Terms & Conditions
By signing up to be an Affiliate in the ORIGINAL DIGITAL ART Affiliate Program ("Program") you are agreeing to be bound by the following terms and conditions ("Terms of Service").
ORIGINAL DIGITAL ART reserves the right to update and change the Terms of Service from time to time without notice. Any new features that augment or enhance the current Program, including the release of new tools and resources, shall be subject to the Terms of Service. Continued use of the Program after any such changes shall constitute your consent to such changes.
Violation of any of the terms below will result in the termination of your Account and for forfeiture of any outstanding affiliate commission payments earned during the violation. You agree to use the Affiliate Program at your own risk.
- You must be 18 years or older to be part of this Program.
- You must live in the United Kingdom to be an Affiliate.
- You must be a human. Accounts registered by "bots" or other automated methods are not permitted.
- You must provide your legal full name, a valid email address, and any other information requested in order to complete the signup process.
- Your login may only be used by one person - a single login shared by multiple people is not permitted.
- You are responsible for maintaining the security of your account and password. ORIGINAL DIGITAL ART cannot and will not be liable for any loss or damage from your failure to comply with this security obligation.
- You are responsible for all Content posted and activity that occurs under your account.
- One person or legal entity may not maintain more than one account.
- You may not use the Affiliate Program for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright laws).
- You may not use the Affiliate Program to earn money on your own ORIGINAL DIGITAL ART product accounts.
Links/graphics on your site, in your emails, or other communications
Once you have signed up for the Affiliate Program, you will be assigned a unique Affiliate Code. You are permitted to place links, banners, or other graphics we provide with your Affiliate Code on your site, in your emails, or in other communications. We will provide you with guidelines, link styles, and graphical artwork to use in linking to ORIGINAL DIGITAL ART. We may change the design of the artwork at any time without notice, but we won't change the dimensions of the images without proper notice.
To permit accurate tracking, reporting, and referral fee accrual, we will provide you with special link formats to be used in all links between your site and the ORIGINAL DIGITAL ART. You must ensure that each of the links between your site and the ORIGINAL DIGITAL ART properly utilizes such special link formats. Links to the ORIGINAL DIGITAL ART placed on your site pursuant to this Agreement and which properly utilize such special link formats are referred to as "Special Links." You will earn referral fees only with respect to sales on an ORIGINAL DIGITAL ART product occurring directly through Special Links; we will not be liable to you with respect to any failure by you or someone you refer to use Special Links or incorrectly type your Affiliate Code, including to the extent that such failure may result in any reduction of amounts that would otherwise be paid to you pursuant to this Agreement.
Affiliate links should point to the page of the product being promoted.
Referral fees/commissions and payment
For a Product sale to be eligible to earn a referral fee, the customer must click-through a Special Link from your site, email, or other communications to http://od-art.co.uk/wp and complete an order for a product during that session.
We will only pay commissions on links that are automatically tracked and reported by our systems. We will not pay commissions if someone says they purchased, or someone says they entered a referral code if it was not tracked by our system. We can only pay commissions on business generated through properly formatted special links that were automatically tracked by our systems.
We reserve the right to disqualify commissions earned through fraudulent, illegal, or overly aggressive, questionable sales or marketing methods.
Payments only begin once you've earned more than £20 in affiliate income. If your affiliate account never crosses the £20 threshold, your commissions will not be realized or paid. We are only responsible for paying accounts that have crossed the £20 threshold.
Identifying yourself as an ORIGINAL DIGITAL ART Affiliate
You may not issue any press release with respect to this Agreement or your participation in the Program; such action may result in your termination from the Program. In addition, you may not in any manner misrepresent or embellish the relationship between us and you, say you develop our products, say you are part of ORIGINAL DIGITAL ART or express or imply any relationship or affiliation between us and you or any other person or entity except as expressly permitted by this Agreement (including by expressing or implying that we support, sponsor, endorse, or contribute money to any charity or other cause).
You may not purchase products through your affiliate links for your own use. Such purchases may result (in our sole discretion) in the withholding of referral fees and/or the termination of this Agreement.
As long as your current affiliate earning are over £20, you'll be paid each month. If you haven't earned £20 since your last payment, we'll pay you the following month after you've crossed the threshold.
Customers who buy products through this Program will be deemed to be our customers. Accordingly, all of our rules, policies, and operating procedures concerning customer orders, customer service, and product sales will apply to those customers. We may change our policies and operating procedures at any time. For example, we will determine the prices to be charged for products sold under this Program in accordance with our own pricing policies. Product prices and availability may vary from time to time. Because price changes may affect Products that you have listed on your site, you should not display product prices on your site. We will use commercially reasonable efforts to present accurate information, but we cannot guarantee the availability or price of any particular product.
You will be solely responsible for the development, operation, and maintenance of your site and for all materials that appear on your site. For example, you will be solely responsible for:
- The technical operation of your site and all related equipment
- Ensuring the display of Special Links on your site does not violate any agreement between you and any third party (including without limitation any restrictions or requirements placed on you by a third party that hosts your site)
- The accuracy, truth, and appropriateness of materials posted on your site (including, among other things, all Product-related materials and any information you include within or associate with Special Links)
- Ensuring that materials posted on your site do not violate or infringe upon the rights of any third party (including, for example, copyrights, trademarks, privacy, or other personal or proprietary rights)
- Ensuring that materials posted on your site are not libellous or otherwise illegal
Compliance with Laws
As a condition to your participation in the Program, you agree that while you are a Program participant you will comply with all laws, ordinances, rules, regulations, orders, licenses, permits, judgments, decisions or other requirements of any governmental authority that has jurisdiction over you, whether those laws, etc. are now in effect or later come into effect during the time you are a Program participant. Without limiting the foregoing obligation, you agree that as a condition of your participation in the Program you will comply with all applicable laws that govern marketing email, including without limitation, the CAN-SPAM Act of 2003 and all other anti-spam laws.
Term of the Agreement and Program
The term of this Agreement will begin upon our acceptance of your Program application and will end when terminated by either party. Either you or we may terminate this Agreement at any time, with or without cause, by giving the other party written notice of termination. Upon the termination of this Agreement for any reason, you will immediately cease use of, and remove from your site, all links to http://od-art.co.uk/wp, and all of our trademarks, trade dress, and logos, and all other materials provided by or on behalf of us to you pursuant hereto or in connection with the Program. ORIGINAL DIGITAL ART reserves the right to end the Program at any time. Upon program termination, ORIGINAL DIGITAL ART will pay any outstanding earnings accrued above $20.
ORIGINAL DIGITAL ART, in its sole discretion, has the right to suspend or terminate your account and refuse any and all current or future use of the Program, or any other ORIGINAL DIGITAL ART service, for any reason at any time. Such termination of the Service will result in the deactivation or deletion of your Account or your access to your Account, and the forfeiture and relinquishment of all potential or to-be-paid commissions in your Account if they were earned through fraudulent, illegal, or overly aggressive, questionable sales or marketing methods. ORIGINAL DIGITAL ART reserves the right to refuse service to anyone for any reason at any time.
Relationship of Parties
You and we are independent contractors, and nothing in this Agreement will create any partnership, joint venture, agency, franchise, sales representative, or employment relationship between the parties. You will have no authority to make or accept any offers or representations on our behalf. You will not make any statement, whether on your site or otherwise, that reasonably would contradict anything in this Section.
Limitations of Liability
We will not be liable for indirect, special, or consequential damages (or any loss of revenue, profits, or data) arising in connection with this Agreement or the Program, even if we have been advised of the possibility of such damages. Further, our aggregate liability arising with respect to this Agreement and the Program will not exceed the total referral fees paid or payable to you under this Agreement.
We make no express or implied warranties or representations with respect to the Program or any products sold through the Program (including, without limitation, warranties of fitness, merchantability, noninfringement, or any implied warranties arising out of a course of performance, dealing, or trade usage). In addition, we make no representation that the operation of the ORIGINAL DIGITAL ART will be uninterrupted or error-free, and we will not be liable for the consequences of any interruptions or errors.
YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT AND AGREE TO ALL ITS TERMS AND CONDITIONS. YOU UNDERSTAND THAT WE MAY AT ANY TIME (DIRECTLY OR INDIRECTLY) SOLICIT CUSTOMER REFERRALS ON TERMS THAT MAY DIFFER FROM THOSE CONTAINED IN THIS AGREEMENT OR OPERATE WEB SITES THAT ARE SIMILAR TO OR COMPETE WITH YOUR WEB SITE. YOU HAVE INDEPENDENTLY EVALUATED THE DESIRABILITY OF PARTICIPATING IN THE PROGRAM AND ARE NOT RELYING ON ANY REPRESENTATION, GUARANTEE, OR STATEMENT OTHER THAN AS SET FORTH IN THIS AGREEMENT.
This Agreement will be governed by the laws of The United Kingdom, without reference to rules governing choice of laws. You may not assign this Agreement, by operation of law or otherwise, without our prior written consent. Subject to that restriction, this Agreement will be binding on, inure to the benefit of, and be enforceable against the parties and their respective successors and assigns. Our failure to enforce your strict performance of any provision of this Agreement will not constitute a waiver of our right to subsequently enforce such provision or any other provision of this Agreement.
The failure of ORIGINAL DIGITAL ART to exercise or enforce any right or provision of the Terms of Service shall not constitute a waiver of such right or provision. The Terms of Service constitutes the entire agreement between you and ORIGINAL DIGITAL ART and govern your use of the Service, superseding any prior agreements between you and ORIGINAL DIGITAL ART (including, but not limited to, any prior versions of the Terms of Service).
What is a Cookie?
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Cookies do not contain malicious software programs, spyware or viruses and are used as a means to collect an end user’s information in order to improve the user experience, by making the interaction between the user and the website faster and more personalised, by ‘remembering’ a user’s activity for the duration of the visit to the site ‘Session cookie’ or for repeat visits ‘Persistent cookie’.
What Cookies do we use?
We use the following different types of cookies:
These are temporary cookies which are deleted when you close your browser or leave your session on our site or in the product or service. We use session cookies on our site to identify and track users and to store information about your preferences. Our session cookies may also contain your company name and email address.
Persistent cookies enable our site to ‘remember’ who you are and to remember your preferences on our site. Persistent cookies will stay on your computer or device after you close your browser or leave your session.
Load Balancer Cookie
This cookie is essential to help ensure that the website loads efficiently by distributing visits across multiple web servers.
Web analytics cookies and similar technologies such as Google Analytics
These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. Google stores the information collected by the cookies on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.
Unless you opt-out of the Google Cookie, by using this site you consent to the use of the Google Cookie and any information generated by Google Analytics. Click here or copy and paste the link into your browser: Http://www.google.com/analytics for an overview of privacy at Google and for information on how to opt-out from all Google Analytics cookies.
What information is collected?
The following information is collected in a cookie:
• Your IP Address. This is a string of numbers unique to your device that is recorded by Original Digital Art’s web server, when you request any page or component on the website. This information is used to monitor your usage of the website.
• Data recorded by the website, which allows Original Digital Art to ‘recognise’ you to optimise the session performance.
At no time, is any personal information collected.
Visitors can opt-out of Google Analytics for Display Advertising and customize Google Display Network ads using the Ads Settings, see https://www.google.com/settings/ads. Additionally, visitors may wish to use the Google Analytics Opt-Out Browser Add-on found at https://tools.google.com/dlpage/gaoptout/
Your rights to return goods are protected under the EU Distance Selling Directive. The Client shall within 7 days of delivery (or within 3 days if the Client enters into this contract in the course of its business) notify Original Digital Art of any alleged defect, shortfall in quantity, damage or failure to comply with description or sample and return the completed materials together with all associated paperwork and packaging to Original Digital Art within 7 days (or within 3 days if the Client enters into this contract in the course of its business) of the said notification. If the Client shall fail so to notify Original Digital Art without reasonable explanation he shall be deemed to have accepted the materials and they will be presumed to be without any defect or damage which may be apparent on reasonable examination.
These terms apply to your order. We may change our terms and conditions at any time, so please do not assume that the same terms will apply in the future. None of these terms affect your legal rights and these are not diminished in any way. If any term is held to be invalid under any applicable statute or rule of law, that term is automatically omitted from the terms to minimum extent necessary to comply with the law and without affecting the validity or enforceability of the remainder.
Personal Data Protection Policy
1. Purpose, Scope and Users
Original Digital Art, hereinafter referred to as the “Company”, strives to comply with applicable laws and regulations related to Personal Data protection in countries where the Company operates.
This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data. This Policy applies to the Company and it’s directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Economic Area (EEA) or processing the personal data of data subjects within EEA.
The users of this document are all employees, permanent or temporary, and all contractors working on behalf of The Company.
The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:
Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject") who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
Processing: An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
Anonymization: Irreversibly de-identifying personal data such that the person cannot be identified by using reasonable time, cost, and technology either by the controller or by any other person to identify that individual. The personal data processing principles do not apply to anonymized data as it is no longer personal data.
Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymization reduces, but does not completely eliminate, the ability to link personal data to a data subject. Because pseudonymized data is still personal data, the processing of pseudonymized data should comply with the Personal Data Processing principles.
Cross-border processing of personal data: Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the EU GDPR;
Lead supervisory authority: The supervisory authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data; it is responsible, among others, for receiving the data breach notifications, to be notified on risky processing activity and will have full authority as regards to its duties to ensure compliance with the provisions of the EU GDPR;
Each “local supervisory authority” will still maintain in its own territory, and will monitor any local data processing that affects data subjects or that is carried out by an EU or non-EU controller or processor when their processing targets data subjects residing on its territory. Their tasks and powers includes conducting investigations and applying administrative measures and fines, promoting public awareness of the risks, rules, security, and rights in relation to the processing of personal data, as well as obtaining access to any premises of the controller and the processor, including any data processing equipment and means.
“Main establishment as regards a controller” with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
“Main establishment as regards a processor” with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
Group Undertaking: Any holding company together with its subsidiary.
3. Basic Principles Regarding Personal Data Processing
The data protection principles outline the basic responsibilities for organisations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
3.1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
3.2. Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3.3. Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
3.5. Storage Period Limitation
Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
3.6. Integrity and confidentiality
Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, the Company must use appropriate technical or organisational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access to, or disclosure.
Data controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
4. Building Data Protection in Business Activities
In order to demonstrate compliance with the principles of data protection, an organisation should build data protection into its business activities.
4.1. Notification to Data Subjects
(See the Fair Processing Guidelines section.)
4.2. Data Subject’s Choice and Consent
(See the Fair Processing Guidelines section.)
The Company must strive to collect the least amount of personal data possible. If personal data is collected from a third party, the Information Security Manager must ensure that the personal data is collected lawfully.
4.4. Use, Retention, and Disposal
The purposes, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Notice. The Company must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused, or abused, and prevent personal data breaches. Information Security Manager is responsible for compliance with the requirements listed in this section.
4.5. Disclosure to Third Parties
Whenever the Company uses a third-party supplier or business partner to process personal data on its behalf, the Information Security Manager must ensure that this processor will provide security measures to safeguard personal data that are appropriate to the associated risks such as misuse of personal data, unauthorised disclosure of personal data, data breaches, etc. For this purpose, the Processor GDPR Compliance Questionnaire must be used. The Company must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data to carry out its contractual obligations towards the Company or upon the instructions of the Company and not for any other purposes. When the Company processes personal data jointly with an independent third party, the Company must explicitly specify its respective responsibilities of and the third party in the relevant contract or any other legal binding document, such as the Supplier Data Processing Agreement.
4.6. Cross-border Transfer of Personal Data
Before transferring personal data out of the European Economic Area (EEA) adequate safeguards must be used including the signing of a Data Transfer Agreement, as required by the European Union and, if required, authorization from the relevant Data Protection Authority must be obtained. The entity receiving the personal data must comply with the principles of personal data processing set forth in Cross Border Data Transfer Procedure.
4.7. Rights of Access by Data Subjects
When acting as a data controller, the Information Security Manager is responsible to provide data subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.
4.8. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, for free. Information Security Manager is responsible to ensure that such requests are processed within one month, are not excessive (i.e. if the data subject sends requests daily) and do not affect the rights to personal data of other individuals.
4.9. Right to be Forgotten
Upon request, Data Subjects have the right to obtain from the Company the erasure of its personal data. When the Company is acting as a Controller, Information Security Manager must take necessary actions (including technical measures) to inform the third-parties who use or process that data to comply with the request.
5. Fair Processing Guidelines
Personal data must only be processed when explicitly authorised by the Information Security Manager.
The Company must decide whether to perform the Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines.
5.1. Notices to Data Subjects
At the time of collection or before collecting personal data for any kind of processing activities including but not limited to selling products, services, or marketing activities, the Information Security Manager is responsible to properly inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect personal data. This information is provided through Privacy Notice.
If your company has multiple data processing activities, you will need to develop different notices which will differ depending on the processing activity and the categories of personal data collected – for example, one Notice might be written for mailing purposes, and a different one for shipping purposes.
Where personal data is being shared with a third party the Information Security Manager must ensure that data subjects have been notified of this through a Privacy Notice.
Where personal data is being transferred to a third country according to Cross Border Data Transfer Policy, the Privacy Notice should reflect this and clearly state to where, and to which entity personal data is being transferred.
Where sensitive personal data is being collected, the person responsible for Data Protection matters must make sure that the Privacy Notice explicitly states the purpose for which this sensitive personal data is being collected.
5.2. Obtaining Consents
Whenever personal data processing is based on the data subject's consent, or other lawful grounds, the Information Security Manager is responsible for retaining a record of such consent. The Information Security Manager is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
When requests to correct, amend or destroy personal data records, the Information Security Manager must ensure that these requests are handled within a reasonable time frame. Person responsible for data protection matters must also record the requests and keep a log of these.
Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). The Person responsible for Data Protection matters is responsible for complying with the rules in this paragraph.
Now and in the future, the Information Security Manager must ensure that collection methods are compliant with relevant law, good practices and industry standards.
The Information Security Manager is responsible for creating and maintaining a Register of the Privacy Notices.
6. Organisation and Responsibilities
The responsibility for ensuring appropriate personal data processing lies with everyone who works for or with the Company and has access to personal data processed by the Company.
The key areas of responsibilities for processing personal data lie with the following organisational roles:
The board of directors makes decisions about and approves the Company’s general strategies on personal data protection.
The Information Security Manager the nominated person responsible for data protection matters is responsible for managing the personal data protection program and is responsible for the development and promotion of end-to-end personal data protection policies;
The Information Security Manager monitors and analyses personal data laws and changes to regulations, develops compliance requirements, and assists business departments in achieving their Personal data goals. This may include seeking legal advice or external counsel.
The Head of Technology is responsible for:
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
• Performing regular checks and scans to ensure security hardware and software is functioning properly.
The Head of Marketing, is responsible for:
• Approving any data protection statements attached to communications such as emails and letters.
• Addressing any data protection queries from journalists or media outlets like newspapers.
• Where necessary, working with the Person responsible for Data Protection Matters to ensure marketing initiatives abide by data protection principles.
The Head of Human Resources is responsible for:
• Improving all employees' awareness of user personal data protection.
• Organising Personal data protection expertise and awareness training for employees working with personal data.
• End-to-end employee personal data protection. It must ensure that employees' personal data is processed based on the employer's legitimate business purposes and necessity.
The Information Security Manager is responsible for passing on personal data protection responsibilities to suppliers and improving suppliers' awareness levels of personal data protection as well as flow down personal data requirements to any third party a supplier they are using. The Procurement Department must ensure that the Company reserves a right to audit suppliers.
7. Guidelines for Establishing the Lead Supervisory Authority
7.1. Necessity to Establish the Lead Supervisory Authority
Identifying a Lead supervisory authority is only relevant if the Company carries out the cross-border processing of personal data.
Cross border of personal data is carried out if:
a) processing of personal data is carried out by subsidiaries of the Company which are based in other Member States;or
b) processing of personal data which takes place in a single establishment of the Company in the European Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State. If the Company only has establishments in one Member State and its processing activities are affecting only data subjects in that Member State than there is no need to establish a lead supervisory authority. The only competent authority will be the Supervisory Authority in the country where Company is lawfully established.
7.2. Main Establishment and the Lead Supervisory Authority
7.2.1. Main Establishment for the Data Controller
The main establishment/ headquarters for Original Digital Art is 63 Woolbrook Road, Crayford, Dartford, Kent DA1 3RB.
If the Company is based in an EU Member State and it makes decisions related to cross-border processing activities in the place of its central administration (headquarters), there will be a single lead supervisory authority for the data processing activities carried out by the Company. If Company has multiple establishments that act independently and make decisions about the purposes and means of the processing of personal data, [the Directors / top management of the Company] needs to acknowledge that more than one lead supervisory authority exists.
7.2.2. Main Establishment for the Data Processor
When the Company is acting as a data processor, then the main establishment will be the place of central administration. In case the place of central administration is not located in the EU, the main establishment will be the establishment in the EU where the main processing activities take place.
7.2.3. Main Establishment for Non-EU Companies for Data Controllers and Processors
If the Company does not have a main establishment in the EU, and it has subsidiarie(s) in the EU, then the competent supervisory authority is the local supervisory authority. If the Company does not have a main establishment in the EU nor the subsidiaries in the EU, it must appoint a representative in the EU, and the competent supervisory authority will be the local supervisory authority where the representative is located.
8. Response to Personal Data Breach Incidents
When the Company learns of a suspected or actual personal data breach the Information Security Manager must perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of data subjects, the Company must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours.
9. Audit and Accountability
The Information Security Manager and Tech team are responsible for auditing how well business departments implement this Policy. Any employee who violates this Policy will be subject to disciplinary action and the employee may also be subject to civil or criminal liabilities if his or her conduct violates laws or regulations.
10. Conflicts of Law
This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which Original Digital Art. operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
Not found the answer?
feel free to contact our customer service for free support