Effective as of 1 December 2019
Mediaocean Systems Ltd
Blue Fin Building, 110 Southwark Street, London SE1 0TA UK
The services which Mediaocean provides in the UK run on our mainframe and servers located in our secure data centre in the USA. Where Personal Information is collected, stored or used by our client companies using these hosted systems, please note that we act only as a Data Processor. The client company is the Data Controller and is responsible for data protection obligations pertaining to its notification, collection, accuracy, and timely disposal. The client company is also responsible for arrangements to enable you to access your own Personal Information, subject to confirmation of identification, for authorizing disclosure to Third Parties, and for breach notifications to your local Supervisory Authority, for example the Information Commissioner’s Office in the UK, and to users, in case of a security incident. As a Data Processor, Mediaocean’s responsibilities for this data are to:
- Process the Personal Information only on documented instructions from the client company
- Ensure that all persons we authorize to process the Personal Information understand and respect the confidential nature of this information
- Make provisions for the security, availability and integrity of data on our systems, including where we have appointed Sub-processors to help us deliver our services to our clients
- In the event that there is a security incident, provide the client company with the information they need to make statutory breach notifications.
Categories of Personal Information in our hosted systems
Our clients may ask us to process the following types of Personal Information:
- User credentials, including user names and passwords;
- Logs of actions you have taken within our systems in application logs, usage analysis and audit trails;
- Business contact details for our clients’ employees, and possibly their vendors’ or clients’ employees, for example to facilitate order or payment processes, or to ensure delivery of printed output to the correct person;
- In the case of Aura or our financial systems, information related to payment of staff expenses, staff timesheets etc.
We do not process Sensitive Information about you unless you provide this to us.
How we store your information
Personal Information processed in our hosted systems is stored at our secure data centres and at secure off-site storage facilities for back-up media. Details of current locations and Sub-processors are published via our Support portal.
Staff involved in support, engineering and technical operations may be based in any location where Mediaocean group companies have offices (Australia, Canada, France, Germany, India, UK, USA). So please be aware that our staff may access your data from any of those locations. However, staff are only given access to the data if they need it in order to be able to do their jobs, and only if they have completed mandatory training on security procedures. Data transfer agreements (including the EU model clauses) have been put in place with all Mediaocean entities within the group to ensure protection of Personal Information in line with European data protection requirements.
We retain Personal Information within our hosted systems in accordance with Mediaocean’s Data and Document Retention Policies. These policies define retention rules based on the nature of the information and the purpose for which it is required. We destroy or dispose of all Personal Information securely when it is no longer needed.
How we keep your information secure
Mediaocean has a documented Information Security policy and we have implemented technical and organizational security measures to ensure the confidentiality, availability and integrity of Personal Information within our hosted systems. These include:
- logical access controls
- network security configurations
- physical access controls
- system software support and change control procedures
- processing integrity measures including logging & monitoring systems
- data retention practices including data replication, virtual and physical back-ups
- resilience, recovery and continuity planning
- applications software development and change control procedures
- incident management
- vendor management
Your rights under this Policy
The EU General Data Protection Regulation guarantees Data Subjects’ rights with respect to their Personal Information. This includes rights to information about the data being held about you, to correct inaccurate information, to ask for the data to be deleted or to object to its processing, and to withdraw consent that you have previously given. If you wish to exercise any of these rights in respect of the Personal Information within our hosted systems, please contact the client company as they are the Data Controller. Mediaocean will not be able to respond to Data Subject requests regarding Personal Information in our hosted systems without authorisation from our client.
Children under the Age of 13
Our hosted services are not intended for children under 13 years of age. No one under age 13 may provide any Personal Information to or on the website. We do not knowingly collect Personal Information from children under 13. If you are under 13, do not use or provide any information on this website or on or through any of its features. If we learn we have collected or received Personal Information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at Infosec&Compliance@mediaocean.com.
Enquiries and complaints
We will cooperate with the relevant local Supervisory Authority, for example the Information Commissioner’s Office in the UK and any other relevant government agencies, and law enforcement and judicial authorities in investigating any privacy complaints or suspected violations of privacy laws or Mediaocean’s privacy commitments, as well as in rectifying any noncompliant practices. Employees or contractors who violate the terms of these principles may be subject to disciplinary consequences up to and including termination of employment or termination or non-renewal of contract, in addition to any other legal measures that may be taken by Mediaocean, its clients, or the affected individuals and their representatives.
- Personal Information is any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, regardless of the medium or format in which the information is stored.
- A Data Controller is a party or entity that determines the purposes and means of the processing of Personal Information. A company functions as a data controller when it decides how such information is to be used, and then uses that information accordingly.
- A Data Processor is a party or entity that processes Personal Information on behalf of a Data Controller. A company functions as a Data Processor when it acts as an agent of another company, following its instructions as to how that information should be handled and processed.
- Sensitive Information consists of Special Categories of Personal Data as defined by the EU General Data Protection Regulation, that is, information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health information, or sex life/orientation.
- A Sub-processor is a Data Processor who has been engaged by the Data Processor to carry out specific processing activities on behalf of the controller.
- A Supervisory Authority is an independent public authority which is established by an EU Member State in order to monitor the application of EU Data Protection law.
- A Third Party is an entity or person other than you, Mediaocean or its clients.