Rapid Ratings International Inc., together with its subsidiaries (“RapidRatings”, “we”, “our”, “us”), provides this policy to explain our practices regarding the collection and processing of information collected from or about the users of any online portal or website where this policy is posted (“Site”) and our business contacts. Please read the following carefully to understand our views and practices regarding your information and how we will treat it.
Where this policy refers to “EU Personal Data,” the policy applies to data covered by the GDPR and any United Kingdom equivalent data privacy law; where the policy refers to “U.S. Personal Information,” the policy applies to your name, address, e-mail address, phone number, and credit card information (where you purchase a RapidRatings service/product); and where the policy refers to “information,” the policy covers EU, U.S., and all other data generally.
What information do we collect?
We collect and process the following information:
- Information you give us. You give us information about you by filling in forms on our Site or by corresponding with us. The information you give us may include your name, address, e-mail address, phone number, and credit card information (where you purchase a Rapid Ratings service/product). We also collect information you provide when you register to use our Site, subscribe to our service, use our products and services, place an order on our Site, participate in discussion boards or other social media functions on our Site, enter a competition, promotion or survey, apply for a vacancy advertised on our Site, and when you report a problem with our Site.
- Information we collect about you. With regard to each of your visits to our Site we automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our Site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
- Information we receive from other sources. We receive information about you, including U.S. Personal Information and EU Personal Data, if you use any of the other websites we operate or the other services we provide. We also work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and receive information from them.
You can find out more information about Google Analytics cookies here: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage. To opt out of Google Analytics relating to your use of our websites, you can download and install the Browser Plugin available via this link: https://tools.google.com/dlpage/gaoptout?hl=en.
For a detailed overview of our use of cookies, please refer to our cookies policy.
Use of the Information
We, and our subsidiaries, use information held about you, including U.S. Personal Information and EU Personal Data, in the following ways:
- Information you give to us. We will use this information:
- to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
- to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
- to provide you with information about goods or services we feel may interest you. If you are an existing client, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you;
- to notify you about changes to our service;
- to ensure that content from our Site is presented in the most effective manner for you and for your computer;
- to prevent fraud;
- to ensure network and information security;
- to report criminal acts or threats to public security; and
- to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
- Information we collect about you. We will use this information:
- to provide or improve our products and services;
- to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our Site to ensure that content is presented in the most effective manner for you and for your computer;
- to allow you to participate in interactive features of our service, when you choose to do so;
- as part of our efforts to keep our Site safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
- to prevent fraud;
- to ensure network and information security;
- to report criminal acts or threats to public security; and
- to make suggestions and recommendations to you and other users of our Site about goods or services that may interest you or them.
- Information we receive from other sources. We combine this information with information you give to us and information we collect about you. We use this information and the combined information, including U.S. Personal Information and EU Personal Data, for the purposes set out above (depending on the types of information we receive).
What is RapidRatings’ approach to disclosing information (including personal data)?
We share your information, including U.S. Personal Information and EU Personal Data, with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries.
We share your information with selected third parties including:
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
- Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. See the Digital Advertising section of this policy for more information.
- Analytics and search engine providers that assist us in the improvement and optimization of our Site.
- Partners for the purposes of determining whether to enter into contracts with you.
We also disclose your information to third parties:
- In the event that we sell or buy any business or assets, in which case we may need to disclose your information to the prospective seller or buyer of such business or assets.
- If Rapid Ratings International Inc., or substantially all of its assets are acquired by a third party, in which case personal data held by it about its clients will be one of the transferred assets.
- If we are under a duty to disclose or share your information in order to comply with any legal obligation, or in order to enforce or apply our terms of and other agreements; or to protect the rights, property, or safety of Rapid Ratings International Inc., our clients, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is the European privacy regulation which replaced the EU Data Protection Directive (“Directive 95/46/EC”). The GDPR addresses the processing of personal data and the free movement of such data. It aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. Broadly, it sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.
The GDPR also established the European Data Protection Board (“EDPB”), which ensures that the data protection law is applied consistently across the EU and works to ensure effective cooperation amongst data protection authorities.
What are the implications of the GDPR for organizations like RapidRatings?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.
Does RapidRatings comply with the GDPR?
RapidRatings maintains data standards to be compliant with GDPR.
EU data subjects have the following rights as regards their personal data:
We will assist you if you choose to exercise any of your rights over your EU Personal Data, including:
- Withdrawing your previously granted consent; however, this will not invalidate any previously consented processing
- Providing confirmation as to whether or not EU Personal Data is being processed and access to personal data that we hold or process
- Correction of any EU Personal Data that is incorrect
- Erasure of any EU Personal Data that we process in certain circumstances
- Restricting processing of your EU Personal Data in certain circumstances
- Asking us to provide you or another company you nominate with certain aspects of your EU Personal Data, often referred to as ‘the right to portability’
- The ability to object to any processing of EU Personal Data where we are processing the data for our legitimate interests
- As applicable, the ability to contest a decision made entirely by automated processing, to express your point of view and to request that a human review the decision
For more information on these rights you can contact email@example.com.
RapidRatings as the data controller vs RapidRatings as the data processor
“Data controller” and “data processor” are important concepts in understanding a company’s responsibilities under the GDPR. Depending on the scenario, a company may be a data controller, data processor or both – and has specific responsibilities as a result:
A company is a data controller when it has the responsibility of deciding why and how (the “purposes” and “means”) the personal data is processed.
- Under the GDPR, data controllers have to adopt compliance measures to cover how data is collected, what it’s used for and how long it’s retained. They also need to make sure that people can access the data about them.
- Data controllers must ensure that data processors meet their contractual commitments to process data safely and legally.
When it comes to employee data, we are deemed to be controllers. Where RapidRatings is provided with personal data by third parties for the purpose of purchasing our services, we are deemed to be the data controllers.
A company is a data processor when it processes personal data on behalf of a data controller. Under the GDPR, data processors have obligations to process data safely and legally.
There are some instances in which we operate as a data processor when working with businesses and other third parties. When RapidRatings processes data on a client’s behalf for the purpose of reaching out to the client’s suppliers, in such instance the information shared by the client as regards contact details of its suppliers will be deemed to be a data processor relationship.
During the performance of RapidRatings services, our clients may identify third parties that they require RapidRatings to interact with in order for RapidRatings to produce a report (i.e. provide our service(s)). A new documented relationship with the third party can be created independent of the RapidRatings and client relationship.
In effect, a client is merely acting in a form of “introducer” type role, whereby RapidRatings finds itself in dialogue with a client’s suppliers in order to provide services for the benefit of the client. This independent engagement results in RapidRatings having a direct relationship with the third party and a new data controller to data processor relationship is established. As such, beyond RapidRatings’ processing of the data for the benefit of the client, the third party is free to choose to engage further with RapidRatings directly through its own desire.
What is the Lawful Basis of Processing EU Personal Data under the GDPR?
We process EU Personal Data: to carry out our contracts; abide by law; and based on your consent. To the extent that processing is based on consent, you have the right to withdraw consent at any time (see the Data Rights section of this policy).
We also process EU Personal Data when it is in our legitimate interests to do so and when these interests are not overridden by your rights. For example, we process data for: preventing fraud; sharing data among subsidiaries for internal purposes; ensuring network and information security; reporting criminal acts or threats to public security; direct marketing; establishing legally binding agreements with third parties; billing third parties; and taking internal measures to improve Site functionality and analyze usage.
We will process EU Personal Data when it is necessary to protect your vital interests or the vital interest of another person or if processing is necessary for the performance of a task carried out in the public interest as governed by law.
Where We Store Your Personal Data
To help prevent unauthorized access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect. We use a variety of security technologies and procedures to help protect your information from unauthorized access, use, or disclosure. While RapidRatings takes all due care in ensuring the privacy and integrity of the information that you provide, we recognize that no data transmission over the Internet can be guaranteed to be 100% secure. The possibility exists that this information could be unlawfully observed by a third party while in transit over the Internet. RapidRatings accepts no liability should this occur.
We retain EU Personal Data only as long as we have a legitimate business purpose to retain such data in accordance with our data retention schedule and/or as otherwise required by applicable law.
What are the Model Clauses?
The European Commission has approved a set of standard provisions called the Standard Contractual Clauses (“Model Clauses”) which provide a data controller a compliant mechanism to transfer personal data to a data processor outside of the European Economic Area (“EEA”). The Model Clauses are appended to the RapidRatings DPA in applicable instances to help provide adequate protection for data transfer outside of the EEA.
What steps has RapidRatings taken to prepare for Brexit (the UK’s departure from the European Union)?
Irrespective of the outcome of the ongoing Brexit negotiations, RapidRatings remains committed to meeting the privacy requirements of the UK and the rest of Europe. We are closely monitoring the negotiations between the UK government and the European Union regarding the details of their future relationship. As the details become clear, we will take appropriate measures to ensure that client data can continue to use our services in compliance with both EU and UK laws, and for RapidRatings overall, business will continue as usual and will remain focused on our clients’ success.
I still have a question about RapidRatings’ compliance with GDPR
If you have any more questions about GDPR, please get in touch with firstname.lastname@example.org.
What is the ISO 27001 Information Security Certification?
ISO 27001 is the international standard which is recognized globally for managing risks to the security of information you hold. Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardized requirements for an Information Security Management System (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving your ISMS.
RapidRatings is certified to the ISO 27001 Information Security Certification
As of 2019, RapidRatings became certified through independent review and analysis by Certification Europe. RapidRatings considers the ISO 27001 standard to be the gold standard in information security management systems. Certification assures clients that RapidRatings has completed the following:
- Implemented an information security management system for service development, operations, and support.
- Put controls in place to protect Personal Data.
- Implemented an in-depth information security risk management program.
How does the invalidation of the EU-U.S. Privacy Shield affect transfers of RapidRatings data from the EEA to the U.S.?
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a ruling invalidating the EU-U.S. Privacy Shield program. The U.S. Department of Commerce indicated that it will continue to administer the Privacy Shield program.
RapidRatings clients can continue to use RapidRatings’ services and transfer data in compliance with European law such as the GDPR, as we have EU Model Clauses (most commonly incorporated into our Data Processing Agreements) in place. Furthermore, we are ISO 27001 Information Security certified which assists in complying with the security requirements of many privacy related laws such as the GDPR.
We have withdrawn from the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/.
If you would like to access the RapidRatings DPA and/or EU Model Clauses for review or signature, you can do so by reaching out to email@example.com.
Does RapidRatings sell personal data as per the CCPA?
The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) is a U.S. law enacted in the State of California with an effective date of January 1, 2020. Generally, it expands upon the privacy rights available to certain California consumers, and requires certain companies to comply with various data protection requirements.
We do not “sell” our clients’ personal information as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to a third party for monetary or other valuable consideration.
We may share aggregated and/or anonymized information regarding use of the Service(s)—which is not considered personal information under the CCPA—with third parties to help us develop and improve the Services and provide our clients with more relevant content and service offerings as detailed in our client agreements.
Use of Third-Party Links on our Site
Our Site will, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
For more information about interest-based advertising on your desktop or mobile browser, and your ability to opt out of this type of advertising by third parties that participate in the Digital Advertising Alliance (“DAA”), please visit the DAA Self-Regulatory Program. Please note that any opt-out choice you exercise through these programs will apply to interest-based advertising by the third parties you select, but will still allow the collection of data for other purposes, including research, analytics, and internal operations. You may continue to receive advertising, but that advertising may be less relevant to your interests.
If you use a different browser or device or clear your cookies you may need to opt-out again.
Does RapidRatings process or control personal data relating to Children?
Our services and this website are not intended for children under the age of 16, and we do not knowingly collect information from children under the age of 16.
You also have the right to lodge a complaint with data protection authorities. You may contact the relevant Data Protection Authority in your country of residence.
Updated: June 2021