Majestic-12 Limited, GDPR Compliance Statement
1. Purpose of this document
As the General Data Protection Regulation (GDPR) becomes effective on 25th May 2018, many of our business partners have asked Majestic-12 Limited for information regarding its processing of data including personal data. (Unless otherwise stated, any term defined in GDPR has the same meaning in this document).
With the intention of providing that information to our business partners, we have prepared this document to assemble in one place all information regarding processing which we think will be relevant and helpful in this regard.
2. Information we need from our business partners
We in turn will require similar information from our business partners in order to satisfy ourselves that, in receiving personal data from, or passing personal data to, those business partners, we remain compliant with GDPR.
3. About Majestic-12 Limited and data protection generally
At Majestic-12 Limited, we are internet cartographers. We are working towards the creation of a world wide web search engine based on the concept of distributing the workload, in a similar fashion to that achieved by successful projects such as “SETI@home” and “distributed.net”.
Essentially, this means that we aim to map the world wide web. To do that, we produce a “web map”, conceptually similar to the map of a railway network, showing how the information on the web is linked together. This web map is made available to our customers via a specialist search engine containing a resolution of hypertext document titles and details of the hypertext links between documents.
The privacy and security of the personal information we process is very important to us and we are fully committed to achieving compliance with GDPR.
We have taken, and continue to take, extensive and detailed legal advice to enable Majestic-12 Limited to remain compliant with applicable data protection laws. Our GDPR programme is well established and we will ensure our alignment on regulatory interpretation to enable delivery of GDPR compliance, protecting individuals’ personal data and their related rights and freedoms, including appropriate transparency of our data processing. Where applicable, we carry out privacy impact assessments.
FURTHER GDPR RELATED INFORMATION
1. How Majestic-12 Limited receives personal data
We are developing a search engine scalable to billions of web pages, but one of the biggest challenges we face in doing this is actually getting access to so many web pages. To help us, we have created a piece of software called MJ12node. The MJ12node software can be run on otherwise idle computers and combines machines from all around the globe to crawl and collate web pages and then send their findings back to the master server. The crawled data is then indexed and added to our search engine.
We do not actively seek out or target personal data in carrying out our web mapping activities as described above. However, we do look at and use hyperlinks and web page titles and those hyperlinks and web page titles could incidentally contain personal data. In processing personal data in this way, we rely on “legitimate interests” as our lawful basis for that data processing. In this context, our legitimate interest is our commercial business interests in the provision and development of our services. We consider that our processing of personal data in this manner has a minimal privacy impact and our processing is very unlikely to cause unjustified harm to data subjects.
2. Majestic-12 Limited’s processing of sensitive or special category data
We do not seek to collect or process any special categories of personal data (which includes details about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership or information about health including genetic and biometric data). Nor do we collect any information about criminal convictions or offences.
3. Specific information for our customers
We limit our collection of personal data from our customers and we only collect the personal data that is absolutely necessary.
We may collect, use, store and transfer different kinds of personal data about our customers, which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from customers and other details of products and services they have purchased from us.
- Technical Data includes internet protocol (IP) address, customers’ login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices they use to access our website.
- Profile Data includes customers’ username and password, purchases or orders, customers’ interests, preferences, feedback and survey responses.
- Usage Data includes information about how customers use our website, products and services.
- Marketing and Communications Data includes customers’ preferences in receiving marketing from us and our third parties and communication preferences.
We collect this personal data from our customers via our direct interactions with them.
We have set out below, in a table format, a description of the ways we plan to use personal data belonging to our customers, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To register new customers | | Performance of a contract with the customer |
| To process and deliver customers’ orders including: | | |
| To manage our relationship with customers which will include: | | |
| To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | | |
| To deliver relevant website content and advertisements to customers and measure or understand the effectiveness of the advertising we serve to customers | | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to customers about goods or services that may be of interest to customers | (a) Identity | Necessary for our legitimate interests (to develop our products/services and grow our business) |
4. Data security
We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. The measures we have put in place include (but are not limited to) the following:
- Firewalls are deployed to protect technical assets;
- HTTPS is implemented for all website connections;
- As far as practicable, all software development and maintenance which interacts with our customer database is performed in-house, limiting our requirement for external third party IT assistance and therefore reducing the number of people with access to personal data;
- We regularly review our security protocols around passwords and application security; and
- We aim to minimise the amount of data we collect, collecting only such data as is absolutely necessary to achieve our legitimate interests in processing that data.
In addition, we limit access to customers’ personal data to those who have a business need to know. They will only process customers’ personal data on our instructions and they are subject to a duty of confidentiality. We have also put in place procedures to deal with any suspected personal data breach and will notify data subjects and any applicable regulator of a breach where we are legally required to do so.
5. Data Protection Officer
Due to the nature of our activity and the data we process, we are not required to have, and therefore have not appointed, a data protection officer. The person with responsibility for data protection is Paul Greenshields.
6. Disclosures of personal data
7. Transfers of personal data
Sometimes we will transfer personal data outside the European Economic Area but we will only do so where such transfer is compliant with data protection laws and the means of transfer provides adequate safeguards, for example:
- By way of data transfer agreement, incorporating the current standard contractual clauses approved by the European Commission for the transfer of personal data by data controllers in the EEA to data controllers and processors in jurisdictions without adequate data protection laws;
- By ensuring that any US-based organisations we transfer data to have signed up to the EU-U.S. Privacy Shield Framework for the transfer of personal data from the EEA to the United States of America (or ensuring that an equivalent framework agreement is in place in respect of other jurisdictions);
- By transferring personal data to a country whose data protection laws have been found to be adequate by the European Commission; or
- Where data subjects have expressly consented to the data transfer (having been informed of any relevant risks involved).
8. Legal rights of data subjects
Under certain circumstances, data subjects have rights under data protection laws in relation to their personal data. Those rights include the right to:
- Request access to their personal data;
- Request correction of their personal data;
- Request erasure of their personal data;
- Object to processing of their personal data;
- Request restriction of processing of their personal data;
- Request transfer of their personal data; and
- Withdraw consent.
If a data subject wishes to exercise any of the rights set out above, they should contact us by email at firstname.lastname@example.org, clearly marking the correspondence as GDPR.