Data Subjects’ Rights” means the rights established towards the “Data Subjects” under “GDPR”.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the “Personal Data” Treatment” and on the free movement of such data, while replacing the Directive 95/46/EC and having become enforceable on May 25th, 2018.
“IT Landscape” means the set of IT assets and services of and at the disposal of either the Data Subject, Meetter or its Partners that enables their Personal Data Processing to occur, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.
“Lawful Basis” means the enlisted lawful grounds that a Controller has to entice Personal Data Processing activities under “GDPR”, namely (but not limited to) having documented: the Data Subject’ Explicit Consent towards those Personal Data Processing activities; the Controller’ Legitimate Interest in proceeding with those activities; accessory legal obligations that the Controller must observe and which entitled it to proceed with such activities within the limits of GDPR ruling and inherent obligations.
“Partner” means any 3rd party entity towards which the Controller may resort in order to ensure Personal Data Processing activities under an established Lawful Base (as defined under the “GDPR”) and within the scope of agreed Services with the Data Subject.
“Personal Data” means any data which by itself or when cross-referenced with other data enables one to univocally identify a specific natural person, the “Data Subject”.
“Personal Data Processing” means any operation or set of operations which is performed upon “Personal Data”, whether or not by automated means, such as: collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).
“Personal Data Breach” means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data”.
“Processor” means the entity which proceeds with authorized Personal Data Processing activities on behalf of the “Controller”.