Our full details are:
Full name of legal entity: namatovu Ltd
Main Contact: Georgina Elliott
Email address: email@example.com
Postal address: 36 Amies Street, London SW112JN
namatovu Ltd. takes data privacy and security very seriously. We take steps to make sure that we comply with our data privacy law obligations in the EU (primarily, the Data Protection Directive 95/46/EC as implemented into the national laws of EU Member States) and the General Data Protection Regulation ("GDPR") beginning in May of 2018), and make it easy for our Partners/Participants to comply with their respective obligations too. With GDPR set to take effect on May 25, 2018, Impact Marathon Series updated our data privacy program so that we, and our Partners, are comfortable that we will meet the new requirements. Here are a few highlights.
1. namatovu Data Processing Obligations
a. namatovu as a data controller. —Where a Participant provides namatovu with personal data in the course of signing up to an event, namatovu will be a data controller over the personal data provided to namatovu directly by that Participant. namatovu will also be a data controller of the personal data that namatovu obtains in the course of a Partner or Participant's use of namatovu Services.
b. namatovu as a data processor. — namatovu will be a data processor over a Participant's personal data that namatovu obtains as a result of providing its core payment and booking management services to our Partners. For example, allowing Partners to learn more about their Participants during the booking process, facilitating the transmission of emails to Participants at the request of the Partner, collating personal information and processing payments.
Given that namatovu processes a Participant's personal data both in providing services to the Partner, and to the account-holding Participant directly in his or her own use of namatovu, namatovu may be both a controller and a processor of the same personal data and will be held to different processing obligations as a result.
2. Data Security
namatovu is committed to maintain the highest level of security to protect personal data.
namatovu have put in place security measures to prevent personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. In this effort, namatovu has implemented numerous security measures and monitors them on a regular basis.
namatovu information systems are protected by industry standard firewalls, encryption and intrusion detection systems and access is only allowed to employees and partners who have a business need to know of such data, which they must keep confidential.
3. Data Deletion
As a data controller of our account-holding participants, namatovu will adhere to a Participant's request that namatovu delete that Participant's personal data. As a result, there may be a time when namatovu will show anonymized personal data for a particular Participant, however the financial data associated with that Participant should remain as part of the trip. Similarly, if namatovu removes personal data on its own in accordance with our internal data retention policy, this same process will apply.
Once a trip has been completed, namatovu will no longer provide Partners with access to personal data of its former Participants. This should be collated directly through the Participants.
namatovu will only retain personal data for as long as necessary to fulfil the purposes namatovu collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Should one of the Participants ask to have their personal data removed from our system, the request should be sent to firstname.lastname@example.org
4. Data Incident Notifications
In cases where namatovu are a data controller (even if namatovu are both a data processor and a data controller) over data accessed in an unauthorized manner, namatovu will notify the affected Partner or Participant directly.
5. International Transfers
Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.
Many of our third parties service providers are based outside the European Economic Area (EEA) so their processing of personal data will involve a transfer of data outside the EEA.
Whenever namatovu transfer personal data out of the EEA, we do our best to ensure a similar degree of security of data by entering in to a specific contract or code of conduct with our service providers.
6. Marketing Communications
Participants will receive marketing communications from namatovu if they made a purchase or asked for information from us about our goods or services, this may have been in the form of emailing namatovu, clicking on the website or attending an namatovu event.
Before namatovu share personal data with any third party for marketing purposes namatovu will ask for express consent.
7. namatovu and GDPR
a. Accountability and Training. — namatovu have updated our data privacy guidelines to make sure they're in line with the GDPR and we're making sure that our employees are trained on them appropriately. This means that everyone at namatovu plays a role in handling personal data in a legitimate and fair way.
b. Privacy by Design. — namatovu implementing enhanced procedures to help ensure that all of our systems and tools that collect and store personal data are designed in a privacy-friendly way. By doing this, we can reduce privacy risks at the outset and offer our Partners and Participants more control over their information.
The namatovu website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share personal data. namatovu do not control these third-party websites and are not responsible for their privacy statements. When you leave the namatovu website, we encourage you to read the privacy notice of every website you visit.